StopZilla - The (Almost) Forgotten Vulnerable Driver

https://decoder.cloud/2025/01/09/the-almost-forgotten-vulnerable-driver/ Thank you ❤️
magicsword-io · Jan 10, 2025 · ad94c7e · ad94c7e
1 parent 23108d3
commit ad94c7e
Show file tree

Hide file tree

Showing 2 changed files with 242 additions and 0 deletions.
diff --git a/drivers/8598e4a12eaa945b35365dd2750b9777 b/drivers/8598e4a12eaa945b35365dd2750b9777
diff --git a/yaml/375e8de3-aae4-488d-8273-66744978b45f.yaml b/yaml/375e8de3-aae4-488d-8273-66744978b45f.yaml
@@ -0,0 +1,242 @@
+Id: 375e8de3-aae4-488d-8273-66744978b45f
+Author: decoder
+Created: '2025-01-10'
+MitreID: T1068
+Category: vulnerable driver
+Verified: 'TRUE'
+Commands:
+  Command: sc.exe create szkg64.sys binPath=C:\windows\temp\szkg64.sys type=kernel
+    && sc.exe start szkg64.sys
+  Description: "The StopZilla driver is a forgotten but still exploitable vulnerable\
+    \ driver that allows arbitrary kernel memory writes via unvalidated IOCTLs (0x80002063\
+    \ and 0x8000206F). Attackers can leverage it to escalate privileges, disable LSASS\
+    \ PPL protection, and even modify PreviousMode in _KTHREAD to execute user-mode\
+    \ code as kernel-mode, effectively bypassing security checks. Despite its risks,\
+    \ it remains unblocked by Microsoft\u2019s Driver Block List and many AV/EDR solutions.\
+    \ This driver highlights the persistent threat of forgotten vulnerable drivers\
+    \ still exploitable in modern Windows environments."
+  Usecase: Elevate privileges
+  Privileges: kernel
+  OperatingSystem: Windows 11
+Resources:
+- https://www.greyhathacker.net/?p=1025
+- https://decoder.cloud/2025/01/09/the-almost-forgotten-vulnerable-driver/
+Acknowledgement:
+  Person: ''
+  Handle: ''
+Detection: []
+KnownVulnerableSamples:
+- Filename: ''
+  MD5: 8598e4a12eaa945b35365dd2750b9777
+  SHA1: d7698828cdc3c96cc17fe2d4ff6d93bb0cd355d8
+  SHA256: 6bc0e1c104fac4a8caa4237c7ae181ca11a043a3ee26426aeb7a90dc40281fad
+  Signature: ''
+  Date: ''
+  Publisher: ''
+  Company: iS3 Inc.
+  Description: szkg Device Driver
+  Product: Stopzilla
+  ProductVersion: 5.0.95.0
+  FileVersion: 3.0.24
+  MachineType: AMD64
+  OriginalFilename: szkg64.sys
+  Imphash: f5a9e7716a1b8e1d5f64dfacca5283d0
+  Authentihash:
+    MD5: 392ed92d6a91fa7cd318e2846ce07490
+    SHA1: c516d0e96129086f6096e1e38ae90ed4da736ccb
+    SHA256: 95ca14e045618fb38834d17c5cc176162a29d846c1463b840c9129fb9af47c68
+  RichPEHeaderHash:
+    MD5: 47a1b6291b2b38ecad52872b32e76144
+    SHA1: 1ecb1c14211313369b4a0fffe21905815b091c3f
+    SHA256: 6496d78731fbd793b73e87549d6bfc4935243fcb60e48729009e68cd5dd6927a
+  Sections:
+    .text:
+      Entropy: 6.354741679891764
+      Virtual Size: '0xae45'
+    .rdata:
+      Entropy: 7.004106421562834
+      Virtual Size: '0x1ff4'
+    .data:
+      Entropy: 1.6422573312600202
+      Virtual Size: '0x580'
+    .pdata:
+      Entropy: 4.59640397395735
+      Virtual Size: '0x648'
+    .STL:
+      Entropy: -0.0
+      Virtual Size: '0x20'
+    .CRT:
+      Entropy: 1.3036153750871016
+      Virtual Size: '0x30'
+    PAGE:
+      Entropy: 6.232150847058998
+      Virtual Size: '0xd35'
+    INIT:
+      Entropy: 5.959502553877967
+      Virtual Size: '0xeec'
+    .rsrc:
+      Entropy: 3.315711212378508
+      Virtual Size: '0x398'
+    .reloc:
+      Entropy: 3.582279956777612
+      Virtual Size: '0x212'
+  MagicHeader: 50 45 0 0
+  CreationTimestamp: '2011-09-26 09:16:17'
+  InternalName: Avenger 64
+  Copyright: Copyright (c)2005-2011  iS3 Inc . All rights reserved.
+  Imports:
+  - ntoskrnl.exe
+  ExportedFunctions: ''
+  ImportedFunctions:
+  - ExFreePoolWithTag
+  - ZwQuerySymbolicLinkObject
+  - RtlInitUnicodeString
+  - MmGetSystemRoutineAddress
+  - ZwOpenSymbolicLinkObject
+  - ObQueryNameString
+  - ExAllocatePool
+  - ZwClose
+  - RtlAppendUnicodeStringToString
+  - ObReferenceObjectByHandle
+  - PsGetVersion
+  - ObfDereferenceObject
+  - ZwDeleteKey
+  - RtlDeleteRegistryValue
+  - MmUnmapLockedPages
+  - ExReleaseFastMutex
+  - ExAcquireFastMutex
+  - MmMapLockedPages
+  - PsSetLoadImageNotifyRoutine
+  - ZwReadFile
+  - KeSetEvent
+  - ProbeForWrite
+  - KeInitializeEvent
+  - KeReleaseSpinLock
+  - PsSetCreateProcessNotifyRoutine
+  - IoFreeMdl
+  - ZwQueryDirectoryFile
+  - PsTerminateSystemThread
+  - IoGetCurrentProcess
+  - IofCompleteRequest
+  - KeWaitForSingleObject
+  - PsGetCurrentProcessId
+  - ZwOpenFile
+  - wcsncmp
+  - IoReleaseCancelSpinLock
+  - MmIsNonPagedSystemAddressValid
+  - IoAcquireCancelSpinLock
+  - DbgPrint
+  - ZwOpenKey
+  - KeAcquireSpinLockRaiseToDpc
+  - ExAllocatePoolWithTag
+  - ZwOpenProcess
+  - RtlCopyUnicodeString
+  - swprintf
+  - RtlUpcaseUnicodeChar
+  - tolower
+  - ZwSetInformationFile
+  - IoReuseIrp
+  - IoGetBaseFileSystemDeviceObject
+  - IoGetRelatedDeviceObject
+  - MmBuildMdlForNonPagedPool
+  - ZwCreateFile
+  - IoFreeIrp
+  - IoAllocateIrp
+  - IoAllocateMdl
+  - IofCallDriver
+  - KeBugCheckEx
+  - IoDeleteSymbolicLink
+  - IoRegisterShutdownNotification
+  - IoDeleteDevice
+  - IoUnregisterShutdownNotification
+  - IoCreateSymbolicLink
+  - IoCreateDevice
+  - ZwQueryInformationFile
+  - ZwWriteFile
+  - ZwSetValueKey
+  - ZwEnumerateValueKey
+  - ZwEnumerateKey
+  - PsCreateSystemThread
+  - __chkstk
+  - __C_specific_handler
+  Signatures:
+  - CertificatesInfo: ''
+    SignerInfo: ''
+    Certificates:
+    - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer ,
+        G2
+      ValidFrom: '2007-06-15 00:00:00'
+      ValidTo: '2012-06-14 23:59:59'
+      Signature: 50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233
+      SignatureAlgorithmOID: 1.2.840.113549.1.1.5
+      IsCertificateAuthority: false
+      SerialNumber: 3825d7faf861af9ef490e726b5d65ad5
+      Version: 3
+      TBS:
+        MD5: d6c7684e9aaa508cf268335f83afe040
+        SHA1: 18066d20ad92409c567cdfde745279ff71c75226
+        SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff
+        SHA384: 35c249d6ad0261a6229b2a727067ac6ba32a5d24b30b9249051f748c7735fbe2ec2ef26a702c50df1790fbe32a65aee7
+    - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA
+      ValidFrom: '2003-12-04 00:00:00'
+      ValidTo: '2013-12-03 23:59:59'
+      Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a
+      SignatureAlgorithmOID: 1.2.840.113549.1.1.5
+      IsCertificateAuthority: true
+      SerialNumber: 47bf1995df8d524643f7db6d480d31a4
+      Version: 3
+      TBS:
+        MD5: 518d2ea8a21e879c942d504824ac211c
+        SHA1: 21ce87d827077e61abddf2beba69fde5432ea031
+        SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7
+        SHA384: 53e346bbde23779a5d116cc9d86fdd71c97b1f1b343439f8a11aa1d3c87af63864bb8488a5aeb2d0c26a6a1e0b15f03f
+    - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use
+        at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004
+        CA
+      ValidFrom: '2004-07-16 00:00:00'
+      ValidTo: '2014-07-15 23:59:59'
+      Signature: ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5
+      SignatureAlgorithmOID: 1.2.840.113549.1.1.5
+      IsCertificateAuthority: true
+      SerialNumber: 4191a15a3978dfcf496566381d4c75c2
+      Version: 3
+      TBS:
+        MD5: 41011f8d0e7c7a6408334ca387914c61
+        SHA1: c7fc1727f5b75a6421a1f95c73bbdb23580c48e5
+        SHA256: 88dd3952638ee82738c03168e6fd863fe4eab1059ee5e2926ad8cb587c255dc0
+        SHA384: a00aa5ed457c41e37967882644d63366bae014f03a986576d8514164d7027acf7d0b5e03d764db2558f60db148954459
+    - Subject: C=US, ST=Florida, L=Boynton Beach, O=iS3, Inc., OU=Digital ID Class
+        3 , Microsoft Software Validation v2, OU=Technology, CN=iS3, Inc.
+      ValidFrom: '2009-04-23 00:00:00'
+      ValidTo: '2012-04-22 23:59:59'
+      Signature: 6ba64a9cead5d92fb6f5659b343281f596a8d79f550a5fc7d8f6bffc19132bce36dbbd685da570a5c7ce12a16c503c353e7be570f15e7133bae99cb5e64cfcf044f989345466feb5a0f06713b9aa982786013bcf1a88a9ef5b1dae8aad91838742876eb9014f83d5d037fb93bb2ae06eed0702110f25d00c66ca554fc2b7e73b07b426e1b3c1673c3671c96b421b991bef95f8412c6fa16a4ffe261822d38ec97e63b7890e7f6c7a7105a99664000ebed8ea390d74ef6eb6471fe51d23d5d794bfd111727fb62aa9252b509eadb6dfb300024c17c526fb6cc51682519891a1f785b8188858f77f9c97a0328a89ca049d2617fa6d6e8517a1ba29e888216e4383
+      SignatureAlgorithmOID: 1.2.840.113549.1.1.5
+      IsCertificateAuthority: false
+      SerialNumber: 62cbc29a336a0ac6486b699bddb44775
+      Version: 3
+      TBS:
+        MD5: 444683938e8730c9f041139b55f53200
+        SHA1: 967c2149fe1b6b5e943e379e3eebe6348854257f
+        SHA256: fa40c70ff827045085bc3735824d13649713c5ddcc5b0efe9fa898502ecf3c29
+        SHA384: 688a757994b6a32948f7b8ef5350ffd188785ed7844846c9e22286a8ec80b32bb3f0a16cf20b7f0299140af3174ed584
+    - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
+      ValidFrom: '2006-05-23 17:01:29'
+      ValidTo: '2016-05-23 17:11:29'
+      Signature: 01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665
+      SignatureAlgorithmOID: 1.2.840.113549.1.1.5
+      IsCertificateAuthority: true
+      SerialNumber: 610c120600000000001b
+      Version: 3
+      TBS:
+        MD5: 53c41bc1164e09e0cd1617a5bf913efd
+        SHA1: 93c03aac8951d494ecd5696b1c08658541b18727
+        SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b
+        SHA384: f51d4e75ba638f7314cd59b8d6d45f3b34d35ce6986e9d205cd6f333e8e8d8e9c91f636e6bc84731b6661673f40963d8
+    Signer:
+    - SerialNumber: 62cbc29a336a0ac6486b699bddb44775
+      Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at
+        https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004
+        CA
+      Version: 1
+Tags:
+- szkg64.sys