-
Notifications
You must be signed in to change notification settings - Fork 13.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
BYOVD to Enable/Disable Windows Memory Protection #15955
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Top-level:
- The module seems to support x86 targets and the compilation configs also create x86 targets, but the offsets and dll seem to only be for x64.
- Debug prints in the cpp file- not adamantly opposed, but we could definitely go without them.
- I want to verify the check logic works for server releases as well as workstation releases.
</PropertyGroup> | ||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> | ||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration"> | ||
<ConfigurationType>DynamicLibrary</ConfigurationType> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did dell release a Win32 version of the driver, and is it vulnerable?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I mean, given this is IOCTL based write-anywhere, it is probably vulnerable, but does the driver exist, are the offsets the same, and do we care?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Apparently you have to hand modify the vcxproject to remove the default Win32 target 🙄 But you can see in the .sln
that the targets are x64 Debug|Release only now.
|
||
namespace | ||
{ | ||
const std::string s_driverHandle("\\\\.\\DBUtil_2_5"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I assume you tested this with the 2.7 version? Were they just a bit sloppy with naming things?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yup, both versions use this handle. 🤷♂️
Is there a link or info on how/where to obtain these drivers? |
Unfortunately, I'm told there is legal concern about distributing the drivers. However, I did link the hashes to VirusTotal in the documentation. If you can't download from VT, the relationships tab can lead you to places like: |
Updated to address some of @bwatters-r7's comments and the things we discussed in module hacking. Specifically:
Based on our conversation, I left the dprintf's in the dll. |
In a quick test, this did not appear to work.... I'm looking to see what's going on now....
|
Looks like you misspelled the file path. |
|
Release NotesThis module leverages a write-what-where condition in DBUtilDrv2.sys version 2.5 or 2.7 to disable or enable LSA protect on a given PID (assuming the system is configured for LSA Protection). The drivers must be provided by the user. |
The Dell driver dbutil_2_3.sys was affected by a local privilege escalation issue due to a write-what-where condition exposed by a few of the driver's IOCTLs. This was assigned CVE-2021-21551. Dell "fixed" this issue by deprecating dbutil_2_3.sys and switching to DBUtilDrv2.sys. The new driver prevent low privileged users from interacting with the driver but did not fix the write-what-where condition.
This module leverages the write-what-where condition in DBUtilDrv2.sys version 2.5 or 2.7 to disable or enable LSA protect on a given PID (assuming the system is configured for LSA Protection). This would allow, for example, dumping LSASS memory even when Secure Boot and RunAsPPL are enabled. Or, as another example, allow an attacker to prevent antivirus from accessing the memory of a chosen process.
The Dell drivers are not in this pull request since they cannot be distributed with Metasploit. The attacker must truly BYOVD and upload the driver and installation files to the target system themselves. The module will install, exploit, and remove the driver.
The Dell drivers are of particular use since they are fully compliant with Windows recent kernel driver signing requirements, so they will likely continue being useful for the foreseeable future. The dbutil_2_3.sys driver was not included in this pull request because it is not compliant, and it uses a different installation method (which would complicate the code). It is also bound for the black list, whereas the new drivers seemingly are not.
Verification
Acquire the necessary drivers. Hashes are in the documentation or come have a chat with me. The verification below assumes we want to dump LSASS (since that would be the most popular use case). In order to enable memory protection on LSASS, enable Secure Boot and enable runAsPPL by setting a registery key in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
as described here.ps | grep lsass
post/windows/gather/memory_dump
SESSION
,PID
, andDUMP_PATH
options.run
sessions -i 1
upload /home/albinolobster/drivers/2_7/ C:\\Windows\\Temp\\
use post/windows/manage/dell_memory_protect
SESSION
,PID
, andDRIVER_PATH
(e.g.C:\\Windows\\Temp
) options.run
post/windows/gather/memory_dump
run
Video || GTFO
See vidyard video (sorry too large to convert to a gif and host on here): https://share.vidyard.com/watch/QdGRV956ZTtGfR7WXVmP2q