
PoC details: e81619d8326f5094e3dd1483883d04dadd5f5cfd

Related vulnerability
Title: AMD μProf security vulnerability (CVE-2023-20562)
Description: AMD μProf is a software profiling tool from Advanced Micro Devices (AMD) in the United States. AMD μProf contains a security vulnerability caused by insufficient validation of the IOCTL input buffer, which allows an attacker to load an unsigned driver and thereby achieve arbitrary kernel code execution.
Introduction
# HITCON 2023 Demo CVE-2023-20562

## Description
This demonstration took place at HITCON 2023 in Taiwan. The demo highlights the exploitation of AMDCpuProfiler.sys within AMD μProf. By triggering an arbitrary write on the EPROCESS token, privilege escalation to SYSTEM level is achieved. Disabling the DSE flag allows loading of a malicious unsigned driver. The presentation further showcases an attack on 360 Total Security through nullifying its ObRegisterCallbacks, enabling execution of malicious actions on the processes of 360 Total Security.

## Info
* Topic: Uncovering Kernel Exploits: Exploring Vulnerabilities in AMD's Windows Kernel Drivers
* Session: https://hitcon.org/2023/CMT/en/agenda/5cb8168d-8fd6-4741-95a5-2e32aeb3e8af/
* Slide: https://drive.google.com/file/d/1bWwzsUL0aSQA3lqu1WFrtAp3EW93Y0cx/view?usp=sharing
* Demo Video: https://youtu.be/j8dpt3TLKKY

## Environment
* Windows 10 1909
* Visual Studio 2017
* AMD μProf 3.6.839
* 360 Total Security 6.6.0.1060

## Usage
1. Install AMD μProf 3.6.839 and 360 Total Security 6.6.0.1060
2. Put exploit.exe and Malicious.sys in the same directory.
3. Execute `exploit.exe LPE` with a normal user, and a cmd.exe with SYSTEM privilege is expected to pop up.
4. Execute `exploit.exe BYOVD` in the cmd.exe with SYSTEM privilege, and the processes of 360 Total Security are expected to be killed.

Note that since the DSE flag is not reset to its original value, and the callbacks are forcibly nullified, the system may become unstable.

## Reference
* nt!_SEP_TOKEN_PRIVILEGES - Single Write EoP Protect: https://anti-reversing.com/Downloads/Sec_Research/ntoskrnl_v10.0.15063_nt!_SEP_TOKEN_PRIVILEGES-Single_Write_EoP_Protect.pdf
* EXPLOITING VIR.IT EXPLORER ANTI-VIRUS ARBITRARY WRITE VULNERABILITY: https://www.greyhathacker.net/?p=990
* find DSE flag: https://github.com/hfiref0x/DSEFix
File snapshot

```
[4.0K] /data/pocs/e81619d8326f5094e3dd1483883d04dadd5f5cfd
├── [4.0K] bin
│   ├── [ 24K] exploit.exe
│   └── [7.1K] malicious.sys
├── [4.0K] exploit
│   ├── [4.1K] byovd.cpp
│   ├── [ 278] byovd.h
│   ├── [7.6K] exploit.cpp
│   ├── [8.3K] exploit.vcxproj
│   ├── [2.2K] exploit.vcxproj.filters
│   ├── [ 162] exploit.vcxproj.user
│   ├── [5.1K] global.h
│   ├── [4.0K] hde
│   │   ├── [9.4K] hde64.c
│   │   ├── [2.5K] hde64.h
│   │   └── [3.5K] table64.h
│   ├── [221K] ntdll.h
│   ├── [434K] ntdllp_7.lib
│   ├── [5.7K] pe.cpp
│   ├── [ 16K] swind2.cpp
│   ├── [6.9K] sysinfo.cpp
│   ├── [5.0K] token.cpp
│   └── [ 599] token.h
├── [3.7K] Exploit-AMDμProf-AMDCpuProfiler.sln
├── [5.9K] Exploit-AMDμProf-AMDCpuProfiler.vcxproj
├── [ 814] Exploit-AMDμProf-AMDCpuProfiler.vcxproj.filters
├── [ 162] Exploit-AMDμProf-AMDCpuProfiler.vcxproj.user
├── [4.0K] malicious
│   ├── [8.8K] malicious.cpp
│   ├── [ 503] malicious.inf
│   ├── [6.7K] malicious.vcxproj
│   └── [1.1K] malicious.vcxproj.filters
└── [1.8K] README.md

4 directories, 28 files
```