## https://sploitus.com/exploit?id=785EFCE5-6562-5DE7-B851-302E4E192D71
# SMEP & kASLR Bypassing - HEVD x86 Kernel Exploit

---
> ## Environment:
> - x86 [HackSys Extreme Vulnerable Driver (HEVD)](https://github.com/hacksysteam/HackSysExtremeVulnerableDriver)
> - Windows 10 x86 - Build 1703
> - SMEP & kASLR enabled
---
## SMEP Definition
SMEP (Supervisor Mode Execution Prevention) is a CPU security feature that prevents code running in supervisor mode (ring 0) from executing instructions located in user-mode memory pages (ring 3), thereby blocking a common class of kernel exploits.

---
## SMEP Bypass ROP Chain
The gadgets' addresses exist in the kernel address space, within the `nt` module, which is the core Windows kernel executable image loaded from `C:\Windows\System32\ntoskrnl.exe` on boot.

Line 105 in exploit.c shows the SMEP bypass ROP chain:
```c
DWORD ROP[6];
ROP[0] = kernel_base + 0x0002a43a; // pop eax ; ret
ROP[1] = 0x42424242; // Padding
ROP[2] = 0x43434343; // Padding
ROP[3] = 0x000406e9; // New CR4 value (bit 20 = 0)
ROP[4] = kernel_base + 0x0011f8de; // mov cr4, eax ; ret
ROP[5] = shellcode_addr; // Shellcode address
```
### **ROP[0]: `pop eax ; ret`**
- pops the value from top of the stack (ESP) to EAX. We'll use this register in Gadget-3.
- ESP at this point will be pointing to the new CR4 value (ROP[3]).
- `ret` will return to ROP[3].
### **ROP[1] & ROP[2]: Padding**
- Stack alignment/offset padding
### **ROP[3]: CR4 Value with SMEP bit disabled**
- The 20th bit in the CR4 CPU register denotes SMEP protection (1 = SMEP protection enabled; 0 = SMEP disabled).
The screenshot below shows CR4's SMEP bit in WinDbg kernel debugger

- Calculating the proper value by flipping the 20th-bit to 0 and converting to hex:

### **ROP[4]**: `mov cr4, eax ; ret`** (ntoskrnl.exe+0x11f8de)
- Now this gadget is responsible for loading the new CR4 value, held by EAXm to the CR4 register. Effectively disabling SMEP.

### **ROP[5]: Shellcode Address**
- Next we can `ret` to the value on the top of the stack (ESP), which should be shellcode.
- The shellcode is a token-stealing shellcode from SYSTEM PID 4 process, elevating our process (cmd.exe) to SYSTEM.
The shellcode can now be executed by the kernel, which instruct the kernel to copy System process PID 4 token to our cmd process, making our process system process elevating our privileges.
---
> TODO: Kernel Token Stealing Walkthrough