Exploitation techniques for NT kernel
Adrien ‘Adr1’ Garin (EPITA)
July 14, 2016 (47 slides)

Outline
  Introduction
  General concepts
  Internals
  Exploitation
    Stack overflow
    Integer overflow
    Write What Where
    Shellcode
  CVEs
    CVE-2016-0040
  Mitigations
    KASLR
    Integrity levels
    DEP/NX
    SMEP / SMAP
    CET
  Conclusion
Introduction
Introduction
- Lots of security measures in userland
  - bypassing sandboxes
  - ring0 privileges
  - UAC bypass
- Lots of signed drivers are vulnerable
Introduction
- An error at the kernel level = BSoD
- The kernel is a large and complex system
  - lots of interconnected subsystems that you have to deeply understand
  - less likely to be bug-free
General concepts
General concepts
- find the location or offsets of critical structures in kernel memory
- find addresses of kernel API functions
- two possibilities for code execution
  - code located in user space (easier)
  - code located in kernel space (harder but SMEP bypass)

Figure 1: Shellcode type overview
General concepts: List modules

    #include <windows.h>
    #include <stdio.h>
    /* PRTL_PROCESS_MODULES and SystemModuleInformation (class 11) are not in the
       public SDK headers; they are declared by hand from the ntdll definitions. */

    PRTL_PROCESS_MODULES m = VirtualAlloc(NULL, 1024 * 1024,
                                          MEM_COMMIT,
                                          PAGE_READWRITE);
    /* return status and ReturnLength are ignored here; the 1 MiB buffer is assumed large enough */
    NtQuerySystemInformation(SystemModuleInformation,
                             m, 1024 * 1024, NULL);
    for (SIZE_T i = 0; i < m->NumberOfModules; ++i) {
        printf("Image base: %p\n", m->Modules[i].ImageBase);
        printf("Image name: %s\n",
               m->Modules[i].FullPathName + m->Modules[i].OffsetToFileName);
    }
Output

    Image base: FFFFF8008B683000
    Image name: ntoskrnl.exe

    Image base: FFFFF8008B610000
    Image name: hal.dll

    Image base: FFFFF8008A005000
    Image name: kd.dll

    Image base: FFFFF8003D4C0000
    Image name: mcupdate_GenuineIntel.dll

    Image base: FFFFF8003D550000
    Image name: werkernel.sys

    Image base: FFFFF8003D560000
    Image name: CLFS.SYS
    [...]
General concepts

Now we can load these modules in user space with LoadLibrary and use GetProcAddress to compute the offset of an export from the image base:

    HMODULE ntoskrnl = LoadLibrary("ntoskrnl.exe");   /* user-space mapping of the kernel image */
    return (ULONG_PTR)GetProcAddress(ntoskrnl, "NtCreateFile") - (ULONG_PTR)ntoskrnl;
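An added example, not code from the slides: the same SystemModuleInformation query in Python, with the undocumented RTL_PROCESS_MODULES layout that the slide's C loop relies on written out as a ctypes structure (x64 field sizes and the class value 11 are assumptions). Off Windows it parses a constructed buffer carrying the two image bases from the output listed above; on Windows it queries the live kernel. `kernel_address` is the base-plus-offset computation the slide performs with GetProcAddress. One caveat a practitioner should know: Windows 8.1 and later withhold these addresses from low-integrity (sandboxed) callers, which this code treats as either a failed query or a zero image base.

```python
import ctypes
import struct
import sys
from ctypes import c_char, c_uint16, c_uint32, c_uint64


# Layout of one entry returned by NtQuerySystemInformation(SystemModuleInformation).
# Not in the public SDK headers; x64 field sizes assumed (HANDLE/PVOID = 8 bytes),
# which gives the 296-byte entry that the slide's loop steps through.
class RTL_PROCESS_MODULE_INFORMATION(ctypes.Structure):
    _fields_ = [
        ("Section", c_uint64),
        ("MappedBase", c_uint64),
        ("ImageBase", c_uint64),
        ("ImageSize", c_uint32),
        ("Flags", c_uint32),
        ("LoadOrderIndex", c_uint16),
        ("InitOrderIndex", c_uint16),
        ("LoadCount", c_uint16),
        ("OffsetToFileName", c_uint16),
        ("FullPathName", c_char * 256),
    ]


SYSTEM_MODULE_INFORMATION = 11   # SYSTEM_INFORMATION_CLASS value (assumed, as in the slide's code)
HEADER_SIZE = 8                  # ULONG NumberOfModules, padded to the 8-byte entry alignment
ENTRY_SIZE = ctypes.sizeof(RTL_PROCESS_MODULE_INFORMATION)


def parse_module_list(buf):
    """Decode a SystemModuleInformation buffer into (file name, image base, image size) tuples."""
    count = struct.unpack_from("<I", buf, 0)[0]
    modules = []
    for i in range(count):
        off = HEADER_SIZE + i * ENTRY_SIZE
        entry = RTL_PROCESS_MODULE_INFORMATION.from_buffer_copy(buf[off:off + ENTRY_SIZE])
        # FullPathName is NUL-terminated; OffsetToFileName points just past the last backslash
        name = entry.FullPathName[entry.OffsetToFileName:].decode("ascii", "replace")
        modules.append((name, entry.ImageBase, entry.ImageSize))
    return modules


def build_module_list(entries):
    """Pack (path, base, size) tuples in the same layout; used only to construct sample data."""
    buf = bytearray(HEADER_SIZE + len(entries) * ENTRY_SIZE)
    struct.pack_into("<I", buf, 0, len(entries))
    for i, (path, base, size) in enumerate(entries):
        e = RTL_PROCESS_MODULE_INFORMATION()
        e.ImageBase, e.ImageSize, e.LoadOrderIndex = base, size, i
        e.OffsetToFileName = path.rfind("\\") + 1
        e.FullPathName = path.encode("ascii")
        off = HEADER_SIZE + i * ENTRY_SIZE
        buf[off:off + ENTRY_SIZE] = bytes(e)
    return bytes(buf)


def bases_disclosed(modules):
    """False when the kernel zeroed the image bases (low-integrity caller on Windows 8.1+)."""
    return all(base != 0 for _name, base, _size in modules)


def kernel_address(modules, module_name, export_offset):
    """Image base + export offset: the computation the slide does with GetProcAddress."""
    for name, base, _size in modules:
        if name.lower() == module_name.lower():
            if base == 0:
                raise PermissionError("image base withheld for %s" % name)
            return base + export_offset
    raise KeyError(module_name)


def live_module_list():
    """Ask the running kernel (Windows x64 only); the same call as the slide's C code."""
    ntdll = ctypes.WinDLL("ntdll")
    size = 1024 * 1024
    buf = ctypes.create_string_buffer(size)
    needed = c_uint32(0)
    status = ntdll.NtQuerySystemInformation(SYSTEM_MODULE_INFORMATION, buf, size, ctypes.byref(needed))
    if status != 0:   # e.g. access denied for a low-integrity caller
        raise OSError("NtQuerySystemInformation failed, NTSTATUS 0x%08x" % (status & 0xFFFFFFFF))
    return parse_module_list(buf.raw[:needed.value])


# Constructed sample: the two image bases printed on the output slide, with made-up sizes.
SAMPLE_BUFFER = build_module_list([
    ("\\SystemRoot\\system32\\ntoskrnl.exe", 0xFFFFF8008B683000, 0x8F4000),
    ("\\SystemRoot\\system32\\hal.dll", 0xFFFFF8008B610000, 0x73000),
])

if __name__ == "__main__":
    modules = live_module_list() if sys.platform == "win32" else parse_module_list(SAMPLE_BUFFER)
    for name, base, size in modules:
        print("%-32s base=%016X size=%08X" % (name, base, size))
```

The entry is 296 bytes on x64 because the four 16-bit fields sit between the 32-bit Flags and the 256-byte path; getting that padding wrong is the usual reason a hand-written parser of this buffer prints garbage names.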
General concepts

Figure 2: System process

Privilege escalation
- Elevate privileges of the user-mode process
- Copy the System token and overwrite the current process access token
General concepts
- Enumerate EPROCESS structures in kernel memory
- find the System process
- copy the pointer to the token structure of System to the current process

Now the process receives the SID S-1-5-18
DACL

Figure 3: DACL

Discretionary access control list (DACL)
- Specifies who has what access to the object
ACL: WinDbg

    lkd> !process 0 0 explorer.exe
    PROCESS ffffe0005168a840
        SessionId: 1  Cid: 1690    Peb: 00b85000  ParentCid: 1664
        DirBase: 191e8c000  ObjectTable: ffffc001f211eb80
        Image: explorer.exe
ACL: WinDbg

    lkd> !process 1690 1
    Searching for Process with Cid == 1690
    PROCESS ffffe0005168a840
        SessionId: 1  Cid: 1690    Peb: 00b85000  ParentCid: 1664
        DirBase: 191f0c000  ObjectTable: ffffc001f211eb80
        Image: explorer.exe
        DeviceMap                 ffffc001dd5cd760
        Token                     ffffc001f212a960
        [...]
ACL: WinDbg

    lkd> !token ffffc001f212a960
    _TOKEN ffffc001f212a960
    TS Session ID: 0x1
    User: S-1-5-21-542871337-1692334756-291223173-1001
    User Groups:
     00 S-1-5-21-542871337-1692334756-291223173-513
        Attributes - Mandatory Default Enabled
     01 S-1-1-0
        Attributes - Mandatory Default Enabled
    [...]
    Primary Group: S-1-5-21-542871337-1692334756-291223173-513
    Privs:
     19 0x000000013 SeShutdownPrivilege               Attributes -
     23 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled
     25 0x000000019 SeUndockPrivilege                 Attributes -
     33 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes -
     34 0x000000022 SeTimeZonePrivilege               Attributes -
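An added example, not code from the slides, serving both the token-swap description above (the process "receives the SID S-1-5-18") and this !token dump: a small parser for the User, User Groups, Primary Group and Privs sections of the dump, with a SID classifier so the before/after picture of a replaced token is readable. EXPLORER_TOKEN is a constructed copy of the dump on this slide; SYSTEM_TOKEN is a constructed Local System token (its group attributes and privilege set are illustrative, not taken from a real dump). `describe_transition` shows what a defender comparing a process's token owner against the account that launched it would see after the swap: a user RID replaced by S-1-5-18, plus a much larger enabled privilege set.

```python
import re
from dataclasses import dataclass, field

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Well-known SIDs relevant to the slides (S-1-5-18 is what the token swap hands the process).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM (Local System)",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}
DOMAIN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}


def classify_sid(sid):
    """Human-readable account class for a SID string such as S-1-5-21-...-1001."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    if not SID_RE.match(sid):
        raise ValueError("not a SID string: %r" % sid)
    authority, *subs = [int(p) for p in sid.split("-")[2:]]
    if authority == 5 and len(subs) == 5 and subs[0] == 21:   # machine/domain SID + RID
        rid = subs[-1]
        if rid in DOMAIN_RIDS:
            return DOMAIN_RIDS[rid]
        return "domain/local account (RID %d)" % rid if rid >= 1000 else "reserved RID %d" % rid
    return "unclassified"


@dataclass
class Token:
    user: str = ""
    groups: list = field(default_factory=list)       # (sid, attribute string)
    primary_group: str = ""
    privileges: list = field(default_factory=list)   # (name, enabled)


GROUP_LINE = re.compile(r"^\d+\s+(S-1-[\d-]+)$")
ATTR_LINE = re.compile(r"^Attributes\s*-\s*(.*)$")
PRIV_LINE = re.compile(r"^\d+\s+0x[0-9A-Fa-f]+\s+(Se\w+)\s+Attributes\s*-\s*(.*)$")


def parse_token_dump(text):
    """Parse the User, User Groups, Primary Group and Privs parts of a WinDbg !token dump."""
    tok, section, pending_sid = Token(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("User:"):
            tok.user = line.split(":", 1)[1].strip()
        elif line.startswith("User Groups:"):
            section = "groups"
        elif line.startswith("Primary Group:"):
            tok.primary_group, section = line.split(":", 1)[1].strip(), None
        elif line.startswith("Privs:"):
            section = "privs"
        elif section == "groups":
            m = GROUP_LINE.match(line)
            if m:
                pending_sid = m.group(1)      # the SID line; attributes follow on the next line
                continue
            m = ATTR_LINE.match(line)
            if m and pending_sid:
                tok.groups.append((pending_sid, m.group(1).strip()))
                pending_sid = None
        elif section == "privs":
            m = PRIV_LINE.match(line)
            if m:
                tok.privileges.append((m.group(1), "Enabled" in m.group(2)))
    return tok


def is_system_token(tok):
    return tok.user == "S-1-5-18"


def enabled_privileges(tok):
    return [name for name, enabled in tok.privileges if enabled]


def describe_transition(before, after):
    """What an observer sees when a process's token is replaced (the swap described on the slides)."""
    if before.user == after.user:
        return "token user unchanged: %s" % classify_sid(after.user)
    return "token user changed: %s -> %s" % (classify_sid(before.user), classify_sid(after.user))


# Constructed copy of the explorer.exe token dump shown on the slide.
EXPLORER_TOKEN = """\
_TOKEN ffffc001f212a960
TS Session ID: 0x1
User: S-1-5-21-542871337-1692334756-291223173-1001
User Groups:
 00 S-1-5-21-542871337-1692334756-291223173-513
    Attributes - Mandatory Default Enabled
 01 S-1-1-0
    Attributes - Mandatory Default Enabled
[...]
Primary Group: S-1-5-21-542871337-1692334756-291223173-513
Privs:
 19 0x000000013 SeShutdownPrivilege               Attributes -
 23 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled
 25 0x000000019 SeUndockPrivilege                 Attributes -
 33 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes -
 34 0x000000022 SeTimeZonePrivilege               Attributes -
"""

# Constructed, not from the slides: the same fields for a Local System token (illustrative values).
SYSTEM_TOKEN = """\
User: S-1-5-18
User Groups:
 00 S-1-5-32-544
    Attributes - Default Enabled Owner
 01 S-1-1-0
    Attributes - Mandatory Default Enabled
Primary Group: S-1-5-18
Privs:
 07 0x000000007 SeTcbPrivilege                    Attributes - Enabled Default
 20 0x000000014 SeDebugPrivilege                  Attributes - Enabled Default
"""

if __name__ == "__main__":
    before, after = parse_token_dump(EXPLORER_TOKEN), parse_token_dump(SYSTEM_TOKEN)
    print(before.user, "->", classify_sid(before.user), "| enabled:", enabled_privileges(before))
    print(describe_transition(before, after))
```

Note that a user process normally has only SeChangeNotifyPrivilege enabled by default; the token swap replaces the whole privilege set along with the owner, which is why comparing a process's token against what its parent could have granted is a useful sanity check.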
ACL: WinDbg

    lkd> !object ffffe0005168a840
    Object: ffffe0005168a840  Type: (ffffe0004ba88480) Process
        ObjectHeader: ffffe0005168a810 (new version)
        HandleCount: 14  PointerCount: 421752