
Win 1909 Enterprise socket timeout #9

Open

0xShkk opened this issue Jun 4, 2020 · 14 comments

Comments

@0xShkk

0xShkk commented Jun 4, 2020

Followup on #5 (comment)

@chompie1337
Owner

Hi, how many times have you tried? What is the stop code? Thank you.

@MagicNieh

Hi. My stop code is "overwrote HalpInterruptController pointer, should have execution shortly...", but I didn't get shell.

@0xShkk
Author

0xShkk commented Jun 5, 2020

Hello,

I have tried it like 5 times or so.
Every time the bluescreen was triggered immediately, without the python script giving me any output; it just timed out immediately (because Windows was down, obviously).

BUT I was trying it again just now and discovered that I had accidentally used python version 2.7.18, which forces the described crash reliably.

Windows error code:

KMODE EXCEPTION NOT HANDLED

Sorry for the confusion!

Tried it again then with python3 like 10 times.

Get this result every time:

```
python3 exploit.py -ip 192.168.100.51
[+] found low stub at phys addr 13000!
[+] PML4 at 1aa000
[+] base of HAL heap at fffff7e380000000
[+] found PML4 self-ref entry 162
Traceback (most recent call last):
  File "exploit.py", line 466, in <module>
    do_rce(args.ip, args.port)
  File "exploit.py", line 429, in do_rce
    search_hal_heap(ip, port)
  File "exploit.py", line 325, in search_hal_heap
    phys_addr = get_phys_addr(ip, port, index)
  File "exploit.py", line 262, in get_phys_addr
    pte_buff = read_physmem_primitive(ip, port, pte)
  File "exploit.py", line 206, in read_physmem_primitive
    buff = try_read_physmem_primitive(ip, port, phys_addr)
  File "exploit.py", line 221, in try_read_physmem_primitive
    buff = sock.recv(1000)
socket.timeout: timed out
```

@0xShkk 0xShkk changed the title Win 1909 Enterprise Bluescreen only Win 1909 Enterprise socket timeout Jun 5, 2020
@0xShkk
Author

0xShkk commented Jun 5, 2020

Got a bluescreen now with correct execution (py3).

Win error:

IRQL NOT LESS OR EQUAL

@0xShkk
Author

0xShkk commented Jun 5, 2020

Getting bluescreens reliably now, with the IRQL NOT LESS OR EQUAL error, after the second to fourth execution of exploit.py.

@chompie1337
Owner

> Hi. My stop code is "overwrote HalpInterruptController pointer, should have execution shortly...", but I didn't get shell.

Did you replace the payload like it says in the README?

@MagicNieh

Thank you for your reply. I have reproduced it successfully.

@Stab1el

Stab1el commented Jun 12, 2020

> Thank you for your reply. I have reproduced it successfully.

Could you please show your successful working environment? I got "read primitive failed" on VMware + Win10 1909.

@wanghualei2

Hello, I can't find low_stub. Can you tell me why your code is written this way? Did you study some paper?

@wanghualei2

What is the low stub? Why did you write it this way to get it?

@MagicNieh

> > Thank you for your reply. I have reproduced it successfully.
>
> Could you please show your successful working environment? I got "read primitive failed" on VMware + Win10 1909.

This exploit code has a low success rate. I tried it more than ten times before it succeeded once.

@chompie1337
Owner

Reducing the number of processor cores in the VM increases reliability due to the physical read primitive.

@chompie1337
Owner

chompie1337 commented Jun 17, 2020

> What is the low stub? Why did you write it this way to get it?

I got the idea from Alex Ionescu's research. It is a reliable way to defeat KASLR with only a physical read primitive. It may not be present on all VMs, but I've seen it on most.
Here's the talk; the relevant portion is at 38 minutes:
https://www.youtube.com/watch?v=RSV3f6aEJFY

@wanghualei2

I think your code only succeeds on Win10 with UEFI; I always failed on Win10 with BIOS. Do you have any suggestions?

5 participants