- References a local variable or buffer that was never properly initialized.
- Usually mitigated by compiler warnings/errors that flag potentially uninitialized uses in the source code.
- Challenge: how can one control the stale bytes left on the ring-0 stack from a ring-3 perspective?
- How to exploit:
- Find the kernel stack init address (WinDbg: !thread).
- Find the offset of our callback from this init address.
- Spray the kernel stack with user-controlled input from user mode using the NtMapUserPhysicalPages trick.
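An added example (not from the original notes) of the uninitialized-local pattern described above: a hypothetical driver dispatch routine with a function pointer that is only assigned on some paths, beside a fixed version. The IOCTL codes, status values and handler names are invented for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Added example, not part of the original notes. Hypothetical driver
 * dispatch routine: IOCTL codes, status values and handlers are invented. */

typedef int (*handler_fn)(uint32_t arg);

#define IOCTL_ENABLE  0x1u
#define IOCTL_DISABLE 0x2u
#define STATUS_INVALID_PARAMETER (-1)

static int enable_handler(uint32_t arg)  { return (int)(arg & 0xffu); }
static int disable_handler(uint32_t arg) { return (int)(arg >> 8); }

/* Vulnerable: fn is only assigned for the two known control codes. For any
 * other code the indirect call uses whatever bytes an earlier kernel stack
 * frame left in that slot. gcc -Wall -O2 reports "'fn' may be used
 * uninitialized" here, which is the compiler mitigation the notes mention. */
int dispatch_vulnerable(uint32_t code, uint32_t arg)
{
    handler_fn fn;                              /* never initialized */
    if (code == IOCTL_ENABLE)  fn = enable_handler;
    if (code == IOCTL_DISABLE) fn = disable_handler;
    return fn(arg);                             /* stale pointer on unknown code */
}

/* Fixed: initialize the pointer and reject unknown codes before it is used,
 * so no control path reaches the call with leftover stack contents. */
int dispatch_fixed(uint32_t code, uint32_t arg)
{
    handler_fn fn = NULL;
    switch (code) {
    case IOCTL_ENABLE:  fn = enable_handler;  break;
    case IOCTL_DISABLE: fn = disable_handler; break;
    default:            return STATUS_INVALID_PARAMETER;
    }
    return fn(arg);
}

int main(void)
{
    printf("enable  -> %d\n", dispatch_fixed(IOCTL_ENABLE, 0x1234));   /* 52 */
    printf("disable -> %d\n", dispatch_fixed(IOCTL_DISABLE, 0x1234));  /* 18 */
    printf("unknown -> %d\n", dispatch_fixed(0x99, 0x1234));           /* -1 */
    return 0;
}
```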
- Happens when a pointer whose value is NULL is used by the application as if it pointed to a valid memory area.
- How to exploit:
- Map the NULL page in user space.
- Place a fake data structure in it that will cause our shellcode to be executed.
- Trigger the dereference bug.
- The general algorithm for the token stealing shellcode is:
- Save the driver's registers so we can restore them later and avoid crashing it.
- Find the _KPRCB struct via the fs segment register.
- Find the _KTHREAD structure corresponding to the current thread by indexing into _KPRCB.
- Find the _EPROCESS structure corresponding to the current process by indexing into _KTHREAD.
- Find the _EPROCESS structure of the process with PID 4 (UniqueProcessId = 4) by walking the doubly linked list that chains together all _EPROCESS structures; this is the "System" process, which always runs with the NT AUTHORITY\SYSTEM SID (Security Identifier).
- Retrieve the address of the Token of that process.
- Look for the _EPROCESS structure corresponding to the process we want to escalate (our process).
- Replace the Token of the target process with the Token of the "System" process.
- Clean up our stack and reset our registers before returning.
- SMEP is a hardware mitigation introduced by Intel (branded as "OS Guard") that prevents code lying in user-mode memory from being executed with Ring-0 privileges; any attempt results in a crash. This basically prevents EoP exploits that rely on executing a user-mode payload from ever executing it.
- The SMEP bit is bit 20 of the CR4 register.
- SMEP's goal is to block kernel exploits that:
- Prepares a shellcode in user memory,
- Redirects execution to the prepared payload, by exploiting a kernel/driver security flaw.
- Craft a ROP chain to disable SMEP (not possible with Windows 10 VBS).
- Modifying nt!MmUserProbeAddress
- Windows Reserve Objects