This repository has been archived by the owner on Feb 7, 2019. It is now read-only.

Leaking ref counts for SYSTEM process #2

Open
jdness opened this issue Jul 2, 2016 · 1 comment

Comments

@jdness

jdness commented Jul 2, 2016

Hi, this exploit has been handy to demonstrate local EoP. Thanks for making it available. Unfortunately, it bugchecks after being run ~20 times because it is leaking ref counts. You can repro this by running it in a loop like this:

for /L %x in (1,1,20) do Taihou32.exe

Here's the stack trace:

ChildEBP RetAddr

00 820c7834 82b18e71 nt!RtlpBreakWithStatusInstruction
01 820c7884 82b1996d nt!KiBugCheckDebugBreak+0x1c
02 820c7c48 82b18d10 nt!KeBugCheck2+0x68b
03 820c7c6c 82aa4f22 nt!KeBugCheckEx+0x1e
04 820c7c90 82aa4ed0 nt!ObfDereferenceObjectWithTag+0x4b
05 820c7c98 82c8178c nt!ObfDereferenceObject+0xd
06 820c7cdc 82c82f72 nt!ObpCloseHandleTableEntry+0x21d
07 820c7d0c 82c830ea nt!ObpCloseHandle+0x7f
08 820c7d28 82a7f42a nt!NtClose+0x4e
09 820c7d28 775364f4 nt!KiFastCallEntry+0x12a
0a 0018ecfc 7753491c ntdll!KiFastSystemCallRet
0b 0018ed00 76e0623e ntdll!NtClose+0xc
0c 0018ef9c 76e04b37 kernel32!BasepCheckWinSaferRestrictions+0x71c
0d 0018f5d8 76db2059 kernel32!CreateProcessInternalW+0x1508
0e 0018f610 012f151d kernel32!CreateProcessW+0x2c
WARNING: Stack unwind information not available. Following frames may be wrong.
0f 0018fe58 76e01174 Taihou32+0x151d
10 0018fe64 7754b3f5 kernel32!BaseThreadInitThunk+0xe
11 0018fea4 7754b3c8 ntdll!__RtlUserThreadStart+0x70
12 0018febc 00000000 ntdll!_RtlUserThreadStart+0x1b
0: kd>

Seems to be leaking 2 each execution. A fresh boot that starts at ~40 references therefore bugchecks after 20 executions. Would you mind incrementing ref count to make it more stable? Thanks!

@hfiref0x
Owner

hfiref0x commented Jul 5, 2016

Hello,

Yes, it leaks resources, because the shellcode which steals the system token doesn't dereference EPROCESS objects with ObDereferenceObject. This is exactly how it is implemented in Sednit from APT28. The goal of this project was to show the EXACT exploit, not to fix/improve it. I have no plans to fix anything (I don't even watch this project); however, you can do it yourself.

To do this yourself: find the ObfDereferenceObject pointer as done with PsLookupProcessByProcessId in GetPsLookupProcessByProcessId. Use this pointer on the EPROCESS objects in the StealProcessToken routine: ObfDereferenceObject(SystemProcess) and ObfDereferenceObject(CurrentProcess) after the stealing work is done.
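A user-mode model of the reference discipline described above, added here as an example and not code from the Taihou32 project or from Sednit: `lookup_process_by_id` mirrors the PsLookupProcessByProcessId contract (the returned object carries a reference the caller owns) and `dereference_object` stands in for ObfDereferenceObject. The object layout, the PIDs and the starting count of 40 are constructed assumptions; what the model reproduces is the two-references-per-run arithmetic from the report, and why the balanced variant leaves the count unchanged.

```c
#include <stdio.h>

/* Constructed model of an object-manager reference count (not the real layout). */
typedef struct {
    long pointer_count;   /* stands in for OBJECT_HEADER.PointerCount */
    int  pid;
} MODEL_PROCESS;

/* Two long-lived objects; 40 is the "~40 references" from the report, PIDs are assumed. */
static MODEL_PROCESS g_system  = { 40, 4 };
static MODEL_PROCESS g_current = { 40, 1234 };

/* PsLookupProcessByProcessId contract: on success the caller owns one extra reference. */
static int lookup_process_by_id(int pid, MODEL_PROCESS **out)
{
    MODEL_PROCESS *p = (pid == 4) ? &g_system : (pid == 1234) ? &g_current : NULL;
    if (!p) return -1;
    p->pointer_count++;
    *out = p;
    return 0;
}

/* Stands in for ObfDereferenceObject: gives one reference back. */
static void dereference_object(MODEL_PROCESS *p) { p->pointer_count--; }

/* One execution: look up SYSTEM and the current process, work, then release or forget. */
static void one_run(int balanced)
{
    MODEL_PROCESS *sys, *cur;
    if (lookup_process_by_id(4, &sys) != 0) return;
    if (lookup_process_by_id(1234, &cur) != 0) { dereference_object(sys); return; }
    /* ... work on the two objects happens here ... */
    if (balanced) { dereference_object(cur); dereference_object(sys); }
}

/* Net references left behind by `runs` executions; 0 means the pattern is leak-free. */
static long leaked_after(int runs, int balanced)
{
    long before = g_system.pointer_count + g_current.pointer_count;
    for (int i = 0; i < runs; i++) one_run(balanced);
    return g_system.pointer_count + g_current.pointer_count - before;
}

int main(void)
{
    printf("20 runs without dereference: +%ld refs\n", leaked_after(20, 0));  /* +40 */
    printf("20 runs with dereference:    +%ld refs\n", leaked_after(20, 1));  /* +0 */
    return 0;
}
```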
