A look inside the Windows Kernel
Bruno Pujos
LSE
July 18, 2013
Introduction
What is this talk about?
• Security of the Windows kernel
• Presentation of some exploits
• What changed in the security of the kernel since Windows NT 5.1 (Windows XP)
Motivation for attacking the kernel
• Sandbox bypassing (a kernel bug is reachable from inside most user-mode sandboxes)
• Full access to everything
• The fun
Plan
1 Introduction
2 Basics of Windows Kernel
3 CVE-2011-1237
4 Evolution from XP to 8
5 CVE-2013-3660
6 Conclusion
Basics of Windows Kernel
HAL
• HAL: the Hardware Abstraction Layer (hal.dll)
• "a layer of software that deals directly with your computer hardware." (MSDN)
• Layer for supporting different hardware with the same software
• HalDispatchTable: holds the addresses of a few HAL routines. It is a classic overwrite target for kernel exploits, because some of its entries are called on behalf of user mode through syscalls such as NtQueryIntervalProfile
Win32k.sys
• Kernel-mode driver
• Introduced in NT 4.0 for performance reasons (the window manager and GDI moved out of the user-mode CSRSS subsystem into the kernel)
• Two parts:
• The Graphics Device Interface (GDI)
• The Window Manager
User objects
• User entities (windows, menus, keyboard layouts, ...)
• Managed by the Window Manager
• Represented by a handle
• The handle table keeps track of each user object:
• The address of the object
• The type of the object
• A flag
• The owner and a wUniq value
User-Mode Callback
• A way for the kernel to call back into user mode while it is servicing a request:
• gives user mode access to some structures
• used to support hooking
• ...
• CBT hook: receives notifications from the window manager (for example when a window is created)
• WindowProc: callback function which processes the messages sent to a window
• The security problem: a callback runs arbitrary user code in the middle of a kernel operation, so any object the kernel still holds a pointer to may have been freed by the time the callback returns
CVE-2011-1237
Vulnerability
• Discovered by Tarjei Mandt (@kernelpool); see his paper Kernel Attacks through User-Mode Callbacks
• Use-after-free of a window object (a user object)
• During the creation of a new window, a CBT hook can choose the parent
• Using another callback fired during the same creation, you can destroy that parent window
• SetWindowTextW lets us allocate a kernel buffer of the size and content we want; we use it to place what we want where the freed parent window was
• The parent is used at the end of LinkWindow, after it has been freed
• We can map the null page in userland and put our shellcode in it; our goal is to get the kernel to call it
Link Window
• Basically, LinkWindow just inserts the new window into a doubly linked list of windows under the parent
• cLockObj: reference counter at the start of each user object
• Since we control one of the objects, unlocking it decrements a word at an address of our choosing by one
• If cLockObj reaches zero, HMDestroyUnlockedObject is called
Exploitation - Decrement by one
• Create two windows (A & B)
• Activate the CBT hook
• Create a third window (E):
• HCBT_CREATEWND: make A the parent of E
• WM_NCCREATE: destroy A (DestroyWindow), then reallocate its memory with a fake object (SetWindowTextW on B)
• LinkWindow: unlocks the fake parent, which decrements by one the word we chose
HMDestroyUnlockedObject
• HMDestroyUnlockedObject: looks up the handle-table entry of the user object given as argument, using the handle stored in the object
• checks this condition: (flag & 1) && !(flag & 2)
• if it is true, calls the destroy function selected by the entry's type
• If the type is 0 (already free), the destroy function pointer is null, so the call lands in the null page
Standard
• the type for a window is 1
• normally the flag is 0x00
Exploitation - Calling the null page
• We create a first window (U)
• We decrement the flag of U's handle-table entry by 3 using the use-after-free (0x00 becomes 0xFD)
• We decrement the type of U's handle-table entry by 1 (1 becomes 0)
• We trigger the use-after-free once again
• In LinkWindow, the fake object carries cLockObj = 1 and the handle of window U
• When cLockObj is decremented to 0, HMDestroyUnlockedObject is called; U's entry passes the test and the call goes to the null page
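The slides describe the handle table, the decrement primitive in LinkWindow, the check in HMDestroyUnlockedObject and the four-decrement sequence in prose. The following C program is an added example, constructed for this page and not code from the talk or from win32k: it models the handle table and the unlock/destroy path so the arithmetic (0x00 - 3 = 0xFD, TYPE_WINDOW - 1 = TYPE_FREE) can be checked. HEAD and HANDLEENTRY follow the public layouts; the table size, the names g_aheList and g_fnDestroy, the two-entry destroy table and the scenario functions are assumptions of the model. The three decrements on the flag byte are applied directly instead of through the use-after-free.

```c
/* Constructed model (not win32k code) of the user-object handle table and of the
 * lock/unlock/destroy path that the CVE-2011-1237 exploit steers. */
#include <stdint.h>
#include <stdio.h>

#define HANDLEF_DESTROY    0x01   /* bit 0: object marked for destruction */
#define HANDLEF_INDESTROY  0x02   /* bit 1: destruction already running */
#define TYPE_FREE          0      /* entry not in use */
#define TYPE_WINDOW        1
#define TABLE_SIZE         8      /* assumption: tiny table for the model */

typedef struct _HEAD {            /* first bytes of every user object */
    void     *h;                  /* the object's own handle */
    uint32_t  cLockObj;           /* reference counter */
} HEAD;

typedef struct _HANDLEENTRY {
    HEAD     *phead;              /* address of the object */
    void     *pOwner;             /* owning thread or process */
    uint8_t   bType;              /* TYPE_* */
    uint8_t   bFlags;             /* HANDLEF_* */
    uint16_t  wUniq;              /* reuse counter, mirrored in the handle's high 16 bits */
} HANDLEENTRY;

static HANDLEENTRY g_aheList[TABLE_SIZE];

typedef void (*FNDESTROY)(HEAD *);
static int g_windows_destroyed;
static void DestroyWindowObj(HEAD *p) { (void)p; g_windows_destroyed++; }
/* Destroy routine per type, indexed by bType. TYPE_FREE has none: a NULL pointer. */
static const FNDESTROY g_fnDestroy[] = { NULL, DestroyWindowObj };

/* A handle packs the table index in the low 16 bits and wUniq in the high 16. */
static void *MakeHandle(unsigned idx, uint16_t uniq) {
    return (void *)(uintptr_t)((idx & 0xffff) | ((uintptr_t)uniq << 16));
}

/* What a syscall does with a handle that comes from user mode. */
static HEAD *HMValidateHandle(void *h, uint8_t type) {
    unsigned idx  = (unsigned)((uintptr_t)h & 0xffff);
    uint16_t uniq = (uint16_t)((uintptr_t)h >> 16);
    if (idx >= TABLE_SIZE) return NULL;
    HANDLEENTRY *phe = &g_aheList[idx];
    if (phe->bType != type || phe->wUniq != uniq) return NULL;  /* wrong type, or slot reused */
    if (phe->bFlags & HANDLEF_DESTROY) return NULL;             /* already being torn down */
    return phe->phead;
}

static HEAD *CreateWindowObj(HEAD *obj, unsigned idx, uint16_t uniq) {
    HANDLEENTRY *phe = &g_aheList[idx];
    phe->phead = obj; phe->pOwner = NULL;
    phe->bType = TYPE_WINDOW; phe->bFlags = 0; phe->wUniq = uniq;
    obj->h = MakeHandle(idx, uniq);
    obj->cLockObj = 1;            /* the reference held by the handle table itself */
    return obj;
}

enum { UNLOCK_STILL_REFERENCED, UNLOCK_DESTROY_SKIPPED, UNLOCK_DESTROYED, UNLOCK_NULL_CALL };

/* Entered when the lock count hits zero. It trusts the handle stored in the object. */
static int HMDestroyUnlockedObject(HEAD *pobj) {
    HANDLEENTRY *phe = &g_aheList[(uintptr_t)pobj->h & 0xffff];
    if (!((phe->bFlags & HANDLEF_DESTROY) && !(phe->bFlags & HANDLEF_INDESTROY)))
        return UNLOCK_DESTROY_SKIPPED;
    phe->bFlags |= HANDLEF_INDESTROY;
    if (phe->bType >= sizeof g_fnDestroy / sizeof g_fnDestroy[0])
        return UNLOCK_DESTROY_SKIPPED;                       /* the model only knows two types */
    FNDESTROY fn = g_fnDestroy[phe->bType];
    if (fn == NULL) return UNLOCK_NULL_CALL;  /* win32k calls through it: execution at address 0 */
    fn(pobj);
    return UNLOCK_DESTROYED;
}

/* Drop one reference; the last one destroys. The slides' "decrement by one" primitive is
 * this function run by LinkWindow on an attacker-controlled pobj. */
static int HMUnlockObject(HEAD *pobj) {
    if (--pobj->cLockObj != 0) return UNLOCK_STILL_REFERENCED;
    return HMDestroyUnlockedObject(pobj);
}

/* Valid handle resolves; stale wUniq or wrong type is refused. Returns 7 when all hold. */
static int scenario_validate_handle(void) {
    HEAD w; CreateWindowObj(&w, 3, 0x1234);
    int ok = 0;
    if (HMValidateHandle(MakeHandle(3, 0x1234), TYPE_WINDOW) == &w)   ok |= 1;
    if (HMValidateHandle(MakeHandle(3, 0x1235), TYPE_WINDOW) == NULL) ok |= 2;
    if (HMValidateHandle(MakeHandle(3, 0x1234), TYPE_FREE)   == NULL) ok |= 4;
    return ok;
}

/* Lock count reaches zero but DestroyWindow never set HANDLEF_DESTROY: nothing happens. */
static int scenario_unlock_unmarked(void) {
    HEAD w; CreateWindowObj(&w, 1, 0x0a01);
    return HMUnlockObject(&w);
}

/* Normal teardown: DestroyWindow marks the entry, the last unlock runs the window destructor. */
static int scenario_normal_destroy(void) {
    HEAD w; CreateWindowObj(&w, 2, 0x0b02);
    g_aheList[2].bFlags |= HANDLEF_DESTROY;
    return HMUnlockObject(&w);
}

/* The slides' sequence for window U: flag byte 0x00 - 3 = 0xFD (bit 0 set, bit 1 clear),
 * type byte 1 - 1 = TYPE_FREE, then a fake object naming U's handle with cLockObj = 1. */
static int scenario_cve_2011_1237(void) {
    HEAD u; CreateWindowObj(&u, 4, 0x0c03);
    HANDLEENTRY *phe = &g_aheList[4];
    phe->bFlags -= 3;               /* three uses of the decrement primitive in the exploit */
    phe->bType  -= 1;               /* one more: the entry now looks free */
    HEAD fake = { u.h, 1 };         /* attacker bytes where the freed parent window used to be */
    return HMUnlockObject(&fake);   /* LinkWindow unlocking the "parent" */
}

int main(void) {
    printf("validate=%d unmarked=%d normal=%d cve=%d (NULL_CALL=%d)\n",
           scenario_validate_handle(), scenario_unlock_unmarked(),
           scenario_normal_destroy(), scenario_cve_2011_1237(), UNLOCK_NULL_CALL);
    return 0;
}
```

Two things the model makes visible. HMValidateHandle rejects a stale wUniq and a wrong type, but HMDestroyUnlockedObject indexes the table with whatever handle the object carries and only looks at the flag bits, so an attacker-controlled HEAD selects any entry; that is why four decrements are enough. The last step also relies on address 0 being mappable from user mode, which holds on XP and 7 but not on Windows 8, where the null page can no longer be allocated by a user process.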
Plan
4 Evolution from XP to 8
From XP to 8
• Kernel ASLR
  • Kernel Address = User Address - Local module base + Kernel module base
• Enhanced /GS
• Guard pages
• DEP improvements
• NULL dereference protection
• Kernel pool integrity checks
• SMEP/PXN
SMEP/PXN
• Supervisor Mode Execution Protection / Privileged Execute Never
• Depends on the processor
• Prevents a kernel thread from executing code in userland
• SMEP is enabled or disabled via the CR4 control register
• Possible to bypass
  • ROP
  • Store the shellcode into kernel space
Plan
5 CVE-2013-3660
Vulnerability
• Vulnerability discovered by Tavis Ormandy (@taviso)
• Exploit by Tavis Ormandy and progmboy
• In win32k!EPATHOBJ::pprFlattenRec
• Uninitialized pointer for the next in a doubly linked list (part of a Path object in the GDI in win32k)
• To-userspace dereference vulnerability
• We want to trigger a write-what-where vulnerability
Pathrec struct
    struct _PATHRECORD {
        struct _PATHRECORD *next;
        struct _PATHRECORD *prev;
        ULONG flags;
        ULONG count;
        POINTFIX points[x];   /* x = number of points in this record (variable) */
    };
Go to userspace
• We need to make a specific AllocObject fail to trigger the exploitable condition: we need memory pressure.
• Allocation of the struct of a PATHREC is done in one of two possible ways
  • The PATHALLOC system uses HeavyAllocPool for allocating objects but has its own implementation of the free list
  • After allocating from HeavyAllocPool, it memsets to 0
  • But in the case of taking an element from the freelist it's not set to 0
• If we can spam the freelist with what we want we have big chances to have the next pointer where we want (in userspace)
• We can do that easily by flattening paths with a lot of points we control
• We put a structure we created in userspace and we force the kernel to consider that it is the next of its list
bFlatten and pprFlatten
• EPATHOBJ::bFlatten just goes through a list and calls pprFlattenRec if a flag is set on the element
• EPATHOBJ::pprFlattenRec
  • allocates a new pathrec
  • initialises the new one (but not the next at this point)
  • sets the next of the previous of the new one to itself
        new->previous->next = new;
  • ...
• if we control the struct we can write the position of the new struct created by pprFlattenRec
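As an added example (not code from the talk or from win32k) covering the Pathrec struct, "Go to userspace" and the flatten step above, a user-mode C model of the allocation pattern behind the bug: a record cache that hands a recycled block back without clearing it, so the block's stale `next` survives into the "new" pathrec, beside an allocator that clears recycled blocks and a bFlatten-style walk that refuses a link pointing outside the pool. The pool size, the fixed-size `points` array and the 0x41414141 stale value are constructed for illustration.

```c
/* Added example, not code from the talk or from win32k: a user-mode model of
 * the allocation pattern the slides describe for CVE-2013-3660. Fresh blocks
 * are zeroed, recycled blocks are not, so a stale `next` left in a freed block
 * is still there when the block is handed out again. Names, sizes and the
 * 0x41414141 value are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define POOL_RECORDS 4

typedef struct { int32_t x, y; } POINTFIX;

struct pathrecord {
    struct pathrecord *next;
    struct pathrecord *prev;
    uint32_t flags;
    uint32_t count;
    POINTFIX points[2];       /* fixed size here; variable-length in win32k */
};

/* Backing store plus a one-entry private free list, standing in for the pool
 * allocator and the path allocator's own free list from the slides. */
static struct pathrecord g_pool[POOL_RECORDS];
static size_t g_pool_used;
static struct pathrecord *g_freelist;

static void pool_reset(void)
{
    memset(g_pool, 0, sizeof g_pool);
    g_pool_used = 0;
    g_freelist = NULL;
}

/* Is p the address of one of the pool's records? Compared as integers so a
 * deliberately bogus pointer can be checked without being dereferenced. */
static int in_pool(const struct pathrecord *p)
{
    uintptr_t lo = (uintptr_t)g_pool, hi = (uintptr_t)(g_pool + POOL_RECORDS);
    uintptr_t v = (uintptr_t)p;
    return v >= lo && v < hi && (v - lo) % sizeof(struct pathrecord) == 0;
}

/* Fresh blocks are zeroed (the pool path on the slide). A recycled block is
 * returned as-is when clear_recycled == 0 (the bug) and zeroed when it is 1. */
static struct pathrecord *pathrec_alloc(int clear_recycled)
{
    struct pathrecord *r = g_freelist;
    if (r) {
        g_freelist = NULL;
        if (clear_recycled) memset(r, 0, sizeof *r);
        return r;             /* otherwise next/prev keep their old contents */
    }
    if (g_pool_used == POOL_RECORDS) return NULL;
    r = &g_pool[g_pool_used++];
    memset(r, 0, sizeof *r);
    return r;
}

static void pathrec_free(struct pathrecord *r) { g_freelist = r; }

/* Value of `next` seen in a block that was freed with a stale pointer in it
 * and then handed out again. */
uintptr_t recycled_next(int clear_recycled)
{
    pool_reset();
    struct pathrecord *a = pathrec_alloc(clear_recycled);
    a->next = (struct pathrecord *)(uintptr_t)0x41414141;   /* stale value, constructed */
    pathrec_free(a);
    struct pathrecord *b = pathrec_alloc(clear_recycled);   /* gets a's block back */
    return (uintptr_t)b->next;
}

/* bFlatten-style walk that refuses to follow a link outside the pool.
 * Returns the number of records visited, or -1 when a link is foreign. */
int walk_checked(struct pathrecord *head)
{
    int n = 0;
    for (struct pathrecord *r = head; r != NULL; r = r->next) {
        if (!in_pool(r)) return -1;          /* would otherwise dereference foreign memory */
        if (++n > POOL_RECORDS) return -1;   /* cycle guard */
    }
    return n;
}

/* Scenario: head -> recycled record. With the buggy allocator the recycled
 * record still carries the stale `next`, and the checked walk stops there. */
int scenario_walk(int clear_recycled)
{
    pool_reset();
    struct pathrecord *a = pathrec_alloc(clear_recycled);      /* pool[0] */
    struct pathrecord *head = pathrec_alloc(clear_recycled);   /* pool[1], fresh and zeroed */
    a->next = (struct pathrecord *)(uintptr_t)0x41414141;      /* stale link left behind */
    pathrec_free(a);
    struct pathrecord *rec = pathrec_alloc(clear_recycled);    /* the "new pathrec": a's block */
    rec->prev = head;
    head->next = rec;          /* new->previous->next = new, as in pprFlattenRec */
    return walk_checked(head);
}
```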
Getting execution
• We can write the address of something we don't control, but we control the contents of the first pointer in it: it's the address of our next element in the list
• We can write in the HalDispatchTable; our pointer on the next will be considered as code when calling the function.
• So we need an address which is a valid pointer for the bFlatten loop and valid code for execution, like
        inc eax                    ; 0x40
        jmp dword ptr [ebp+0x40]   ; 0xff6540
• We will rewrite the HalDispatchTable[1], called by NtQueryIntervalProfile and not used for a lot of other things
• The ebp+0x40 corresponds to the second argument of NtQueryIntervalProfile where we put the address of our shellcode
Chronology
• Get the addresses in the kernel we need for the exploit (HalDispatchTable, ...)
• Allocate the three PATHRECORD structs we need, in particular the one at the precise address 0x4065ff40
• Put the system under memory pressure
• Put the address of our first PATHRECORD into the freelist
• Flatten the path => write into the HalDispatchTable
• Call NtQueryIntervalProfile => get the shellcode executed
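The pprFlattenRec write primitive and the pointer-as-code trick from the "Getting execution" slides, as an added example that is not part of the original talk: a user-mode C model of my own, with an assumed PATHRECORD layout, an assumed PD_FLATTEN flag and a fake_hal_dispatch array standing in for HalDispatchTable. It never touches win32k. The point is to see the two mechanics run, and to check in both directions that 0x4065ff40 is at the same time a user-mode pointer and the bytes of inc eax ; jmp dword ptr [ebp+0x40].

```c
/* Added example (my user-mode model, not code from the talk or any exploit).
 * It shows the two ideas on these slides: pprFlattenRec's "prev->next = new"
 * becomes an arbitrary write of the new record's address when we supply the
 * record it reads prev from, and a 4-byte pointer can double as x86 code.
 * PATHRECORD layout, PD_FLATTEN and fake_hal_dispatch are assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PD_FLATTEN 0x10u   /* assumed flag: bFlatten calls pprFlattenRec on it */

typedef struct PATHRECORD {
    struct PATHRECORD *next;   /* offset 0: these bytes run if the record is "called" */
    struct PATHRECORD *prev;
    uint32_t flags;
    uint32_t count;
} PATHRECORD;

/* Model of EPATHOBJ::pprFlattenRec: allocate, initialise from the old record,
 * link after old->prev.  next is deliberately left unset at this point. */
static PATHRECORD *ppr_flatten_rec(const PATHRECORD *old)
{
    PATHRECORD *rec = calloc(1, sizeof *rec);
    if (rec == NULL)
        return NULL;
    rec->prev  = old->prev;
    rec->flags = old->flags & ~PD_FLATTEN;
    rec->count = old->count;
    if (rec->prev != NULL)
        rec->prev->next = rec;   /* the primitive: *(prev + 0) = address of rec */
    return rec;
}

/* Model of EPATHOBJ::bFlatten: walk the list, flatten flagged records. */
static PATHRECORD *b_flatten(PATHRECORD *head)
{
    for (PATHRECORD *cur = head; cur != NULL; cur = cur->next) {
        if (!(cur->flags & PD_FLATTEN))
            continue;
        PATHRECORD *rec = ppr_flatten_rec(cur);
        if (rec == NULL)
            break;
        rec->next = cur->next;   /* only now does the new record get its next */
        if (cur == head)
            head = rec;
        cur = rec;
    }
    return head;
}

static void *fake_hal_dispatch[4];   /* stands in for nt!HalDispatchTable */
static PATHRECORD attacker_next;     /* record named by our chosen next pointer */

/* Attacker side: a record we control whose prev points at dispatch entry 1.
 * Since next is at offset 0, "prev->next = rec" lands exactly on the entry. */
static PATHRECORD *run_flatten_attack(void)
{
    static PATHRECORD fake;
    memset(fake_hal_dispatch, 0, sizeof fake_hal_dispatch);
    memset(&fake, 0, sizeof fake);
    fake.prev  = (PATHRECORD *)&fake_hal_dispatch[1];
    fake.next  = &attacker_next;
    fake.flags = PD_FLATTEN;
    return b_flatten(&fake);         /* the head is replaced by the new record */
}

/* Read dispatch entry 1 back as a record pointer (memcpy sidesteps aliasing). */
static PATHRECORD *hijacked_entry(void)
{
    PATHRECORD *p;
    memcpy(&p, &fake_hal_dispatch[1], sizeof p);
    return p;
}

/* On 32-bit x86 the record's first four bytes are its next pointer and also
 * the first instructions executed when the entry is called.  Encode
 * "inc eax ; jmp dword ptr [ebp+0x40]" and read it as a little-endian dword. */
static uint32_t code_as_pointer(void)
{
    const uint8_t code[4] = { 0x40, 0xff, 0x65, 0x40 };
    return (uint32_t)code[0] | (uint32_t)code[1] << 8 |
           (uint32_t)code[2] << 16 | (uint32_t)code[3] << 24;
}

/* The other direction: does a candidate pointer decode as that gadget and sit
 * in 32-bit user space, where we can place a PATHRECORD?  Returns the jmp
 * displacement, or -1 if the value is unusable. */
static int pointer_usable_as_gadget(uint32_t ptr)
{
    uint8_t b[4] = { ptr & 0xff, (ptr >> 8) & 0xff, (ptr >> 16) & 0xff, ptr >> 24 };
    if (ptr >= 0x80000000u)              /* kernel half, we cannot map it */
        return -1;
    if (b[0] != 0x40)                    /* inc eax */
        return -1;
    if (b[1] != 0xff || b[2] != 0x65)    /* jmp r/m32: FF /4, ModRM 0x65 = [ebp+disp8] */
        return -1;
    return b[3];
}
```

After run_flatten_attack(), entry 1 of the fake table holds the address of the record the modelled kernel allocated, and that record's next field is the attacker-chosen pointer; on the real 32-bit target those four bytes are what HalDispatchTable[1] starts executing. The model runs unchanged on 64-bit, where next is eight bytes, so the dual-use value is computed and checked separately from the linked-list write.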
Plan
6 Conclusion
Conclusion
• A lot of improvements between XP and Windows 8
• Lots of checks, so exploits are really harder
• Still doable
Questions ?

• Tarjei Mandt (@kernelpool)
• Tavis Ormandy (@taviso)
• Mateusz Jurczyk (@j00ru)
• Alex Ionescu (@aionescu)
• Ivanlefou (@Ivanlef0u)