LPE vulnerabilities exploitation on Windows 10 Anniversary Update

More documents

Recommendations

Info

Windows 10 KASLR Improvements • Windows 10 Anniversary update contains many new exploit mitigations. • Windows Kernel KASLR Updates for 10 x64 only. • We’ll focus on KASLR Improvements. • We will describe bypass of GDI objects addresses mitigation (PEB.GDISharedHandleTable doesn’t disclose GDI objects addresses after update).
GDI handle table before updates • GDI objects - Bitmap, Brush, Pen, DC, Font .. etc • Every GDI object must be added to the handle table after creation. • Every object in handle table described by following structure • typedef struct { PVOID64 pKernelAddress; USHORT wProcessId; USHORT wCount; USHORT wUpper; USHORT wType; PVOID64 pUserAddress; } GDICELL64; • Handle table pointer saved in win32k variable gpentHmgr in kernel mode. • Pointer to GDICELL array is located in PEB.GdiSharedHandleTable in usermode. • So, we could get GDI objects kernel addresses from usermode by PEB.GdiSharedHandleTable.
Page 1: LPE vulner
Page 5 and 6: Usage of GDI objects addresses •
Page 7 and 8: GDI handle management after updates
Page 9 and 10: BYPASS METHODS
Page 11 and 12: Allocation of GDI and USER objects
Page 13 and 14: Objects/structures in Desktop heap
Page 15 and 16: Bypass methods Our methods are base
Page 17 and 18: Arbitrary read/write via USER objec
Page 19 and 20: • Arbitrary read Arbitrary read v
Page 21 and 22: Arbitrary write via USER objects BO
Page 23 and 24: Read/Write address corrections •
Page 25 and 26: Arbitrary read/write via user objec
Page 27 and 28: • Preparing memory and use old SU
Page 29 and 30: GDI structure address leak Getting
Page 31 and 32: Getting address of tagCLS.pdce We c
Page 33 and 34: Getting address of tagCLS.lpszMenuN
Page 35 and 36: Useful objects/structures in GDI po
Page 37 and 38: tagCLS.lpszMenuName spray advantage
Page 39 and 40: DEMO
Page 41 and 42: QUESTIONS?

LPE vulnerabilities exploitation on Windows 10 Anniversary Update

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?