Strategy:<\/h2>\n\n\n\n
The strategy for this blogpost will be as follows:<\/p>\n\n\n\n
Initial Phase:<\/p>\n\n\n\n
- Some Theory<\/li>
- Source Code Review – very brief<\/li>
- Finding IOCTL<\/li>
- Verifying the vulnerability with the initial script<\/li>
- IDA Analysis #2 After the Initial Exploit:<\/li><\/ul>\n\n\n\n
Final Exploit Steps:<\/p>\n\n\n\n
- create shellcode variable from token stealing shellcode (refer to the previous blogs)<\/li>
- place the shellcode into a string buffer (we’ll use create_string_buffer from ctypes)<\/li>
- VirtualAlloc() to bypass DEP and allocate memory to copy our shellcode there (we’ll use memmove() from ctypes this time)<\/li><\/ul>\n\n\n\n
- Place a pointer to our shellcode buffer at memory address 0x4 (we’ll use memmove() from ctypes this time)<\/li>
- call the shellcode<\/li><\/ul>\n\n\n\n
Theory 1: Non-Paged vs Paged Memory:<\/h2>\n\n\n\n
At each bootup, the memeory manager creates 2 memory pool (Paged Pool and NonPaged Pool)<\/p>\n\n\n\n
- these are dynamically sized<\/li>
- they are used for kernel-components to allocate system memory<\/li>
- they start at a certain size (based on the physical memory in the system) <\/li>
- the size of the pool can grow up to a maximum size (determined by the system at boot time) <\/li>
- The paged pool can page out or can be lowered<\/li>
- The paged pool consists of virtual memory that can be paged in and out of the system.<\/li>
- The NonPaged Pool cannot be paged out (used by drivers so they can be accessed at any Interrupt Request Level)<\/li><\/ul>\n\n\n\n
- The nonpaged pool consists of virtual memory addresses that are guaranteed to reside in physical memory as long as the corresponding kernel objects are allocated.<\/li>
- To improve performance, systems with a single processor have three “paged pools”, and multiprocessor systems have five paged pools.<\/li><\/ul>\n\n\n\n
Theory 2: NULL pointer dereference in Windows OS<\/h2>\n\n\n\n
We’ll use Windows 7 x86 on this blogpost. This can be exploited on Win 10 x32 as well however starting with Win 8, Microsoft mitigated this vulnerability by making NULL page unavailable. <\/p>\n\n\n\n
Source Code Review:<\/h2>\n\n\n\n
We have 2 files again: the header file and the source file<\/p>\n\n\n\n
As the previous blogpost explained, header file will create a few variables to initialize and call later in the source code file. We’ll have a look at the source code file to understand the vulnerability:<\/p>\n\n\n\n
- https:\/\/github.com\/hacksysteam\/HackSysExtremeVulnerableDriver\/blob\/master\/Driver\/HEVD\/Windows\/NullPointerDereference.h<\/a><\/li>
- https:\/\/github.com\/hacksysteam\/HackSysExtremeVulnerableDriver\/blob\/master\/Driver\/HEVD\/Windows\/NullPointerDereference.c<\/a><\/li><\/ul>\n\n\n\n
The initial part of the code compare the UserValue with the value 0xBAD0B0B0, if they are different, NullPointerDereference<\/em> is set to NULL. <\/p>\n\n\n\n
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/image-9.png\")
<\/figure>\n\n\n\nIn the secure version, the developer checks if NullPointerDereference is not set to NULL<\/p>\n\n\n\n
In the vulnerable version, no checks are made.<\/p>\n\n\n\n
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/image-13-1024x625.png\")
<\/figure>\n\n\n\nThe vulnerability is so easy to read and detect in the source file so I’ll focus on more how it looks like on IDA and WinDBG in this blogpost.<\/p>\n\n\n\n
Finding the IOCTL Code:<\/h2>\n\n\n\n
As always, we’ll check IrpDeviceIoCtlHandler function and where NullPointerDereferenceIOCTLHandler call is, which will follow to the TriggerNullPointerDereference call. When we follow in this order, the IOCTL shows up as 0x22202Bh. <\/p>\n\n\n\n
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/image-8.png\")
<\/figure>\n\n\n\nInitial Exploit<\/h2>\n\n\n\n
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/Screenshot-2022-08-19-at-17.57.46-1024x378.png\")
<\/figure>\n\n\n\nIDA Analysis #2 After the Initial Exploit:<\/h2>\n\n\n\n
Let’s look at the TriggerNullPointerDereference<\/em><\/strong> function in disassembly:<\/p>\n\n\n\n
there is a ExAllocatePoolWithTag API call with the following parameters before the call and between the previous call:<\/p>\n\n\n\n
- push 6B636148h (which is kacH in ASCII)<\/li>
- push 8 <\/li>
- push edi (which is 0 as it was cleared few lines before with xor edi, edi)<\/li><\/ul>\n\n\n\n
When we look at the API call reference: https:\/\/docs.microsoft.com\/en-us\/windows-hardware\/drivers\/ddi\/wdm\/nf-wdm-exallocatepoolwithtag<\/a><\/p>\n\n\n\n
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/image-12-1024x188.png\")
<\/figure>\n\n\n\nAccording to the syntax each paramter value refers as below:<\/p>\n\n\n\n
- PoolType: 0 (which refers to NonPagedPool)<\/li>
- NumberOfBytes: 8<\/li>
- Tag: Hack<\/li><\/ul>\n\n\n\n
The next 3 lines after ExAllocatePoolWithTag call is also worth noting:<\/p>\n\n\n\n
- mov esi,eax: move the API call return value to esi<\/li>
- cmp esi, edi: compare the API call return value with esi (0) if it’s 0<\/li>
- jnz short loc_14E5B –> when the result is 0, we’ll trigger the exploit<\/li><\/ul>\n\n\n\n
When we check the manual for ExAllocatePoolWithTag API call, its mentioned under Return value section as below:<\/p>\n\n\n\n
- ExAllocatePoolWithTag returns NULL if there is insufficient memory in the free pool to satisfy the request.<\/em><\/li><\/ul>\n\n\n\n
When we follow the path, we see that our user value is compared with 0xBAD0B0B0h<\/p>\n\n\n\n
jnz will take place if those values do NOT match. So we need to make sure our user provided value is not 0xBAD0B0B0h<\/p>\n\n\n\n
When we go down in the code, we see the following last line which triggers the exploit:<\/p>\n\n\n\n
call dword ptr [esi+4] –> esi was 0 as we saw before and we have a pointer at address 0x00000004<\/p>\n\n\n\n
- That\u2019s going to reside on the NULL page<\/li>
- Our code will dereference a null pointer<\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/image-11.png\")
<\/figure>\n\n\n\nNtAllocateVirtualMemory<\/h2>\n\n\n\n
We’ll refer to the original API documentation: https:\/\/docs.microsoft.com\/en-us\/windows-hardware\/drivers\/ddi\/ntifs\/nf-ntifs-ntallocatevirtualmemory<\/a><\/p>\n\n\n\n
Well use NtAllocateVirtualMemory call to allocate a shellcode buffer at the pointer location esi+4 as given above<\/p>\n\n\n\n
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/image-10-1024x299.png\")
<\/figure>\n\n\n\nresult = ntdll.NtAllocateVirtualMemory(GetCurrentProcess(),pointer(c_void_p(1)),0,pointer(c_ulong(4096)),0x3000,0x40) <\/p>\n\n\n\n
- ProcessHandle –>we’ll get the handle to the current process using GetCurrentProcess()<\/li>
- BaseAddress –> will be a pointer to a PVOID 0x1<\/li>
- Zerobits –> 0<\/li>
- RegionSize –> we will give 4096 bytes<\/li>
- AllocationType –> 0x3000 (the constant hex value for MEM_COMMIT | MEM_RESERVE)<\/li>
- Protect –> 0x40 (the constant hex value for PAGE_EXECUTE_READWRITE)<\/li><\/ul>\n\n\n\n
result returning 0 means we mapped a NULL page<\/p>\n\n\n\n
References:<\/p>\n\n\n\n
- https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/internet-explorer\/ie-developer\/windows-scripting\/reference\/ijsdebugdatatarget-allocatevirtualmemory-method<\/a><\/li>
- https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/memory\/memory-protection-constants<\/a><\/li><\/ul>\n\n\n\n
Final Exploit<\/h2>\n\n\n\n
- https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/memory\/memory-protection-constants<\/a><\/li><\/ul>\n\n\n\n
- https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/internet-explorer\/ie-developer\/windows-scripting\/reference\/ijsdebugdatatarget-allocatevirtualmemory-method<\/a><\/li>
- ExAllocatePoolWithTag returns NULL if there is insufficient memory in the free pool to satisfy the request.<\/em><\/li><\/ul>\n\n\n\n
- https:\/\/github.com\/hacksysteam\/HackSysExtremeVulnerableDriver\/blob\/master\/Driver\/HEVD\/Windows\/NullPointerDereference.c<\/a><\/li><\/ul>\n\n\n\n
- https:\/\/github.com\/hacksysteam\/HackSysExtremeVulnerableDriver\/blob\/master\/Driver\/HEVD\/Windows\/NullPointerDereference.h<\/a><\/li>
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/1-1.png\")
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/2-1-1024x157.png\")
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/3-1-1024x517.png\")
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/4-1-1024x110.png\")
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/5-1-1024x195.png\")
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/08\/6-1.png\")
<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"