Penetration Testing mailing list archives

Re: Running Ring3 command from Ring0 in Windows?


From: Jun Koi <junkoi2004 () gmail com>
Date: Fri, 5 Jun 2009 12:29:51 +0900

> On Fri, Jun 5, 2009 at 7:36 AM, H D Moore <sflist () digitaloffense net> wrote:
> On Wed, 03 Jun 2009 11:39:32 -0500, Jun Koi <junkoi2004 () gmail com> wrote:
>
>> Hi,
>>
>> I am looking for a way to execute a Ring3 command (for example, "net user
>> passwd" to change the password of a user) from Ring0 of Windows.
>>
>> The motivation for this is that I can exploit the Windows kernel and
>> execute my code there. So far so good. But I am not content with
>> executing in Ring0 only, and want to run some code in Ring3, too. The
>> code can be injected by me, or I can simply run an existing command
>> tool (like cmd.exe).
>>
>> Could anybody recommend any technique to achieve this?
>
> This is what skape's kernel-to-userland injection code does (now part of
> Metasploit). It installs a hook, uses this to find a target process, and
> copies the userland shellcode into the target process. We use this to run
> userland payloads through exploited wireless drivers.
>
> Ring0-Ring3 staging:
> http://metasploit.com/svn/framework3/trunk/lib/rex/payloads/win32/kernel/stager.rb
>
> Kernel symbol resolution:
> http://uninformed.org/index.cgi?v=3&a=4&p=10
> http://metasploit.com/svn/framework3/trunk/lib/rex/payloads/win32/common.rb
>
> To run a command, just export a shellcode buffer from msfpayload
> windows/exec CMD="cmd.exe /c something", and append this to the userland
> stub.


It is quite clear: we can inject code from the kernel into userspace using
the stager you pointed out. However, the question remains: after
that, how is the shellcode (in userspace) triggered?

In the Metasploit method, I imagine that the code is somehow executed
later, but I am not sure how it is done.

skape's paper proposes many techniques, so which techniques are
implemented in Metasploit?

Many thanks,
J
