Penetration Testing mailing list archives
Re: Running Ring3 command from Ring0 in Windows?
From: Jun Koi <junkoi2004 () gmail com>
Date: Fri, 5 Jun 2009 12:29:51 +0900
On Fri, Jun 5, 2009 at 7:36 AM, H D Moore <sflist () digitaloffense net> wrote:
> On Wed, 03 Jun 2009 11:39:32 -0500, Jun Koi <junkoi2004 () gmail com> wrote:
>> Hi, I am looking for a way to execute a Ring3 command (for ex, "net user passwd" to change the password of a user) from Ring0 of Windows. The motivation of this is that I can exploit the Windows kernel, and can execute my code there. So far so good. But I am not content with executing in Ring0 only, and want to run some code in Ring3, too. The code can be injected by me, or I just simply run an existing command tool (like cmd.exe).
>>
>> Could anybody recommend any technique to achieve this?
>
> This is what skape's kernel-to-userland injection code does (now part of metasploit). It installs a hook, uses this to find a target process, and copies the userland shellcode into the target process. We use this to run userland payloads through exploited wireless drivers.
>
> Ring0-Ring3 staging:
> http://metasploit.com/svn/framework3/trunk/lib/rex/payloads/win32/kernel/stager.rb
>
> Kernel symbol resolution:
> http://uninformed.org/index.cgi?v=3&a=4&p=10
> http://metasploit.com/svn/framework3/trunk/lib/rex/payloads/win32/common.rb
>
> To run a command, just export a shellcode buffer from msfpayload windows/exec CMD="cmd.exe /c something", and append this to the userland stub.
It is quite clear: we can inject code from kernel to userspace using the stager you pointed out. However, the question remains: after that, how is the shellcode (in userspace) triggered? In the Metasploit method, I imagine that the code is somehow executed later, but I am not sure how it is done. The paper of skape proposes many techniques, so which techniques are implemented in Metasploit?

Many thanks,
J
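As an added illustration (not code from this thread, from skape's paper or from Metasploit's stager.rb): a host-side C model of the control flow of the hook-based staging H D Moore describes. The ring0 payload replaces the dispatch pointer that every process goes through on a system call, so the stub it points at is entered by the next syscall from any process; the stub has to pass foreign processes straight through, and on the first call from the chosen process it unhooks itself, runs the appended userland payload in that process's context, and then completes the call. The target name "lsass.exe", the fake dispatch routine, the caller-name parameter and the payload stub are all constructed stand-ins so the flow can be compiled and run outside a kernel.

```c
/* Host-side model of a kernel-to-userland stager built on a syscall-dispatch
 * hook (constructed example; not kernel code and not Metasploit's stager).
 *
 * Outline of the real technique: the ring0 payload patches the pointer every
 * process uses to enter the kernel, so the next system call from *any*
 * process lands in the attacker's stub. The stub must therefore
 *   1. pass every foreign process straight through, untouched;
 *   2. on the first call from the chosen process, remove the hook so the
 *      payload (which may itself make system calls) runs exactly once;
 *   3. run the appended userland payload in that process's context, then
 *      complete the original system call.
 * Process names, the dispatch pointer and the stand-in service routine below
 * are constructed so the flow can be executed here.
 */
#include <stdio.h>
#include <string.h>

#define TARGET_PROCESS "lsass.exe"   /* assumed target; chosen for illustration */

/* Modelled dispatch routine. In the real thing no caller name is passed:
 * the stub has to identify the process itself (for example from the PEB
 * of the process it is now executing under). */
typedef long (*syscall_entry_t)(int nr, const char *caller);

static syscall_entry_t g_dispatch;          /* the pointer the kernel payload patches */
static syscall_entry_t g_original_dispatch; /* saved so the hook can pass through and unhook */

static int  g_payload_runs;                 /* how many times the userland payload ran */
static char g_payload_process[64];          /* which process it ran in */

/* Stand-in for the real system-service entry: returns something checkable. */
static long original_dispatch(int nr, const char *caller)
{
    (void)caller;
    return (long)nr * 2;
}

/* Stand-in for the appended userland payload (e.g. a windows/exec buffer). */
static void userland_payload(const char *caller)
{
    g_payload_runs++;
    strncpy(g_payload_process, caller, sizeof g_payload_process - 1);
    g_payload_process[sizeof g_payload_process - 1] = '\0';
}

/* The userland stub the kernel payload points the dispatch pointer at. */
static long hooked_dispatch(int nr, const char *caller)
{
    if (strcmp(caller, TARGET_PROCESS) != 0)
        return g_original_dispatch(nr, caller);   /* (1) not our process: pass through */

    g_dispatch = g_original_dispatch;             /* (2) unhook first: runs once, re-entrancy safe */
    userland_payload(caller);                     /* (3) payload runs in the target's context */
    return g_original_dispatch(nr, caller);       /* finish the call the process actually wanted */
}

/* What the ring0 payload does: save the live pointer, replace it with the stub. */
void stager_install_hook(void)
{
    g_original_dispatch = original_dispatch;
    g_dispatch = hooked_dispatch;
}

int stager_hook_installed(void)
{
    return g_dispatch == hooked_dispatch;
}

/* A process issuing system call `nr`: it goes wherever the pointer points. */
long do_syscall(int nr, const char *caller)
{
    if (g_dispatch == NULL)             /* before any hook: plain dispatch */
        g_dispatch = original_dispatch;
    return g_dispatch(nr, caller);
}

int payload_run_count(void)       { return g_payload_runs; }
const char *payload_process(void) { return g_payload_process; }

int main(void)
{
    stager_install_hook();
    do_syscall(7, "explorer.exe");   /* foreign process: passes through, nothing happens */
    do_syscall(3, TARGET_PROCESS);   /* first call from the target: this is the trigger */
    do_syscall(4, TARGET_PROCESS);   /* hook already removed: payload does not run again */
    printf("payload ran %d time(s) in %s; hook still installed: %d\n",
           payload_run_count(), payload_process(), stager_hook_installed());
    return 0;
}
```

The point the model makes about the "how is it triggered" question is that nothing schedules the shellcode explicitly: the target process triggers it itself the next time it enters the kernel, which is why the stub must gate on the process and unhook before running the payload. What the model leaves out, and what the paper and stager.rb have to deal with, is placing the stub and appended payload at an address the target process can actually execute from and reading the process identity without a helpfully passed-in name.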
Current thread:
- Running Ring3 command from Ring0 in Windows? Jun Koi (Jun 03)
- Re: Running Ring3 command from Ring0 in Windows? Jeffrey Walton (Jun 03)
- Re: Running Ring3 command from Ring0 in Windows? H D Moore (Jun 04)
- Re: Running Ring3 command from Ring0 in Windows? Jun Koi (Jun 08)
- Re: Running Ring3 command from Ring0 in Windows? H D Moore (Jun 08)
- Re: Running Ring3 command from Ring0 in Windows? Jun Koi (Jun 08)