Abusing Interrupts for
Reliable Windows Kernel Exploitation
2015/11/14
AVTOKYO2015
inaz2
About me
• inaz2
• Security engineer & Python programmer
• Working at NTT Communications
• Weblog “momoiro technology”
• http://inaz2.hatenablog.com/
Windows kernel exploitation
• Attacks that exploit a vulnerability in kernel land
• Including vulnerabilities in device drivers
• A write-what-where condition/vulnerability is widely used
• Enables writing an arbitrary value to an arbitrary address
• Execute shellcode to escalate the privilege of the attacking process
• Then launch an administrator command prompt
Classic technique: halDispatchTable overwrite
• nt!NtQueryIntervalProfile internal API
• call [nt!halDispatchTable+4] via nt!KeQueryIntervalProfile
• Overwrite [nt!halDispatchTable+4] with the address of the shellcode
Replace token shellcode
• Copy the token object from the System process (PID=4)
• In the shellcode listing, replace 41414141h with the attacking process' PID
It works but …
• Depends on the implementation of nt!NtQueryIntervalProfile
• The kernel implementation may change in the future (i.e. not reliable)
• Is there a more reliable target to overwrite?
x86 interrupt handling
• There are hardware interrupts (keyboard etc.) and software interrupts (zero division etc.)
• Software interrupts are triggered by the “int n” instruction
• Interrupt Descriptor Table (IDT)
• Stores the addresses of the handler functions (Interrupt Service Routines; ISRs) in each entry (interrupt gate)
• ISRs are executed in Ring 0
• Can do everything
x86 privilege levels (protection rings)
• 4 privilege levels numbered from 0 to 3
• A greater number means fewer privileges
• Most OSes including Windows use only two rings
• Ring 0 corresponds to kernel mode and Ring 3 to user mode
Interrupt Descriptor Table (1/4)
• Intel Developer’s Manual Volume 3, Chapter 6
Interrupt Descriptor Table (2/4)
• Intel Developer’s Manual Volume 3, Chapter 6
• The gate can be invoked from Ring 3 if DPL=3
Interrupt Descriptor Table (3/4)
• WinDbg (KD) view
Interrupt Descriptor Table (4/4)
• Overwrite the interrupt gate for interrupt #0
• WinDbg view of the overwritten gate: 000884fc 4141ee00 (handler 414184fc, DPL=3)
IDT overwrite technique
• Get the IDT address
• Overwrite the interrupt gate for interrupt #n
• Trigger interrupt #n by the “int n” instruction
• Execute shellcode
Detailed procedure
Find the write-what-where vulnerability
• Write and install a vulnerable device driver
• Lets us trigger the write-what-where vulnerability via IOCTL
Get the IDT address (1/2)
• Can be used even in Ring 3!
Get the IDT address (2/2)
• The function that returns the IDT address
• (Annotation on the code listing: disable alignment)
Write the Interrupt Service Routine (ISR)
• Switch the value of the fs segment register
• 0x33 (TEB) → 0x30 (KPCR)
• Call the shellcode right after the ISR
• Return with the iretd instruction instead of ret
Allocate memory & put the code
• Allocate a nop-sled from 0x41410000 to 0x41420000
• Put the ISR code + shellcode at 0x41420000
Overwrite the interrupt gate
• Write 0x4141ee00 to the latter half of the interrupt gate for interrupt #32
• Vectors #32-255 are designated as user-defined interrupts (not reserved)
Trigger the software interrupt
• Execute “int 32”
• The shellcode is executed via the ISR
• Then launch cmd.exe
Demo
What about 64 bit Windows?
• The size of an interrupt gate increases to 16 bytes
• As a 0x100000000-byte nop-sled is quite hard, overwriting the entire interrupt gate is required (i.e. write 2 times)
• However, my VirtualBox VM hangs when the interrupt is triggered (PatchGuard??)
Comparison with halDispatchTable overwrite
• Pros
• Reliable against all versions of x86-based Windows
• Easy to determine the address to be overwritten
• Cons
• Need to prepare the ISR code
• Need to allocate a nop-sled
• Not confirmed on 64-bit
Recap
• The IDT overwrite technique is reliable against all versions of x86-based Windows
• Independent of kernel implementation changes
• We can get the IDT address even in Ring 3
• There’s more than one way to do it
References
• Trying privilege escalation from a device driver vulnerability on Windows - momoiro technology
• http://inaz2.hatenablog.com/entry/2015/09/15/121926
• Project Zero: One font vulnerability to rule them all #4: Windows 8.1 64-bit sandbox escape exploitation
• http://googleprojectzero.blogspot.jp/2015/08/one-font-vulnerability-to-rule-them-all_21.html
• Interrupt Service Routines - OSDev Wiki
• http://wiki.osdev.org/Interrupt_Service_Routines
• SIMPLE IS BETTER: Kernel Information Leak with Unprivileged Instructions (SIDT, SGDT) on x86 - WHY ?
• http://hypervsir.blogspot.jp/2014/10/kernel-information-leak-with.html
Thank you!
inaz2

Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

  • 1. Abusing Interrupts for Reliable Windows Kernel Exploitation
    2015/11/14 AVTOKYO2015 inaz2
  • 2. About me
    • inaz2
    • Security engineer & Python programmer
    • Working at NTT Communications
    • Weblog “momoiro technology”
    • http://inaz2.hatenablog.com/
  • 3. Windows kernel exploitation
    • Attacks that exploit a vulnerability in kernel land
    • Including vulnerabilities in device drivers
    • Write-what-where condition/vulnerability is widely used
    • Enables writing an arbitrary value to an arbitrary address
    • Execute shellcode to escalate the privilege of the attacking process
    • Then launch the administrator command prompt
  • 4. Classic technique: halDispatchTable overwrite
    • nt!NtQueryIntervalProfile internal API
    • call [nt!halDispatchTable+4] via nt!KeQueryIntervalProfile
    • Overwrite [nt!halDispatchTable+4] to point to the shellcode
  • 5. Replace token shellcode
    • Copy the token object from the System process (PID=4)
    • (annotation on the shellcode listing) Replace 41414141h with the attacking process’ PID
  • 6. It works but …
    • Depends on the implementation of nt!NtQueryIntervalProfile
    • Kernel implementation may change in the future (i.e. not reliable)
    • Is there a more reliable target to overwrite?
  • 7. It works but …
    • Depends on the implementation of nt!NtQueryIntervalProfile
    • Kernel implementation may change in the future (i.e. not reliable)
    • Is there a more reliable target to overwrite?
  • 8. x86 interrupt handling
    • There are hardware interrupts (keyboard etc.) and software interrupts (zero division etc.)
    • Software interrupts are triggered by the “int n” instruction
    • Interrupt Descriptor Table (IDT)
      • Stores the address of the handler function (Interrupt Software Routine; ISR) in each entry (interrupt gate)
    • ISRs are executed in Ring 0
      • Can do everything
  • 9. x86 privilege levels (protection rings)
    • 4 privilege levels numbered from 0 to 3
    • The greater the number, the lesser the privileges
    • Most OSes including Windows use only two rings
    • Ring 0 corresponds to kernel mode and Ring 3 to user mode
  • 10. Interrupt Descriptor Table (1/4)
    • Intel Developer’s Manual Volume 3, Chapter 6
  • 11. Interrupt Descriptor Table (2/4)
    • Intel Developer’s Manual Volume 3, Chapter 6
    • (annotation on the gate layout) Can be interrupted from Ring 3 if DPL=3
  • 12. Interrupt Descriptor Table (3/4)
    • WinDbg (KD) view
  • 13. Interrupt Descriptor Table (4/4)
    • Overwrite the interrupt gate for interrupt #0
    • (annotation on the WinDbg output) 414184fc 000884fc 4141ee00 DPL=3
  • 14. IDT overwrite technique
    • Get the IDT address → Overwrite the interrupt gate for interrupt #n → Trigger interrupt #n by the “int n” instruction → Execute shellcode
  • 16. Find the write-what-where vulnerability
    • Write and install the vulnerable device driver
    • Enables attacking the write-what-where vulnerability via IOCTL
  • 17. Get the IDT address (1/2)
    • (annotation on the listing) Can be used even in Ring 3!
  • 18. Get the IDT address (2/2)
    • The function that returns the IDT address
    • (annotation on the listing) Disable alignment
  • 19. Write the Interrupt Software Routine (ISR)
    • Switch the value of the fs segment register
      • 0x33 (TEB) → 0x30 (KPCR)
    • Call the shellcode right after the ISR
    • Return with the iretd instruction instead of ret
  • 20. Allocate memory & put the code
    • Allocate a nop-sled from 0x41410000 to 0x41420000
    • Put the ISR code + shellcode from 0x41420000
  • 21. Overwrite the interrupt gate
    • Write 0x4141ee00 to the latter half of the interrupt gate for interrupt #32
    • #32-255 are designated as user-defined interrupts (not reserved)
  • 22. Trigger the software interrupt
    • Execute “int 32”
    • Shellcode is executed via the ISR
    • Then launch cmd.exe
  • 24. What about 64-bit Windows?
    • The size of the interrupt gate increases to 16 bytes
    • As a 0x100000000-byte nop-sled is quite hard, overwriting the entire interrupt gate is required (i.e. write 2 times)
    • However, my VirtualBox VM hangs when the interrupt is triggered (PatchGuard??)
  • 25. Comparison with halDispatchTable overwrite
    • Pros
      • Reliable against all versions of x86-based Windows
      • Easy to determine the address to be overwritten
    • Cons
      • Need to prepare the ISR code
      • Need to allocate a nop-sled
      • Not confirmed on 64-bit
  • 26. Recap
    • The IDT overwrite technique is reliable against all versions of x86-based Windows
      • Independent of kernel implementation changes
    • We can get the IDT address even in Ring 3
    • There’s more than one way to do it
  • 27. References
    • Trying privilege escalation from a device driver vulnerability on Windows - ももいろテクノロジー
      • http://inaz2.hatenablog.com/entry/2015/09/15/121926
    • Project Zero: One font vulnerability to rule them all #4: Windows 8.1 64-bit sandbox escape exploitation
      • http://googleprojectzero.blogspot.jp/2015/08/one-font-vulnerability-to-rule-them-all_21.html
    • Interrupt Service Routines - OSDev Wiki
      • http://wiki.osdev.org/Interrupt_Service_Routines
    • SIMPLE IS BETTER: Kernel Information Leak with Unprivileged Instructions (SIDT, SGDT) on x86 - WHY ?
      • http://hypervsir.blogspot.jp/2014/10/kernel-information-leak-with.html
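Slides 10 to 13 and 21 describe the 32-bit interrupt gate layout and show the overwritten gate as the dword pair 000884fc 4141ee00 with DPL=3, and slide 24 suspects PatchGuard of reacting to the 64-bit attempt. The C program below is an added example written for this page, not code from the talk: it decodes 32-bit IDT gate descriptors according to the field layout in Intel SDM Volume 3, Chapter 6, and applies the integrity rule a kernel monitor would use to spot such an overwrite: a present interrupt or trap gate must dispatch through a Ring 0 selector to a kernel-space address. DPL=3 by itself is not treated as suspicious, because gates that user mode is allowed to invoke (int 3, int 2e on x86 Windows) legitimately carry it. The kernel base 0x80000000 (the default 2 GB split), the two healthy gates and the empty vector are constructed sample values; the third entry of the sample table is the dword pair shown on slide 13.

```c
#include <stdint.h>
#include <stdio.h>

/* One 32-bit IDT gate (8 bytes) as two dwords, the way WinDbg's "dd" prints it
 * (slide 13 shows "000884fc 4141ee00" for the overwritten gate). */
typedef struct {
    uint32_t lo;  /* bits 0-15: handler offset[15:0]; bits 16-31: code segment selector */
    uint32_t hi;  /* bits 0-7: reserved; bits 8-15: P | DPL | 0 | type; bits 16-31: offset[31:16] */
} idt_gate32_t;

typedef struct {
    uint32_t offset;   /* linear address of the handler (ISR) */
    uint16_t selector; /* code segment the ISR runs in */
    uint8_t  type;     /* 0xE = 32-bit interrupt gate, 0xF = 32-bit trap gate, 0x5 = task gate */
    uint8_t  dpl;      /* descriptor privilege level: 3 means "int n" works from Ring 3 */
    uint8_t  present;  /* P bit */
} gate_fields_t;

enum gate_verdict {
    GATE_OK = 0,
    GATE_NOT_PRESENT,    /* P = 0: vector is unused */
    GATE_BAD_TYPE,       /* not an interrupt, trap or task gate */
    GATE_RING3_SELECTOR, /* selector RPL != 0: handler would not run in Ring 0 */
    GATE_USER_HANDLER    /* handler offset lies in the user half of the address space */
};

/* Assumed kernel base for the default 2 GB / 2 GB split on x86 Windows (example value;
 * a system booted with /3GB moves it to 0xC0000000). */
#define KERNEL_BASE_2GB 0x80000000u

/* Split the two raw dwords into the fields defined in Intel SDM Vol. 3, Chapter 6. */
gate_fields_t decode_gate32(idt_gate32_t g) {
    gate_fields_t f;
    uint8_t flags = (uint8_t)((g.hi >> 8) & 0xFFu);
    f.offset   = (g.hi & 0xFFFF0000u) | (g.lo & 0xFFFFu);
    f.selector = (uint16_t)(g.lo >> 16);
    f.present  = (flags >> 7) & 1u;
    f.dpl      = (flags >> 5) & 3u;
    f.type     = flags & 0xFu;
    return f;
}

/* Integrity rule: a present interrupt/trap gate must use a Ring 0 selector and point into
 * kernel space. DPL=3 alone is normal (int 3 / int 2e gates have it), so it is not flagged;
 * a handler address below kernel_base is. Task gates carry a TSS selector and no offset. */
enum gate_verdict check_gate32(idt_gate32_t g, uint32_t kernel_base) {
    gate_fields_t f = decode_gate32(g);
    if (!f.present) return GATE_NOT_PRESENT;
    if (f.type != 0xE && f.type != 0xF && f.type != 0x5) return GATE_BAD_TYPE;
    if ((f.selector & 3u) != 0) return GATE_RING3_SELECTOR;
    if (f.type == 0x5) return GATE_OK;
    if (f.offset < kernel_base) return GATE_USER_HANDLER;
    return GATE_OK;
}

/* Walk an in-memory copy of the IDT, print every gate whose handler points into user
 * space, and return how many there were. first_bad (may be NULL) receives the lowest
 * offending vector, or -1 if none. */
int scan_idt32(const idt_gate32_t *idt, int count, uint32_t kernel_base, int *first_bad) {
    int bad = 0;
    if (first_bad) *first_bad = -1;
    for (int v = 0; v < count; v++) {
        if (check_gate32(idt[v], kernel_base) == GATE_USER_HANDLER) {
            gate_fields_t f = decode_gate32(idt[v]);
            printf("vector %d: handler %08x sel %04x dpl %u -> user-mode address\n",
                   v, (unsigned)f.offset, (unsigned)f.selector, (unsigned)f.dpl);
            if (bad == 0 && first_bad) *first_bad = v;
            bad++;
        }
    }
    return bad;
}

/* Constructed 4-entry IDT image: entries 0 and 1 are made-up healthy gates with kernel
 * handler addresses, entry 2 is the dword pair from slide 13, entry 3 is an unused vector. */
const idt_gate32_t sample_idt[4] = {
    { 0x000884fcu, 0x80538e00u }, /* constructed: handler 0x805384fc, sel 0x08, DPL 0 */
    { 0x00088a20u, 0x8053ee00u }, /* constructed: handler 0x80538a20, sel 0x08, DPL 3 (int 3 style) */
    { 0x000884fcu, 0x4141ee00u }, /* slide 13: handler 0x414184fc, sel 0x08, DPL 3 */
    { 0x00000000u, 0x00000000u }, /* not present */
};
#define SAMPLE_IDT_LEN 4

int main(void) {
    int first = -1;
    int bad = scan_idt32(sample_idt, SAMPLE_IDT_LEN, KERNEL_BASE_2GB, &first);
    printf("%d suspicious gate(s), first at vector %d\n", bad, first);
    return bad ? 1 : 0;
}
```

The scan works on a copied table, so it can be run against a memory dump or a debugger snapshot; it does not touch the live IDT. On 64-bit Windows the gate grows to 16 bytes (slide 24), with offset[63:32] in the third dword and the fourth reserved, so the decoder needs one more field, but the rule itself (Ring 0 selector, kernel-space handler) stays the same.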