Skip to content

ZeroNights 2013 and NTVDM vulnerabilities

Ten post nie jest dostępny w języku polskim!

{ 8 } Comments

  1. Yuhong Bao | 14-lis-13 at 20:51:11 | Permalink

    BTW, the privileged instruction emulation in protected mode in NTVDM is there to support DPMI applications.

  2. j00ru | 15-lis-13 at 02:55:47 | Permalink

    @Yuhong Bao: Yeah, I should have mentioned that. Updated the slides with an additional line mentioning DPMI.

  3. 0x16 | 15-lis-13 at 09:30:55 | Permalink

    Hi!Thanks for you work!I make a PoC of CVE-2013-3196 (nt!PushInt write-what-where condition),
    but met trouble:
    I can’t add to the LDT custom Expand Down SS segment.
    Inside PspIsDescriptorValid function this condition doesn’t pass:
    Base == 0x0 ActualLimit == 0xFFFFFFFF
    if (Base > Base + ActualLimit ||
    ((PVOID)(Base + ActualLimit) > MM_HIGHEST_USER_ADDRESS)) {
    return FALSE;
    }
    If we will use usual expand up data-segment we fail inside PushInt:
    cmp edi,[esi].RiSsLimit ; edi==0xDEADBEEF (esp must be below limit)
    jnb err_

    Can you give me a hint?)
    With regards!

  4. j00ru | 16-lis-13 at 09:02:38 | Permalink

    @0x16: which operating system are you targetting? On Windows 7, you can create a custom LDT data segment with Base=0x0 and Limit=0xffffffff without any problems.

  5. vexillium_fan | 16-lis-13 at 12:45:20 | Permalink

    Excellent job. Again. Excellent work. Again. ;)
    Thanks. Again. Keep goin’ – again.

    Take a beer from me. Again. ;)

  6. 0x16 | 16-lis-13 at 16:27:13 | Permalink

    Thanks for answer!Yes it was xp sp3,so now i see that in w7x86 PspIsDescriptorValid totaly different,and not exist all limit-conditions..So it looks like on old windows exploitation not possible…?

  7. j00ru | 16-lis-13 at 16:29:33 | Permalink

    @0x16: pretty much yes.

  8. Yuhong Bao | 16-lis-13 at 18:45:26 | Permalink

    @j00ru: Also note that Protected mode != 32-bit, 16-bit DPMI is also very common.

{ 2 } Trackbacks

  1. […] j00ru hakuje NTVDM […]

  2. […] [1,2,3] с ядром […]

Post a Comment

Your email is never published nor shared. Required fields are marked *