Windows Kernel Shellcode on Windows 10 – Part 3

This blog post is the third in the series on Windows kernel shellcode and rounds off the methods described by Cesar Cerrudo at Black Hat in 2012. You can find part 1 here and part 2 here. This time we focus on the privileges in the process token.

The same assumptions as in the previous blog posts apply here, that being the exploit as gained arbitrary kernel mode code execution and we can handcraft the assembly code to run. I do not see this technique used very much even though it is quite neat. The idea is to locate the token of the cmd.exe process, or whichever process should gain elevated privileges, and modify the enabled privileges.

Looking at the structure of a Token object we find:

77519-img.png

The _SEP_TOKEN_PRIVILEGES structure is located at offset 0x40 just as Cesar explained. Looking deeper we find:

3a6d1-img.png

Still the exact same layout, so the background for this technique has not changed at all. We have to modify offset 0x48 in the process token to enable the privileges of said process.

The Shellcode

We begin in the same way as the previous two times, by locating the KTHREAD from the GS register, and then the EPROCESS at offset 0x220 from the KTHREAD:

15673-img.png

Since I want to enable the privileges on the parent process, which is cmd.exe when I launch the exploit from a stand-alone binary, I find the EPROCESS of cmd.exe next. This is done by remembering from the first blog post in the series that the PID of the parent process is located at offset 0x3E0 in the EPROCESS:

43538-img.png

Once we have the EPROCESS we find the pointer to the token at offset 0x358 and remember that it is a fast reference, so the lower 4 bits should be ignored. Then we change the value at offset 0x48 to enable all the privileges we want:

2fcbf-img.png

Running the shellcode gets the following output from whoami /all:

ad34d-img.png

Only the privileges which are present are listed, even though we have enabled many more. When we start a child process it inherits the privileges of the parent process, meaning if we start an application which injects code into a privileged process like winlogon.exe we can create a new SYSTEM integrity cmd.exe:

03e53-img.png

We can of cause do many more things with the privileges available. The complete assembly code can be found on GitHub here.

That concludes this blog post, the summary should be that the ideas and techniques which Cesar Cerrudo presented back in 2012 still work, with some modifications, in 2017.