CVE-2020-17382
In this section, we'll install and activate the vulnerable driver, laying the foundation for exploring its potential exploits. Let's get started!
This vulnerability was discovered and researched by Lucas Dominikow from the Core Security Team.
The advisory describes it as follows: "Multiple stack buffer overflows were found in the MsIo64 driver used by the service MSI AmbiLighter from MSI Ambient Link when processing IoControlCode (IOCTL) 0x80102040, 0x80102044, 0x80102050, and 0x80102054. Local attackers, including low integrity processes, can exploit these vulnerabilities and consequently gain NT AUTHORITY\SYSTEM privileges."
In this section we will write an exploit for the MSI Ambient Link driver (v1.0.0.08). We will start by locating the vulnerability and then develop an exploit, dealing with mitigations such as kASLR, DEP and SMEP along the way.
For this section, the vulnerable driver is installed on Windows 10 1607 64-bit, also known as the "Windows 10 Anniversary Update". If you follow along on a different Windows build, keep in mind that the offsets of ROP gadgets and kernel structures will differ, and that the set of mitigations present (and therefore the steps needed to bypass them) may differ as well.
Download the driver below, unzip the file and place it somewhere convenient on the target machine.
Note: the driver is not signed, so before it can be loaded you must enable test signing by running the following command from an elevated command prompt (the setting takes effect after a reboot):
To install the driver for testing enter the following command:
The driver should install successfully.
During exploit development we will need to reboot the target frequently, and the driver service does not start on its own after a reboot. The following command, run from an elevated command prompt, restarts it:
Note: it may be beneficial to create a batch file that is executed automatically on sign in, to save time when starting the driver.
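The whole setup procedure above (enable test signing, register the driver as a kernel service, start it, and have it restart automatically at sign-in) collected into one script. This is an added example and is not code from the original page or from the MSI product; the driver path `C:\drivers\MsIo64.sys`, the service name `MsIo` and the scheduled-task name are assumptions you should adjust to match where you unzipped the driver and what you called the service.

```powershell
# Added example: install the vulnerable MsIo64.sys driver on the test VM and
# make it restart at every sign-in. Run from an elevated PowerShell prompt.
# $DriverPath, $ServiceName and the task name are assumptions, not values from the page.
#Requires -RunAsAdministrator
param(
    [string]$DriverPath  = 'C:\drivers\MsIo64.sys',  # assumed: where the unzipped driver was placed
    [string]$ServiceName = 'MsIo',                    # assumed: service name chosen for the driver
    [string]$TaskName    = 'StartMsIoDriver'          # assumed: name of the logon task
)

if (-not (Test-Path -LiteralPath $DriverPath)) {
    throw "Driver not found at $DriverPath - unzip the download first and fix the path."
}

# 1. Allow test-signed/unsigned drivers to load. Only takes effect after a reboot,
#    so the first run of this script will end with a reboot.
$needReboot = $false
$bcd = bcdedit /enum "{current}" | Out-String
if ($bcd -notmatch 'testsigning\s+Yes') {
    bcdedit /set testsigning on | Out-Null
    $needReboot = $true
}

# 2. Register the driver as a kernel-mode service (skip if it already exists).
#    Note: "sc" is an alias for Set-Content in PowerShell, so call sc.exe explicitly,
#    and keep the space after "type=" / "binPath=" - sc.exe requires it.
if (-not (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)) {
    sc.exe create $ServiceName type= kernel binPath= $DriverPath | Out-Null
}

# 3. Start the driver and confirm it is actually resident in the kernel.
if (-not $needReboot) {
    sc.exe start $ServiceName | Out-Null
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$ServiceName'"
    if ($null -eq $drv -or $drv.State -ne 'Running') {
        throw "Driver service '$ServiceName' is not running (state: $($drv.State))."
    }
    Write-Host "Driver $ServiceName is running from $($drv.PathName)"
}

# 4. Start the driver automatically at every sign-in, so each reboot during
#    exploit development does not need a manual "sc start".
$action    = New-ScheduledTaskAction -Execute 'sc.exe' -Argument "start $ServiceName"
$trigger   = New-ScheduledTaskTrigger -AtLogOn
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Force | Out-Null

if ($needReboot) {
    Write-Host 'Test signing enabled; rebooting so the driver can be loaded.'
    Restart-Computer -Force
}
```

The script is safe to run repeatedly: it only touches the boot configuration when test signing is off, only creates the service when it is missing, and re-registers the logon task with `-Force`. Because the debugger will reset the target often, the `Win32_SystemDriver` check is the quickest way to tell whether a failed exploit attempt left the driver unloaded before you try again.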
Remember to connect your debugging host to the target!