0x02 - Windows Privilege Esc - A Low Level Explanation of Token Theft

Windows Privilege Escalation
Russell Sanford
xort @ sploit.online
A Low-Level Explanation of Token Theft

What Were Covering:
• KPRCB structure
• ETHREAD structure
• EPROCESS structures
• ActiveProcessLinks
• Locating SYSTEM’s EPROCESS structure from Userland
• Stealing SYSTEM’s TOKEN and patching them over our
process’ EPROCESS for Priv Esc
• Read / Write Primitives
Extra Fun - Interactive Learning Exploit!
• DHA_Vuln_Driver_RW_Primitive.sys
• DHA_Userland_Exploit_PEEKPOKE.exe
• DHA_Userland_Find_SYSTEM_EPROCESS.exe
• DHA_PrivEsc_Demo.py
Token Theft @ A Low-Level
WOOHOO!

Goals of this presentation
• Explain how Token Theft Privilege Escalation Work
• Explain what Read-What-Where and Write-What-Where primitives are
• Provide you with a simplified vulnerable target driver and tool to exploit
the driver to practice with
• Walk through exploiting our demo kernel vulnerability

Before we start…
A quick note on pointers and memory addressing

What's this ‘pointer’ you speak of?
A pointer is a variable that stores the address of another variable.
Its an address stored at an address that points to somewhere else.
In the example above, the POINTER located at address 0x7fff98b499e8 POINTS to address 0x7fffa0757dd4 which
is where the Variable with the value “10” is located.

Setup : The Code

Setup : The Code
• I’ve provided compiled versions of the kernel driver, the executables used to exploit
them, and scripted exploit. Compiled Binaries and Source Codes:
http://sploit.online/0x2_KernelTalks_TokenTheftPrivEsc/
• If you don’t trust the code – or just wish to analyze it – the source has been provided
as well.
• To compile the code, you will need Visual Studio as well as the Windows SDK and
WDK. Instructions for installing these prerequisites can all be found here:
https://learn.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk

1
2 3
Setup : Loading the DHA_VulnDriver with
OSR Driver Loader
1) Select BROWSE to select the Driver
2) Select Register Service
( All Windows Drivers must have a entry in the
Registry in order to load )
3) Select Start Service
* ALTERNATIVELY, you could use an unsigned driver loader like KDU :D :D

+ SHIFT
Press F7
Select Startup Settings Select Restart
In order to load
The vulnerable
Driver, you must first
Disable Driver
Signature
Enforcement!
1 2 3 4
SETUP: DISABLE DRIVER SIGNING

Windows Internal Structures for Process Management

Windows Internals:
KPRCB structure
The name KPRCB stands for (Kernel) Processor Control Block.
The kernel keeps one for each logical processor as the last
member of the processor’s KPCR.
The KPRCB (formally _KPRCB) holds most of what the kernel
needs ready access to while managing a processor and while
managing resources that are themselves managed more simply
and quickly per processor.
The KPRCB structure’s CurrentThread pointer connects the
structure to a _ETHREAD structure….

Windows Internals:
ETHREAD structure
• The ETHREAD structure is the kernel’s
representation of a thread object.
• In the Windows Kernel it is accessed by
referencing GS:0x188
• When writing Kernel Shellcode, this is the easiest
entry point path to work your way to the
EPROCESS list of linked structures
<----- %gs:0x188
( in assembly points here)

Windows Internals:
EPROCESS structures
• The EPROCESS structure is the kernel's representation
of a process object.
• Each running process has an associated
EPROCESS structure that Windows Uses to
keep track of it with.

A look inside an EPROCESS structure
• The Actual structure is 2944 bytes in length and host
a vast amount of information describing the running
process such as the process’s name, Image Base
Address of the loaded binary in Memory and a a whole
lot more.
• For this Exercise we’ll only be using 3 fields of this
Lengthy and detailed structure:
1) UniqueProcessId (PID)
2) ActiveProcessLinks (Links to the next/previous
EPROCESS structures)
3) Token (Security Token Assigned to process)
0:027> dt nt!_EPROCESS
ntdll!_EPROCESS
+0x000 Pcb : _KPROCESS
...
+0x440 UniqueProcessId : Ptr64 Void
+0x448 ActiveProcessLinks : _LIST_ENTRY
...
+0x4b8 Token : _EX_FAST_REF
...
...
+0x5a8 ImageFileName : [15] UChar
...
+0xb70 MitigationFlags3Values : <unnamed-tag>
0:024> ?? sizeof(nt!_EPROCESS)
unsigned int64 0xb80

Walking EPROCESS structures using ActiveProcessLinks
• Each EPROCESS structure contains a LIST_ENTRY substructure which is a pair of
pointers known as ActiveProcessLinks
• LIST_ENTRY structures are double-linked list that point to a identical structures
both preceding/proceeding the current structure

Walking EPROCESS structures using ActiveProcessLinks
• ActiveProcessLinks (LIST_ENTRY links) allow us to walk through a list of all the
system’s EPROCESS structures – each of which representing a running process –
in a circular manner – both forwards of backwards

Exploit Primitives

READ-WHAT-WHERE & WRITE WHAT WHERE Primitives
READ-WHAT-WHERE – allows us to specify an address to a function
and return the value stored at that location in memory
WRITE-WHAT-WHERE – allows us to specify an address in memory
along with a value to store at that location in memory
* These terms are typically used when referring to kernel land
vulnerabilities but also can be used in describing userland bugs

Data-Driven Attacks
Due to VBS, HVCI, CI, DEP, Page Guard, and other mitigations the days of
running executable shellcode are largely over with
Data-Driven attacks involving modifying Process’ Handles, Structures, and
Objects is still fair game.
We can utilize Data-Driven Attacks to Escalate Privileges and get executable
code to run (example: LOL Driver attacks)

Exploitation Tool

Keeping it old school - PEEK and POKE 

DHA_Userland_Exploit_PEEKPOKE.exe
Allows for us to READ or
WRITE to R/W Section of
memory by offering Read-
What-Where and Write-
What-Where primitives to
conduct Data-Driven attacks
against the kernel.
Usage:
PEEK [address]
POKE [address] [write-data]
Operates with UINT64
variables

The Vulnerable Driver

DHA_Vuln_Driver_RW_Primitive.sys
BSOD-free kernel fun !
• The vulnerable driver was compiled with Exception Handling to not allow illegal
memory access attempts.
• Normally, if you tried to access an
unallocated, privately mapped, or
illegal address you would cause an
exception leading to something like…

The Privilege Escalation Attack – Step by Step

Locating SYSTEM’s EPROCESS structure from Userland
DHA_Userland_Find_SYSTEM_EPROCESS.exe explained… (c++)
STEP 1: Finding Windows Kernel Base
• The EnumDeviceDrivers() function will populate a list of loaded system modules
• The first entry [0] contains the loading address of ntosknrl.exe (windows kernel)

DHA_Userland_Find_SYSTEM_EPROCESS.exe explained… (c++)
STEP 2: Finding SYSTEM’s EPROCCESS structure offset
• We use LoadLibraryA() to load ntoskrnl.exe (Normally used for DLL’s – but .EXE, .SYS, and
.DLL are the same PE file format
• We use GetProcAddress() to find the export for PsInitialSystemProcess (EPROCESS pointer
offset)
( GetProcAddress() is normally used to look
up function addresses – but what it’s
ACTUALLY doing is looking up EXPORT
names/addresses  )
• We Add Kernelbase + PsInitialSystemProcess together for pointer to EPROCESS in memory

STEP 1 & 2: Finding SYSTEM’s EPROCCESS structure offset
Note: KERNELBASE + OFFSET == POINTER to SYSTEM EPROCESS Structure (#4)
STEP3: Resolve the POINTER to SYSTEM’s EPROCESS structure
Now we have the location of SYSTEM’s EPROCESS structure and have entered the
double-linked list of EPROCESS structures!
ADDRESS: 0xffff848b9eafd040

Let’s Verify we have SYSTEM’s EPROCESS structure
SYSTEM’s EPROCESS structure ALWAYS has a PID of #4
EPROCESS Structure offsets
UniqueProcessId = 0x440 # PVOID
ActiveProcessLinks = 0x448 # LIST_ENTRY
Token = 0x4b8 # PVOID
EPROCESS ADDRESS = 0xffff848b9eafd040
UniqueProcessId = 0x440
0xffff848b9eafd040 + 0x440 = 0xffff848b9eafd480
YEP That’s SYSTEM!

Let’s steal SYSTEM’s EPROCESS structure’s security Token !
EPROCESS Structure offsets
UniqueProcessId = 0x440 # PVOID
ActiveProcessLinks = 0x448 # LIST_ENTRY
Token = 0x4b8 # PVOID
EPROCESS ADDRESS = 0xffff848b9eafd040
Token = 0x4b8
0xffff848b9eafd040 + 0x440 = 0xffff848b9eafd4f8
SYSTEM_TOKEN = 0xffffbe87f081e62f

Let’s adjust our recovered SYSTEM EPROCESS Token for use
All Windows internal OBJECTs have an attached ‘Reference Count’ (Ref Cnt) number to
keep copies of different instances of use of an object.
Were going to remove the Reference Count from the Token for our purposes
This simply means removing the lower 3 bits of our recovered token by using a logical
AND operation with the value 0xfffffffffffffff7
SYSTEM_TOKEN = 0xFFFFBE87F081E62F (BEFORE)
&
0xFFFFFFFFFFFFFFF7
=
SYSTEM_TOKEN = 0xFFFFBE87F081E628 (AFTER) * in this instance the lower 0xF (1111) becomes 0x8 (1000)

Let’s walk the EPROCESS list’s connecting LIST_ENTRYs
Remember, Each Link in a LIST_ENTRY structure just points to the next link (Flink/Blink)
0xffff848b9eb90488 0xffff848b9ebe2488 0xffff848ba0fda488

Let’s walk the EPROCESS list’s connecting LIST_ENTRYs to
find our process’ PID
We Add the ActiveProcessLinks offset
of +0x448 to the location address of
SYSTEM’s EPROCESS structure and
dereference (PEEK) the address there
to enter the double linked list
The LOOP:
We check (PEEK) the value of
ADDRESS – 0x8 to see if is equal to
our PID
If not: we (PEEK) the address of the
last address returned to walk the list
forward

Ounce we find our PID lets copy SYSTEM’s Token over Ours
Note: The difference
between the
UniqueProcessID offset and
Token offsets is 0x78 bytes
At this location we write our
stolen Token using the POKE
command supplying the
address of our PID’s Token
to write to and the SYSTEM
Token value

Demo Exploit Automating the Attack

Demo Exploit Module DHA_PrivEsc_Demo.py

Final Notes on Professional Exploitation

Final notes on writing Profession Exploits…
The EPROESS Structure is what’s known as an “Opaque structure” basically meaning –
it’s meant to be internal and is subject to change in it’s layout.
The EPROCESS structure has changed many times in the last few versions of windows.
Offset changes can be observed in the structure here:
https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/ntos/ps/eprocess/index.htm
In writing a professional exploit a exploit author would detect the OS version and adjust
to ensure these offsets match the version of the target OS and that the exploit could be
versatile if affecting multiple versions of the Operating system

Final notes on writing Profession Exploits…
To keep some of the math basic I explained to you that PID could be found 8 bytes
behind ActiveProcessLink’s LIST_ENTRY structure when walking EPROCESS structures.
A more structured exploit would have deducted the length of ActiveProcessLinks from
the ActiveProcessLink location to find the actual beginning of the EPROCESS structure
then use the offset values from the base of the structure.
This is the more elegant approach and makes exploits easier to port to multiple versions
of an OS and utilizes offsets more recognizable to other researchers vs our this-8=PID
styled tricks used. 

Next Talk: Exploiting LOLDriver Vulnerabilities
DC214 – 7.13.23

Thanks!
Russell Sanford
xort@sploit.online

0x02 - Windows Privilege Esc - A Low Level Explanation of Token Theft

Recommended

Recommended

More Related Content

Similar to 0x02 - Windows Privilege Esc - A Low Level Explanation of Token Theft

Similar to 0x02 - Windows Privilege Esc - A Low Level Explanation of Token Theft (20)

More from Russell Sanford

More from Russell Sanford (6)

Recently uploaded

Recently uploaded (20)

0x02 - Windows Privilege Esc - A Low Level Explanation of Token Theft