Chapter 6

Windows

Description

This chapter covers the most popular operating system in the world, Microsoft Windows.

Source Code

This chapter provides vulnerable drivers and working exploits for Windows.


Windows DVWD Driver.
Exploits against the DVWD Driver.

In order to compile the DVWD driver you need to install the WDK (Windows Driver Kit). If you can't install the WDK, no worries, here is the binary version of the driver:

Windows 2008 R2 (64-bit free-build)
Windows 2003 SP2 (32-bit free-build)

Unzip the DVWDDriver package in a space-free path (e.g., don't use c:\Documents and Settings\).

Run the WDK build environment for the proper operating system, which can be found under the menu: Programs->Windows Driver Kit->WDK 7600->Build Environments

Run the build utility as follows:

WDK build utility example

c:\WinDDK\DVWDDriver>build -cwfe
BUILD: Compile and Link for AMD64
BUILD: Loading c:\winddk\7600.16385.0\build.dat...
BUILD: Computing Include file dependencies:
BUILD: Start time: Tue Jun 01 21:41:40 2010
BUILD: Examining c:\WinDDK\DVWDDriver directory for files to compile.
c:\winddk\dvwddriver Auto-cleaning queue for 'WDKSamples:amd64fre' (3 of 3 file(s) removed)
Invalidating OACR warning log for 'WDKSamples:amd64fre'
BUILD: Saving c:\winddk\7600.16385.0\build.dat...
BUILD: Compiling and Linking c:\winddk\dvwddriver directory
Configuring OACR for 'WDKSamples:amd64fre' - <OACR on>
Compiling - driver.c
Compiling - stackoverflow.c
Compiling - overwrite.c
Linking Executable - objfre_wlh_amd64\amd64\dvwd.sys
BUILD: Finish time: Tue Jun 01 21:41:42 2010
BUILD: Done

5 files compiled - 336 LPS
1 executable built
c:\WinDDK\DVWDDriver>

You can use your preferred driver-loader application to load the DVWD driver (e.g. the OSR Driver Loader).

NOTE: Since the drivers are not signed, they fail to load on newer x64 Windows systems. You have a few options:

1) Enable kernel debugging, reboot and attach a kernel debugger (WinDBG kernel mode).
2) Reboot and press F5 to enter the Windows Boot Manager menu, press F8 to access the Advanced Boot Options and select Disable Driver Signature Enforcement. This option is not persistent across reboots.
3) Self-Sign the drivers.
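The F8 option above leaves no trace in the boot configuration, but the persistent ways of relaxing signature enforcement (test signing, disabled integrity checks) and any unsigned driver that was loaded while enforcement was off are both visible from user mode. The following PowerShell check is an added example, not part of the DVWD package or the book; it assumes an elevated prompt and English-locale bcdedit output.

```powershell
# Added example, not part of the DVWD package: report boot settings that weaken
# driver signature enforcement and list running drivers whose image file does
# not carry a valid Authenticode signature. Run from an elevated PowerShell.
# Assumption: bcdedit prints English-locale output ("Yes"/"No").

function Get-DriverSigningState {
    # Boot entry flags that persist across reboots (unlike the F8 option).
    $bcd = & bcdedit /enum '{current}' 2>$null
    $bootFlags = [pscustomobject]@{
        TestSigning       = [bool]($bcd -match '^\s*testsigning\s+Yes')
        NoIntegrityChecks = [bool]($bcd -match '^\s*nointegritychecks\s+Yes')
    }

    # Running kernel drivers from the service database. PathName may be an
    # NT-style path (\??\C:\... or \SystemRoot\...), so normalise it first.
    $unsigned = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Name   = $_.Name
                    Path   = $path
                    Status = $sig.Status      # e.g. NotSigned, HashMismatch
                    Signer = $sig.SignerCertificate.Subject
                }
            }
        }

    [pscustomobject]@{
        BootFlags       = $bootFlags
        UnsignedDrivers = @($unsigned)
    }
}

$state = Get-DriverSigningState
$state.BootFlags | Format-List
$state.UnsignedDrivers | Format-Table -AutoSize
```

A DVWD driver loaded via option 2 or a self-signed one from option 3 shows up in UnsignedDrivers with Status NotSigned or UnknownError, since neither chains to a trusted root.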

In order to compile the DVWDExploits package you need to install the evaluation version of Visual Studio 2008 Professional (or newer).

If you can't install Visual Studio, again, here are the DVWDExploits binaries:

x64 binary - debug build (to run against Windows 2008 R2 64-bit)
x32 binary - debug build (to run against Windows 2003 SP2 32-bit)

In order to run DVWDExploits you need to run the exploit binary passing the correct argument. Running it with no argument shows the possible options. On an x64 build the compiled binary is stored in the ..\DVWDExploits\x64\Debug\ path. A couple of exploit vectors against x64 systems are left as an exercise for the reader. The following is an example on Windows 2003 SP2 32-bit:

Windows 2003 SP2 32-bit example

C:\exploit-test\DVWDExploits\Debug>DVWDExploits.exe
[-] You must supply one of those:
        --exploit-overwrite-ldtway-32
        --exploit-overwrite-profile-32
        --exploit-stack-overflow-32

C:\exploit-test\DVWDExploits\Debug>DVWDExploits.exe --exploit-overwrite-ldtway-32
Version Detected: 5.2 SP 2.0
[-] Available Target: Windows 2003 SP2 32-bit
[*] Kernel Executive Entry: \WINDOWS\system32\ntkrnlpa.exe at 80800000
[*] Driver Entry: \??\C:\exploit-test\DVWDDriver\objfre_wnet_x86\i386\dvwd.sys at F77C7000
[*] Get Current Process Handle=1968 Object=8611ED88 Type=5
[--] kprocessLDTDesc found at: 8611EDA8
[--] LDT Descriptor fake: 0x82680000ffff
etc.

page last modified: Oct 06, 2010 @ 15:00