Introduction:
Hello All, moving in to further research about exploit development and kernel exploitation I came across a technique which I'll be discussing today it's really an interesting technique known as token stealing.
Basically in this technique an attacker can open a process which is running as system get the security token from the process and replaces the token in the process that is running as a low level user and gain system level privilege.
Security Tokens:
According to the microsoft documentation, When a user logs on to a computer, the system creates an access token for that user. The access token contains information about the level of access that the user is granted, including specific security identifiers (SIDs) and Windows privileges.
For more on security tokens and access tokens refer to the Microsoft documentation.
EProcess:
Now, in a process the token resides in Eprocess. Eprocess is basically a structures that has stores attributes of the process as well as other attributes and other data structures related to that process.
Before beginning the demonstration we need to enable the local kernel debugging for that,
1. Open cmd as administrator and use the command bcdedit /debug on and reboot the computer.
2. Open Windbg in the file menu select Attach to kernel and click ok.
Demonstration:
In Windows when the system starts, a system process is started, which always has a process ID of 4.
To see the structure of the Eprocess we can simply type in command
dt nt!_EPROCESS
One of the Eprocess structure member is token.
depending on the token permissions the process can perform different operations for example, if a process wants to read a file, that file security descriptor will check if the token in the process has the permissions to do it. The process that is running as SYSTEM has all the permissions on all the system objects.
What we need to do is get the token of the system process and replace the token in our cmd.exe process.
Let's get the token from the system process.
In the above image we can see that the token has an offset of 0x4b8, also in the above image there is something call _EX_FAST_REF, it is an EXECUTIVE FAST Reference union. This is what the access token of a process is stored in. Let's look into it further,
dt nt!_EX_FAST_REF
In the above image there is a RefCnt value, this is a value that is appended to the access token, that keeps track of references of the access token. Using bitwise AND we will clear these bits out. That way we can just extract the actual value of the token and not unnecessary metadata. To extract the value of the EX_FAST_REF we use the following command:
dt nt!_EXFAST_REF <Process Address>+0x4b8
As you can see, RefCnt is equal to 0y1110. 0y is a binary value. So this means that RefCnt in this situation equals 14.
Using bitwise to clear out the last bits,
? <token> & 0xf
And the result we get is 14. We don't actually want this value we want the inverse of this, so we will use -0xf
This will be the raw access token. Let's copy this to our cmd.exe process and see what happens.
Since the token is at the offset of the process address we can use the following command to replace it.
eq <process address>+0x4b8 ffffb203`73429040
and let's see if we can execute commands as system.
Awesome! We successfully replaced the token and got nt authority\system.
That's it for today. Hope you guys learned something new.
References:
https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-up-local-kernel-debugging-of-a-single-computer-manually
https://learn.microsoft.com/en-us/windows/win32/secauthz/access-tokens
https://connormcgarr.github.io/x64-Kernel-Shellcode-Revisited-and-SMEP-Bypass/
https://fluidattacks.com/blog/hevd-privilege-escalation/