Month: January 2010

Not so long (a few weeks, actually) ago, me together with Gynvael Coldwind had a chance to carry out a research regarding the Global and Local Descriptor Tables being used as a write-what-where target, while exploiting ring-0 vulnerabilities on 32-bit Microsoft Windows NT-family systems. The result of our work is a small article, describing the actual steps taken in order to escalate the privileges through GDT/LDT. As usual, example source code snippets are available (attached to the document), so that the reader can check their effectiveness on their own.

I would like to say thank you to Unavowed and Agnieszka Zerka for their comments and help in the process of assembling this publication.

A complete package, including a PDF file “GDT and LDT in Windows kernel vulnerability exploitation” (with the source.zip file enclosed to the paper) can be downloaded from here (682 kB).

Read more

What I would like to write about today is a subject I have been playing with for quite some time – Windows kernel vulnerability exploitation techniques. While digging through various articles and other materials, I appeared to find bunches of interesting facts that are worth being described here. The post presented today aims to describe various ways of obtaining kernel-mode addresses from the user-mode (application) level.

One could ask, what would we want to retrieve any internal system addresses for. Well, it is indeed a very good question – as for me, the kernel addresses become most useful in the vulnerability exploitation process. Since a majority of bugs found in device drivers belong, directly (pointer validation) or indirectly (pool buffer overflow), to the write-what-where condition family, one must know the exact address to be overwritten before performing the operation. This basically means that the more information about kernel memory layout we can gather, the more stable and effective attacks can be conducted.

The idea I am writing about is not new, for sure. A great part of kernel exploits programmers has already used such techniques in their source code. However, I haven’t ever found any publication that would thoroughly describe every possible vector of obtaining somewhat “sensitive” kernel data (addresses) from within user-mode. Hence, I would like to present a short introduction of each method I could think of – a longer article will presumably be released within a few days. Huh, let’s get to the point, already!

Read more