PoC details: 19adecaf97b75cec0ee03bcc31ddc4bdf685e045

Source
Related vulnerability
Title: Micro Star MSI Afterburner security vulnerability (CVE-2019-16098)
Description: Micro Star MSI Afterburner is a graphics-card overclocking utility from Micro-Star International (Micro Star) of Taiwan, China. A security vulnerability exists in Micro Star MSI Afterburner 4.6.2.15658. An attacker can exploit it to read from and write to arbitrary memory, I/O ports and MSRs, and thereby escalate privileges, execute code, disclose information and potentially bypass the Microsoft driver-signing policy to deploy malicious code.
Description
This exploit rebuilds and exploits CVE-2019-16098 in the Micro-Star MSI Afterburner 4.6.2.15658 driver (RTCore64.sys and RTCore32.sys), which allows any authenticated user to read and write arbitrary memory, I/O ports, and MSRs. Instead of a hardcoded base address for Ntoskrnl.exe, I calculate it dynamically and also calculate all offsets.
Introduction
# NT-AUTHORITY-SYSTEM-CONTEXT-RTCORE
This exploit rebuilds and exploits CVE-2019-16098 in the Micro-Star MSI Afterburner 4.6.2.15658 driver (RTCore64.sys and RTCore32.sys), which allows any authenticated user to read and write arbitrary memory, I/O ports, and MSRs. Instead of a hardcoded base address for Ntoskrnl.exe, I calculate it dynamically and recalculated all offsets for the new version of Windows. EPROCESS is an opaque structure that serves as the process object for a process, and the PsInitialSystemProcess global variable points to the process object of the System process. To calculate the address of PsInitialSystemProcess we therefore need the Ntoskrnl.exe base address, which is calculated dynamically; after that, the offsets of all EPROCESS fields needed to steal the System token and escalate privileges are calculated. Because the driver is signed, it can also be used to bypass the Microsoft driver-signing policy to deploy malicious code.


https://github.com/user-attachments/assets/64295738-987a-4309-811a-c8805d788e05



## Flow of code
* Define the structures required for RTCORE64 read and write operations.
* Calculate the base address of Ntoskrnl.exe.
* Calculate the offset and address of PsInitialSystemProcess.
* Calculate the offsets of the required EPROCESS fields (Token, UniqueProcessId, ActiveProcessLinks).
* Use the device object to read the System process token and write it over the current process token.
* Run with SYSTEM context.

## Usage 
* Build the program with Visual Studio 2019.
* Create and start the driver service before running the compiled binary.
* Create the service: `sc create RTCORE64 binPath= "<path to RTCore64.sys>" type= kernel` (sc.exe requires the space after each `=`).
* Start the service: `sc start RTCORE64`
* Run the compiled binary to obtain an NT AUTHORITY\SYSTEM shell.

## NOTE
* Tested on Windows 11 23H2 with release ID 2009, build number 22621.3447 and major version 10.
* Newer releases and build numbers may have different offsets.
* This code uses the PPLKiller technique to obtain the base address of Ntoskrnl.exe.

### Disclaimer
Only for educational purposes.

### References
* https://github.com/Barakat/CVE-2019-16098
* https://github.com/RedCursorSecurityConsulting/PPLKiller



File snapshot

```text
[4.0K] /data/pocs/19adecaf97b75cec0ee03bcc31ddc4bdf685e045
├── [1.0K] LICENSE
├── [2.1K] README.md
└── [4.0K] SYSTEM_CONTEXT_RTCORE
    ├── [4.0K] Driver
    │   └── [ 14K] RTCore64.sys
    ├── [4.0K] SYSTEM_CONTEXT_RTCORE
    │   ├── [6.7K] SYSTEM_CONTEXT_RTCORE.cpp
    │   ├── [6.4K] SYSTEM_CONTEXT_RTCORE.vcxproj
    │   ├── [ 973] SYSTEM_CONTEXT_RTCORE.vcxproj.filters
    │   ├── [ 165] SYSTEM_CONTEXT_RTCORE.vcxproj.user
    │   └── [4.0K] x64
    │       ├── [4.0K] Debug
    │       │   ├── [4.0K] SYSTEM_C.325995fb.tlog
    │       │   │   ├── [ 922] CL.command.1.tlog
    │       │   │   ├── [ 26K] CL.read.1.tlog
    │       │   │   ├── [ 808] CL.write.1.tlog
    │       │   │   ├── [1.5K] link.command.1.tlog
    │       │   │   ├── [3.5K] link.read.1.tlog
    │       │   │   ├── [ 804] link.write.1.tlog
    │       │   │   └── [ 179] SYSTEM_CONTEXT_RTCORE.lastbuildstate
    │       │   ├── [ 975] SYSTEM_CONTEXT_RTCORE.Build.CppClean.log
    │       │   ├── [ 320] SYSTEM_CONTEXT_RTCORE.exe.recipe
    │       │   ├── [668K] SYSTEM_CONTEXT_RTCORE.ilk
    │       │   ├── [ 154] SYSTEM_CONTEXT_RTCORE.log
    │       │   ├── [ 80K] SYSTEM_CONTEXT_RTCORE.obj
    │       │   ├── [   0] SYSTEM_CONTEXT_RTCORE.vcxproj.FileListAbsolute.txt
    │       │   ├── [251K] vc143.idb
    │       │   └── [156K] vc143.pdb
    │       └── [4.0K] Release
    │           ├── [4.0K] SYSTEM_C.325995fb.tlog
    │           │   ├── [ 930] CL.command.1.tlog
    │           │   ├── [ 26K] CL.read.1.tlog
    │           │   ├── [ 626] CL.write.1.tlog
    │           │   ├── [1.6K] link.command.1.tlog
    │           │   ├── [4.0K] link.read.1.tlog
    │           │   ├── [1.0K] link.write.1.tlog
    │           │   └── [ 181] SYSTEM_CONTEXT_RTCORE.lastbuildstate
    │           ├── [1.3K] SYSTEM_CONTEXT_RTCORE.Build.CppClean.log
    │           ├── [ 322] SYSTEM_CONTEXT_RTCORE.exe.recipe
    │           ├── [ 66K] SYSTEM_CONTEXT_RTCORE.iobj
    │           ├── [ 20K] SYSTEM_CONTEXT_RTCORE.ipdb
    │           ├── [ 357] SYSTEM_CONTEXT_RTCORE.log
    │           ├── [222K] SYSTEM_CONTEXT_RTCORE.obj
    │           ├── [   0] SYSTEM_CONTEXT_RTCORE.vcxproj.FileListAbsolute.txt
    │           └── [140K] vc143.pdb
    └── [1.4K] SYSTEM_CONTEXT_RTCORE.sln

8 directories, 38 files
```