Awesome
CVE-2021-21551
Simple PoC for exploiting CVE-2021-21551 for LPE by spawning system cmd.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21551
An issue was discovered in signed dell windows driver (dbutil_2_3.sys) which may lead to compromisation of whole local system. Driver's ioctl dispatch routine lacks of validation of user supplied buffer.
IOCTL
Anyone can create handle and issue ioctl requests to these ioctl codes which break windows security model:
- 0x9b0c1f40 - arbitrary physical memory read
- 0x9b0c1f44 - arbitrary physical memory write
- 0x9b0c1ec4 - arbitrary kernel memory read
- 0x9b0c1ec8 - arbitrary kernel memory write
- 0x9b0c1ecc - controlled parameters to MmFreeContiguousMemorySpecifyCache call
- 0x9b0c1ec0 - controlled parameters to MmAllocateContiguousMemorySpecifyCache call
- 0x9b0c1f00 & 0x9b0c1f8c & 0x9b0c1f88 & 0x9b0c1f84 & 0x9b0c1f80 - access to some ports
Compiling PoC
This PoC exploits 0x9b0c1ec4/0x9b0c1ec8 ioctl codes for arbitrary kernel memory read/write respectively. Firstly it locates PsInitialSystemProcess in kernel to get system token and then it writes this token to current process EPROCESS struct. Before compiling update your EPROCESS offsets to avoid BSOD using https://www.vergiliusproject.com/
DWORD EPROCESS_ActiveProcessLinks = 0x2e8;
DWORD EPROCESS_Token = 0x348;
Use visual studio to compile (requires windows header). Ntdll SDK header: https://github.com/mathisvickie/segy-software/blob/main/external/ntdll.h
Running
Tested on:
- Windows 8
- Windows 10 2004
- Windows 10 20H2
Successful exploit will run system cmd. If you get bugcheck PAGE_FAULT_IN_NONPAGED_AREA then the offsets are probably incorrect. Sample output: