First and foremost, I would like to give credit to Rob Fuller, aka Mubix, for the tip on this awesome exploit. Be sure to check out his security blog, Room362. And of course @Ponez for creating the Sysret vulnerability port for Windows.
The Sysret exploit is made possible due to a subtle difference in the way in which Intel processors implement error handling in their version of AMD’s SYSRET instruction. The SYSRET instruction is part of the x86-64 standard defined by AMD. If an operating system is written according to AMD’s spec, but run on Intel hardware, the difference in implementation can be exploited by an attacker to write to arbitrary addresses in the operating system’s memory. Click here for a more detailed description of the Sysret Exploit.
The flaw has already been exploited on 64-bit versions of Microsoft Windows 7, FreeBSD and NetBSD, and there’s a chance Apple’s OS X may also be vulnerable, according to a blog post on Xen.org, the open source community around the Xen virtualization software.
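The following C model is an added illustration, not code from the original post or from the Sysret port it describes: it shows the check an operating system's return-to-user path needs, since both vendors raise #GP when SYSRET is given a non-canonical return address, but AMD raises it after the switch to user mode (CPL3) while Intel raises it while still in kernel mode with the user stack pointer already loaded, so the kernel fault handler would run on a user-controlled stack. The enum names, the vendor model and the `safe_return_to_user` routine are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 canonical-address test for a 48-bit virtual address space:
   bits 63..47 must all be copies of bit 47. */
bool is_canonical(uint64_t addr) {
    uint64_t top = addr >> 47;           /* the 17 upper bits */
    return top == 0 || top == 0x1FFFF;
}

enum cpu_vendor { CPU_AMD, CPU_INTEL };

enum outcome {
    RET_OK,                 /* SYSRET completed, execution continues in user mode */
    FAULT_AT_CPL3,          /* #GP raised after the switch to user mode: a plain user crash */
    FAULT_AT_CPL0_USER_RSP, /* #GP raised in kernel mode with a user-controlled RSP */
    FAULT_ON_KERNEL_STACK   /* fault taken via IRET, handler runs on the kernel stack */
};

/* Model of a kernel that executes SYSRET unconditionally, as an OS written
   strictly to the AMD specification would. user_rip is the return address
   the syscall path places in RCX. */
enum outcome model_sysret(enum cpu_vendor v, uint64_t user_rip) {
    if (is_canonical(user_rip))
        return RET_OK;
    /* Non-canonical RIP: the vendors disagree on *when* #GP is raised. */
    return v == CPU_AMD ? FAULT_AT_CPL3 : FAULT_AT_CPL0_USER_RSP;
}

/* Hardened return path: validate the return address first and take the
   slower IRET route when it is not canonical, so any fault is handled
   while the kernel still owns the stack pointer. */
enum outcome safe_return_to_user(enum cpu_vendor v, uint64_t user_rip) {
    if (!is_canonical(user_rip))
        return FAULT_ON_KERNEL_STACK;
    return model_sysret(v, user_rip);
}

int main(void) {
    uint64_t bad_rip = 0x0000800000000000ULL;   /* constructed non-canonical address */
    printf("AMD,   unchecked SYSRET: %d\n", model_sysret(CPU_AMD, bad_rip));
    printf("Intel, unchecked SYSRET: %d\n", model_sysret(CPU_INTEL, bad_rip));
    printf("Intel, checked return:   %d\n", safe_return_to_user(CPU_INTEL, bad_rip));
    return 0;
}
```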
Using Sysret to Escalate Permissions in Windows 7: Tutorial Overview
This guide will show you how to use the Sysret exploit to escalate your user permissions (essentially bypassing UAC) on a 64-bit, fully patched Windows 7 machine. This exploit works on 64-bit Intel chips, under both Windows and Linux.
Important Note: This tutorial assumes that you either have direct access to the host machine, or have found a way to gain access (e.g., Metasploit).
Update 1: Beware of Explorer.exe
For the purposes of this tutorial, I chose to attach Sysret to a running explorer.exe process. It has been suggested that attaching anything to an open Windows Explorer process can become extremely problematic. I haven’t personally run into any problems; however, I have always just run what I need to run and immediately disconnected/rebooted. I would recommend doing the same thing. If this isn’t an option, I would suggest attaching Sysret to an alternate process.
Step 2: Upload/copy the Sysret executable onto the victim’s computer.
You can do this using a flash drive, via email, etc. If you are remotely connecting to the victim via Meterpreter, use the upload command. Here is a good starter tutorial on Meterpreter’s upload and shell commands.
For this tutorial, I copied the Sysret executable to C:\Test
For the next step, Sysret can either attach itself to a running process, or be used to launch a specific executable.
Step 3: Find a running process for Sysret
Running “TaskList” in the Windows command prompt will show you a list of running processes. I’ve had a lot of success attaching Sysret right to Explorer (in my case, PID 4572).
Step 4: Attach Sysret to Explorer and Escalate Permissions
Now that we know the process ID of Windows Explorer, attaching Sysret to it is a fairly simple process.
Now that Sysret has attached itself to explorer.exe, you should have full administrator rights on your local Windows 7 host. Have fun.
Note: Sysret works on ANY 64-bit host running an Intel chip. You should be able to apply the same principle in this article to escalate permissions on other operating systems.
About Vinny Troia
I started out developing HTML in 1996, and have been involved in web development ever since. The majority of my work is now spent in the security field, but I also try to carve out time for dance music. I'm not as involved as I used to be, but I still like to produce music. Check me out on iTunes or Beatport.