#dokydoky


Windows Exploit

Comparing verifier on/off (UAF, double free)

dokydoky 2016. 11. 15. 16:27

Verifier (Driver Verifier) provides a feature that creates a Special Pool in the Windows kernel.

With a special pool in place, a crash can be analyzed much more precisely when it happens.

Below I compare the results with verifier on and off for UAF and double free crashes.


[With verifier on]

 - An exception is raised and execution stops at the moment the corruption happens. (With verifier off, it sometimes does not stop right away.)

 - The "!analyze -v" output states the cause precisely.

 - The driver responsible for the corruption also appears in the stack trace.
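The three points above can be checked mechanically against the logs in this post. The script below is an added example (not from the original post or from HEVD): it replays the fuzzer's IOCTL entry/exit markers to flag the use-after-free and double free before the kernel does, and parses the `BugCheck` / `Probably caused by` lines so the two attributions (HEVD.sys versus Pool_Corruption) can be compared; the two embedded logs are constructed, abbreviated copies of the UAF-1 sessions shown further down.

```python
import re
# Entry/exit marker that each HEVD IOCTL handler prints around its work.
MARK = re.compile(r"^\*{6} HACKSYS_EVD_IOCTL_(ALLOCATE_UAF|ALLOCATE_FAKE|FREE_UAF|USE_UAF)_OBJECT \*{6}$")
CHUNK = re.compile(r"\[\+\] Pool Chunk: (0x[0-9A-Fa-f]+)")
GPTR = re.compile(r"\[\+\] g_UseAfterFreeObject: (0x[0-9A-Fa-f]+)")
BUGCHECK = re.compile(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}")
CULPRIT = re.compile(r"Probably caused by : (\S+)")
C2_ARG1 = {7: "Attempt to free pool which was already freed"}  # BAD_POOL_CALLER Arg1, as !analyze -v prints it

def parse_events(log):
    """Split the fuzzer log into (ioctl, body_lines) pairs, one per handler call."""
    events, current, body = [], None, []
    for line in log.splitlines():
        m = MARK.match(line.strip())
        if m and current is None:          # marker on entry
            current, body = m.group(1), []
        elif m and m.group(1) == current:  # marker on exit
            events.append((current, body))
            current = None
        elif current is not None:
            body.append(line)
    if current is not None:                # no exit marker: the kernel bugchecked inside this handler
        events.append((current, body))
    return events

def _first(regex, lines):
    hits = [m.group(1) for m in map(regex.search, lines) if m]
    return hits[0] if hits else None

def replay(log):
    """Track each pool chunk across IOCTLs; return (event_index, finding, chunk) tuples.
    States: "uaf" (live object), "freed", "fake" (freed address handed back to ALLOCATE_FAKE,
    so g_UseAfterFreeObject now points into a different object)."""
    state, findings = {}, []
    for i, (ioctl, body) in enumerate(parse_events(log)):
        chunk, gptr = _first(CHUNK, body), _first(GPTR, body)
        if ioctl.startswith("ALLOCATE") and chunk:
            state[chunk] = "uaf" if ioctl == "ALLOCATE_UAF" else "fake"
        elif ioctl == "FREE_UAF" and chunk:
            if state.get(chunk) == "freed":
                findings.append((i, "double free", chunk))
            elif state.get(chunk) == "fake":
                findings.append((i, "free through stale pointer", chunk))
            state[chunk] = "freed"
        elif ioctl == "USE_UAF" and gptr:
            if state.get(gptr) == "freed":
                findings.append((i, "use after free", gptr))
            elif state.get(gptr) == "fake":
                findings.append((i, "use through stale pointer", gptr))
    return findings

def parse_bugcheck(log):
    """Extract the bugcheck code, its arguments and the module !analyze blamed."""
    m, c = BUGCHECK.search(log), CULPRIT.search(log)
    if not (m and c):
        return None
    code = int(m.group(1), 16)
    args = [int(a, 16) for a in m.group(2).split(",")]
    culprit = c.group(1)
    # Only a .sys culprit pins the bug on a driver; "Pool_Corruption" means the kernel hit the damage later in an unrelated thread.
    return {"code": code, "args": args, "culprit": culprit,
            "driver_named": culprit.lower().endswith(".sys"),
            "reason": C2_ARG1.get(args[0]) if code == 0xC2 else None}

# Constructed, abbreviated copies of the two UAF-1 sessions shown on this page.
VERIFIER_ON_UAF = """\
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
[+] Pool Chunk: 0x84C5F130
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
[+] Pool Chunk: 0x84C5F130
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
[+] Pool Chunk: 0x84C5F130
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
[+] g_UseAfterFreeObject: 0x84C5F130
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
[+] Pool Chunk: 0x84C5F130
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
[+] Pool Chunk: 0x84C5F130
BugCheck C2, {7, 109b, 80c0025, 84c5f130}
Probably caused by : HEVD.sys ( HEVD!FreeUaFObject+5f )
"""
VERIFIER_OFF_UAF = """\
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
[+] Pool Chunk: 0x85A3A0D0
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
[+] Pool Chunk: 0x85A3A0D0
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
[+] g_UseAfterFreeObject: 0x85A3A0D0
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
BugCheck C5, {90f49da8, 2, 0, 8295c795}
Probably caused by : Pool_Corruption ( nt!ExDeferredFreePool+135 )
"""
```

`replay()` reports the stale use at the USE event in both sessions, while `parse_bugcheck()` shows that only the verifier-on crash names HEVD.sys; with verifier off the log tracker is the only thing that ties the crash back to the driver.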


[verifier on - UAF-1]

*******************************************************************************
*                                                                             *
*   You are seeing this message because you pressed either                    *
*       CTRL+C (if you run kd.exe) or,                                        *
*       CTRL+BREAK (if you run WinDBG),                                       *
*   on your debugger machine's keyboard.                                      *
*                                                                             *
*                   THIS IS NOT A BUG OR A SYSTEM CRASH                       *
*                                                                             *
* If you did not intend to break into the debugger, press the "g" key, then   *
* press the "Enter" key now.  This message might immediately reappear.  If it *
* does, press "g" and "Enter" again.                                          *
*                                                                             *
*******************************************************************************
nt!RtlpBreakWithStatusInstruction:
828977b8 cc              int     3
1: kd> ed nt!Kd_DEFAULT_Mask 8
1: kd> .reload
Connected to Windows 7 7601 x86 compatible target at (Tue Nov 15 03:24:16.871 2016 (UTC - 8:00)), ptr64 FALSE
Loading Kernel Symbols

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

Loading User Symbols
Loading unloaded module list
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for wuaueng.dll - 
1: kd> g

     $$\      $$\ $$\   $$\ $$$$$$$$\
     $$ | $\  $$ |$$ | $$  |$$  _____|
     $$ |$$$\ $$ |$$ |$$  / $$ |
     $$ $$ $$\$$ |$$$$$  /  $$$$$\
     $$$$  _$$$$ |$$  $$<   $$  __|
     $$$  / \$$$ |$$ |\$$\  $$ |
     $$  /   \$$ |$$ | \$$\ $$$$$$$$\
     \__/     \__|\__|  \__|\________|

    Windows Kernel Exploitation Training
          Use After Free Fuzzer
                 Fuzzing

        Ashfaq Ansari (@HackSysTeam)

Note: This is a very dirty script that won't work
for other drivers. The motive of the script to show
attendees that we can write a very simple fuzzer to
find UaF bugs without using any other tools.
    
[+] Opening vulnerable device: \\.\HackSysExtremeVulnerableDriver
[+] Fuzzing HackSys Extreme Vulnerable Driver for UaF bugs
	[*] Using UaF Object
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
	[*] Using UaF Object
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
	[*] Using UaF Object
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
	[*] Creating UaF Object
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
[+] Allocating UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x84C5F130
[+] UseAfterFree Object: 0x84C5F130
[+] g_UseAfterFreeObject: 0x84C5F130
[+] UseAfterFree->Callback: 0x92B84180
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
	[*] Freeing UaF Object
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
[+] Freeing UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Chunk: 0x84C5F130
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
	[*] Creating Fake Object
		[++] Length: 18324
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
[+] Creating Fake Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x84C5F130
[+] Fake Object: 0x84C5F130
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
	[*] Using UaF Object
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
[+] Using UaF Object
[+] g_UseAfterFreeObject: 0x84C5F130
[+] g_UseAfterFreeObject->Callback: 0x41414141
[+] Calling Callback
[-] Exception Code: 0xC0000005
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
	[*] Freeing UaF Object
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
[+] Freeing UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Chunk: 0x84C5F130
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
	[*] Freeing UaF Object
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
[+] Freeing UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Chunk: 0x84C5F130

*** Fatal System Error: 0x000000c2
                       (0x00000007,0x0000109B,0x080C0025,0x84C5F130)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7601 x86 compatible target at (Tue Nov 15 03:49:07.199 2016 (UTC - 8:00)), ptr64 FALSE
Loading Kernel Symbols
Loading User Symbols
Loading unloaded module list
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C2, {7, 109b, 80c0025, 84c5f130}

*** WARNING: Unable to verify checksum for _ctypes.pyd
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for _ctypes.pyd - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for python27.dll - 
Probably caused by : HEVD.sys ( HEVD!FreeUaFObject+5f )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
828977b8 cc              int     3
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 0000109b, (reserved)
Arg3: 080c0025, Memory contents of the pool block
Arg4: 84c5f130, Address of the block of pool being deallocated

Debugging Details:
------------------


POOL_ADDRESS:  84c5f130 Nonpaged pool

FREED_POOL_TAG:  Hack

BUGCHECK_STR:  0xc2_7_Hack

DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO

PROCESS_NAME:  python.exe

CURRENT_IRQL:  2

LAST_CONTROL_TRANSFER:  from 828fbd5f to 828977b8

STACK_TEXT:  
999f460c 828fbd5f 00000003 65a40c3b 00000065 nt!RtlpBreakWithStatusInstruction
999f465c 828fc85d 00000003 84c5f128 000001ff nt!KiBugCheckDebugBreak+0x1c
999f4a20 8293dc6b 000000c2 00000007 0000109b nt!KeBugCheck2+0x68b
999f4a9c 92b84395 84c5f130 6b636148 0b277853 nt!ExFreePoolWithTag+0x1b1
999f4adc 92b844d9 92b85055 85baab90 85baac00 HEVD!FreeUaFObject+0x5f [c:\hacksysextremevulnerabledriver\driver\source\useafterfree.c @ 193]
999f4ae0 92b85055 85baab90 85baac00 84ce7388 HEVD!FreeUaFObjectIoctlHandler+0x5 [c:\hacksysextremevulnerabledriver\driver\source\useafterfree.c @ 308]
999f4afc 82853c1e 84c81d88 85baab90 85baab90 HEVD!IrpDeviceIoCtlHandler+0xef [c:\hacksysextremevulnerabledriver\driver\source\hacksysextremevulnerabledriver.c @ 258]
999f4b14 82a47c09 84ce7388 85baab90 85baac00 nt!IofCallDriver+0x63
999f4b34 82a4adf2 84c81d88 84ce7388 00000000 nt!IopSynchronousServiceTail+0x1f8
999f4bd0 82a91789 84c81d88 85baab90 00000000 nt!IopXxxControlFile+0x6aa
999f4c04 8285a8c6 00000080 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
999f4c04 778570f4 00000080 00000000 00000000 nt!KiSystemServicePostCall
0021f920 778558a4 759b987d 00000080 00000000 ntdll!KiFastSystemCallRet
0021f924 759b987d 00000080 00000000 00000000 ntdll!NtDeviceIoControlFile+0xc
0021f984 76f7ba7d 00000080 0022201b 00000000 KERNELBASE!DeviceIoControl+0xf6
0021f9b0 1d1add7a 00000080 0022201b 00000000 kernel32!DeviceIoControlImplementation+0x80
WARNING: Stack unwind information not available. Following frames may be wrong.
0021f9dc 1d1aca96 1d1ac910 0021f9fc 00000020 _ctypes!DllCanUnloadNow+0x5b4a
0021fa0c 1d1a8db8 76f7ba35 0021fb20 4ec0bf24 _ctypes!DllCanUnloadNow+0x4866
0021fabc 1d1a959e 00001100 76f7ba35 0021fb00 _ctypes!DllCanUnloadNow+0xb88
0021fbf0 1d1a54d8 76f7ba35 014fc2b0 00000000 _ctypes!DllCanUnloadNow+0x136e
0021fc48 1e07bd9c 00000000 014fc2b0 00000000 _ctypes+0x54d8
00000000 00000000 00000000 00000000 00000000 python27!PyObject_Call+0x4c


STACK_COMMAND:  kb

FOLLOWUP_IP: 
HEVD!FreeUaFObject+5f [c:\hacksysextremevulnerabledriver\driver\source\useafterfree.c @ 193]
92b84395 8975e4          mov     dword ptr [ebp-1Ch],esi

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  HEVD!FreeUaFObject+5f

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: HEVD

IMAGE_NAME:  HEVD.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  57cd57c9

FAILURE_BUCKET_ID:  0xc2_7_Hack_HEVD!FreeUaFObject+5f

BUCKET_ID:  0xc2_7_Hack_HEVD!FreeUaFObject+5f

Followup: MachineOwner
---------


[verifier off - UAF-1]

Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
828b57b8 cc              int     3
1: kd> g
VBOXNP: DLL loaded.

[+] Opening vulnerable device: \\.\HackSysExtremeVulnerableDriver
[+] Fuzzing HackSys Extreme Vulnerable Driver for UaF bugs
	[*] Creating Fake Object
		[++] Length: 9433
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
[+] Creating Fake Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x8538DEE0
[+] Fake Object: 0x8538DEE0
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
	[*] Using UaF Object
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
	[*] Creating Fake Object
		[++] Length: 9685
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
[+] Creating Fake Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x85AF00D0
[+] Fake Object: 0x85AF00D0
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
	[*] Using UaF Object
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
	[*] Using UaF Object
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
	[*] Creating UaF Object
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
[+] Allocating UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x85C171F0
[+] UseAfterFree Object: 0x85C171F0
[+] g_UseAfterFreeObject: 0x85C171F0
[+] UseAfterFree->Callback: 0x8E778180
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
	[*] Using UaF Object
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
[+] Using UaF Object
[+] g_UseAfterFreeObject: 0x85C171F0
[+] g_UseAfterFreeObject->Callback: 0x8E778180
[+] Calling Callback
[+] UseAfter Free Object Callback
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
	[*] Creating Fake Object
		[++] Length: 18957
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
[+] Creating Fake Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x853B03C8
[+] Fake Object: 0x853B03C8
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
	[*] Creating Fake Object
		[++] Length: 18475
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
[+] Creating Fake Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x85D12898
[+] Fake Object: 0x85D12898
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
	[*] Creating UaF Object
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
[+] Allocating UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x8590EEE0
[+] UseAfterFree Object: 0x8590EEE0
[+] g_UseAfterFreeObject: 0x8590EEE0
[+] UseAfterFree->Callback: 0x8E778180
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
	[*] Freeing UaF Object
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
[+] Freeing UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Chunk: 0x8590EEE0
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
	[*] Creating UaF Object
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
[+] Allocating UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x85A09EE0
[+] UseAfterFree Object: 0x85A09EE0
[+] g_UseAfterFreeObject: 0x85A09EE0
[+] UseAfterFree->Callback: 0x8E778180
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
	[*] Creating UaF Object
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
[+] Allocating UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x8590EEE0
[+] UseAfterFree Object: 0x8590EEE0
[+] g_UseAfterFreeObject: 0x8590EEE0
[+] UseAfterFree->Callback: 0x8E778180
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
	[*] Creating UaF Object
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
[+] Allocating UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x85A3A0D0
[+] UseAfterFree Object: 0x85A3A0D0
[+] g_UseAfterFreeObject: 0x85A3A0D0
[+] UseAfterFree->Callback: 0x8E778180
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
	[*] Creating Fake Object
		[++] Length: 711
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
[+] Creating Fake Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x85D24868
[+] Fake Object: 0x85D24868
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
	[*] Creating Fake Object
		[++] Length: 4341
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
[+] Creating Fake Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x852CF108
[+] Fake Object: 0x852CF108
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
	[*] Using UaF Object
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
[+] Using UaF Object
[+] g_UseAfterFreeObject: 0x85A3A0D0
[+] g_UseAfterFreeObject->Callback: 0x8E778180
[+] Calling Callback
[+] UseAfter Free Object Callback
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
	[*] Freeing UaF Object
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
[+] Freeing UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Chunk: 0x85A3A0D0
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
	[*] Using UaF Object
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
[+] Using UaF Object
[+] g_UseAfterFreeObject: 0x85A3A0D0
[+] g_UseAfterFreeObject->Callback: 0x85AD5D38
[+] Calling Callback
[-] Exception Code: 0xC0000005
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
	[*] Creating UaF Object
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
[+] Allocating UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x8578E730
[+] UseAfterFree Object: 0x8578E730
[+] g_UseAfterFreeObject: 0x8578E730
[+] UseAfterFree->Callback: 0x8E778180
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
	[*] Creating UaF Object
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
[+] Allocating UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x852D27E8
[+] UseAfterFree Object: 0x852D27E8
[+] g_UseAfterFreeObject: 0x852D27E8
[+] UseAfterFree->Callback: 0x8E778180

*** Fatal System Error: 0x000000c5
                       (0x90F49DA8,0x00000002,0x00000000,0x8295C795)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7601 x86 compatible target at (Mon Nov 14 23:04:03.866 2016 (UTC - 8:00)), ptr64 FALSE
Loading Kernel Symbols
Loading User Symbols

Loading unloaded module list
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C5, {90f49da8, 2, 0, 8295c795}

Probably caused by : Pool_Corruption ( nt!ExDeferredFreePool+135 )

Followup: Pool_corruption
---------

nt!RtlpBreakWithStatusInstruction:
828b57b8 cc              int     3
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is
caused by drivers that have corrupted the system pool.  Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: 90f49da8, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 8295c795, address which referenced memory

Debugging Details:
------------------


BUGCHECK_STR:  0xC5_2

CURRENT_IRQL:  2

FAULTING_IP: 
nt!ExDeferredFreePool+135
8295c795 8b10            mov     edx,dword ptr [eax]

DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO

PROCESS_NAME:  System

TRAP_FRAME:  8906ba84 -- (.trap 0xffffffff8906ba84)
ErrCode = 00000000
eax=90f49da8 ebx=000001ff ecx=000001ff edx=82971858 esi=8cacb0d0 edi=829716c0
eip=8295c795 esp=8906baf8 ebp=8906bb30 iopl=0         nv up ei ng nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010282
nt!ExDeferredFreePool+0x135:
8295c795 8b10            mov     edx,dword ptr [eax]  ds:0023:90f49da8=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 82919d5f to 828b57b8

STACK_TEXT:  
8906b64c 82919d5f 00000003 55d11e9c 00000065 nt!RtlpBreakWithStatusInstruction
8906b69c 8291a85d 00000003 90f49da8 8295c795 nt!KiBugCheckDebugBreak+0x1c
8906ba64 8287bb7f 0000000a 90f49da8 00000002 nt!KeBugCheck2+0x68b
8906ba64 8295c795 0000000a 90f49da8 00000002 nt!KiTrap0E+0x1b3
8906bb30 8295c35f 829716c0 00000000 843d8c18 nt!ExDeferredFreePool+0x135
8906bb9c 82a5da39 85672c38 e5726854 85672c38 nt!ExFreePoolWithTag+0x8a4
8906bbc0 82a5d7de 85672c60 85672c48 00000000 nt!ObpFreeObject+0x24f
8906bbd4 828b3200 00000000 00000000 85672c60 nt!ObpRemoveObjectRoutine+0x5e
8906bbe8 828b3170 85672c60 828f0852 8297cc90 nt!ObfDereferenceObjectWithTag+0x88
8906bbf0 828f0852 8297cc90 843ebd48 829763f8 nt!ObfDereferenceObject+0xd
8906bc00 828b814b 00000000 00000000 843ebd48 nt!PspReaper+0x84
8906bc50 82a44141 00000002 55d11490 00000000 nt!ExpWorkerThread+0x10d
8906bc90 828eb559 828b803e 00000002 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt!ExDeferredFreePool+135
8295c795 8b10            mov     edx,dword ptr [eax]

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  nt!ExDeferredFreePool+135

FOLLOWUP_NAME:  Pool_corruption

IMAGE_NAME:  Pool_Corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MODULE_NAME: Pool_Corruption

FAILURE_BUCKET_ID:  0xC5_2_nt!ExDeferredFreePool+135

BUCKET_ID:  0xC5_2_nt!ExDeferredFreePool+135

Followup: Pool_corruption
---------


[verifier off - Double Free]

nt!RtlpBreakWithStatusInstruction:
828c57b8 cc              int     3
1: kd> ed nt!Kd_DEFAULT_Mask 8
1: kd> .reload
Connected to Windows 7 7601 x86 compatible target at (Tue Nov 15 01:16:52.452 2016 (UTC - 8:00)), ptr64 FALSE
Loading Kernel Symbols
Loading User Symbols

Loading unloaded module list
1: kd> g

[+] Opening vulnerable device: \\.\HackSysExtremeVulnerableDriver
[+] Fuzzing HackSys Extreme Vulnerable Driver for UaF bugs
	[*] Using UaF Object
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
	[*] Creating UaF Object
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
[+] Allocating UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x85D43820
[+] UseAfterFree Object: 0x85D43820
[+] g_UseAfterFreeObject: 0x85D43820
[+] UseAfterFree->Callback: 0x92D52180
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
	[*] Creating Fake Object
		[++] Length: 17705
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
[+] Creating Fake Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x85D4E638
[+] Fake Object: 0x85D4E638
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
	[*] Freeing UaF Object
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
[+] Freeing UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Chunk: 0x85D43820
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
	[*] Freeing UaF Object
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
[+] Freeing UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Chunk: 0x85D43820

*** Fatal System Error: 0x000000c2
                       (0x00000007,0x0000109B,0x080C0027,0x85D43820)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7601 x86 compatible target at (Tue Nov 15 01:18:31.765 2016 (UTC - 8:00)), ptr64 FALSE
Loading Kernel Symbols
Loading User Symbols
Loading unloaded module list
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C2, {7, 109b, 80c0027, 85d43820}

*** WARNING: Unable to verify checksum for _ctypes.pyd
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for _ctypes.pyd - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for python27.dll - 
Probably caused by : HEVD.sys ( HEVD!FreeUaFObject+5f )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
828c57b8 cc              int     3
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 0000109b, (reserved)
Arg3: 080c0027, Memory contents of the pool block
Arg4: 85d43820, Address of the block of pool being deallocated

Debugging Details:
------------------


POOL_ADDRESS:  85d43820 Nonpaged pool

FREED_POOL_TAG:  Hack

BUGCHECK_STR:  0xc2_7_Hack

DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO

PROCESS_NAME:  python.exe

CURRENT_IRQL:  2

LAST_CONTROL_TRANSFER:  from 82929d5f to 828c57b8

STACK_TEXT:  
9f51760c 82929d5f 00000003 52fa2a8b 00000065 nt!RtlpBreakWithStatusInstruction
9f51765c 8292a85d 00000003 85d43818 000001ff nt!KiBugCheckDebugBreak+0x1c
9f517a20 8296bc6b 000000c2 00000007 0000109b nt!KeBugCheck2+0x68b
9f517a9c 92d52395 85d43820 6b636148 0d846b77 nt!ExFreePoolWithTag+0x1b1
9f517adc 92d524d9 92d53055 85d8f5f8 85d8f668 HEVD!FreeUaFObject+0x5f [c:\hacksysextremevulnerabledriver\driver\source\useafterfree.c @ 193]
9f517ae0 92d53055 85d8f5f8 85d8f668 85efef18 HEVD!FreeUaFObjectIoctlHandler+0x5 [c:\hacksysextremevulnerabledriver\driver\source\useafterfree.c @ 308]
9f517afc 82881c1e 85c42030 85d8f5f8 85d8f5f8 HEVD!IrpDeviceIoCtlHandler+0xef [c:\hacksysextremevulnerabledriver\driver\source\hacksysextremevulnerabledriver.c @ 258]
9f517b14 82a75c09 85efef18 85d8f5f8 85d8f668 nt!IofCallDriver+0x63
9f517b34 82a78df2 85c42030 85efef18 00000000 nt!IopSynchronousServiceTail+0x1f8
9f517bd0 82abf789 85c42030 85d8f5f8 00000000 nt!IopXxxControlFile+0x6aa
9f517c04 828888c6 00000080 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
9f517c04 772070f4 00000080 00000000 00000000 nt!KiSystemServicePostCall
0021f920 772058a4 7528987d 00000080 00000000 ntdll!KiFastSystemCallRet
0021f924 7528987d 00000080 00000000 00000000 ntdll!NtDeviceIoControlFile+0xc
0021f984 76e1ba7d 00000080 0022201b 00000000 KERNELBASE!DeviceIoControl+0xf6
0021f9b0 1d1add7a 00000080 0022201b 00000000 kernel32!DeviceIoControlImplementation+0x80
WARNING: Stack unwind information not available. Following frames may be wrong.
0021f9dc 1d1aca96 1d1ac910 0021f9fc 00000020 _ctypes!DllCanUnloadNow+0x5b4a
0021fa0c 1d1a8db8 76e1ba35 0021fb20 27afdc76 _ctypes!DllCanUnloadNow+0x4866
0021fabc 1d1a959e 00001100 76e1ba35 0021fb00 _ctypes!DllCanUnloadNow+0xb88
0021fbf0 1d1a54d8 76e1ba35 0142c2b0 00000000 _ctypes!DllCanUnloadNow+0x136e
0021fc48 1e07bd9c 00000000 0142c2b0 00000000 _ctypes+0x54d8
00000000 00000000 00000000 00000000 00000000 python27!PyObject_Call+0x4c


STACK_COMMAND:  kb

FOLLOWUP_IP: 
HEVD!FreeUaFObject+5f [c:\hacksysextremevulnerabledriver\driver\source\useafterfree.c @ 193]
92d52395 8975e4          mov     dword ptr [ebp-1Ch],esi

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  HEVD!FreeUaFObject+5f

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: HEVD

IMAGE_NAME:  HEVD.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  57cd57c9

FAILURE_BUCKET_ID:  0xc2_7_Hack_HEVD!FreeUaFObject+5f

BUCKET_ID:  0xc2_7_Hack_HEVD!FreeUaFObject+5f

Followup: MachineOwner
---------


[verifier on - Double Free]

Break instruction exception - code 80000003 (first chance)
*******************************************************************************
*                                                                             *
*   You are seeing this message because you pressed either                    *
*       CTRL+C (if you run kd.exe) or,                                        *
*       CTRL+BREAK (if you run WinDBG),                                       *
*   on your debugger machine's keyboard.                                      *
*                                                                             *
*                   THIS IS NOT A BUG OR A SYSTEM CRASH                       *
*                                                                             *
* If you did not intend to break into the debugger, press the "g" key, then   *
* press the "Enter" key now.  This message might immediately reappear.  If it *
* does, press "g" and "Enter" again.                                          *
*                                                                             *
*******************************************************************************
nt!RtlpBreakWithStatusInstruction:
828b57b8 cc              int     3
1: kd> g

     $$\      $$\ $$\   $$\ $$$$$$$$\
     $$ | $\  $$ |$$ | $$  |$$  _____|
     $$ |$$$\ $$ |$$ |$$  / $$ |
     $$ $$ $$\$$ |$$$$$  /  $$$$$\
     $$$$  _$$$$ |$$  $$<   $$  __|
     $$$  / \$$$ |$$ |\$$\  $$ |
     $$  /   \$$ |$$ | \$$\ $$$$$$$$\
     \__/     \__|\__|  \__|\________|

    Windows Kernel Exploitation Training
          Use After Free Fuzzer
                 Fuzzing

        Ashfaq Ansari (@HackSysTeam)

Note: This is a very dirty script that won't work
for other drivers. The motive of the script to show
attendees that we can write a very simple fuzzer to
find UaF bugs without using any other tools.

[+] Opening vulnerable device: \\.\HackSysExtremeVulnerableDriver
[+] Fuzzing HackSys Extreme Vulnerable Driver for UaF bugs
	[*] Using UaF Object
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
	[*] Using UaF Object
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
	[*] Freeing UaF Object
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
	[*] Creating Fake Object
		[++] Length: 5756
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
[+] Creating Fake Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x9C680FA8
[+] Fake Object: 0x9C680FA8
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
	[*] Using UaF Object
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
	[*] Creating Fake Object
		[++] Length: 19255
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
[+] Creating Fake Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x94948FA8
[+] Fake Object: 0x94948FA8
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
	[*] Freeing UaF Object
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
	[*] Creating Fake Object
		[++] Length: 1882
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
[+] Creating Fake Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x9C790FA8
[+] Fake Object: 0x9C790FA8
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
	[*] Creating UaF Object
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
[+] Allocating UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x96A2EFA8
[+] UseAfterFree Object: 0x96A2EFA8
[+] g_UseAfterFreeObject: 0x96A2EFA8
[+] UseAfterFree->Callback: 0x9255A180
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
	[*] Using UaF Object
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
[+] Using UaF Object
[+] g_UseAfterFreeObject: 0x96A2EFA8
[+] g_UseAfterFreeObject->Callback: 0x9255A180
[+] Calling Callback
[+] UseAfter Free Object Callback
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
	[*] Using UaF Object
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
[+] Using UaF Object
[+] g_UseAfterFreeObject: 0x96A2EFA8
[+] g_UseAfterFreeObject->Callback: 0x9255A180
[+] Calling Callback
[+] UseAfter Free Object Callback
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
	[*] Freeing UaF Object
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
[+] Freeing UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Chunk: 0x96A2EFA8
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
	[*] Freeing UaF Object
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
[+] Freeing UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Chunk: 0x96A2EFA8

*** Fatal System Error: 0x000000cc
                       (0x96A2E000,0x00000000,0x8292F9E5,0x00000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7601 x86 compatible target at (Mon Nov 14 23:24:11.706 2016 (UTC - 8:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
................................................................
........

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

...............
Loading User Symbols
.........................
Loading unloaded module list
......
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck CC, {96a2e000, 0, 8292f9e5, 0}

*** WARNING: Unable to verify checksum for _ctypes.pyd
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for _ctypes.pyd - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for python27.dll - 
Probably caused by : HEVD.sys ( HEVD!FreeUaFObject+5f )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
828c27b8 cc              int     3
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_FREED_SPECIAL_POOL (cc)
Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: 96a2e000, memory referenced
Arg2: 00000000, value 0 = read operation, 1 = write operation
Arg3: 8292f9e5, if non-zero, the address which referenced memory.
Arg4: 00000000, Mm internal code.

Debugging Details:
------------------


READ_ADDRESS:  96a2e000 Special pool

FAULTING_IP: 
nt!MmQuerySpecialPoolBlockSize+1a
8292f9e5 8b00            mov     eax,dword ptr [eax]

MM_INTERNAL_CODE:  0

DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO

BUGCHECK_STR:  0xCC

PROCESS_NAME:  python.exe

CURRENT_IRQL:  2

TRAP_FRAME:  9a2df990 -- (.trap 0xffffffff9a2df990)
ErrCode = 00000000
eax=96a2e000 ebx=00000fa8 ecx=00000fff edx=00002000 esi=96a2efa8 edi=96a2e000
eip=8292f9e5 esp=9a2dfa04 ebp=9a2dfa68 iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
nt!MmQuerySpecialPoolBlockSize+0x1a:
8292f9e5 8b00            mov     eax,dword ptr [eax]  ds:0023:96a2e000=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 82926d5f to 828c27b8

STACK_TEXT:  
9a2df4e4 82926d5f 00000003 476689d5 00000065 nt!RtlpBreakWithStatusInstruction
9a2df534 8292785d 00000003 00000000 0009c68c nt!KiBugCheckDebugBreak+0x1c
9a2df8f8 828d5879 00000050 96a2e000 00000000 nt!KeBugCheck2+0x68b
9a2df978 82888aa8 00000000 96a2e000 00000000 nt!MmAccessFault+0x104
9a2df978 8292f9e5 00000000 96a2e000 00000000 nt!KiTrap0E+0xdc
9a2dfa00 82968b81 00000000 96a2efa8 9481cf68 nt!MmQuerySpecialPoolBlockSize+0x1a
9a2dfa68 82b7af90 96a2efa8 6b636148 00000000 nt!ExFreePoolWithTag+0xc7
9a2dfa7c 9255a395 96a2efa8 6b636148 08786818 nt!VerifierExFreePoolWithTag+0x30
9a2dfabc 9255a4d9 9255b055 9481cf68 9481cfd8 HEVD!FreeUaFObject+0x5f [c:\hacksysextremevulnerabledriver\driver\source\useafterfree.c @ 193]
9a2dfac0 9255b055 9481cf68 9481cfd8 8af42380 HEVD!FreeUaFObjectIoctlHandler+0x5 [c:\hacksysextremevulnerabledriver\driver\source\useafterfree.c @ 308]
9a2dfadc 82b796c3 8b339898 9481cf68 88b7ea98 HEVD!IrpDeviceIoCtlHandler+0xef [c:\hacksysextremevulnerabledriver\driver\source\hacksysextremevulnerabledriver.c @ 258]
9a2dfb00 8287ebd5 00000000 9481cf68 8b339898 nt!IovCallDriver+0x258
9a2dfb14 82a72c09 88b7ea98 9481cf68 9481cfd8 nt!IofCallDriver+0x1b
9a2dfb34 82a75df2 8b339898 88b7ea98 00000000 nt!IopSynchronousServiceTail+0x1f8
9a2dfbd0 82abc789 8b339898 9481cf68 00000000 nt!IopXxxControlFile+0x6aa
9a2dfc04 828858c6 00000080 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
9a2dfc04 76e470f4 00000080 00000000 00000000 nt!KiSystemServicePostCall
0021f920 76e458a4 74ea987d 00000080 00000000 ntdll!KiFastSystemCallRet
0021f924 74ea987d 00000080 00000000 00000000 ntdll!NtDeviceIoControlFile+0xc
0021f984 7539ba7d 00000080 0022201b 00000000 KERNELBASE!DeviceIoControl+0xf6
0021f9b0 1d1add7a 00000080 0022201b 00000000 kernel32!DeviceIoControlImplementation+0x80
WARNING: Stack unwind information not available. Following frames may be wrong.
0021f9dc 1d1aca96 1d1ac910 0021f9fc 00000020 _ctypes!DllCanUnloadNow+0x5b4a
0021fa0c 1d1a8db8 7539ba35 0021fb20 1955559c _ctypes!DllCanUnloadNow+0x4866
0021fabc 1d1a959e 00001100 7539ba35 0021fb00 _ctypes!DllCanUnloadNow+0xb88
0021fbf0 1d1a54d8 7539ba35 013eb2b0 00000000 _ctypes!DllCanUnloadNow+0x136e
0021fc48 1e07bd9c 00000000 013eb2b0 00000000 _ctypes+0x54d8
00000000 00000000 00000000 00000000 00000000 python27!PyObject_Call+0x4c


STACK_COMMAND:  kb

FOLLOWUP_IP: 
HEVD!FreeUaFObject+5f [c:\hacksysextremevulnerabledriver\driver\source\useafterfree.c @ 193]
9255a395 8975e4          mov     dword ptr [ebp-1Ch],esi

SYMBOL_STACK_INDEX:  8

SYMBOL_NAME:  HEVD!FreeUaFObject+5f

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: HEVD

IMAGE_NAME:  HEVD.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  57cd57c9

FAILURE_BUCKET_ID:  0xCC_VRF_HEVD!FreeUaFObject+5f

BUCKET_ID:  0xCC_VRF_HEVD!FreeUaFObject+5f

Followup: MachineOwner
---------



[verifier on - UAF]

Break instruction exception - code 80000003 (first chance)
*******************************************************************************
*                                                                             *
*   You are seeing this message because you pressed either                    *
*       CTRL+C (if you run kd.exe) or,                                        *
*       CTRL+BREAK (if you run WinDBG),                                       *
*   on your debugger machine's keyboard.                                      *
*                                                                             *
*                   THIS IS NOT A BUG OR A SYSTEM CRASH                       *
*                                                                             *
* If you did not intend to break into the debugger, press the "g" key, then   *
* press the "Enter" key now.  This message might immediately reappear.  If it *
* does, press "g" and "Enter" again.                                          *
*                                                                             *
*******************************************************************************
nt!RtlpBreakWithStatusInstruction:
8287e7b8 cc              int     3
1: kd> ed nt!Kd_DEFAULT_Mask 8
1: kd> .reload
Connected to Windows 7 7601 x86 compatible target at (Tue Nov 15 00:37:43.983 2016 (UTC - 8:00)), ptr64 FALSE
Loading Kernel Symbols
..............................................

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

.................
................................................................
.......................
Loading User Symbols

Loading unloaded module list
......
1: kd> x HEVD!Trigger*
9475fab8 HEVD!TriggerNullPointerDereference (void *)
9475fc42 HEVD!TriggerUninitializedHeapVariable (void *)
9475f63c HEVD!TriggerTypeConfusion (struct _USER_TYPE_CONFUSION_OBJECT *)
9475fdd2 HEVD!TriggerUninitializedStackVariable (void *)
9475f506 HEVD!TriggerStackOverflow (void *, unsigned long)
9475f006 HEVD!TriggerPoolOverflow (void *, unsigned long)
9475f9e4 HEVD!TriggerArbitraryOverwrite (struct _WRITE_WHAT_WHERE *)
9475f8b0 HEVD!TriggerIntegerOverflow (void *, unsigned long)
9475f7b6 HEVD!TriggerStackOverflowGS (void *, unsigned long)
1: kd> g

     $$\      $$\ $$\   $$\ $$$$$$$$\
     $$ | $\  $$ |$$ | $$  |$$  _____|
     $$ |$$$\ $$ |$$ |$$  / $$ |
     $$ $$ $$\$$ |$$$$$  /  $$$$$\
     $$$$  _$$$$ |$$  $$<   $$  __|
     $$$  / \$$$ |$$ |\$$\  $$ |
     $$  /   \$$ |$$ | \$$\ $$$$$$$$\
     \__/     \__|\__|  \__|\________|

    Windows Kernel Exploitation Training
          Use After Free Fuzzer
                 Fuzzing

        Ashfaq Ansari (@HackSysTeam)

Note: This is a very dirty script that won't work
for other drivers. The motive of the script to show
attendees that we can write a very simple fuzzer to
find UaF bugs without using any other tools.
    
[+] Opening vulnerable device: \\.\HackSysExtremeVulnerableDriver
[+] Fuzzing HackSys Extreme Vulnerable Driver for UaF bugs
	[*] Creating Fake Object
		[++] Length: 17940
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
[+] Creating Fake Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x9AC2CFA8
[+] Fake Object: 0x9AC2CFA8
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
	[*] Using UaF Object
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
	[*] Creating Fake Object
		[++] Length: 934
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
[+] Creating Fake Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x9ACB0FA8
[+] Fake Object: 0x9ACB0FA8
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
	[*] Using UaF Object
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
	[*] Freeing UaF Object
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
	[*] Freeing UaF Object
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
	[*] Freeing UaF Object
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
	[*] Creating UaF Object
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
[+] Allocating UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x9AD68FA8
[+] UseAfterFree Object: 0x9AD68FA8
[+] g_UseAfterFreeObject: 0x9AD68FA8
[+] UseAfterFree->Callback: 0x9475F180
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
	[*] Creating UaF Object
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
[+] Allocating UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x9AC22FA8
[+] UseAfterFree Object: 0x9AC22FA8
[+] g_UseAfterFreeObject: 0x9AC22FA8
[+] UseAfterFree->Callback: 0x9475F180
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
	[*] Creating UaF Object
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
[+] Allocating UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x9AC6AFA8
[+] UseAfterFree Object: 0x9AC6AFA8
[+] g_UseAfterFreeObject: 0x9AC6AFA8
[+] UseAfterFree->Callback: 0x9475F180
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
	[*] Creating Fake Object
		[++] Length: 7044
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
[+] Creating Fake Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x9AC54FA8
[+] Fake Object: 0x9AC54FA8
****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******
	[*] Using UaF Object
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
[+] Using UaF Object
[+] g_UseAfterFreeObject: 0x9AC6AFA8
[+] g_UseAfterFreeObject->Callback: 0x9475F180
[+] Calling Callback
[+] UseAfter Free Object Callback
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
	[*] Creating UaF Object
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
[+] Allocating UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x97414FA8
[+] UseAfterFree Object: 0x97414FA8
[+] g_UseAfterFreeObject: 0x97414FA8
[+] UseAfterFree->Callback: 0x9475F180
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
	[*] Creating UaF Object
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
[+] Allocating UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x9743AFA8
[+] UseAfterFree Object: 0x9743AFA8
[+] g_UseAfterFreeObject: 0x9743AFA8
[+] UseAfterFree->Callback: 0x9475F180
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
	[*] Creating UaF Object
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
[+] Allocating UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Type: NonPagedPool
[+] Pool Size: 0x58
[+] Pool Chunk: 0x9AC72FA8
[+] UseAfterFree Object: 0x9AC72FA8
[+] g_UseAfterFreeObject: 0x9AC72FA8
[+] UseAfterFree->Callback: 0x9475F180
****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******
	[*] Freeing UaF Object
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
[+] Freeing UaF Object
[+] Pool Tag: 'kcaH'
[+] Pool Chunk: 0x9AC72FA8
****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******
	[*] Using UaF Object
****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******
[+] Using UaF Object
[+] g_UseAfterFreeObject: 0x9AC72FA8

*** Fatal System Error: 0x000000d5
                       (0x9AC72FA8,0x00000000,0x9475F2D3,0x00000000)

Driver at fault: 
***      HEVD.sys - Address 9475F2D3 base at 9475B000, DateStamp 57cd57c9
.
Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7601 x86 compatible target at (Tue Nov 15 00:39:25.436 2016 (UTC - 8:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
................................................................
............

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

...........
Loading User Symbols
.........................
Loading unloaded module list
......
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D5, {9ac72fa8, 0, 9475f2d3, 0}

*** WARNING: Unable to verify checksum for _ctypes.pyd
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for _ctypes.pyd - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for python27.dll - 
Probably caused by : HEVD.sys ( HEVD!UseUaFObject+3f )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
8287e7b8 cc              int     3
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5)
Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: 9ac72fa8, memory referenced
Arg2: 00000000, value 0 = read operation, 1 = write operation
Arg3: 9475f2d3, if non-zero, the address which referenced memory.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


READ_ADDRESS:  9ac72fa8 Special pool

FAULTING_IP: 
HEVD!UseUaFObject+3f [c:\hacksysextremevulnerabledriver\driver\source\useafterfree.c @ 146]
9475f2d3 ff30            push    dword ptr [eax]

MM_INTERNAL_CODE:  0

IMAGE_NAME:  HEVD.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  57cd57c9

MODULE_NAME: HEVD

FAULTING_MODULE: 9475b000 HEVD

DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO

BUGCHECK_STR:  0xD5

PROCESS_NAME:  python.exe

CURRENT_IRQL:  2

TRAP_FRAME:  953fba0c -- (.trap 0xffffffff953fba0c)
ErrCode = 00000000
eax=9ac72fa8 ebx=94760cb8 ecx=94760cb8 edx=00000025 esi=00000000 edi=9ac34f68
eip=9475f2d3 esp=953fba80 ebp=953fbabc iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
HEVD!UseUaFObject+0x3f:
9475f2d3 ff30            push    dword ptr [eax]      ds:0023:9ac72fa8=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 828e2d5f to 8287e7b8

STACK_TEXT:  
953fb55c 828e2d5f 00000003 46fc8808 00000065 nt!RtlpBreakWithStatusInstruction
953fb5ac 828e385d 00000003 00000000 0009ac88 nt!KiBugCheckDebugBreak+0x1c
953fb970 82891879 00000050 9ac72fa8 00000000 nt!KeBugCheck2+0x68b
953fb9f4 82844aa8 00000000 9ac72fa8 00000000 nt!MmAccessFault+0x104
953fb9f4 9475f2d3 00000000 9ac72fa8 00000000 nt!KiTrap0E+0xdc
953fbabc 9475f4cb 9475ffc5 9ac34f68 9ac34fd8 HEVD!UseUaFObject+0x3f [c:\hacksysextremevulnerabledriver\driver\source\useafterfree.c @ 146]
953fbac0 9475ffc5 9ac34f68 9ac34fd8 8b91ee00 HEVD!UseUaFObjectIoctlHandler+0x5 [c:\hacksysextremevulnerabledriver\driver\source\useafterfree.c @ 290]
953fbadc 82b356c3 8b594cc0 9ac34f68 8c67b8e8 HEVD!IrpDeviceIoCtlHandler+0x5f [c:\hacksysextremevulnerabledriver\driver\source\hacksysextremevulnerabledriver.c @ 253]
953fbb00 8283abd5 00000000 9ac34f68 8b594cc0 nt!IovCallDriver+0x258
953fbb14 82a2ec09 8c67b8e8 9ac34f68 9ac34fd8 nt!IofCallDriver+0x1b
953fbb34 82a31df2 8b594cc0 8c67b8e8 00000000 nt!IopSynchronousServiceTail+0x1f8
953fbbd0 82a78789 8b594cc0 9ac34f68 00000000 nt!IopXxxControlFile+0x6aa
953fbc04 828418c6 00000080 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
953fbc04 779970f4 00000080 00000000 00000000 nt!KiSystemServicePostCall
0021f920 779958a4 75b9987d 00000080 00000000 ntdll!KiFastSystemCallRet
0021f924 75b9987d 00000080 00000000 00000000 ntdll!NtDeviceIoControlFile+0xc
0021f984 778bba7d 00000080 00222017 00000000 KERNELBASE!DeviceIoControl+0xf6
0021f9b0 1d1add7a 00000080 00222017 00000000 kernel32!DeviceIoControlImplementation+0x80
WARNING: Stack unwind information not available. Following frames may be wrong.
0021f9dc 1d1aca96 1d1ac910 0021f9fc 00000020 _ctypes!DllCanUnloadNow+0x5b4a
0021fa0c 1d1a8db8 778bba35 0021fb20 d94d6dd5 _ctypes!DllCanUnloadNow+0x4866
0021fabc 1d1a959e 00001100 778bba35 0021fb00 _ctypes!DllCanUnloadNow+0xb88
0021fbf0 1d1a54d8 778bba35 0143c2b0 00000000 _ctypes!DllCanUnloadNow+0x136e
0021fc48 1e07bd9c 00000000 0143c2b0 00000000 _ctypes+0x54d8
00000000 00000000 00000000 00000000 00000000 python27!PyObject_Call+0x4c


STACK_COMMAND:  kb

FOLLOWUP_IP: 
HEVD!UseUaFObject+3f [c:\hacksysextremevulnerabledriver\driver\source\useafterfree.c @ 146]
9475f2d3 ff30            push    dword ptr [eax]

SYMBOL_STACK_INDEX:  5

SYMBOL_NAME:  HEVD!UseUaFObject+3f

FOLLOWUP_NAME:  MachineOwner

FAILURE_BUCKET_ID:  0xD5_VRF_HEVD!UseUaFObject+3f

BUCKET_ID:  0xD5_VRF_HEVD!UseUaFObject+3f

Followup: MachineOwner
---------
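A triage helper for the two verifier-on analyses above (the 0xCC double free and the 0xD5 use-after-free), added here as an example and not part of the original post or of HEVD: it parses `!analyze -v` output into the fields that matter when bucketing fuzzer crashes and flags whether Driver Verifier was involved. The sample text is an abridged copy of the post's double-free analysis; the verdict heuristic (fault inside the kernel free path = double free, fault in driver code = use-after-free) is this example's own assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Frames that appear only when Driver Verifier hooks the driver (both occur in the post's logs).
VERIFIER_FRAMES = ("nt!VerifierExFreePoolWithTag", "nt!IovCallDriver")
# Modules that are never the blamed component; the first frame outside them is the driver.
SYSTEM_MODULES = ("nt!", "ntdll!", "KERNELBASE!", "kernel32!")
# A "kb" frame: five 8-digit hex columns followed by the symbol.
FRAME_RE = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+)", re.M)


@dataclass
class CrashTriage:
    code: int                    # bugcheck number, e.g. 0xCC
    name: str                    # bugcheck name as !analyze prints it
    args: List[int]              # Arg1..Arg4
    faulting_ip: str             # symbol of the instruction that faulted
    process: str
    driver_frame: Optional[str]  # first stack frame outside SYSTEM_MODULES
    verifier_active: bool        # "_VRF_" bucket or verifier frames on the stack
    verdict: str


def classify(code: int, args: List[int], faulting_ip: str) -> str:
    """Map a bugcheck to the pool bug it indicates (heuristic written for this example)."""
    if code == 0xC2 and args and args[0] == 7:
        # BAD_POOL_CALLER, parameter 1 == 7: the block being freed was already freed.
        return "double free (BAD_POOL_CALLER: block already freed)"
    if code in (0xCC, 0xD5):
        # Special pool unmaps a freed page, so any touch faults. A fault raised from inside the
        # kernel free path means the block reached ExFreePoolWithTag twice; a fault in driver code is a use.
        if faulting_ip.startswith(("nt!ExFreePoolWithTag", "nt!MmQuerySpecialPoolBlockSize")):
            return "double free (freed special-pool block freed again)"
        return "use-after-free (freed special-pool page touched at %s)" % faulting_ip
    return "unclassified"


def parse_analyze(text: str) -> CrashTriage:
    """Pull the triage fields out of '!analyze -v' output; ValueError if one is missing."""
    def grab(pattern: str) -> str:
        m = re.search(pattern, text, re.M | re.S)
        if not m:
            raise ValueError("field not found: " + pattern)
        return m.group(1)

    name = grab(r"^([A-Z0-9_]+) \([0-9a-f]+\)")
    code = int(grab(r"^[A-Z0-9_]+ \(([0-9a-f]+)\)"), 16)
    args = [int(a, 16) for a in re.findall(r"^Arg[1-4]: ([0-9a-f]{8})", text, re.M)]
    faulting_ip = grab(r"^FAULTING_IP:[ \t]*\n(\S+)")
    process = grab(r"^PROCESS_NAME:[ \t]+(\S+)")
    bucket = grab(r"^FAILURE_BUCKET_ID:[ \t]+(\S+)")
    frames = FRAME_RE.findall(grab(r"^STACK_TEXT:(.*?)^STACK_COMMAND:"))
    driver_frame = next((f for f in frames if not f.startswith(SYSTEM_MODULES)), None)
    verifier_active = "_VRF_" in bucket or any(f.startswith(VERIFIER_FRAMES) for f in frames)
    return CrashTriage(code, name, args, faulting_ip, process, driver_frame,
                       verifier_active, classify(code, args, faulting_ip))


# Constructed sample: the post's verifier-on double-free analysis, abridged to the fields read above.
SAMPLE_ANALYZE = r"""
PAGE_FAULT_IN_FREED_SPECIAL_POOL (cc)
Arguments:
Arg1: 96a2e000, memory referenced
Arg2: 00000000, value 0 = read operation, 1 = write operation
Arg3: 8292f9e5, if non-zero, the address which referenced memory.
Arg4: 00000000, Mm internal code.

FAULTING_IP:
nt!MmQuerySpecialPoolBlockSize+1a

PROCESS_NAME:  python.exe

STACK_TEXT:
9a2dfa00 82968b81 00000000 96a2efa8 9481cf68 nt!MmQuerySpecialPoolBlockSize+0x1a
9a2dfa68 82b7af90 96a2efa8 6b636148 00000000 nt!ExFreePoolWithTag+0xc7
9a2dfa7c 9255a395 96a2efa8 6b636148 08786818 nt!VerifierExFreePoolWithTag+0x30
9a2dfabc 9255a4d9 9255b055 9481cf68 9481cfd8 HEVD!FreeUaFObject+0x5f [c:\hacksysextremevulnerabledriver\driver\source\useafterfree.c @ 193]
9a2dfb00 8287ebd5 00000000 9481cf68 8b339898 nt!IovCallDriver+0x258

STACK_COMMAND:  kb

FAILURE_BUCKET_ID:  0xCC_VRF_HEVD!FreeUaFObject+5f
"""
```

Running `parse_analyze(SAMPLE_ANALYZE)` yields the HEVD frame as the blamed driver, `verifier_active` set from the `_VRF_` bucket, and a double-free verdict because the fault sits in `nt!MmQuerySpecialPoolBlockSize`.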


