
Write module for Lenovo Diagnostics Driver Exploit CVE-2022-3699

Open jheysel-r7 opened this issue 2 years ago • 12 comments

Currently working on this, using as a placeholder

Summary

More info here: https://github.com/alfarom256/CVE-2022-3699/

Basic example

If you have a POC, blog post or any other useful references please let us know in this section.

Motivation

Why are we doing this? What use cases does it support? What is the expected outcome?

jheysel-r7 avatar Dec 02 '22 15:12 jheysel-r7

Hey @jheysel-r7 if you have any questions please feel free to hit me up. There's one thing I'd like to do better in my PoC: Once the PteBase is resolved and I get a working VtoP function, the physical swap space should be restored to 0u64 and another "swap" space should be used.

e.g. (something like this):

UINT64 global_qwJunkSwap = 0;

// ...
// ...

UINT64 qwNewSwapPhys = lm.VtoP(global_qwJunkSwap);
lm.WritePhysical(oldSwap, 0);
lm.SetPhysSwap(qwNewSwapPhys);

Just to help with stability so we're lessening the chance of a heap corruption leading to a bugcheck. That is if you're still doing it the way I did it which may not be the best way tbh.

Can't wait to see what you make!

alfarom256 avatar Dec 02 '22 17:12 alfarom256


Hey @alfarom256, I really appreciate you reaching out! I was just in the midst of rewriting your exploit from C++ into C to avoid potential copyright issues. If you would be so kind as to accept this pull request that adds an open source MIT license to your PoC, I'd be able to reuse it in metasploit and it would really expedite the process of getting a working metasploit module landed. No worries if you're not comfortable with that, just thought I would ask!

Also thanks for bringing up that improvement. I'll definitely work towards improving your PoC so as to avoid heap corruption that leads to a bugcheck. Looking forward to hearing from you soon and seeing this awesome exploit get incorporated into the metasploit-framework!

jheysel-r7 avatar Dec 05 '22 22:12 jheysel-r7

Done and done :)

alfarom256 avatar Dec 05 '22 23:12 alfarom256

Man that was easy...

h00die avatar Dec 05 '22 23:12 h00die

bsod problem :D

SiyahS4ncakTv avatar Dec 08 '22 00:12 SiyahS4ncakTv

#17371

bcoles avatar Dec 13 '22 03:12 bcoles

Hey @alfarom256, I'm excited to share I've got your PoC working nicely in metasploit on Windows 11. I have a draft PR up (https://github.com/rapid7/metasploit-framework/pull/17371) that makes use of our Reflective DLL template (https://github.com/rapid7/metasploit-framework/tree/c44fb61c9a8a9be54b99a36f2c09f162fc64d261/external/source/rdll_template).

I've been testing the module (and PoC) on Windows 10 21H2 and have been minding the EPROCESS offsets, although right before the module executes the payload here (https://github.com/rapid7/metasploit-framework/pull/17371/files#diff-d2b493173ee43c4aba98b51381919ff5fecff09d676b2670be89d439ec779689R231-R233), when attempting to upgrade the token used, this KernelWrite (https://github.com/rapid7/metasploit-framework/pull/17371/files#diff-d2b493173ee43c4aba98b51381919ff5fecff09d676b2670be89d439ec779689R177) causes a bug check.

The SYSTEM_SERVICE_EXCEPTION bug check has a value of 0x0000003B. This indicates that an exception happened while executing a routine that transitions from non-privileged code to privileged code.

I'm going to try implementing your suggested improvements tomorrow. Do you think this bug check is being thrown due to the stability issue you suggested? Wanted to see what you thought, as it seems to work quite consistently on Windows 11 but I haven't been able to run it successfully yet on Windows 10.

jheysel-r7 avatar Dec 15 '22 02:12 jheysel-r7

Ooooh yes, there's a different path on W10 to resolve MmPteBase. IIRC I accidentally left the functions and patterns in one of the headers, but I'll check a commit I made when I was testing W10 on my dev repo and get back to you.


alfarom256 avatar Dec 15 '22 05:12 alfarom256

Ok so pattern matching for MmPteBase for W10 21H2 is:

KeBugCheckEx -> KeBugCheck2 -> KiMarkBugCheckRegions -> MmPteBase

In hindsight I should have just used the ntoskrnl mapped into the um process w/ LoadLibraryA to resolve this instead of reading from the kernel....... Oops.

alfarom256 avatar Dec 15 '22 21:12 alfarom256

Hey @alfarom256, happy new year. Thanks so much for all the help thus far, I really appreciate it.

I think I've almost implemented the pattern matching for W10 but have a couple of questions.

I noticed you kindly left the pattern mask combinations for KeBugCheckEx and KeBugCheck2 here. Do you know what the pattern / mask looks like for KiMarkBugCheckRegions ? I think they may have been excluded, or possibly defined as something else (I added place holders to the header in my PR).

In your GetPteBase function you return qwPteBase but here refer to MmPteBase. I'm quite new to kernel exploitation and am still unsure of what some of these prefixes refer to. I found this document helpful though am not confident with what I'll need to change to retrieve MmPteBase

I've added a LenovoMemoryMgr::GetPteBaseW10(). The bottom of the method is commented out - I'm wondering if we should be able to search MiKiMarkBugCheckRegions directly for PteBase and what that is going to look like.

I know this is a lot though any tips or suggestions or general guidance would be super helpful.

jheysel-r7 avatar Jan 12 '23 06:01 jheysel-r7

Ah - smcintyre-r7 just kindly gave me an overview of what's happening here and also kindly explained how to load up ntoskrnl.exe into binary ninja in order to find the patterns and corresponding offsets. I'll let you know how it goes!

jheysel-r7 avatar Jan 12 '23 16:01 jheysel-r7

Hey!! I was out and didn't get a chance to see the updates to this thread. I'm glad smcintyre-r7 helped you out! I'll add this account to my mobile in case you need anything so I can see it sooner lol. Happy new year to you all as well! Unfortunately I had not committed a working W10 sample, so that pattern mask is gone for the moment.


alfarom256 avatar Jan 13 '23 19:01 alfarom256

Hey @alfarom256, no worries! I was able to resolve the pointer chain to retrieve PteBase on Windows 10. The metasploit module has been tested on W10 + W11 and is just waiting for review. I can't thank you enough for all your help and guidance throughout this effort, couldn't have done it without ya 🙏

jheysel-r7 avatar Feb 01 '23 16:02 jheysel-r7


You've done a killer job! Likewise, thank you, and I can't wait to use this :)

alfarom256 avatar Feb 01 '23 18:02 alfarom256