varwara / CVE-2024-35250

PoC for the Untrusted Pointer Dereference in the ks.sys driver
MIT License

Windows server #4

Open benzamir1234 opened 1 month ago

benzamir1234 commented 1 month ago

Hi, is it intended to work on Windows Server as well? When tested on an unpatched server (2019 and 2022), it prints the DRM device handle and then exits without an error message.

zorejt commented 1 month ago

hey buddy, how do I generate the exe??

yonggi0x0 commented 1 month ago

I tried this version on Windows Server and it works. https://github.com/0xjiefeng/CVE-2024-35250-BOF

varwara commented 1 month ago

@benzamir1234 I didn't test it on the Server versions, but Microsoft marks them as vulnerable too. I can only suggest running it under a debugger and looking at what exceptions you catch.

benzamir1234 commented 1 month ago

Hi, thanks for the reply. I did some searching and I think I may know the answer. It seems that ks.sys isn't loaded by default on server versions. Perhaps that is the reason.

varwara commented 1 month ago

@benzamir1234 you mean that this driver is not even present in the system32\drivers folder?

It's loaded by ksthunk.

3: kd> k
 # Child-SP          RetAddr               Call Site
00 ffffaa0c`02779418 fffff801`62fae32b     ks!UnserializePropertySet
01 ffffaa0c`02779420 fffff801`62fad8de     ks!KspPropertyHandler+0x6db
02 ffffaa0c`02779490 fffff801`62fad0f7     ks!KspHandleAutomationIoControl+0xce
03 ffffaa0c`02779530 fffff801`62f65fca     ks!KsDispatchIrp+0xf7
04 ffffaa0c`027795f0 fffff801`5bacb875     ks!CKsDevice::PassThroughIrp+0x6a
05 ffffaa0c`02779630 fffff801`63321415     nt!IofCallDriver+0x55
06 ffffaa0c`02779670 fffff801`63321133     ksthunk!CKernelFilterDevice::DispatchIrp+0xf5
07 ffffaa0c`027796d0 fffff801`5bacb875     ksthunk!CKernelFilterDevice::DispatchIrpBridge+0x13
08 ffffaa0c`02779700 fffff801`5bec2c70     nt!IofCallDriver+0x55
09 ffffaa0c`02779740 fffff801`5bec123c     nt!IopSynchronousServiceTail+0x1d0
0a ffffaa0c`027797f0 fffff801`5bebf516     nt!IopXxxControlFile+0x72c
0b ffffaa0c`02779a00 fffff801`5bc3d1e5     nt!NtDeviceIoControlFile+0x56
0c ffffaa0c`02779a70 00007ffa`55b6eee4     nt!KiSystemServiceCopyEnd+0x25
0d 0000007c`53cffb68 00007ffa`534bbc5b     ntdll!NtDeviceIoControlFile+0x14
0e 0000007c`53cffb70 00007ffa`54b727f1     KERNELBASE!DeviceIoControl+0x6b
0f 0000007c`53cffbe0 00007ff7`6ef21a17     KERNEL32!DeviceIoControlImplementation+0x81
10 0000007c`53cffc30 000001f7`47ade710     CVE_2024_35250+0x1a17

The behavior you described looks like an int3 somewhere. Maybe a page fault in UM or something.

benzamir1234 commented 1 month ago

No, I mean that it's not loaded by default. But ksthunk is there, so I guess that's not the cause.

varwara commented 1 month ago

hey buddy, how do I generate the exe??

If you have the WDK installed, then from the x64 Native Tools Command Prompt for VS 2022:

cl.exe CVE-2024-35250.cpp

Microsoft (R) Incremental Linker Version 14.41.34123.0
Copyright (C) Microsoft Corporation.  All rights reserved.

/out:CVE-2024-35250.exe
CVE-2024-35250.obj

Or just use Visual Studio itself to build a console application.

sec13b commented 1 month ago

C:\Users\test\Desktop\CVE-2024-35250-main>"C:\Program Files\Microsoft Visual Studio\2022\Professional\VC\Tools\MSVC\14.41.34120\bin\Hostx64\x64\cl.exe" CVE-2024-35250.cpp
Microsoft (R) C/C++ Optimizing Compiler Version 19.41.34123 for x64
Copyright (C) Microsoft Corporation.  All rights reserved.

CVE-2024-35250.cpp
CVE-2024-35250.cpp(17): fatal error C1034: Windows.h: no include path set

C:\Users\test\Desktop\CVE-2024-35250-main>
varwara commented 1 month ago

It's easier to use the Developer prompt rather than a regular cmd/terminal. To use cmd you additionally need to set the %LIBPATH%, %LIB% and %INCLUDE% environment variables with all the paths. I recommend using the x64 Native Tools Command Prompt for VS 2022 as mentioned above.

zorejt commented 1 month ago

ohh thx man, I only have VS 2022. btw when I generate the exe, that callback errors with the functiondiscovery.h function not found

sec13b commented 4 weeks ago

Can you upload an exe release?

AbdulWahid-007 commented 4 weeks ago

I have generated the exe, but privilege escalation is not happening.