Share
## https://sploitus.com/exploit?id=785EFCE5-6562-5DE7-B851-302E4E192D71
# SMEP & kASLR Bypassing - HEVD x86 Kernel Exploit



![Alt text](images/system.png)

---


> ## Environment:
> - x86 [HackSys Extreme Vulnerable Driver (HEVD)](https://github.com/hacksysteam/HackSysExtremeVulnerableDriver)
> - Windows 10 x86 - Build 1703
> - SMEP & kASLR enabled



---


## SMEP Definition

SMEP (Supervisor Mode Execution Prevention) is a CPU security feature that prevents code running in supervisor mode (ring 0) from executing instructions located in user-mode memory pages (ring 3), thereby blocking a common class of kernel exploits.


![Alt text](images/diagram.png)

---


## SMEP Bypass ROP Chain


The gadgets' addresses exist in the kernel address space, within the `nt` module, which is the core Windows kernel executable image loaded from `C:\Windows\System32\ntoskrnl.exe` on boot.

![Alt text](images/lm2.png)


Line 105 in exploit.c shows the SMEP bypass ROP chain:

```c
DWORD ROP[6];
ROP[0] = kernel_base + 0x0002a43a;    // pop eax ; ret
ROP[1] = 0x42424242;                  // Padding
ROP[2] = 0x43434343;                  // Padding
ROP[3] = 0x000406e9;                  // New CR4 value (bit 20 = 0)
ROP[4] = kernel_base + 0x0011f8de;    // mov cr4, eax ; ret
ROP[5] = shellcode_addr;              // Shellcode address
```


### **ROP[0]: `pop eax ; ret`**
- pops the value from top of the stack (ESP) to EAX. We'll use this register in Gadget-3. 
- ESP at this point will be pointing to the new CR4 value (ROP[3]).
- `ret` will return to ROP[3].


 
### **ROP[1] & ROP[2]: Padding**
  - Stack alignment/offset padding



### **ROP[3]: CR4 Value with SMEP bit disabled**
- The 20th bit in the CR4 CPU register denotes SMEP protection (1 = SMEP protection enabled; 0 = SMEP disabled).
The screenshot below shows CR4's SMEP bit in WinDbg kernel debugger 

  ![Alt text](images/cr4.png)


- Calculating the proper value by flipping the 20th-bit to 0 and converting to hex:
  ![Alt text](images/ipython_2.png) 



### **ROP[4]**: `mov cr4, eax ; ret`** (ntoskrnl.exe+0x11f8de)
- Now this gadget is responsible for loading the new CR4 value, held by EAXm to the CR4 register. Effectively disabling SMEP.

![Alt text](images/7bp.png)



### **ROP[5]: Shellcode Address**
- Next we can `ret` to the value on the top of the stack (ESP), which should be shellcode.
- The shellcode is a token-stealing shellcode from SYSTEM PID 4 process, elevating our process (cmd.exe) to SYSTEM.


The shellcode can now be executed by the kernel, which instruct the kernel to copy System process PID 4 token to our cmd process, making our process system process elevating our privileges.



---



> TODO: Kernel Token Stealing Walkthrough