Rootkitsmm/Win10Pcap-Exploit

Language: C++

git: https://github.com/Rootkitsmm/Win10Pcap-Exploit

Exploit Win10Pcap Driver to enable some Privilege in our process token ( local Privilege escalation )
en_README.md

Win10Pcap-Exploit

credit to

https://twitter.com/R00tkitSMM (firozimaysam@gmail.com) telegram username : https://telegram.me/firozi


Some days ago I found a vulnerability in the Win10Pcap driver that can lead to privilege escalation. I reported the vulnerability and the bug is now fixed:

www.win10pcap.org/download/

So I decided to publish a sample exploit.

Win10Pcap is a new WinPcap-based Ethernet packet capture library.
Unlike the original WinPcap, Win10Pcap is compatible with the NDIS 6.x driver model, so it works stably with Windows 10. Win10Pcap also supports capturing IEEE 802.1Q VLAN tags.


So if you install Wireshark on Windows 10 you need this shit :)


The Win10Pcap kernel-mode driver did not check the virtual addresses passed from user mode: the IOCTL uses METHOD_NEITHER (neither buffered nor direct I/O) without calling ProbeForWrite to validate the passed address.

You need to find the exact device name at runtime to send the IOCTL; a hardcoded device name does not reach the vulnerable code.

The IOCTL handler writes a string to the passed address; the string is something like "Global\WTCAP_EVENT_3889023063_1".

There were many ways to exploit this vulnerability; I decided to set a privilege in the process TOKEN by overwriting _SEP_TOKEN_PRIVILEGES.

Overwriting the token at offset 0x034 with the string "Global\WTCAP_EVENT" can set SeDebugPrivilege without corrupting sensitive fields.

81687cf8 cc              int     3
2: kd> dt nt!_TOken
   +0x000 TokenSource      : _TOKEN_SOURCE
   +0x010 TokenId          : _LUID
   +0x018 AuthenticationId : _LUID
   +0x020 ParentTokenId    : _LUID
   +0x028 ExpirationTime   : _LARGE_INTEGER
   +0x030 TokenLock        : Ptr32 _ERESOURCE
   +0x034 ModifiedId       : _LUID
   +0x040 Privileges       : _SEP_TOKEN_PRIVILEGES
   +0x058 AuditPolicy      : _SEP_AUDIT_POLICY
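To make the missing check concrete, here is an added example (not Win10Pcap's code and not from this repository) that models a METHOD_NEITHER IOCTL handler in plain user-mode C so it can be compiled anywhere: the unprobed shape writes the event-name string through whatever pointer it is handed, while the fixed shape first runs a model of ProbeForWrite and refuses any range that is not entirely user-mode. The addresses (a user page at 0x00400000, a kernel page at 0x81680000 holding a fake token, MmUserProbeAddress at 0x7FFF0000 for x86 without /3GB), the flat two-page memory model and the status codes are assumptions made for the example; the 0x34 offset is the ModifiedId offset from the dt output above.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example (not Win10Pcap's code): a user-mode model of a METHOD_NEITHER
 * IOCTL handler with and without ProbeForWrite. Addresses, the two-page
 * memory model and the status codes are simplifications for this example. */

#define MODEL_USER_PROBE_ADDRESS 0x7FFF0000u   /* x86 MmUserProbeAddress, no /3GB (assumed) */
#define MODEL_USER_BASE          0x00400000u   /* constructed user buffer address */
#define MODEL_KERNEL_BASE        0x81680000u   /* constructed kernel address of a fake _TOKEN */
#define MODEL_REGION_SIZE        0x100u

/* Two tiny "pages": one user, one kernel (the latter holds the fake token). */
static uint8_t model_user_page[MODEL_REGION_SIZE];
static uint8_t model_kernel_page[MODEL_REGION_SIZE];

typedef enum { IO_OK = 0, IO_ACCESS_VIOLATION = 1, IO_MISALIGNED = 2 } io_status;

/* Translate a modeled virtual address to backing storage, or NULL if unmapped. */
static uint8_t *model_translate(uint32_t va, uint32_t len)
{
    if (va >= MODEL_USER_BASE && va + len <= MODEL_USER_BASE + MODEL_REGION_SIZE)
        return model_user_page + (va - MODEL_USER_BASE);
    if (va >= MODEL_KERNEL_BASE && va + len <= MODEL_KERNEL_BASE + MODEL_REGION_SIZE)
        return model_kernel_page + (va - MODEL_KERNEL_BASE);
    return NULL;
}

/* Model of ProbeForWrite(Address, Length, Alignment): the whole range must lie
 * below MmUserProbeAddress and be aligned. The real routine raises an
 * exception; this model returns a status instead. */
static io_status model_probe_for_write(uint32_t va, uint32_t len, uint32_t align)
{
    if (len == 0) return IO_OK;
    if (va % align != 0) return IO_MISALIGNED;
    if (va + len < va || va + len > MODEL_USER_PROBE_ADDRESS) return IO_ACCESS_VIOLATION;
    return IO_OK;
}

/* Sample event name as quoted in the write-up. */
static const char model_event_name[] = "Global\\WTCAP_EVENT_3889023063_1";

/* Vulnerable shape: trust the user-supplied pointer and write through it. */
static io_status handler_unprobed(uint32_t user_va)
{
    uint8_t *dst = model_translate(user_va, sizeof model_event_name);
    if (dst == NULL) return IO_ACCESS_VIOLATION;   /* unmapped: a real driver would bugcheck */
    memcpy(dst, model_event_name, sizeof model_event_name);
    return IO_OK;
}

/* Fixed shape: probe the range first (inside __try/__except in a real driver). */
static io_status handler_probed(uint32_t user_va)
{
    io_status st = model_probe_for_write(user_va, sizeof model_event_name, 1);
    if (st != IO_OK) return st;
    return handler_unprobed(user_va);
}

/* Reset both pages; the fake token gets a recognisable fill pattern. */
static void model_reset(void)
{
    memset(model_user_page, 0, sizeof model_user_page);
    memset(model_kernel_page, 0xAA, sizeof model_kernel_page);
}

/* 1 if the bytes at token offset 0x34 (ModifiedId in the dt output) were changed. */
static int token_corrupted(void)
{
    return model_kernel_page[0x34] != 0xAA;
}

int main(void)
{
    uint32_t token_va = MODEL_KERNEL_BASE + 0x34;

    model_reset();
    printf("unprobed handler: status %d, token corrupted: %d\n",
           handler_unprobed(token_va), token_corrupted());
    model_reset();
    printf("probed handler:   status %d, token corrupted: %d\n",
           handler_probed(token_va), token_corrupted());
    return 0;
}
```

In a real driver the probe runs inside __try/__except because ProbeForWrite raises rather than returns, and the buffer must be touched only under that same handler, since user mode can unmap it between the probe and the write; the probe is the part Win10Pcap omitted, and it is what turns a kernel address into a failed request instead of a token write.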
