Exploiting the Windows kernel
By Japneet Singh
Agenda
• An unwelcome Guest!
• Warmup: Windows internals
• Windows kernel attack surface
• Exploit details
An unwelcome Guest!
• Demo components
  • HEVD
  • Exploit executable
Windows internals: Memory layout
• User mode
  • Thread stacks
  • Heaps
  • Mapped modules (EXEs and DLLs)
• Kernel mode
  • Thread stacks
  • Paged and non-paged pools (the heap of kernel mode memory)
  • Mapped modules (Windows kernel, kernel mode DLLs, drivers)
[Diagram, two panels: "When Thread of Process P1 is running" and "When Thread of Process P2 is running". Each panel shows the CPU (privileged instructions vs. non-privileged instructions), memory and I/O devices. The kernel side holds drivers D1 and D2, the paged pool, the non-paged pool and kernel thread stacks; the process side (P1 or P2) holds the EXE, DLL 1, DLL 2, heaps and thread stacks. The kernel side is identical in both panels; only the process side changes.]
Windows internals: System calls
Windows internals: I/O controls (IOCTLs)
• A system call served by a specific driver
• Send messages to a driver, and receive a response
• Each message is assigned a different identifier, unique to that driver
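The identifier in the last bullet is a 32-bit control code with a fixed bit layout, and decoding it tells a reviewer which driver requests use METHOD_NEITHER, the transfer type where the I/O manager does not validate or copy the user buffers and the driver must probe them itself. Added example, not code from the deck or from HEVD; the sample codes below are constructed and `ioctl_encode`/`ioctl_decode` are names chosen here, not Windows APIs (the layout itself is that of the `CTL_CODE` macro).

```c
#include <stdint.h>
#include <stdio.h>

/* Bit layout of a Windows I/O control code, as laid out by the CTL_CODE macro:
 *   bits 31..16  DeviceType      bits 15..14  RequiredAccess
 *   bits 13..2   Function        bits  1..0   TransferType (METHOD_*)
 * The low two bits matter most to a reviewer: METHOD_NEITHER (3) hands raw
 * user-mode pointers to the driver, which has to validate them itself. */
enum { METHOD_BUFFERED = 0, METHOD_IN_DIRECT = 1, METHOD_OUT_DIRECT = 2, METHOD_NEITHER = 3 };
enum { FILE_ANY_ACCESS = 0, FILE_READ_ACCESS = 1, FILE_WRITE_ACCESS = 2 };
#define FILE_DEVICE_UNKNOWN 0x22  /* device type commonly used by third-party drivers */

typedef struct {
    uint32_t device_type, access, function, method;
} ioctl_fields_t;

/* Hypothetical helper mirroring CTL_CODE. */
static uint32_t ioctl_encode(uint32_t device_type, uint32_t function,
                             uint32_t method, uint32_t access) {
    return (device_type << 16) | (access << 14) | (function << 2) | method;
}

/* Hypothetical helper: split a control code back into its four fields. */
static ioctl_fields_t ioctl_decode(uint32_t code) {
    ioctl_fields_t f;
    f.device_type = (code >> 16) & 0xFFFF;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2)  & 0xFFF;
    f.method      =  code        & 0x3;
    return f;
}

/* Flag the transfer type that leaves buffer validation entirely to the driver. */
static int ioctl_is_method_neither(uint32_t code) {
    return ioctl_decode(code).method == METHOD_NEITHER;
}

static const char *method_name(uint32_t m) {
    static const char *names[] = {"METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                  "METHOD_OUT_DIRECT", "METHOD_NEITHER"};
    return names[m & 3];
}

int main(void) {
    /* Constructed sample codes, not taken from any particular driver. */
    const uint32_t samples[] = {
        ioctl_encode(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED,   FILE_ANY_ACCESS),
        ioctl_encode(FILE_DEVICE_UNKNOWN, 0x800, METHOD_NEITHER,    FILE_ANY_ACCESS),
        ioctl_encode(FILE_DEVICE_UNKNOWN, 0x801, METHOD_OUT_DIRECT, FILE_READ_ACCESS),
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        ioctl_fields_t f = ioctl_decode(samples[i]);
        printf("0x%06X  device=0x%X function=0x%03X access=%u %s%s\n",
               samples[i], f.device_type, f.function, f.access, method_name(f.method),
               ioctl_is_method_neither(samples[i]) ? "  <- driver must probe user buffers" : "");
    }
    return 0;
}
```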
Windows internals: Access token
• Every process running on Windows has an associated primary token
• The token consists of
  • User Security Identifier (SID)
  • Group memberships
  • Privileges
  • Etc.
• The token is part of the EPROCESS structure
Windows internals: Heaps/Pools
• Functionality
  • Support an API to allocate/deallocate
  • Track allocated and free memory
  • Handle internal fragmentation
• Troubleshooting aspects
  • Structurally support ways to detect heap/pool corruption
  • Provide debugging aids
• Performance aspects
  • Handle external fragmentation
  • Coalesce adjacent memory areas when memory is freed
Windows kernel attack surface
• GDI APIs
• Device driver IoCtls
• Win32 APIs
Exploit details
• What we want to achieve?
• Use after Free
• Kernel pool spray
• Shellcode execution
• Token stealing
What we want to achieve?
• We want to steal the System token from the System process
• We need to find a vulnerability in a driver
• We need to gain RCE in kernel mode to execute our shellcode, which performs token stealing
• We know of a vulnerable kernel driver which has two vulnerabilities
  • V1 - It allows Use After Free (will see shortly)
  • V2 - It allows us to place a buffer of arbitrary size in kernel mode memory. Contents of the buffer are in our control.
• We exploit vulnerability V2 to place a pointer to our shellcode in kernel memory, and achieve execution of it using vulnerability V1
• Finally the shellcode gets executed and we get System privilege by stealing the System token
• Then we launch cmd.exe as the System user
Use after Free
[Diagram: Step 1: Allocation - PTR points to a Buffer that holds a Callback. Step 2: Free - the Buffer is freed, but PTR still points at it. Step 3: Use - PTR->Callback(); is invoked through the stale pointer.]
(Ab)Use after Free
[Diagram: the same three steps with an extra Step 2.5: Allocate at freed loc - a new Buffer with a chosen Callback is allocated at the freed location, so PTR->Callback(); at Step 3 runs the replacement callback.]
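The two diagrams, as an added user-mode C model that is not code from the deck or from HEVD: a tiny fixed-size slab stands in for the kernel pool, `real_callback` for the object's original callback and `fake_callback` for the replacement object's (all hypothetical names). `demo_vulnerable` walks Steps 1, 2, 2.5 and 3 and shows the stale pointer now calls the replacement; `demo_fixed` applies the standard remedy for this defect, clearing the owning pointer when the object is freed so nothing can be called through it afterwards.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The object from the diagram: a callback pointer plus payload. */
typedef struct {
    void (*callback)(void);
    char  data[56];
} object_t;

/* Tiny slab standing in for one pool bucket: first-fit, and a freed slot keeps
 * its old bytes until someone reallocates it, as a real pool chunk does. */
#define SLOTS 4
static object_t slab[SLOTS];
static int      slot_used[SLOTS];

static object_t *pool_alloc(void) {
    for (int i = 0; i < SLOTS; i++)
        if (!slot_used[i]) { slot_used[i] = 1; return &slab[i]; }
    return NULL;
}
static void pool_free(object_t *o) { slot_used[o - slab] = 0; }

static int real_calls, fake_calls;
static void real_callback(void) { real_calls++; }  /* what the object was created with */
static void fake_callback(void) { fake_calls++; }  /* stands in for "callback to our shellcode" */

static void reset(void) {
    memset(slot_used, 0, sizeof slot_used);
    memset(slab, 0, sizeof slab);
    real_calls = fake_calls = 0;
}

/* Vulnerable pattern: the owner keeps PTR after the object is freed.
 * Returns how many times the replacement callback ran (1 = stale pointer abused). */
int demo_vulnerable(void) {
    reset();
    object_t *ptr = pool_alloc();        /* Step 1: allocation */
    ptr->callback = real_callback;
    pool_free(ptr);                      /* Step 2: free; ptr is now dangling */
    object_t *fake = pool_alloc();       /* Step 2.5: same-sized allocation reuses the slot */
    fake->callback = fake_callback;      /* contents chosen by whoever made this allocation */
    if (fake != ptr) return -1;          /* sanity: the slab really handed back the same chunk */
    ptr->callback();                     /* Step 3: use through the stale pointer */
    return fake_calls;
}

/* Fix: free through the owning pointer and clear it, so no stale reference survives. */
static void pool_free_and_clear(object_t **owner) {
    pool_free(*owner);
    *owner = NULL;
}

/* Same sequence with the fix applied. Returns 0: the replacement is never called. */
int demo_fixed(void) {
    reset();
    object_t *ptr = pool_alloc();
    ptr->callback = real_callback;
    pool_free_and_clear(&ptr);           /* Step 2: free AND drop the reference */
    object_t *fake = pool_alloc();       /* Step 2.5 still happens, the slot is reused */
    if (fake == NULL) return -1;
    fake->callback = fake_callback;
    if (ptr != NULL) ptr->callback();    /* Step 3 is refused: there is nothing to call */
    return fake_calls;
}

int main(void) {
    printf("vulnerable: replacement callback ran %d time(s)\n", demo_vulnerable());
    printf("fixed:      replacement callback ran %d time(s)\n", demo_fixed());
    return 0;
}
```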
Question
• How can we allocate a controlled object at a predetermined location?
Kernel pool spray, a.k.a. grooming
• A - Allocate a large number of objects to remove fragmentation
• B - Allocate a large number of objects to create one big contiguous chunk of allocations
• Create holes in B by deallocating alternate objects in B, to make further allocations deterministic
• Any further allocation of a similar-sized object will land in one of the holes created in B
Pool grooming
Pool grooming: 1st spray
Pool grooming: 2nd spray
Pool grooming: Creating holes
Pool grooming: Filling holes with fake objects
Full sequence of the exploit
• Groom the pool to create holes
• Allocate and free
  • Allocate - the allocation will land in one of the holes
  • Deallocate - now we can place fake objects
• Create fake objects containing a callback pointer to our shellcode
• Place the fake objects
  • Fill all the holes with fake objects
• Trigger the UaF
  • This leads to a callback into our shellcode
• The shellcode performs token stealing
• Now launch cmd.exe using the stolen token
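The grooming steps (spray A, spray B, alternate frees) and the "allocation will land in one of the holes" step of the sequence above, as an added toy model in C that is not code from the deck or the cited paper: a first-fit pool bucket is started from two constructed background-fragmentation patterns, and the model shows that the next same-sized allocation is tied to the prior state without grooming but lands in a hole of B with it. The slot count, noise patterns, spray sizes and all function names are constructed or hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Toy pool bucket for one allocation size: SLOTS equal chunks, first-fit allocation.
 * "Noise" slots stand for chunks owned by unrelated kernel code (constructed patterns). */
#define SLOTS 48
static char in_use[SLOTS];

static int pool_alloc(void) {
    for (int i = 0; i < SLOTS; i++)
        if (!in_use[i]) { in_use[i] = 1; return i; }
    return -1;
}
static void pool_free(int slot) { in_use[slot] = 0; }

static void reset_fragmented(const int *busy, int n) {
    memset(in_use, 0, sizeof in_use);
    for (int k = 0; k < n; k++) in_use[busy[k]] = 1;
}

/* Two constructed background states the bucket might be in when the sequence starts. */
static const int noise1[] = {1, 4, 5, 9, 12, 13, 14, 20};
static const int noise2[] = {0, 1, 2, 7, 8, 15, 16, 17, 23};
#define COUNT(a) (int)(sizeof (a) / sizeof (a)[0])

/* No grooming: the allocation lands in whatever gap comes first, which depends
 * only on the pre-existing fragmentation. */
int victim_slot_ungroomed(const int *busy, int n) {
    reset_fragmented(busy, n);
    return pool_alloc();
}

typedef struct { int b_first, b_last, b_contiguous, victim; } groom_result_t;

/* Grooming as the slides describe it: spray A soaks up the existing gaps, spray B
 * then gets a contiguous run, and freeing every other chunk of B leaves evenly
 * spaced holes that the next same-sized allocation has to fall into. */
groom_result_t victim_slot_groomed(const int *busy, int n, int spray_a, int spray_b) {
    groom_result_t r;
    int b[SLOTS];
    if (spray_b < 2) spray_b = 2;
    if (spray_b > SLOTS) spray_b = SLOTS;
    reset_fragmented(busy, n);
    for (int i = 0; i < spray_a; i++) pool_alloc();          /* A: remove fragmentation */
    for (int i = 0; i < spray_b; i++) b[i] = pool_alloc();   /* B: one big run */
    for (int i = 1; i < spray_b; i += 2) pool_free(b[i]);    /* holes at odd positions of B */
    r.b_first = b[0];
    r.b_last = b[spray_b - 1];
    r.b_contiguous = (r.b_last - r.b_first == spray_b - 1);
    r.victim = pool_alloc();       /* the next same-sized allocation: where does it go? */
    return r;
}

/* 1 if the victim sits on one of the freed (odd) positions inside B's run. */
int lands_in_hole_of_b(groom_result_t r) {
    return r.victim >= r.b_first && r.victim <= r.b_last &&
           (r.victim - r.b_first) % 2 == 1;
}

int main(void) {
    const int *noises[] = {noise1, noise2};
    const int counts[] = {COUNT(noise1), COUNT(noise2)};
    for (int k = 0; k < 2; k++) {
        int u = victim_slot_ungroomed(noises[k], counts[k]);
        groom_result_t g = victim_slot_groomed(noises[k], counts[k], 16, 12);
        printf("noise%d: ungroomed victim at slot %d; groomed B=[%d..%d]%s, victim at %d (%s)\n",
               k + 1, u, g.b_first, g.b_last, g.b_contiguous ? "" : " (gappy)", g.victim,
               lands_in_hole_of_b(g) ? "in a hole of B" : "outside B");
    }
    return 0;
}
```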
Token stealing
• Find the EPROCESS of the System process
• Jump to the token offset in the EPROCESS
• Copy the token privileges into the current process's EPROCESS token
References
• https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
• http://fuzzysecurity.com/tutorials/expDev/19.html
• http://www.mista.nu/research/MANDT-kernelpool-PAPER.pdf
• https://hshrzd.wordpress.com/2017/06/22/starting-with-windows-kernel-exploitation-part-3-stealing-the-access-token/

More Related Content

What's hot

Linux kernel modules
Linux kernel modulesLinux kernel modules
Linux kernel modules
Eddy Reyes
 
Linux internal
Linux internalLinux internal
Linux internal
mcganesh
 
Basic Linux Internals
Basic Linux InternalsBasic Linux Internals
Basic Linux Internals
mukul bhardwaj
 
Optimizing the Design and Implementation of KVM/ARM - SFO17-403
Optimizing the Design and Implementation of KVM/ARM - SFO17-403Optimizing the Design and Implementation of KVM/ARM - SFO17-403
Optimizing the Design and Implementation of KVM/ARM - SFO17-403
Linaro
 
AOS Lab 5: System calls
AOS Lab 5: System callsAOS Lab 5: System calls
AOS Lab 5: System calls
Zubair Nabi
 
Gnubs-pres-foss-cdac-sem
Gnubs-pres-foss-cdac-semGnubs-pres-foss-cdac-sem
Gnubs-pres-foss-cdac-sem
Sagun Baijal
 
LINUX Device Drivers
LINUX Device DriversLINUX Device Drivers
LINUX Device Drivers
Partha Bhattacharya
 
LMG Lightning Talks - SFO17-205
LMG Lightning Talks - SFO17-205LMG Lightning Talks - SFO17-205
LMG Lightning Talks - SFO17-205
Linaro
 
Linuxdd[1]
Linuxdd[1]Linuxdd[1]
Linuxdd[1]
mcganesh
 
brief intro to Linux device drivers
brief intro to Linux device driversbrief intro to Linux device drivers
brief intro to Linux device drivers
Alexandre Moreno
 
Part 01 Linux Kernel Compilation (Ubuntu)
Part 01 Linux Kernel Compilation (Ubuntu)Part 01 Linux Kernel Compilation (Ubuntu)
Part 01 Linux Kernel Compilation (Ubuntu)
Tushar B Kute
 
Kernel Module Programming
Kernel Module ProgrammingKernel Module Programming
Kernel Module Programming
Saurabh Bangad
 
Basic Linux kernel
Basic Linux kernelBasic Linux kernel
Basic Linux kernel
Morteza Nourelahi Alamdari
 
Kernel compilation
Kernel compilationKernel compilation
Kernel compilation
mcganesh
 
Linux Programming
Linux ProgrammingLinux Programming
Kernel modules
Kernel modulesKernel modules
Kernel modules
Elmàgic Àlàâ
 
Linux Internals - Part II
Linux Internals - Part IILinux Internals - Part II
Linux Internals - Part II
Emertxe Information Technologies Pvt Ltd
 
Kernel Configuration and Compilation
Kernel Configuration and CompilationKernel Configuration and Compilation
Kernel Configuration and Compilation
Bud Siddhisena
 
Linux Kernel Tour
Linux Kernel TourLinux Kernel Tour
Linux Kernel Tour
samrat das
 
Kernel module programming
Kernel module programmingKernel module programming
Kernel module programming
Vandana Salve
 

What's hot (20)

Linux kernel modules
Linux kernel modulesLinux kernel modules
Linux kernel modules
 
Linux internal
Linux internalLinux internal
Linux internal
 
Basic Linux Internals
Basic Linux InternalsBasic Linux Internals
Basic Linux Internals
 
Optimizing the Design and Implementation of KVM/ARM - SFO17-403
Optimizing the Design and Implementation of KVM/ARM - SFO17-403Optimizing the Design and Implementation of KVM/ARM - SFO17-403
Optimizing the Design and Implementation of KVM/ARM - SFO17-403
 
AOS Lab 5: System calls
AOS Lab 5: System callsAOS Lab 5: System calls
AOS Lab 5: System calls
 
Gnubs-pres-foss-cdac-sem
Gnubs-pres-foss-cdac-semGnubs-pres-foss-cdac-sem
Gnubs-pres-foss-cdac-sem
 
LINUX Device Drivers
LINUX Device DriversLINUX Device Drivers
LINUX Device Drivers
 
LMG Lightning Talks - SFO17-205
LMG Lightning Talks - SFO17-205LMG Lightning Talks - SFO17-205
LMG Lightning Talks - SFO17-205
 
Linuxdd[1]
Linuxdd[1]Linuxdd[1]
Linuxdd[1]
 
brief intro to Linux device drivers
brief intro to Linux device driversbrief intro to Linux device drivers
brief intro to Linux device drivers
 
Part 01 Linux Kernel Compilation (Ubuntu)
Part 01 Linux Kernel Compilation (Ubuntu)Part 01 Linux Kernel Compilation (Ubuntu)
Part 01 Linux Kernel Compilation (Ubuntu)
 
Kernel Module Programming
Kernel Module ProgrammingKernel Module Programming
Kernel Module Programming
 
Basic Linux kernel
Basic Linux kernelBasic Linux kernel
Basic Linux kernel
 
Kernel compilation
Kernel compilationKernel compilation
Kernel compilation
 
Linux Programming
Linux ProgrammingLinux Programming
Linux Programming
 
Kernel modules
Kernel modulesKernel modules
Kernel modules
 
Linux Internals - Part II
Linux Internals - Part IILinux Internals - Part II
Linux Internals - Part II
 
Kernel Configuration and Compilation
Kernel Configuration and CompilationKernel Configuration and Compilation
Kernel Configuration and Compilation
 
Linux Kernel Tour
Linux Kernel TourLinux Kernel Tour
Linux Kernel Tour
 
Kernel module programming
Kernel module programmingKernel module programming
Kernel module programming
 

Similar to Exploiting the windows kernel

Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2
Luis Grangeia
 
DEF CON 27 - DOUGLAS MCKEE - hvacking understanding the delta between securit...
DEF CON 27 - DOUGLAS MCKEE - hvacking understanding the delta between securit...DEF CON 27 - DOUGLAS MCKEE - hvacking understanding the delta between securit...
DEF CON 27 - DOUGLAS MCKEE - hvacking understanding the delta between securit...
Felipe Prado
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
Royce Davis
 
BlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiledBlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiled
BlueHat Security Conference
 
Signature verification of hibernate snapshot
Signature verification of hibernate snapshotSignature verification of hibernate snapshot
Signature verification of hibernate snapshot
joeylikernel
 
Eusecwest
EusecwestEusecwest
Eusecwest
zynamics GmbH
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
infodox
 
AOS Lab 1: Hello, Linux!
AOS Lab 1: Hello, Linux!AOS Lab 1: Hello, Linux!
AOS Lab 1: Hello, Linux!
Zubair Nabi
 
Deep hooks
Deep hooksDeep hooks
Deep hooks
Yarden Shafir
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
zeroSteiner
 
Embedded Fest 2019. Руслан Биловол. Linux Boot: The Big Bang theory
Embedded Fest 2019. Руслан Биловол. Linux Boot: The Big Bang theoryEmbedded Fest 2019. Руслан Биловол. Linux Boot: The Big Bang theory
Embedded Fest 2019. Руслан Биловол. Linux Boot: The Big Bang theory
EmbeddedFest
 
Hypervisors
HypervisorsHypervisors
Hypervisors
SrikantMishra12
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Sam Bowne
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
enSilo
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
CODE BLUE
 
Bare-metal, Docker Containers, and Virtualization: The Growing Choices for Cl...
Bare-metal, Docker Containers, and Virtualization: The Growing Choices for Cl...Bare-metal, Docker Containers, and Virtualization: The Growing Choices for Cl...
Bare-metal, Docker Containers, and Virtualization: The Growing Choices for Cl...
Odinot Stanislas
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
Luis Grangeia
 
Piratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigationPiratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigation
Priyanka Aash
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
enSilo
 
VMs, Interpreters, JIT
VMs, Interpreters, JITVMs, Interpreters, JIT
VMs, Interpreters, JIT
Marcus Denker
 

Similar to Exploiting the windows kernel (20)

Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2
 
DEF CON 27 - DOUGLAS MCKEE - hvacking understanding the delta between securit...
DEF CON 27 - DOUGLAS MCKEE - hvacking understanding the delta between securit...DEF CON 27 - DOUGLAS MCKEE - hvacking understanding the delta between securit...
DEF CON 27 - DOUGLAS MCKEE - hvacking understanding the delta between securit...
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
 
BlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiledBlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiled
 
Signature verification of hibernate snapshot
Signature verification of hibernate snapshotSignature verification of hibernate snapshot
Signature verification of hibernate snapshot
 
Eusecwest
EusecwestEusecwest
Eusecwest
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
 
AOS Lab 1: Hello, Linux!
AOS Lab 1: Hello, Linux!AOS Lab 1: Hello, Linux!
AOS Lab 1: Hello, Linux!
 
Deep hooks
Deep hooksDeep hooks
Deep hooks
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
Embedded Fest 2019. Руслан Биловол. Linux Boot: The Big Bang theory
Embedded Fest 2019. Руслан Биловол. Linux Boot: The Big Bang theoryEmbedded Fest 2019. Руслан Биловол. Linux Boot: The Big Bang theory
Embedded Fest 2019. Руслан Биловол. Linux Boot: The Big Bang theory
 
Hypervisors
HypervisorsHypervisors
Hypervisors
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
 
Bare-metal, Docker Containers, and Virtualization: The Growing Choices for Cl...
Bare-metal, Docker Containers, and Virtualization: The Growing Choices for Cl...Bare-metal, Docker Containers, and Virtualization: The Growing Choices for Cl...
Bare-metal, Docker Containers, and Virtualization: The Growing Choices for Cl...
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
 
Piratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigationPiratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigation
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
 
VMs, Interpreters, JIT
VMs, Interpreters, JITVMs, Interpreters, JIT
VMs, Interpreters, JIT
 

More from Japneet Singh

Bypassing DEP using ROP
Bypassing DEP using ROPBypassing DEP using ROP
Bypassing DEP using ROP
Japneet Singh
 
Polarbear recent windows 0day
Polarbear   recent windows 0dayPolarbear   recent windows 0day
Polarbear recent windows 0day
Japneet Singh
 
Code signing and trust
Code signing and trustCode signing and trust
Code signing and trust
Japneet Singh
 
Tor the onion router
Tor   the onion routerTor   the onion router
Tor the onion router
Japneet Singh
 
Malware classification using Machine Learning
Malware classification using Machine LearningMalware classification using Machine Learning
Malware classification using Machine Learning
Japneet Singh
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineering
Japneet Singh
 
Advanced persistent threats
Advanced persistent threatsAdvanced persistent threats
Advanced persistent threats
Japneet Singh
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
Japneet Singh
 

More from Japneet Singh (8)

Bypassing DEP using ROP
Bypassing DEP using ROPBypassing DEP using ROP
Bypassing DEP using ROP
 
Polarbear recent windows 0day
Polarbear   recent windows 0dayPolarbear   recent windows 0day
Polarbear recent windows 0day
 
Code signing and trust
Code signing and trustCode signing and trust
Code signing and trust
 
Tor the onion router
Tor   the onion routerTor   the onion router
Tor the onion router
 
Malware classification using Machine Learning
Malware classification using Machine LearningMalware classification using Machine Learning
Malware classification using Machine Learning
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineering
 
Advanced persistent threats
Advanced persistent threatsAdvanced persistent threats
Advanced persistent threats
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 

Recently uploaded

5214-1693458878915-Unit 6 2023 to 2024 academic year assignment (AutoRecovere...
5214-1693458878915-Unit 6 2023 to 2024 academic year assignment (AutoRecovere...5214-1693458878915-Unit 6 2023 to 2024 academic year assignment (AutoRecovere...
5214-1693458878915-Unit 6 2023 to 2024 academic year assignment (AutoRecovere...
ihlasbinance2003
 
CHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECT
CHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECTCHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECT
CHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECT
jpsjournal1
 
ML Based Model for NIDS MSc Updated Presentation.v2.pptx
ML Based Model for NIDS MSc Updated Presentation.v2.pptxML Based Model for NIDS MSc Updated Presentation.v2.pptx
ML Based Model for NIDS MSc Updated Presentation.v2.pptx
JamalHussainArman
 
Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...
Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...
Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...
University of Maribor
 
Heat Resistant Concrete Presentation ppt
Heat Resistant Concrete Presentation pptHeat Resistant Concrete Presentation ppt
Heat Resistant Concrete Presentation ppt
mamunhossenbd75
 
PPT on GRP pipes manufacturing and testing
PPT on GRP pipes manufacturing and testingPPT on GRP pipes manufacturing and testing
PPT on GRP pipes manufacturing and testing
anoopmanoharan2
 
Exception Handling notes in java exception
Exception Handling notes in java exceptionException Handling notes in java exception
Exception Handling notes in java exception
Ratnakar Mikkili
 
DfMAy 2024 - key insights and contributions
DfMAy 2024 - key insights and contributionsDfMAy 2024 - key insights and contributions
DfMAy 2024 - key insights and contributions
gestioneergodomus
 
Generative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of contentGenerative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of content
Hitesh Mohapatra
 
Wearable antenna for antenna applications
Wearable antenna for antenna applicationsWearable antenna for antenna applications
Wearable antenna for antenna applications
Madhumitha Jayaram
 
22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt
KrishnaveniKrishnara1
 
ACEP Magazine edition 4th launched on 05.06.2024
ACEP Magazine edition 4th launched on 05.06.2024ACEP Magazine edition 4th launched on 05.06.2024
ACEP Magazine edition 4th launched on 05.06.2024
Rahul
 
Iron and Steel Technology Roadmap - Towards more sustainable steelmaking.pdf
Iron and Steel Technology Roadmap - Towards more sustainable steelmaking.pdfIron and Steel Technology Roadmap - Towards more sustainable steelmaking.pdf
Iron and Steel Technology Roadmap - Towards more sustainable steelmaking.pdf
RadiNasr
 
132/33KV substation case study Presentation
132/33KV substation case study Presentation132/33KV substation case study Presentation
132/33KV substation case study Presentation
kandramariana6
 
Embedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoringEmbedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoring
IJECEIAES
 
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
thanhdowork
 
Understanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine LearningUnderstanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine Learning
SUTEJAS
 
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student MemberIEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
VICTOR MAESTRE RAMIREZ
 
Question paper of renewable energy sources
Question paper of renewable energy sourcesQuestion paper of renewable energy sources
Question paper of renewable energy sources
mahammadsalmanmech
 
14 Template Contractual Notice - EOT Application
14 Template Contractual Notice - EOT Application14 Template Contractual Notice - EOT Application
14 Template Contractual Notice - EOT Application
SyedAbiiAzazi1
 

Recently uploaded (20)

5214-1693458878915-Unit 6 2023 to 2024 academic year assignment (AutoRecovere...
5214-1693458878915-Unit 6 2023 to 2024 academic year assignment (AutoRecovere...5214-1693458878915-Unit 6 2023 to 2024 academic year assignment (AutoRecovere...
5214-1693458878915-Unit 6 2023 to 2024 academic year assignment (AutoRecovere...
 
CHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECT
CHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECTCHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECT
CHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECT
 
ML Based Model for NIDS MSc Updated Presentation.v2.pptx
ML Based Model for NIDS MSc Updated Presentation.v2.pptxML Based Model for NIDS MSc Updated Presentation.v2.pptx
ML Based Model for NIDS MSc Updated Presentation.v2.pptx
 
Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...
Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...
Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...
 
Heat Resistant Concrete Presentation ppt
Heat Resistant Concrete Presentation pptHeat Resistant Concrete Presentation ppt
Heat Resistant Concrete Presentation ppt
 
PPT on GRP pipes manufacturing and testing
PPT on GRP pipes manufacturing and testingPPT on GRP pipes manufacturing and testing
PPT on GRP pipes manufacturing and testing
 
Exception Handling notes in java exception
Exception Handling notes in java exceptionException Handling notes in java exception
Exception Handling notes in java exception
 
DfMAy 2024 - key insights and contributions
DfMAy 2024 - key insights and contributionsDfMAy 2024 - key insights and contributions
DfMAy 2024 - key insights and contributions
 
Generative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of contentGenerative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of content
 
Wearable antenna for antenna applications
Wearable antenna for antenna applicationsWearable antenna for antenna applications
Wearable antenna for antenna applications
 
22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt
 
ACEP Magazine edition 4th launched on 05.06.2024
ACEP Magazine edition 4th launched on 05.06.2024ACEP Magazine edition 4th launched on 05.06.2024
ACEP Magazine edition 4th launched on 05.06.2024
 
Iron and Steel Technology Roadmap - Towards more sustainable steelmaking.pdf
Iron and Steel Technology Roadmap - Towards more sustainable steelmaking.pdfIron and Steel Technology Roadmap - Towards more sustainable steelmaking.pdf
Iron and Steel Technology Roadmap - Towards more sustainable steelmaking.pdf
 
132/33KV substation case study Presentation
132/33KV substation case study Presentation132/33KV substation case study Presentation
132/33KV substation case study Presentation
 
Embedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoringEmbedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoring
 
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
 
Understanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine LearningUnderstanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine Learning
 
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student MemberIEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
 
Question paper of renewable energy sources
Question paper of renewable energy sourcesQuestion paper of renewable energy sources
Question paper of renewable energy sources
 
14 Template Contractual Notice - EOT Application
14 Template Contractual Notice - EOT Application14 Template Contractual Notice - EOT Application
14 Template Contractual Notice - EOT Application
 

Exploiting the windows kernel

What we want to achieve?
• We want to steal the System token from the System process
• We need arbitrary code execution in kernel mode to run our shellcode, which performs the token stealing
• We know of a vulnerable kernel driver which has two vulnerabilities
• V1 - It allows a Use After Free (will see shortly)
• V2 - It allows us to place a buffer of arbitrary size in kernel mode memory. The contents of the buffer are under our control.
• We exploit V2 to place fake objects containing a pointer to our shellcode in kernel memory, and achieve execution of it using V1
• Finally the shellcode runs and we get System privileges by stealing the System token
• Then we launch cmd.exe as the System user
Use after Free
• Step 1: Allocation - a Buffer containing a Callback pointer is allocated and PTR is set to point at it
• Step 2: Free - the Buffer is freed, but PTR still points at the freed memory
• Step 3: Use - PTR->Callback() is invoked through the dangling pointer
(Ab)Use after Free
• Step 1: Allocation
• Step 2: Free
• Step 2.5: Allocate at the freed location - a Buffer we control, whose Callback field points to our code, takes the place of the freed object
• Step 3: Use - PTR->Callback() now calls our code
Question
• How can we allocate a controlled object at a pre-determined location?
Kernel pool spray aka Grooming
• A - Allocate a large number of objects to fill the existing free chunks and remove fragmentation
• B - Allocate a large number of further objects to create one big contiguous region of allocations
• Create holes in B by deallocating alternate objects in B, to make further allocations deterministic
• Any further allocation of a similarly sized object lands in one of the holes created in B
Pool grooming: Filling holes with fake objects
Full sequence of exploit
• Groom the pool to create holes
• Allocate the UaF object - the allocation lands in one of the holes
• Free it - the driver keeps its stale pointer, and the chunk is free again for our fake objects
• Create fake objects containing a callback pointer to our shellcode
• Fill all the holes with fake objects, so that one of them occupies the freed chunk
• Trigger the UaF - the stale callback pointer now leads to our shellcode
• Shellcode performs token stealing
• Now launch cmd.exe with the stolen token
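The sequence above, as an added runnable illustration written for this page (it is not the deck's exploit and not HEVD's code). The pool is modelled as a fixed-size-slot allocator with a LIFO free list, the object layout and all sizes are assumptions, the `drv_*` functions are hypothetical stand-ins for the driver's IOCTL handlers, and the token-stealing shellcode is replaced by a counter. It shows why freeing every other sprayed object makes the UaF object land in a hole, and why every hole has to be refilled afterwards so that the fake callback ends up where the stale pointer expects it:

```c
#include <stdio.h>
#include <string.h>

/* Toy pool: fixed-size slots handed out from a LIFO free list, so a freed
 * slot is reused by the next allocation of that size. This mimics the
 * same-size-chunk reuse the groom relies on; the real kernel pool is more
 * complex. The pool model and all sizes here are constructed for the example. */
#define SLOTS    64
#define OBJ_SIZE 0x58

typedef union { void *align; unsigned char bytes[OBJ_SIZE]; } slot_t;

static slot_t pool[SLOTS];
static int    free_stack[SLOTS];
static int    free_top;

static void pool_init(void)
{
    free_top = 0;
    for (int i = SLOTS - 1; i >= 0; i--)
        free_stack[free_top++] = i;            /* slot 0 is handed out first */
}
static void *pool_alloc(void) { return free_top ? pool[free_stack[--free_top]].bytes : NULL; }
static int   slot_index(const void *p) { return (int)((const slot_t *)p - pool); }
static void  pool_free(void *p) { free_stack[free_top++] = slot_index(p); }

/* Object shape from the UaF slides: a callback pointer plus a buffer.
 * The field layout is an assumption for the model, not HEVD's. */
typedef struct {
    void (*callback)(void);
    unsigned char buffer[OBJ_SIZE - sizeof(void (*)(void))];
} uaf_object_t;

static uaf_object_t *g_uaf_object;             /* the driver's global pointer */
static int g_legit_calls, g_shellcode_calls;

static void legit_callback(void) { g_legit_calls++; }
static void fake_shellcode(void)  { g_shellcode_calls++; }  /* stands in for token stealing */

/* V1 (hypothetical stand-ins for the driver's IOCTL handlers):
 * allocate, free without clearing the pointer, use through the stale pointer */
static void drv_allocate_uaf_object(void)
{
    g_uaf_object = pool_alloc();
    g_uaf_object->callback = legit_callback;
    memset(g_uaf_object->buffer, 'A', sizeof g_uaf_object->buffer);
}
static void drv_free_uaf_object(void) { pool_free(g_uaf_object); /* bug: not NULLed */ }
static void drv_use_uaf_object(void)  { g_uaf_object->callback(); }

/* V2: copy a caller-supplied buffer into a pool chunk of the same size */
static void *drv_allocate_fake_object(const void *src, size_t len)
{
    void *p = pool_alloc();
    memcpy(p, src, len);
    return p;
}

/* The sequence from the "Full sequence of exploit" slide. Returns how many
 * fake objects were placed before one landed on the freed UaF chunk, or -1
 * if the shellcode did not run exactly once. */
static int run_exploit(void)
{
    void *spray[32];
    uaf_object_t fake;
    int uaf_idx, hit = -1;

    pool_init();
    g_legit_calls = g_shellcode_calls = 0;

    /* groom: spray, then punch holes by freeing every other object */
    for (int i = 0; i < 32; i++) spray[i] = pool_alloc();
    for (int i = 0; i < 32; i += 2) pool_free(spray[i]);

    /* the vulnerable object lands in one of the holes; free it again */
    drv_allocate_uaf_object();
    uaf_idx = slot_index(g_uaf_object);
    drv_free_uaf_object();

    /* fill every hole with a fake object whose callback is our shellcode */
    memset(&fake, 0, sizeof fake);
    fake.callback = fake_shellcode;
    for (int i = 0; i < 16; i++)
        if (slot_index(drv_allocate_fake_object(&fake, sizeof fake)) == uaf_idx)
            hit = i + 1;

    drv_use_uaf_object();                      /* trigger: PTR->Callback() */
    return g_shellcode_calls == 1 ? hit : -1;
}

int main(void)
{
    printf("shellcode ran after %d fake object(s)\n", run_exploit());
    return 0;
}
```

Build with `cc -o uaf uaf.c`; the number printed is how many fake objects had to be placed before one covered the freed chunk. Against a real pool you do not know which hole the UaF object took, which is why the exploit fills all of the holes rather than making a single allocation after the free.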
Token stealing
• Find the EPROCESS of the System process (PID 4) by walking the ActiveProcessLinks list from the current EPROCESS
• Jump to the Token offset in that EPROCESS
• Copy the System Token pointer over the Token field of the current process's EPROCESS, so our process now runs with the System token
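The three steps above as an added example in C that runs in user mode against a constructed process list (this is not the deck's shellcode and touches no real kernel memory). The `EPROCESS` layout, the PIDs and the token values are assumptions; the list walk and the pointer copy are the same operations the x64 shellcode in the referenced tutorials performs with build-specific offsets:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The three EPROCESS fields the shellcode touches. Real offsets differ per
 * Windows build and are read from symbols (WinDbg: dt nt!_EPROCESS); this
 * layout is an assumption for the model, not any real build's. */
typedef struct list_entry { struct list_entry *Flink, *Blink; } LIST_ENTRY;

typedef struct {
    uint64_t   UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;   /* circular list linking every EPROCESS */
    uint64_t   Token;                /* EX_FAST_REF: pointer with refcount in low bits */
} EPROCESS;

#define SYSTEM_PID       4
#define EX_FAST_REF_BITS 0xF         /* 4 refcount bits on x64 (3 on x86) */

/* CONTAINING_RECORD: the "subtract the ActiveProcessLinks offset" step */
static EPROCESS *from_links(LIST_ENTRY *e)
{
    return (EPROCESS *)((char *)e - offsetof(EPROCESS, ActiveProcessLinks));
}

/* Walk Flink from the current process until UniqueProcessId matches,
 * stopping if we get back to where we started. */
static EPROCESS *find_process(EPROCESS *current, uint64_t pid)
{
    EPROCESS *p = current;
    do {
        if (p->UniqueProcessId == pid)
            return p;
        p = from_links(p->ActiveProcessLinks.Flink);
    } while (p != current);
    return NULL;
}

/* Overwrite our Token field with System's. Public shellcode commonly clears
 * the EX_FAST_REF count bits before the write; this model does the same. */
static int steal_system_token(EPROCESS *current)
{
    EPROCESS *sys = find_process(current, SYSTEM_PID);
    if (sys == NULL)
        return 0;
    current->Token = sys->Token & ~(uint64_t)EX_FAST_REF_BITS;
    return 1;
}

/* Constructed process list for the demo: System (4) -> smss (300) -> us (1234).
 * Token values are fake kernel addresses with a non-zero refcount. */
static EPROCESS g_procs[3];

static void build_list(void)
{
    static const uint64_t pids[3]   = { SYSTEM_PID, 300, 1234 };
    static const uint64_t tokens[3] = { 0xFFFFC00000010003ULL,
                                        0xFFFFC00000020002ULL,
                                        0xFFFFC00000030001ULL };
    for (int i = 0; i < 3; i++) {
        g_procs[i].UniqueProcessId = pids[i];
        g_procs[i].Token = tokens[i];
        g_procs[i].ActiveProcessLinks.Flink = &g_procs[(i + 1) % 3].ActiveProcessLinks;
        g_procs[i].ActiveProcessLinks.Blink = &g_procs[(i + 2) % 3].ActiveProcessLinks;
    }
}

/* Run the steal from "our" process and return its Token afterwards. */
static uint64_t demo_stolen_token(void)
{
    build_list();
    steal_system_token(&g_procs[2]);
    return g_procs[2].Token;
}

int main(void)
{
    printf("our token before: %#llx\n", (unsigned long long)0xFFFFC00000030001ULL);
    printf("our token after:  %#llx\n", (unsigned long long)demo_stolen_token());
    return 0;
}
```

The real shellcode first reaches the current EPROCESS from the current KTHREAD (gs:[0x188] on x64) and then uses the target build's actual offsets; this model starts from the EPROCESS directly. Take the offsets from the target's symbols rather than hard-coding them, since they move between builds.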
References
• https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
• http://fuzzysecurity.com/tutorials/expDev/19.html
• http://www.mista.nu/research/MANDT-kernelpool-PAPER.pdf
• https://hshrzd.wordpress.com/2017/06/22/starting-with-windows-kernel-exploitation-part-3-stealing-the-access-token/

Editor's Notes

  1. User mode accesses system functionality through system calls
  2. Use after Free: allocate an object (a global object which has a callback pointer); deallocate the object (it is freed, but the pointer is not set to NULL); use the object (the callback is invoked through the stale pointer)