HackSys Extreme Vulnerable Driver



Introduction

HackSys Extreme Vulnerable Driver is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at the kernel level.

HackSys Extreme Vulnerable Driver covers a wide range of vulnerabilities, from simple buffer overflows to complex use-after-frees and pool overflows. This lets researchers explore the exploitation techniques for each of the implemented vulnerabilities.

Why HackSys Extreme Vulnerable Driver?

I was giving a series of talks on Windows Kernel Exploitation at null Security Community’s Pune Chapter, so I thought it would be better to write a driver that has all the major vulnerabilities implemented in it. The idea behind writing the driver was to give the attendees a better view of what is happening behind the vulnerable code, and it will also be of great help during my workshops and trainings.

Vulnerabilities Implemented

  • Pool Overflow
  • Use After Free
  • Type Confusion
  • Stack Overflow
  • Integer Overflow
  • Stack Overflow GS
  • Arbitrary Overwrite
  • Null Pointer Dereference
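As an added illustration (this is not HEVD's own source; the frame layout, status values and addresses are constructed for the demo), the C program below simulates the pattern behind the Stack Overflow entry in the list above: an IOCTL handler copies a user-controlled number of bytes into a fixed-size kernel stack buffer. The vulnerable handler trusts the caller's length, so the copy runs past the buffer into the saved EBP and the return address, which is exactly the value that lands in EIP when the function executes RET. The hardened handler rejects oversized input before touching the buffer. The "frame" is a struct standing in for the callee's stack frame so the overwrite can be observed without corrupting this program's own stack.

```c
/*
 * Simulated IOCTL handler: stack buffer overflow, vulnerable vs. hardened.
 * Added example, not HEVD code. All addresses and status values are
 * constructed placeholders.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_PARAMETER 0xC000000Du
#define KERNEL_BUFFER_SIZE       512

#define ORIGINAL_RETURN_ADDR 0x8053ABCDu /* constructed: legitimate return into the caller */
#define EOP_PAYLOAD_ADDR     0x41414141u /* constructed: where the attacker's EoP payload lives */

/* x86 frame as the compiler lays it out: local buffer, saved EBP, then the
 * return address that CALL pushed. Overrunning the buffer reaches both. */
struct FakeKernelFrame {
    uint8_t  KernelBuffer[KERNEL_BUFFER_SIZE];
    uint32_t SavedEbp;
    uint32_t ReturnAddress;
};

/* Vulnerable: Size comes straight from the IOCTL caller and is never checked. */
static uint32_t StackOverflowVulnerable(struct FakeKernelFrame *frame,
                                        const uint8_t *UserBuffer, size_t Size)
{
    /* Copy through a byte pointer to the whole frame so that, in this
     * simulation, the overflow stays inside the struct (defined behaviour). */
    uint8_t *dst = (uint8_t *)frame + offsetof(struct FakeKernelFrame, KernelBuffer);
    memcpy(dst, UserBuffer, Size); /* the bug: no bound on Size */
    return STATUS_SUCCESS;
}

/* Hardened: refuse anything larger than the destination before copying. */
static uint32_t StackOverflowSecure(struct FakeKernelFrame *frame,
                                    const uint8_t *UserBuffer, size_t Size)
{
    if (Size > sizeof frame->KernelBuffer)
        return STATUS_INVALID_PARAMETER;
    memcpy(frame->KernelBuffer, UserBuffer, Size);
    return STATUS_SUCCESS;
}

static void InitFrame(struct FakeKernelFrame *frame)
{
    memset(frame, 0, sizeof *frame);
    frame->SavedEbp = 0xB2A7FF00u; /* constructed saved frame pointer */
    frame->ReturnAddress = ORIGINAL_RETURN_ADDR;
}

/* Attacker's buffer: filler over KernelBuffer and SavedEbp, then the chosen
 * address in the slot where the return address sits. */
static void BuildOverflowPayload(uint8_t *payload, size_t PayloadSize)
{
    uint32_t addr = EOP_PAYLOAD_ADDR;
    memset(payload, 'A', PayloadSize);
    memcpy(payload + offsetof(struct FakeKernelFrame, ReturnAddress), &addr, sizeof addr);
}

/* Runs the vulnerable handler with an oversized buffer and reports what the
 * return-address slot holds afterwards (what RET will load into EIP). */
uint32_t VulnerableReturnAddressAfterOverflow(void)
{
    struct FakeKernelFrame frame;
    uint8_t payload[sizeof(struct FakeKernelFrame)];
    InitFrame(&frame);
    BuildOverflowPayload(payload, sizeof payload);
    StackOverflowVulnerable(&frame, payload, sizeof payload);
    return frame.ReturnAddress;
}

/* Runs the hardened handler with the same buffer; returns its status and
 * writes the (untouched) return address to *ReturnAddressOut. */
uint32_t SecureHandlerOnOversizedInput(uint32_t *ReturnAddressOut)
{
    struct FakeKernelFrame frame;
    uint8_t payload[sizeof(struct FakeKernelFrame)];
    InitFrame(&frame);
    BuildOverflowPayload(payload, sizeof payload);
    uint32_t status = StackOverflowSecure(&frame, payload, sizeof payload);
    *ReturnAddressOut = frame.ReturnAddress;
    return status;
}

int main(void)
{
    uint32_t ra;
    printf("vulnerable: return address after overflow = 0x%08X\n",
           VulnerableReturnAddressAfterOverflow());
    uint32_t status = SecureHandlerOnOversizedInput(&ra);
    printf("secure:     status = 0x%08X, return address = 0x%08X\n", status, ra);
    return 0;
}
```

The two handlers differ only in the length check, which is the whole difference between the vulnerable and secure builds of a driver like this: once Size exceeds the buffer, the bytes that follow the filler are chosen by the caller, and the one placed over the return address becomes EIP.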

Screenshots

1) Help

2) Exploit

3) Driver Debug Print

Source Code

Supported Windows Versions

This driver has been successfully tested on Windows XP SP3 (x86), Windows 2003 SP3 (x86) and Windows 7 SP1 (x86). It should also support Windows 8/8.1 (x86), but that has not been tested yet.

What about exploits?

Exploits are provided with this project. They have been tested on Windows 7 SP1 (x86) and will need tweaking to support other versions of Windows.

Building Driver

  1. Install the Windows Driver Kit
  2. Set %localSymbolServerPath% in Build_HEVD_Secure.bat and Build_HEVD_Vulnerable.bat
  3. Run the appropriate driver builder: Build_HEVD_Secure.bat or Build_HEVD_Vulnerable.bat

Installing Driver

Use OSR Driver Loader to install HackSys Extreme Vulnerable Driver.

TODO

Yes, there are a few more vulnerabilities I want to implement, such as a Use of Uninitialized Variable vulnerability and a Time-Of-Check-To-Time-Of-Use (TOCTOU) vulnerability. Another important one I want to implement is a Memory Disclosure vulnerability, which will help me break KASLR on the Windows 8 variant.

If you have ideas to propose, contact me or raise a feature request/bug report via the GitHub Issue Tracker: https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/issues

Sessions Conducted

Workshops Conducted

Bug Report

Please file any bug report via the GitHub Issue Tracker at the following address: https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/issues

Author

Ashfaq Ansari is working as a Sr. Security Researcher at Payatu Technologies, where he spends his time experimenting with and understanding different attack vectors to exploit Windows user-mode as well as kernel-mode vulnerabilities. He likes fuzzing and is a fanboy of machine learning. He is a computer enthusiast and tries to learn new things.

Ashfaq Ansari

ashfaq[at]payatu[dot]com

@HackSysTeam | Blog | null | Github

Payatu Technologies
http://payatu.com/

Comments ( 5 )


  2. Hi,

    Thank you for your great release. Could you please share the Python exploit code that you used in your Windows Kernel Exploitation workshops (like “stackoverflowgs-1.py”, “aow_kernel_win2k3_cmd.py”, …)? Thank you so much.

    Best Regards,


  4. Hi, I tested the stack overflow. In ring0 the return address is overwritten with the EopPayload address and EIP points to EopPayload,

    but EopPayload is not shellcode; see the following pics. Thank you.

    EopPayload addr
    http://s0ul.tk/xxxxbbbb2ksw/1.png
    http://s0ul.tk/xxxxbbbb2ksw/2.png

    EIP, but not shellcode …
    http://s0ul.tk/xxxxbbbb2ksw/3.png

    • admin_payatu says:

      Hi bigric3,

      Thanks for writing back. EIP holds the address of TokenStealingPayloadWin7 (for the stack overflow). That’s why you do not directly see the EoP payload, but if you follow that JMP instruction as shown in your image, you will see that it slides execution into the EoP payload.

      Please feel free to ask if you have more doubts.

      Thanks.
