Living Off the Kernel Land: Developing Post-Exploitation Kernel Threat
Alonso Candado Sánchez Euskalhack IV June 21, 2019
WHOAMI
Alonso Candado Sánchez
- Security Software Engineer at Countercraft
- @alonso.candado on twitter
- Interested in:
  • Low-level development
  • Malware research
  • Reversing
  • Kernel exploitation
Introduction: kernel threats 1
- TDL4 (2010):
  • Bootkit component
  • Modifies a Boot Configuration Data option to disable DSE
- Turla/Uroburos (2009-2013):
  • VirtualBox driver exploit (CVE-2008-3431)
  • Overwrites the global system variable (ntoskrnl!g_CiEnabled) that controls DSE behaviour
  • Bypasses PatchGuard by hooking the KeBugCheckEx API
- Derusbi (2013):
  • First version 2008
  • NICM.SYS exploit (CVE-2013-3956); the driver is signed by Novell
  • g_CiEnabled modification
- Grayfish (2013):
  • Equation Group rootkit
  • Bypasses DSE with a bootkit component: overwrites hard-disk drive firmware that contains the infected VBR
- Duqu 2.0 (2015):
  • Exploits win32k.sys
- Remsec (2016):
  • Exploits a vulnerability in the Agnitum driver Sandbox.sys
  • IOCTL that calls ZwLoadDriver
- Slingshot APT (2018):
  • Exploit in Sandra.sys (CVE-2010-1592)
  • Exploit in CVE-2007-5633
  • Writes to MSR registers and restores the original value afterwards
Introduction: kernel threats 2
- SMEP
- SMAP
- KASLR
- VIRTUALIZATION BASED SECURITY (VBS):
  • Prevents MSR register modifications
  • SMEP cannot be disabled
  • Only signed kernel pages can become executable (HVCI)
Kernel threat loader : exploitation 1
Kernel threat loader : exploitation 2
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf
Kernel threat loader : exploitation 3
https://www.coresecurity.com/content/virtualbox-privilege-escalation-vulnerability
- Driver device object is open to communication from any arbitrary process
- Lacks buffer validation
- Uses METHOD_NEITHER (the driver receives raw user-mode pointers)
- Write-What-Where vulnerability
1.- Target IOCTL
2.- Write target value
3.- Target buffer: nt!g_CiEnabled
VIRTUALBOX EXPLOIT:
• SUP_IOCTL_COOKIE I/O
• SUP_IOCTL_LDR_OPEN: get a ring 0 buffer
• SUP_IOCTL_LDR_LOAD: load the shellcode into the ring 0 buffer
• SUP_IOCTL_SET_VM_FOR_FAST
• SUP_IOCTL_FAST_DO_NOP
Summary: vulnerability + abuse of the insecure logic
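The write-what-where pattern from the three steps above, as an added example that is not part of the original talk and not the VirtualBox or any other real driver's code. It is userland C: "memory" is a flat array, addresses below USER_LIMIT are user space, the slot G_CI_ENABLED_VA stands in for nt!g_CiEnabled, and IOCTL_WRITE_WHAT_WHERE, probe_for_write and all constants are hypothetical names chosen for the model. The vulnerable dispatch trusts the caller's target address; the hardened one applies the ProbeForWrite-style check the driver omitted.

```c
#include <stdint.h>
#include <string.h>
#include <stdlib.h>

/* Model of the write-what-where IOCTL pattern. Plain userland C, not Windows
 * driver code: "memory" is a flat array, addresses below USER_LIMIT are user
 * space and addresses at or above it are kernel space. All names and
 * constants below are hypothetical and chosen for this example. */

#define MEM_SIZE                 0x10000u
#define USER_LIMIT               0x8000u   /* [0, USER_LIMIT) is user space */
#define G_CI_ENABLED_VA          0x9000u   /* "kernel" slot holding the DSE flag */
#define IOCTL_WRITE_WHAT_WHERE   0x222003u /* hypothetical METHOD_NEITHER code */

#define STATUS_SUCCESS                 0
#define STATUS_INVALID_DEVICE_REQUEST  1
#define STATUS_DATATYPE_MISALIGNMENT   2
#define STATUS_ACCESS_VIOLATION        3

static uint8_t g_mem[MEM_SIZE];

/* Input buffer the caller hands in as Type3InputBuffer (a raw user pointer). */
struct ww_request {
    uint32_t what;   /* value to write */
    uint32_t where;  /* target address, attacker controlled */
};

/* Reset the model: DSE enabled, everything else zero. */
void model_reset(void) {
    memset(g_mem, 0, sizeof g_mem);
    g_mem[G_CI_ENABLED_VA] = 1;
}

uint32_t read32(uint32_t va) {
    uint32_t v;
    if (va > MEM_SIZE - 4) abort();
    memcpy(&v, &g_mem[va], sizeof v);
    return v;
}

static void write32(uint32_t va, uint32_t v) {
    if (va > MEM_SIZE - 4) abort();     /* a real kernel would bugcheck here */
    memcpy(&g_mem[va], &v, sizeof v);
}

/* What ProbeForWrite enforces on Windows: the range must be aligned and lie
 * entirely within user space. Here it returns a status instead of raising. */
static int probe_for_write(uint32_t va, uint32_t len, uint32_t align) {
    if (va % align != 0) return STATUS_DATATYPE_MISALIGNMENT;
    if (len > USER_LIMIT || va > USER_LIMIT - len) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Vulnerable dispatch: trusts the 'where' the caller supplied. That is the
 * whole primitive; nothing else needs to go wrong. */
int ioctl_vulnerable(uint32_t code, const struct ww_request *req) {
    if (code != IOCTL_WRITE_WHAT_WHERE) return STATUS_INVALID_DEVICE_REQUEST;
    write32(req->where, req->what);                    /* no probe, no check */
    return STATUS_SUCCESS;
}

/* Hardened dispatch: same handler with the check the driver omitted. With
 * METHOD_NEITHER the request struct itself is also a user pointer and would
 * need ProbeForRead plus a copy to a local before use; it is a plain C pointer
 * in this model, so only the target address is probed. */
int ioctl_hardened(uint32_t code, const struct ww_request *req) {
    if (code != IOCTL_WRITE_WHAT_WHERE) return STATUS_INVALID_DEVICE_REQUEST;
    struct ww_request local = *req;                    /* work on a copy */
    int st = probe_for_write(local.where, sizeof local.what, sizeof local.what);
    if (st != STATUS_SUCCESS) return st;
    write32(local.where, local.what);
    return STATUS_SUCCESS;
}

/* The three attacker steps from the slide: pick the IOCTL, pick the value,
 * aim the write at the slot standing in for nt!g_CiEnabled. */
int disable_dse(int (*dispatch)(uint32_t, const struct ww_request *)) {
    struct ww_request req = { .what = 0, .where = G_CI_ENABLED_VA };
    return dispatch(IOCTL_WRITE_WHAT_WHERE, &req);
}
```

The point the model makes is that the vulnerability is a missing check, not a memory-corruption bug: the same handler with one probe refuses the kernel target while still serving legitimate user-space buffers. Note that the hardened version copies the request before probing it, which is what stops a second fetch of `where` from being raced by another thread.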
Kernel threat loader : exploitation 4
A vulnerable driver: lesson almost learned (2018). How not to use a driver to execute code with kernel privileges
• Anti-cheat driver bandainamcoonline.sys
Kernel threat loader : exploitation 6
https://securelist.com/elevation-of-privileges-in-namco-driver/83707/
- Logical components:
  • Payload
  • Shellcode builder
  • PE loader
Kernel threat loader : practical example 2
- Kernel loader:
  • Reflective loader
  • Actions:
    • Map sections
    • Relocations
    • Find imports
    • IoCreateDriver with DriverEntry as the initialization routine
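The relocation step of the reflective loader above, as an added example that is not the talk's own loader code. It is userland C with the PE relocation structure defined by hand (no windows.h), so it builds on any platform; the image, the pointer slot at SLOT_RVA and the .reloc block are constructed here and are not a real driver. The walker handles the two entry types a 64-bit driver actually carries (DIR64 and the ABSOLUTE padding entry) and rejects malformed blocks rather than trusting an unsigned payload's headers.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Base relocation processing over an image already copied into memory.
 * Userland C with the PE structure defined by hand (no windows.h); the image
 * and its .reloc block are constructed below for this example and are not a
 * real driver. Only DIR64 and ABSOLUTE entries are handled; anything else
 * (HIGHLOW and friends) is reported as an error rather than guessed at. */

#define IMAGE_REL_BASED_ABSOLUTE 0
#define IMAGE_REL_BASED_DIR64    10

/* IMAGE_BASE_RELOCATION: a page header followed by 16-bit entries of
 * (type << 12 | offset-within-page). */
struct base_relocation {
    uint32_t virtual_address;
    uint32_t size_of_block;
};

/* Patch every DIR64 slot by delta = actual_base - preferred_base.
 * Returns the number of slots patched, or -1 on a malformed directory. */
long apply_relocations(uint8_t *image, size_t image_size,
                       uint64_t preferred_base, uint64_t actual_base,
                       uint32_t reloc_rva, uint32_t reloc_size)
{
    uint64_t delta = actual_base - preferred_base;
    long applied = 0;
    uint32_t pos = 0;

    if (delta == 0) return 0;                    /* mapped at the linked base */
    if (reloc_rva > image_size || reloc_size > image_size - reloc_rva) return -1;

    while (pos + sizeof(struct base_relocation) <= reloc_size) {
        struct base_relocation hdr;
        memcpy(&hdr, image + reloc_rva + pos, sizeof hdr);
        if (hdr.size_of_block < sizeof hdr || hdr.size_of_block > reloc_size - pos)
            return -1;                           /* block overruns the directory */
        uint32_t nentries = (uint32_t)((hdr.size_of_block - sizeof hdr) / 2);
        const uint8_t *ent = image + reloc_rva + pos + sizeof hdr;

        for (uint32_t i = 0; i < nentries; i++) {
            uint16_t e;
            memcpy(&e, ent + 2 * i, sizeof e);
            uint16_t type = e >> 12, off = e & 0xFFF;
            uint64_t rva = (uint64_t)hdr.virtual_address + off;
            switch (type) {
            case IMAGE_REL_BASED_ABSOLUTE:
                break;                           /* padding entry, skip */
            case IMAGE_REL_BASED_DIR64: {
                uint64_t v;
                if (rva > image_size - 8) return -1;
                memcpy(&v, image + rva, sizeof v);
                v += delta;
                memcpy(image + rva, &v, sizeof v);
                applied++;
                break;
            }
            default:
                return -1;                       /* unsupported relocation type */
            }
        }
        pos += hdr.size_of_block;
    }
    return applied;
}

/* Constructed image: a 64-bit absolute pointer at SLOT_RVA that refers to
 * PREF_BASE + TARGET_RVA, plus a one-page .reloc block describing it. */
#define IMG_SIZE   0x3000u
#define PREF_BASE  0x140000000ULL
#define SLOT_RVA   0x1010u
#define TARGET_RVA 0x1500u
#define RELOC_RVA  0x2000u

uint32_t build_image(uint8_t *image)
{
    struct base_relocation hdr;
    uint64_t ptr = PREF_BASE + TARGET_RVA;
    uint16_t entries[2] = {
        (uint16_t)((IMAGE_REL_BASED_DIR64 << 12) | (SLOT_RVA - 0x1000u)),
        (uint16_t)((IMAGE_REL_BASED_ABSOLUTE << 12) | 0),   /* 4-byte alignment pad */
    };
    memset(image, 0, IMG_SIZE);
    memcpy(image + SLOT_RVA, &ptr, sizeof ptr);
    hdr.virtual_address = 0x1000u;
    hdr.size_of_block = (uint32_t)(sizeof hdr + sizeof entries);
    memcpy(image + RELOC_RVA, &hdr, sizeof hdr);
    memcpy(image + RELOC_RVA + sizeof hdr, entries, sizeof entries);
    return hdr.size_of_block;
}

uint64_t read_ptr(const uint8_t *image, uint32_t rva)
{
    uint64_t v;
    memcpy(&v, image + rva, sizeof v);
    return v;
}
```

In a kernel loader the actual base is whatever pool address the stage-1 shellcode obtained for the driver copy, so the delta is never zero in practice; the early return is there so the same routine also works when testing the payload at its linked base.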
Kernel threat loader : practical example 4
- Shellcode builder:
  • Get the export address of DriverLoader from the payload
  • Get MmGetSystemRoutineAddress (bypasses KASLR)
  • Build the shellcode
  • Send the IOCTL to the vulnerable driver
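The first step of the shellcode builder, finding the payload's DriverLoader export, as an added example that is not the talk's own builder code. It is userland C with IMAGE_EXPORT_DIRECTORY defined by hand; the image, its two exports and every RVA are constructed here for the example and do not come from a real driver. The lookup walks the directory the way a loader does (name table, then ordinal table, then function table) and refuses any table that does not fit inside the image.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Resolving an export by name from a PE image held in memory, the step a
 * shellcode builder needs to find the payload's DriverLoader entry point.
 * Userland C with the PE structure defined by hand; the image below is
 * constructed for this example and is not a real driver. Lookup walks
 * export directory -> name table -> ordinal table -> function table. */

struct export_directory {              /* IMAGE_EXPORT_DIRECTORY, 40 bytes */
    uint32_t characteristics, time_date_stamp;
    uint16_t major_version, minor_version;
    uint32_t name, base, number_of_functions, number_of_names;
    uint32_t address_of_functions, address_of_names, address_of_name_ordinals;
};

/* Returns the RVA of the export called 'name', or 0 if it is absent or the
 * directory does not fit inside the image (an unsigned payload can lie). */
uint32_t find_export_rva(const uint8_t *image, size_t image_size,
                         uint32_t export_rva, const char *name)
{
    struct export_directory ed;
    if (image_size < sizeof ed || export_rva > image_size - sizeof ed) return 0;
    memcpy(&ed, image + export_rva, sizeof ed);
    if ((uint64_t)ed.address_of_names + 4ULL * ed.number_of_names > image_size ||
        (uint64_t)ed.address_of_name_ordinals + 2ULL * ed.number_of_names > image_size ||
        (uint64_t)ed.address_of_functions + 4ULL * ed.number_of_functions > image_size)
        return 0;

    for (uint32_t i = 0; i < ed.number_of_names; i++) {
        uint32_t name_rva, fn_rva;
        uint16_t ord;
        const char *s;
        memcpy(&name_rva, image + ed.address_of_names + 4 * i, sizeof name_rva);
        if (name_rva >= image_size) return 0;
        s = (const char *)image + name_rva;
        if (memchr(s, 0, image_size - name_rva) == NULL) return 0;  /* unterminated */
        if (strcmp(s, name) != 0) continue;
        /* the ordinal table gives an unbiased index into the function table */
        memcpy(&ord, image + ed.address_of_name_ordinals + 2 * i, sizeof ord);
        if (ord >= ed.number_of_functions) return 0;
        memcpy(&fn_rva, image + ed.address_of_functions + 4 * ord, sizeof fn_rva);
        return fn_rva;
    }
    return 0;
}

/* Constructed image with two exports, DriverEntry and DriverLoader. The
 * function table is deliberately in the opposite order from the name table
 * so the ordinal indirection is exercised. All RVAs are hypothetical. */
#define IMG_SIZE          0x1000u
#define EXPORT_RVA        0x200u
#define DRIVERENTRY_RVA   0x700u
#define DRIVERLOADER_RVA  0x7A0u

void build_export_image(uint8_t *image)
{
    struct export_directory ed;
    uint32_t funcs[2] = { DRIVERLOADER_RVA, DRIVERENTRY_RVA };
    uint32_t names[2] = { 0x400u, 0x410u };
    uint16_t ords[2]  = { 1, 0 };
    memset(image, 0, IMG_SIZE);
    memset(&ed, 0, sizeof ed);
    ed.base = 1;
    ed.number_of_functions = 2;
    ed.number_of_names = 2;
    ed.address_of_functions = 0x300u;
    ed.address_of_names = 0x310u;
    ed.address_of_name_ordinals = 0x320u;
    memcpy(image + EXPORT_RVA, &ed, sizeof ed);
    memcpy(image + 0x300u, funcs, sizeof funcs);
    memcpy(image + 0x310u, names, sizeof names);
    memcpy(image + 0x320u, ords, sizeof ords);
    strcpy((char *)image + 0x400u, "DriverEntry");
    strcpy((char *)image + 0x410u, "DriverLoader");
}
```

The RVA this returns is what the builder embeds in stage 1: once the driver copy sits at its pool address, DriverLoader is simply that base plus the RVA, which is the entry point the new system thread is started on.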
Kernel threat loader : practical example 5
- Shellcode (stage 1):
  • Resolve dependencies/context in order to load a new PE and launch a new driver
  • Copy the driver buffer to NonPagedPoolExecute memory
  • Get PsCreateSystemThread
  • Launch a new thread:
    • Entry point: DriverLoader
    • Parameter: context
Living off the land features
• Kernel keylogger
• Kernel backdoor
  • Remote backdoor that does not bind new sockets
  • Registers an SMB handler
  • https://github.com/zerosum0x0/smbdoor
• Hypervisor capabilities