Friday, December 1, 2017

kex - python kernel exploit library - update #3

Another week passed, another update. Not sure how long I can keep up with this frequency :)

  • all 3 shellcodes (token stealing, update token privileges, update ACL of target process)
    • padded all of them with NOPs, so their length is divisible by 4, this is required if we use PALETTE objects as r/w primitive to write the shellcode somewhere. If the shellcode is not divisible by 4, the last couple of bytes will be missing as we can only write multiplies of 4 with PALETTEs
    • in newer Windows versions the KTHREAD->Process pointer is larger than 0x7f (specifically 0xb8), which means that the assembly code is different
      • for sizes <0x80:
        • "\x48\x8b\x40" + 1 byte value (e.g.: 0x7f)
      • for sizes >=0x80:
        • "\x48\x8b\x80" + 1 byte value (e.g.: 0xb8) + "\x00\x00\x00"
  • all 3 shellcodes are verified now to work
The new additions are based on the following resources:

  • Leaking NT base, HalDispatchTable, PTE base address using PALETTE objects
  • Calculate PTE address for a given virtual address
  • Ability to change a VA to executable
  • An example for the new functions using the HEVD driver as usual
With that you can write a shellcode to kernel space, change the PTE address execution flags, update HalDisPatchTable and trigger shellcode - this is what happens in the added example. All works from low privilege mode, up to Windows 10 RS3 (v1709 / FCU).

No comments: