Another week passed, another update. Not sure how long I can keep up with this frequency :)
https://github.com/theevilbit/kex/
Fixed:
- all 3 shellcodes (token stealing, update token privileges, update ACL of target process)
- padded all of them with NOPs so that their length is divisible by 4; this is required if we use PALETTE objects as the r/w primitive to write the shellcode somewhere, because PALETTEs can only write multiples of 4 bytes, and a shellcode whose length is not divisible by 4 would lose its last couple of bytes
- in newer Windows versions the offset of the KTHREAD->Process pointer is larger than 0x7f (specifically 0xb8), which means the assembly encoding of the load is different:
  - for offsets < 0x80: "\x48\x8b\x40" + 1 byte value (e.g.: 0x7f)
  - for offsets >= 0x80: "\x48\x8b\x80" + 1 byte value (e.g.: 0xb8) + "\x00\x00\x00" (i.e. a 4-byte little-endian displacement)
- all 3 shellcodes are verified now to work
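The two encoding points above are generic x86-64 facts, so here is a small added example (mine, not code from the kex repository) that makes them concrete: the ModRM form with an 8-bit displacement is sign-extended, so it only covers offsets 0x00..0x7f, and anything from 0x80 up has to use the 32-bit displacement form; separately, a blob that will be written 4 bytes at a time must be padded to a multiple of 4 or its tail is lost. The function and constant names are my own.

```python
# Added example, not part of the kex project. Demonstrates why the
# `mov rax, [rax + disp]` encoding changes at offset 0x80 and why a blob
# written with a 4-byte-granular primitive must be padded to a multiple of 4.

NOP = 0x90  # single-byte x86 NOP used as padding


def encode_mov_rax_rax_disp(disp: int) -> bytes:
    """Encode `mov rax, [rax + disp]` for an unsigned displacement.

    Bytes: REX.W (0x48) + opcode 0x8B (MOV r64, r/m64) + ModRM (+ disp).
    ModRM 0x40 (mod=01, reg=rax, rm=rax) carries a sign-extended 8-bit
    displacement, so it is only valid for 0x00..0x7f; 0x80 and above
    would be interpreted as a negative offset, hence ModRM 0x80 (mod=10)
    with a 32-bit little-endian displacement is required instead.
    """
    if not 0 <= disp <= 0xFFFF_FFFF:
        raise ValueError("displacement must fit in 32 bits")
    if disp < 0x80:
        return b"\x48\x8b\x40" + bytes([disp])
    return b"\x48\x8b\x80" + disp.to_bytes(4, "little")


def pad_to_dword(code: bytes) -> bytes:
    """Append NOPs until len(code) % 4 == 0.

    A write primitive that only emits whole DWORDs would otherwise drop the
    trailing 1..3 bytes of the blob.
    """
    return code + bytes([NOP]) * (-len(code) % 4)


if __name__ == "__main__":
    # Sample offsets taken from the post: 0x7f (old layout) and 0xb8 (newer).
    for off in (0x7F, 0xB8):
        enc = encode_mov_rax_rax_disp(off)
        padded = pad_to_dword(enc)
        print(f"offset 0x{off:02x}: {enc.hex(' ')}  -> padded to {len(padded)} bytes")
```

Running it prints the 4-byte form for 0x7f and the 7-byte form for 0xb8 (which pads to 8), matching the byte strings listed above.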
The new additions are based on the following resources:
Added:
- Leaking NT base, HalDispatchTable, PTE base address using PALETTE objects
- Calculate PTE address for a given virtual address
- Ability to change a VA to executable
- An example for the new functions using the HEVD driver as usual
With that you can write a shellcode into kernel space, flip the execute permission in its PTE, overwrite the HalDispatchTable entry and trigger the shellcode; this is exactly what the added example does. All of it works from low privilege, up to Windows 10 RS3 (v1709 / FCU).