Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan
The NvStreamKms.sys driver calls PsSetCreateProcessNotifyRoutineEx to set up aprocess creation notification routine. In this particular routine, if ( cur->image_names_count > 0 ) { // info_ is the PPS_CREATE_NOTIFY_INFO that is passed to the routine. image_filename = info_->ImageFileName; buf = image_filename->Buffer; if ( buf ) { if ( !v5 ) { i = 0i64; num_chars = image_filename->Length / 2; // Look for the filename by scanning for backslash. if ( num_chars ) { while ( buf[num_chars - (unsigned int)i - 1] != '\\' ) { i = (unsigned int)(i + 1); if ( (unsigned int)i >= num_chars ) goto LABEL_39; } buf += num_chars - (unsigned __int64)(unsigned int)i; }LABEL_39: v26 = (unsigned int)i; wcscpy_s((wchar_t *)Dst, i, buf); Dst[v26] = 0; wcslwr((wchar_t *)Dst); v5 = 1; wcscpy_s is used incorrectly here, as the second argument is not the size of|Dst|, but rather the calculated size of the filename. |Dst| is a stack bufferthat is at least 255 characters long. The the maximum component paths of mostfilesystems on Windows have a limit that is <= 255 though, so this shouldn't bean issue on normal filesystems. However, one can pass UNC paths to CreateProcessW containing forward slashes asthe path delimiter, which means that the extracted filename here can be"a/b/c/...", leading to a buffer overflow. Additionally, this function has nostack cookie. e.g. CreateProcessW(L"\\\\?\\UNC\\127.0.0.1@8000\\DavWWWRoot\\..../..../..../blah.exe", ... Crashing context with my PoC (Win 10 x64 with 372.54): NvStreamKms+0x1c6a:fffff801`5c791c6a c3 ret kd> dqs rspffffd000`25bc5d18 00410041`00410041 kd> t ... KMODE_EXCEPTION_NOT_HANDLED (1e)...FAULTING_IP:NvStreamKms+1c6afffff800`5b1d1c6a c3 ret To reproduce, a WebDAV server is required (can be localhost), and the WebClientservice needs to be started (start can be triggered by user without additional privileges). Then, run setup to create the long path to the target executable (you'll need tochange the base directories), and then run poc_part1, and then poc_part2 (withthe right UNC path) on the target machine. Proofs of Concept:www.extremehacking.org
Sadik Shaikh | Cyber Suraksha Abhiyan, Ethical Hacking Training Institute, CEHv9,CHFI,ECSAv9,CAST,ENSA, CCNA, CCNA SECURITY,MCITP,RHCE,CHECKPOINT, ASA FIREWALL,VMWARE,CLOUD,ANDROID,IPHONE,NETWORKING HARDWARE,TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking,Center For Advanced Security Training in India, ceh v9 course in Pune-India, ceh certification in pune-India, ceh v9 training in Pune-India, Ethical Hacking Course in Pune-India
Sadik Shaikh | Cyber Suraksha Abhiyan, Ethical Hacking Training Institute, CEHv9,CHFI,ECSAv9,CAST,ENSA, CCNA, CCNA SECURITY,MCITP,RHCE,CHECKPOINT, ASA FIREWALL,VMWARE,CLOUD,ANDROID,IPHONE,NETWORKING HARDWARE,TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking,Center For Advanced Security Training in India, ceh v9 course in Pune-India, ceh certification in pune-India, ceh v9 training in Pune-India, Ethical Hacking Course in Pune-India