SlideShare a Scribd company logo
FROM KERNEL ESCAPE TO SYSTEM CALC
This Time Font
hunt you down
in 4 bytes!
@zer0mem@promised_lu
一步一步
TTF
 what ?
 Pinging TTF
 Different
 start to play
 wild overflow
TECHNIQUE
 data to kernel
 bitmap wants to help!
 bit of math instead write-what
 ruling of bitmap!
 x64, KASLR, NX, SMEP, SMAP, CFG
 echo from the past
 have we problems, security ?
#whoarewe [ KEEN TEAM ]
 We are doing sec research
 We like challenges & security
 pwn2own 2013 / 2014 / 2015
 actively contributing to geek community
 working with project zero
 cve / techs / blog / tools / codes / conferences
 GeekPwn organizer
 #shanghai #beijing
Practical Example
NoSuchCon :
http://www.slideshare.net/PeterHlavaty/
attack-on-the-core
SyScan :
http://www.slideshare.net/PeterHlavaty/
back-to-the-core
http://www.nosuchcon.org/ https://syscan.org/ https://www.syscan360.org/
we were talking before of some issues in kernel … … this time we will show it in practice
TTF, what is that ?
TRUE TYPE FORMAT
TrueType is an outline font standard developed
by Apple and Microsoft in the late 1980s as a
competitor to Adobe's Type 1 fonts used in
PostScript. It has become the most common
format for fonts on both the Mac
OS and Microsoft Windows operating systems.
The primary strength of TrueType was originally
that it offered font developers a high degree of
control over precisely how their fonts are
displayed, right down to particular pixels, at
various font sizes. With widely
varying rendering technologies in use today,
pixel-level control is no longer certain in a
TrueType font.
…
THIS TOOL (IS) FABULOUS
Offers VM, where in certain conditions you can
with your controlled VM instructions achieve :
◦ READ
◦ WRITE
In certain scenario it offers boosting
surrounding structures in the same pool, what
can leads to :
◦ READ
◦ WRITE
+ some other offering in certain conditions
Ok that was .. lazy [ background ]
Nice internals in attackers perspective :
https://cansecwest.com/slides/2013/Analysis%20of%20a%20Windows%20Kernel%20Vuln.pdf
Fuzzing fonts, structure info .. :
https://digteam.github.io/assets/tocttou.pdf
https://media.blackhat.com/us-13/US-13-Chan-Smashing-The-Font-Scaler-Engine-in-Windows-
Kernel-Slides.pdf
Pinging TTF
January meeting
about pwn2own
February decided we will
go after our TTF bugs
March pwn2own, 2 kernel
escapes to system calcs
 building novel TTF fuzzer (@promised_lu)
 let fuzzer run for 3 weeks
 3 *exploitable* bugs discovered at that period
 3-4 weeks for 2 kernel escapes by TTF
 more bugs discovered waiting for review now
This time bit different
TTF from the past
 Bug to modify state of virtual machine
 Using VM instructions to pwn kernel
this TTF
 Bug in building state of VM
 Sequence of instruction (4b) to trigger bug
 No more control from VM :
Shall we play a game ?
#tools & #materials
You will need to parse TTF : TTX
You will need to understand format
to build your own parser / update-er :
View it in human quick & understandable way :
FarManager / ConEmu & plugins
https://pypi.python.org/pypi/FontTools & https://github.com/behdad/fonttools/ http://www.farmanager.com/ https://twitter.com/ConEmuMaximus5
http://www.microsoft.com/typography/otspec/otff.htm
Minimize your problem!
1. As you got crash, problem can be
everywhere
2. Build parsing tools (or use existing ones)
3. Kick all part what is not necessary from
TTF out
4. Start working on minimalized TTF
https://media.blackhat.com/us-13/US-13-Chan-Smashing-The-Font-Scaler-Engine-in-Windows-Kernel-Slides.pdf
gotcha! Wild Overflow
 finally we got root cause!
 Only XX pages to be overflowing in
 need to alter XX pages in kernel pool without crash ?!
No interaction from VM is possible anymore
Take it easy ?!
x64
 got overflow
 Must control data after
 x64 introduce a lot of gaps
 Spraying as was used before is
ineffective
 But …
 …not in the same pool
http://www.alex-ionescu.com/?p=246
Look at your pool
Conditional breakpoint command on ExAllocatePool-0x21 on big allocs & results
controlled size & at byte level
Big Pools
RANDOMIZATION
 Not at big pools
 Making controlled holes at will
 Precise pool layout
SPRAYING
 still highly effective inside targeted pool
 if you know base of pool, you can hardcode
 kmalloc & kfree at your will
wild overflow is no problem anymore!
By Design #1 [ overflows ]
1. Do pool layout
I. spray bitmaps
II. create hole for ttf
2. No PAGE_NOACCESS interaction to care about
3. No crash anymore
4. More complicated when randomization in place, but .. doable ..
http://www.slideshare.net/PeterHlavaty/overflow-48573748
write (overflow) – what ? ... N O !
 follow right path at right
moment
 control output of math
operation - to some extent
going to be complicated ?
You need to
go trough some
math, semi -
controlled write-what
meet some
conditions to write-
semi-what
control kernel
memory
*must* to use
_gre_bitmap header
member!
By Design #2 [ SMAP betrayal ]
Controlled data in kernel, bitmap is just an example! Look more, you will find more …
https://msdn.microsoft.com
win32k!
_GRE_BITMAP
Session Pool
kmalloc – CreateBitmap
kfree – DeleteObject
Controlled – {Set/Get}BitmapBits
Known-PLAIN-state header!
By Design #3 [ plain state, ptr ?! ]
*PLAIN*
header
&buffer
size&lock
feature 1 : user data : kernel data == 1:1
◦ by design #2
feature 2 : *plain* headers [ in general ]
◦ Properties : size, width, height, …
◦ Pointer to buffers
◦ Pointer to function or ‘vtable’
◦ Pointer to another member struct : lock, …
Consequences :
◦ From user mode I know content of header (size, ..)
◦ I can guess content of header (pointers – base, gran)
◦ I can manipulate it if I have tool to do it [our case]
◦ I can use it when it is necessary [our case]
http://www.slideshare.net/PeterHlavaty/attack-on-the-core
Stage #1 [ overflow ]
 What we do :
 Math-calc based overflow
 In right conditions is something
somehow rewritten
 We can rewrite size
 But then we also rewrite Lock
 What we get :
 size is bigger (but still small!)
 Lock - DWORD part is corrupted!
Stage #2 [ full kernel IO ]
* Sometimes getting more tricky
due to more complicated overflow
in our case we need 3 bitmaps
idea is similar ...
 What we do :
 spray, &Lock ptr points to
accessible memory
 SetBitmapBits to boost followed
bitmap size to ~0
 What we get* :
 FULL KERNEL IO
 {Set/Get}BitmapBits at the
second bitmap
wrap up
Wild
overflow
semi-control
overflowing
bytes
Kernel
memory
(part of it)
control
Bug under
control
Full kernel
IO achieved
what now ?
Era of security features ? X64, KASLR, NX, SMAP, SMEP, CFI ?!
Kernel security …
X64 – virtual address space
KASLR – modules
NX – ExAllocatePool nonexec by default
SMEP – no easy exec anymore +-
SMAP – hopefully SOON
CFI – by control flow guard implementation, hopefully SOON
http://www.slideshare.net/PeterHlavaty/guardians-ofyourcode
KASLR
 Randomization of module
addresses
 Randomization of pool addresses
 When you do not know where
your target is then is hard to attack
By Design #4 [ full kernel IO ]
Touching invalid memory ?
[ x64 VAS > PAS ]
Kernel memory layout ?
[ KASLR ]
Leak pointer chain to valid module :
◦ Info-leak bug
◦ _sidt / _sgdt
Turn your bug to pool overflow
◦ misuse object on the pool
* Or use old know technique *
Echo from the past [ wtf ?! ]
 _sidt & _sgdt from wow64 does not leak
 I was lazy to invent new method for second TTF
 Wait, hmm, there was something years ago ..
 I was sure it is fixed already, but worth to check
 Leaking Session Pool objects, problem bro ?
https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_Slides.pdf
gSharedInfo
Echo from the past [ implementation ]
Are we done ?
> Yeah, poping system calcs … but we want kernel EXEC!
Design (#3) strikes back [ plain ptr ]
some good function pointers at windows kernel are free to overwrite!
◦ we skip some good candidates like HalDispatchTable to pinpoint some different …
SMEP
 X86_CR4_SMEP
 Execute user mode code with
kernel mode privileges results in
BSOD
 Previously heavily used as
exploitation shortcut
‘SMAP’
 X86_CR4_SMAP
 In syscall user pass arguments as
well
 Those arguments have to be
readed
 No unified method for read /
write those inputs is problem for
enabling SMAP
NonExec
 Code is special case of data
 If creating data with EXEC
 any data shipped from user mode
to kernel can be executed
 Unless NonPagedPoolNx
take place at ExAllocatePool
SMAP -> SMEP ?
 { ‘by design #2’ + ‘echo’ / overflow } bypass SMAP
 Page Tables to bypass NonExec & SMEP ?
 Lets say some additional protection
 HyperVisor solution – EPT, TrustZone , …
Page Table attack
VadPwn &
PageTablePwn boost
https://labs.mwrinfosecurity.com/blog/2014/08/15/
windows-8-kernel-memory-protections-bypass/
http://www.slideshare.net/PeterHlavaty/back-to-the-core
Insection:
AWEsome ...
http://www.alex-ionescu.com/?cat=2 - intro
ExAllocatePool
We need to get RWE memory
OK, lets allocate it!
* remember we have kernel IO !!
Flags problem, it must be RWE memory !
Address problem, how to leak it back to user ?
Window tricking [ that’s a cheat! ]
There we go, some magic function again
Working with window handles
writeable ‘vtable’
‘Unused’ function pointers there
Returning output back to user
Lets mess little bit with logic!
provide window pointer as ExAllocatePool flags ?
Ensure that window pointer can act as writable & executable flag ;)
WINDOW
handle (user argument)
WINDOW
pointer (kernel argument)
output returned to user
that must be nasty …
http://www.slideshare.net/PeterHlavaty/vulnerability-desing-patterns
Control Flow
Guard
 Indirect calls check
 in kernel mode not so widely used
yet, hopefully will be … soon …
 bitmap & registered functions
Control Flow Guard [ FDA ]
 It covers old way of thinking
 Good for mitigating ROP to some extent
 CFG-bitmap does not care about integrity of objects
 Function-Driven-Attack prone
 FDA is more complicated than ROP but nice way
 You will searching for vfgadgets instead of rop-gadgets
 realize that for now we used function driven attack only (exallocatepool + window tricking) !
http://syssec.rub.de/media/emma/veroeffentlichungen/2015/04/13/COOP-Oakland15_1.pdf http://www.slideshare.net/PeterHlavaty/back-to-the-core
By Design #4 [ CF stack please ]
http://www.slideshare.net/PeterHlavaty/back-to-the-core
 We have just one stack
 Data & Control Flow mixed
 any RW instruction can touch stack
… what CFI we are talking about ? …
Stack hooking
Get address of
stack of your
kernel thread
Use write-where-
what primitive
(kernel IO) to it
Just now, you did
stack hooking of
you own stack
CFI bypassed by
design!
kernelIO.Write(own_stack, own_driver_ep)
poping calcs #2 – d’art
btw. Did you spot something ?
1bit-flip to kernel pwn ?
Any problem here ? [ aftermath ]
pwn2own – recon => XX - days
we found it in 3weeks – for *security* and fun
Other guys spending much more time at TTF, most likely not for fun nor for security
After we got bug under control, we spent 1-2days with executing it
Additional few days with design - d’art 
Exploitation technique ? Nope, it is package of design features.. OS design is bit old ?
Known security issues persist *PUBLIC* for 4+ years
https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf - as a recent example ?
10.24.2015
Pick a device, name your own challenge!
INTERNS WANTED! WE ARE HIRING! :)
@K33nTeam
hr (at) keencloudtech.com
Q & A

More Related Content

What's hot

MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) Exploitation
Angel Boy
 
Anatomy of the loadable kernel module (lkm)
Anatomy of the loadable kernel module (lkm)Anatomy of the loadable kernel module (lkm)
Anatomy of the loadable kernel module (lkm)
Adrian Huang
 
Execution
ExecutionExecution
Execution
Angel Boy
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaion
Angel Boy
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledge
Angel Boy
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend Programing
Angel Boy
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
Will Schroeder
 
Slab Allocator in Linux Kernel
Slab Allocator in Linux KernelSlab Allocator in Linux Kernel
Slab Allocator in Linux Kernel
Adrian Huang
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談
hackstuff
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File System
Adrian Huang
 
Understanding of linux kernel memory model
Understanding of linux kernel memory modelUnderstanding of linux kernel memory model
Understanding of linux kernel memory model
SeongJae Park
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)
Angel Boy
 
Linux Performance Tools 2014
Linux Performance Tools 2014Linux Performance Tools 2014
Linux Performance Tools 2014
Brendan Gregg
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit Technique
Angel Boy
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation
Angel Boy
 
malloc & vmalloc in Linux
malloc & vmalloc in Linuxmalloc & vmalloc in Linux
malloc & vmalloc in Linux
Adrian Huang
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
Will Schroeder
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflow
Angel Boy
 
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
CODE BLUE
 
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
Hackito Ergo Sum
 

What's hot (20)

MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) Exploitation
 
Anatomy of the loadable kernel module (lkm)
Anatomy of the loadable kernel module (lkm)Anatomy of the loadable kernel module (lkm)
Anatomy of the loadable kernel module (lkm)
 
Execution
ExecutionExecution
Execution
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaion
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledge
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend Programing
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
 
Slab Allocator in Linux Kernel
Slab Allocator in Linux KernelSlab Allocator in Linux Kernel
Slab Allocator in Linux Kernel
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File System
 
Understanding of linux kernel memory model
Understanding of linux kernel memory modelUnderstanding of linux kernel memory model
Understanding of linux kernel memory model
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)
 
Linux Performance Tools 2014
Linux Performance Tools 2014Linux Performance Tools 2014
Linux Performance Tools 2014
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit Technique
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation
 
malloc & vmalloc in Linux
malloc & vmalloc in Linuxmalloc & vmalloc in Linux
malloc & vmalloc in Linux
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflow
 
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
 
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
 

Viewers also liked

Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the database
Bernardo Damele A. G.
 
ORM Injection
ORM InjectionORM Injection
ORM Injection
Simone Onofri
 
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassObject Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Sam Thomas
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
Mikhail Egorov
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
Daniel Bohannon
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
Peter Hlavaty
 
Final lfh presentation (3)
Final lfh presentation (3)Final lfh presentation (3)
Final lfh presentation (3)
__x86
 
Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
Peter Hlavaty
 
Find your own iOS kernel bug
Find your own iOS kernel bugFind your own iOS kernel bug
Find your own iOS kernel bug
Gustavo Martinez
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowing
Peter Hlavaty
 
How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012
_mr_me
 
D2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2   steven seeley - ghost in the windows 7 allocatorD2 t2   steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocator
_mr_me
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?
Peter Hlavaty
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CanSecWest
 
Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)
ReCrypt
 
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
CTruncer
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CanSecWest
 
NDIS Packet of Death
NDIS Packet of DeathNDIS Packet of Death
NDIS Packet of Death
nitayart
 
Av power consumption trial executive summary v1 0
Av power consumption trial executive summary v1 0Av power consumption trial executive summary v1 0
Av power consumption trial executive summary v1 0
Anatol Alizar
 

Viewers also liked (20)

Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the database
 
ORM Injection
ORM InjectionORM Injection
ORM Injection
 
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassObject Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypass
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
 
Final lfh presentation (3)
Final lfh presentation (3)Final lfh presentation (3)
Final lfh presentation (3)
 
Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
 
Find your own iOS kernel bug
Find your own iOS kernel bugFind your own iOS kernel bug
Find your own iOS kernel bug
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowing
 
How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012
 
D2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2   steven seeley - ghost in the windows 7 allocatorD2 t2   steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocator
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
 
Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)
 
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
 
NDIS Packet of Death
NDIS Packet of DeathNDIS Packet of Death
NDIS Packet of Death
 
Av power consumption trial executive summary v1 0
Av power consumption trial executive summary v1 0Av power consumption trial executive summary v1 0
Av power consumption trial executive summary v1 0
 

Similar to Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes

NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
Peter Hlavaty
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with Droids
Peter Hlavaty
 
CONFidence 2015: when something overflowing... - Peter Hlavaty
CONFidence 2015: when something overflowing... - Peter HlavatyCONFidence 2015: when something overflowing... - Peter Hlavaty
CONFidence 2015: when something overflowing... - Peter Hlavaty
PROIDEA
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Scott K. Larson
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12x
rkr10
 
Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012
Joe Arnold
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis
Moabi.com
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
Tamas K Lengyel
 
EhTrace -- RoP Hooks
EhTrace -- RoP HooksEhTrace -- RoP Hooks
EhTrace -- RoP Hooks
Shane Macaulay
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalability
Wim Godden
 
Caching and tuning fun for high scalability @ FrOSCon 2011
Caching and tuning fun for high scalability @ FrOSCon 2011Caching and tuning fun for high scalability @ FrOSCon 2011
Caching and tuning fun for high scalability @ FrOSCon 2011
Wim Godden
 
Talk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopTalk 160920 @ Cat System Workshop
Talk 160920 @ Cat System Workshop
Quey-Liang Kao
 
Joanna Rutkowska Subverting Vista Kernel
Joanna Rutkowska   Subverting Vista KernelJoanna Rutkowska   Subverting Vista Kernel
Joanna Rutkowska Subverting Vista Kernel
guestf1a032
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerun
idsecconf
 
The Container Security Checklist
The Container Security Checklist The Container Security Checklist
The Container Security Checklist
LibbySchulze
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
Peter Hlavaty
 
Surge2012
Surge2012Surge2012
Surge2012
davidapacheco
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
tutorialsruby
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
tutorialsruby
 

Similar to Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes (20)

NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with Droids
 
CONFidence 2015: when something overflowing... - Peter Hlavaty
CONFidence 2015: when something overflowing... - Peter HlavatyCONFidence 2015: when something overflowing... - Peter Hlavaty
CONFidence 2015: when something overflowing... - Peter Hlavaty
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12x
 
Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 
EhTrace -- RoP Hooks
EhTrace -- RoP HooksEhTrace -- RoP Hooks
EhTrace -- RoP Hooks
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalability
 
Caching and tuning fun for high scalability @ FrOSCon 2011
Caching and tuning fun for high scalability @ FrOSCon 2011Caching and tuning fun for high scalability @ FrOSCon 2011
Caching and tuning fun for high scalability @ FrOSCon 2011
 
Talk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopTalk 160920 @ Cat System Workshop
Talk 160920 @ Cat System Workshop
 
Joanna Rutkowska Subverting Vista Kernel
Joanna Rutkowska   Subverting Vista KernelJoanna Rutkowska   Subverting Vista Kernel
Joanna Rutkowska Subverting Vista Kernel
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerun
 
The Container Security Checklist
The Container Security Checklist The Container Security Checklist
The Container Security Checklist
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
Surge2012
Surge2012Surge2012
Surge2012
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
 

More from Peter Hlavaty

Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
Peter Hlavaty
 
Software Security : From school to reality and back!
Software Security : From school to reality and back!Software Security : From school to reality and back!
Software Security : From school to reality and back!
Peter Hlavaty
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school intro
Peter Hlavaty
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODE
Peter Hlavaty
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patterns
Peter Hlavaty
 
DbiFuzz framework #ZeroNights E.0x03 slides
DbiFuzz framework #ZeroNights E.0x03 slidesDbiFuzz framework #ZeroNights E.0x03 slides
DbiFuzz framework #ZeroNights E.0x03 slides
Peter Hlavaty
 

More from Peter Hlavaty (6)

Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
 
Software Security : From school to reality and back!
Software Security : From school to reality and back!Software Security : From school to reality and back!
Software Security : From school to reality and back!
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school intro
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODE
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patterns
 
DbiFuzz framework #ZeroNights E.0x03 slides
DbiFuzz framework #ZeroNights E.0x03 slidesDbiFuzz framework #ZeroNights E.0x03 slides
DbiFuzz framework #ZeroNights E.0x03 slides
 

Recently uploaded

Updated diagnosis. Cause and treatment of hypothyroidism
Updated diagnosis. Cause and treatment of hypothyroidismUpdated diagnosis. Cause and treatment of hypothyroidism
Updated diagnosis. Cause and treatment of hypothyroidism
Faculty of Medicine And Health Sciences
 
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdfSupercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
Access Innovations, Inc.
 
Competition and Regulation in Professions and Occupations – ROBSON – June 202...
Competition and Regulation in Professions and Occupations – ROBSON – June 202...Competition and Regulation in Professions and Occupations – ROBSON – June 202...
Competition and Regulation in Professions and Occupations – ROBSON – June 202...
OECD Directorate for Financial and Enterprise Affairs
 
Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...
Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...
Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...
Suzanne Lagerweij
 
Presentatie 8. Joost van der Linde & Daniel Anderton - Eliq 28 mei 2024
Presentatie 8. Joost van der Linde & Daniel Anderton - Eliq 28 mei 2024Presentatie 8. Joost van der Linde & Daniel Anderton - Eliq 28 mei 2024
Presentatie 8. Joost van der Linde & Daniel Anderton - Eliq 28 mei 2024
Dutch Power
 
XP 2024 presentation: A New Look to Leadership
XP 2024 presentation: A New Look to LeadershipXP 2024 presentation: A New Look to Leadership
XP 2024 presentation: A New Look to Leadership
samililja
 
Collapsing Narratives: Exploring Non-Linearity • a micro report by Rosie Wells
Collapsing Narratives: Exploring Non-Linearity • a micro report by Rosie WellsCollapsing Narratives: Exploring Non-Linearity • a micro report by Rosie Wells
Collapsing Narratives: Exploring Non-Linearity • a micro report by Rosie Wells
Rosie Wells
 
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...
SkillCertProExams
 
Mẫu PPT kế hoạch làm việc sáng tạo cho nửa cuối năm PowerPoint
Mẫu PPT kế hoạch làm việc sáng tạo cho nửa cuối năm PowerPointMẫu PPT kế hoạch làm việc sáng tạo cho nửa cuối năm PowerPoint
Mẫu PPT kế hoạch làm việc sáng tạo cho nửa cuối năm PowerPoint
1990 Media
 
Burning Issue Presentation By Kenmaryon.pdf
Burning Issue Presentation By Kenmaryon.pdfBurning Issue Presentation By Kenmaryon.pdf
Burning Issue Presentation By Kenmaryon.pdf
kkirkland2
 
Carrer goals.pptx and their importance in real life
Carrer goals.pptx  and their importance in real lifeCarrer goals.pptx  and their importance in real life
Carrer goals.pptx and their importance in real life
artemacademy2
 
2024-05-30_meetup_devops_aix-marseille.pdf
2024-05-30_meetup_devops_aix-marseille.pdf2024-05-30_meetup_devops_aix-marseille.pdf
2024-05-30_meetup_devops_aix-marseille.pdf
Frederic Leger
 
Gregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptxGregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptx
gharris9
 
Media as a Mind Controlling Strategy In Old and Modern Era
Media as a Mind Controlling Strategy In Old and Modern EraMedia as a Mind Controlling Strategy In Old and Modern Era
Media as a Mind Controlling Strategy In Old and Modern Era
faizulhassanfaiz1670
 
Tom tresser burning issue.pptx My Burning issue
Tom tresser burning issue.pptx My Burning issueTom tresser burning issue.pptx My Burning issue
Tom tresser burning issue.pptx My Burning issue
amekonnen
 
ASONAM2023_presection_slide_track-recommendation.pdf
ASONAM2023_presection_slide_track-recommendation.pdfASONAM2023_presection_slide_track-recommendation.pdf
ASONAM2023_presection_slide_track-recommendation.pdf
ToshihiroIto4
 
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
OECD Directorate for Financial and Enterprise Affairs
 
Gregory Harris - Cycle 2 - Civics Presentation
Gregory Harris - Cycle 2 - Civics PresentationGregory Harris - Cycle 2 - Civics Presentation
Gregory Harris - Cycle 2 - Civics Presentation
gharris9
 
Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024
Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024
Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024
Dutch Power
 

Recently uploaded (19)

Updated diagnosis. Cause and treatment of hypothyroidism
Updated diagnosis. Cause and treatment of hypothyroidismUpdated diagnosis. Cause and treatment of hypothyroidism
Updated diagnosis. Cause and treatment of hypothyroidism
 
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdfSupercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
 
Competition and Regulation in Professions and Occupations – ROBSON – June 202...
Competition and Regulation in Professions and Occupations – ROBSON – June 202...Competition and Regulation in Professions and Occupations – ROBSON – June 202...
Competition and Regulation in Professions and Occupations – ROBSON – June 202...
 
Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...
Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...
Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...
 
Presentatie 8. Joost van der Linde & Daniel Anderton - Eliq 28 mei 2024
Presentatie 8. Joost van der Linde & Daniel Anderton - Eliq 28 mei 2024Presentatie 8. Joost van der Linde & Daniel Anderton - Eliq 28 mei 2024
Presentatie 8. Joost van der Linde & Daniel Anderton - Eliq 28 mei 2024
 
XP 2024 presentation: A New Look to Leadership
XP 2024 presentation: A New Look to LeadershipXP 2024 presentation: A New Look to Leadership
XP 2024 presentation: A New Look to Leadership
 
Collapsing Narratives: Exploring Non-Linearity • a micro report by Rosie Wells
Collapsing Narratives: Exploring Non-Linearity • a micro report by Rosie WellsCollapsing Narratives: Exploring Non-Linearity • a micro report by Rosie Wells
Collapsing Narratives: Exploring Non-Linearity • a micro report by Rosie Wells
 
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...
 
Mẫu PPT kế hoạch làm việc sáng tạo cho nửa cuối năm PowerPoint
Mẫu PPT kế hoạch làm việc sáng tạo cho nửa cuối năm PowerPointMẫu PPT kế hoạch làm việc sáng tạo cho nửa cuối năm PowerPoint
Mẫu PPT kế hoạch làm việc sáng tạo cho nửa cuối năm PowerPoint
 
Burning Issue Presentation By Kenmaryon.pdf
Burning Issue Presentation By Kenmaryon.pdfBurning Issue Presentation By Kenmaryon.pdf
Burning Issue Presentation By Kenmaryon.pdf
 
Carrer goals.pptx and their importance in real life
Carrer goals.pptx  and their importance in real lifeCarrer goals.pptx  and their importance in real life
Carrer goals.pptx and their importance in real life
 
2024-05-30_meetup_devops_aix-marseille.pdf
2024-05-30_meetup_devops_aix-marseille.pdf2024-05-30_meetup_devops_aix-marseille.pdf
2024-05-30_meetup_devops_aix-marseille.pdf
 
Gregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptxGregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptx
 
Media as a Mind Controlling Strategy In Old and Modern Era
Media as a Mind Controlling Strategy In Old and Modern EraMedia as a Mind Controlling Strategy In Old and Modern Era
Media as a Mind Controlling Strategy In Old and Modern Era
 
Tom tresser burning issue.pptx My Burning issue
Tom tresser burning issue.pptx My Burning issueTom tresser burning issue.pptx My Burning issue
Tom tresser burning issue.pptx My Burning issue
 
ASONAM2023_presection_slide_track-recommendation.pdf
ASONAM2023_presection_slide_track-recommendation.pdfASONAM2023_presection_slide_track-recommendation.pdf
ASONAM2023_presection_slide_track-recommendation.pdf
 
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
 
Gregory Harris - Cycle 2 - Civics Presentation
Gregory Harris - Cycle 2 - Civics PresentationGregory Harris - Cycle 2 - Civics Presentation
Gregory Harris - Cycle 2 - Civics Presentation
 
Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024
Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024
Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024
 

Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes

  • 1. FROM KERNEL ESCAPE TO SYSTEM CALC This Time Font hunt you down in 4 bytes! @zer0mem@promised_lu
  • 2. 一步一步 TTF  what ?  Pinging TTF  Different  start to play  wild overflow TECHNIQUE  data to kernel  bitmap wants to help!  bit of math instead write-what  ruling of bitmap!  x64, KASLR, NX, SMEP, SMAP, CFG  echo from the past  have we problems, security ?
  • 3. #whoarewe [ KEEN TEAM ]  We are doing sec research  We like challenges & security  pwn2own 2013 / 2014 / 2015  actively contributing to geek community  working with project zero  cve / techs / blog / tools / codes / conferences  GeekPwn organizer  #shanghai #beijing
  • 4. Practical Example NoSuchCon : http://www.slideshare.net/PeterHlavaty/ attack-on-the-core SyScan : http://www.slideshare.net/PeterHlavaty/ back-to-the-core http://www.nosuchcon.org/ https://syscan.org/ https://www.syscan360.org/ we were talking before of some issues in kernel … … this time we will show it in practice
  • 5. TTF, what is that ? TRUE TYPE FORMAT TrueType is an outline font standard developed by Apple and Microsoft in the late 1980s as a competitor to Adobe's Type 1 fonts used in PostScript. It has become the most common format for fonts on both the Mac OS and Microsoft Windows operating systems. The primary strength of TrueType was originally that it offered font developers a high degree of control over precisely how their fonts are displayed, right down to particular pixels, at various font sizes. With widely varying rendering technologies in use today, pixel-level control is no longer certain in a TrueType font. … THIS TOOL (IS) FABULOUS Offers VM, where in certain conditions you can with your controlled VM instructions achieve : ◦ READ ◦ WRITE In certain scenario it offers boosting surrounding structures in the same pool, what can leads to : ◦ READ ◦ WRITE + some other offering in certain conditions
  • 6. Ok that was .. lazy [ background ] Nice internals in attackers perspective : https://cansecwest.com/slides/2013/Analysis%20of%20a%20Windows%20Kernel%20Vuln.pdf Fuzzing fonts, structure info .. : https://digteam.github.io/assets/tocttou.pdf https://media.blackhat.com/us-13/US-13-Chan-Smashing-The-Font-Scaler-Engine-in-Windows- Kernel-Slides.pdf
  • 7. Pinging TTF January meeting about pwn2own February decided we will go after our TTF bugs March pwn2own, 2 kernel escapes to system calcs  building novel TTF fuzzer (@promised_lu)  let fuzzer run for 3 weeks  3 *exploitable* bugs discovered at that period  3-4 weeks for 2 kernel escapes by TTF  more bugs discovered waiting for review now
  • 8. This time bit different TTF from the past  Bug to modify state of virtual machine  Using VM instructions to pwn kernel this TTF  Bug in building state of VM  Sequence of instruction (4b) to trigger bug  No more control from VM :
  • 9. Shall we play a game ?
  • 10. #tools & #materials You will need to parse TTF : TTX You will need to understand format to build your own parser / update-er : View it in human quick & understandable way : FarManager / ConEmu & plugins https://pypi.python.org/pypi/FontTools & https://github.com/behdad/fonttools/ http://www.farmanager.com/ https://twitter.com/ConEmuMaximus5 http://www.microsoft.com/typography/otspec/otff.htm
  • 11. Minimize your problem! 1. As you got crash, problem can be everywhere 2. Build parsing tools (or use existing ones) 3. Kick all part what is not necessary from TTF out 4. Start working on minimalized TTF https://media.blackhat.com/us-13/US-13-Chan-Smashing-The-Font-Scaler-Engine-in-Windows-Kernel-Slides.pdf
  • 12. gotcha! Wild Overflow  finally we got root cause!  Only XX pages to be overflowing in  need to alter XX pages in kernel pool without crash ?! No interaction from VM is possible anymore
  • 14. x64  got overflow  Must control data after  x64 introduce a lot of gaps  Spraying as was used before is ineffective  But …  …not in the same pool http://www.alex-ionescu.com/?p=246
  • 15. Look at your pool Conditional breakpoint command on ExAllocatePool-0x21 on big allocs & results controlled size & at byte level
  • 16. Big Pools RANDOMIZATION  Not at big pools  Making controlled holes at will  Precise pool layout SPRAYING  still highly effective inside targeted pool  if you know base of pool, you can hardcode  kmalloc & kfree at your will wild overflow is no problem anymore!
  • 17. By Design #1 [ overflows ] 1. Do pool layout I. spray bitmaps II. create hole for ttf 2. No PAGE_NOACCESS interaction to care about 3. No crash anymore 4. More complicated when randomization in place, but .. doable .. http://www.slideshare.net/PeterHlavaty/overflow-48573748
  • 18. write (overflow) – what ? ... N O !  follow right path at right moment  control output of math operation - to some extent
  • 19. going to be complicated ? You need to go trough some math, semi - controlled write-what meet some conditions to write- semi-what control kernel memory *must* to use _gre_bitmap header member!
  • 20. By Design #2 [ SMAP betrayal ] Controlled data in kernel, bitmap is just an example! Look more, you will find more … https://msdn.microsoft.com
  • 21. win32k! _GRE_BITMAP Session Pool kmalloc – CreateBitmap kfree – DeleteObject Controlled – {Set/Get}BitmapBits Known-PLAIN-state header!
  • 22. By Design #3 [ plain state, ptr ?! ] *PLAIN* header &buffer size&lock feature 1 : user data : kernel data == 1:1 ◦ by design #2 feature 2 : *plain* headers [ in general ] ◦ Properties : size, width, height, … ◦ Pointer to buffers ◦ Pointer to function or ‘vtable’ ◦ Pointer to another member struct : lock, … Consequences : ◦ From user mode I know content of header (size, ..) ◦ I can guess content of header (pointers – base, gran) ◦ I can manipulate it if I have tool to do it [our case] ◦ I can use it when it is necessary [our case] http://www.slideshare.net/PeterHlavaty/attack-on-the-core
  • 23. Stage #1 [ overflow ]  What we do :  Math-calc based overflow  In right conditions is something somehow rewritten  We can rewrite size  But then we also rewrite Lock  What we get :  size is bigger (but still small!)  Lock - DWORD part is corrupted!
  • 24. Stage #2 [ full kernel IO ] * Sometimes getting more tricky due to more complicated overflow in our case we need 3 bitmaps idea is similar ...  What we do :  spray, &Lock ptr points to accessible memory  SetBitmapBits to boost followed bitmap size to ~0  What we get* :  FULL KERNEL IO  {Set/Get}BitmapBits at the second bitmap
  • 25. wrap up Wild overflow semi-control overflowing bytes Kernel memory (part of it) control Bug under control Full kernel IO achieved
  • 26. what now ? Era of security features ? X64, KASLR, NX, SMAP, SMEP, CFI ?!
  • 27. Kernel security … X64 – virtual address space KASLR – modules NX – ExAllocatePool nonexec by default SMEP – no easy exec anymore +- SMAP – hopefully SOON CFI – by control flow guard implementation, hopefully SOON http://www.slideshare.net/PeterHlavaty/guardians-ofyourcode
  • 28. KASLR  Randomization of module addresses  Randomization of pool addresses  When you do not know where your target is then is hard to attack
  • 29. By Design #4 [ full kernel IO ] Touching invalid memory ? [ x64 VAS > PAS ] Kernel memory layout ? [ KASLR ] Leak pointer chain to valid module : ◦ Info-leak bug ◦ _sidt / _sgdt Turn your bug to pool overflow ◦ misuse object on the pool * Or use old know technique *
  • 30. Echo from the past [ wtf ?! ]  _sidt & _sgdt from wow64 does not leak  I was lazy to invent new method for second TTF  Wait, hmm, there was something years ago ..  I was sure it is fixed already, but worth to check  Leaking Session Pool objects, problem bro ? https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_Slides.pdf gSharedInfo
  • 31. Echo from the past [ implementation ]
  • 32. Are we done ? > Yeah, poping system calcs … but we want kernel EXEC!
  • 33. Design (#3) strikes back [ plain ptr ] some good function pointers at windows kernel are free to overwrite! ◦ we skip some good candidates like HalDispatchTable to pinpoint some different …
  • 34. SMEP  X86_CR4_SMEP  Execute user mode code with kernel mode privileges results in BSOD  Previously heavily used as exploitation shortcut
  • 35. ‘SMAP’  X86_CR4_SMAP  In syscall user pass arguments as well  Those arguments have to be readed  No unified method for read / write those inputs is problem for enabling SMAP
  • 36. NonExec  Code is special case of data  If creating data with EXEC  any data shipped from user mode to kernel can be executed  Unless NonPagedPoolNx take place at ExAllocatePool
  • 37. SMAP -> SMEP ?  { ‘by design #2’ + ‘echo’ / overflow } bypass SMAP  Page Tables to bypass NonExec & SMEP ?  Lets say some additional protection  HyperVisor solution – EPT, TrustZone , … Page Table attack VadPwn & PageTablePwn boost https://labs.mwrinfosecurity.com/blog/2014/08/15/ windows-8-kernel-memory-protections-bypass/ http://www.slideshare.net/PeterHlavaty/back-to-the-core Insection: AWEsome ... http://www.alex-ionescu.com/?cat=2 - intro
  • 38. ExAllocatePool We need to get RWE memory OK, lets allocate it! * remember we have kernel IO !! Flags problem, it must be RWE memory ! Address problem, how to leak it back to user ?
  • 39. Window tricking [ that’s a cheat! ] There we go, some magic function again Working with window handles writeable ‘vtable’ ‘Unused’ function pointers there Returning output back to user Lets mess little bit with logic! provide window pointer as ExAllocatePool flags ? Ensure that window pointer can act as writable & executable flag ;) WINDOW handle (user argument) WINDOW pointer (kernel argument) output returned to user
  • 40. that must be nasty … http://www.slideshare.net/PeterHlavaty/vulnerability-desing-patterns
  • 41. Control Flow Guard  Indirect calls check  in kernel mode not so widely used yet, hopefully will be … soon …  bitmap & registered functions
  • 42. Control Flow Guard [ FDA ]  It covers old way of thinking  Good for mitigating ROP to some extent  CFG-bitmap does not care about integrity of objects  Function-Driven-Attack prone  FDA is more complicated than ROP but nice way  You will searching for vfgadgets instead of rop-gadgets  realize that for now we used function driven attack only (exallocatepool + window tricking) ! http://syssec.rub.de/media/emma/veroeffentlichungen/2015/04/13/COOP-Oakland15_1.pdf http://www.slideshare.net/PeterHlavaty/back-to-the-core
  • 43. By Design #4 [ CF stack please ] http://www.slideshare.net/PeterHlavaty/back-to-the-core  We have just one stack  Data & Control Flow mixed  any RW instruction can touch stack … what CFI we are talking about ? …
  • 44. Stack hooking Get address of stack of your kernel thread Use write-where- what primitive (kernel IO) to it Just now, you did stack hooking of you own stack CFI bypassed by design! kernelIO.Write(own_stack, own_driver_ep)
  • 45.
  • 46. poping calcs #2 – d’art
  • 47. btw. Did you spot something ? 1bit-flip to kernel pwn ?
  • 48. Any problem here ? [ aftermath ] pwn2own – recon => XX - days we found it in 3weeks – for *security* and fun Other guys spending much more time at TTF, most likely not for fun nor for security After we got bug under control, we spent 1-2days with executing it Additional few days with design - d’art  Exploitation technique ? Nope, it is package of design features.. OS design is bit old ? Known security issues persist *PUBLIC* for 4+ years https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf - as a recent example ?
  • 49. 10.24.2015 Pick a device, name your own challenge!
  • 50. INTERNS WANTED! WE ARE HIRING! :) @K33nTeam hr (at) keencloudtech.com Q & A