During the weekend of 6-8th of July, our CTF team – Dragon Sector – played in an invite-only competition called WCTF, held in Beijing. The other participants were top-tier groups from around the world (e.g. Shellphish, ESPR, LC↯BC or Tokyo Westerns), and the prize pool of the contest was a stunning $100,000 USD. One particularly unique rule of the CTF was that the challenges were prepared by the teams themselves and not the organizers. Each of the 10 teams was obligated to provide two tasks, at least one of which had to run on Windows. This meant that each team could capture a maximum of 18 flags set up by the other teams in the room. In practice, the structure of the contest incentivized submitting extremely difficult and complex challenges. Remote help was allowed, and the scoring system offered first blood bonus points for being the first, second and third team to solve a task. The hacking part of the event was followed by a soft part, where additional points were granted by a jury and the participants for presenting one’s own tasks on stage.

After two days of though competition, we came out as the runner up of the CTF with 6/18 tasks solved, behind the winner – Tokyo Westerns (7/18 tasks):

My contribution to the above result was a flag for the “Searchme” task authored by Eat, Sleep, Pwn, Repeat. It involved the exploitation of an off-by-one buffer overflow of a PagedPool allocation made by a vulnerable kernel driver loaded in Windows 10 64-bit. Shortly after the CTF, the original author (@_niklasb) published the source code of the driver and the corresponding exploit (see niklasb/elgoog on GitHub and discussion on Twitter), which revealed that my solution was partially unintended. Niklas used the off-by-one to corrupt allocation metadata and performed some pool feng-shui to get overlapping pool chunks. On the other hand, I achieved a similar outcome through a data-only attack without touching any pool metadata, which made the overall exploitation process somewhat simpler. I encourage you to closely analyze Niklas’ exploit, and if you’re interested in my approach, follow along.

Beijing JCZ Technology Co., Ltd., mainly focused on the development of laser control system. The company introduced laser marking control system, fly marking control system, rotary marking control system, biaxial parquet marking control system according to the characteristics of laser processing, the common configuration of domestic laser equipment and the common problems in laser processing.

BeiJing JCZ USB Drivers Download. In our share libs contains the list of BeiJing JCZ USB drivers available for download. To download the proper driver by vender name. If not found in our garage driver you need, please contact us, we will help you in time, and updates to our website. Beijing Subway Map free download - Subway Surfers Game Cheats, 3D World Map, Beijing Subway Map, and many more programs.

If you want to jump straight to the exploit code, find it on GitHub.

Initial recon

As a part of the task, we were provided with a 64-bit Windows kernel driver called searchme.sys consuming 14 kB of disk space, and the following description:

<ip> 3389 flag is here: c:flag.txt, User:ctf, password:ctf

When I connected to the remote host via RDP, I could log in as a regular “ctf” user. The searchme.sys driver was loaded in the system, and the desired C:flag.txt file was found on disk, but it couldn’t be read from the security context of the current user, as expected:

At this point, it was quite clear that the goal of the challenge was to exploit a kernel-mode vulnerability in searchme.sys to elevate privileges to administrative or system rights, and then read the flag from the protected file. When I loaded the module in IDA Pro, I quickly learned that it registered a device under DeviceSearchme and handled four IOCTLs using the Buffered I/O communication scheme:

• 0x222000 – allocates an empty object from PagedPool, saves it in a global array and returns its address to the caller,
• 0x222004 – frees a previously allocated object,
• 0x222008 – adds a pair of (char[16], uint32) to an existing object,
• 0x22200C – transforms an existing object of type-0 to type-1 in a one-way, irreversible manner.

As IOCTLs #1 and #2 were trivial, the vulnerability had to lurk somewhere in the implementation of #3 or #4. I briefly reverse-engineered the entire code found in the driver (with the help of Redford and implr) to get a grasp of its functionality, rename symbols and fix data types. It was clear that the driver maintained a hash map associating textual strings with lists of numeric values, and that some type of binary data structure was involved in type-1 objects, but I still didn’t fully understand the underlying purpose of the code (it later turned out to be binary interpolative code). I didn’t observe any obvious vulnerabilities either, but I noticed two suspicious behaviors:

1. In the handling of 0x222008, the driver wouldn’t allow duplicates within the list of integers associated with a string token. However, it only checked the newly added value against the one at the back of the list. For example, a [1,2,2] list wouldn’t be allowed due to the equal consecutive numbers, but [2,1,2] could be created just fine. This seemed especially odd considering that the list was sorted later on when being processed by another IOCTL, potentially nullifying the whole point of the duplicate detection.
2. In nested functions called by the 0x22200C handler, the following code construct was found:

   Assuming that buf_end was the smallest address beyond the valid buffer, this could indicate an off-by-one error, as the comparison should otherwise use the >= operator.

Since following the leads discussed above could be time consuming, I decided to try an easier route and see if I could trigger any crashes through dumb fuzzing. This would allow me to start my analysis from a known bad state, instead of spending time on searching for memory corruption primitives in the first place.

Fuzzing the driver

In the context of fuzzing, it was convenient that the communication interface of the driver was limited to four simple operations. During the development stage, I created several wrapper functions around DeviceIoControl which were later reused in the actual exploit. The fuzzer was very simple in its core – it infinitely invoked one of the IOCTLs with random, but correctly formatted input arguments (token=['aa','bb'], value=[0.9]).

After enabling Special Pool for searchme.sys and starting the fuzzer, it only took a few seconds to see the following crash in WinDbg:

The crash occurred at searchme+0x2628, which belongs to a bit-writing function – the same that contains the suspicious *cur_buf > buf_end comparison. Further analysis and experiments (e.g. fuzzing without Special Pool) confirmed that the overflow was indeed limited to a single byte.

At that moment, a light bulb went off in my head – I had already seen similar code not so long ago! After a quick check, it turned out to be true; the “searchme” task was in fact a slightly modified and recompiled version of elgoog2 from 34C3 a few months ago. The immediate benefit of the discovery was that the “elgoog” task came with debugging symbols, including structure definitions, function names and so on. After doing a bit more recon, I found this tweet, which lead to this short write-up and an exploit from shiki7 from Tea Deliverers. The unintended type confusion bug was patched in “searchme” so the old exploit no longer worked, but it still provided some valuable insight. Additionally, Niklas’ description of the pool buffer overflow in point (1) reinforced my belief that this was the intended bug to be exploited here.

And so, I spent the next hour or two moving the symbols from “elgoog” to my “searchme” IDA database.

Controlling the overflow

Upon looking into the series of commands sent by the fuzzer to trigger the crash, I learned that the overflow was indeed caused by “compressing” (IOCTL 0x22200C) an object containing a token with duplicate entries. Since I could only write one byte beyond the allocated buffer, it was likely that its value would need to be carefully controlled. Even with the help of debug symbols, I was still unsure what data structure was constructed by the code, and hence – how to precisely control its contents.

To avoid wasting time on an in-depth examination of the algorithm, I shamelessly copy-pasted the interpolative_size and write_interpolative functions (together with their dependencies) from the Hex-Rays decompiler to Visual Studio, and wrote a simple brute-force program around it, to test the overflow byte for various random input lists. The gist of the tool boils down to the following:

Depending on the desired value, the length of input_buffer and the range of input numbers can be manipulated. For a simple value of 0x00, the desired effect can be achieved with just five numbers in the [0.9] range:

With the ability to choose the single byte overflowing our allocation, it was time to lift the primitive to a more powerful one.

Data-only pool corruption

Most dynamic allocators used today place metadata in front of the allocated memory chunks, which has historically facilitated a number of generic heap exploitation techniques. On the other hand, it may currently make the exploitation of small overflows difficult, as metadata separates application-specific objects from each other, and it is often subject to extensive integrity checks. It is obligatory to make the following two references here: A Heap of Trouble: Breaking the Linux Kernel SLOB Allocator(Dan Rosenberg, 2012) and The poisoned NUL byte, 2014 edition (Chris Evans and Tavis Ormandy, 2014).

In his intended solution, Niklas also used pool metadata corruption to confuse the kernel pool allocator, and consequently have two distinct objects overlap with each other to achieve a more useful primitive. This is a valid approach, but it requires the exploit writer to be conscious of the inner workings of the allocator, and to precisely set up the pool layout to guarantee reliable exploitation. As a personal preference, I find it easier to attack program-specific objects than internal system structures, so I intuitively started looking for options to solve the challenge this way.

It may be a little known fact that in the Windows kernel, small allocations (fitting into a single memory page) are handled differently than large ones. For somewhat dated but still relevant details, see Kernel Pool Exploitation on Windows 7 (Tarjei Mandt, 2011) and Sheep Year Kernel Heap Fengshui: Spraying in the Big Kids’ Pool (Alex Ionescu, 2014). In this specific case, we are interested in two properties of large pool chunks:

• Metadata is stored separately, so allocations start at page-aligned addresses such as 0xffffa803f5892000.
• The chunks are often adjacent in memory; e.g. two consecutive allocations of size 0x1000 may be mapped to addresses 0xffffa803f5892000 and 0xffffa803f5893000, respectively.

In the vulnerable driver, we can accurately control the size of the overflown chunk up to a size of 0x10000 (16 pages). This is more than enough to allocate two large objects next to each other, and we can even determine the exact pairs of adjacent areas thanks to the fact that the IOCTLs explicitly return the kernel-mode addresses of the created objects. This was successfully confirmed by a simple tool I wrote during the CTF, which created eight 0x2000-byte long indexes and compared their addresses. The output was similar to the following:

As you can see, all objects were in fact mapped next to each other in a continuous block of 0x10000 bytes. If we subsequently free every other object to create “holes” in the pool, and promptly allocate a new chunk of the same size that gets overflown by the driver, the overflow should overlap with the first byte of the adjacent index object. This is illustrated below:

At this point, we should look at the type of information stored in the first byte of the allocation. As it turns out, it is the least significant byte of a 32-bit integer indicating the type of the object (type 0 – regular, type 1 – compressed). The structure of the regular object is defined as shown below:

If the compressed member is non-zero, the layout of the structure is quite different:

Thanks to the fact that the type of the object is either 0x00000000 or 0x00000001, our one-byte overflow enables us to change the type of the object from compressed_index to inverted_index. The type confusion has some handy primitives – in the structures above, we can see that the table pointer at offset 8 overlaps with the items of offsets[0] and offsets[1]. The values in the offsets array are offsets of compressed data relative to the compressed index, and thus they are relatively small. In our testing, they were equal to 0x558 and 0x56C, respectively.

When combined and interpreted as a 64-bit address, these two values form the following pointer: 0x0000056c00000558. It is not a typical address often observed in regular applications, but nevertheless it is a canonical user-mode address that can be mapped by the program using a simple VirtualAlloc call. In other words, the type confusion allows us to redirect a sensitive kernel-mode pointer to user space, and get complete control over the _ii_token_table structure used by the driver.

If we implement the discussed logic in a proof of concept program to change the type of an object from 1 to 0, and then try to add a new (keyword, value) pair to the corrupted index, we should observe the following system crash while searchme.sys tries to dereference memory from 0x0000056c00000558:

Let’s take a closer look at the capabilities provided by the controlled _ii_token_table structure.

Getting a write-what-where condition

Based on the elgoog symbol files, I recovered the prototypes of the _ii_token_table and related _ii_posting_list structures and wrote them down as the following C definitions:

In many ways, the above data structure is similar to a std::map<string, std::vector<unsigned int>> construct in C++. When a program requests that a new (token, value) pair is added to the index, the code iterates through the slots array to find the posting list corresponding to the provided token, and once it’s found, the input value is appended to the list with the following expression:

Considering that the token table is under our control, the _ii_posting_list.size field is 64-bit wide, and we know the base address of the fake posting list, this behavior is trivial to convert to an arbitrary write primitive. First, we declare the fake posting list in static memory with a known name (“fake”) and capacity equal to UINT64_MAX:

Then, we write a function to initialize the fake token table at the special 0x0000056c00000558 address:

Lastly, we add a helper function to trigger the 4-byte write-what-where condition:

With all this in place, we can test that it works:

which should trigger the following exception in the vulnerable driver:

The above crash log doesn’t fully illustrate the “write” operation due to some prior meaningless reads from PostingList.data, but the attack works.

Executing shellcode

At this point, I could write arbitrary kernel memory but not read it, which ruled out the option of data-only attacks performed directly from user-mode. However, with the write-what-where primitive in hand, executing ring-0 shellcode should be just a formality. In this case, it was made even easier thanks to the fact that the exploit was running at Medium integrity, so it had access to the base addresses of kernel modules, and could acquire other useful addresses through the various information classes of NtQuerySystemInformation.

In his Black Hat USA 2017 talk, Morten Schenk proposed that arbitrary write can be used to overwrite kernel function pointers residing in the .data section of win32kbase.sys, and more specifically in the win32kbase!gDxgkInterface table used by graphical syscalls from the NtGdiDdDDI* family. The system call handlers are in fact trivial wrappers around the function pointers, and conveniently don’t corrupt any of the arguments passed through the RCX, RDX, … registers, e.g.:

C-motech modems driver download for windows. DRIVERS C-MOTECH EVDO FOR WINDOWS 8 X64. Usb mobile broadband router. Free driver compuprint sp40. Free driver download official. Spotfire business intelligence, free driver download official shipping. Tes dafa fds free. 3g mobile router 802.11 b,g,n wide-coverage wifi. Wifi repeater signal booster. Ethernet lan drivers windows. V2 audio manager.

Download drivers for modems for free. Operating System Versions: Windows XP, 7, 8, 8.1, 10 (x64, x86) Category: Devices. Subcategory: modems. Popular Drivers. Smartphones TV-tuners webcams other devices. Are you tired of looking for the drivers for your devices? This package installs the software (Conexant Audio Software) to enable the following device. Conexant 20672 SmartAudio HD. Cnxt modems driver download for windows 10. Custom Instructions for CNXTD850Drv2K3A00.exe: Download 1. Click the 'Download Now' link to download the file. If the Export Compliance Disclaimer window appears, click the 'I agree' link to accept the agreement. When the File Download window appears. Select Search automatically for updated driver software. Select Update Driver. If Windows doesn't find a new driver, you can try looking for one on the device manufacturer's website and follow their instructions. Reinstall the device driver. In the search box on the taskbar, enter.

This allows the attacker to invoke arbitrary kernel functions with controlled arguments, and receive the return values. As discussed by Morten, the complete exploitation process consists of just a few simple steps:

1. Overwrite the function pointer with the address of nt!ExAllocatePoolWithTag.
2. Call the routine with the NonPagedPool parameter to allocate writable/executable memory.
3. Write the ring-0 shellcode to the allocated memory.
4. Overwrite the function pointer with the address of the shellcode.
5. Call the shellcode.

The above scheme makes it possible to cleanly execute the desired payload without corrupting the system state (except for the one overwritten pointer). In his paper, Morten suggested the use of NtGdiDdDDICreateAllocation as the proxy syscall, but I found that it was used in Windows sufficiently often that the system would start malfunctioning if the pointer was not promptly fixed up. To make my life a little bit easier, I chose a less frequently used service that seemed to be called exclusively by my exploit: NtGdiDdDDIGetContextSchedulingPriority.

After implementing the logic in code, I could enjoy arbitrary kernel code execution – in this example, a single int3 instruction:

Elevating privileges

In Windows, one of the easier ways of elevating one’s privileges in the system is to “steal” the security token of a system process and copy it to the current process (specifically to EPROCESS.Token). An address of a system process can be found in the static memory of the ntoskrnl.exe image, under nt!PsInitialSystemProcess. As the attack only involves the copying of one pointer between two kernel structures, the shellcode only consists of six instructions:

Getting the flag

Once the security token of the exploit process is replaced, we have full control over the operating system. We can start an elevated command prompt and read the flag:

In summary, after approximately 15 hours of work, the exploit was functional and netted us 120 points + 30 points of a first (and last) blood bonus. Thanks go to Niklas for creating this fun challenge and to WCTF organizers for running the competition. I think the task and its solution neatly illustrate that even today, theoretically minor bugs such as off-by-one overflows on the kernel pool may be conceptually simple to exploit, given the right set of circumstances. Buffer overflow exploitation in Windows is not dead just yet. :)

As a reminder, the full source code of the exploit is available on GitHub.

1,214 drivers total Last updated: Apr 26th 2017, 07:16 GMT RSS Feed

sort by:

Beijing Gda Driver Download For Windows 10 Free

Beijing Gda Driver Download For Windows 10 Laptop

Download For Windows 10 Free