Windows exploitation
Types of Bugs
Uninitialized Stack Variable
- References a local variable or buffer, which wasnβt previously properly initialized.
- Usually mitigated by compiler warnings/errors, informing about potential security flaws present in the source code.
- Challenge: how can one control the trash bytes present on the ring-0 stack, from within a ring-3 perspective?
- How to exploit:
- Find the kernel stack init address:
!thread. - Find the offset of our callback from this init address
- Spray the Kernel Stack with User controlled input from the user mode using NtMapUserPhysicalPages trick.
- Find the kernel stack init address:
Null-Pointer Dereference
- Happens when the value of the pointer is NULL, and is used by the application to point to a valid memory area.
- How to exploit:
- Map the NULL page in user space.
- Place a fake data structure in it which will cause our shell code to be executed.
- Trigger the dereference bug.
Symbolic links
- Leverages two fundamental concepts in Windows:
- object manager symbolic links.
- NTFS junctions/mount points.
- Requirements for exploitation:
- A high privileged process writing to user controlled files or directories:
C:\PownMe\Link.ex. - Reading permission to the referenced directory
C:\Windows\System32\sysprep\and writing permissions to the directory where the junction will be storedC:\PownMe. - directory where the junction will be stored must be empty:
C:\PownMebefore the reparse point is defined.
- A high privileged process writing to user controlled files or directories:
- How to find them:
- launch process monitor and filter by the process you are targeting.
- look for
CreateFileoperations by the SYSTEM process. - then check if the target directory has the right access for the
everyonegroup or username.
Payloads
Token Stealing Payload
- The general algorithm for the token stealing shellcode is:
- Save the drivers registers so we can restore them later and avoid crashing it.
- Find the _KPRCB struct by looking in the fs segment register
- Find the _KTHREAD structure corresponding to the current thread by indexing into_KPRCB.
- Find the _EPROCESS structure corresponding to the current process by indexing into_KTHREAD.
- Look for the _EPROCESS structure corresponding to the process with PID=4 (UniqueProcessId = 4) by walking the doubly linked list of all_EPROCESS structures that the_EPROCRESS structure contains a references to, this is the "System" process that always has SID ( Security Identifier) = NT AUTHORITY\SYSTEM SID.
- Retrieve the address of the Token of that process.
- Look for the _EPROCESS structure corresponding to the process we want to escalate (our process).
- Replace the Token of the target process with the Token of the "System" process.
- Clean up our stack and reset our registers before returning.
Mitigations
SMEP (Supervisor Mode Execution Prevention)
- Introduced in 2011 in Intel processors based on the Ivy Bridge architecture and enabled by default since Windows 8.0.
- SMEP restricts executing code that lies in usermode to be executed with Ring-0 privileges, attempts result in a crash. This basically prevents EoP exploits that rely on executing a usermode payload from ever executing it.
- The SMEP bit is bit 20 of the CR4 register.
- SMEP's goal is to block kernel exploit which:
- Prepares a shellcode in user memory
- Redirects execution to the prepared payload, by exploiting a kernel/driver security flaw.
SMEP Bypass
- Craft a rop chain to disable SMEP (not possible with win10 vbs)
- Modifying nt!MmUserProbeAddress
- Windows Reserve Objects