CVE-2014-4113 Win8.1 64-bit Exploitation (2014.11)

Source: Internet
Author: User
Tags cve

CVE-2014-4113 Win8.1 64-bit Exploitation

There has already been a great deal of analysis of the root cause of this vulnerability, but the public samples only exploit versions before Win8. The foreign researcher Moritz Jodeit studied exploitation on Win8.1 and outlined an approach. Following his idea, we attempt exploitation on Win8.1.

On Win8.1, after xxxMNFindWindowFromPoint is called, the code that processes the returned tagWND window object differs from earlier versions:

Win8.1 reads the value at [tagWND+90h] and only proceeds if it is less than 7; it then uses r10+rax*8, which is a kernel address. This is not something we can control, so we need to look for another route.

1. Constructing a fake tagWND

After the vulnerability is triggered, a fake tagWND is carefully constructed with chosen values at several key offsets, such as:

This lets the program's execution reach the following piece of code:

This code walks the linked list whose head is head=[tagWND+10h]+1d0h: if [[tagWND+10h]+1d0h] is NULL, it sets [head]=rdi; otherwise it keeps traversing until it reaches the last entry and writes the value of RDI into that last entry's Next pointer.

Excluding the list head, the list has 2 entries in total, and the instruction "mov [rax], rdi" writes RDI into the Next pointer of the last entry. Because the address of that last entry is under our control, this amounts to: we can overwrite any 8 zero bytes at an address of our choosing with a kernel address (RDI). The bytes must be zero because the walk only stops at an entry whose Next pointer is NULL. Because of the 64-bit address space layout, kernel addresses lie in the range 0xffff0800'00000000 ~ 0xffffffff'ffffffff, so the high two bytes of RDI are always 0xFF. That is the key to obtaining a high-privileged Token in the next step.

2. Obtaining a high-privileged Token

In Windows, the Token is the key to permission management, much like the tally tokens used in ancient times. If a high-privileged token can be produced in a "legitimate" way, privilege escalation is achieved.

The kernel TOKEN object contains a very important SEP_TOKEN_PRIVILEGES structure, in which each bit represents a privilege, as follows:

When deciding which privileges a Token actually holds, it is the Enabled field of SEP_TOKEN_PRIVILEGES that takes effect. It follows that privileges can be changed by overwriting the value at [token+0x48].

In the previous step we found a piece of code that lets us write a kernel address over any 8 zero bytes at an address we control. If we can find 8 consecutive zero bytes within the SEP_TOKEN_PRIVILEGES structure, positioned so that the 0xFF high bytes of RDI land on the key bits of Enabled, we obtain a high-privileged Token. The advantage is that the elevation happens inside kernel code, so there is no SMEP problem to deal with.

It would be ideal to find such memory in the process's own Token, but its SEP_TOKEN_PRIVILEGES structure does not contain 8 consecutive zero bytes, so the process Token cannot be overwritten directly to escalate privileges.

Fortunately Microsoft provides the CreateRestrictedToken function. We can create a restricted token with minimal privileges and then call AdjustTokenPrivileges so that its SEP_TOKEN_PRIVILEGES structure contains 8 consecutive zero bytes:

Now we have a SEP_TOKEN_PRIVILEGES structure with 8 consecutive zero bytes. Next we must decide at which offset within the structure the RDI overwrite should start, because the only bytes of RDI we know in advance are the high two, which are 0xFF.

The most important privilege in SEP_TOKEN_PRIVILEGES is SeDebugPrivilege. With it you can debug system processes, inject code into them and run it in a remote thread, which is effectively administrator privilege. So we must make sure that this flag bit becomes 1, i.e. that it is covered by the high two bytes of RDI.

Taking into account the little-endian memory layout of Windows on x64, SEP_TOKEN_PRIVILEGES+3 is chosen as the starting position of the RDI overwrite. However, 8 must be subtracted from this value before it is stored; what is actually assigned is SEP_TOKEN_PRIVILEGES+3-8.

After the RDI overwrite, the members of SEP_TOKEN_PRIVILEGES have the following values:

The red box is the part covered by RDI. The two 0xFF bytes land on bytes 1 and 2 of Enabled, so bits 8 through 23 of the Enabled member are set and those privileges, SeDebugPrivilege (bit 20) among them, are enabled.
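The following portable C model is an added illustration, not code from the original article or from the exploit it describes. It reproduces the byte arithmetic of steps 1 and 2 above: a SEP_TOKEN_PRIVILEGES layout of three 8-byte bitmaps (Present, Enabled, EnabledByDefault, with Enabled at +8 to match the page's [token+0x48]), an all-zero privilege block as left by the restricted token, and the step-1 primitive that stores a little-endian 64-bit kernel pointer over 8 bytes that must currently be zero. The struct layout is an assumption of the model; SeDebugPrivilege = LUID 20 is the real Windows value; the sample kernel address and the "unrestricted token" bitmaps are constructed values, not leaked or dumped data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of SEP_TOKEN_PRIVILEGES: three 64-bit bitmaps, one bit per privilege
 * LUID. Layout assumed here: Present +0, Enabled +8, EnabledByDefault +16
 * (the page's [token+0x48] is Enabled, so Present sits at token+0x40). */
typedef struct {
    uint64_t Present;
    uint64_t Enabled;
    uint64_t EnabledByDefault;
} SEP_TOKEN_PRIVILEGES_MODEL;

#define SE_DEBUG_PRIVILEGE_LUID 20u   /* SeDebugPrivilege has LUID 20 */

/* The step-1 primitive: the list walk stops at the first entry whose Next
 * pointer is NULL, then "mov [rax], rdi" stores RDI there. So the 8 target
 * bytes must be zero, and they receive a little-endian 64-bit kernel pointer
 * whose two high bytes are always 0xFF. Returns -1 if any target byte is
 * non-zero (the real walk would not stop at that entry). */
int write_kernel_ptr(uint8_t *base, size_t off, uint64_t rdi)
{
    for (size_t i = 0; i < 8; i++)
        if (base[off + i] != 0) return -1;
    for (size_t i = 0; i < 8; i++)
        base[off + i] = (uint8_t)(rdi >> (8 * i));   /* x64 is little-endian */
    return 0;
}

/* Does this token's privilege block offer 8 zero bytes at start_off?
 * Normal process tokens have bits scattered through all three bitmaps,
 * which is why the page switches to a restricted token first. */
int can_overwrite_token(uint64_t present, uint64_t enabled,
                        uint64_t enabled_by_default, size_t start_off)
{
    SEP_TOKEN_PRIVILEGES_MODEL p = { present, enabled, enabled_by_default };
    const uint8_t *b = (const uint8_t *)&p;
    if (start_off + 8 > sizeof p) return 0;
    for (size_t i = 0; i < 8; i++)
        if (b[start_off + i] != 0) return 0;
    return 1;
}

/* Overwrite an all-zero privilege block (as left by CreateRestrictedToken +
 * AdjustTokenPrivileges) at start_off and return the resulting Enabled. */
uint64_t enabled_after_overwrite(size_t start_off, uint64_t rdi)
{
    SEP_TOKEN_PRIVILEGES_MODEL p;
    memset(&p, 0, sizeof p);
    if (start_off + 8 > sizeof p) return 0;
    if (write_kernel_ptr((uint8_t *)&p, start_off, rdi) != 0) return 0;
    return p.Enabled;
}

/* Only the top two bytes of RDI are known in advance (0xFF 0xFF); the bits
 * guaranteed in Enabled are those produced when every other byte is zero. */
uint64_t guaranteed_enabled_mask(size_t start_off)
{
    return enabled_after_overwrite(start_off, 0xFFFF000000000000ULL);
}

int has_privilege(uint64_t enabled, unsigned luid)
{
    return (int)((enabled >> luid) & 1u);
}

int main(void)
{
    /* Constructed sample kernel address, not a real leaked pointer. */
    const uint64_t rdi = 0xFFFFF80112345678ULL;

    for (size_t off = 0; off <= 16; off++) {
        uint64_t g = guaranteed_enabled_mask(off);
        printf("start +%2zu: Enabled=0x%016llx guaranteed=0x%016llx SeDebug %s\n",
               off, (unsigned long long)enabled_after_overwrite(off, rdi),
               (unsigned long long)g,
               has_privilege(g, SE_DEBUG_PRIVILEGE_LUID) ? "guaranteed" : "not guaranteed");
    }
    /* Constructed unrestricted-token bitmaps: no 8 zero bytes starting at +3. */
    printf("unrestricted token hittable at +3: %d\n",
           can_overwrite_token(0x60800000ULL, 0x800000ULL, 0x800000ULL, 3));
    return 0;
}
```

Running the loop shows why +3 works: the two 0xFF bytes fall on Enabled bytes 1 and 2, so bits 8..23 are set regardless of the rest of the address, and bit 20 (SeDebugPrivilege) is among them. Starting at +0 leaves Enabled untouched, starting at +8 makes Enabled equal to the whole pointer (bit 20 then depends on the unknown low bytes), and a non-zero bitmap anywhere in the 8 target bytes defeats the primitive, which is the page's reason for building a restricted token first.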

At this point we have a Token with SeDebugPrivilege and other privileges.

Note: a problem came up in practice: inspecting memory confirmed that the Token had been elevated, but the program then hung indefinitely while waiting on a suspended thread.

3. Using the high-privileged Token

Because the resulting Token has SeDebugPrivilege, the next step is to call WriteProcessMemory to inject shellcode into a system process and then CreateRemoteThread to start it. This completes the privilege escalation.

