exploitation techniques for nt kernel
play

Exploitation techniques for NT kernel Introduction General - PowerPoint PPT Presentation

Dec 08, 2023 •147 likes •623 views

Exploitation techniques for NT kernel Adrien Adr1 Garin Exploitation techniques for NT kernel Introduction General concepts Internals Adrien Adr1 Garin Exploitation Stack overflow Integer overflow Write What Where EPITA

  1. Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Exploitation techniques for NT kernel Introduction General concepts Internals Adrien ‘Adr1’ Garin Exploitation Stack overflow Integer overflow Write What Where EPITA Shellcode CVEs CVE-2016-0040 July 14, 2016 Mitigations KASLR Integrity levels DEP/NX SMEP / SMAP CET Conclusion Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 1 / 47

  2. Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Introduction Stack overflow Integer overflow Write What Where Shellcode CVEs CVE-2016-0040 Mitigations KASLR Integrity levels DEP/NX SMEP / SMAP CET Conclusion Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 2 / 47

  3. Introduction Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction Lot of security measure in userland General concepts bypassing sandboxes Internals ring0 privileges Exploitation Stack overflow UAC bypass Integer overflow Write What Where Lots of signed drivers are vulnerable Shellcode CVEs CVE-2016-0040 Mitigations KASLR Integrity levels DEP/NX SMEP / SMAP CET Conclusion Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 3 / 47

  4. Introduction Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction An error at the kernel level = BSoD General concepts The kernel is a large and complex system Internals lots of interconnected subsystems that you have to deeply Exploitation Stack overflow understand Integer overflow less likely to be bug-free Write What Where Shellcode CVEs CVE-2016-0040 Mitigations KASLR Integrity levels DEP/NX SMEP / SMAP CET Conclusion Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 4 / 47

  5. Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation General concepts Stack overflow Integer overflow Write What Where Shellcode CVEs CVE-2016-0040 Mitigations KASLR Integrity levels DEP/NX SMEP / SMAP CET Conclusion Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 5 / 47

  6. General concepts Exploitation find the location or o ff sets of critical structures in kernel techniques for NT kernel memory Adrien ‘Adr1’ find addresses of kernel API functions Garin two possibilities for code execution Introduction code located in user space (easier) General code located in kernel space (harder but SMEP bypass) concepts Internals Exploitation Stack overflow Integer overflow Write What Where Shellcode CVEs CVE-2016-0040 Mitigations KASLR Integrity levels DEP/NX SMEP / SMAP CET Figure 1:Shellcode type overview Conclusion Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 6 / 47

  7. General concepts Exploitation techniques for NT kernel List modules Adrien ‘Adr1’ Garin PRTL_PROCESS_MODULES m = VirtualAlloc(NULL, 1024 * 1024, Introduction MEM_COMMIT, General PAGE_READWRITE); concepts Internals NtQuerySystemInformation(SystemModuleInformation, Exploitation m, 1024 * 1024, NULL); Stack overflow Integer overflow for (SIZE_T i = 0; i < m->NumberOfModules; ++i) { Write What Where Shellcode printf("Image base: %p\n", m->Modules[i].ImageBase); CVEs printf("Image name: %s\n", CVE-2016-0040 m->Modules[i].FullPathName + m->Modules[i].OffsetToFileName); Mitigations } KASLR Integrity levels DEP/NX SMEP / SMAP CET Conclusion Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 7 / 47

  8. Output Image base: FFFFF8008B683000 Exploitation techniques for Image name: ntoskrnl.exe NT kernel Adrien ‘Adr1’ Image base: FFFFF8008B610000 Garin Image name: hal.dll Introduction General Image base: FFFFF8008A005000 concepts Image name: kd.dll Internals Exploitation Image base: FFFFF8003D4C0000 Stack overflow Image name: mcupdate_GenuineIntel.dll Integer overflow Write What Where Shellcode Image base: FFFFF8003D550000 CVEs Image name: werkernel.sys CVE-2016-0040 Mitigations Image base: FFFFF8003D560000 KASLR Integrity levels Image name: CLFS.SYS DEP/NX [...] SMEP / SMAP CET Conclusion Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 8 / 47

  9. General concepts Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General Now we can load these module in user-space with LoadLibrary concepts and use GetProcAddress to compute o ff set Internals Exploitation return GetProcAddress(ntoskrnl, "NtCreateFile) - ntoskrnl; Stack overflow Integer overflow Write What Where Shellcode CVEs CVE-2016-0040 Mitigations KASLR Integrity levels DEP/NX SMEP / SMAP CET Conclusion Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 9 / 47

  10. General concepts Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Figure 2:System process Stack overflow Integer overflow Write What Where Shellcode CVEs Privilege escalation CVE-2016-0040 Elevate privileges of the user-mode process Mitigations KASLR Copy the System token and overwrite the current process Integrity levels DEP/NX access token SMEP / SMAP CET Conclusion Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 10 / 47

  11. General concepts Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction Enumerate EPROCESS structures in kernel memory General concepts find the System process Internals copy the pointer to the token structure of System to the Exploitation current process Stack overflow Integer overflow Write What Where Now the process receives the SID S-1-5-18 Shellcode CVEs CVE-2016-0040 Mitigations KASLR Integrity levels DEP/NX SMEP / SMAP CET Conclusion Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 11 / 47

  12. DACL Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin Introduction General concepts Internals Exploitation Stack overflow Integer overflow Write What Where Shellcode Figure 3:DACL CVEs CVE-2016-0040 Mitigations KASLR Discretionary access control list (DACL) Integrity levels DEP/NX Specifies who has what access to the object SMEP / SMAP CET Conclusion Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 12 / 47

  13. ACL Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin WinDbg Introduction lkd> !process 0 0 explorer.exe General PROCESS ffffe0005168a840 concepts SessionId: 1 Cid: 1690 Peb: 00b85000 ParentCid: 1664 Internals DirBase: 191e8c000 ObjectTable: ffffc001f211eb80 Exploitation Image: explorer.exe Stack overflow Integer overflow Write What Where Shellcode CVEs CVE-2016-0040 Mitigations KASLR Integrity levels DEP/NX SMEP / SMAP CET Conclusion Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 13 / 47

  14. ACL Exploitation techniques for NT kernel WinDbg Adrien ‘Adr1’ Garin lkd> !process 1690 1 Searching for Process with Cid == 1690 Introduction PROCESS ffffe0005168a840 General concepts SessionId: 1 Cid: 1690 Peb: 00b85000 ParentCid: 1664 DirBase: 191f0c000 ObjectTable: ffffc001f211eb80 Internals Image: explorer.exe Exploitation DeviceMap ffffc001dd5cd760 Stack overflow Integer overflow Token ffffc001f212a960 Write What Where [...] Shellcode CVEs CVE-2016-0040 Mitigations KASLR Integrity levels DEP/NX SMEP / SMAP CET Conclusion Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 14 / 47

  15. ACL WinDbg Exploitation techniques for lkd> !token ffffc001f212a960 NT kernel _TOKEN ffffc001f212a960 Adrien ‘Adr1’ Garin TS Session ID: 0x1 User: S-1-5-21-542871337-1692334756-291223173-1001 Introduction User Groups: General 00 S-1-5-21-542871337-1692334756-291223173-513 concepts Attributes - Mandatory Default Enabled Internals 01 S-1-1-0 Exploitation Attributes - Mandatory Default Enabled Stack overflow [...] Integer overflow Write What Where Primary Group: S-1-5-21-542871337-1692334756-291223173-513 Shellcode Privs: CVEs 19 0x000000013 SeShutdownPrivilege Attributes - CVE-2016-0040 23 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Mitigations KASLR 25 0x000000019 SeUndockPrivilege Attributes - Integrity levels 33 0x000000021 SeIncreaseWorkingSetPrivilege Attributes - DEP/NX SMEP / SMAP 34 0x000000022 SeTimeZonePrivilege Attributes - CET Conclusion Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 15 / 47

  16. ACL Exploitation techniques for NT kernel Adrien ‘Adr1’ Garin WinDbg Introduction lkd> !object ffffe0005168a840 General concepts Object: ffffe0005168a840 Type: (ffffe0004ba88480) Process ObjectHeader: ffffe0005168a810 (new version) Internals HandleCount: 14 PointerCount: 421752 Exploitation Stack overflow Integer overflow Write What Where Shellcode CVEs CVE-2016-0040 Mitigations KASLR Integrity levels DEP/NX SMEP / SMAP CET Conclusion Adrien ‘Adr1’ Garin (EPITA) Exploitation techniques for NT kernel July 14, 2016 16 / 47

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Binding the Daemon FreeBSD Kernel Stack and Heap Exploitation Patroklos (argp) Argyroudis

Binding the Daemon FreeBSD Kernel Stack and Heap Exploitation Patroklos (argp) Argyroudis

Binding the Daemon FreeBSD Kernel Stack and Heap Exploitation Patroklos (argp) Argyroudis argp@census-labs.com Outline Introduction Why target the kernel? Why target FreeBSD? Background Related work Exploitation

1.55k views • 56 slides
Kernel Exploitation via Uninitialized Stack http://people.canonical.com/~kees/defcon19/ Kees

Kernel Exploitation via Uninitialized Stack http://people.canonical.com/~kees/defcon19/ Kees

Kernel Exploitation via Uninitialized Stack http://people.canonical.com/~kees/defcon19/ Kees Cook kees.cook@canonical.com www.canonical.com DefCon 19, August 2011 20 Minutes! introduction quick Linux kernel exploitation basics

549 views • 31 slides
! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented

! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented

! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented Exploitation ! Techniques ! Demo ! Mac OS X x86_64 ! Conclusion ! Morris Worm (November 1988) ! Exploited a stack buffer overflow in BSD in.fingerd on VAX

1.02k views • 80 slides
Kernel Pool Exploitation on Windows 7 Tarjei Mandt | Black Hat DC 2011 About Me Security

Kernel Pool Exploitation on Windows 7 Tarjei Mandt | Black Hat DC 2011 About Me Security

Kernel Pool Exploitation on Windows 7 Tarjei Mandt | Black Hat DC 2011 About Me Security Researcher at Norman Malware Detection Team (MDT) Interests Vulnerability research Operating systems internals Exploit mitigations

2.17k views • 100 slides
Weird Machines on Little Robots Intro to binary exploitation on Android smartphones @f0rki

Weird Machines on Little Robots Intro to binary exploitation on Android smartphones @f0rki

Weird Machines on Little Robots Intro to binary exploitation on Android smartphones @f0rki 2013-06-06 Agenda Motivation ARM Primer Exploitation 101 Science, Bitches! Vulnerability classes Exploitation Defenses &amp; Mitigation Techniques

899 views • 51 slides
CS533 Concepts of Operating Systems Linux Kernel Locking Techniques Intro to kernel locking

CS533 Concepts of Operating Systems Linux Kernel Locking Techniques Intro to kernel locking

CS533 Concepts of Operating Systems Linux Kernel Locking Techniques Intro to kernel locking techniques (Linux) Why do we need locking in the kernel? o Which problems are we trying to solve? What implementation choices do we have? o Is

407 views • 30 slides
A Mathematical Model of Exploitation and Mitigation Techniques Using Set Theory STORM STrategic

A Mathematical Model of Exploitation and Mitigation Techniques Using Set Theory STORM STrategic

A Mathematical Model of Exploitation and Mitigation Techniques Using Set Theory STORM STrategic Offensive Research &amp; Mitigations Intel Corporation Rodrigo Branco, Kekai Hu, Henrique Kawakami , and Ke Sun. Motivation One of the most

306 views • 12 slides
Anil Kurmus kur@zurich.ibm.com IBM Research - Zurich Outline 1. Background Hardening Kernel

Anil Kurmus kur@zurich.ibm.com IBM Research - Zurich Outline 1. Background Hardening Kernel

September 2016 BalCCon 2k16 Kernel Exploitation and Hardening Why we could have nice things! (using Split Kernel) Anil Kurmus kur@zurich.ibm.com IBM Research - Zurich Outline 1. Background Hardening Kernel Vulnerabilities Kernel

1.07k views • 39 slides
Automatic Techniques to Systematically Discover New Heap Exploitation Primitives Ins Insu Yu

Automatic Techniques to Systematically Discover New Heap Exploitation Primitives Ins Insu Yu

Automatic Techniques to Systematically Discover New Heap Exploitation Primitives Ins Insu Yu Yun , Dhaval Kapil, and Taesoo Kim Georgia Institute of Technology 1 Heap vulnerabilities are the most common, yet serious security issues. %

387 views • 34 slides
FIT5124 Advanced Topics in Security Hacking Techniques III Web Browser Exploitation Ron

FIT5124 Advanced Topics in Security Hacking Techniques III Web Browser Exploitation Ron

FIT5124 Advanced Topics in Security Hacking Techniques III Web Browser Exploitation Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityHacking Techniques III Web Browser

2.56k views • 17 slides
New PHP Exploitation Techniques Johannes Dahse, PHP.RUHR 2018 Dortmund, Germany, 08.11.2018

New PHP Exploitation Techniques Johannes Dahse, PHP.RUHR 2018 Dortmund, Germany, 08.11.2018

New PHP Exploitation Techniques Johannes Dahse, PHP.RUHR 2018 Dortmund, Germany, 08.11.2018 Intro Johannes Dahse Capture The Flag, 5 years Security Consultant, 5 years Developer RIPS open source (2009-2013) Ph.D. Static Code Analysis @

856 views • 36 slides
Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Research into reliable exploitation techniques: Heap Feng Shui in JavaScript Bypassing browser

1.1k views • 48 slides
Kicking Down the Cross Domain Door Techniques for Cross Domain Exploitation Billy K Rios (BK) and

Kicking Down the Cross Domain Door Techniques for Cross Domain Exploitation Billy K Rios (BK) and

Kicking Down the Cross Domain Door Techniques for Cross Domain Exploitation Billy K Rios (BK) and Raghav Dube Tabbed Browsing Rich Content Mash-ups Cookies JSON Ajax Implication of Cross Domain Attacks Implication of Cross Domain Attacks

580 views • 31 slides
Combating the Advanced Memory Exploitation Techniques: Detecting ROP with Memory Information Leak

Combating the Advanced Memory Exploitation Techniques: Detecting ROP with Memory Information Leak

Combating the Advanced Memory Exploitation Techniques: Detecting ROP with Memory Information Leak nEINEI, Research Scientist @ McAfee Labs Chong Xu, Director of IPS Research @ McAfee Labs CanSecWest2014 March 20, 2014 Bio nEINEI

546 views • 31 slides
Kernel Testing: Tool and Techniques Matt Porter Texas Instruments 21 February 2013 Overview

Kernel Testing: Tool and Techniques Matt Porter Texas Instruments 21 February 2013 Overview

Kernel Testing: Tool and Techniques Matt Porter Texas Instruments 21 February 2013 Overview Why? Frameworks Lab Tools Tools Techniques (or Test Cases) What Else? It's a BOF! This is an interactive session I want

358 views • 18 slides
Unleashing Use-After-Free Vulnerabilities in Linux Kernel Wen Xu , Juanru Li, Junliang Shu, Wenbo

Unleashing Use-After-Free Vulnerabilities in Linux Kernel Wen Xu , Juanru Li, Junliang Shu, Wenbo

From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel Wen Xu , Juanru Li, Junliang Shu, Wenbo Yang, Tianyi Xie, Yuanyuan Zhang, Dawu Gu Group of Software Security In Progress Lab of Cryptology and Computer

584 views • 25 slides
Trusted Components Bertrand Meyer Lecture 9: Testing Object-Oriented Software Ilinca Ciupa

Trusted Components Bertrand Meyer Lecture 9: Testing Object-Oriented Software Ilinca Ciupa

Trusted Components Bertrand Meyer Lecture 9: Testing Object-Oriented Software Ilinca Ciupa Chair of Software Engineering Agenda for today 2 Introduction What is software testing? Why do we need software testing? Testing

1.05k views • 58 slides
Towards safer Concurrent Device Drivers Making Safer Concurrent Device Drivers. Modeling RMoX

Towards safer Concurrent Device Drivers Making Safer Concurrent Device Drivers. Modeling RMoX

Concurrent Device Drivers Martin Ellis Motivation Towards safer Concurrent Device Drivers Making Safer Concurrent Device Drivers. Modeling RMoX Drivers in CSP Previous Work The Problem Our Technique Resource Driver Martin Ellis

605 views • 32 slides
Dynamic HTML 5 using jQuery for Perl Devs Pete Krawczyk June 14, 2012 1 Get it early:

Dynamic HTML 5 using jQuery for Perl Devs Pete Krawczyk June 14, 2012 1 Get it early:

Get it early: http://bit.ly/htmljspp Dynamic HTML 5 using jQuery for Perl Devs Pete Krawczyk June 14, 2012 1 Get it early: http://bit.ly/htmljspp Intro My name: Pete Krawczyk My job: Developer for book wholesaler You know: Perl,

734 views • 48 slides
TheReleaseofProofofConcept CodeintotheWild An exploit

TheReleaseofProofofConcept CodeintotheWild An exploit

TheReleaseofProofofConcept CodeintotheWild An exploit isapieceofsoftware,achunkof data,orsequenceofcommandsthattake

398 views • 24 slides
Taxing Carbon along the Value Chain. A WIOD CGE Application. Oliver Schenker, Simon Koesler,

Taxing Carbon along the Value Chain. A WIOD CGE Application. Oliver Schenker, Simon Koesler,

Motivation WIOD CGE Model Simulation Results Conclusion www.zew.de www.zew.eu Taxing Carbon along the Value Chain. A WIOD CGE Application. Oliver Schenker, Simon Koesler, Andreas Lschel Zentrum fr Europische Wirtschaftsforschung

610 views • 16 slides
Partial Evaluation Dr. Mattox Beckman University of Illinois at Urbana-Champaign Department of

Partial Evaluation Dr. Mattox Beckman University of Illinois at Urbana-Champaign Department of

Introduction Interpreters and Compilers Partial Evaluation Dr. Mattox Beckman University of Illinois at Urbana-Champaign Department of Computer Science Introduction Interpreters and Compilers Objectives You should be able to... Explain

300 views • 13 slides
Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke Cryptography and

Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke Cryptography and

Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke Cryptography and Computeralgebra, Department of Computer Science, Technische Universit at Darmstadt, Germany, fstrenzke@crypto-source.de April 13, 2015 Fast and

494 views • 38 slides
Acumen A Cyber-Physical (CPS) Modeling Language Rigorous Simulation Walid Taha Halmstad

Acumen A Cyber-Physical (CPS) Modeling Language Rigorous Simulation Walid Taha Halmstad

Acumen A Cyber-Physical (CPS) Modeling Language Rigorous Simulation Walid Taha Halmstad University and Rice University Rigorous Simulation Aaron Ames, Kevin Atkinson , Jerker Bengtsson, Raktim Bhattacharya, Paul Brauner, Robert Cartwright,

887 views • 44 slides

More recommend