Are you over 18 and want to see adult content?
More Annotations
A complete backup of shakeuplearning.com
Are you over 18 and want to see adult content?
A complete backup of amaraworldhotels.com
Are you over 18 and want to see adult content?
A complete backup of therobotreport.com
Are you over 18 and want to see adult content?
A complete backup of flinntrospection.com
Are you over 18 and want to see adult content?
Favourite Annotations
A complete backup of stephaniewalter.design
Are you over 18 and want to see adult content?
A complete backup of greentophuntfish.com
Are you over 18 and want to see adult content?
A complete backup of ernestalexander.com
Are you over 18 and want to see adult content?
Text
(Recommended)”.
DETECTING MALICIOUS MICROSOFT OFFICE MACRO DOCUMENTS Macros are a series of commands that can be run automatically to perform a task. Macro code is embedded in Office documents written in a programming language known as Visual Basic for Applications (VBA). Macros could be used maliciously to drop malware, download malware, etc. Malicious macro files usually are received in Word documents orExcel
DOKANY/GOOGLE DRIVE FILE STREAM KERNEL STACK-BASED BUFFER Dokany/Google Drive File Stream Kernel Stack-based Buffer Overflow Vulnerability. Last November I reported a kernel vulnerability to CERT/CC for their help in coordinating the disclosure as it impacted dozens of vendors including Google Drive File Stream (GDFS). The vulnerability was a stack-based buffer overflow in Dokany’s kernelmode file
HIDING BROWSER HELPER OBJECTS Hiding Browser Helper Objects. A Browser Helper Object or BHO is a DLL module designed as an add-on for Microsoft’s Internet Explorer web browser to provide added functionality. When a BHO is installed on your system the add-on loads up automatically every time Internet Explorer is started. Hackers have been abusing this functionality by BYPASSING WINDOWS USER ACCOUNT CONTROL (UAC) AND WAYS OF User Account Control (UAC) gives us the ability to run in standard user rights instead of full administrator rights. So even if your standard user account is in the local admin group damage is limited, i.e. installing services, drivers, writing to secure locations, etc. are denied. To carry out these actions users would need to interactwith
BYPASSING EMET’S EAF WITH CUSTOM SHELLCODE USING KERNEL Bypassing EMET’s EAF with custom shellcode using kernel pointer. Recently I have been testing out Microsoft’s “Enhanced Mitigation Experience Toolkit” (EMET) tool for exploit mitigation. This is a free tool and is designed to harden or secure applications without having to recode them. One exploit I used to test was Adobe Flash’s BYPASSING WINDOWS ASLR USING “RUN WITHOUT PERMISSION” ADD Below are the lists of libraries that can be loaded via ProgID or ClassID. To view which libraries that can be loaded without permission go to “Manage Add-ons” which can be accessed from Internet Explorer – Tools – Manage Add-ons and choose “Run without permission” in the show dropdown list. The below script you can useto test if
HEAP SPRAYING IN INTERNET EXPLORER WITH ROP NOPS good job!but when i test this exploit-exploit.htm. i find that a9 in the 0x7c3413a9 ,maybe the bad characters!everytime i debug in the ollydbg the num 0xa9 change to 0x3f. i don’t know how you test this. i test the exp in xp sp2 and IE6so i serch another xchg address 0x7c342643.this time it works good! MITIGATING INSECURE LIBRARY LOADING VULNERABILITY Mitigating Insecure Library Loading Vulnerability. Insecure library loading or dll hijacking vulnerability occurs when libraries are loaded from a location not intended to load from due to how Windows search order works when searching for the library. This really comes down to developers not specifying the fully qualified path name of the WAYS TO DOWNLOAD AND EXECUTE CODE VIA THE COMMANDLINE In this post I am just highlighting some of the ways that I know of where we can download and execute code via the commandline which could be used in command injection vulnerabilities or exploiting buffer overflows using the classic ret-to-libc method. HIDING MALICIOUS FILES IN WINDOWS FOLDERS The desktop.ini file is normally a hidden file so to display existing ones in folders you’ll need to make it visible by opening the folder and clicking on the Tools menu . . . Folder Options and selecting View. Then select “Show hidden files and folders” radio button and also uncheck “Hide protected operating system files(Recommended)”.
DETECTING MALICIOUS MICROSOFT OFFICE MACRO DOCUMENTS Macros are a series of commands that can be run automatically to perform a task. Macro code is embedded in Office documents written in a programming language known as Visual Basic for Applications (VBA). Macros could be used maliciously to drop malware, download malware, etc. Malicious macro files usually are received in Word documents orExcel
DOKANY/GOOGLE DRIVE FILE STREAM KERNEL STACK-BASED BUFFER Dokany/Google Drive File Stream Kernel Stack-based Buffer Overflow Vulnerability. Last November I reported a kernel vulnerability to CERT/CC for their help in coordinating the disclosure as it impacted dozens of vendors including Google Drive File Stream (GDFS). The vulnerability was a stack-based buffer overflow in Dokany’s kernelmode file
HIDING BROWSER HELPER OBJECTS Hiding Browser Helper Objects. A Browser Helper Object or BHO is a DLL module designed as an add-on for Microsoft’s Internet Explorer web browser to provide added functionality. When a BHO is installed on your system the add-on loads up automatically every time Internet Explorer is started. Hackers have been abusing this functionality by BYPASSING WINDOWS USER ACCOUNT CONTROL (UAC) AND WAYS OF User Account Control (UAC) gives us the ability to run in standard user rights instead of full administrator rights. So even if your standard user account is in the local admin group damage is limited, i.e. installing services, drivers, writing to secure locations, etc. are denied. To carry out these actions users would need to interactwith
BYPASSING EMET’S EAF WITH CUSTOM SHELLCODE USING KERNEL Bypassing EMET’s EAF with custom shellcode using kernel pointer. Recently I have been testing out Microsoft’s “Enhanced Mitigation Experience Toolkit” (EMET) tool for exploit mitigation. This is a free tool and is designed to harden or secure applications without having to recode them. One exploit I used to test was Adobe Flash’s BYPASSING WINDOWS ASLR USING “RUN WITHOUT PERMISSION” ADD Below are the lists of libraries that can be loaded via ProgID or ClassID. To view which libraries that can be loaded without permission go to “Manage Add-ons” which can be accessed from Internet Explorer – Tools – Manage Add-ons and choose “Run without permission” in the show dropdown list. The below script you can useto test if
HEAP SPRAYING IN INTERNET EXPLORER WITH ROP NOPS good job!but when i test this exploit-exploit.htm. i find that a9 in the 0x7c3413a9 ,maybe the bad characters!everytime i debug in the ollydbg the num 0xa9 change to 0x3f. i don’t know how you test this. i test the exp in xp sp2 and IE6so i serch another xchg address 0x7c342643.this time it works good! MITIGATING INSECURE LIBRARY LOADING VULNERABILITY Mitigating Insecure Library Loading Vulnerability. Insecure library loading or dll hijacking vulnerability occurs when libraries are loaded from a location not intended to load from due to how Windows search order works when searching for the library. This really comes down to developers not specifying the fully qualified path name of the HIDING MALICIOUS FILES IN WINDOWS FOLDERS The desktop.ini file is normally a hidden file so to display existing ones in folders you’ll need to make it visible by opening the folder and clicking on the Tools menu . . . Folder Options and selecting View. Then select “Show hidden files and folders” radio button and also uncheck “Hide protected operating system files(Recommended)”.
ANALYSIS OF AN INTERESTING WINDOWS KERNEL CHANGE Last year I started researching into the Windows kernel to get a better understanding of privilege escalation vulnerabilities. Vulnerabilities in the kernel are a serious issue as they could be used to bypass browsers sandboxes and end up compromising the entiresystem.
SPRAYING THE HEAP IN SECONDS USING ACTIVEX CONTROLS IN Spraying the heap using classids that do not exist on the system prevents a number of mitigations. So disabling ActiveX controls in Microsoft Office via the Trust Center settings or via Office kill bit in the registry are ineffective. Only using Microsoft EMET’s heap spray mitigation would provide some protection. 1. EXPLOITING AND MITIGATING JAVA EXPLOITS IN INTERNET This mitigation only stops exploits using the applet tag, cannot be managed by Internet Explorer zones and any new Java update means you’ll need to update the registry again. Internet Explorer can use the classid attribute OBJECT tag to load Java. Hundreds of Java classids gets registered when Java is EXPLOITING VIR.IT EXPLORER ANTI-VIRUS ARBITRARY WRITE 1.0.0.11. 1.0.0.12. I decided to exploit the ioctl 0x8273007C by overwriting the _SEP_TOKEN_PRIVILEGES structure. Here I am overwriting certain offsets of the _SEP_TOKEN_PRIVILEGES structure with byte 0x11, actually overwriting a byte in the “Present” field and a byte in the “Enabled” field. This will give us the “SeDebugPrivilege EXPLOITING SYSTEM SHIELD ANTIVIRUS ARBITRARY WRITE A kernel vulnerability exists in an antivirus product called “System Shield AntiVirus and AntiSpyware” by Iolo Technologies. This is an arbitrary memory overwrite vulnerability due to the inputted buffer not being validated and has been assigned a CVE ID of CVE-2018-5701. ADOBE READER X START-UP ISSUE WITH PGP DESKTOP 1. Just don’t load PGPTray.exe executable and thus won’t load PGPhk.dll. 2. Disable Adobe Reader in “Protected Mode” but I strongly advise not to do so, this shouldn’t be seen as a solution but only if there is no other options. 3. Upgrade to the latest version of PGP Desktop 10.1 which fixes the issue. ELEVATING PRIVILEGES BY EXPLOITING WEAK FOLDER PERMISSIONS Elevating privileges by exploiting weak folder permissions. Securing machines is always an on-going process whether it is by locking down settings, blocking applications, disabling Windows Services, making sure user privileges are kept to a minimum and so on. If we don’t then users will end up installing non-standard software, makingchanges
ABUSING MSI’S ELEVATED PRIVILEGES Abusing MSI’s elevated privileges. Microsoft Windows operating systems come installed with a Windows Installer engine which is used by MSI packages for installation. One of the powerful features is that MSI packages can be installed with elevated privileges for non-admin users. For a package to use elevated privileges the a registry name MITIGATING INSECURE LIBRARY LOADING VULNERABILITY Mitigating Insecure Library Loading Vulnerability. Insecure library loading or dll hijacking vulnerability occurs when libraries are loaded from a location not intended to load from due to how Windows search order works when searching for the library. This really comes down to developers not specifying the fully qualified path name of the DOKANY/GOOGLE DRIVE FILE STREAM KERNEL STACK-BASED BUFFER Dokany/Google Drive File Stream Kernel Stack-based Buffer Overflow Vulnerability. Last November I reported a kernel vulnerability to CERT/CC for their help in coordinating the disclosure as it impacted dozens of vendors including Google Drive File Stream (GDFS). The vulnerability was a stack-based buffer overflow in Dokany’s kernelmode file
DETECTING MALICIOUS MICROSOFT OFFICE MACRO DOCUMENTSMALICIOUS CODE FILE EXTENSION EXAMPLESMALICIOUS FILE EXTENSION LISTMALICIOUS FILETYPES
Macros are a series of commands that can be run automatically to perform a task. Macro code is embedded in Office documents written in a programming language known as Visual Basic for Applications (VBA). Macros could be used maliciously to drop malware, download malware, etc. Malicious macro files usually are received in Word documents orExcel
WAYS TO DOWNLOAD AND EXECUTE CODE VIA THE COMMANDLINEEXECUTE EXE POWERSHELLEXECUTE EXE POWERSHELLPOWERSHELL EXECUTE EXE SILENTLYPOWERSHELL SCRIPT TO EXECUTE EXEPOWERSHELL SCRIPT TO EXECUTEEXE
In this post I am just highlighting some of the ways that I know of where we can download and execute code via the commandline which could be used in command injection vulnerabilities or exploiting buffer overflows using the classic ret-to-libc method. BYPASSING WINDOWS USER ACCOUNT CONTROL (UAC) AND WAYS OFBYPASS USER ACCOUNT CONTROLDISABLE USER ACCOUNT CONTROL IN WINDOWS 10ENABLE USER ACCOUNT CONTROLUSER ACCOUNT CONTROL BYPASS DOWNLOADUSER CONTROL ACCOUNTSHOW TO BYPASS USER CONTROL User Account Control (UAC) gives us the ability to run in standard user rights instead of full administrator rights. So even if your standard user account is in the local admin group damage is limited, i.e. installing services, drivers, writing to secure locations, etc. are denied. To carry out these actions users would need to interactwith
HIDING BROWSER HELPER OBJECTS Hiding Browser Helper Objects. A Browser Helper Object or BHO is a DLL module designed as an add-on for Microsoft’s Internet Explorer web browser to provide added functionality. When a BHO is installed on your system the add-on loads up automatically every time Internet Explorer is started. Hackers have been abusing this functionality by BYPASSING EMET’S EAF WITH CUSTOM SHELLCODE USING KERNEL Bypassing EMET’s EAF with custom shellcode using kernel pointer. Recently I have been testing out Microsoft’s “Enhanced Mitigation Experience Toolkit” (EMET) tool for exploit mitigation. This is a free tool and is designed to harden or secure applications without having to recode them. One exploit I used to test was Adobe Flash’s ANALYSIS OF AN INTERESTING WINDOWS KERNEL CHANGE Last year I started researching into the Windows kernel to get a better understanding of privilege escalation vulnerabilities. Vulnerabilities in the kernel are a serious issue as they could be used to bypass browsers sandboxes and end up compromising the entiresystem.
BYPASSING WINDOWS ASLR IN MICROSOFT OFFICE USING ACTIVEX Disabling ActiveX controls can be configured via the Trust Center settings. File — Options — Trust Center — Trust Center Settings — ActiveX Settings. This will disable all controls so probably not a good idea in your environment. Disabling specific embedded ActiveX controls with Office kill bit. BYPASSING WINDOWS ASLR USING “RUN WITHOUT PERMISSION” ADDCURRENTLY LOADED ADD ONSRUN WITHOUT PERMISSION MANAGE ADDONSWHAT DOES DISABLINGADD ONS MEAN
Below are the lists of libraries that can be loaded via ProgID or ClassID. To view which libraries that can be loaded without permission go to “Manage Add-ons” which can be accessed from Internet Explorer – Tools – Manage Add-ons and choose “Run without permission” in the show dropdown list. The below script you can useto test if
HEAP SPRAYING IN INTERNET EXPLORER WITH ROP NOPS good job!but when i test this exploit-exploit.htm. i find that a9 in the 0x7c3413a9 ,maybe the bad characters!everytime i debug in the ollydbg the num 0xa9 change to 0x3f. i don’t know how you test this. i test the exp in xp sp2 and IE6so i serch another xchg address 0x7c342643.this time it works good! DOKANY/GOOGLE DRIVE FILE STREAM KERNEL STACK-BASED BUFFER Dokany/Google Drive File Stream Kernel Stack-based Buffer Overflow Vulnerability. Last November I reported a kernel vulnerability to CERT/CC for their help in coordinating the disclosure as it impacted dozens of vendors including Google Drive File Stream (GDFS). The vulnerability was a stack-based buffer overflow in Dokany’s kernelmode file
DETECTING MALICIOUS MICROSOFT OFFICE MACRO DOCUMENTSMALICIOUS CODE FILE EXTENSION EXAMPLESMALICIOUS FILE EXTENSION LISTMALICIOUS FILETYPES
Macros are a series of commands that can be run automatically to perform a task. Macro code is embedded in Office documents written in a programming language known as Visual Basic for Applications (VBA). Macros could be used maliciously to drop malware, download malware, etc. Malicious macro files usually are received in Word documents orExcel
WAYS TO DOWNLOAD AND EXECUTE CODE VIA THE COMMANDLINEEXECUTE EXE POWERSHELLEXECUTE EXE POWERSHELLPOWERSHELL EXECUTE EXE SILENTLYPOWERSHELL SCRIPT TO EXECUTE EXEPOWERSHELL SCRIPT TO EXECUTEEXE
In this post I am just highlighting some of the ways that I know of where we can download and execute code via the commandline which could be used in command injection vulnerabilities or exploiting buffer overflows using the classic ret-to-libc method. BYPASSING WINDOWS USER ACCOUNT CONTROL (UAC) AND WAYS OFBYPASS USER ACCOUNT CONTROLDISABLE USER ACCOUNT CONTROL IN WINDOWS 10ENABLE USER ACCOUNT CONTROLUSER ACCOUNT CONTROL BYPASS DOWNLOADUSER CONTROL ACCOUNTSHOW TO BYPASS USER CONTROL User Account Control (UAC) gives us the ability to run in standard user rights instead of full administrator rights. So even if your standard user account is in the local admin group damage is limited, i.e. installing services, drivers, writing to secure locations, etc. are denied. To carry out these actions users would need to interactwith
HIDING BROWSER HELPER OBJECTS Hiding Browser Helper Objects. A Browser Helper Object or BHO is a DLL module designed as an add-on for Microsoft’s Internet Explorer web browser to provide added functionality. When a BHO is installed on your system the add-on loads up automatically every time Internet Explorer is started. Hackers have been abusing this functionality by BYPASSING EMET’S EAF WITH CUSTOM SHELLCODE USING KERNEL Bypassing EMET’s EAF with custom shellcode using kernel pointer. Recently I have been testing out Microsoft’s “Enhanced Mitigation Experience Toolkit” (EMET) tool for exploit mitigation. This is a free tool and is designed to harden or secure applications without having to recode them. One exploit I used to test was Adobe Flash’s ANALYSIS OF AN INTERESTING WINDOWS KERNEL CHANGE Last year I started researching into the Windows kernel to get a better understanding of privilege escalation vulnerabilities. Vulnerabilities in the kernel are a serious issue as they could be used to bypass browsers sandboxes and end up compromising the entiresystem.
BYPASSING WINDOWS ASLR IN MICROSOFT OFFICE USING ACTIVEX Disabling ActiveX controls can be configured via the Trust Center settings. File — Options — Trust Center — Trust Center Settings — ActiveX Settings. This will disable all controls so probably not a good idea in your environment. Disabling specific embedded ActiveX controls with Office kill bit. BYPASSING WINDOWS ASLR USING “RUN WITHOUT PERMISSION” ADDCURRENTLY LOADED ADD ONSRUN WITHOUT PERMISSION MANAGE ADDONSWHAT DOES DISABLINGADD ONS MEAN
Below are the lists of libraries that can be loaded via ProgID or ClassID. To view which libraries that can be loaded without permission go to “Manage Add-ons” which can be accessed from Internet Explorer – Tools – Manage Add-ons and choose “Run without permission” in the show dropdown list. The below script you can useto test if
HEAP SPRAYING IN INTERNET EXPLORER WITH ROP NOPS good job!but when i test this exploit-exploit.htm. i find that a9 in the 0x7c3413a9 ,maybe the bad characters!everytime i debug in the ollydbg the num 0xa9 change to 0x3f. i don’t know how you test this. i test the exp in xp sp2 and IE6so i serch another xchg address 0x7c342643.this time it works good! ANALYSIS OF AN INTERESTING WINDOWS KERNEL CHANGE Last year I started researching into the Windows kernel to get a better understanding of privilege escalation vulnerabilities. Vulnerabilities in the kernel are a serious issue as they could be used to bypass browsers sandboxes and end up compromising the entiresystem.
MALWARE – GREYHATHACKER.NET *Only applies when using Document_Open name.. Word 2003 also supports saving macro enabled documents to be saved as XML extension files which are able to run on Word 2010. BYPASSING WINDOWS ASLR IN MICROSOFT OFFICE USING ACTIVEX Disabling ActiveX controls can be configured via the Trust Center settings. File — Options — Trust Center — Trust Center Settings — ActiveX Settings. This will disable all controls so probably not a good idea in your environment. Disabling specific embedded ActiveX controls with Office kill bit. SPRAYING THE HEAP IN SECONDS USING ACTIVEX CONTROLS IN Spraying the heap using classids that do not exist on the system prevents a number of mitigations. So disabling ActiveX controls in Microsoft Office via the Trust Center settings or via Office kill bit in the registry are ineffective. Only using Microsoft EMET’s heap spray mitigation would provide some protection. 1. EXPLOITING VIR.IT EXPLORER ANTI-VIRUS ARBITRARY WRITE 1.0.0.11. 1.0.0.12. I decided to exploit the ioctl 0x8273007C by overwriting the _SEP_TOKEN_PRIVILEGES structure. Here I am overwriting certain offsets of the _SEP_TOKEN_PRIVILEGES structure with byte 0x11, actually overwriting a byte in the “Present” field and a byte in the “Enabled” field. This will give us the “SeDebugPrivilege ADOBE READER X START-UP ISSUE WITH PGP DESKTOP 1. Just don’t load PGPTray.exe executable and thus won’t load PGPhk.dll. 2. Disable Adobe Reader in “Protected Mode” but I strongly advise not to do so, this shouldn’t be seen as a solution but only if there is no other options. 3. Upgrade to the latest version of PGP Desktop 10.1 which fixes the issue. WINDOWS URI PROTOCOL HANDLING VULNERABILITY This is an interesting vulnerability first got published at the end of July 2007 but really brought to light at the end of October 2007. Spammers exploited this vulnerability by sending a specially crafted URI (Uniform Resource Identifier) containing a “%” character andending with a
IKARUS ANTI.VIRUS AND ITS 9 EXPLOITABLE KERNEL IKARUS anti.virus and its 9 exploitable kernel vulnerabilities. Here is a list of the 9 kernel vulnerabilities I discovered over a month ago in an antivirus product called IKARUS anti.virus which has finally been fixed. Most of the vulnerabilities were due to the inputted output buffer address (Irp->UserBuffer) being saved on the stack whichis
SURETHING LABELER PLAYLIST BUFFER OVERFLOW UNICODE EXPLOIT SureThing Labeler Playlist Buffer Overflow UNICODE Exploit. This vulnerability I had discovered a couple of years ago but never got round in writing an exploit for it till recently after studying Peter Van Eeckhoutte’s excellent exploit writing tutorial “Unicode – from 0×00410041 to calc”. In this vulnerability when data is parsedfrom
MITIGATING INSECURE LIBRARY LOADING VULNERABILITY Mitigating Insecure Library Loading Vulnerability. Insecure library loading or dll hijacking vulnerability occurs when libraries are loaded from a location not intended to load from due to how Windows search order works when searching for the library. This really comes down to developers not specifying the fully qualified path name of theGREYHATHACKER.NET
Malware, Vulnerabilities, Exploits and more . . .MENU
* About
Search for:
DOKANY/GOOGLE DRIVE FILE STREAM KERNEL STACK-BASED BUFFER OVERFLOWVULNERABILITY
Last November I reported a kernel vulnerability to CERT/CC for their help in coordinating the disclosure as it impacted dozens of vendors including Google Drive File Stream (GDFS). The vulnerability was a stack-based buffer overflow in Dokany’s kernel mode file system driver and has been assigned cve id of CVE-2018-5410. With Dokany you can create your own virtual file system without writing device drivers. The code is open source and is being used in dozens of projects listed here . A handful of products were tested and are all shipped with Dokany’s compiled package with the exception of GDFS where parts of the code have been changed and signed by Google.TRIGGERING THE BUG
Connecting to the device handle “dokan_1” and sending inputted buffer of more than 776 bytes to IOCTL 0x00222010 is enough to corrupt the stack cookie and BSOD the box.kd> !analyze -v
*************************************************************************** * * * Bugcheck Analysis * * * *************************************************************************** DRIVER_OVERRAN_STACK_BUFFER (f7) A driver has overrun a stack-based buffer. This overrun could potentially allow a malicious user to gain control of this machine.DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would have overwritten the function's return address and jumped back to an arbitrary address when the function returned. This is the classic "buffer overrun" hacking attack and the system has been brought down to prevent a malicious user from gaining complete control of it. Do a kb to get a stack backtrace -- the last routine on the stack before the buffer overrun handlers and bugcheck call is the one that overran its localvariable(s).
Arguments:
Arg1: c0693bbe, Actual security check cookie from the stack Arg2: 1c10640d, Expected security check cookie Arg3: e3ef9bf2, Complement of the expected security check cookie Arg4: 00000000, zeroDebugging Details:
------------------
DEFAULT_BUCKET_ID: GS_FALSE_POSITIVE_MISSING_GSFRAME SECURITY_COOKIE: Expected 1c10640d found c0693bbe.
.
.
Checking the source code to pinpoint vulnerable code was found to be in notification.c where RtlCopyMemory function’s szMountPoint->Length parameter is not validated RtlCopyMemory(&dokanControl.MountPoint, szMountPoint->Buffer, szMountPoint->Length); The vulnerable code was introduced from the major version update 1.0.0.5000 which was released on the 20th September 2016.TIMELINE
Below is the timeline where we can see the maintainers of Dokany were very efficient in fixing this bug. 30th November 2018 – Submitted on CERT/CC online form 03rd December 2018 – Received acknowledgement of submission 08th December 2018 – Updated Dokan code committed 18th December 2018 – Dokan change log 20th December 2018 – Compiled version released 20th December 2018 – CERT/CC publish Vulnerability Note VU#741315 SO WHAT HAPPENED TO GOOGLE? Well it would seem Google have kept quiet about this bug and silently fixed it without any publication. The only url I found on GDFS releasenotes is here
where the last update was on the 17th October 2018 on version 28.1. It was just out of curiosity I had downloaded GDFS on the 28th of December only to discover the vulnerability had already been patched. The patched versions are: _Software : GoogleDriveFSSetup.exe_ _Version : 29.1.34.1821_ _Signed : 17th December 2018_ _Driver : googledrivefs2622.sys_ _Version : 2.622.2225.0_ _Signed : 14th December 2018_ The last vulnerable version I tested was: _Software : GoogleDriveFSSetup.exe_ _Version : 28.1.48.2039_ _Signed : 13th November 2018_ _Driver : googledrivefs2544.sys_ _Version : 2.544.1532.0 _ _Signed : 27th September 2018_ CERT/CC vulnerability notes is still flagged as being affected GDFS driver filename, version and handle change in each update. Here is a list of some previous vulnerable versions.DRIVER FILENAME
DRIVER VERSION
DEVICE HANDLE
googledrivefs2285.sys2.285.2219.0
googledrivefs_2285
googledrivefs2454.sys2.454.2037.0
googledrivefs_2454
googledrivefs2534.sys2.534.1534.0
googledrivefs_2534
googledrivefs2544.sys2.544.1532.0
googledrivefs_2544
EXPLOITING THE BUG
Since the vulnerability is a stack-based buffer overflow compiled with Stack Cookie protection (/GS) which is validated before our function is returned controlling the flow of execution using the return address is not possible. To bypass cookie validation we need to overwrite an exception handler in the stack and then trigger an exception in the kernel there by calling our overwritten exception handler. This technique however only applies to 32-bit systems as when code is compiled for 64-bit the exception handlers are no longer stored on the stack so from “frame based” has become “table-based”. For 64-bit the exception handlers are stored in the PE image where there is an exception directory contains a variable number of RUNTIME_FUNCTION structures. An article posted on OSRlineexplains it
well. Below shows the exception directory in 64-bit compiled driver In order to exploit on 32-bit OS after the exception handler has been overwritten with our address pointing to our shellcode we need to trigger an exception. Usually reading beyond our inputted buffer would do it as it be unallocated memory after setting up our buffer using apis such as CreateFileMapping() and MapViewOfFile(). Unfortunately this is not possible as the IOCTL used 0x00222010 is using “Buffered I/O” transfer method where the data is allocated into the system buffer so when our inputted data is read its read from the system buffer thus there so no unallocated memory after our buffer. For Dokany driver there is still a way to exploit as after the overflow and before cookie validation it calls another subroutine which ends up calling api IoGetRequestorSessionId(). One of the parameters it reads from the stack is the IRP address which we happen to control. All we need to do is make sure our IRP address points to an area of unallocated memory. As for GDFS Google have made some changes to its code so the api IoGetRequestorSessionId() is not called and I couldn’t find any other way to produce an exception so just ends up producing BSOD. The last thing to mention is that the vulnerable subroutine is not wrapped in a __try/__except block but a parent subroutine is and thats the exception handler being overwritten further down the stack. A minimum inputted buffer size of 896 bytes is need in order to overwrite theexception handler.
2 bytes – Size used by memcpy 2 bytes – Size used to check input buffer 772 bytes – Actual data buffer 4 bytes – Cookie 4 bytes – EBP 4 bytes – RET 4 bytes – Other data 4 bytes – IRP 96 bytes – Other data 4 bytes – Exception handler Stack layout before and after our overflow a1caf9f4 00000000 a1caf9f8 fcef3710 <-- cookie a1caf9fc a1cafa1c a1cafa00 902a2b80 dokan1+0x5b80 <-- return a1cafa04 861f98b0 a1cafa08 871ef510 <-- IRP a1cafa0c 861f9968 a1cafa10 871ef580 a1cafa14 00000010 a1cafa18 c0000002 a1cafa1c a1cafa78 a1cafa20 902a2668 dokan1+0x5668 a1cafa24 861f98b0 a1cafa28 871ef510 a1cafa2c fcef3494 a1cafa30 86cd4738 a1cafa34 861f98b0 a1cafa38 00000000 a1cafa3c 00000000 a1cafa40 00000000 a1cafa44 00000000 a1cafa48 00000000 a1cafa4c 871ef580 a1cafa50 861f9968 a1cafa54 00222010 a1cafa58 c0000002 a1cafa5c 861f9968 a1cafa60 861f98b0 a1cafa64 a1cafa7c a1cafa68 a1cafacc a1cafa6c 902b2610 dokan1+0x15610 <-- Exception handlerkd> dps a1caf9f4
a1caf9f4 41414141 a1caf9f8 42424242 <-- cookie a1caf9fc 41414141 a1cafa00 43434343 <-- return a1cafa04 41414141 a1cafa08 44444444 <-- IRP a1cafa0c 41414141 a1cafa10 41414141 a1cafa14 41414141 a1cafa18 41414141 a1cafa1c 41414141 a1cafa20 41414141 a1cafa24 41414141 a1cafa28 41414141 a1cafa2c 41414141 a1cafa30 41414141 a1cafa34 41414141 a1cafa38 41414141 a1cafa3c 41414141 a1cafa40 41414141 a1cafa44 41414141 a1cafa48 41414141 a1cafa4c 41414141 a1cafa50 41414141 a1cafa54 41414141 a1cafa58 41414141 a1cafa5c 41414141 a1cafa60 41414141 a1cafa64 41414141 a1cafa68 41414141 a1cafa6c 000c0000 <-- Exception handler which now points to shellcode To recover we return to the parent subroutine. a1cafa70 00000000 a1cafa74 00000000 a1cafa78 a1cafa94 a1cafa7c 902a3d4a dokan1+0x6d4a a1cafa80 861f98b0 a1cafa84 871ef510 a1cafa88 0000000e a1cafa8c d346f492 a1cafa90 871ef580 <-- before ebp, recover here after shellcode execution a1cafa94 a1cafadc a1cafa98 902a3a8f dokan1+0x6a8f a1cafa9c 861f98b0 a1cafaa0 871ef510 a1cafaa4 fcef3430 a1cafaa8 86cd4738 a1cafaac 861f98b0 a1cafab0 00000000 a1cafab4 871ef510 a1cafab8 00000001 a1cafabc c0000001 a1cafac0 0101af00 a1cafac4 a1cafaa4 a1cafac8 871ef520 a1cafacc a1cafbc0 a1cafad0 902b2610 dokan1+0x15610 a1cafad4 cd0e6854 a1cafad8 00000001 a1cafadc a1cafaf4 a1cafae0 82a8c129 nt!IofCallDriver+0x63 a1cafae4 861f98b0 a1cafae8 871ef510 a1cafaec 871ef510 a1cafaf0 861f98b0 The exploit can be downloaded from here and the direct link to the vulnerable package used from Github . The zip file only contains exploit for Windows 7 32 bit OS along with code to trigger BSOD on earlier GDFS 32/64 bit versions. Note the exploit is not perfect as in once an elevated shell is spawned the parent process takes around 7 minutes before returning to the prompt. Most likely the recovery part of the shellcode needs a bit of work. Also for some strange reason the exploit only works when the debugger is attached and I just couldn’t figure out why. One observation I noticed was that the shellcode buffer becomes unallocated so might be some timing issue. If you have any ideas do please leave a comment.@ParvezGHH
Posted in All , Bugs, Exploits
, Vulnerabilities
and tagged Elevate
, Kernel
on January 14, 2019
by Parvez
. Leave a comment
← Older
RECENT POSTS
* Dokany/Google Drive File Stream Kernel Stack-based Buffer OverflowVulnerability
* Exploiting STOPzilla AntiMalware Arbitrary Write Vulnerability using SeCreateTokenPrivilege * Exploiting System Shield AntiVirus Arbitrary Write Vulnerability using SeTakeOwnershipPrivilege * IKARUS anti.virus and its 9 exploitable kernel vulnerabilities * Exploiting Vir.IT eXplorer Anti-Virus Arbitrary WriteVulnerability
CATEGORIES
* All
* Bugs
* Exploits
* Malware
* Mitigation
* Other
* Vulnerabilities
TAGS
ActionScript ActiveXAdobe
Anti-Rootkit
ASLR
Autorun
BHO
BlazeDVD
Download and ExecuteElevate
EMET
FakeAV
heapspray
Hidden
Hijack
IrfanView
Java
Kernel
Macros
McAfee
MSI
MSWord
PGP
pif
RemoteExec
Return to Libc
ROP
Sandbox
Skype
SureThing
Symantec
trailing
UAC
URI
Vista
ARCHIVES
* January 2019 (1) * September 2018 (1) * January 2018 (1) * November 2017 (2) * September 2016 (1) * December 2015 (2)* July 2015 (1)
* January 2015 (1) * December 2014 (1)* June 2014 (1)
* January 2014 (1) * November 2013 (1) * September 2013 (1) * February 2013 (1) * December 2012 (1)* August 2012 (1)
* June 2012 (1)
* February 2012 (1) * January 2012 (1) * December 2011 (1) * November 2011 (1)* August 2011 (2)
* July 2011 (1)
* April 2011 (1)
* March 2011 (1)
* October 2010 (3)* June 2010 (1)
* May 2010 (1)
* March 2010 (2)
* February 2010 (1) * December 2009 (1) * September 2009 (1)* May 2009 (1)
* April 2009 (1)
* September 2008 (1) * November 2007 (2)META
* Log in
* Entries feed
* Comments feed
* WordPress.org
Proudly powered by WordPress · Theme: Suitsby Theme Weaver
Details
Copyright © 2024 ArchiveBay.com. All rights reserved. Terms of Use | Privacy Policy | DMCA | 2021 | Feedback | Advertising | RSS 2.0