# Overview

In the real world, while I was pentesting a financial institute I came across a scenario where they had an internal intranet and it was using MySQL 5.7 64-bit as the backend database technology. Most of the time the I encounter MSSQL in most cooperate environments, but this was a rare case. I found SQL injection in the web application and I was able to dump the username and password from the mysql.user and I realized it had privileges to write files to disk. This lead me into writing a post and sharing techniques in injecting a UDF library to MySQL and gaining code execution and popping a shell in Windows. When I Googled most techniques are a bit vague when it comes to Windows. So, I thought of writing this post with my own research to clear things and make you understand few tricks you can use to do this manually.

I will be hosting the latest MySQL 5.7.21 latest community server by the time I am blogging this, in one machine. To reproduce the scenario, I am running the mysqld server with ‘–secure-file-priv=’ parameter set to blank. In this scenario I was able to retrieve the username and password from the mysql.user table using a union based injection in the intranet. Note that in MySQL 5.7 and above the column ‘password’ doesn’t exists. They have changed it to ‘authentication_string’.

# MySQL 5.6 and below
select host, user, password from mysql.user;
# MySQL 5.7 and above
select host, user, authentication_string from mysql.user;


Note that you can use the metasploit’s mysql_hashdump.rb auxiliary module to dump the MySQL hashes if you already have the credentials. By the time I am writing this blog post the script needed to be updated to extract in MySQL 5.7 you can check my pull request here

The host column for the user ‘osanda’ allows connections from 192.168.0.*, which means we can use this user for remote connections from that IP range. I cracked password hash and got the plain text password.
(more…)

## Exploiting Format Strings in Windows

I thought of making a small challenge in exploiting format strings in Windows. This is how it looks, it asks for a filename to open. At first this might be a bit confusing. There’s no vulnerable functions in reading a file. You can see that our first argument to the program is echoed back in the program.

Let’s investigate this inside a debugger. As you can see if argc == 2 the application continues the flow and argv[1] is passed into that function highlighted.

## A Basic RSA Encrypter

This is a small post about implementing a basic RSA encrypter to encrypt sections in an exe. We can use this to exchange exes with people. We will encrypt the section using the public key and the user has to use his private key to decrypt the exe. This can be applied in evading anti-viruses too.

I will use multiplication instead of an exponent. Since it would be easy to implement in few lines in assembly. However, this will allow breaking the private key easily hence the complete scheme is broken.

$Enc = (m*e) \text{ mod } N$

$Dec = (c*d) \text{ mod } N$

The correctness of this scheme depends on the fact that

$Dec(Enc(m)) = (m*e*d) \text{ mod } N = m \text{ mod } N$

## Windows Kernel Exploitation – Null Pointer Dereference

Today I’m sharing on exploiting the null pointer dereference vulnerability present in the HackSysExtreme Vulnerable Driver.

# The Vulnerability

You can view the source from here.

NTSTATUS TriggerNullPointerDereference(IN PVOID UserBuffer) {
ULONG UserValue = 0;
NTSTATUS Status = STATUS_SUCCESS;
PNULL_POINTER_DEREFERENCE NullPointerDereference = NULL;

PAGED_CODE();

__try {
// Verify if the buffer resides in user mode
sizeof(NULL_POINTER_DEREFERENCE),
(ULONG)__alignof(NULL_POINTER_DEREFERENCE));

// Allocate Pool chunk
NullPointerDereference = (PNULL_POINTER_DEREFERENCE)
ExAllocatePoolWithTag(NonPagedPool,
sizeof(NULL_POINTER_DEREFERENCE),
(ULONG)POOL_TAG);

if (!NullPointerDereference) {
// Unable to allocate Pool chunk
DbgPrint(&quot;[-] Unable to allocate Pool chunk\n&quot;);

Status = STATUS_NO_MEMORY;
return Status;
}
else {
DbgPrint(&quot;[+] Pool Tag: %s\n&quot;, STRINGIFY(POOL_TAG));
DbgPrint(&quot;[+] Pool Type: %s\n&quot;, STRINGIFY(NonPagedPool));
DbgPrint(&quot;[+] Pool Size: 0x%X\n&quot;, sizeof(NULL_POINTER_DEREFERENCE));
DbgPrint(&quot;[+] Pool Chunk: 0x%p\n&quot;, NullPointerDereference);
}

// Get the value from user mode
UserValue = *(PULONG)UserBuffer;

DbgPrint(&quot;[+] UserValue: 0x%p\n&quot;, UserValue);
DbgPrint(&quot;[+] NullPointerDereference: 0x%p\n&quot;, NullPointerDereference);

// Validate the magic value
if (UserValue == MagicValue) {
NullPointerDereference-&gt;Value = UserValue;
NullPointerDereference-&gt;Callback = &amp;NullPointerDereferenceObjectCallback;

DbgPrint(&quot;[+] NullPointerDereference-&gt;Value: 0x%p\n&quot;, NullPointerDereference-&gt;Value);
DbgPrint(&quot;[+] NullPointerDereference-&gt;Callback: 0x%p\n&quot;, NullPointerDereference-&gt;Callback);
}
else {
DbgPrint(&quot;[+] Freeing NullPointerDereference Object\n&quot;);
DbgPrint(&quot;[+] Pool Tag: %s\n&quot;, STRINGIFY(POOL_TAG));
DbgPrint(&quot;[+] Pool Chunk: 0x%p\n&quot;, NullPointerDereference);

// Free the allocated Pool chunk
ExFreePoolWithTag((PVOID)NullPointerDereference, (ULONG)POOL_TAG);

// Set to NULL to avoid dangling pointer
NullPointerDereference = NULL;
}

#ifdef SECURE
// Secure Note: This is secure because the developer is checking if
// 'NullPointerDereference' is not NULL before calling the callback function
if (NullPointerDereference) {
NullPointerDereference-&gt;Callback();
}
#else
DbgPrint(&quot;[+] Triggering Null Pointer Dereference\n&quot;);

// Vulnerability Note: This is a vanilla Null Pointer Dereference vulnerability
// because the developer is not validating if 'NullPointerDereference' is NULL
// before calling the callback function
NullPointerDereference-&gt;Callback();
#endif
}
__except (EXCEPTION_EXECUTE_HANDLER) {
Status = GetExceptionCode();
DbgPrint(&quot;[-] Exception Code: 0x%X\n&quot;, Status);
}

return Status;
}


As usual, everything is clearly explained in the source. At line 42 the ‘userValue’ is compared with the value ‘0xBAD0B0B0’ and if it fails at line 58 the ‘NullPointerDereference’ value is set to NULL and at line 73 the value ‘NullPointerDereference’ is not validated whether it’s NULL before calling the callback function.

Let’s disassemble and see it closely. As you can see, if the provided ‘MagicValue’ is wrong the value of ‘NullPointerDereference’ is set to NULL to avoid the dangling pointer.
(more…)

## Windows Kernel Exploitation – Arbitrary Overwrite

Today I’m sharing what I learned on developing an exploit for the arbitrary overwrite vulnerability present in the HackSysExtreme Vulnerable Driver. This is also known as the “write-what-where” vulnerability. You can refer to my previous post on exploiting the stack overflow vulnerability and the analysis of the shellcode.

# The Vulnerability

You can check the source from here

NTSTATUS TriggerArbitraryOverwrite(IN PWRITE_WHAT_WHERE UserWriteWhatWhere) {
PULONG What = NULL;
PULONG Where = NULL;
NTSTATUS Status = STATUS_SUCCESS;

PAGED_CODE();

__try {
// Verify if the buffer resides in user mode
sizeof(WRITE_WHAT_WHERE),
(ULONG)__alignof(WRITE_WHAT_WHERE));

What = UserWriteWhatWhere-&gt;What;
Where = UserWriteWhatWhere-&gt;Where;

DbgPrint(&quot;[+] UserWriteWhatWhere: 0x%p\n&quot;, UserWriteWhatWhere);
DbgPrint(&quot;[+] WRITE_WHAT_WHERE Size: 0x%X\n&quot;, sizeof(WRITE_WHAT_WHERE));
DbgPrint(&quot;[+] UserWriteWhatWhere-&gt;What: 0x%p\n&quot;, What);
DbgPrint(&quot;[+] UserWriteWhatWhere-&gt;Where: 0x%p\n&quot;, Where);

#ifdef SECURE
// Secure Note: This is secure because the developer is properly validating if address
// pointed by 'Where' and 'What' value resides in User mode by calling ProbeForRead()
// routine before performing the write operation

*(Where) = *(What);
#else
DbgPrint(&quot;[+] Triggering Arbitrary Overwrite\n&quot;);

// Vulnerability Note: This is a vanilla Arbitrary Memory Overwrite vulnerability
// because the developer is writing the value pointed by 'What' to memory location
// pointed by 'Where' without properly validating if the values pointed by 'Where'
// and 'What' resides in User mode
*(Where) = *(What);
#endif
}
__except (EXCEPTION_EXECUTE_HANDLER) {
Status = GetExceptionCode();
DbgPrint(&quot;[-] Exception Code: 0x%X\n&quot;, Status);
}

return Status;
}


Everything is well explained in the source code. Basically the ‘where’ and ‘what’ pointers are not validated whether they are located in userland. Due to this we can overwrite an arbitrary kernel address with an arbitrary value.
(more…)

## A Simple API Monitor

This is a simple Windbg script to monitor common Win32 API calls and display the strings, IPs, Ports, Registry keys passed to the APIs. The Win32 API is huge and I have used common APIs used by programs and malware. I coded this for fun 🙂

Usage: ApiMon.wds run; g;


You can remove APIs as you wish to minimize the output or you can add any API you desire. For example

bp DLLName!APIName @&quot;$$&gt;a&lt;{arg0} APIName FileNamePtr bp kernelbase!CreateFileA @&quot;$$&gt;a&lt;${$arg0} CreateFileA 1&quot;;


This is a sample output that uses CreateProcess API.

This is from running netcat.

## Executing Shellcode Directly

I found this post by Alex Ionescu pretty interesting. I recreated the poc and wrote position independent shellcode. It’s more like executing shellcode directly by the windows loader.

One could develop complete malware by dynamically locating the base address of kernel32.dll and once you locate the functions LoadLibraryA and GetProcAddress, you can load any library in the system and find the exported symbols, in which you have complete access to the win32 API.

You don’t need to specifically write position independent code using assembly. You can directly code in C/C++ and extract the opcodes.

For example using the ‘InMemoryOrderModuleList’ LDR_DATA_TABLE_ENTRY located in the PEB->LDR we can get the base address of kernel32.dll. Usually kernel32.dll can be found in the third LDR_MODULE in the double linked list. If you have done shellcoding under Windows these things should be familiar.
(more…)

# Introduction

This post is on exploiting a stack based buffer overflow in the HackSysExtremeVulnerableDriver.
There’s lot of background theory required to understand types of Windows drivers, developing drivers, debugging drivers, etc. I will only focus on developing the exploit while explaining some internal structures briefly. I would assume you have experience with assembly, C, debugging in the userland.
This driver is a kernel driver. A driver is typically used to get our code into the kernel. An unhandled exception will cause the famous BSOD. I will be using Windows 7 32-bit for this since it doesn’t support SMEP (Supervisor Mode Execution Prevention) or SMAP (Supervisor Mode Access Prevention). In simple words, I would say that when SMEP is enabled the CPU will generate a fault whenever the ring0 tries to execute code from a page marked with the user bit. Basically, due to this being not enabled, we can map our shellcode to steal the ‘System’ token. Check the Shellcode Analysis part for the analysis. Exploiting this vulnerability on a 64-bit system is different.
You can use the OSR Driver Loader to load the driver into the system.
If you want to debug the machine itself using windbg you can use VirtualKD or LiveKD

You can add a new serial connection using VirtualBox or VMware, so you can debug the guest system via windbg. I will be using a serial connection from VMware.
For kernel data structures refer to this. I have used it mostly to refer the structures.
After you have registered the driver you should see this in ‘msinfo32’.

If you check the loaded modules in the ‘System’ process you should see our kernel driver ‘HEVD.sys’.

## Lab01-01 Analysis

In my leisure time I like reading the book Practical Malware Analysis and I thought of sharing my analysis in the practical sections. You can find detailed answers in the book as well.

# Lab01-01.dll Analysis

If we have a look at the “Lab01-01.dll” file’s imports we can see that it uses network functions from “ws2_32.dll”. We can suspect that this file is responsible for network communications to the attacker.

But if we have a look at the exports section we see nothing, which is strange.

(more…)

## Shellcode to Scroll your Desktop Vertically and Horizontally

This is another fun shellcode that I made to scroll your desktop vertically and horizontally infinitely.

(more…)