CVE-2020-17382

In this section, we'll install and activate the vulnerable driver, laying the foundation for exploring its potential exploits. Let's get started!

This vulnerability was discovered and researched by Lucas Dominikow from the Core Security Team.

The advisory describes it as follows: "Multiple stack buffer overflows were found in the MsIo64 driver used by the service MSI AmbiLighter from MSI Ambient Link when processing IoControlCode (IOCTL) 0x80102040, 0x80102044, 0x80102050, and 0x80102054. Local attackers, including low integrity processes, can exploit these vulnerabilities and consequently gain NT AUTHORITY\SYSTEM privileges."

The Exploit

In this section we will write an exploit for the MSI Ambient Link driver (v1.0.0.08). We will start off by finding the vulnerability and then developing an exploit, whilst encountering mitigations such as kASLR, DEP and SMEP.

Preparation

For this section, we focus on the vulnerable driver installed on Windows 10 1607 64-bit, also known as the "Windows 10 Anniversary Update." If you opt to perform this section on a different operating system, keep in mind that the address offsets for ROP gadgets and kernel structs will vary. Additionally, mitigations may differ depending on the chosen operating system.

Driver Installation

Download the driver below, unzip the file and place it somewhere convenient on the target machine.

Note: In order to install unsigned drivers you will need to run the following command from an elevated command prompt (the setting takes effect after a reboot):

bcdedit /set testsigning on

To install the driver for testing enter the following command:

sc create MSI type= kernel binPath= <the location of the sys file>

The driver should install successfully.

Starting the Driver

During exploit development we will need to reboot the target operating system frequently. When the operating system restarts we will need to restart the driver service. The following command can be used from an elevated command prompt:

sc start MSI

Note: It may be beneficial to create a batch file that is executed automatically on sign-in, to save time when starting the driver.
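The following batch file is an added example of such a sign-in helper; it is not part of the original page. It assumes the service name "MSI" used above, and DRIVER_PATH is a placeholder you must point at the unzipped .sys file.

```batch
@echo off
REM Added example (not from the original page): lab helper that (re)creates and
REM starts the MSI test service after each reboot, so the driver is ready to debug.
REM Assumptions: service name "MSI" as used on this page; DRIVER_PATH is a placeholder.
REM Run from an elevated command prompt, or register it to run at sign-in.

setlocal
set "SERVICE=MSI"
set "DRIVER_PATH=C:\path\to\the\driver.sys"

REM sc create / sc start need administrator rights; "net session" fails when not elevated.
net session >nul 2>&1
if errorlevel 1 (
    echo [!] This script must be run from an elevated command prompt.
    exit /b 1
)

REM Warn if test signing does not appear enabled; an unsigned driver will not load without it.
bcdedit /enum {current} | find /i "testsigning" | find /i "Yes" >nul
if errorlevel 1 (
    echo [!] testsigning does not appear to be enabled; run "bcdedit /set testsigning on" and reboot.
)

REM Create the kernel service only if it does not exist yet (sc create fails on duplicates).
sc query "%SERVICE%" >nul 2>&1
if errorlevel 1 (
    echo [*] Service %SERVICE% not found, creating it from "%DRIVER_PATH%"
    sc create "%SERVICE%" type= kernel binPath= "%DRIVER_PATH%" || exit /b 1
)

REM sc start errors if the service is already running, so check its state first.
sc query "%SERVICE%" | find "RUNNING" >nul
if errorlevel 1 (
    echo [*] Starting %SERVICE%
    sc start "%SERVICE%" || exit /b 1
) else (
    echo [*] %SERVICE% is already running
)

REM Print the final state so the result can be confirmed on the console.
sc query "%SERVICE%"
endlocal
```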

Debugging

Remember to connect your debugging host to the target!
