{"id":26458481,"url":"https://github.com/rootkitsmm/openvpn-pool-overflow","last_synced_at":"2025-03-19T00:01:53.366Z","repository":{"id":97353762,"uuid":"45444188","full_name":"Rootkitsmm-zz/OpenVpn-Pool-Overflow","owner":"Rootkitsmm-zz","description":"Pool Overflow  in OpenVpn NDIS TAP Driver ","archived":false,"fork":false,"pushed_at":"2015-11-03T15:00:37.000Z","size":126,"stargazers_count":17,"open_issues_count":0,"forks_count":6,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-03-12T18:02:06.064Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Rootkitsmm-zz.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-11-03T05:34:34.000Z","updated_at":"2019-10-06T15:51:10.000Z","dependencies_parsed_at":"2023-03-13T16:14:41.664Z","dependency_job_id":null,"html_url":"https://github.com/Rootkitsmm-zz/OpenVpn-Pool-Overflow","commit_stats":null,"previous_names":["rootkitsmm/openvpn-pool-overflow"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Rootkitsmm-zz%2FOpenVpn-Pool-Overflow","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Rootkitsmm-zz%2FOpenVpn-Pool-Overflow/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Rootkitsmm-zz%2FOpenVpn-Pool-Overflow/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Rootkitsmm-zz%2FOpenVpn-Pool-Overflow/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Rootkitsmm-zz","download_url":"https://codeload.github.com/Rootkitsmm-zz/OpenVpn-Pool-Overflow/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244326199,"owners_count":20435122,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-03-19T00:01:48.311Z","updated_at":"2025-03-19T00:01:53.354Z","avatar_url":"https://github.com/Rootkitsmm-zz.png","language":null,"funding_links":[],"categories":["\u003ca id=\"7cf7e8a30b73997985f20698eaf6b0c9\"\u003e\u003c/a\u003eOpenVPN"],"sub_categories":["\u003ca id=\"8ea8f890cf767c3801b5e7951fca3570\"\u003e\u003c/a\u003e公网访问局域网"],"readme":"# OpenVpn TAP Driver Pool Overflow\nCredit \n\nhttps://twitter.com/R00tkitSMM (firozimaysam@gmail.com) telegram username : https://telegram.me/firozi\n\nthis vulnerability is reported to OpenVpn.\n****\nsuccessfully exploiting this vulnerability can help attacker to bypass driver singing enforcement in windows and Load Unsigned malicious Driver.\n****\nOpenVpn Tap Driver use  NdisReadConfiguration for reading  some Configuration from Registry.\none of the obvious task before using any function, is you must read it's manual \n\n[NdisReadConfiguration manual](https://msdn.microsoft.com/en-us/library/windows/hardware/ff564511(v=vs.85).aspx )\n\n```\nNote that NDIS does not validate values that a driver reads from the registry.\nThe caller of NdisReadConfiguration must therefore not make any assumptions about \nsuch values and must validate each value read from the registry.If the caller \ndetermines that a value is out of bounds, it should use a default value instead.\n```\ntap0901.sys (IDA-Pro output ) :\n\n```\nKeyword.Buffer = (PWSTR)\"N\";\nNdisReadConfiguration(\u0026Status, \u0026ParameterValue, ConfigurationHandle, \u0026Keyword, NdisParameterString);\nif ( Status || (v2 = ParameterValue, ParameterValue-\u003eParameterType != 2) )\n{\n  Status = -1073676267;\n}\nelse\n{\n  v3 = ParameterValue-\u003eParameterData.StringData.Length;\n  *(_WORD *)(v1 + 32) = v3;\n  v4 = *(_WORD *)(v1 + 32);\n  *(_WORD *)(v1 + 34) = v3;\n  *(_DWORD *)(v1 + 36) = v1 + 40;\n  memcpy((void *)(v1 + 40), v2-\u003eParameterData.StringData.Buffer, v4);\n```\n\ntap0901.sys read some config string from NetCfgInstanceId Value under\n```\n\"\\REGISTRY\\MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\CLASS\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\00XX\"\n```\nkey 00XX is something like 0012,\nThen it copy this string to alocated Pool,without properley cheking  the size of string.\n\nso if we change NetCfgInstanceId just before driver call  NdisReadConfiguration, We Write a string more than size of the Buffer in allocated Pool.\n\ngood news is this Pool point to  \"MiniportAdapterContext\" buffer  and i think we can overwrite something interesting to get code execution in Ring0 or just overwrite pool metadata\n\n```\na773b1fa 6a02            push    2\na773b1fc 8d45e8          lea     eax,[ebp-18h]\na773b1ff 50              push    eax\na773b200 ff7508          push    dword ptr [ebp+8]\na773b203 8d45f0          lea     eax,[ebp-10h]\na773b206 50              push    eax\na773b207 8d45fc          lea     eax,[ebp-4]\na773b20a 50              push    eax\na773b20b c745eceee073a7  mov     dword ptr [ebp-14h],offset tap0901+0x40ee (a773e0ee)\na773b212 ffd7            call    edi ;NdisReadConfiguration\na773b214 395dfc          cmp     dword ptr [ebp-4],ebx\na773b217 754e            jne     tap0901+0x1267 (a773b267)\na773b219 8b4df0          mov     ecx,dword ptr [ebp-10h]\na773b21c 833902          cmp     dword ptr [ecx],2\na773b21f 7546            jne     tap0901+0x1267 (a773b267)\na773b221 0fb74104        movzx   eax,word ptr [ecx+4]\na773b225 66894620        mov     word ptr [esi+20h],ax\na773b229 0fb75620        movzx   edx,word ptr [esi+20h]\na773b22d 66894622        mov     word ptr [esi+22h],ax\na773b231 8d4628          lea     eax,[esi+28h]\na773b234 52              push    edx ; size of buffer\na773b235 894624          mov     dword ptr [esi+24h],eax ; source memory  \na773b238 ff7108          push    dword ptr [ecx+8]\na773b23b 50              push    eax ; Destination memory \na773b23c e8092b0000      call    tap0901+0x3d4a (a773dd4a) ; memcpy\n```\n\neax is Destination pool pointer ,edx is size of copy\nas you see pool size is 538 and it was less than number of bytes we write to it \n```\n3: kd\u003e r\neax=83b45af8 ebx=00000000 ecx=83a8c7c4 edx=0000ffff esi=83b45ad0 edi=898ac5c9\neip=a773b23c esp=8a6c64c4 ebp=8a6c6518 iopl=0         nv up ei pl zr na pe nc\ncs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246\ntap0901+0x123c:\na773b23c e8092b0000      call    tap0901+0x3d4a (a773dd4a)\n3: kd\u003e !pool 83b45af8 \nPool page 83b45af8 region is Nonpaged pool\n 83b45138 size:    8 previous size:    0  (Allocated)  Frag\n 83b45140 size:  1b0 previous size:    8  (Free)       Free\n 83b452f0 size:  208 previous size:  1b0  (Allocated)  Irp  Process: 856afd40\n 83b454f8 size:  5d0 previous size:  208  (Allocated)  TapR\n*83b45ac8 size:  538 previous size:  5d0  (Allocated) *TapA\n\tOwning component : Unknown (update pooltag.txt)\n```\n\n\nUsefull Breakpoints and outputs.\nNdisReadConfiguration lead to RtlQueryRegistryValues function.\n\n```\n2: kd\u003e !handle 800009e0 \n\nPROCESS 839ce020  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000\n    DirBase: 00185000  ObjectTable: 8a401b78  HandleCount: 529.\n    Image: System\n\nKernel handle table at 8d94e000 with 529 entries in use\n\n800009e0: Object: a7ba6a18  GrantedAccess: 000f003f Entry: 8caf63c0\nObject: a7ba6a18  Type: (839e77f0) Key\n    ObjectHeader: a7ba6a00 (new version)\n        HandleCount: 1  PointerCount: 1\n        Directory Object: 00000000  Name: \\REGISTRY\\MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\CLASS\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\0012\n\n2: kd\u003e p\nnt!RtlQueryRegistryValues+0x26d:\n81832470 8944240c        mov     dword ptr [esp+0Ch],eax\n2: kd\u003e ln 1832470\n\n```\n\n BSOD output :\n\n```\nDRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)\nAn attempt was made to access a pageable (or completely invalid) address at an\ninterrupt request level (IRQL) that is too high.  This is usually\ncaused by drivers using improper addresses.\nIf kernel debugger is available get stack backtrace.\nArguments:\nArg1: 03851576, memory referenced\nArg2: 00000002, IRQL\nArg3: 00000001, value 0 = read operation, 1 = write operation\nArg4: 89a76e75, address which referenced memory\n\nDebugging Details:\n------------------\n\n\nWRITE_ADDRESS:  03851576 \n\nCURRENT_IRQL:  2\n\nFAULTING_IP: \ntcpip!TcpTcbHeaderSend+20f\n89a76e75 668907          mov     word ptr [edi],ax\n\nDEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO\n\nBUGCHECK_STR:  0xD1\n\nPROCESS_NAME:  System\n\nTRAP_FRAME:  8078f778 -- (.trap 0xffffffff8078f778)\nErrCode = 00000002\neax=038524c0 ebx=83b4a268 ecx=ff578963 edx=00000024 esi=83aed008 edi=03851576\neip=89a76e75 esp=8078f7ec ebp=8078f8ac iopl=0         nv up ei pl nz na po nc\ncs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202\ntcpip!TcpTcbHeaderSend+0x20f:\n89a76e75 668907          mov     word ptr [edi],ax        ds:0023:03851576=????\nResetting default scope\n\nLAST_CONTROL_TRANSFER:  from 816e1195 to 8166ecf8\n\nSTACK_TEXT:  \n8078f8ac 89a67201 83aed008 00000010 00000002 tcpip!TcpTcbHeaderSend+0x20f\n8078f8e0 89a620dc 83aed008 00000000 00000000 tcpip!TcpAcceptFin+0x6c\n8078f8f8 89a7336a 83aed008 8078fa58 83aed008 tcpip!TcpAllowFin+0x56\n8078f978 89a825dc 84829f40 83aed008 8078f9a0 tcpip!TcpTcbCarefulDatagram+0x16d5\n8078f9e4 89a828fc 84829f40 83aed008 0078fa58 tcpip!TcpTcbReceive+0x228\n8078fa4c 89a71a80 84792588 84827080 848270f4 tcpip!TcpMatchReceive+0x237\n8078fa9c 89a62e2e 84829f40 8482700c 00005000 tcpip!TcpPreValidatedReceive+0x263\n8078fab0 89a89563 8078facc 00000007 00000007 tcpip!TcpNlClientReceivePreValidatedDatagrams+0x15\n8078fad4 89a89a68 8078fae0 00000000 00000007 tcpip!IppDeliverPreValidatedListToProtocol+0x33\n8078fb70 89aa5c44 8529f778 00000000 839d74c0 tcpip!IpFlcReceivePreValidatedPackets+0x437\n8078fb98 81693624 85242410 2228e0f1 847d1418 tcpip!FlReceiveNetBufferListChainCalloutRoutine+0xfc\n8078fc00 89aa5cee 89aa5b48 8078fc28 00000000 nt!KeExpandKernelStackAndCalloutEx+0x132\n8078fc3c 8989d18d 8529a002 85241400 00000000 tcpip!FlReceiveNetBufferListChain+0x7c\n8078fc74 8988b670 8529b708 85241410 00000000 ndis!ndisMIndicateNetBufferListsToOpen+0x188\n8078fc9c 8988b5e7 00000000 85241410 84a620e0 ndis!ndisIndicateSortedNetBufferLists+0x4a\n8078fe18 89836ca5 84a620e0 00000000 00000000 ndis!ndisMDispatchReceiveNetBufferLists+0x129\n8078fe34 8988ba2e 84a620e0 85241410 00000000 ndis!ndisMTopReceiveNetBufferLists+0x2d\n8078fe5c 89836c1e 84a620e0 85241410 00000000 ndis!ndisMIndicateReceiveNetBufferListsInternal+0x62\n8078fe84 8daf87f4 84a620e0 85241410 00000000 ndis!NdisMIndicateReceiveNetBufferLists+0x52\n8078fecc 8daf777e 00000000 85255e38 00000001 E1G60I32!RxProcessReceiveInterrupts+0x108\n8078fee4 8988b309 01d11008 00000000 8078ff10 E1G60I32!E1000HandleInterrupt+0x80\n8078ff20 898369f4 85255e4c 00255e38 00000000 ndis!ndisMiniportDpc+0xe2\n8078ff48 8166b9f5 85255e4c 85255e38 00000000 ndis!ndisInterruptDpc+0xaf\n8078ffa4 8166b858 8172dd20 839d74c0 00000000 nt!KiExecuteAllDpcs+0xf9\n8078fff4 8166b01c 8a6be874 00000000 00000000 nt!KiRetireDpcList+0xd5\n8078fff8 8a6be874 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2c\nWARNING: Frame IP not in any known module. Following frames may be wrong.\n8166b01c 00000000 0000001a 00d6850f bb830000 0x8a6be874\n\n\nSTACK_COMMAND:  .trap 0xffffffff8078f778 ; kb\n\nFOLLOWUP_IP: \nE1G60I32!RxProcessReceiveInterrupts+108\n8daf87f4 8b45e8          mov     eax,dword ptr [ebp-18h]\n\nSYMBOL_STACK_INDEX:  13\n\nSYMBOL_NAME:  E1G60I32!RxProcessReceiveInterrupts+108\n\nFOLLOWUP_NAME:  MachineOwner\n\nMODULE_NAME: E1G60I32\n\nIMAGE_NAME:  E1G60I32.sys\n\nDEBUG_FLR_IMAGE_TIMESTAMP:  483de743\n\nFAILURE_BUCKET_ID:  0xD1_E1G60I32!RxProcessReceiveInterrupts+108\n\nBUCKET_ID:  0xD1_E1G60I32!RxProcessReceiveInterrupts+108\n\nFollowup: MachineOwner\n---------\n````\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frootkitsmm%2Fopenvpn-pool-overflow","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frootkitsmm%2Fopenvpn-pool-overflow","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frootkitsmm%2Fopenvpn-pool-overflow/lists"}