
Sunday, April 15, 2012

HES 2012 day 3



Sorry, but I missed the keynote of the 3rd day. You can get the slides directly from the HES web site.

Easy local Windows Kernel exploitation by Cesar Cerrudo.


The goal of this presentation, as stated by Cerrudo, is to show some simple tricks for exploiting Windows kernel vulnerabilities.

Before that, Cerrudo underlines that Windows kernel exploitation is still a dark art, and that there are still few good, reliable kernel exploitation techniques.
Generally, for a specific vulnerability it can be possible to choose a specific value to write at a specific controlled kernel address. However, few techniques are generic and work across Windows versions.
Cerrudo pointed out that running code in kernel mode to obtain an elevation of privilege can generate errors that cannot be caught for further analysis.

The current work of Cerrudo was inspired by j00ru's paper "GDT and LDT In Windows Kernel". This paper sheds light on the following Windows API:
NtQuerySystemInformation (used by Explorer to get information about processes) allows one to get the kernel address of the KPROCESS, and returns the structure
struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
   USHORT ProcessId;
   ....
   PVOID Object;   // kernel address
}
In some ways this structure helps to get kernel information on any Windows version in order to execute an exploit. So what could be done then:

What if we can remove the ACLs of almost any Windows object?
What if we can set any privilege on a process token?
What if we can replace a process token?

In all these cases, it is possible to do any of the above actions with just one write. Indeed, Cerrudo stresses the fact that attackers are always looking for a system shell.
However, a system shell is not needed for a privilege escalation exploit, and that makes the exploitation easier.

The different techniques presented by Cerrudo can be summarized as below:
#1: Windows Object ACL
kd> dt nt!_OBJECT_HEADER
   +0x000 PointerCount       : Int4B
   .....
   +0x014 SecurityDescriptor : Ptr32   (information about the ACL; if you null out this field the object has no ACL any more)
   +0x018 Body
For that:
Get the target object's (process, ...) kernel address using NtQuerySystemInformation
Write NULL to [Object address - 0x14]
Manipulate the target object

#2: Token privileges (Windows > Vista)
typedef struct _TOKEN
{
   ...
   struct _SEP_TOKEN_PRIVILEGES
   {
      UINT64 Present;
      UINT64 Enabled;   // all ones -- all privileges enabled
      ...
   }
   ...
}

#3: Token privileges (Windows XP and Windows 2003)
kd> dt nt!_TOKEN
   +0x000 TokenSource      : _TOKEN_SOURCE
   +0x010 TokenId          : _LUID
   ...

If we can modify the token, it is possible to get powerful privileges such as:
  • Debug programs
  • Take ownership
  • Restore files and directories
  • Impersonate a client after authentication
  • Load and unload drivers
  • Create a token object
  • Act as part of the OS

    
So, to enable privileges:
  • Get the process primary token, then find its kernel address using NtQuerySystemInformation
  • Write 0xFFFFFFFF (or the wanted value for the corresponding privileges) to TOKEN at +0x48 (0x14 on Win XP)


To illustrate this technique, Cerrudo uses the exploit for Tarjei Mandt's kernel vulnerability (a use-after-free), whose write primitive is:
dec dword ptr [eax+4]

If we can only control eax, then it is hard to exploit. However:
Windows XP: the default value is TOKEN+0x48 == 0x80000000
Windows 7 ==> 1000000000000b: only one privilege is enabled by default, SeChangeNotifyPrivilege

0x8000000 - 0x1 == 0x7FFFFFF ==> 1111111111111b: lots of privileges enabled
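As an added example (not code from Cerrudo's talk or slides), here is how a defender reading a token out of a memory image or a kd session could interpret the Present/Enabled masks of _SEP_TOKEN_PRIVILEGES described above and spot the signature of a raw overwrite; the bit-to-name mapping follows the SE_*_PRIVILEGE LUID values of winnt.h, and the sample masks are constructed.

```python
# Added example, not code from the talk: decode the Present/Enabled masks of a
# kernel _SEP_TOKEN_PRIVILEGES structure and flag what a raw overwrite of the
# Enabled field leaves behind. Bit n of each mask stands for the privilege whose
# LUID is n; the names follow the SE_*_PRIVILEGE constants in winnt.h (2 .. 35).
PRIVILEGE_LUIDS = {
    2: "SeCreateTokenPrivilege", 3: "SeAssignPrimaryTokenPrivilege",
    4: "SeLockMemoryPrivilege", 5: "SeIncreaseQuotaPrivilege",
    6: "SeMachineAccountPrivilege", 7: "SeTcbPrivilege",
    8: "SeSecurityPrivilege", 9: "SeTakeOwnershipPrivilege",
    10: "SeLoadDriverPrivilege", 11: "SeSystemProfilePrivilege",
    12: "SeSystemtimePrivilege", 13: "SeProfileSingleProcessPrivilege",
    14: "SeIncreaseBasePriorityPrivilege", 15: "SeCreatePagefilePrivilege",
    16: "SeCreatePermanentPrivilege", 17: "SeBackupPrivilege",
    18: "SeRestorePrivilege", 19: "SeShutdownPrivilege",
    20: "SeDebugPrivilege", 21: "SeAuditPrivilege",
    22: "SeSystemEnvironmentPrivilege", 23: "SeChangeNotifyPrivilege",
    24: "SeRemoteShutdownPrivilege", 25: "SeUndockPrivilege",
    26: "SeSyncAgentPrivilege", 27: "SeEnableDelegationPrivilege",
    28: "SeManageVolumePrivilege", 29: "SeImpersonatePrivilege",
    30: "SeCreateGlobalPrivilege", 31: "SeTrustedCredManAccessPrivilege",
    32: "SeRelabelPrivilege", 33: "SeIncreaseWorkingSetPrivilege",
    34: "SeTimeZonePrivilege", 35: "SeCreateSymbolicLinkPrivilege",
}

# The privileges from the talk's list: none of them belongs enabled in a standard-user token.
HIGH_VALUE = {"SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeRestorePrivilege",
              "SeImpersonatePrivilege", "SeLoadDriverPrivilege",
              "SeCreateTokenPrivilege", "SeTcbPrivilege"}

def decode_privileges(mask):
    """Names of the privileges whose bit is set in a 64-bit mask, in LUID order."""
    return [name for luid, name in sorted(PRIVILEGE_LUIDS.items()) if mask >> luid & 1]

def audit_token(present, enabled):
    """Two signs of a tampered _SEP_TOKEN_PRIVILEGES: Enabled bits without a matching
    Present bit (the kernel only enables privileges the token holds, so only a raw
    write produces that state) and high-value privileges that are enabled at all."""
    return {"inconsistent": decode_privileges(enabled & ~present),
            "high_value_enabled": sorted(set(decode_privileges(enabled)) & HIGH_VALUE)}

# Constructed sample: a Windows 7 standard-user token holds a few privileges but
# enables only SeChangeNotifyPrivilege (LUID 23), the default the talk refers to.
BASELINE_PRESENT = sum(1 << luid for luid in (19, 23, 25, 33, 34))
BASELINE_ENABLED = 1 << 23
TAMPERED_ENABLED = 0xFFFFFFFF   # the value the talk writes at TOKEN+0x48

if __name__ == "__main__":
    print(audit_token(BASELINE_PRESENT, BASELINE_ENABLED))   # nothing flagged
    print(audit_token(BASELINE_PRESENT, TAMPERED_ENABLED))   # every high-value privilege flagged
```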

#4: Process primary token
typedef struct _EPROCESS (Win 7)
{
   ...
   struct _EX_FAST_REF Token;
   ...
}

kd> dt nt!_OBJECT_HEADER
   +0x000 PointerCount   : Int4B

The goal here is to replace the process token with the system identity token: obtain a system token by hooking NtOpenThreadToken and calling MsiInstallProduct, then get the object's kernel address using NtQuerySystemInformation.
If multiple writes are possible:
increase the reference count with a first write to PointerCount [_TOKEN - 0x18] (on 32-bit), then use the second write to replace the Token in _EPROCESS with the system token.
If only one write is possible:
replace the Token in _EPROCESS, and after elevation, before the exploit finishes, duplicate the system token.

Conclusions
Exploiting some kernel vulnerabilities is made much easier using NtQuerySystemInformation;
this API helps to build more reliable exploits.
You don't need a system shell to elevate your privileges.

Just awesome! Thanks Cerrudo for this presentation...

Follow Cerrudo at @cesarcer



Yo Dawg I heard you like reversing by Aaron Portnoy & Brandon Edwards



All I can say concerning this talk is: the ZDI team are just amazing. In this talk they presented their IDA Toolbag.
I won't give technical details about the tool, for the simple reason that it contains a lot of features...


The speakers pointed out that during their work at ZDI they face a lot of problems due to some limitations of IDA Pro.
Consequently, they decided to develop a tool to mitigate these problems. For that, their tool adds features to the following IDA areas:


Data storage
Querying 
Navigation
Collaboration
...  




The speakers also gave a demo of the Toolbag.


I suggest you go and take a look at the project: http://thunkers.net/~deft/code/toolbag/
