Thread: IOCTL-Proxy

  1. #1

    IOCTL-Proxy

    This is a POC of an IOCTL fuzzer. It gave surprisingly good results.

    IOCTL-Proxy works by hooking NtDeviceIoControlFile, manipulating its parameters and feeding them to the real function.

    Load the driver and simply click around in the application you want to test.

    You will get a lot of BSODs, be careful.

    PreviousMode==KernelMode is ignored, since we are only interested in calls from UserMode to KernelMode, not Kernel->Kernel.

    Get it here:
    http://www.orange-bat.com

  2. #2
    Registered User, Italy (joined Aug 2005)
    Great work man!
    I've also worked on a private tool that hooks DeviceIoControl() and
    compiles a list of used IOCTLs (with particular attention to METHOD_NEITHER ones) and fuzzes these with the basic fuzz engine of Kartoffel.

    I'll test your tool =)

    For Fuzzing People:

    Concentrate your attention on METHOD_NEITHER, which, if badly implemented, could allow a remote/local privilege-escalation vulnerability because the driver fails to adequately sanitize user-supplied input.

    Regards,
    Giuseppe 'Evilcry' Bonfa'

    http://evilcry.netsons.org (Repository)
    http://evilcodecave.blogspot.com
    http://evilcodecave.wordpress.com

  3. #3
    http://milw0rm.com/exploits/7556

    so it works, right?

    AFAIR it's only a bad ptr dereference. Check avast!, you should get another nice BSOD, but I haven't dug enough to tell if it's a privilege escalation.
    Also, some of the SysInternals tools should BSOD, DebugView/FileMon/RegMon for sure.

    WinDbg + VMWare:
    http://silverstr.ufies.org/lotr0/windbg-vmware.html

  4. #4
    Registered User, Italy (joined Aug 2005)
    Hi,

    Yeah it worked fine

    Quote: Check avast!, you should get another nice BSOD, but I haven't dug enough to tell if it's a privilege escalation.
    Yeah, Aavmon4.sys crashes and presents an interesting stack trace, and seems to BSOD when a scan is launched; the only difficulty is that log.txt is empty, so an API spy or IDA study is needed to know the faulting IOCTL..

    Great tool man

    PS: Also VirtualBox crashes
    Last edited by evilcry; December 29th, 2008 at 02:26.


  5. #5
    evaluator (Musician member, joined Sep 2001)
    I didn't understand; this is a driver and it can do BSOD + anything.
    What is the idea? Maybe you will write more of a description.

  6. #6
    In ring3 applications, triggering an exception can often lead to some kind of exploit.

    Exceptions in ring0 can lead to privilege escalation (executing code in the kernel). Of course, an exception in ring0 = BSOD.

    This proxy tries to trigger exceptions in drivers by manipulating parameters of DeviceIoControl function, an API that is used by ring3 apps to communicate with ring0 code.
    It does that by hooking NtDeviceControl syscall, so all calls from the whole system are "fuzzed".

    Hope this answers your question
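
    The mechanism described in posts #1, #2 and #6 (take the parameters of a DeviceIoControl call, mutate the pointers and lengths, hand them to the real function, and give METHOD_NEITHER codes the most attention), as an added C example written for this page. It is not the IOCTL-Proxy or Kartoffel source. It assumes 32-bit x86 Windows addressing (user space below 0x80000000); the vendor IOCTL code, the device name and the sample buffers in main() are constructed placeholders. Instead of hooking NtDeviceIoControlFile in the kernel as the tool does, it issues the mutated calls from user mode through DeviceIoControl, which reaches the same driver dispatch paths; the decoding and mutation logic is portable and runs anywhere.

```c
/* Added example, not IOCTL-Proxy code. Decodes IOCTL control codes and
 * generates the parameter mutations an IOCTL proxy would apply before
 * forwarding the call. Assumes 32-bit x86 Windows (kernel space starts at
 * 0x80000000 without /3GB); device name and IOCTL in main() are placeholders. */
#include <stdint.h>
#include <stdio.h>

/* CTL_CODE layout: [31:16] device type, [15:14] required access,
 * [13:2] function number, [1:0] transfer method. */
enum { METHOD_BUFFERED = 0, METHOD_IN_DIRECT = 1, METHOD_OUT_DIRECT = 2, METHOD_NEITHER = 3 };

uint32_t ctl_code(uint32_t dev, uint32_t fn, uint32_t method, uint32_t access) {
    return (dev << 16) | (access << 14) | (fn << 2) | method;
}
uint32_t ioctl_method(uint32_t code)   { return code & 3u; }
uint32_t ioctl_function(uint32_t code) { return (code >> 2) & 0xFFFu; }
uint32_t ioctl_device(uint32_t code)   { return code >> 16; }

/* Post #2's advice, as a ranking: METHOD_NEITHER hands the driver raw user
 * pointers and lengths; direct I/O delivers the output buffer as an MDL but the
 * driver still interprets the lengths; buffered I/O has the I/O manager copy
 * both buffers, so only length/structure-size bugs remain reachable. */
int fuzz_priority(uint32_t code) {
    switch (ioctl_method(code)) {
    case METHOD_NEITHER:                          return 3;
    case METHOD_IN_DIRECT: case METHOD_OUT_DIRECT: return 2;
    default:                                      return 1;
    }
}

/* What a caller hands to NtDeviceIoControlFile; pointers kept as 32-bit values
 * per the x86 assumption so kernel-address mutations are meaningful. */
typedef struct { uint32_t code, in_ptr, in_len, out_ptr, out_len; } ioctl_call;

typedef enum {
    MUT_IN_PTR_NULL, MUT_IN_PTR_KERNEL, MUT_IN_LEN_ZERO, MUT_IN_LEN_HUGE,
    MUT_OUT_PTR_KERNEL, MUT_OUT_LEN_ZERO, MUT_OUT_LEN_HUGE, MUT_IN_LEN_BITFLIP,
    MUT_COUNT
} mutation;

#define KERNEL_ADDR 0x80000000u  /* first kernel-mode address on 32-bit x86 */

/* xorshift32 so a crashing sequence is reproducible from its seed (seed != 0). */
static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return *s = x;
}

/* Returns a copy of orig with exactly one field mutated; everything else is
 * forwarded unchanged, which is what the proxy does with the real call. */
ioctl_call mutate(const ioctl_call *orig, mutation m, uint32_t *seed) {
    ioctl_call c = *orig;
    switch (m) {
    case MUT_IN_PTR_NULL:    c.in_ptr  = 0;                                 break;
    case MUT_IN_PTR_KERNEL:  c.in_ptr  = KERNEL_ADDR;                       break;
    case MUT_IN_LEN_ZERO:    c.in_len  = 0;                                 break;
    case MUT_IN_LEN_HUGE:    c.in_len  = 0xFFFFFFFFu;                       break;
    case MUT_OUT_PTR_KERNEL: c.out_ptr = KERNEL_ADDR;                       break;
    case MUT_OUT_LEN_ZERO:   c.out_len = 0;                                 break;
    case MUT_OUT_LEN_HUGE:   c.out_len = 0xFFFFFFFFu;                       break;
    case MUT_IN_LEN_BITFLIP: c.in_len ^= 1u << (xorshift32(seed) & 31u);    break;
    default: break;
    }
    return c;
}

#ifdef _WIN32
#include <windows.h>
/* Issue every mutation against an open device. The log line is flushed before
 * the call because, as post #4 found, a BSOD leaves buffered output empty. */
void fuzz_call(HANDLE dev, const ioctl_call *orig, uint32_t seed) {
    for (int m = 0; m < MUT_COUNT; m++) {
        ioctl_call c = mutate(orig, (mutation)m, &seed);
        DWORD ret = 0;
        printf("ioctl %08X mutation %d in=%08X/%u out=%08X/%u -> ", c.code, m,
               c.in_ptr, c.in_len, c.out_ptr, c.out_len);
        fflush(stdout);
        BOOL ok = DeviceIoControl(dev, c.code, (LPVOID)(uintptr_t)c.in_ptr, c.in_len,
                                  (LPVOID)(uintptr_t)c.out_ptr, c.out_len, &ret, NULL);
        printf("%s (err %lu)\n", ok ? "ok" : "fail", GetLastError());
    }
}
#endif

int main(void) {
    /* Constructed sample: a hypothetical vendor device (type 0x8000), function
     * 0x800, METHOD_NEITHER, FILE_ANY_ACCESS. */
    unsigned char in[16] = {0}, out[64];
    ioctl_call call = { ctl_code(0x8000, 0x800, METHOD_NEITHER, 0),
                        (uint32_t)(uintptr_t)in, sizeof in, (uint32_t)(uintptr_t)out, sizeof out };
    uint32_t seed = 0xC0FFEEu;
    printf("IOCTL 0x%08X: device 0x%X function 0x%X method %u priority %d\n",
           (unsigned)call.code, (unsigned)ioctl_device(call.code),
           (unsigned)ioctl_function(call.code), (unsigned)ioctl_method(call.code),
           fuzz_priority(call.code));
    for (int m = 0; m < MUT_COUNT; m++) {
        ioctl_call c = mutate(&call, (mutation)m, &seed);
        printf("  mutation %d: in=%08X/%u out=%08X/%u\n", m, (unsigned)c.in_ptr,
               (unsigned)c.in_len, (unsigned)c.out_ptr, (unsigned)c.out_len);
    }
#ifdef _WIN32
    HANDLE h = CreateFileA("\\\\.\\HypotheticalDevice", GENERIC_READ | GENERIC_WRITE, 0,
                           NULL, OPEN_EXISTING, 0, NULL);  /* placeholder device name */
    if (h != INVALID_HANDLE_VALUE) { fuzz_call(h, &call, seed); CloseHandle(h); }
#endif
    return 0;
}
```

    Run it in a VM with WinDbg attached (post #3's setup); the seed printed with each crash is what lets you replay the exact mutation that took the driver down, which is the information post #4 was missing from log.txt.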

  7. #7
    evaluator (Musician member, joined Sep 2001)
    Ah! So it does something like testing drivers, to see if they are badly programmed!?
    ok

  8. #8
    Registered User, Italy (joined Aug 2005)
    Exactly!
    When a driver does not sanitize, or badly sanitizes, user-supplied input, it could crash.

    A fuzzer submits a high volume of 'random'/malformed data to check for this.

    Regards,
    Giuseppe 'Evilcry' Bonfa'
