Skip to content

ayoubfaouzi/windows-exploitation

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Windows exploitation

Types of Bugs

Uninitialized Stack Variable

  • References a local variable or buffer, which wasn’t previously properly initialized.
  • Usually mitigated by compiler warnings/errors, informing about potential security flaws present in the source code.
  • Challenge: how can one control the trash bytes present on the ring-0 stack, from within a ring-3 perspective?
  • How to exploit:
    • Find the kernel stack init address: !thread.
    • Find the offset of our callback from this init address
    • Spray the Kernel Stack with User controlled input from the user mode using NtMapUserPhysicalPages trick.

Null-Pointer Dereference

  • Happens when the value of the pointer is NULL, and is used by the application to point to a valid memory area.
  • How to exploit:
    • Map the NULL page in user space.
    • Place a fake data structure in it which will cause our shell code to be executed.
    • Trigger the dereference bug.

Symbolic links

  • Leverages two fundamental concepts in Windows:
    • object manager symbolic links.
    • NTFS junctions/mount points.
  • Requirements for exploitation:
    • A high privileged process writing to user controlled files or directories: C:\PownMe\Link.ex.
    • Reading permission to the referenced directory C:\Windows\System32\sysprep\ and writing permissions to the directory where the junction will be stored C:\PownMe.
    • directory where the junction will be stored must be empty: C:\PownMe before the reparse point is defined.
  • How to find them:
    • launch process monitor and filter by the process you are targeting.
    • look for CreateFile operations by the SYSTEM process.
    • then check if the target directory has the right access for the everyone group or username.

Payloads

Token Stealing Payload

  • The general algorithm for the token stealing shellcode is:
    • Save the drivers registers so we can restore them later and avoid crashing it.
    • Find the _KPRCB struct by looking in the fs segment register
    • Find the _KTHREAD structure corresponding to the current thread by indexing into_KPRCB.
    • Find the _EPROCESS structure corresponding to the current process by indexing into_KTHREAD.
    • Look for the _EPROCESS structure corresponding to the process with PID=4 (UniqueProcessId = 4) by walking the doubly linked list of all_EPROCESS structures that the_EPROCRESS structure contains a references to, this is the "System" process that always has SID ( Security Identifier) = NT AUTHORITY\SYSTEM SID.
    • Retrieve the address of the Token of that process.
    • Look for the _EPROCESS structure corresponding to the process we want to escalate (our process).
    • Replace the Token of the target process with the Token of the "System" process.
    • Clean up our stack and reset our registers before returning.

Mitigations

SMEP (Supervisor Mode Execution Prevention)

  • Introduced in 2011 in Intel processors based on the Ivy Bridge architecture and enabled by default since Windows 8.0.
  • SMEP restricts executing code that lies in usermode to be executed with Ring-0 privileges, attempts result in a crash. This basically prevents EoP exploits that rely on executing a usermode payload from ever executing it.
  • The SMEP bit is bit 20 of the CR4 register.
  • SMEP's goal is to block kernel exploit which:
    • Prepares a shellcode in user memory
    • Redirects execution to the prepared payload, by exploiting a kernel/driver security flaw.

SMEP Bypass

  • Craft a rop chain to disable SMEP (not possible with win10 vbs)
  • Modifying nt!MmUserProbeAddress
  • Windows Reserve Objects

About

My notes while studying Windows exploitation

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published