SMEP: What is it, and how to beat it on Windows

This post is not available in Polish!

{ 3 } Comments

  1. NCR | 06-cze-11 at 06:17:14 | Permalink

    Hey! Nice post! Our work is getting harder! ;P Anyways, we always have a way to bypass it.

  2. j00ru | 07-cze-11 at 02:06:00 | Permalink

    @NCR: Hello! It is harder and harder indeed, but that’s the funny thing about security ;> Additionally, I don’t think that the SMEP protection is going to make much of a difference, since there are sooo many ways of storing the payload in kernel memory areas, and as many kernel-address information leaks ;>

  3. arebc | 07-cze-11 at 19:25:44 | Permalink

    Thanks j00ru, this is a great write up.

{ 14 } Trackbacks

  1. […] SMEP: What is It, and How to Beat It on Linux SMEP: What is it, and how to beat it on Windows […]

  2. […] are quite a few articles about methods to bypass SMEP, for example here. Some of them will work in a vSentry micro-VM. Still, enabling SMEP raises the bar for the […]

  3. […] into kernel-mode. A good description of Intel SMEP as exploit protection technology can be found here. The SMEP technology in Windows 8 for x64 can be bypassed using a ROP (Return-Oriented Programming) […]

  4. […] Guard, this technique is no longer reliable — a direct user-mode address cannot be used, and other techniques must be employed […]

  5. […] hardening mechanisms, in the past year we have seen some notable presentations that demonstrated techniques to bypass these protections. The vulnerability which we describe in this entry is a newly disclosed […]

  6. […] attack, like previous hacks, bypassed kernel protection mechanisms including kernel address space layout randomisation and data […]

  7. […] running process, elevating its privileges – this also sidesteps protection mechanisms (such as SMEP) that try to prevent malicious code execution. Google Chrome’s sandbox feature defeats this […]

  8. […] [6] http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-linux/ [7] http://j00ru.vexillium.org/?p=783 [8] http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf […]

  9. […] Point mentions that security mitigations such as SMEP (Supervisor Mode Execution Protection, also discussed here) and SMAP (Supervisor Mode Access Prevention) will make exploitation of this issue more […]

  10. […] [1] http://breakingmalware.com/vulnerabilities/one-bit-rule-bypassing-windows-10-protections-using-single-bit/ [2] https://www.fireeye.com/blog/threat-research/2015/07/dyre_banking_trojan.html [3] https://www.nccgroup.trust/globalassets/newsroom/uk/blog/documents/2015/07/exploiting-cve-2015.pdf [4] https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf [5] http://recon.cx/2013/slides/Recon2013-Alex%20Ionescu-I%20got%2099%20problems%20but%20a%20kernel%20pointer%20ain't%20one.pdf [6] http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-linux/ [7] http://j00ru.vexillium.org/?p=783 [8] http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf [9] http://illmatics.com/Understanding_the_LFH.pdf [10] http://illmatics.com/Windows%208%20Heap%20Internals.pdf […]

  11. […] [6] http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-linux/ [7] http://j00ru.vexillium.org/?p=783 [8] http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf [9] […]
