I made a larger update to my kex library again. Token stealing is not the only way in kernel exploitation; I suggest reading the following:
https://media.blackhat.com/bh-us-12/Briefings/Cerrudo/BH_US_12_Cerrudo_Windows_Kernel_WP.pdf
https://improsec.com/blog/windows-kernel-shellcode-on-windows-10-part-1
https://improsec.com/blog/windows-kernel-shellcode-on-windows-10-part-2
https://improsec.com/blog/windows-kernel-shellcode-on-windows-10-part-3
https://improsec.com/blog/windows-kernel-shellcode-on-windows-10-part-4-there-is-no-code
I essentially implemented additional shellcodes based on Cerrudo's BlackHat talk and Martin Schenk's blog posts. There are a few differences between how I implemented them and how Martin did:
- I elevate my own process privileges, not the parent or cmd.exe
- I use a different offset in KTHREAD to find the EPROCESS structure (nt!_KTHREAD -> _KAPC_STATE -> EPROCESS), so you will see different values there
- I used PALETTEs for data-only pwning and not the tagWND method, this also means that it won't work beyond Win10 RS3
- The token overwrite has been extended to also change the Present bit as it is required after Win10 RS3, as described here: http://anti-reversing.com/Downloads/Sec_Research/ntoskrnl_v10.0.15063_nt!_SEP_TOKEN_PRIVILEGES-Single_Write_EoP_Protect.pdf
- I added all offsets from Win7 to Win10 RS3 so the code should work universally across all platforms
I added an example with the HEVD driver to show how all of this works. I didn't have a chance to test the actual shellcodes, only the data-only variant, so if there are any issues, let me know.
Link:
https://github.com/theevilbit/kex/