References a local variable or buffer, which wasn’t previously properly initialized.
Usually mitigated by compiler warnings/errors, informing about potential security flaws present in the source code.
Challenge: how can one control the trash bytes present on the ring-0 stack, from within a ring-3 perspective?
How to exploit:
Find the kernel stack init address: !thread.
Find the offset of our callback from this init address
Spray the Kernel Stack with User controlled input from the user mode using NtMapUserPhysicalPages trick.
Null-Pointer Dereference
Happens when the value of the pointer is NULL, and is used by the application to point to a valid memory area.
How to exploit:
Map the NULL page in user space.
Place a fake data structure in it which will cause our shell code to be executed.
Trigger the dereference bug.
Symbolic links
Leverages two fundamental concepts in Windows:
object manager symbolic links.
NTFS junctions/mount points.
Requirements for exploitation:
A high privileged process writing to user controlled files or directories: C:\PownMe\Link.ex.
Reading permission to the referenced directory C:\Windows\System32\sysprep\ and writing permissions to the directory where the junction will be stored C:\PownMe.
directory where the junction will be stored must be empty: C:\PownMe before the reparse point is defined.
How to find them:
launch process monitor and filter by the process you are targeting.
look for CreateFile operations by the SYSTEM process.
then check if the target directory has the right access for the everyone group or username.
Payloads
Token Stealing Payload
The general algorithm for the token stealing shellcode is:
Save the drivers registers so we can restore them later and avoid crashing it.
Find the _KPRCB struct by looking in the fs segment register
Find the _KTHREAD structure corresponding to the current thread by indexing into_KPRCB.
Find the _EPROCESS structure corresponding to the current process by indexing into_KTHREAD.
Look for the _EPROCESS structure corresponding to the process with PID=4 (UniqueProcessId = 4) by walking the doubly linked list of all_EPROCESS structures that the_EPROCRESS structure contains a references to, this is the "System" process that always has SID ( Security Identifier) = NT AUTHORITY\SYSTEM SID.
Retrieve the address of the Token of that process.
Look for the _EPROCESS structure corresponding to the process we want to escalate (our process).
Replace the Token of the target process with the Token of the "System" process.
Clean up our stack and reset our registers before returning.
Mitigations
SMEP (Supervisor Mode Execution Prevention)
Introduced in 2011 in Intel processors based on the Ivy Bridge architecture and enabled by default since Windows 8.0.
SMEP restricts executing code that lies in usermode to be executed with Ring-0 privileges, attempts result in a crash. This basically prevents EoP exploits that rely on executing a usermode payload from ever executing it.
The SMEP bit is bit 20 of the CR4 register.
SMEP's goal is to block kernel exploit which:
Prepares a shellcode in user memory
Redirects execution to the prepared payload, by exploiting a kernel/driver security flaw.
SMEP Bypass
Craft a rop chain to disable SMEP (not possible with win10 vbs)
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent