tandasat / ExploitCapcom

This is a standalone exploit for a vulnerable feature in Capcom.sys
MIT License

Broken on Windows 10 x64 Build 19042 (20H2) #3

Closed ghost closed 3 years ago

ghost commented 3 years ago

Could you add support for Windows 10 x64 Build 19041 (20H2) version please?

tandasat commented 3 years ago

Thanks for reporting the issue. I am not going to address this. However, in case anyone is interested, here are the technical details and a possible fix.

Symptoms

The system reliably crashes on execution of ExploitCapcom.exe.

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffb1089ab30ed0, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8046e500631, If non-zero, the instruction address which referenced the bad memory
    address.
Arg4: 0000000000000002, (reserved)

Debugging Details:
------------------

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 2812

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 364541

    Key  : Analysis.Init.CPU.mSec
    Value: 6827

    Key  : Analysis.Init.Elapsed.mSec
    Value: 1578046

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 114

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1

BUGCHECK_CODE:  50

BUGCHECK_P1: ffffb1089ab30ed0

BUGCHECK_P2: 0

BUGCHECK_P3: fffff8046e500631

BUGCHECK_P4: 2

READ_ADDRESS:  ffffb1089ab30ed0 Special pool

MM_INTERNAL_CODE:  2

IMAGE_NAME:  Capcom.sys

MODULE_NAME: Capcom

FAULTING_MODULE: fffff8046e500000 Capcom

PROCESS_NAME:  ExploitCapcom.exe

TRAP_FRAME:  ffffc1021d746f70 -- (.trap 0xffffc1021d746f70)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=b3ff1f4d5ab70000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8046e500631 rsp=ffffc1021d747100 rbp=0000000000000000
 r8=ffffb1089ab01040  r9=0000000000000000 r10=ffffb10894815160
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na pe nc
Capcom+0x631:
fffff804`6e500631 mov     eax,dword ptr [rbx+30h] ds:00000000`00000030=????????
Resetting default scope

STACK_TEXT:  
ffffc102`1d746518 fffff804`6f72f382     : ffffc102`1d746680 fffff804`6f599670 fffff804`6e500000 00000000`00000000 : nt!DbgBreakPointWithStatus
ffffc102`1d746520 fffff804`6f72e966     : fffff804`00000003 ffffc102`1d746680 fffff804`6f627d10 ffffc102`1d746bd0 : nt!KiBugCheckDebugBreak+0x12
ffffc102`1d746580 fffff804`6f612eb7     : 00000000`00000000 00000000`00000000 ffffb108`9ab30ed0 ffffb108`9ab30ed0 : nt!KeBugCheck2+0x946
ffffc102`1d746c90 fffff804`6f63bd01     : 00000000`00000050 ffffb108`9ab30ed0 00000000`00000000 ffffc102`1d746f70 : nt!KeBugCheckEx+0x107
ffffc102`1d746cd0 fffff804`6f429960     : ffffb108`94815160 00000000`00000000 ffffc102`1d746ff0 00000000`00000000 : nt!MiSystemFault+0x1f44f1
ffffc102`1d746dd0 fffff804`6f620f5e     : ffffb108`9ab30e00 00000000`00000001 00000000`00000000 ffffc102`1d747010 : nt!MmAccessFault+0x400
ffffc102`1d746f70 fffff804`6e500631     : 00000205`d1f90008 ffffb108`9be6cb10 00000000`00400000 00000000`00000000 : nt!KiPageFault+0x35e
ffffc102`1d747100 fffff804`6f58a4f7     : ffffb108`9ab30fb8 fffff804`6fbeb1ae ffffb108`00000001 ffffb108`00000000 : Capcom+0x631
ffffc102`1d747140 fffff804`6fbdef1a     : ffffb108`9ab30ea0 ffffb108`9be6cb10 00000000`20206f49 00000000`00000000 : nt!IopfCallDriver+0x53
ffffc102`1d747180 fffff804`6f64bdb9     : ffffb108`9ab30ea0 00000000`00000002 00000000`00000028 ffffb108`9c5e4470 : nt!IovCallDriver+0x266
ffffc102`1d7471c0 fffff804`6f81a928     : ffffc102`1d747540 ffffb108`9ab30ea0 00000000`00000001 ffffc102`1d747540 : nt!IofCallDriver+0x1dbeb9
ffffc102`1d747200 fffff804`6f81a1f5     : 00000000`aa013044 ffffc102`1d747540 00000000`00000000 ffffc102`1d747540 : nt!IopSynchronousServiceTail+0x1a8
ffffc102`1d7472a0 fffff804`6f819bf6     : 00000205`d1f90000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x5e5
ffffc102`1d7473e0 fffff804`6f6247b5     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtDeviceIoControlFile+0x56
ffffc102`1d747450 00007ffe`cdb0ccf4     : 00007ffe`cb6eac3b 000000a5`e7cffbe8 00007ff6`e0270220 00007ff6`e0270220 : nt!KiSystemServiceCopyEnd+0x25
000000a5`e7cffb88 00007ffe`cb6eac3b     : 000000a5`e7cffbe8 00007ff6`e0270220 00007ff6`e0270220 00000000`0000000a : ntdll!NtDeviceIoControlFile+0x14
000000a5`e7cffb90 00007ffe`cd595611     : 00000000`aa013044 00007ff6`e0233d59 0000ce64`9a6c9c3e 00007ff6`e0270220 : KERNELBASE!DeviceIoControl+0x6b
000000a5`e7cffc00 00007ff6`e02312b9     : 00000205`d1f90008 00000000`00001000 000000a5`e7cffd50 00000205`d1f90000 : KERNEL32!DeviceIoControlImplementation+0x81
000000a5`e7cffc50 00000205`d1f90008     : 00000000`00001000 000000a5`e7cffd50 00000205`d1f90000 000000a5`e7cffcbc : ExploitCapcom+0x12b9
000000a5`e7cffc58 00000000`00001000     : 000000a5`e7cffd50 00000205`d1f90000 000000a5`e7cffcbc 00000000`00000004 : 0x00000205`d1f90008
000000a5`e7cffc60 000000a5`e7cffd50     : 00000205`d1f90000 000000a5`e7cffcbc 00000000`00000004 000000a5`e7cffcb8 : 0x1000
000000a5`e7cffc68 00000205`d1f90000     : 000000a5`e7cffcbc 00000000`00000004 000000a5`e7cffcb8 00000000`00000000 : 0x000000a5`e7cffd50
000000a5`e7cffc70 000000a5`e7cffcbc     : 00000000`00000004 000000a5`e7cffcb8 00000000`00000000 00000205`d1fb07b0 : 0x00000205`d1f90000
000000a5`e7cffc78 00000000`00000004     : 000000a5`e7cffcb8 00000000`00000000 00000205`d1fb07b0 00000000`00000020 : 0x000000a5`e7cffcbc
000000a5`e7cffc80 000000a5`e7cffcb8     : 00000000`00000000 00000205`d1fb07b0 00000000`00000020 00000000`25fffb90 : 0x4
000000a5`e7cffc88 00000000`00000000     : 00000205`d1fb07b0 00000000`00000020 00000000`25fffb90 00007ff6`e0231450 : 0x000000a5`e7cffcb8

SYMBOL_NAME:  Capcom+631

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  631

FAILURE_BUCKET_ID:  AV_VRF_R_INVALID_Capcom!unknown_function

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {ce2ffabd-ba6a-e0ed-877b-b869e90b5ec8}

Followup:     MachineOwner
---------

Root Cause

The problem is that Capcom.sys's IOCTL handling is broken, in that it uses the IRP after IofCompleteRequest. Here is the relevant code.

  // ..
  IofCompleteRequest(Irp, 0);
  return Irp->IoStatus.Status;   // Irp is freed
}

It should have just been returning NTSTATUS from a local variable.

This bug has nothing to do with the shell code implemented in this project. As long as the IOCTL is issued, it will hit the issue and cause the system to crash.

Fix

We should be able to "fix" this issue through shell code, for example, by patching the problematic code, since the shell code is already running at CPL0.

I am not going to work on this as I do not see the value of weaponizing this (over the time I would need for it). If anyone wants to submit a PR for this issue, I am not against it. I am going to close this issue as "Will Not Fix" and update the README.md to highlight this issue.
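A self-contained illustration of the root cause described above, added here and not part of the ExploitCapcom project or Capcom.sys: the buggy dispatch pattern (reading Irp->IoStatus.Status after IofCompleteRequest, consistent with the faulting `mov eax,dword ptr [rbx+30h]` in the dump) beside the correct pattern that returns a local NTSTATUS. The WDK types and `IofCompleteRequest_mock` are minimal stand-ins constructed for this example; the mock poisons the IRP instead of freeing it so the use-after-completion read is observable rather than undefined behaviour, mimicking what Driver Verifier's special pool exposes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-ins for the WDK types used by the snippet above (constructed
 * for this example; not the real ntddk.h definitions). */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
typedef struct _IO_STATUS_BLOCK { NTSTATUS Status; uintptr_t Information; } IO_STATUS_BLOCK;
typedef struct _IRP { IO_STATUS_BLOCK IoStatus; } IRP, *PIRP;

/* Emulates what Driver Verifier's special pool makes visible: once the IRP is
 * completed its memory no longer belongs to the driver and is filled with a
 * poison pattern. The real kernel frees the IRP; here it stays allocated so
 * the "use after completion" read is observable instead of undefined. */
#define POISON 0xAA
static void IofCompleteRequest_mock(PIRP Irp, int PriorityBoost) {
    (void)PriorityBoost;
    memset(Irp, POISON, sizeof(*Irp));
}

/* The pattern the issue describes: the IRP is dereferenced after completion. */
NTSTATUS DispatchIoctl_Buggy(PIRP Irp) {
    Irp->IoStatus.Status = STATUS_SUCCESS;
    IofCompleteRequest_mock(Irp, 0);
    return Irp->IoStatus.Status;   /* reads the completed (freed) IRP */
}

/* Correct pattern: capture the status in a local before completing the IRP
 * and never touch the IRP afterwards. */
NTSTATUS DispatchIoctl_Fixed(PIRP Irp) {
    NTSTATUS status = STATUS_SUCCESS;
    Irp->IoStatus.Status = status;
    IofCompleteRequest_mock(Irp, 0);
    return status;
}

/* Runs one dispatch routine against a fresh mock IRP and returns its result. */
NTSTATUS run_dispatch(NTSTATUS (*dispatch)(PIRP)) {
    PIRP irp = calloc(1, sizeof(*irp));
    NTSTATUS st = dispatch(irp);
    free(irp);
    return st;
}
```

With the real kernel the buggy routine's read lands on freed (under Driver Verifier, special-pool) memory, which is the PAGE_FAULT_IN_NONPAGED_AREA shown above; the mock makes the same defect show up as a poisoned return value.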

kkent030315 commented 3 years ago

I'm interested in this issue and I would ask which version(s) are affected? The title says 20H2 19042 but @KevinF4 says 20H2 19041.

Also I'm trying to reproduce this issue on the following version:

but had no problems. Can't reproduce so far.

I can make changes for this bug and submit a pull request if @tandasat is OK with it. Thank you.

tandasat commented 3 years ago

Try enabling Driver Verifier for any driver. I was able to repro the issue while DV was enabled for another driver and successfully exploited the bug when DV was NOT enabled. The ntoskrnl.exe version was 10.0.19041.906 but that probably does not really matter.

If that's the condition to trigger the bug, that would mean the exploit is not completely broken. Anyway, if you are able to reproduce the issue, test the "fix", then I can review and merge the PR if the PR looks good.

kkent030315 commented 3 years ago

Thanks for the information, I can now reproduce the issue while DV is enabled.

If that's the condition to trigger the bug, that would mean the exploit is not completely broken

Agreed.