This repository has been archived by the owner on Nov 17, 2021. It is now read-only.

arbitrary kernel read/write in dbutil_2_3.sys, Proof of Concept Local Privilege Escalation to nt authority/system


mathisvickie/CVE-2021-21551

CVE-2021-21551

Simple PoC for exploiting CVE-2021-21551 for LPE by spawning system cmd.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21551

An issue was discovered in the signed Dell Windows driver (dbutil_2_3.sys) which may lead to compromise of the whole local system. The driver's IOCTL dispatch routine does not validate the user-supplied buffer.

IOCTL

Any local user can open a handle to the device and issue requests with these IOCTL codes, which break the Windows security model:

  • 0x9b0c1f40 - arbitrary physical memory read
  • 0x9b0c1f44 - arbitrary physical memory write
  • 0x9b0c1ec4 - arbitrary kernel memory read
  • 0x9b0c1ec8 - arbitrary kernel memory write
  • 0x9b0c1ecc - controlled parameters to MmFreeContiguousMemorySpecifyCache call
  • 0x9b0c1ec0 - controlled parameters to MmAllocateContiguousMemorySpecifyCache call
  • 0x9b0c1f00 & 0x9b0c1f8c & 0x9b0c1f88 & 0x9b0c1f84 & 0x9b0c1f80 - access to some ports
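A defender-side check added here (not part of the PoC repository): PowerShell that reports whether dbutil_2_3.sys is registered as a kernel driver service or present on disk, together with its Authenticode signer. The search paths are assumptions; adjust them for your environment.

```powershell
# Added example, not code from the PoC repository. Read-only inventory check
# for the vulnerable Dell driver dbutil_2_3.sys. Run from an elevated prompt.

$driverName = 'dbutil_2_3.sys'

function Get-DbutilDriverStatus {
    # Kernel drivers are registered as services; match on the image path.
    $services = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and $_.PathName -like "*$driverName*" }

    # Locations to search for the file itself (assumed, adjust as needed).
    $searchRoots = @("$env:SystemRoot\Temp", "$env:SystemRoot\System32\drivers")
    $files = foreach ($root in $searchRoots) {
        if (Test-Path $root) {
            Get-ChildItem -Path $root -Filter $driverName -Recurse -File -ErrorAction SilentlyContinue
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        ServiceFound = [bool]$services
        Services     = $services | Select-Object Name, State, StartMode, PathName
        FilesFound   = @($files).Count
        Files        = $files | ForEach-Object {
            # Record who signed the binary so the report can distinguish the
            # vendor-signed driver from a renamed look-alike.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                SizeBytes = $_.Length
                Signer    = $sig.SignerCertificate.Subject
                SigStatus = $sig.Status
            }
        }
    }
}

$result = Get-DbutilDriverStatus
if ($result.ServiceFound -or $result.FilesFound -gt 0) {
    Write-Warning "$driverName present on $($result.ComputerName): review, unload and remove per vendor guidance."
    $result.Services | Format-Table -AutoSize
    $result.Files    | Format-Table -AutoSize
} else {
    Write-Output "$driverName not found on $($result.ComputerName)."
}
```

A running service entry with State 'Running' means the IOCTL interface listed above is reachable by local users until the driver is unloaded and removed.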

Compiling PoC

This PoC uses the 0x9b0c1ec4/0x9b0c1ec8 IOCTL codes for arbitrary kernel memory read/write respectively. It first locates PsInitialSystemProcess in the kernel to obtain the SYSTEM token, then writes that token into the current process's EPROCESS structure. Before compiling, update the EPROCESS offsets for your Windows build to avoid a BSOD, using https://www.vergiliusproject.com/

```c
// Offsets into the kernel's EPROCESS structure; these vary per Windows build.
DWORD EPROCESS_ActiveProcessLinks = 0x2e8; // LIST_ENTRY linking all processes
DWORD EPROCESS_Token = 0x348;              // EX_FAST_REF to the process token
```

Use Visual Studio to compile (requires the Windows headers). Ntdll SDK header: https://github.com/mathisvickie/segy-software/blob/main/external/ntdll.h

Running

Tested on:

  • Windows 8
  • Windows 10 2004
  • Windows 10 20H2

A successful exploit will run a SYSTEM cmd. If you get the bugcheck PAGE_FAULT_IN_NONPAGED_AREA, the offsets are probably incorrect.