EXETOOLS FORUM  

  #1  
Old 03-11-2017, 12:03
TechLord
VIP
Load and Execute unsigned code into kernel in Windows 10x64

Load and execute unsigned code into the kernel of the latest Windows 10 (x64) with the help of a VMware Workstation Pro/Player design flaw:

Description from the site:

Quote:
It is well known, however in case you are not familiar, a few words about the Workstation "hypervisor":

It is located inside the vmware-vmx.exe resources as ELF executables. Those ELFs from usermode resources are manually loaded into kernelmode using the helper driver vmx86.sys. Communication between vmware-vmx.exe and vmx86.sys is performed using DeviceIoControls. One of those controls is VMX86_RUN_VM; it is executed from "vmware-vmx:VMLoader", and the vmx86.sys handler for this IOCTL invokes, in kernelmode, unverified functions delivered from usermode.

So by simply overwriting one function (Host64ToVmm) it is possible to execute our code in kernelmode.

(after a quick check it seems that the hypervisor for the Workstation family is loaded the same way on macOS and Linux)

(.text:0000000140007523 FF D2 call rdx) When this call is made, the environment is already partially set up for the hypervisor, creating some limitations; to bypass this, the PoC redirects the return address of the upper function, making payload execution much more comfortable.

For an admin user, injecting code into vmware-vmx.exe is as simple as: OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread (w/o elevation)

bonus: For a limited (standard) user it isn't so easy, because when the vmware-authd service creates the vmware-vmx process it sets a higher integrity level. The vmware-vmx process uses SetDefaultDllDirectories, SetSearchPathMode and SetDllDirectoryW, mitigating simple DLL hijacking. However, vmware-authd doesn't sanitize local environment variables when creating the child vmware-vmx process, so it is possible to set the local variable SystemRoot to point to a controlled directory. As it turns out, some of the DLL dependencies will be loaded from that controlled directory (mswsock.dll is used in the PoC).

VMware was contacted regarding this; as a result the issue was addressed in security advisory VMSA-2017-0003 (CVE-2017-4898).

x64 PoC testing environment:

i7 2xxx, Windows 10 x64 (1607) HOME, VMware Workstation Full 12.5.2, VMware Workstation Player 12.5.1
i5 6xxxU, Windows 10 x64 (insider 15002, 15025) PRO, VMware Workstation Full 12.5.2, VMware Workstation Player 12.5.1

binary: Please keep in mind it is a messy, barely tested PoC, so on other configurations it can potentially cause a BSOD, system instability or even brick a limited user account. So I don't take responsibility for any damage. You should only use it if you really know what you are doing.

*It is a fast and messy PoC, therefore I've used hooks inside vmware-vmx, with the proper execution chain and thread context, instead of building the malicious request myself.

**Quite frankly, I do understand the VMware Workstation design: simply, it was designed years before Microsoft thought of signing drivers. What is interesting now is that MS signed that driver, since as of Windows 10 (1607) (fresh installations with Secure Boot) drivers also need to be signed by Microsoft (Dev Portal). Microsoft made that change to make the OS supposedly more secure; when vmx86.sys loads into kernelmode code that isn't validated anyway, IMO this whole security model goes out of the window(s).
Link to SOURCE CODE HERE and ORIGINAL SITE HERE.
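As an added example (not code from the post or from VMware), the child-process environment sanitization that the quoted description says vmware-authd lacked, plus an audit helper that flags loader-relevant variables pointing outside system directories; the variable list and the allowed roots are assumptions.

```python
"""Added example (not the post's or VMware's code): sanitizing the environment a
privileged service passes to its child, the mitigation the quoted text says
vmware-authd lacked, plus an audit helper.  Names and roots are assumptions."""
import ntpath

# Variables the Windows loader consults when resolving DLLs (assumed set).
LOADER_VARS = ("SystemRoot", "windir", "PATH", "ComSpec")
PROTECTED = {v.upper() for v in LOADER_VARS}  # env names are case-insensitive

def is_under(path, root):
    """True if `path` equals `root` or lies inside it (case-insensitive)."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root)).rstrip("\\")
    return p == r or p.startswith(r + "\\")

def sanitize_child_env(untrusted_env, trusted_env):
    """Environment block for a higher-integrity child: loader-relevant variables
    always come from `trusted_env` (the service's own); caller-supplied values
    for them are dropped and reported.  Returns (clean_env, [(name, value)])."""
    trusted = {k.upper(): (k, v) for k, v in trusted_env.items()}
    clean, rejected = {}, []
    for name, value in untrusted_env.items():
        key = name.upper()
        if key in PROTECTED:
            # Never take the caller's value; report it if it differs from ours.
            if key not in trusted or trusted[key][1] != value:
                rejected.append((name, value))
            continue
        clean[name] = value
    for key, (name, value) in trusted.items():
        if key in PROTECTED:
            clean[name] = value  # trusted value wins, even if caller omitted it
    return clean, rejected

def suspicious_loader_vars(env, allowed_roots=(r"C:\Windows", r"C:\Program Files",
                                               r"C:\Program Files (x86)")):
    """Audit a running process's environment: loader-relevant variables (or PATH
    entries) not under an allowed root, e.g. SystemRoot inside a user profile."""
    hits = []
    for name, value in env.items():
        if name.upper() not in PROTECTED:
            continue
        entries = value.split(";") if name.upper() == "PATH" else [value]
        for entry in entries:
            if entry and not any(is_under(entry, root) for root in allowed_roots):
                hits.append((name, entry))
    return hits
```

Run `suspicious_loader_vars` over the environment of an already running child (as read from a process inspector) to spot the SystemRoot redirection described above, and `sanitize_child_env` in the service before it calls its process-creation API.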
  #2  
Old 03-12-2017, 16:30
deepzero
VIP
Isn't this why Virtualbox takes immense measures to prevent DLL injection in their VM processes? I wonder if this was the last we heard from VMWare regarding these types of problems...