Wednesday, June 7, 2017

Talk/Workshop at DEF CON 25

Just got the word that @aleph___naught and I will be presenting a talk and workshop at DEF CON 25.

Our talk is a post-exploitation RAT using the Windows Script Host. Executing completely from memory with tons of ways to fork to shellcode. Will contain some original research (with the help of @JennaMagius and @The_Naterz) and amazing prior work by @tiraniddo, @subTee, and @enigma0x3. Queue @mattifestation interjecting with something about app whitelisting!

The workshop is not just the tactics, but the code and reverse engineering behind all the stuff in penetration testing rootkits such as Meterpreter and PowerShell Empire. It will include a deep look into Windows internals and some new concepts and ideas not yet present in the normal set of tools.

All slides and code will be posted at the end of DEF CON.

ETERNALBLUE: Exploit Analysis and Port to Microsoft Windows 10

The whitepaper for the research done on ETERNALBLUE by @JennaMagius and I has been completed.

Be sure to check the bibliography for other great writeups of the pool grooming and overflow process. This paper breaks some new ground by explaining the execution chain after the memory corrupting overwrite is complete.

PDF Download


r5hjrtgher pointed out the vulnerable code section did not appear accurate. Upon further investigation, we discovered this was correct. The confusion was because unlike the version of Windows Server 2008 we originally reversed, on Windows 10 the Srv!SrvOs2FeaListSizeToNt function was inlined inside Srv!SrvOs2FeaListToNt. We saw a similar code path and hastily concluded it was the vulnerable one. Narrowing the exact location was not necessary to port the exploit.

Here is the correct vulnerable code path for Windows 10 version 1511:

How the vulnerability was patched with MS17-010:

The 16-bit registers were replaced with 32-bit versions, to prevent the mathematical miscalculation leading to buffer overflow.

Minor note: there was also extra assembly and mitigations added in the code paths leading to this.

To all the foreign intelligence agencies trying to spear phish I've already deleted all my data! :tinfoil: