Not so long (a few weeks, actually) ago, me together with Gynvael Coldwind had a chance to carry out a research regarding the Global and Local Descriptor Tables being used as a write-what-where target, while exploiting ring-0 vulnerabilities on 32-bit Microsoft Windows NT-family systems. The result of our work is a small article, describing the actual steps taken in order to escalate the privileges through GDT/LDT. As usual, example source code snippets are available (attached to the document), so that the reader can check their effectiveness on their own.
A complete package, including a PDF file “GDT and LDT in Windows kernel vulnerability exploitation” (with the source.zip file enclosed to the paper) can be downloaded from here (682 kB).
2. The need of a stable exploit path
3. Windows GDT and LDT
4. Creating a Call-Gate entry in LDT
4.1. 4-byte write-what-where exploitation
4.2. 1-byte write-what-where exploitation
4.3. Custom LDT goes User Mode
Have fun && Leave your comments!