Hey, nice post! Our work is getting harder! ;P Anyways, we always have a way to bypass it.
@NCR: Hello! It is harder and harder indeed, but that’s the funny thing about security ;> Additionally, I don’t think that the SMEP protection is going to make much of a difference, since there are sooo many ways of storing the payload in kernel memory areas, and as many kernel-address information leaks ;>
Thanks j00ru, this is a great write up.
[…] SMEP: What is It, and How to Beat It on Linux SMEP: What is it, and how to beat it on Windows […]
[…] are quite a few articles about methods to bypass SMEP, for example here. Some of them will work in a vSentry micro-VM. Still, enabling SMEP raises the bar for the […]
[…] into kernel-mode. A good description of Intel SMEP as exploit protection technology can be found here. The SMEP technology in Windows 8 for x64 can be bypassed using a ROP (Return-Oriented Programming) […]
[…] Guard, this technique is no longer reliable — a direct user-mode address cannot be used, and other techniques must be employed […]
[…] hardening mechanisms, in the past year we have seen some notable presentations that demonstrated techniques to bypass these protections. The vulnerability which we describe in this entry is a newly disclosed […]
[…] attack, like previous hacks, bypassed kernel protection mechanisms including kernel address space layout randomisation and data […]
[…] running process, elevating its privileges – this also sidesteps protection mechanisms (such as SMEP) that try to prevent malicious code execution. Google Chrome’s sandbox feature defeats this […]
[…] http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-linux/ http://j00ru.vexillium.org/?p=783 http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf […]
[…] Point mentions that security mitigations such as SMEP (Supervisor Mode Execution Protection, also discussed here) and SMAP Supervisor Mode Access Prevention will make exploitation of this issue more […]
[…] http://breakingmalware.com/vulnerabilities/one-bit-rule-bypassing-windows-10-protections-using-single-bit/ [2] https://www.fireeye.com/blog/threat-research/2015/07/dyre_banking_trojan.html [3] https://www.nccgroup.trust/globalassets/newsroom/uk/blog/documents/2015/07/exploiting-cve-2015.pdf [4] https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf [5] http://recon.cx/2013/slides/Recon2013-Alex%20Ionescu-I%20got%2099%20problems%20but%20a%20kernel%20pointer%20ain't%20one.pdf [6] http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-linux/ [7] http://j00ru.vexillium.org/?p=783 [8] http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf [9] http://illmatics.com/Understanding_the_LFH.pdf [10] http://illmatics.com/Windows%208%20Heap%20Internals.pdf […]