
WINDOWS 10 POOL CORRUPTION IN FILE AREA DRIVER

During the weekend of 6-8th of July, our CTF team – Dragon Sector – played in an invite-only competition called WCTF, held in Beijing. The other participants were top-tier groups from around the world (e.g. Shellphish, ESPR, LC↯BC or Tokyo Westerns), and the prize pool of the contest was a stunning $100,000 USD. One particularly unique rule of the CTF was that the challenges were prepared by the teams themselves and not the organizers. Each of the 10 teams was obligated to provide two tasks, at least one of which had to run on Windows. This meant that each team could capture a maximum of 18 flags set up by the other teams in the room. In practice, the structure of the contest incentivized submitting extremely difficult and complex challenges. Remote help was allowed, and the scoring system offered first blood bonus points for being the first, second and third team to solve a task.

After two days of tough competition, we came out as the runner-up of the CTF with 6/18 tasks solved, behind the winner – Tokyo Westerns (7/18 tasks):

The hacking part of the event was followed by a soft part, where additional points were granted by a jury and the participants for presenting one’s own tasks on stage. My contribution to the above result was a flag for the “Searchme” task authored by Eat, Sleep, Pwn, Repeat. It involved the exploitation of an off-by-one buffer overflow of a PagedPool allocation made by a vulnerable kernel driver loaded in Windows 10 64-bit.

Shortly after the CTF, the original author (Niklas) published the source code of the driver and the corresponding exploit (see niklasb/elgoog on GitHub and discussion on Twitter), which revealed that my solution was partially unintended. Niklas used the off-by-one to corrupt allocation metadata and performed some pool feng-shui to get overlapping pool chunks. On the other hand, I achieved a similar outcome through a data-only attack without touching any pool metadata, which made the overall exploitation process somewhat simpler. I encourage you to closely analyze Niklas’ exploit, and if you’re interested in my approach, follow along. If you want to jump straight to the exploit code, find it on GitHub.

Initial recon

As a part of the task, we were provided with a 64-bit Windows kernel driver called searchme.sys consuming 14 kB of disk space, and the following description:

3389 flag is here: c:\flag.txt, User:ctf, password:ctf

When I connected to the remote host via RDP, I could log in as a regular “ctf” user. The searchme.sys driver was loaded in the system, and the desired C:\flag.txt file was found on disk, but it couldn’t be read from the security context of the current user, as expected:

At this point, it was quite clear that the goal of the challenge was to exploit a kernel-mode vulnerability in searchme.sys to elevate privileges to administrative or system rights, and then read the flag from the protected file.

When I loaded the module in IDA Pro, I quickly learned that it registered a device under \Device\Searchme and handled four IOCTLs using the Buffered I/O communication scheme:

- 0x222000 – allocates an empty object from PagedPool, saves it in a global array and returns its address to the caller,
- 0x222004 – frees a previously allocated object,
- 0x222008 – adds a pair of (char, uint32) to an existing object,
- 0x22200C – transforms an existing object of type-0 to type-1 in a one-way, irreversible manner.

As IOCTLs #1 and #2 were trivial, the vulnerability had to lurk somewhere in the implementation of #3 or #4. I briefly reverse-engineered the entire code found in the driver (with the help of Redford and implr) to get a grasp of its functionality, rename symbols and fix data types. It was clear that the driver maintained a hash map associating textual strings with lists of numeric values, and that some type of binary data structure was involved in type-1 objects, but I still didn’t fully understand the underlying purpose of the code (it later turned out to be binary interpolative code).
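As an added example (not part of the original write-up), the four searchme.sys control codes listed above can be split into their CTL_CODE fields to confirm that every request really is METHOD_BUFFERED; the short purpose strings are my own labels, and the decoding only uses the public CTL_CODE layout.

```python
# Added example: decode the searchme.sys IOCTL codes from the write-up.
# Windows builds a control code as
#   CTL_CODE(DeviceType, Function, Method, Access) =
#       (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
# so the transfer method is the two low bits and is readable from the raw value.

FILE_DEVICE_UNKNOWN = 0x22  # device type commonly used by third-party drivers

METHOD_NAMES = {
    0: "METHOD_BUFFERED",    # I/O manager copies in/out via Irp->AssociatedIrp.SystemBuffer
    1: "METHOD_IN_DIRECT",   # output buffer described by an MDL
    2: "METHOD_OUT_DIRECT",  # output buffer described by an MDL
    3: "METHOD_NEITHER",     # driver gets raw user pointers and must probe them itself
}

ACCESS_NAMES = {
    0: "FILE_ANY_ACCESS",
    1: "FILE_READ_ACCESS",
    2: "FILE_WRITE_ACCESS",
    3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS",
}

def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Mirror of the CTL_CODE macro from the Windows DDK headers."""
    return (device_type << 16) | (access << 14) | (function << 2) | method

def decode_ioctl(code: int) -> dict:
    """Split a 32-bit control code into its four fields."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": ACCESS_NAMES[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHOD_NAMES[code & 0x3],
    }

# Codes from the searchme.sys IOCTL table, in the order the write-up lists them
# (purpose labels are mine, paraphrasing the write-up).
SEARCHME_IOCTLS = {
    0x222000: "allocate object",
    0x222004: "free object",
    0x222008: "add (char, uint32) pair",
    0x22200C: "convert type-0 object to type-1",
}

def all_buffered(codes=SEARCHME_IOCTLS) -> bool:
    """True if every code uses METHOD_BUFFERED: the driver then only sees a kernel-owned
    copy in SystemBuffer, and any length check against InputBufferLength/OutputBufferLength
    is the driver's own responsibility (the I/O manager does not validate the contents)."""
    return all(decode_ioctl(c)["method"] == "METHOD_BUFFERED" for c in codes)

if __name__ == "__main__":
    for code, purpose in SEARCHME_IOCTLS.items():
        f = decode_ioctl(code)
        print(f"0x{code:06X}  func=0x{f['function']:03X}  {f['method']:<16} {purpose}")
```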
