A look at a Windows 8.1 kernel exploit from MS16-098
When I first started on this kernel vulnerability I had no experience with the kernel at all, let alone with exploiting kernel vulnerabilities, but I had always been interested in reverse engineering and exploitation techniques.
Initially my idea was simple: find a patch for which no public exploit was available yet, and start my reverse engineering and exploitation journey from there. The vulnerability in this article was not my first choice: that attempt failed. This is actually my second choice, and it took me four months to learn everything about the vulnerability.
I hope this blog post can help those who are eager to learn about reverse engineering and exploit development. It is a long process, and I am a novice in kernel exploit development, so I hope you will be patient while reading this article.
Tools used
Expand.exe (for MSU files)
VirtualKD
http://virtualkd.sysprogs.org/ (they claim to be 45 times faster than normal kernel debugging)
WinDbg (kd)
IDA Pro
https://www.hex-rays.com/products/ida/
Zynamics BinDiff IDA plugin
https://www.zynamics.com/bindiff.html
Using Expand.exe
Expand.exe can be used to extract files from Microsoft Update files (MSU) and from CAB files.
Use the following commands to extract the CAB file from the update, and then to extract the contents of that CAB file into the specified directory (-F:* selects every file in the archive):
Expand.exe -F:* [PATH TO MSU] [PATH TO EXTRACT TO]
Expand.exe -F:* [PATH TO EXTRACTED CAB] [PATH TO EXTRACT TO]
WinDbg usage tips
Compared with other debuggers, I personally prefer WinDbg because it supports some useful commands, especially for kernel debugging.
kd> dt [OBJECT SYMBOL NAME] [ADDR]
The dt command dumps memory according to the structure defined in the symbol table, which is useful when parsing objects, and it also handles some special cases when the object's symbol has been exported.
If you omit the address, the command directly displays the structure of the object. For example, to see the structure of the EPROCESS object, we can use the following command.
If the command is followed by an address, the memory at that address is dumped according to the structure defined by the symbol.
The !pool, !poolfind and !poolused commands helped me a lot in my analysis of the kernel pool overflow and in the kernel pool feng shui.
Some useful examples:
To dump the kernel pool page layout for the specified address:
kd> !pool [ADDR]
To retrieve the number of objects with the specified pool tag in the specified pool type:
kd> !poolused [POOLTYPE] [POOLTAG]
To search the whole kernel pool address space for allocations of the specified pool type with the specified pool tag:
kd> !poolfind [POOLTAG] [POOLTYPE]
Understanding the vulnerability through the patch
After downloading the update file, we opened it and found that the modified file is win32k.sys, version 6.3.9600.18405.
To compare it with the old version 6.3.9600.17393, we used IDA's Zynamics BinDiff plugin. An interesting function that can be seen to have changed has a similarity rating of 0.98. The vulnerable function is win32k!bFill.
Here are the differences between the two versions:
The diff quickly shows how an integer overflow vulnerability was patched by adding a call to UlongMult3, a function that detects integer overflow in a multiplication. If the result overflows the type (i.e. ULONG), the error INTSAFE_E_ARITHMETIC_OVERFLOW is returned.
This call was added before the call to PALLOCMEM2, and PALLOCMEM2 uses the checked parameter [rsp+Size]. This confirms that the integer overflow results in the allocation of an undersized object; the question then is: can this value be controlled by the user in some way?
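As an added illustration (not code from this post or from win32k), the following C model puts the pre-patch ULONG size arithmetic beside a UlongMult3-style checked multiplication, so the "undersized allocation" effect and the INTSAFE_E_ARITHMETIC_OVERFLOW rejection can be observed on constructed inputs. The three-factor form, the function names and the sample values are assumptions; only the error name and its intsafe.h value come from real Windows headers.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the size computation before and after the patch.
   It is an illustration of the bug class, not the win32k!bFill code. */

typedef uint32_t ULONG;      /* ULONG is 32 bits on Windows; fixed here for every host */
typedef int32_t  HRESULT;
#define S_OK                          ((HRESULT)0L)
#define INTSAFE_E_ARITHMETIC_OVERFLOW ((HRESULT)0x80070216L)  /* value as in intsafe.h */

/* Pre-patch pattern: the product is computed in ULONG arithmetic, so a large
   attacker-influenced count wraps it to a small number and the allocator
   returns a buffer far smaller than the data later written into it. */
ULONG unchecked_size(ULONG count, ULONG elem_size, ULONG scale) {
    return count * elem_size * scale;   /* wraps modulo 2^32 */
}

/* Post-patch pattern, playing the role of UlongMult3: same three terms, but
   overflow is detected and the size never reaches the allocator (PALLOCMEM2). */
HRESULT checked_mult3(ULONG a, ULONG b, ULONG c, ULONG *result) {
    uint64_t p = (uint64_t)a * b;       /* exact: two 32-bit factors fit in 64 bits */
    if (p > UINT32_MAX) return INTSAFE_E_ARITHMETIC_OVERFLOW;
    p *= c;                              /* p <= 2^32-1 and c <= 2^32-1, still exact */
    if (p > UINT32_MAX) return INTSAFE_E_ARITHMETIC_OVERFLOW;
    *result = (ULONG)p;
    return S_OK;
}

/* Status-only wrapper for callers that just need accept/reject. */
HRESULT checked_status(ULONG a, ULONG b, ULONG c) {
    ULONG ignored;
    return checked_mult3(a, b, c, &ignored);
}

int main(void) {
    /* Constructed input: 0x6666667 * 40 = 0x100000018, which wraps to 0x18 = 24. */
    ULONG count = 0x6666667u, elem = 40u, size = 0;
    printf("unchecked size: %u bytes (wrapped)\n", (unsigned)unchecked_size(count, elem, 1u));
    HRESULT hr = checked_mult3(count, elem, 1u, &size);
    printf("checked: hr=0x%08x size=%u\n", (unsigned)hr, (unsigned)size);
    if (checked_mult3(100u, elem, 1u, &size) == S_OK)
        printf("legitimate request: %u bytes\n", (unsigned)size);
    return 0;
}
```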
When faced with a complex problem, it is advisable to break it down into smaller problems. Since kernel exploitation is a big problem, taking it step by step seems like a good approach.
The steps are as follows:
1. Reach the vulnerable function
2. Control the allocation size
3. Kernel pool feng shui
4. Use GDI bitmap objects
5. Analyze and control the overflow
6. Repair the overflowed header
7. Obtain the token representing SYSTEM privileges from the kernel process object (EPROCESS) of the SYSTEM process
8. Obtain SYSTEM privileges