SlideShare a Scribd company logo

Attack on the Core

Download as PPTX, PDF
P
Peter Hlavaty

Kernel vulnerabilities was commonly used to obtain admin privileges, and main rule was to stay in kernel as small time as possible! But nowdays even when you get admin / root then current operating systems are sometimes too restrictive. And that made kernel exploitation nice vector for installing to kernel mode! In this talk we will examine steps from CPL3 to CPL0, including some nice tricks, and we end up with developing kernel mode drivers.

Education
1 of 52
Attack on the Core! @zer0mem
#whoami - Peter Hlavaty (@zer0mem) [ KEEN TEAM ]  Background  @K33nTeam  Previously ~4 years in ESET  Contact  twitter : @zer0mem  weibo : weibo.com/u/5238732594  blog : http://zer0mem.sk  src : https://github.com/zer0mem
outline ATTACKER ▪ KernelIo tech ▪ Vulnerability cases ▪ Design features (flaws) ▪ State of targets / security DEVELOPER ▪ Point of view ▪ Goal ▪ Environment ▪ C++! no more shellcoding!
Part 1 -> KernelIo tech
Privileged cpl3 != cpl0 [NtQuerySystemInformation] • NtQueryInformation from win8.1 requires elevated privileges • Still callable from user mode • Driver Signing Enforcement does not like installing drivers even from privileged ones … • Privileged are enpowered with good eye sight, kernel leakage
Read & Write boosting [windows] • write-where vuln • what => should be above read / write target • Pool address can be sufficient
Read & Write boosting [windows]
 KPP is not here to punish attackers  leak & write-where- (semi)what  patch & use & patch back  turned into full KernelIo  ReadFile alternative just with nt!MmUserProbeAddress Read & Write boosting http://haxpo.nl/wp-content/uploads/2014/01/ D1T2-Bypassing-Endpoint-Security-for-Fun-and-Profit.pdf [windows] https://www.dropbox.com/sh/bkfajegn2mn35ng/AABm_RyD4x9VLzYjI9n9Dl2Wa?dl=0
Read & Write boosting [linux / droids] • leak & write-where vuln • what => should be above read / write target • nullptr / pool address can be sufficient http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-linux/
[linux / droids]  PXN UDEREF handle it  PXN not in default build of linux  On droids ? XD  turned into full KernelIo Read & Write boosting http://vulnfactory.org/research/stackjacking-infiltrate11.pdf
Why KernelIo ? ▪ abstraction behind virtual address ▪ what is SMAP / SMEP about ?
MMU straigforward idea [PoC by MWR Labs] 1. choose address X with isolated page tables 1. To be sure write-where does not hit other used memory 2. mmap (X) 3. Patch S/U bits (write-where) 4. S/U bits need to patch per PXE ! 1. self ref, can help  5. cpl0 memcpy (X, shellcode) 6. Pwn (SMEP, SMAP out of the game) https://labs.mwrinfosecurity.com/blog/2014/08/15/windows-8-kernel-memory-protections-bypass/ http://fluxius.handgrep.se/2011/10/20/the-art-of-elf-analysises-and-exploitations/
Symbolic cpl0 – cpl3 separators “ The ProbeForRead routine checks that a user-mode buffer actually resides in the user portion of the address space, and is correctly aligned. “  Ok, what about aliasing ?!  and about ret2dir approach ?  https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/kemerlis
KERNEL- FAIL – SAFE – CHECKS  copy_to/from_user  ProbeForRead/Write  Checking just symbolic values  not cover aliasing…
Part 2 -> cases
Out of Boundary 1. Trivial to exploit 2. Generic implementation 3. write/read – where 4. NO -SMAP 5. but sometimes PXN
Out of Boundary  what if SMAP enabled ?  Is over ?  Read – no problem, just do not try to read from usermode   Write – you have to know where to write – relative positioned structs
kmalloc under/overflow 1. under/overflowed kmalloc 2. copy_to/from_user 3. search_exception_table for frv, but idea same 4. force copy_to/from_user fail 5. Copied just controlled bytes even in under/overflow situation!
KASLR • From win8.1 NtQuerySystemInfo is just for privileged user • /proc/kallsyms same, just for privileged ones • Need to info-leak • Read-where vuln • Abusing weak or old mechanism
KASLR  PageTable concept is old  That time no hardering needed  Crucial for performance  Timing attacks, PageFault measuring, seems doable, see recent research  A lot of static PHYSICAL addresses, KASLR weakened  MMU mechanism attacks target of recent research, and it works … http://felinemenace.org/~nemo/docs/TR-HGI-2013-001-real.pdf http://labs.bromium.com/2014/10/27/tsx-improves-timing-attacks-against-kaslr/
Part 3 -> design features (flaws)
Linked lists • nt!_list_entry / list_head • Lazy list entry assertions • Proper design ? • Manipulating next / prev outside of API ? • Hardening ? • Common member • Intrusive containers • Redirect list • pool leak && write-where • Own content && abussing algo ? http://www.k33nteam.org/blog.htm (nt!list_entry)
Kernel hidden pointers plenty of c++ alike vtables callbacks ops context func Interesting design features typecast instead of inheritance Plenty data pointers No integrity checks Plenty data structs Sensitive trusted context No hardening Plain pointers http://www.nosuchcon.org/talks/2013/ D3_02_Nikita_Exploiting_Hardcore_Pool_Corruptions_in_Microsoft_Windows_Kernel.pdf
Kernel ops by design • Callback mechanism • open / write / read … • If not implemented NULLPTR • If not implemented no call performed 1. nullptr write vuln 2. null some operation 3. Abuse scoped resource handling logic 4. pwn
Part 4 -> state of exploitation
before win8.1 POOL HARDENING SMEP SMAP PLAIN PTRS “KASLR” NtQuerySysInfo even kids … … do pwn
Era of Windows 8.1, earlier and current linux POOL HARDENING SMEP SMAP PLAIN PTRS KASLR  Cool, seems more hardening  More software security features  Access control improved  UEFI  Finally! More hardware features goes implemented SMEP/SMAP, …  SMAP still waiting in some cases ….  Exploiting coming finally challenging! BUT still kernel not hardened enough
Future of OS ? POOL HARDENING SMEP SMAP HARDENED PTRS KASLR Hardware features implemented  Strong complex access control policy Well randomized kernel space  Kicked off obsolete designs Well designed core No plain pointers Data integrity checks
Rebirth to K E R N E L Developing begins
CHANGING DIRECTION [everything is just point of view] Until now you were ATTACKER • NO MATTER HOW, but get EXEC! • hooks, patching, non-safe walkers, etc. Now you are DEVELOPER ! • Pretend to be one of them • Now you deal with KPP and others mitigations
Kernel windows DEVELOPER view ▪ In kernel, but some obstacles reminds : ▪ PsSet * Routine, ObRegisterCallbacks, etc. – Callback integrity validation! ▪ IoAttachDeviceToDeviceStack, IoQueueWorkItem – DEVICE_OBJECT* needed (own is preferable)
Kernel DEVELOPing begins [DRIVER/DEVICE_object*] ▪ Kernel loader method, or : ▪ Create your own! – IoCreateDevice – _OBJECT_HEADER + DRIVER_OBJECT
Kernel monitoring [device attaching] ▪ Attach to driver ▪ Filter : – Network communication – File system communication – …
Kernel monitoring [legacy] ▪ File System Filter Driver ▪ FAST_IO_DISPATCH – Register dropped files – Access to files – … ▪ Also minifilters are option
Kernel monitoring [IoCompletion] ▪ IoCompletion – Monitor ALPC – Used by resolving host, etc. etc. – Remote process communication – Per process
Linux, everything is a file 1. Kernel ops 2. Find in which one you are interesting in 3. Register to chain 4. cdev_add ( register_chrdev )
SELinux, SEAndroid, ACL  Kernel escape  Natural bypass  Feature : 1. Developing superuser deamon 2. does not rely on special syscalls 3. Normal application development, api … 4. Separation of responsibilities 5. Kernel – bypass policy checks 6. Daemon – provide boosted functionality to user
C++ come on … why shellcoding or pure c ?
Exploitation means developming! ▪ C++ is about compiler & you skills ▪ You think you can wrote better shellcode than compiler ?  ▪ You can code really close to assembly level – when you know your compiler ▪ c++ well maintainable, scalable, modulable ▪ Design patterns ▪ Complex frameworks http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html https://github.com/mattifestation/PIC_Bindshell (Window Shellcode in C)
Exploiting is development! ▪ Before you can write PoC for exploits as easy as hello world ▪ Things getting complex ▪ Now with same style you can end up with unreadable master piece ▪ Next time you have good time to rewriting lot of the same logic ▪ And at the end you end up with black-boxes chained together with black-magic, somehow working ▪ Something will change … start fixing black-box
Exploitation framework can be powerfull ▪ UserCode in kernel allowed! – Kernel code hidden inside binary – Fully c++ driver! ▪ Mixing User & Kernel code – just avoid direct linking imported kernel functions! – Also avoid to mixing um & km headers together in compile time ;) – Compile standalone kernel code as .lib – link kernel code .lib to exploit .exe
KERNEL as exploitation VECTOR 1. Copy whole PE to RWE kernel page  ExAllocatePool(NonPagedPoolExecute,SizeOfImage); 2. 3. Fix Rellocations 4. resolve kernel part of Import table Ready for exec with CPL0! CPL Teleport
Raise of C++, no more shellcoding! 1. Mixing user & kernel code 2. no imports 3. c++ 4. relocations 5. Dynamic loader
Raise of C++, no more shellcoding! 1. c++ kernel code 2. Compiled with user mode code 3. No Imports, but does not impact code
C++ ‘shellcoding’ framework ▪ no import table ▪ no need to handle imports by your own ▪ .py scripts set up all imports ▪ no need to code position independent code ▪ fixups resolved by loader ▪ C++ (partially also std & boost) supported ▪ no need to ship kernel code as resource, or shellcode ▪ no need to special coding style to kernel module, classical developing ▪ All features (c++, imports, fixups..) applies to kernel code as well http://www.zer0mem.sk/?p=517 http://www.hollistech.com/Resources/Cpp/kernel_c_runtime_library.htm http://www.codeproject.com/Articles/22801/Drivers-Exceptions-and-C
C++ ‘shellcoding’ framework https://github.com/k33nteam/cc-shellcoding releasing very soon @K33nTeam
materials (not listed in slides before) – http://www.codeproject.com/Articles/43586/File-System-Filter-Driver-Tutorial – www.bitnuts.de/KernelBasedMonitoring.pdf – https://projects.honeynet.org/svn/capture-hpc/capture-hpc/tags/2.5/capture-client/ KernelDrivers/CaptureKernelDrivers/FileMonitor/CaptureFileMonitor.c – http://www.osronline.com/article.cfm?article=199
Acknowledge Thanks to : jfang liac rafal wojtczuk wushi nforest NTarakanov j00ru aionescu cesarcer dan rosenberg krzywix maxim
We are hiring! ▪ #1 vulnerability research team in China – http://www.k33nteam.org/cvelist.htm – pwn2own ▪ Enjoying research ? – Mobile (Android, iOS, WP) – PC (Windows, OS X, Chrome OS, etc.) ▪ Willing to move to Shanghai ? – Beijing ? ▪ Want to join our team ? – Application security – Kernel security hr (at) keencloudtech.com
2014 - $500,000 2015 - $???????? Pick a device, name your own challenge!
follow us @K33nTeam Thank You. Q & A peter (at) keencloudtech.com

Recommended

Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
Peter Hlavaty
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
Peter Hlavaty
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
Peter Hlavaty
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patterns
Peter Hlavaty
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with Droids
Peter Hlavaty
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODE
Peter Hlavaty
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
 

Recommended

Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
Peter Hlavaty
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
Peter Hlavaty
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
Peter Hlavaty
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patterns
Peter Hlavaty
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with Droids
Peter Hlavaty
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODE
Peter Hlavaty
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowing
Peter Hlavaty
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school intro
Peter Hlavaty
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?
Peter Hlavaty
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
Peter Hlavaty
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
infodox
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMM
Positive Hack Days
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform Exploitation
Quinn Wilton
 
Packers
PackersPackers
Packers
Ange Albertini
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware style
Sander Demeester
 
Software Security : From school to reality and back!
Software Security : From school to reality and back!Software Security : From school to reality and back!
Software Security : From school to reality and back!
Peter Hlavaty
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughter
Quinn Wilton
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
zeroSteiner
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
enSilo
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
CODE BLUE
 
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
Liang Chen
 
BSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheels
infodox
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
hughpearse
 
How to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One ExploitHow to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One Exploit
Jiahong Fang
 
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
Shakacon
 

More Related Content

What's hot

Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform Exploitation
Quinn Wilton
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
CODE BLUE
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
hughpearse
 

What's hot (20)

Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowing
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school intro
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMM
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform Exploitation
 
Packers
PackersPackers
Packers
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware style
 
Software Security : From school to reality and back!
Software Security : From school to reality and back!Software Security : From school to reality and back!
Software Security : From school to reality and back!
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughter
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
 
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
 
BSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheels
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
 

Viewers also liked

50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
Shakacon
 
Desofuscando um webshell em php h2hc Ed.9
Desofuscando um webshell em php h2hc Ed.9Desofuscando um webshell em php h2hc Ed.9
Desofuscando um webshell em php h2hc Ed.9
Ricardo L0gan
 
Intrusion detection and prevention
Intrusion detection and preventionIntrusion detection and prevention
Intrusion detection and prevention
Nicholas Davis
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
EC-Council
 
Vijay Amarnath - Updated
Vijay Amarnath - UpdatedVijay Amarnath - Updated
Vijay Amarnath - Updated
Vijay Amarnath
 

Viewers also liked (20)

How to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One ExploitHow to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One Exploit
 
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
 
Digging for Android Kernel Bugs
Digging for Android Kernel BugsDigging for Android Kernel Bugs
Digging for Android Kernel Bugs
 
Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)
 
Find your own iOS kernel bug
Find your own iOS kernel bugFind your own iOS kernel bug
Find your own iOS kernel bug
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls
 
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
 
Applying Anti-Reversing Techniques to Machine Code
Applying Anti-Reversing Techniques to Machine CodeApplying Anti-Reversing Techniques to Machine Code
Applying Anti-Reversing Techniques to Machine Code
 
Desofuscando um webshell em php h2hc Ed.9
Desofuscando um webshell em php h2hc Ed.9Desofuscando um webshell em php h2hc Ed.9
Desofuscando um webshell em php h2hc Ed.9
 
Intrusion detection and prevention
Intrusion detection and preventionIntrusion detection and prevention
Intrusion detection and prevention
 
Spo2 t19 spo2-t19
Spo2 t19 spo2-t19Spo2 t19 spo2-t19
Spo2 t19 spo2-t19
 
Generic attack detection engine
Generic attack detection engineGeneric attack detection engine
Generic attack detection engine
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumeration
 
Obfuscation, Golfing and Secret Operators in Perl
Obfuscation, Golfing and Secret Operators in PerlObfuscation, Golfing and Secret Operators in Perl
Obfuscation, Golfing and Secret Operators in Perl
 
EvasionTechniques
EvasionTechniquesEvasionTechniques
EvasionTechniques
 
CSIRT_16_Jun
CSIRT_16_JunCSIRT_16_Jun
CSIRT_16_Jun
 
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsRuxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
 
Vijay Amarnath - Updated
Vijay Amarnath - UpdatedVijay Amarnath - Updated
Vijay Amarnath - Updated
 
Targeting the iOS kernel
Targeting the iOS kernelTargeting the iOS kernel
Targeting the iOS kernel
 

Similar to Attack on the Core

[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
 
Application Profiling for Memory and Performance
Application Profiling for Memory and PerformanceApplication Profiling for Memory and Performance
Application Profiling for Memory and Performance
WSO2
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerun
idsecconf
 
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
Priyanka Aash
 
OSDC 2017 | Open POWER for the data center by Werner Fischer
OSDC 2017 | Open POWER for the data center by Werner FischerOSDC 2017 | Open POWER for the data center by Werner Fischer
OSDC 2017 | Open POWER for the data center by Werner Fischer
NETWAYS
 
OSDC 2017 - Werner Fischer - Open power for the data center
OSDC 2017 - Werner Fischer - Open power for the data centerOSDC 2017 - Werner Fischer - Open power for the data center
OSDC 2017 - Werner Fischer - Open power for the data center
NETWAYS
 

Similar to Attack on the Core (20)

Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
 
Talk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopTalk 160920 @ Cat System Workshop
Talk 160920 @ Cat System Workshop
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)
 
Metasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationMetasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel Exploitation
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
 
Application Profiling for Memory and Performance
Application Profiling for Memory and PerformanceApplication Profiling for Memory and Performance
Application Profiling for Memory and Performance
 
Dockers zero to hero
Dockers zero to heroDockers zero to hero
Dockers zero to hero
 
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
Hacktivity2014: Virtual Machine Introspection to Detect and ProtectHacktivity2014: Virtual Machine Introspection to Detect and Protect
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
 
What Linux can learn from Solaris performance and vice-versa
What Linux can learn from Solaris performance and vice-versaWhat Linux can learn from Solaris performance and vice-versa
What Linux can learn from Solaris performance and vice-versa
 
Application Profiling for Memory and Performance
Application Profiling for Memory and PerformanceApplication Profiling for Memory and Performance
Application Profiling for Memory and Performance
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
 
Fuzzing_with_Xen.pdf
Fuzzing_with_Xen.pdfFuzzing_with_Xen.pdf
Fuzzing_with_Xen.pdf
 
StorageOS, Storage for Containers Shouldn't Be Annoying at Container Camp UK
StorageOS, Storage for Containers Shouldn't Be Annoying at Container Camp UKStorageOS, Storage for Containers Shouldn't Be Annoying at Container Camp UK
StorageOS, Storage for Containers Shouldn't Be Annoying at Container Camp UK
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerun
 
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
 
OSDC 2017 | Open POWER for the data center by Werner Fischer
OSDC 2017 | Open POWER for the data center by Werner FischerOSDC 2017 | Open POWER for the data center by Werner Fischer
OSDC 2017 | Open POWER for the data center by Werner Fischer
 
OSDC 2017 - Werner Fischer - Open power for the data center
OSDC 2017 - Werner Fischer - Open power for the data centerOSDC 2017 - Werner Fischer - Open power for the data center
OSDC 2017 - Werner Fischer - Open power for the data center
 

Recently uploaded

The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
heathfieldcps1
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
AnaAcapella
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
negromaestrong
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
Association for Project Management
 

Recently uploaded (20)

ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Magic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptxMagic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptx
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
Asian American Pacific Islander Month DDSD 2024.pptx
Asian American Pacific Islander Month DDSD 2024.pptxAsian American Pacific Islander Month DDSD 2024.pptx
Asian American Pacific Islander Month DDSD 2024.pptx
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 

Attack on the Core

  • 1. Attack on the Core! @zer0mem
  • 2. #whoami - Peter Hlavaty (@zer0mem) [ KEEN TEAM ]  Background  @K33nTeam  Previously ~4 years in ESET  Contact  twitter : @zer0mem  weibo : weibo.com/u/5238732594  blog : http://zer0mem.sk  src : https://github.com/zer0mem
  • 3. outline ATTACKER ▪ KernelIo tech ▪ Vulnerability cases ▪ Design features (flaws) ▪ State of targets / security DEVELOPER ▪ Point of view ▪ Goal ▪ Environment ▪ C++! no more shellcoding!
  • 4. Part 1 -> KernelIo tech
  • 5. Privileged cpl3 != cpl0 [NtQuerySystemInformation] • NtQueryInformation from win8.1 requires elevated privileges • Still callable from user mode • Driver Signing Enforcement does not like installing drivers even from privileged ones … • Privileged are enpowered with good eye sight, kernel leakage
  • 6. Read & Write boosting [windows] • write-where vuln • what => should be above read / write target • Pool address can be sufficient
  • 7. Read & Write boosting [windows]
  • 8.  KPP is not here to punish attackers  leak & write-where- (semi)what  patch & use & patch back  turned into full KernelIo  ReadFile alternative just with nt!MmUserProbeAddress Read & Write boosting http://haxpo.nl/wp-content/uploads/2014/01/ D1T2-Bypassing-Endpoint-Security-for-Fun-and-Profit.pdf [windows] https://www.dropbox.com/sh/bkfajegn2mn35ng/AABm_RyD4x9VLzYjI9n9Dl2Wa?dl=0
  • 9. Read & Write boosting [linux / droids] • leak & write-where vuln • what => should be above read / write target • nullptr / pool address can be sufficient http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-linux/
  • 10. [linux / droids]  PXN UDEREF handle it  PXN not in default build of linux  On droids ? XD  turned into full KernelIo Read & Write boosting http://vulnfactory.org/research/stackjacking-infiltrate11.pdf
  • 11. Why KernelIo ? ▪ abstraction behind virtual address ▪ what is SMAP / SMEP about ?
  • 12. MMU straigforward idea [PoC by MWR Labs] 1. choose address X with isolated page tables 1. To be sure write-where does not hit other used memory 2. mmap (X) 3. Patch S/U bits (write-where) 4. S/U bits need to patch per PXE ! 1. self ref, can help  5. cpl0 memcpy (X, shellcode) 6. Pwn (SMEP, SMAP out of the game) https://labs.mwrinfosecurity.com/blog/2014/08/15/windows-8-kernel-memory-protections-bypass/ http://fluxius.handgrep.se/2011/10/20/the-art-of-elf-analysises-and-exploitations/
  • 13. Symbolic cpl0 – cpl3 separators “ The ProbeForRead routine checks that a user-mode buffer actually resides in the user portion of the address space, and is correctly aligned. “  Ok, what about aliasing ?!  and about ret2dir approach ?  https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/kemerlis
  • 14. KERNEL- FAIL – SAFE – CHECKS  copy_to/from_user  ProbeForRead/Write  Checking just symbolic values  not cover aliasing…
  • 15. Part 2 -> cases
  • 16. Out of Boundary 1. Trivial to exploit 2. Generic implementation 3. write/read – where 4. NO -SMAP 5. but sometimes PXN
  • 17. Out of Boundary  what if SMAP enabled ?  Is over ?  Read – no problem, just do not try to read from usermode   Write – you have to know where to write – relative positioned structs
  • 18. kmalloc under/overflow 1. under/overflowed kmalloc 2. copy_to/from_user 3. search_exception_table for frv, but idea same 4. force copy_to/from_user fail 5. Copied just controlled bytes even in under/overflow situation!
  • 19. KASLR • From win8.1 NtQuerySystemInfo is just for privileged user • /proc/kallsyms same, just for privileged ones • Need to info-leak • Read-where vuln • Abusing weak or old mechanism
  • 20. KASLR  PageTable concept is old  That time no hardering needed  Crucial for performance  Timing attacks, PageFault measuring, seems doable, see recent research  A lot of static PHYSICAL addresses, KASLR weakened  MMU mechanism attacks target of recent research, and it works … http://felinemenace.org/~nemo/docs/TR-HGI-2013-001-real.pdf http://labs.bromium.com/2014/10/27/tsx-improves-timing-attacks-against-kaslr/
  • 21. Part 3 -> design features (flaws)
  • 22. Linked lists • nt!_list_entry / list_head • Lazy list entry assertions • Proper design ? • Manipulating next / prev outside of API ? • Hardening ? • Common member • Intrusive containers • Redirect list • pool leak && write-where • Own content && abussing algo ? http://www.k33nteam.org/blog.htm (nt!list_entry)
  • 23. Kernel hidden pointers plenty of c++ alike vtables callbacks ops context func Interesting design features typecast instead of inheritance Plenty data pointers No integrity checks Plenty data structs Sensitive trusted context No hardening Plain pointers http://www.nosuchcon.org/talks/2013/ D3_02_Nikita_Exploiting_Hardcore_Pool_Corruptions_in_Microsoft_Windows_Kernel.pdf
  • 24. Kernel ops by design • Callback mechanism • open / write / read … • If not implemented NULLPTR • If not implemented no call performed 1. nullptr write vuln 2. null some operation 3. Abuse scoped resource handling logic 4. pwn
  • 25.
  • 26. Part 4 -> state of exploitation
  • 27. before win8.1 POOL HARDENING SMEP SMAP PLAIN PTRS “KASLR” NtQuerySysInfo even kids … … do pwn
  • 28. Era of Windows 8.1, earlier and current linux POOL HARDENING SMEP SMAP PLAIN PTRS KASLR  Cool, seems more hardening  More software security features  Access control improved  UEFI  Finally! More hardware features goes implemented SMEP/SMAP, …  SMAP still waiting in some cases ….  Exploiting coming finally challenging! BUT still kernel not hardened enough
  • 29. Future of OS ? POOL HARDENING SMEP SMAP HARDENED PTRS KASLR Hardware features implemented  Strong complex access control policy Well randomized kernel space  Kicked off obsolete designs Well designed core No plain pointers Data integrity checks
  • 30. Rebirth to K E R N E L Developing begins
  • 31. CHANGING DIRECTION [everything is just point of view] Until now you were ATTACKER • NO MATTER HOW, but get EXEC! • hooks, patching, non-safe walkers, etc. Now you are DEVELOPER ! • Pretend to be one of them • Now you deal with KPP and others mitigations
  • 32. Kernel windows DEVELOPER view ▪ In kernel, but some obstacles reminds : ▪ PsSet * Routine, ObRegisterCallbacks, etc. – Callback integrity validation! ▪ IoAttachDeviceToDeviceStack, IoQueueWorkItem – DEVICE_OBJECT* needed (own is preferable)
  • 33. Kernel DEVELOPing begins [DRIVER/DEVICE_object*] ▪ Kernel loader method, or : ▪ Create your own! – IoCreateDevice – _OBJECT_HEADER + DRIVER_OBJECT
  • 34. Kernel monitoring [device attaching] ▪ Attach to driver ▪ Filter : – Network communication – File system communication – …
  • 35. Kernel monitoring [legacy] ▪ File System Filter Driver ▪ FAST_IO_DISPATCH – Register dropped files – Access to files – … ▪ Also minifilters are option
  • 36. Kernel monitoring [IoCompletion] ▪ IoCompletion – Monitor ALPC – Used by resolving host, etc. etc. – Remote process communication – Per process
  • 37. Linux, everything is a file 1. Kernel ops 2. Find in which one you are interesting in 3. Register to chain 4. cdev_add ( register_chrdev )
  • 38. SELinux, SEAndroid, ACL  Kernel escape  Natural bypass  Feature : 1. Developing superuser deamon 2. does not rely on special syscalls 3. Normal application development, api … 4. Separation of responsibilities 5. Kernel – bypass policy checks 6. Daemon – provide boosted functionality to user
  • 39. C++ come on … why shellcoding or pure c ?
  • 40. Exploitation means developming! ▪ C++ is about compiler & you skills ▪ You think you can wrote better shellcode than compiler ?  ▪ You can code really close to assembly level – when you know your compiler ▪ c++ well maintainable, scalable, modulable ▪ Design patterns ▪ Complex frameworks http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html https://github.com/mattifestation/PIC_Bindshell (Window Shellcode in C)
  • 41. Exploiting is development! ▪ Before you can write PoC for exploits as easy as hello world ▪ Things getting complex ▪ Now with same style you can end up with unreadable master piece ▪ Next time you have good time to rewriting lot of the same logic ▪ And at the end you end up with black-boxes chained together with black-magic, somehow working ▪ Something will change … start fixing black-box
  • 42. Exploitation framework can be powerfull ▪ UserCode in kernel allowed! – Kernel code hidden inside binary – Fully c++ driver! ▪ Mixing User & Kernel code – just avoid direct linking imported kernel functions! – Also avoid to mixing um & km headers together in compile time ;) – Compile standalone kernel code as .lib – link kernel code .lib to exploit .exe
  • 43. KERNEL as exploitation VECTOR 1. Copy whole PE to RWE kernel page  ExAllocatePool(NonPagedPoolExecute,SizeOfImage); 2. 3. Fix Rellocations 4. resolve kernel part of Import table Ready for exec with CPL0! CPL Teleport
  • 44. Raise of C++, no more shellcoding! 1. Mixing user & kernel code 2. no imports 3. c++ 4. relocations 5. Dynamic loader
  • 45. Raise of C++, no more shellcoding! 1. c++ kernel code 2. Compiled with user mode code 3. No Imports, but does not impact code
  • 46. C++ ‘shellcoding’ framework ▪ no import table ▪ no need to handle imports by your own ▪ .py scripts set up all imports ▪ no need to code position independent code ▪ fixups resolved by loader ▪ C++ (partially also std & boost) supported ▪ no need to ship kernel code as resource, or shellcode ▪ no need to special coding style to kernel module, classical developing ▪ All features (c++, imports, fixups..) applies to kernel code as well http://www.zer0mem.sk/?p=517 http://www.hollistech.com/Resources/Cpp/kernel_c_runtime_library.htm http://www.codeproject.com/Articles/22801/Drivers-Exceptions-and-C
  • 47. C++ ‘shellcoding’ framework https://github.com/k33nteam/cc-shellcoding releasing very soon @K33nTeam
  • 48. materials (not listed in slides before) – http://www.codeproject.com/Articles/43586/File-System-Filter-Driver-Tutorial – www.bitnuts.de/KernelBasedMonitoring.pdf – https://projects.honeynet.org/svn/capture-hpc/capture-hpc/tags/2.5/capture-client/ KernelDrivers/CaptureKernelDrivers/FileMonitor/CaptureFileMonitor.c – http://www.osronline.com/article.cfm?article=199
  • 49. Acknowledge Thanks to : jfang liac rafal wojtczuk wushi nforest NTarakanov j00ru aionescu cesarcer dan rosenberg krzywix maxim
  • 50. We are hiring! ▪ #1 vulnerability research team in China – http://www.k33nteam.org/cvelist.htm – pwn2own ▪ Enjoying research ? – Mobile (Android, iOS, WP) – PC (Windows, OS X, Chrome OS, etc.) ▪ Willing to move to Shanghai ? – Beijing ? ▪ Want to join our team ? – Application security – Kernel security hr (at) keencloudtech.com
  • 51. 2014 - $500,000 2015 - $???????? Pick a device, name your own challenge!
  • 52. follow us @K33nTeam Thank You. Q & A peter (at) keencloudtech.com