search

stephenfewer / grinder

Grinder is a system to automate the fuzzing of web browsers and the management of a large number of crashes.
BSD 3-Clause "New" or "Revised" License
415 stars 135 forks source link

Grinder for Edge on Win10 #62

Open pyoor opened 8 years ago

pyoor commented 8 years ago

Has anyone got a working stub for Edge on Win10?

hacksysteam commented 8 years ago

@pyoor I will be starting to write one now. Let me see how it works out.

mtowalski commented 8 years ago

@hacksysteam I hope that You will succeed :)

ca0nguyen commented 8 years ago

Latest Edge come with new mitigation that prevent inject unsigned DLL. Grinder logger works only with successful dll injection. This is a problem :(. https://blogs.windows.com/msedgedev/2015/11/17/microsoft-edge-module-code-integrity/

v-p-b commented 8 years ago

Can't you workaround this problem with some leaked code signing certs? (e.g. https://www.duosecurity.com/static/files/DellCertificates.zip)

hacksysteam commented 8 years ago

@v-p-b Nice. But how about self signed certificate and trusting the root CA?

v-p-b commented 8 years ago

@hacksysteam Sounds good! Self-signed might be problematic but registering an internal CA seems like a universal solution.

ca0nguyen commented 8 years ago

I've already tried to add a Root CA and signed the DLL. Windows 10 tells "This digital signature is OK", but still cannot inject to MicrosoftEdgeCP.exe. According to msedgedev blog, Edge uses enforcement in the kernel. Maybe have to look the kernel to see what happening.

hacksysteam commented 8 years ago

@ca0nguyen Quoting from MS Edge blog _"DLLs that are either Microsoft-signed, or WHQL-signed, will be allowed to load, and all others will be blocked." _. I guess we need to dig kernel then.

ca0nguyen commented 8 years ago

@hacksysteam Thanks to point out. I missed that part and took hours to make signtool work. The more challenge now since I don't know much about kernel stuff.

hacksysteam commented 8 years ago

@ca0nguyen Now, that's a good thing. We can now inject grinder_logger in Edge

http://www.sekoia.fr/blog/microsoft-edge-binary-injection-mitigation-overview/

v-p-b commented 7 years ago

@hacksysteam Did you manage to create a PoC for this? If I understand correctly this would require patching LoadLibrary() (with a kernel debugger perhaps?), no configuration option is available, right?

hacksysteam commented 7 years ago

@v-p-b unfortunately no. Currently I'm not fuzzing browsers. But with new mitigations in Edge, it would be hard to run this logger. However, I can not guarantee as I have not tested it.

jessefmoore commented 5 years ago

Can't you workaround this problem with some leaked code signing certs? (e.g. https://www.duosecurity.com/static/files/DellCertificates.zip)

Hi v-p-b, do you have that zip file still? I would like to use them. :-)

jessefmoore commented 5 years ago

DellCertificates.zip

Got it, never mind. https://duo.com/assets/files/DellCertificates.zip