ioctlance: detect various vulnerability types in Windows Driver Model (WDM) drivers

IOCTLance

Presented at CODE BLUE 2023, this project titled Enhanced Vulnerability Hunting in WDM Drivers with Symbolic Execution and Taint Analysis introduces IOCTLance, a tool that enhances its capacity to detect various vulnerability types in Windows Driver Model (WDM) drivers. In a comprehensive evaluation involving 104 known vulnerable WDM drivers and 328 unknown ones, IOCTLance successfully unveiled 117 previously unidentified vulnerabilities within 26 distinct drivers. As a result, 41 CVEs were reported, encompassing 25 cases of denial of service, 5 instances of insufficient access control, and 11 examples of elevation of privilege.

Features

Target Vulnerability Types

  • map physical memory
  • controllable process handle
  • buffer overflow
  • null pointer dereference
  • read/write controllable address
  • arbitrary shellcode execution
  • arbitrary wrmsr
  • arbitrary out
  • dangerous file operation

Optional Customizations

  • length limit
  • loop bound
  • total timeout
  • IoControlCode timeout
  • recursion
  • symbolize data section

Build

Docker

git clone https://github.com/zeze-zeze/ioctlance.git
docker build .

Local

[pastacode lang=”markup” message=”” highlight=”” provider=”manual” manual=”dpkg%20–add-architecture%20i386%0Aapt-get%20update%0Aapt-get%20install%20git%20build-essential%20python3%20python3-pip%20python3-dev%20htop%20vim%20sudo%20%5C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20openjdk-8-jdk%20zlib1g%3Ai386%20libtinfo5%3Ai386%20libstdc%2B%2B6%3Ai386%20libgcc1%3Ai386%20%5C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20libc6%3Ai386%20libssl-dev%20nasm%20binutils-multiarch%20qtdeclarative5-dev%20libpixman-1-dev%20%5C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20libglib2.0-dev%20debian-archive-keyring%20debootstrap%20libtool%20libreadline-dev%20cmake%20%5C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20libffi-dev%20libxslt1-dev%20libxml2-dev%0A%0Apip%20install%20angr%3D%3D9.2.18%20ipython%3D%3D8.5.0%20ipdb%3D%3D0.13.9″/]

Use

Copyright (C) 2023 zeze-zeze

Source: https://github.com/zeze-zeze/

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Leave a Reply