View Full Version : IOCTL-Proxy


_g_
December 21st, 2008, 13:19
This is a POC of an IOCTL fuzzer. It gave surprisingly good results.

IOCTL-Proxy works by hooking NtDeviceIoControlFile, manipulating its parameters and feeding them to the real function.

Load the driver and simply click around in the application you want to test.

You will get a lot of BSODs, be careful.

PreviousMode==KernelMode is ignored, since we are only interested in calls from UserMode to KernelMode, not Kernel->Kernel.

Get it here:
http://www.orange-bat.com

evilcry
December 22nd, 2008, 01:23
Great work man!
I've also worked on a private tool that hooks DeviceIoControl() and
compiles a list of used IOCTLs (with particular attention to METHOD_NEITHER ones) and fuzzes these with the basic fuzz engine of Kartoffel.

I'll test your tool =)

For Fuzzing People:

Concentrate your attention on METHOD_NEITHER, which, if badly implemented, could allow a remote/local privilege-escalation vulnerability because it fails to adequately sanitize user-supplied input.

Regards,
Giuseppe 'Evilcry' Bonfa'

_g_
December 28th, 2008, 16:03
http://milw0rm.com/exploits/7556

so it works, right?

AFAIR it's only a bad ptr dereference. Check avast!, you should get another nice BSOD, but I haven't dug enough to tell if it's a privilege escalation.
Also, some of the SysInternals tools should BSOD, DebugView/FileMon/RegMon for sure.

WinDbg + VMWare:
http://silverstr.ufies.org/lotr0/windbg-vmware.html

evilcry
December 29th, 2008, 02:23
Hi,

Yeah, it worked fine.

Quote:

Check avast!, you should get another nice BSOD, but I haven't digged enough to tell if it's a privilege escalation.


Yeah, Aavmon4.sys crashes and presents an interesting StackTrace, and seems to BSOD when a scan is launched; the only difficulty is that log.txt is empty, so an APISpy or IDA study is needed to know the faulting IOCTL.

Great tool, man.

PS: VirtualBox crashes as well.

evaluator
December 29th, 2008, 15:10
I don't understand; this is a driver & it can do BSOD + anything.
What is the idea? Maybe you will write more description.

_g_
December 29th, 2008, 15:52
In ring3 applications, triggering an exception can often lead to some kind of exploit.

Exceptions in ring0 can lead to privilege escalation (executing code in the kernel). Of course, an exception in ring0 = BSOD.

This proxy tries to trigger exceptions in drivers by manipulating parameters of DeviceIoControl function, an API that is used by ring3 apps to communicate with ring0 code.
It does that by hooking NtDeviceControl syscall, so all calls from the whole system are "fuzzed".

Hope this answers your question.

evaluator
December 30th, 2008, 01:08
Ah! So it tests drivers, to see if they are badly programmed!?
OK.

evilcry
December 31st, 2008, 03:12
Exactly!
When a driver does not sanitize, or badly sanitizes, user-supplied input, it could crash.

A fuzzer submits a high volume of 'random'/malformed data to check this.

Regards,
Giuseppe 'Evilcry' Bonfa'
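An added example, not part of this thread or of the IOCTL-Proxy tool, tying together Evilcry's METHOD_NEITHER advice and the last exchange: a user-mode C model of the pointer/length validation a METHOD_NEITHER handler must do before touching its raw user buffers, run against the kinds of parameter mutations a hooking proxy feeds a driver. The user/kernel boundary constant, the IOCTL code and the request values are assumed for the model; a real driver would use ProbeForRead/ProbeForWrite inside __try/__except.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed user-mode model, not kernel code. The user/kernel boundary is
 * assumed to be 0x7FFF0000 (MmUserProbeAddress on 32-bit Windows). */
#define USER_PROBE_ADDRESS ((uintptr_t)0x7FFF0000u)
#define METHOD_NEITHER 3u
/* Same checks ProbeForRead/ProbeForWrite apply to a raw user pointer: zero
 * length passes, the address must be aligned, and the whole range must lie
 * below the boundary without wrapping (the __try/__except is not modelled). */
int probe_user_range(uintptr_t addr, size_t len, size_t align) {
    if (len == 0) return 1;
    if (addr % align != 0 || addr >= USER_PROBE_ADDRESS) return 0;
    return len <= USER_PROBE_ADDRESS - addr;   /* overflow-safe end check */
}
struct ioctl_req {   /* what a METHOD_NEITHER handler receives, unvalidated */
    uint32_t code;
    uintptr_t in_buf;  size_t in_len;    /* Type3InputBuffer, InputBufferLength */
    uintptr_t out_buf; size_t out_len;   /* UserBuffer, OutputBufferLength */
};
/* Hardened dispatch: 0 = safe to proceed, -1 = reject (the driver would
 * complete the IRP with STATUS_INVALID_PARAMETER before touching memory). */
int handle_neither_ioctl(const struct ioctl_req *r) {
    if ((r->code & 3u) != METHOD_NEITHER) return -1;
    if (r->in_len < sizeof(uint32_t) || r->out_len < sizeof(uint32_t)) return -1;
    if (!probe_user_range(r->in_buf, r->in_len, sizeof(uint32_t))) return -1;
    if (!probe_user_range(r->out_buf, r->out_len, sizeof(uint32_t))) return -1;
    return 0;
}
/* Constructed mutations of the kind a hooking proxy feeds a driver: kernel
 * pointers, ranges crossing the boundary, wrapping lengths, misaligned buffers.
 * Returns how many of the 8 requests the hardened handler rejects. */
#define MUTATION_COUNT 8
int count_rejected_mutations(void) {
    const uint32_t code = (0x22u << 16) | (0x800u << 2) | METHOD_NEITHER;
    const struct ioctl_req reqs[MUTATION_COUNT] = {
        { code, 0x00400000u, 16, 0x00401000u, 16 },        /* valid baseline   */
        { code, 0x80000000u, 16, 0x00401000u, 16 },        /* kernel input ptr */
        { code, 0xFFFFFFF0u, 32, 0x00401000u, 16 },        /* high input ptr   */
        { code, 0x7FFEFFF0u, 256, 0x00401000u, 16 },       /* crosses boundary */
        { code, 0x00400000u, SIZE_MAX, 0x00401000u, 16 },  /* wrapping length  */
        { code, 0x00400001u, 16, 0x00401000u, 16 },        /* misaligned input */
        { code, 0x00400000u, 2, 0x00401000u, 16 },         /* undersized input */
        { code, 0x00400000u, 16, 0x80000000u, 16 },        /* kernel output ptr*/
    };
    int rejected = 0;
    for (int i = 0; i < MUTATION_COUNT; i++)
        rejected += handle_neither_ioctl(&reqs[i]) != 0;
    return rejected;
}
```

Only the baseline request passes; a handler that skipped these checks would dereference the other seven and, as the thread describes, take the machine down with a BSOD.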