Token Stealing

It has been done before, but its worth covering in detail

We do not believe there is excessive need to elaborate on the importance of access tokens.

MSDN does a pretty good job explaining, and we also believe that if you are reading this now, you already have a pretty clear understanding of what a token is, and of its importance.

To those who still wish to understand its meaning in one line:

An access token is an object associated with a thread or a process which defines the security context of the owner associated with that thread or process, which contains its identity and privileges.

Token harvesting is a topic discussed quite a lot, and has numerous tools out in the wild which can be used quite easily, like internal-monologue by Elad Shamir, or KOH by GhostPack (mostly Will Schroeder and Lee Christensen).

With that being said, we believe that Token Stealing is still one of the most important techniques to demonstrate using BYOVD, since this amazing technique will mostly assist an attacker in a domain environment to connect the local and the domain context.

Tokens stored in the local kernel may be those of a domain user’s context, and as such the ability to steal any token from the kernel opposes not only LPE risks, but also Domain Escalation risks.

To better understand the attack, we have already explained in the previous sections regarding the structure _EX_FAST_REF.

Reminder, the object consists of three members:

1.Pointer to the object

2.Reference counter

3.The value of the token which contains the identity and the privileges of the user

Keeping the members in mind, we know that when elevating a token, we must not change the object it points to, or change the reference counter for that token just like that, both of which will result in BSOD.

Now understanding which value of the tokens structure we would need to steal in order to perform the attack effectively, the following steps become our flow:

1.Locate an EPROCESS structure containing the desired token by PID

2.Jump to the Token member

3.Copy the token object as is to our memory in order to present it programmatically in user mode

4.Locate the target EPROCESS structure for the process we wish to elevate.

5.Jump to the Token member

6.Copy the token object as is to our memory in order to present it programmatically in user mode

7.Modify the target process token object’s value member to that of the source token

8.Cast the object to a new byte array

9.Write that array into the address to the target process token member.

10.Enjoy new privileges.

The code for this attack looks something like this:

The flow explained portrays this code snippet quite clearly.

The only other function worth a mention is RetriveTokenAddress which will return the address of EPROCESS + Token offset for the desired process by PID.

In the pictures above we can see a PowerShell process opened with the user “host” alongside its token information and privileges, in the below pictures we may Kernel Cactus running with system process as a source process, and our PowerShell as a destination process.

After running the Kernel Cactus, we may observe that whilst the PID is the same, the token information and user information have both been edited to NT AUTHORITY\SYSTEM, including all privileges.

As we mentioned before, this technique is effective also for domain users, also allowing the stolen domain user token to perform domain operations using the same token (for example, stealing DA token and adding new user etc.)