Remove syscall hook from BlueKeep payload #12553

Merged: 1 commit merged into rapid7:master on Nov 11, 2019

Conversation

zerosum0x0 (Contributor) commented Nov 9, 2019

This removes all syscall hooking code from the BK payload. Syscall hooking is only needed to lower DISPATCH_LEVEL; however, sleepya pointed out that the BK call [rax] gadget happens at PASSIVE_LEVEL. This avoids needing to bypass Meltdown KVA shadow as well. Overall reliability in the wild improves immensely, as targets WITH the Meltdown patch are a common scenario.

Note when testing that there are pre-existing bugchecks 0xa and 0x3b because the resource lock at fake_channel+0x18 is part of the allocation header (not directly under our control like the call gadget). It may be possible to make that code path attacker controlled, but it will require some digging. For another time...

Edit: The Meltdown announcement was in Jan 2018, but I'm not sure exactly when the Meltdown fix code was put in place. Looks like possibly Nov 2017ish. Certainly after Jan 2018; I tested 2010 and 2019 kernels.

Verification

  • Start msfconsole
  • use cve_2019_0708_bluekeep_rce
  • Verify shell poppage on PRE Meltdown patch ntoskrnl
  • Verify shell poppage on POST Meltdown patch ntoskrnl
wvu-r7 self-assigned this Nov 11, 2019
wvu-r7 added a commit that referenced this pull request Nov 11, 2019
wvu-r7 merged commit 01d84c5 into rapid7:master Nov 11, 2019
3 checks passed
  • Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
  • Metasploit Automation - Test Execution: Successfully completed all tests.
  • continuous-integration/travis-ci/pr: The Travis CI build passed
wvu-r7 (Contributor) commented Nov 11, 2019

Release Notes

This removes the syscall hooking in the BlueKeep exploit, adapting it for targets with the Meltdown patch installed.

msjenkins-r7 added a commit that referenced this pull request Nov 11, 2019
