You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
References a local variable or buffer, which wasn’t previously properly initialized.
Usually mitigated by compiler warnings/errors, informing about potential security flaws present in the source code.
Challenge: how can one control the trash bytes present on the ring-0 stack, from within a ring-3 perspective?
How to exploit:
Find the kernel stack init address: !thread.
Find the offset of our callback from this init address
Spray the Kernel Stack with User controlled input from the user mode using NtMapUserPhysicalPages trick.
Null-Pointer Dereference
Happens when the value of the pointer is NULL, and is used by the application to point to a valid memory area.
How to exploit:
Map the NULL page in user space.
Place a fake data structure in it which will cause our shell code to be executed.
Trigger the dereference bug.
Symbolic links
Leverages two fundamental concepts in Windows:
object manager symbolic links.
NTFS junctions/mount points.
Requirements for exploitation:
A high privileged process writing to user controlled files or directories: C:\PownMe\Link.ex.
Reading permission to the referenced directory C:\Windows\System32\sysprep\ and writing permissions to the directory where the junction will be stored C:\PownMe.
directory where the junction will be stored must be empty: C:\PownMe before the reparse point is defined.
How to find them:
launch process monitor and filter by the process you are targeting.
look for CreateFile operations by the SYSTEM process.
then check if the target directory has the right access for the everyone group or username.
Payloads
Token Stealing Payload
The general algorithm for the token stealing shellcode is:
Save the drivers registers so we can restore them later and avoid crashing it.
Find the _KPRCB struct by looking in the fs segment register
Find the _KTHREAD structure corresponding to the current thread by indexing into_KPRCB.
Find the _EPROCESS structure corresponding to the current process by indexing into_KTHREAD.
Look for the _EPROCESS structure corresponding to the process with PID=4 (UniqueProcessId = 4) by walking the doubly linked list of all_EPROCESS structures that the_EPROCRESS structure contains a references to, this is the "System" process that always has SID ( Security Identifier) = NT AUTHORITY\SYSTEM SID.
Retrieve the address of the Token of that process.
Look for the _EPROCESS structure corresponding to the process we want to escalate (our process).
Replace the Token of the target process with the Token of the "System" process.
Clean up our stack and reset our registers before returning.
Mitigations
SMEP (Supervisor Mode Execution Prevention)
Introduced in 2011 in Intel processors based on the Ivy Bridge architecture and enabled by default since Windows 8.0.
SMEP restricts executing code that lies in usermode to be executed with Ring-0 privileges, attempts result in a crash. This basically prevents EoP exploits that rely on executing a usermode payload from ever executing it.
The SMEP bit is bit 20 of the CR4 register.
SMEP's goal is to block kernel exploit which:
Prepares a shellcode in user memory
Redirects execution to the prepared payload, by exploiting a kernel/driver security flaw.
SMEP Bypass
Craft a rop chain to disable SMEP (not possible with win10 vbs)
Modifying nt!MmUserProbeAddress
Windows Reserve Objects
SMAP Supervisor Mode Access Prevention
Is a newer mitigation that has been introduced to complement SMEP and further restrict access from the kernel to user-mode pages.
– It disallows both reads and writes. Just as SMEP, its status is stored as a bit in the CR4 register.
SMAP should render the previously described ROP chain technique useless, since the stack containing the ROP chain is in fact a user-mode page.
Can also be temporarily disabled by setting the AC flag in the EFLAGS CPU register.
KVA shadowing
KVA shadowing was introduced as a software mitigation for the Meltdown CPU vulnerability discovered at the end of 2017.
The basic idea of this mitigation is that the virtual address space is split into two : user mode and kernel mode.
The user-mode address space has access only to very restricted parts of the ntoskrnl module, specifically a single code section called .KVASCODE that is responsible for low-level operations like entering and leaving the kernel when handling a system call.
While KVA shadowing was designed as a fix for the Meltdown vulnerability, it also potentially causes trouble for other kinds of vulnerabilities, including the MSR one.
Bypasses
There are generally two approaches to disable the mitigation:
One is to disable it as a setting in the registry. This requires admin access and a reboot afterwards for the changes to take effect.
Alternatively, when building a ROP chain for MSR exploitation, an attacker tries to find gadgets exclusively in the .KVASCODE section of the ntoskrnl module – since that section handles the system call transition, it is possible to build a working ROP chain