- With Arbitraty Overwrite: we’ll be writing the value pointed by “what” to the memory location referenced by “where”<\/li><\/ul>\n\n\n\n
The strategy for this blogpost:<\/p>\n\n\n\n
Initial Phase:<\/h4>\n\n\n\n
- Source Code Review<\/li>
- Finding IOCTL<\/li>
- Verifying the vulnerability with the initial script<\/li><\/ul>\n\n\n\n
Exploitation Phase:<\/h4>\n\n\n\n
- Enumerate all drivers<\/li>
- Find the address for ntoskrnl.exe<\/li>
- Load ntoskrnl.exe into LoadLibraryExA<\/li>
- Enumerate HalDispatchTable address<\/li>
- Overwrite HalDispatchTable + 0x4 with a pointer to our shellcode<\/li><\/ul>\n\n\n\n
Source Code Review:<\/h2>\n\n\n\n
We have 2 source-code files for this vulnerability:<\/p>\n\n\n\n
- https:\/\/github.com\/hacksysteam\/HackSysExtremeVulnerableDriver\/blob\/master\/Driver\/HEVD\/Windows\/ArbitraryWrite.h<\/a><\/li><\/ul>\n\n\n\n
- https:\/\/github.com\/hacksysteam\/HackSysExtremeVulnerableDriver\/blob\/master\/Driver\/HEVD\/Windows\/ArbitraryWrite.c<\/a><\/li><\/ul>\n\n\n\n
Let’s start with the header file: ArbitraryWrite.h<\/em><\/strong>:<\/p>\n\n\n\n
- in the first snippet, typedef is used to create new datatype for what and where<\/li>
- WRITE_WHAT_WHERE<\/em><\/strong> is an alias used to reference the struct _WRITE_WHAT_WHERE<\/em><\/strong><\/li>
- PWRITE_WHAT_WHERE<\/em><\/strong> is an ‘aliased pointer’ to the struct _WRITE_WHAT_WHERE<\/em><\/strong><\/li><\/ul>\n\n\n\n
- in the second snippet, we see a variable UserWriteWhatWhere<\/em><\/strong> with the datatype PWRITE_WHAT_WHERE<\/em><\/strong> which was a pointer to the struct _WRITE_WHAT_WHERE<\/em><\/strong> which contains What & Where pointers<\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/image-5.png\")
<\/figure>\n\n\n\nAfter getting some insights from the header file, we’ll have a look at the C code:<\/p>\n\n\n\n
- here we see what and where which was declared in the header file already<\/li>
- they are initialized here as NULL<\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/image.png\")
<\/figure>\n\n\n\nThen we see the secure version of the code which verifies if values pointed by what and where resides in User mode. The vulnerable version doesn’t verify while writing the value pointed by WHAT to the memory location referenced by WHERE, if the values reside in user mode or not. <\/p>\n\n\n\n
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/image-6-1024x331.png\")
<\/figure>\n\n\n\nSo after doing some source code review, we’ll find the IOCTL code as the first thing: <\/p>\n\n\n\n
- if we subtract 0x222003 from our IOCTL and we don\u2019t get 0x0,<\/li>
- subtract another 0x4. If we don\u2019t get 0x0,<\/li>
- subtract another 0x4. If we get 0x0, jump to the Arbitrary Write function.<\/li>
- this makes our IOCTL 0x222003 + 8 bytes = 0x22200B<\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/image-3.png\")
<\/figure>\n\n\n\nNow we have the IOCTL code, we’ll verify the vulnerability with our initial script:<\/p>\n\n\n\n
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/Screenshot-2022-08-13-at-17.39.54-1024x406.png\")
<\/figure>\n\n\n\nAfter verifing the vulnerability, we will proceed with the exploitation phase:<\/p>\n\n\n\n
Exploitation Phase:<\/h2>\n\n\n\n
- Enumerate all drivers<\/li>
- Find the address for ntoskrnl.exe<\/li>
- Load ntoskrnl.exe into LoadLibraryExA<\/li>
- Enumerate HalDispatchTable address<\/li>
- Overwrite HalDispatchTable + 0x4 with a pointer to our shellcode<\/li><\/ul>\n\n\n\n
So I’ll give a bit of theory here to understand what are we doing and why are we doing it, then will continue purely with code snippets and explaning the lines of code:<\/p>\n\n\n\n
Since the Arbitrary Overwrite vulnerability exists, we need to find a way to execute user mode shellcode from kernel mode. This can be done via HalDispatchTable which is a part of the kernel for hardware\/machine instructions. It helps making various hardware architectures to be compatible with Windows. We’ll use various Windows API calls for our goal. Let’s start by creating code snippets for each goal:<\/p>\n\n\n\n
Enumerate all drivers:<\/h3>\n\n\n\n
We’ll use EnumDeviceDrivers() to enumerate all driver addresses: https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/psapi\/nf-psapi-enumdevicedrivers<\/a><\/p>\n\n\n\n
- It gets 3 parameters: *lpImageBase, cb, and lpcbNeeded:<\/li><\/ul>\n\n\n\n
- An array that receives the list of load addresses for the device drivers.<\/li>
- The size of the lpImageBase<\/em> array, in bytes<\/li>
- The number of bytes returned in the lpImageBase<\/em> array<\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/image-7-1024x174.png\")
<\/figure>\n\n\n\nFind the address for ntoskrnl.exe:<\/h3>\n\n\n\n
For finding the address of ntoskrnk.exe, we will use GetDeviceDriverBaseNameA function: https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/psapi\/nf-psapi-getdevicedriverbasenamea<\/a><\/p>\n\n\n\n
- it gets 3 parameters: ImageBase, lpFilename, nSize<\/li>
- ImageBase: the load address of the device driver<\/li>
- nSize: the size of the lpBaseName buffer, in characters<\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/image-4-1024x378.png\")
<\/figure>\n\n\n\nLoad ntoskrnl.exe into LoadLibraryExA:<\/h3>\n\n\n\n
This time we’ll use the API function: LoadLibraryExA: https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/libloaderapi\/nf-libloaderapi-loadlibraryexa<\/a><\/p>\n\n\n\n
- it gets 3 parameters: lpLibFileName, hFile, dwFlags<\/li><\/ul>\n\n\n\n
- lpLibFileName: A string that specifies the file name of the module to load<\/li>
- hFile: This parameter is reserved for future use. It must be NULL<\/li>
- dwFlags: The action to be taken when loading the module<\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/image-1.png\")
<\/figure>\n\n\n\nEnumerate HalDispatchTable address:<\/h3>\n\n\n\n
We’ll use GetProcAddress() to find the address of HalDispatchTable: https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/libloaderapi\/nf-libloaderapi-getprocaddress<\/a><\/p>\n\n\n\n
- it gets 2 parameters: hModule, lpProcName<\/li>
- hModule: A handle to the DLL module that contains the function or variable<\/li>
- lpProcName: The function or variable name, or the function’s ordinal value<\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/image-2.png\")
<\/figure>\n\n\n\nFinal Exploit – few more additions<\/h3>\n\n\n\n
So let’s see what do we have in our final exploit:<\/p>\n\n\n\n
- DLLs for windows APIs (kernel32, ntdll, psapi)<\/li>
- We define the what & where stuctures<\/li>
- shellcode (same we used in the Stack overflow exploit)<\/li>
- Defeating DEP with VirtualAlloc (same we used in the Stack overflow exploit)<\/li>
- Enumerate all drivers – explained above<\/li>
- Find the address for ntoskrnl.exe – explained above<\/li>
- Load ntoskrnl.exe into LoadLibraryExA – explained above<\/li>
- Enumerate HalDispatchTable address – explained above<\/li>
- Trigger the exploit<\/li>
- CreateFileA and DeviceIoControl API functions – same as the Stack overflow exploit<\/li>
- NtQueryIntervalProfile() call to make sure the exploit is working by executing the shellcode at HAL+0x4<\/li>
- Pop the shell – same as used in Stack Overflow exploit<\/li><\/ol>\n\n\n\n
Most of the code is already given above, there are few adjustments made with the explanations given below. After that run the script and enjoy the SYSTEM shell.<\/p>\n\n\n\n
- w00t w00t \ud83c\udf89<\/li><\/ul>\n\n\n\n
- w00t w00t \ud83c\udf89<\/li><\/ul>\n\n\n\n
- it gets 3 parameters: lpLibFileName, hFile, dwFlags<\/li><\/ul>\n\n\n\n
- The number of bytes returned in the lpImageBase<\/em> array<\/li><\/ul>\n\n\n\n
- It gets 3 parameters: *lpImageBase, cb, and lpcbNeeded:<\/li><\/ul>\n\n\n\n
- PWRITE_WHAT_WHERE<\/em><\/strong> is an ‘aliased pointer’ to the struct _WRITE_WHAT_WHERE<\/em><\/strong><\/li><\/ul>\n\n\n\n
- https:\/\/github.com\/hacksysteam\/HackSysExtremeVulnerableDriver\/blob\/master\/Driver\/HEVD\/Windows\/ArbitraryWrite.c<\/a><\/li><\/ul>\n\n\n\n
- https:\/\/github.com\/hacksysteam\/HackSysExtremeVulnerableDriver\/blob\/master\/Driver\/HEVD\/Windows\/ArbitraryWrite.h<\/a><\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/1.png\")
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/2.png\")
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/3-1024x598.png\")
\u00a0![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/4-1024x344.png\")
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/5-1024x174.png\")
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/6-1024x378.png\")
\u00a0![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/8.png\")
\u00a0![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/9.png\")
\u00a0![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/10.png\")
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/11-1024x68.png\")
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/12.png\")
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/13.png\")
\u00a0\u00a0<\/td><\/tr><\/tbody><\/table>