ATTACKING WINDOWS BY WINDOWS - Black Hat Briefings


Attacking Windows by Windows
Yin Liang & Zhou Li, Tencent PC Manager

Outline
- About us
- How to exploit old Windows OS
- Windows 10's limit
- New exploit method

About us
Team members: xin, godz, ki, michael, kelvin, willj
Achievements: Attacking Adobe Flash in Pwn2Own 2016; Attacking Surface Pro 4 in GeekPwn Macao

46 acknowledgments!

How to exploit?
Q1: Where to write?
Q2: What to write?
Q3: What can we do now?

Old days.
Q1: Where to write? nt!HalDispatchTable
Q2: What to write? Userland shellcode address
Q3: What can we do now? Call through nt!HalDispatchTable

Now. Forbidden for low integrity users; SMEP (userland shellcode is no longer executable from the kernel).

Where to write?

Shared section: win32k!gSharedInfo.aheList (kernel space) is mapped into userland as user32!gSharedInfo.aheList. Both are arrays of HANDLEENTRY:
  0x000 phead
  0x008 pOwner
  0x010 bType
  0x011 bFlags
  0x012 wUniq

What to write?

Basic object: Window

typedef struct tagWNDCLASSW {
    ...
    LPCWSTR lpszClassName;
} WNDCLASSW, *PWNDCLASSW;

HWND WINAPI CreateWindowExW(
    __in DWORD dwExStyle,
    __in_opt LPCWSTR lpClassName,
    __in_opt LPCWSTR lpWindowName,
    __in DWORD dwStyle,
    __in int X,
    __in int Y,
    __in int nWidth,
    __in int nHeight,
    __in_opt HWND hWndParent,
    __in_opt HMENU hMenu,
    __in_opt HINSTANCE hInstance,
    __in_opt LPVOID lpParam);

tagWND layout:
  0x000 head
  0x058 spwndParent
  0x090 lpfnWndProc
  0x0d8 strName
  0x0e8 cbwndExtra
  sizeof(tagWND): Window Extra Data follows the structure

Window Extra Data
Two APIs:
LONG WINAPI SetWindowLongW(HWND hWnd, int nIndex, LONG dwNewLong);
LONG WINAPI GetWindowLongW(HWND hWnd, int nIndex);
The extra data starts at offset sizeof(tagWND) (after 0x000 head, 0x058 spwndParent, 0x090 lpfnWndProc, 0x0d8 strName, 0x0e8 cbwndExtra) and is cbwndExtra bytes long. nIndex selects a LONG inside it, from 0 up to cbwndExtra - 4.

Normal case: cbwndExtra = 0x8
Hex: 0x8
Bin: 0000 0000 0000 0000 0000 0000 0000 1000 (bit 31 ... bit 15 ... bit 0)
Memory: Window 1 (tagWND) | Extra Data (0x8 bytes at sizeof(tagWND)) | Other objects | Window 2

If we change a bit (bit 31):
Bin: 1000 0000 0000 0000 0000 0000 0000 1000
Hex: 0x80000008, so cbwndExtra = 0x80000008
Memory: Window 1 (tagWND) | Extra Data now 0x80000008 bytes, reaching over the other objects and Window 2

What can we do now?

Read from anywhere
Two APIs:
LONG WINAPI SetWindowLongW(HWND hWnd, int nIndex, LONG dwNewLong);
int WINAPI InternalGetWindowText(HWND hWnd, LPWSTR lpString, int nMaxCount);
Window1 (0x0e8 cbwndExtra = 0x80000008): its extra data reaches over the other objects into Window2.
① SetWindowLong(Window1): through Window1's extra data, rewrite Window2's strName (0x0d8): 0x000 Length = 0x8, 0x004 MaximumLength = 0x8, 0x008 Buffer = 0xFFFFF800`02A4C000 (kernel memory)
② InternalGetWindowText(Window2): the window text is copied out of that Buffer, so kernel memory is read

Write to anywhere
Two APIs:
LONG WINAPI SetWindowLongW(HWND hWnd, int nIndex, LONG dwNewLong);
BOOL NtUserDefSetText(HWND hWnd, PLARGE_STRING pstrText);
Window1 (0x0e8 cbwndExtra = 0x80000008): its extra data reaches over the other objects into Window2.
① SetWindowLong(Window1): through Window1's extra data, rewrite Window2's strName (0x0d8): 0x000 Length = 0x8, 0x004 MaximumLength = 0x8, 0x008 Buffer = 0xFFFFF800`02A4C000 (kernel memory)
② NtUserDefSetText(Window2): the new window text is written into that Buffer, so kernel memory is written

Steal SYSTEM token
My Window (tagWND): 0x000 head, 0x010 pti -> pti (tagTHREADINFO): 0x000 pEThread -> My Thread (KTHREAD): 0x220 Process -> My Proc (EPROCESS): 0x358 Token
My Window 0x058 spwndParent -> Desktop Window (tagWND): 0x010 pti -> pti (tagTHREADINFO): 0x000 pEThread -> csrss.exe thread: 0x220 Process -> csrss.exe (SYSTEM): 0x358 Token
Steal: copy csrss.exe's Token over My Proc's Token

Real case: CVE-2016-0174
① Load a font to create a PFFOBJ
② Free the PFFOBJ
③ Replace the freed object with a tagWND (rax now points into it)
④ Free the font
⑤ or dword ptr [rax+0Ch], 2
rax points to offset 0x0DF, so rax+0Ch lands on byte 0xEB, the top byte of cbwndExtra (bytes 0xE8, 0xE9, 0xEA, 0xEB):
Bin before: 0000 0000 0000 0000 0000 0000 0000 0000
Bin after:  0000 0010 0000 0000 0000 0000 0000 0000
cbwndExtra: 0 -> 0x2000000

Pwn2Own 2016 Flash

Other cases
dec dword ptr [rax] (rax at 0xE8, the dword 0xE8..0xEB):
Bin before: 0000 0000 0000 0000 0000 0000 0000 0000
Bin after:  all bits set (FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF)
cbwndExtra: 0 -> -1 (0xFFFFFFFF)
inc dword ptr [r10+8] (r10+8 at 0xEB):
Bin before: 0000 0000 0000 0000 0000 0000 0000 0000
Bin after:  0000 1000 0000 0000 0000 0000 0000 0000
cbwndExtra: 0 -> 0x8000000

How to exploit, 0 -> 1
Q1: Where to write? tagWND.cbwndExtra
Q2: What to write? A big value
Q3: What can we do now? Read from anywhere; write any value to anywhere; steal csrss.exe's token

1 -> 0

The function: CVE-2016-3355

DWORD NtGdiGetFontUnicodeRanges(HDC hdc, LPGLYPHSET lpgs)
{
    DWORD PreSize;
    DWORD PosSize;
    DWORD ReturnSize;
    PVOID pTmpBuf;

    ReturnSize = 0;
    PreSize = GreGetFontUnicodeRanges(hdc, 0);               // ① get ranges size
    if (PreSize && lpgs)
    {
        pTmpBuf = AllocFreeTmpBuffer(PreSize);               // ② allocate a temp buffer
        if (pTmpBuf)
        {
            PosSize = GreGetFontUnicodeRanges(hdc, pTmpBuf); // ③ get ranges with buffer
            if (PosSize && PreSize == PosSize)
            {
                ProbeAndWriteBuffer(lpgs, pTmpBuf, PreSize); // ④ copy to user
                ReturnSize = PreSize;
            }
            FreeTmpBuffer(pTmpBuf);                          // ⑤ free temp buffer
        }
    }
    return ReturnSize;
}

The problem: two threads
Thread B: ① selects a font with small ranges
Thread A: ① gets the ranges size
Thread A: ② allocates a temp buffer of that size
Thread B: ② selects a font with bigger ranges
Thread A: ③ gets the ranges into the buffer -> overflow
Thread A: ④ copies to user
Thread A: ⑤ frees the temp buffer
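The race above in miniature, as an added example that is not from the talk or from win32k: a constructed model with an unbounded fill (the vulnerable shape of GreGetFontUnicodeRanges) beside a capacity-bounded one, plus a canary region showing that the PreSize == PosSize check rejects the result only after the overflow has already happened. All names here (g_font_ranges, fill_unbounded, fill_bounded, get_ranges) are assumptions of this model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of the pattern above, not win32k code. The selected font is a global
 * a racing thread may swap between size query (①) and fill (③); one range is 4 bytes;
 * CANARY is slack after the PreSize buffer so an overflow is detected, not heap-corrupting. */
static unsigned g_font_ranges;
#define CANARY 64
typedef unsigned (*fill_fn)(unsigned char *buf, size_t cap);
/* Vulnerable stand-in for GreGetFontUnicodeRanges: the font decides the size, the
 * capacity of the buffer it was handed is never consulted. */
static unsigned fill_unbounded(unsigned char *buf, size_t cap)
{
    unsigned need = g_font_ranges * 4;
    (void)cap;
    if (buf) memset(buf, 0xAA, need);
    return need;
}
/* Hardened stand-in: capacity is authoritative; a font that grew is reported, never written. */
static unsigned fill_bounded(unsigned char *buf, size_t cap)
{
    unsigned need = g_font_ranges * 4;
    if (buf && need <= cap) memset(buf, 0xAA, need);
    return need;
}
/* Steps ①-⑤ of the syscall. racer != 0 simulates thread B selecting a font with that
 * many ranges inside the window. Returns the bytes handed to the caller (0 = rejected
 * by the PreSize == PosSize check); *corrupted = 1 if bytes past PreSize were written. */
static unsigned get_ranges(fill_fn fill, unsigned start, unsigned racer, int *corrupted)
{
    unsigned ret = 0;
    g_font_ranges = start;
    unsigned pre = fill(NULL, 0);                   /* ① get ranges size */
    unsigned char *tmp = calloc(pre + CANARY, 1);   /* ② allocate temp buffer */
    if (!tmp) return 0;
    if (racer) g_font_ranges = racer;               /* thread B wins the race */
    unsigned pos = fill(tmp, pre);                  /* ③ get ranges with buffer */
    if (pos && pos == pre) ret = pre;               /* ④ copy to user: check comes too late */
    *corrupted = tmp[pre] != 0;                     /* anything written past the buffer? */
    free(tmp);                                      /* ⑤ free temp buffer */
    return ret;
}
/* One-value wrappers so each outcome can be checked on its own. */
static unsigned bytes_returned(fill_fn f, unsigned s, unsigned r) { int c; return get_ranges(f, s, r, &c); }
static int canary_hit(fill_fn f, unsigned s, unsigned r) { int c; get_ranges(f, s, r, &c); return c; }
int main(void)
{
    printf("raced: unbounded overflow=%d, bounded overflow=%d\n", canary_hit(fill_unbounded, 4, 8), canary_hit(fill_bounded, 4, 8));
    return 0;
}
```

With the bounded fill the size mismatch is still reported and the call still fails, but the temp buffer is never written past its capacity; the real fix is the same shape: the second call must receive the buffer size, not just the buffer.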

My exploit
① Create a memory font
② Create two threads
③ Do the race condition job
④ Overflow
⑤ and dword ptr [r15], 0FFFFFFFBh
Hex: 0xFFFFFFFB
Bin: 1111 ... 1111 1111 1011 (bit positions 31 ... 3 2 1 0: only bit 2 is cleared)

My exploit
Length? 0x4 / 0x0, 0x14 / 0x10
Flag? 1: kd> dt win32k!tagWND shows 1-bit fields at bit position 2:
  0x014 bHasHorizontalScrollbar : Pos 2, 1 Bit
  0x018 bStartPaint : Pos 2, 1 Bit
  0x01c bWS_EX_NOPARENTNOTIFY : Pos 2, 1 Bit
  0x0ac bRedirectedForPrint : Pos 2, 1 Bit
Type? TYPE_CLIPDATA (6), TYPE_MENU (2), TYPE_MONITOR (0xC), TYPE_ACCELTABLE (0x8), TYPE_KBDFILE (0xE), TYPE_DDECONV (0xA)

The refcount! Win32k object heads:
1: kd> dt win32k!tagWND -b
   0x000 head : THRDESKHEAD
      0x000 h        : Ptr32
      0x004 cLockObj : Uint4B
      0x008 pti      : Ptr32
      0x00c rpdesk   : Ptr32
      0x010 pSelf    : Ptr32
1: kd> dt win32k!tagMENU -b
   0x000 head : PROCDESKHEAD
      0x000 h        : Ptr32
      0x004 cLockObj : Uint4B
      0x008 hTaskWow : Uint4B
      0x00c rpdesk   : Ptr32
      0x010 pSelf    : Ptr32
1: kd> dt win32k!tagMONITOR -b
   0x000 head : HEAD
      0x000 h        : Ptr32
      0x004 cLockObj : Uint4B
Modify cLockObj:
PVOID FASTCALL HMAssignmentLock(PVOID *ppobj, PVOID pobj);
PVOID FASTCALL HMAssignmentUnlock(PVOID *ppobj);
Check cLockObj:
BOOL HMMarkObjectDestroy(PVOID pobj);

Basic object: Menu
Two APIs:
HMENU CreateMenu();
BOOL AppendMenu(HMENU hMenu, UINT uFlags, UINT_PTR uIDNewItem, LPCWSTR lpNewItem);
Menu1 (tagMENU): 0x008 cLockObj, 0x034 cItems = 4, 0x050 rgItems -> 4 tagITEMs (each 0x010 spSubMenu -> Menu2), 0x068 dwMenuData
Menu2 (tagMENU): 0x008 cLockObj = 4 (one lock per spSubMenu reference), 0x034 cItems = 0, 0x050 rgItems = NULL, 0x068 dwMenuData

Make a use-after-free
API: BOOL WINAPI DestroyMenu(HMENU hMenu);
Before: Menu2 (tagMENU) 0x008 cLockObj = 4, 0x034 cItems, 0x050 rgItems, 0x068 dwMenuData
Overflow write: and dword ptr [r15], 0FFFFFFFBh clears bit 2, so cLockObj 4 -> 0
DestroyMenu(Menu2): with cLockObj = 0 the object is freed while Menu1's four spSubMenu pointers still reference it -> freed memory

Take position
Native API: BOOL NtUserDefSetText(HWND hWnd, PLARGE_STRING pstrText);
NtUserDefSetText places the window text (tagWND 0x084 strName: 0x000 Length, 0x004 MaximumLength, 0x008 Buffer) into the freed memory, so the text content becomes a fake tagMENU: 0x008 cLockObj, 0x034 cItems, 0x050 rgItems, 0x068 dwMenuData

Fake tagMENU
Window text (fake tagMENU): 0x008 cLockObj, 0x034 cItems = 1, 0x050 rgItems -> 1 tagITEM (0x010 spSubMenu -> virtual menu), 0x068 dwMenuData
Virtual menu: laid over Window Low (tagWND) so that menu fields fall on window fields:
  menu 0x000 head = NULL    <- tagWND 0x080 rcClient {0}
  menu 0x034 cItems = 0     <- tagWND 0x0b0 pSBInfo
  menu 0x050 rgItems = NULL <- tagWND 0x0d0 hrgnNewFrame NULL
  menu 0x068 dwMenuData     <- tagWND 0x0e8 cbwndExtra

Change the cbwndExtra
API: SetMenuInfo with
MenuInfo.fMask = MIM_MENUDATA | MIM_APPLYTOSUBMENUS;
MenuInfo.dwMenuData = ...;
Menu1 (tagMENU): 0x008 cLockObj, 0x034 cItems = 4, 0x050 rgItems -> 4 tagITEMs, each 0x010 spSubMenu -> window text (fake tagMENU): 0x008 cLockObj, 0x034 cItems = 1, 0x050 rgItems -> 1 tagITEM, 0x010 spSubMenu -> virtual menu over Window Low (tagWND): 0x000 head / 0x080 rcClient, 0x034 cItems = 0 / 0x0b0 pSBInfo, 0x050 rgItems = NULL / 0x0d0 hrgnNewFrame, 0x068 dwMenuData / 0x0e8 cbwndExtra
MIM_APPLYTOSUBMENUS walks the submenus, so dwMenuData is written into the virtual menu, i.e. into Window Low's cbwndExtra

Let's rule them all!

How to exploit, 1 -> 0
Q1: Where to write? tagMENU.cLockObj
Q2: What to write? 0
Q3: What can we do now? Make a UAF; control the pointer; write a big value to tagWND.cbwndExtra

Summary
My exploit: works on all Windows OS; triggers one time; needs one bit; bypasses KASLR; bypasses SMEP

Q&A

