References a local variable or buffer that was never properly initialized.
Usually mitigated by compiler warnings/errors that flag the potential security flaw in the source code.
Challenge: how can one control the trash bytes left on the ring-0 stack from a ring-3 perspective?
How to exploit:
Find the kernel stack init address (WinDbg: !thread).
Find the offset of our callback from this init address.
Spray the kernel stack with user-controlled input from user mode using the NtMapUserPhysicalPages trick.
Null-Pointer Dereference
Happens when a pointer whose value is NULL is used by the application as if it pointed to a valid memory area.
How to exploit:
Map the NULL page in user space.
Place a fake data structure in it that will cause our shellcode to be executed.
Trigger the dereference bug.
Payloads
Token Stealing Payload
The general algorithm for the token stealing shellcode is:
Save the driver's registers so we can restore them later and avoid crashing it.
Find the _KPRCB struct by looking through the fs segment register.
Find the _KTHREAD structure corresponding to the current thread by indexing into _KPRCB.
Find the _EPROCESS structure corresponding to the current process by indexing into _KTHREAD.
Look for the _EPROCESS structure corresponding to the process with PID = 4 (UniqueProcessId = 4) by walking the doubly linked list of all _EPROCESS structures that each _EPROCESS holds a reference to; this is the "System" process, which always runs with the NT AUTHORITY\SYSTEM security identifier (SID).
Retrieve the address of the Token of that process.
Look for the _EPROCESS structure corresponding to the process we want to escalate (our process).
Replace the Token of the target process with the Token of the "System" process.
Clean up our stack and reset our registers before returning.
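The observable result of the payload above is a second process whose _EPROCESS.Token points at the System process's _TOKEN. The following added example (not part of the original notes) flags that condition over a constructed process snapshot; the field names, the x64 _EX_FAST_REF layout (4 ref-count bits) and the sample addresses are assumptions, and legitimate token sharing is treated as anomalous by this heuristic.

```python
# Added example: detect processes sharing the System process's token, the
# side effect of a token-stealing payload. The snapshot below is constructed
# and stands in for _EPROCESS fields pulled from a memory image.
from dataclasses import dataclass

SYSTEM_PID = 4      # UniqueProcessId of the "System" process
FAST_REF_BITS = 4   # assumption: x64 _EX_FAST_REF keeps a ref count in the low 4 bits


@dataclass
class ProcSnapshot:
    pid: int
    image: str
    token_ref: int   # raw _EPROCESS.Token value (an _EX_FAST_REF)


def token_object(token_ref: int, fast_ref_bits: int = FAST_REF_BITS) -> int:
    """Strip the embedded reference count to recover the _TOKEN object address."""
    return token_ref & ~((1 << fast_ref_bits) - 1)


def find_token_sharing(procs, system_pid=SYSTEM_PID):
    """Return the non-System processes whose Token resolves to System's _TOKEN."""
    system = [p for p in procs if p.pid == system_pid]
    if len(system) != 1:
        raise ValueError("expected exactly one System process (PID 4)")
    system_token = token_object(system[0].token_ref)
    return [p for p in procs
            if p.pid != system_pid and token_object(p.token_ref) == system_token]


# Constructed snapshot: the two entries that share System's token carry
# different ref-count nibbles, which is why the mask above is required.
SAMPLE = [
    ProcSnapshot(4,    "System",       0xFFFF9A0012345006),
    ProcSnapshot(612,  "services.exe", 0xFFFF9A0012ABC003),
    ProcSnapshot(1312, "explorer.exe", 0xFFFF9A0013DEF001),
    ProcSnapshot(4420, "exploit.exe",  0xFFFF9A001234500B),  # holds System's token
]

if __name__ == "__main__":
    for p in find_token_sharing(SAMPLE):
        print(f"PID {p.pid} ({p.image}) shares the System token")
```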
Mitigations
SMEP (Supervisor Mode Execution Prevention)
SMEP is a hardware mitigation introduced by Intel (branded as "OS Guard") that prevents code located in user-mode memory from being executed with Ring-0 privileges; an attempt results in a crash. This prevents EoP exploits that rely on executing a user-mode payload from ever running it.
The SMEP bit is bit 20 of the CR4 register.
SMEP's goal is to block kernel exploits that:
Prepare a shellcode in user memory,
Redirect execution to the prepared payload by exploiting a kernel/driver security flaw.
SMEP Bypass
Craft a ROP chain to disable SMEP (not possible with Win10 VBS).