Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/ayoubfaouzi/windows-exploitation

My notes while studying Windows exploitation
https://github.com/ayoubfaouzi/windows-exploitation

windows-exploitation

Last synced: 8 months ago
JSON representation

My notes while studying Windows exploitation

Awesome Lists containing this project

README 

          
# Windows exploitation



## Types of Bugs



## Uninitialized Stack Variable



- References a local variable or buffer, which wasn’t previously properly initialized.

- Usually mitigated by compiler warnings/errors, informing about potential security flaws present in the source code.

- Challenge: how can one control the trash bytes present on the ring-0 stack, from within a ring-3 perspective?

- How to exploit:

  - Find the kernel stack init address: `!thread`.

  - Find the offset of our callback from this init address

  - Spray the Kernel Stack with User controlled input from the user mode using **NtMapUserPhysicalPages** trick.



## Null-Pointer Dereference



- Happens when the value of the pointer is NULL, and is used by the application to point to a valid memory area.

- How to exploit:

  - Map the NULL page in user space.

  - Place a fake data structure in it which will cause our shell code to be executed.

  - Trigger the dereference bug.



## Symbolic links



- Leverages two fundamental concepts in Windows:

  - object manager symbolic links.

  - NTFS junctions/mount points.

- Requirements for exploitation:

  - A high privileged process writing to user controlled files or directories: `C:\PownMe\Link.ex`.

  - Reading permission to the referenced directory `C:\Windows\System32\sysprep\` and writing permissions to the directory where the junction will be stored `C:\PownMe`.

  - directory where the junction will be stored must be empty: `C:\PownMe` before the reparse point is defined.

- How to find them:

  - launch process monitor and filter by the process you are targeting.

  - look for `CreateFile` operations by the **SYSTEM** process.

  - then check if the target directory has the right access for the `everyone` group or username.



## Payloads



### Token Stealing Payload



- The general algorithm for the **token stealing** shellcode is:

  - Save the drivers registers so we can restore them later and avoid crashing it.

  - Find the \_KPRCB struct by looking in the fs segment register

  - Find the \_KTHREAD structure corresponding to the current thread by indexing into_KPRCB.

  - Find the \_EPROCESS structure corresponding to the current process by indexing into_KTHREAD.

  - Look for the \_EPROCESS structure corresponding to the process with PID=4 (UniqueProcessId = 4) by walking the doubly linked list of all_EPROCESS structures that the_EPROCRESS structure contains a references to, this is the "System" process that always has SID ( Security Identifier) = NT AUTHORITY\SYSTEM SID.

  - Retrieve the address of the Token of that process.

  - Look for the \_EPROCESS structure corresponding to the process we want to escalate (our process).

  - Replace the Token of the target process with the Token of the "System" process.

  - Clean up our stack and reset our registers before returning.



## Mitigations



### SMEP (Supervisor Mode Execution Prevention)



- Introduced in 2011 in Intel processors based on the Ivy Bridge architecture and enabled by default since Windows 8.0.

- SMEP restricts executing code that lies in usermode to be executed with Ring-0 privileges, attempts result in a crash. This basically prevents EoP exploits that rely on executing a usermode payload from ever executing it.

- The SMEP bit is bit 20 of the CR4 register.

- SMEP's goal is to block kernel exploit which:

  - Prepares a shellcode in user memory

  - Redirects execution to the prepared payload, by exploiting a kernel/driver security flaw.



### SMEP Bypass



- Craft a rop chain to disable SMEP (not possible with win10 vbs)

- Modifying nt!MmUserProbeAddress

- Windows Reserve Objects