Metasploit & Windows Kernel Exploitation
Spencer (@zeroSteiner) McIntyre, BSides Cleveland, Saturday June 20th, 2015
Agenda
• Agenda
• Kernel Exploitation Overview & Basics
• Common Vulnerability Classes
• Executing Code
• Mitigation Technologies
• Kernel Exploits in MSF
• Writing Windows Kernel exploits for MSF
• Common Techniques Employed By MSF Modules
• Improving Reliability
About Me
• Spencer McIntyre
• Work at SecureState
• Research, Development, “Special” Projects
• BSOD-inducer
• Avid open source contributor
• Metasploit among others
• Python enthusiast
• I can haz acronyms?
• OSCP, OSEE
BSOD Warning
• BSODs are imminent
• None of the solutions here are fit-all
• Just aggregated from personal experience
Bug check from MS14-040 due to corrupted structures
Windows Kernel Exploitation Basics
Overview
• Why Kernel Exploitation?
• Downward trend of RCE over last couple years
• Last “Great” RCE MS08-067
• New RCE are generally in 3rd party software / libraries
• The kernel is always there
• Upward trend of client side exploitation as a foothold
• Social engineering
• Some great vulnerabilities coming from Pwn2Own and the wild
Recent Windows Kernel Vulnerabilities
Name                       Advisory / Details Released   Public Exploit Code?
MS14-058 / CVE-2014-4113   October 14th, 2014            Yes
MS14-070 / CVE-2014-4076   November 11th, 2014           Yes
MS15-010                   February 10th, 2015           Yes
MS15-034 / CVE-2015-1635   April 14th, 2015              Yes (DoS)
MS15-051 / CVE-2015-1701   April 18th, 2015              Yes
• Incomplete list of recent “notable” vulnerabilities as of June 15th, 2015
• Notable because additional details were published outside the MSB / CVE boilerplate verbiage
Common Vulnerability Classes
• Write-What-Where
• NULL Pointer Dereference
• Use After Free (UAF)
• Honorable Mention: Stack Buffer Overflow
• Exist, but not particularly common in Kernel land
Write-What-Where
• (Sometimes) Controlled data can be written to an attacker-controlled location
• nt!HalDispatchTable is a popular target
• Exploitation is often stable
• Commonly exploited with IOCTL routines using
NtDeviceIoControlFile
• Also more common than other classes in third party drivers
• Example exploits:
• MS11-080
• MS14-070
NULL Pointer Dereference
• Occurs when a NULL pointer is referred to as an object
• Exploitation is often stable
• NULL page can not always be mapped, mitigations exist
• Sometimes negative numbers from error statuses are used as pointers
• MS14-058 / CVE-2014-4113 for example
• Can be beneficial on 64-bit systems if truncated to a 32-bit number (resulting in 0x00000000ffffffff being used)
• Example Exploits:
• MS13-081
• MS14-058
Use After Free
• Pointer to an object is used after it has been freed
• Successful exploitation often requires re-allocating the freed object
• Not always reliable, depends on successful reallocation
• Examples:
• MS15-020
Vulnerability To Code Execution
• Techniques dependent on class
• Write-What-Where
• Well documented, overwrite nt!HalDispatchTable+0x4
• HalDispatchTable can be resolved from ntkrnlpa.exe
• Triggered on demand with NtQueryIntervalProfile
• NULL Pointer Dereference & UAF
• Similar in the sense that they are object-dependent
• UAF is more difficult to set up the object (not in user-land address space)
NULL Pointer Dereference / UAF
• An object is corrupted
• For UAF a replacement object is created
• No easy way to determine a suitable object
• Object size, layout and destination heap all must be considered
• Object needs to provide a primitive
• Generally Write-What-Where or Call
Useful Object: tagWND (Window)
• win32k!tagWND
• Pretty common object (CVE-2014-4113)
• Set two values for kernel code execution
• bServerSideWindowProc (Bit flag)
• lpfnWndProc (Pointer)
• Callback function can be triggered on demand
Mitigation Technologies
• Commonly encountered on modern systems
• The days of jmp-esp died with XP
• Address Space Layout Randomization (ASLR)
• Only a semi-issue due to already having code execution
• Only need to worry about kernel addresses
• Driver bases can be determined
• Memory leaks or read primitives can disclose additional kernel addresses
• LoadLibrary & GetProcAddress are your friends
• Data Execution Prevention (DEP)
• NtAllocateVirtualMemory, VirtualProtect
• SMEP can be an issue (more on this later)
Mitigation Technologies
• NULL Page Mapping
• One of the oldest protections in EMET
• Pre-Allocate and squat on the page, mark with PAGE_NOACCESS
• Get around it by avoiding it (migrate into an unprotected process if possible)
• Supervisor Mode Execution Protection (SMEP)
• Prevents user-land addresses from being executed from the Kernel context
• Originally developed by Intel
• Support added to Windows 8
SMEP Exception
Disabling SMEP
• Some well-documented techniques
• See the “Further Reading & Resources” slide
• Use a ROP gadget in nt!KiConfigureDynamicProcessor to clear the SMEP bit in the CR4 register
• Resolve the kernel address of the ROP gadget
• A few drawbacks to this approach
• Can’t be resolved with GetProcAddress like nt!HalDispatchTable
• It’s in the PAGELK section on Windows 8.1
• Requires running in the native architecture, i.e. not WOW64
• If the kernel can’t be loaded (WOW64 or sandbox) a read primitive needs to be available for resolution
Windows Kernel Exploits In Metasploit
Metasploit Windows Kernel Modules
• Divided into two categories based on implementation
• Ruby (relying heavily on RailGun)
• C (implemented as a Reflectively-loadable DLL)
• Don’t have to be local privilege escalation but almost all are
• Almost all directly steal / duplicate the token
• An alternative approach is to “clear” the ACL of a SYSTEM process to inject into (e.g. ms13_053_schlamperei)
• Msf::Exploit::Local::WindowsKernel mixin for convenience methods
Ruby Implementations
• Might be eventually deprecated in favor of RDLL [1]
• Well suited for simple NtDeviceIoControlFile-centric exploits
• e.g. MS11-080, MS14-002, MS14-070
• Benefits are that the exploit is a self-contained ruby file
• Failed attempts result in a lost session due to self-corruption
[1] Details in issue #4715 https://github.com/rapid7/metasploit-framework/issues/4715
C Implementations
• Much more flexible
• Threads can be used
• Can be faster to write if extensive Windows API calls are necessary
• PoC exploits can be developed as standalone executables
• Primary benefit is the exploit can be injected into a dummy process
• Results in stability if the exploit fails without a BSOD
Writing a Kernel Exploit for Metasploit
• C / Reflective DLL style is preferred
• General Steps:
1. Environment detection
• Is the session a meterpreter or running as SYSTEM?
2. Vulnerability check
• Often implemented in the “check” function, result is verified
• Checks are often for the file version and running services
3. Start a dummy process to host the malicious DLL
• If in a sandbox, load the DLL in the session process
4. The RDLL will (hopefully) exploit the vulnerability successfully and open a new session
Shellcode
• Options are traditional raw bytecode or C, but only for RDLLs
• C implementation is preferable and more reliable
• Different versions of Windows have different token offsets
• Generic implementation uses PsLookupProcessByProcessId then find and replace
• Works across Windows versions
Exploit Reliability
Sources of Instability
• Corrupted structures
• Token reference count
• Returning control after elevation
Corrupted Structures
• Certain objects are in a shared region between user & kernel lands [1]
• Handle table information without a system call for efficiency
• user32!gSharedInfo is available since Windows 7
• Region is read-only
• Back it up
• Read-only so restore from within the shellcode
• If structures are corrupted and code execution does not occur a BSOD is imminent without a reliable write primitive
• nt!HalDispatchTable
[1] https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf
Token Reference Count
• “Stealing” the token can cause issues
• Token object has a reference count
• Possible workarounds
• Clear an ACL from a process
• Process still might die and cause instability
• Duplicate the token
• Not practical from raw shellcode
• Back up the original token, steal the token, spawn a new shell, restore the token
• Is practical from raw shellcode
• Exploit must be reliably triggered twice
Returning Control
• What to do if process dies after elevation?
• Find a suitable location to return control to
• Unwind the stack via assembly
• Microsoft uses a standard calling convention
• Not applicable in every situation, depends on the call
• Trivial to differentiate a user-land address vs kernel-land
Returning Control
• Last call in user-land ntdll!KiFastSystemCallRet
• First call in kernel-land nt!KiSystemServicePostCall
• KiSystemServicePostCall performs cleanup operations and restores the user-mode context
• Cannot directly return to user-land
• System call will probably fail but the status can be set
• Be careful about allowing it to succeed
Returning Control
• Resulting shellcode is 29-bytes
• Not that size matters when dealing with a local
64-bit Exploitation
• Starting to pick up
• Exploits being written in C to support both architectures
• x64 uses one calling convention, only one
• WOW64 complicates things
• For Metasploit, migrate into or spawn a native process
• Check for pointer truncation
• Might help, might not
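As an added example (not code from the talk or from Metasploit), this C helper works through the address-range questions raised on the NULL Pointer Dereference, Write-What-Where and Returning Control slides and here: it classifies a faulting address as NULL page, user-land, kernel-land or non-canonical on x86 (with or without /3GB) and x64, flags a value that looks like a truncated 32-bit pointer, and applies the ProbeForWrite-style range check a driver should run on a caller-supplied destination before writing through it. The layout constants are the standard Windows values; the function and macro names are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Address classes used when triaging the faulting pointer from a bug check. */
typedef enum {
    ADDR_NULL_PAGE,    /* below the lowest user address: NULL pointer dereference */
    ADDR_USER,         /* user-land address */
    ADDR_KERNEL,       /* kernel-land address */
    ADDR_NONCANONICAL  /* x64 only: not a valid virtual address at all */
} addr_class_t;

/* Standard Windows address-layout values; the macro names are this example's. */
#define LOWEST_USER_ADDRESS 0x10000ull            /* first 64 KiB is never handed to apps */
#define X86_KERNEL_BASE     0x80000000ull         /* default 2 GiB / 2 GiB split */
#define X86_KERNEL_BASE_3GB 0xC0000000ull         /* with the /3GB boot option */
#define X64_USER_LIMIT      0x00007FFFFFFFFFFFull /* last canonical user address */
#define X64_KERNEL_BASE     0xFFFF800000000000ull /* first canonical kernel address */

/* x86: kernel space starts at 0x80000000 unless /3GB moved it up to 0xC0000000. */
addr_class_t classify_x86(uint32_t va, bool three_gb)
{
    uint64_t kernel_base = three_gb ? X86_KERNEL_BASE_3GB : X86_KERNEL_BASE;
    if (va < LOWEST_USER_ADDRESS) return ADDR_NULL_PAGE;
    return (va >= kernel_base) ? ADDR_KERNEL : ADDR_USER;
}

/* x64: 48-bit canonical addressing; the hole between the two halves is
 * non-canonical and raises #GP instead of a page fault when touched. */
addr_class_t classify_x64(uint64_t va)
{
    if (va < LOWEST_USER_ADDRESS) return ADDR_NULL_PAGE;
    if (va <= X64_USER_LIMIT) return ADDR_USER;
    if (va >= X64_KERNEL_BASE) return ADDR_KERNEL;
    return ADDR_NONCANONICAL;
}

/* A negative 32-bit value (a kernel address or an NTSTATUS error code) that was
 * squeezed through a 32-bit field comes back zero-extended: high dword 0, low
 * dword >= 0x80000000.  On x64 such a value lands in user space (the talk's
 * 0x00000000ffffffff case) rather than faulting in kernel space. */
bool looks_truncated(uint64_t va)
{
    return (va >> 32) == 0 && (uint32_t)va >= 0x80000000u;
}

/* The range check a driver must apply to a caller-supplied destination before
 * writing through it, i.e. the semantics of ProbeForWrite: the whole span
 * [va, va+len) has to lie below MmUserProbeAddress (64 KiB under the start of
 * kernel space) and the addition must not wrap.  Skipping this is how an IOCTL
 * handler turns into a write-what-where. */
bool probe_for_write_ok(uint64_t va, uint64_t len, bool is_x64, bool three_gb)
{
    uint64_t user_space_end = is_x64 ? X64_USER_LIMIT + 1
                            : (three_gb ? X86_KERNEL_BASE_3GB : X86_KERNEL_BASE);
    uint64_t probe_limit = user_space_end - 0x10000;   /* MmUserProbeAddress */
    if (len == 0) return true;                          /* ProbeForWrite does nothing for 0 */
    if (va + len < va) return false;                    /* wrap-around */
    return va + len <= probe_limit;
}

static const char *class_name(addr_class_t c)
{
    switch (c) {
    case ADDR_NULL_PAGE: return "NULL page";
    case ADDR_USER:      return "user-land";
    case ADDR_KERNEL:    return "kernel-land";
    default:             return "non-canonical";
    }
}

int main(void)
{
    /* Constructed sample addresses for the demo, not values from any real crash. */
    const uint64_t samples[] = { 0x0000000000000028ull, 0x00000000ffffffffull,
                                 0xfffff80001234560ull, 0x0000800000000000ull };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t va = samples[i];
        printf("%#018llx  %-13s %s\n", (unsigned long long)va,
               class_name(classify_x64(va)),
               looks_truncated(va) ? "(looks like a truncated 32-bit value)" : "");
    }
    /* A destination that passes the probe on a default x86 layout. */
    printf("probe 0x7ffe0000+4 on x86: %s\n",
           probe_for_write_ok(0x7ffe0000ull, 4, false, false) ? "ok" : "rejected");
    return 0;
}
```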
Closing Thoughts
• Kernel exploitation is flexible
• Code execution ahead of time can be leveraged
• Size matters not
• Hypothesis: Kernel exploitation is going to stick around for a while
Questions? Ask them.
Further Reading & Resources
• Kernel Attacks Through User-Mode Callbacks
• Tarjei Mandt, Black Hat USA 2011
• https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf
• SMEP: What is it, and how to beat it on Windows
• Mateusz ‘j00ru’ Jurczyk & Gynvael Coldwind
• http://j00ru.vexillium.org/?p=783
• Windows Kernel Exploitation Basics - Part 2 : Arbitrary Memory Overwrite exploitation using HalDispatchTable
• Sunday, July 17th, 2011
• http://poppopret.blogspot.com/2011/07/windows-kernel-exploitation-basics-part.html
• Polishing Chrome for Fun and Profit
• Nils & Jon, August 29th, 2013
• https://labs.mwrinfosecurity.com/system/assets/538/original/mwri_polishing-chrome-slides-nsc_2013-09-06.pdf
Further Reading & Resources
• Pwn2Own 2014: AFD.sys Dangling Pointer Vulnerability
• Sebastian Apelt, July 11th, 2014
• http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf
• One-Bit To Rule Them All: Bypassing Windows’ 10 Protections using a Single Bit
• Udi Yavo, February 10th, 2015
• http://breakingmalware.com/vulnerabilities/one-bit-rule-bypassing-windows-10-protections-using-single-bit/
• Spencer McIntyre
• Twitter: @zeroSteiner
• Check out “Phishing Without Ruby”
• I’ll be co-presenting with Brandan Geise
• Downstairs at 4PM
Thank You For Your Time!

Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 

Metasploit & Windows Kernel Exploitation

Write-What-Where
• (Sometimes) Controlled data can be written to an attacker-controlled location
• nt!HalDispatchTable is a popular target
• Exploitation is often stable
• Commonly exploited with IOCTL routines using NtDeviceIoControlFile
• Also more common than other classes in third party drivers
• Example exploits:
• MS11-080
• MS14-070
NULL Pointer Dereference
• Occurs when a NULL pointer is referred to as an object
• Exploitation is often stable
• NULL page can not always be mapped, mitigations exist
• Sometimes negative numbers from error statuses are used as pointers
• MS14-058 / CVE-2014-4113 for example
• Can be beneficial on 64-bit systems if truncated to a 32-bit number (resulting in 0x00000000ffffffff being used)
• Example Exploits:
• MS13-081
• MS14-058
Use After Free
• Pointer to an object is used after it has been freed
• Successful exploitation often requires re-allocating the freed object
• Not always reliable, depends on successful reallocation
• Examples:
• MS15-020
Vulnerability To Code Execution
• Techniques dependent on class
• Write-What-Where
• Well documented, overwrite nt!HalDispatchTable+0x4
• HalDispatchTable can be resolved from ntkrnlpa.exe
• Triggered on demand with NtQueryIntervalProfile
• NULL Pointer Dereference & UAF
• Similar in the sense that they are object-dependent
• For UAF the object is more difficult to set up (it is not in the user-land address space)
NULL Pointer Dereference / UAF
• An object is corrupted
• For UAF a replacement object is created
• No easy way to determine a suitable object
• Object size, layout and destination heap all must be considered
• Object needs to provide a primitive
• Generally Write-What-Where or Call
Useful Object: tagWND (Window)
• win32k!tagWND
• Pretty common object (CVE-2014-4113)
• Set two values for kernel code execution
• bServerSideWindowProc (Bit flag)
• lpfnWndProc (Pointer)
• Callback function can be triggered on demand
Mitigation Technologies
• Commonly encountered on modern systems
• The days of jmp-esp died with XP
• Address Space Layout Randomization (ASLR)
• Only a semi-issue due to already having code execution
• Only need to worry about kernel addresses
• Driver bases can be determined
• Memory leaks or read primitives can disclose additional kernel addresses
• LoadLibrary & GetProcAddress are your friends
• Data Execution Prevention (DEP)
• NtAllocateVirtualMemory, VirtualProtect
• SMEP can be an issue (more on this later)
Mitigation Technologies
• NULL Page Mapping
• One of the oldest protections in EMET
• Pre-allocate and squat on the page, mark with PAGE_NOACCESS
• Get around it by avoiding it (migrate into an unprotected process if possible)
• Supervisor Mode Execution Protection (SMEP)
• Prevents user-land addresses from being executed from the kernel context
• Originally developed by Intel
• Support added to Windows 8
Disabling SMEP
• Some well-documented techniques
• See the “Further Reading & Resources” slide
• Use a ROP gadget in nt!KiConfigureDynamicProcessor to clear the SMEP bit in the CR4 register
• Resolve the kernel address of the ROP gadget
• A few drawbacks to this approach
• Can’t be resolved with GetProcAddress like nt!HalDispatchTable
• It's in the PAGELK section on Windows 8.1
• Requires running in the native architecture, i.e. not WOW64
• If the kernel can’t be loaded (WOW64 or sandbox) a read primitive needs to be available for resolution
Windows Kernel Exploits In Metasploit
Metasploit Windows Kernel Modules
• Divided into two categories based on implementation
• Ruby (relying heavily on RailGun)
• C (implemented as a reflectively-loadable DLL)
• Don’t have to be local privilege escalation but almost all are
• Almost all directly steal / duplicate the token
• An alternative approach is to “clear” the ACL of a SYSTEM process to inject into (e.g. ms13_053_schlamperei)
• Msf::Exploit::Local::WindowsKernel mixin for convenience methods
Ruby Implementations
• Might eventually be deprecated in favor of RDLL [1]
• Well suited for simple NtDeviceIoControlFile-centric exploits
• e.g. MS11-080, MS14-002, MS14-070
• Benefit is that the exploit is a self-contained Ruby file
• Failed attempts result in a lost session due to self-corruption
[1] Details in issue #4715 https://github.com/rapid7/metasploit-framework/issues/4715
C Implementations
• Much more flexible
• Threads can be used
• Can be faster to write if extensive Windows API calls are necessary
• PoC exploits can be developed as standalone executables
• Primary benefit is that the exploit can be injected into a dummy process
• Results in stability if the exploit fails without a BSOD
Writing a Kernel Exploit for Metasploit
• C / Reflective DLL style is preferred
• General Steps:
1. Environment detection
• Is the session a meterpreter or running as SYSTEM?
2. Vulnerability check
• Often implemented in the “check” function, result is verified
• Checks are often for the file version and running services
3. Start a dummy process to host the malicious DLL
• If in a sandbox, load the DLL in the session process
4. The RDLL will (hopefully) exploit the vulnerability successfully and open a new session
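Step 2 above hinges on a file-version comparison: the installed version of a system file is held against the first build that carries the fix. The helper below is an added C example, not the deck's code and not Metasploit's own check implementation; the version strings in it are constructed samples, not the fix levels of any bulletin on the earlier slides. It shows the one thing such a check gets wrong when done carelessly, comparing dotted versions as strings, where "6.1.7601.9999" would sort above "6.1.7601.18247".

```c
#include <stdio.h>
#include <stdbool.h>
#include <stdlib.h>

/* Added example (not from the deck or from Metasploit). Compares a file
 * version such as "6.1.7601.18247" against a fixed version, component by
 * component as numbers. All sample versions are constructed. */

#define VERSION_PARTS 4

/* Parse "a.b.c.d" into up to four numbers. Missing trailing parts count
 * as 0; returns false on non-numeric text, empty parts or a fifth part. */
bool parse_file_version(const char *text, unsigned parts[VERSION_PARTS])
{
    for (int i = 0; i < VERSION_PARTS; i++)
        parts[i] = 0;
    if (text == NULL || *text == '\0')
        return false;
    int idx = 0;
    const char *p = text;
    while (*p) {
        if (idx >= VERSION_PARTS)
            return false;               /* more than four components */
        if (*p < '0' || *p > '9')
            return false;               /* each component starts with a digit */
        char *end;
        unsigned long v = strtoul(p, &end, 10);
        parts[idx++] = (unsigned)v;
        p = end;
        if (*p == '.') {
            p++;
            if (*p == '\0')
                return false;           /* trailing dot */
        } else if (*p != '\0') {
            return false;               /* junk after a component */
        }
    }
    return true;
}

/* -1, 0 or 1 like strcmp, but numeric per component. */
int compare_file_version(const unsigned a[VERSION_PARTS],
                         const unsigned b[VERSION_PARTS])
{
    for (int i = 0; i < VERSION_PARTS; i++) {
        if (a[i] < b[i]) return -1;
        if (a[i] > b[i]) return 1;
    }
    return 0;
}

/* Verdict a check routine reports. Unparseable input is "unknown" rather
 * than "missing", so a bad read never turns into a false positive. */
typedef enum { PATCH_UNKNOWN = 0, PATCH_MISSING = 1, PATCH_PRESENT = 2 } patch_state_t;

patch_state_t patch_state(const char *installed, const char *fixed)
{
    unsigned a[VERSION_PARTS], b[VERSION_PARTS];
    if (!parse_file_version(installed, a) || !parse_file_version(fixed, b))
        return PATCH_UNKNOWN;
    return compare_file_version(a, b) < 0 ? PATCH_MISSING : PATCH_PRESENT;
}

int main(void)
{
    /* constructed sample, not a real fix level */
    printf("state: %d (1 = patch missing, 2 = present)\n",
           patch_state("6.1.7601.18247", "6.1.7601.18580"));
    return 0;
}
```

Feeding it a version read from a file's resource block (or from a WMI or PowerShell inventory on the defensive side) gives the same answer either way, which is the point: the comparison, not the collection, is where these checks usually go wrong.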
Shellcode
• Options are traditional raw bytecode or C, but C only for RDLLs
• C implementation is preferable and more reliable
• Different versions of Windows have different token offsets
• Generic implementation uses PsLookupProcessByProcessId then find and replace
• Works across Windows versions
Sources of Instability
• Corrupted structures
• Token reference count
• Returning control after elevation
Corrupted Structures
• Certain objects are in a shared region between user & kernel lands [1]
• Handle table information without a system call for efficiency
• user32!gSharedInfo is available since Windows 7
• Region is read-only
• Back it up
• Read-only so restore from within the shellcode
• If structures are corrupted and code execution does not occur a BSOD is imminent without a reliable write primitive
• nt!HalDispatchTable
[1] https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf
Token Reference Count
• “Stealing” the token can cause issues
• Token object has a reference count
• Possible workarounds
• Clear an ACL from a process
• Process still might die and cause instability
• Duplicate the token
• Not practical from raw shellcode
• Back up the original token, steal the token, spawn a new shell, restore the token
• Is practical from raw shellcode
• Exploit must be reliably triggered twice
Returning Control
• What to do if process dies after elevation?
• Find a suitable location to return control to
• Unwind the stack via assembly
• Microsoft uses a standard calling convention
• Not applicable in every situation, depends on the call
• Trivial to differentiate a user-land address vs kernel-land
Returning Control
• Last call in user-land ntdll!KiFastSystemCallRet
• First call in kernel-land nt!KiSystemServicePostCall
• KiSystemServicePostCall performs cleanup operations and restores the user-mode context
• Can not directly return to user-land
• System call will probably fail but the status can be set
• Be careful about allowing it to succeed
Returning Control
• Resulting shellcode is 29 bytes
• Not that size matters when dealing with a local
64-bit Exploitation
• Starting to pick up
• Exploits being written in C to support both architectures
• x64 uses one calling convention, only one
• WOW64 complicates things
• For Metasploit, migrate into or spawn a native process
• Check for pointer truncation
• Might help, might not
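Three slides lean on the same pointer arithmetic: the NULL Pointer Dereference slide (a negative error status used as a pointer, and the 32-bit truncation that turns it into 0x00000000ffffffff on x64), the Returning Control slide (telling a user-land address from a kernel-land one) and the pointer-truncation bullet just above. The C below is an added example that is not code from the slides, from Metasploit or from Windows; it runs as an ordinary user-mode program and touches no kernel memory. STATUS_INVALID_HANDLE is the real constant; the object table, its addresses and both lookup routines are constructed for illustration. The vulnerable lookup is there only to contrast with the form a driver author should write, where the status and the pointer travel separately and the pointer is range-checked before it is trusted.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example (not from the deck). Models the status-as-pointer and
 * truncation mix-ups discussed in the slides. Addresses are constructed. */

typedef int32_t NTSTATUS_t;
#define NT_SUCCESS_T(s)         ((s) >= 0)
#define STATUS_SUCCESS_T        ((NTSTATUS_t)0x00000000)
#define STATUS_INVALID_HANDLE_T ((NTSTATUS_t)0xC0000008)   /* real NTSTATUS value */

/* User-land vs kernel-land (the "trivial" test from the Returning Control
 * slide). x86 assumes the default 2 GB / 2 GB split, so no /3GB switch;
 * x64 kernel space is the upper canonical half, 0xFFFF800000000000 and up. */
bool is_kernel_address(uint64_t addr, bool is_x64)
{
    if (is_x64)
        return addr >= 0xFFFF800000000000ULL;
    return addr >= 0x80000000ULL;
}

/* A signed error return after passing through a 32-bit temporary: -1 becomes
 * 0x00000000FFFFFFFF. On x86 that is still in the kernel range (an invalid
 * kernel-mode access, a bug check); on x64 it is a user-mode address, which
 * is the deck's "can be beneficial on 64-bit" remark. */
uint64_t widen_through_32bit(int64_t value)
{
    uint32_t low = (uint32_t)value;   /* high 32 bits discarded, sign lost */
    return (uint64_t)low;             /* zero-extended, not sign-extended */
}

/* Constructed object table standing in for whatever a driver would look an
 * id up in. The addresses are fake but lie in the x64 kernel range. */
static const uint64_t g_object_addr[] = {
    0xFFFFF8A000100000ULL,
    0xFFFFF8A000200000ULL,
};
#define OBJECT_COUNT (sizeof g_object_addr / sizeof g_object_addr[0])

/* Vulnerable pattern: pointer and error code share one return value. A
 * caller cannot tell failure (-1) from an object, and will use the error
 * value as an address. Kept only to contrast with the safe form below. */
uint64_t lookup_object_vulnerable(uint32_t id)
{
    if (id >= OBJECT_COUNT)
        return (uint64_t)(int64_t)-1;   /* the error travels in the pointer slot */
    return g_object_addr[id];
}

/* Hardened pattern: status and pointer are separate, the out-parameter is
 * cleared on every failure path, and the pointer is range-checked before it
 * is handed back. Unknown ids yield STATUS_INVALID_HANDLE. */
NTSTATUS_t lookup_object_safe(uint32_t id, bool is_x64, uint64_t *out_addr)
{
    *out_addr = 0;                      /* never leave stale data behind */
    if (id >= OBJECT_COUNT)
        return STATUS_INVALID_HANDLE_T;
    uint64_t addr = g_object_addr[id];
    if (!is_kernel_address(addr, is_x64))
        return STATUS_INVALID_HANDLE_T; /* a user-mode address does not belong here */
    *out_addr = addr;
    return STATUS_SUCCESS_T;
}

/* Caller written the way the safe pattern expects: check NT_SUCCESS first,
 * and only then look at the pointer. */
bool caller_gets_valid_object(uint32_t id, bool is_x64)
{
    uint64_t addr;
    NTSTATUS_t st = lookup_object_safe(id, is_x64, &addr);
    if (!NT_SUCCESS_T(st))
        return false;
    return addr != 0;
}

int main(void)
{
    uint64_t p = widen_through_32bit(-1);
    printf("-1 through a 32-bit temporary: 0x%016llx (kernel on x64? %d, on x86? %d)\n",
           (unsigned long long)p, is_kernel_address(p, true), is_kernel_address(p, false));
    printf("safe lookup of id 9 usable? %d\n", caller_gets_valid_object(9, true));
    return 0;
}
```

The sign test alone cannot separate a status from a pointer, because kernel addresses are negative as signed integers on both architectures; that is why the safe form returns the status through the return value and the pointer through an out-parameter rather than trying to classify one shared value after the fact.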
Closing Thoughts
• Kernel exploitation is flexible
• Code execution ahead of time can be leveraged
• Size matters not
• Hypothesis: Kernel exploitation is going to stick around for a while
Further Reading & Resources
• Kernel Attacks Through User-Mode Callbacks
• Tarjei Mandt, Black Hat USA 2011
• https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf
• SMEP: What is it, and how to beat it on Windows
• Mateusz ‘j00ru’ Jurczyk & Gynvael Coldwind
• http://j00ru.vexillium.org/?p=783
• Windows Kernel Exploitation Basics - Part 2 : Arbitrary Memory Overwrite exploitation using HalDispatchTable
• Sunday, July 17th, 2011
• http://poppopret.blogspot.com/2011/07/windows-kernel-exploitation-basics-part.html
• Polishing Chrome for Fun and Profit
• Nils & Jon, August 29th, 2013
• https://labs.mwrinfosecurity.com/system/assets/538/original/mwri_polishing-chrome-slides-nsc_2013-09-06.pdf
Further Reading & Resources
• Pwn2Own 2014: AFD.sys Dangling Pointer Vulnerability
• Sebastian Apelt, July 11th, 2014
• http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf
• One-Bit To Rule Them All: Bypassing Windows’ 10 Protections using a Single Bit
• Udi Yavo, February 10th, 2015
• http://breakingmalware.com/vulnerabilities/one-bit-rule-bypassing-windows-10-protections-using-single-bit/
Thank You For Your Time!
• Spencer McIntyre
• Twitter: @zeroSteiner
• Check out “Phishing Without Ruby”
• I’ll be co-presenting with Brandan Geise
• Downstairs at 4PM