
Remove syscall hook from BlueKeep payload #12553

Merged
merged 1 commit into from Nov 11, 2019

Conversation

@ghost commented Nov 9, 2019

This removes all syscall hooking code from BK payload. Syscall hooking is only needed to lower DISPATCH_LEVEL, however sleepya pointed out BK call [rax] gadget happens at PASSIVE_LEVEL. This avoids needing to bypass Meltdown KVA shadow as well. Overall reliability in the wild improves immensely as targets WITH Meltdown patch are a common scenario.

Note when testing there are pre-existing bugchecks 0xa and 0x3b because the resource lock at fake_channel+0x18 is part of the allocation header (not directly under our control like the call gadget). It may be possible to have that code path attacker controlled but it will require some digging. For another time...

Edit: The Meltdown announcement was in Jan 2018, but I'm not sure exactly when Meltdown fix code was put in place. Looks like possibly Nov 2017ish. Certainly after Jan 2018, I tested 2010 and 2019 kernel.

Verification

  • Start msfconsole
  • use cve_2019_0708_bluekeep_rce
  • Verify shell poppage on PRE Meltdown patch ntoskrnl
  • Verify shell poppage on POST Meltdown patch ntoskrnl

@wvu wvu self-assigned this Nov 11, 2019
wvu added a commit that referenced this pull request Nov 11, 2019
@wvu wvu merged commit 01d84c5 into rapid7:master Nov 11, 2019
@wvu (Contributor) commented Nov 11, 2019

Release Notes

Syscall hooking has been removed from the BlueKeep exploit, adapting it for targets with the Meltdown patch installed.

@wvu (Contributor) commented Nov 11, 2019

4f2cab4

@tdoan-r7 tdoan-r7 added the rn-fix release notes fix label Dec 11, 2019