SlideShare uma empresa Scribd logo

GDI Font Fuzzing in Windows Kernel For Fun

M
michelemanzotti
TecnologiaArte e fotografia
1 de 65
Baixar para ler offline
GDI Font Fuzzing in Windows  Kernel for Fun Kernel for Fun Lee Ling Chuan & Chan Lee Yee Ministry of Science, Technology and Innovation
Agenda • Introduction • TrueType Font (.TTF) • TTF Fuzzer • Exploit Demonstration – MS11‐087 • Microsoft Windows Bitmapped font (.fon) Microsoft Windows Bitmapped font ( fon) • FON Fuzzer (by Byoungyoung Lee) with some  modification • Exploit Demonstration – MS11‐077  3/16/2012 2
Introduction • Two groups of categories are exist: o g oups o catego es a e e st: a. GDI Fonts b. Device Fonts b. Device Fonts • GDI fonts which are based in Windows consists of  three types: yp a. raster b. Vector c. TrueType & OpenType Reference: http://msdn.microsoft.com/en‐us/library/dd162893(v=vs.85).aspx Reference: http://msdn microsoft com/en us/library/dd162893(v=vs 85) aspx 3/16/2012 3
Introduction… • Raster fonts: a glyph is a bitmap that uses to Raster fonts: a glyph is a bitmap that uses to  draw a single character in the font • Vector fonts: a glyph is a collection of line Vector fonts: a glyph is a collection of line  endpoints that define the line segments and  uses to draw a character in the font uses to draw a character in the font • TrueType & OpenType fonts: a glyph is a  collection of line and curve commands as well  ll i f li d d ll as a collection of hints 3/16/2012 4
TrueType Fonts (.TTF) TrueType Fonts (.TTF) • TrueType font file contains data, in table TrueType font file contains data, in table  format, that compromises an outline font  • The outlines of glyphs in TrueType fonts are The outlines of glyphs in TrueType fonts are  made of straight line segments and quadratic  Bézier curves • The Windows scale these fonts to any size  using the hints inside the TTF file. • Hints included in TTF files and are used to  correct oversights 3/16/2012 5
TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • TTF table is designed to keep the entire glyph TTF table is designed to keep the entire glyph  data in various table: a. EBDT: Embedded Bitmap Data Table a EBDT: Embedded Bitmap Data Table b. EBLC: Embedded Bitmap Location Table c. EBSC: Embedded Bitmap Scaling Table EBSC E b dd d Bit S li T bl • The rasterizer uses combination of data from  differents to render the glyph data in the font diff t t d th l h d t i th f t Reference: TrueType 1.0 Font File, Technical Specification Revision 1.66 August 1995 Microsoft R f T T 10F Fil T h i l S ifi i R i i 1 66 A 1995 Mi f 3/16/2012 6
TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • TrueType embedded bitmaps are also called TrueType embedded bitmaps are also called  ‘scaler bitmaps’ or ‘sbits’ • A set of bitmaps for a face at a given size is A set of bitmaps for a face at a given size is  called a strike 3/16/2012 7
TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… .TTF Font Structure TTF Font Structure 3/16/2012 8
TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • EBDT – Embedded Bitmap Data Table: EBDT  Embedded Bitmap Data Table: a. EBDT table stores the glyph bitmap data.  b. The ‘EBDT’ table begins with a header  b h ‘ ’ bl b i ih h d containing simply the table version number c. The rest of the ‘EBDT’ table is a collection of  bitmap data bitmap data 3/16/2012 9
TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… EBDT Table Structure EBDT Table Structure 3/16/2012 10
TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • EBLC – Embedded Bitmap Location Table: a. The ‘EBLC’ table identifies the sizes and glyph  range of the sbits, and keeps offsets to glyph  bitmap data in indexSubTables bit d t i i d S bT bl b. The ‘EBLC’ table begins with a header  (eblcHeader) containing the table version and  (eblcHeader) containing the table version and number of strikes. c. The eblcHeader is followed by the  bitmapSizeTable array(s) d. Each strike is defined by one bitmapSizeTable 3/16/2012 11
TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… EBLC Table Structure 3/16/2012 12
TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • EBSC – Embedded Bitmap Scaling Table: p g a. The ‘EBSC’ table allows a font to define a  bitmap strike as a scaled version of another strike b. The table begins with a header (ebscHeader)  containing the table version and number of strikes c. The ebscHeader is followed immediately by the  bitmapScaleTable array. The numSizes in the  ebscHeader indicates the number of  b H d i di t th b f bitmapScaleTables in the array d. Each strike is defined by one bitmapScaleTable d Each strike is defined by one bitmapScaleTable 3/16/2012 13
TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… EBSC Table Structure 3/16/2012 14
TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • Glyph Data (glyf) a. This table contains information that  a This table contains information that describes the glyphs in the font b. Table provides instructions for each of the following   tasks: ‐ Pushing data onto the interpreter stack ‐ managing the Storage Area managing the Storage Area ‐ managing the Control Value Table ‐ modifying Graphics State settings y g p g ‐ Managing outlines ‐ General purpose instructions 3/16/2012 15
TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • TrueType instructions are uniquely specified by  their opcodes.  th i d GLYFDirectoryEntry ‐>  DataGLYFData[x+1]‐> SimpleGLYFData[x]‐> instructions • Examples: Pushing data onto the interpreter stack – function[0xB0]: itrp_PUSHB1 p_ – function[0xB8]: itrp_PUSHW1 3/16/2012 16
TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • Examples: Managing the flow of control ‐ f ti [0 1C] it JMPR function[0x1C]: itrp_JMPR ‐ function[0x1F]: itrp_LSW ‐ function[0x78]: itrp JROT function[0x78]: itrp_JROT • Examples: Managing the stack ‐ function[0x20]: itrp_DUP ‐ function[0x23]: itrp_SWAP • Examples: Managing the Storage Area ‐ function[0x43]: itrp RS function[0x43]: itrp_RS ‐ function[0x42]: itrp_WS 3/16/2012 17
TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • Examples: Managing the Control Value Table ‐ function[0x44]: itrp_WCVT ‐ function[0x45]: itrp_RCVT • Examples: Managing the Graphics State Examples: Managing the Graphics State ‐ function[0x4D]: itrp_FLIPON ‐ function[0x4E]: itrp_FLIPOFF • Examples: Arithmetic Functions ‐ function[0x60]: itrp_ADD ‐ function[0x61]: itrp SUB function[0x61]: itrp_SUB Reference: Chapter Appendix B, TrueType 1.0 Font File, Technical Specification Revision 1.66 August 1995  Microsoft 3/16/2012 18
TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • Important info (1) in exploitation: Important info (1) in exploitation: structure fnt_GlobalGraphicStateType{ stackBase; / the stack area  /*the stack area store; /*the storage area controlValueTable; /*the control value table …… int8 non90DegreeTransformation /*bit0: 1 if non‐90 degree /*bit 1:1 if x scale not equal y scale …… unit16 cvtCount; } fnt_GlobalGraphicStateType; 3/16/2012 19
TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • Important info (2) in exploitation: p ( ) p ‐ function ‘itrp_InnerExecute’ as the disassembler  engine to process Glyph Data and map to correct  TrueType instructions TrueType instructions • fnt_GlobalGraphicStateType: +0 : stackBase +0 : stackBase +4: store +8: controlValueTable +8: controlValueTable +90h: non90DegreeTransformation +134h: cvtCount 3/16/2012 20
TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… The TrueType Instruction Set 3/16/2012 21
TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… itrp_InnerExecute Glyph data in hexadicimal format 3/16/2012 22
TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… itrp_InnerExecute Glyph data in hexadicimal format 3/16/2012 23
TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… itrp_InnerExecute ;Function[0xB0]: itrp_PUSHB1 ;’00’ is parameter of the instruction Glyph data in hexadicimal format 3/16/2012 24
TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… itrp_PUSHB1 ;ecx: parameter ‘00’ ;esi: pointer structure fnt_GlobalGraphicStateType+0 Glyph data in hexadicimal format 3/16/2012 25
TTF Fuzzer TTF Fuzzer • TTF font fuzzer is created to fuzz the TTF font into  different sizes • In GDI, we can create a font by: a. filling in a LOGFONT structure  b. calling ‘CreateFontIndirect’ which returns a  font handle (HFONT)   c. Work with fonts at a lower level through font  W k ith f t t l l l th hf t APIs: GetFontData, GetGlyphIndices, ExtTextOut  _ _ with ETO_GLYPH_INDEX flag g Reference: http://blogs.msdn.com/b/text/archive/2009/04/15/introducing‐the‐ directwrite‐font‐system.aspx 3/16/2012 26
TTF Fuzzer TTF Fuzzer • The overall process of the fuzzer: a. automating the installation of the crafted  a automating the installation of the crafted font in ‘C:WINDOWSFonts’ folder htr=windll.gdi32.AddFontResourceExA(fileFont, FR_PRIVATE, None)  h dll d dd (f l ) b. Register a window class and creating a new  window to automate the display of the font  window to automate the display of the font text in a range of font size c. Remove the fonts in  C:WINDOWSFonts c Remove the fonts in ‘C:WINDOWSFonts’  folder windll.gdi32.RemoveFontResourceExW(fileFont, FR_PRIVATE, None) windll.gdi32.RemoveFontResourceExW(fileFont, FR PRIVATE, None) 3/16/2012 27
TTF Fuzzer TTF Fuzzer • A range of font size lf=win32gui.LOGFONT() for fontsize in range (0, 100, 1): lf.lfHeight=fontsize lf.lfFaceName="Dexter" lf.lfWidth=0 lf lf d h lf.lfEscapement=0 lf.lfOrientation=0 lf.lfWeight=FW_NORMAL lf lfWeight=FW NORMAL lf.lfItalic=False lf.lfUnderline=False lf.lfStrikeOut False lf lfStrikeOut=False lf.lfCharSet=DEFAULT_CHARSET lf.lfOutPrecision=OUT_DEFAULT_PRECIS f f p _ _ lf.lfClipPrecision=CLIP_DEFAULT_PRECIS lf.lfPitchAndFamily=DEFAULT_PITCH|FF_DONTCARE 3/16/2012 28
TTF Fuzzer TTF Fuzzer • Calling physical font APIs and display the  font text font text windll.gdi32.ExtTextOutW( hdc, 5, 5, ETO_GLYPH_INDEX, None, var1, var1 len(var1), None) 3/16/2012 29
TTF Fuzzer TTF Fuzzer 3/16/2012 30
Exploit MS11 087 Exploit MS11‐087 3/16/2012 31
Exploit MS11 087 Exploit MS11‐087 Name Value Description EBSC.bitmapScaleTable[0].ppemX 0x004 Target horizontal pixels per Em EBSC.bitmapScaleTable[0].ppemY 0x004 Target vertical pixels per Em EBLC.bitmapSizeTable[5].ppemX 0x001 Horizontal pixels per Em EBLC.bitmapSizeTable[5].ppemY EBLC bit Si T bl [5] Y 0x001 Vertical pixels per Em 0 001 V ti l i l E EBDT.bitmapData.EbdtFormat8[11]. 0x001 Number of rows of data smallMetrics.height EBDT.bitmapData.EbdtFormat8[11]. 0x0ff Number of columns of data smallMetrics.width EBDT.bitmapData.EbdtFormat8[11]. 0x040 Position of component left ebdtComponent[0].xOffset EBDT.bitmapData.EbdtFormat8[11]. 0x052 Position of component top ebdtComponent[0].yOffset Important info in exploitation 3/16/2012 32
Exploit MS11 087 Exploit MS11‐087 • usScaleWidth =(EBLC.ppemX+((EBSC.ppemX*2)* EBDT.width))/(2 EBLC.ppemX) EBDT.width))/(2*EBLC.ppemX) =(0x001+((0x004*2)*0x0ff))/(2*0x001) = (0x001+0x7F8)/(0x002) (0 001 0 7F8)/(0 002) = 0x03FC 3/16/2012 33
Exploit MS11 087 Exploit MS11‐087 • usScaleHeight = usScaleHeight =  (EBLC.ppemY+((EBSC.ppemY*2)*EBDT.height)) /(2 EBLC.ppemY) /(2*EBLC ppemY) =(0x001+0x008)/(0x002) = 0x0004 0 0004 3/16/2012 34
Exploit MS11 087 Exploit MS11‐087 • usScaleRowBytes =((usScaledWidth+0x1F)>>3)&(0xFFFC) = ((0x03FC+0x1F)>>3)& (0xFFFC) ((0 03 C 0 ) 3)& (0 C) = (0x85)&(0xFFFC) = 0x80 3/16/2012 35
Exploit MS11 087 Exploit MS11‐087 • usOriginalRowBytes usOriginalRowBytes  = ((EBDT.width+0x1F)>>3)&(0xFFFC) = ((0x0FF+0x1F)>>3)&(0xFFFC) ((0 0 0 ) 3)&(0 C) = 0x20 3/16/2012 36
Exploit MS11 087 Exploit MS11‐087 • Byte of scaling bitmap data Byte of scaling bitmap data =usScaleHeight*usScaleRowBytes = 0x004 0x080 = 0x004*0x080 = 0x200 • R Required byte of scaling bitmap data offset i db t f li bit d t ff t = (EBDT.yOffset)*(usOriginalRowBytes) = 0x52*0x20 = 0x0A40 3/16/2012 37
Exploit MS11 087 Exploit MS11‐087 structure fnt_GlobalGraphicStateType{ stackBase; /*the stack area  store; / the storage area /*the storage area controlValueTable;    /*the control value table …… int8 non90DegreeTransformation  …… unit16 cvtCount; } fnt_GlobalGraphicStateType; BEFORE AFTER 3/16/2012 38
Exploit MS11 087 Exploit MS11‐087 structure fnt_GlobalGraphicStateType{ stackBase; /*the stack area  store; / the storage area /*the storage area controlValueTable;    /*the control value table …… int8 non90DegreeTransformation  …… unit16 cvtCount; } fnt_GlobalGraphicStateType; BEFORE AFTER 3/16/2012 39
Exploit MS11 087 Exploit MS11‐087 fnt_GlobalGraphicStateType+134h  (cvtCount) BEFORE AFTER 3/16/2012 40
Exploit MS11 087 Exploit MS11‐087 3/16/2012 41
Exploit MS11 087 Exploit MS11‐087 3/16/2012 42
Exploit MS11 087 Exploit MS11‐087 ecx: value ‘stackBase+0’ edx: value Control Value Table 3/16/2012 43
Exploit MS11 087 Exploit MS11‐087 3/16/2012 44
Exploit MS11 087 Exploit MS11‐087 3/16/2012 45
Exploit MS11 087 Exploit MS11‐087 Perfectly jump into  Perfectly jump into the shellcode 3/16/2012 46
Demonstration 3/16/2012 47
Microsoft Windows Bitmapped Font  (.fon) (f ) • Microsoft Windows Bitmapped Fonts (.fon) Microsoft Windows Bitmapped Fonts (.fon)  come in two different types:  a. New Executable NE (old format used by  a. New Executable NE (old format used by Windows 3)NE  b. Portable Executable PE (new 32bit  b. Portable Executable PE (new 32bit executable format used in Windows 95 and  above) Note: Can’t find any complete documentation of Microsoft Windows Bitmapped Font. If you have  any, share with me ☺!! 3/16/2012 48
FON FUZZER FON FUZZER • .FON fuzzer consits of 2 files: a. mkwinfont.py k f ‐ written and/or maintained by Simon  Tatham ‐ python script generates NE fon files only python script generates NE .fon files only  b. fuzzer.py  ‐ written by Byoungyoung Lee i b ‐ fuzz the .fon in different width, height 3/16/2012 49
FON FUZZER FON FUZZER • Some modification: a. mkwinfont.py k i f value = string.atol(w, 16) ;support hexadecimal b. fuzzer.py if width ! 0: if width != 0: for j in range(height): fdStr += "A"*width + "n“ fdStr += "n" fd " " 3/16/2012 50
FON FUZZER FON FUZZER 3/16/2012 51
Exploit MS11 077 Exploit MS11‐077 • Discovered by Byoungyoung Lee Discovered by Byoungyoung Lee • BSOD: BAD_POOL_HEADER(19) Interesting bug but based on the analysis,  i b b b d h l i there is very difficult to bypass the ‘safe  unlinking’ in windows kernel pool li ki ’ i i d k l l • BSOD: DRIVER_OVERRAN_STACK_BUFFER(f7) Possible to bypass the Stack‐Canary in Kernel  Land 3/16/2012 52
Exploit MS11 077 Exploit MS11‐077 win32k!BmfdOpenFontContext ;.Fon width=498 (0x1F2) ; eax=(0x1F2)*5=0x9ba 3/16/2012 53
Exploit MS11 077 Exploit MS11‐077 win32k!BmfdOpenFontContext ;the ‘EngAllocMem’ function allocates a block of memory (0x160) and inserts  ;a  ‘Bmfd’ pool tag before the allocation  3/16/2012 54
Exploit MS11 077 Exploit MS11‐077 3/16/2012 55
Exploit MS11 077 Exploit MS11‐077 ;Font data ‘aa’ will process and the result as index to read from the following array: a. _awStretch5W1 a. awStretch5W1 b. _BFA10171 c. _awStretch5W2 d. _BFA10191 e. _ajStretch5B1   jS h5B1 3/16/2012 56
Exploit MS11 077 Exploit MS11‐077 3/16/2012 57
Exploit MS11 077 Exploit MS11‐077 Overwrite 3 bytes in  next pool header lh d 3/16/2012 58
Limitation of Exploit MS11 077 Limitation of Exploit MS11‐077 win32k!vStretchGlyphBitmap 3/16/2012 59
Limitation of Exploit MS11 077 Limitation of Exploit MS11‐077 win32k!vStretchGlyphBitmap 3/16/2012 60
Exploit MS11 077 Exploit MS11‐077 3/16/2012 61
Exploit MS11 077 (another try) Exploit MS11‐077 (another try) 3/16/2012 62
Exploit MS11 077 Exploit MS11‐077 Possible to bypass Kernel Canary in Kernel Land??  Possible to bypass Kernel Canary in Kernel Land?? gave up without detail testing 3/16/2012 63
Demonstration 3/16/2012 64
Thank You Credit to: jvjvlglg, Byoungyoung Lee &  Tarjei Mandt 3/16/2012 65

Recomendados

8086 microprocessor-architecture
8086 microprocessor-architecture8086 microprocessor-architecture
8086 microprocessor-architectureprasadpawaskar
 
The 8086 microprocessor
The 8086 microprocessorThe 8086 microprocessor
The 8086 microprocessorAdarsh College, Hingoli
 
Symbolic instructions for 8086 micro processor
Symbolic instructions for 8086 micro processorSymbolic instructions for 8086 micro processor
Symbolic instructions for 8086 micro processorSaurabh Mehta
 
8086microprocessor 130821100244-phpapp02
8086microprocessor 130821100244-phpapp028086microprocessor 130821100244-phpapp02
8086microprocessor 130821100244-phpapp02raone1989
 
8086microprocessor 130821100244-phpapp02
8086microprocessor 130821100244-phpapp028086microprocessor 130821100244-phpapp02
8086microprocessor 130821100244-phpapp02Murad Mondol
 
5bit field
5bit field5bit field
5bit fieldFrijo Francis
 
8086 microprocessor-architecture-120207111857-phpapp01
8086 microprocessor-architecture-120207111857-phpapp018086 microprocessor-architecture-120207111857-phpapp01
8086 microprocessor-architecture-120207111857-phpapp01jemimajerome
 
SAURABH MITRA-8086 MICROPROCESSOR
SAURABH MITRA-8086 MICROPROCESSORSAURABH MITRA-8086 MICROPROCESSOR
SAURABH MITRA-8086 MICROPROCESSORSAURABH MITRA
 

Recomendados

8086 microprocessor-architecture
8086 microprocessor-architecture8086 microprocessor-architecture
8086 microprocessor-architectureprasadpawaskar
 
The 8086 microprocessor
The 8086 microprocessorThe 8086 microprocessor
The 8086 microprocessorAdarsh College, Hingoli
 
Symbolic instructions for 8086 micro processor
Symbolic instructions for 8086 micro processorSymbolic instructions for 8086 micro processor
Symbolic instructions for 8086 micro processorSaurabh Mehta
 
8086microprocessor 130821100244-phpapp02
8086microprocessor 130821100244-phpapp028086microprocessor 130821100244-phpapp02
8086microprocessor 130821100244-phpapp02raone1989
 
8086microprocessor 130821100244-phpapp02
8086microprocessor 130821100244-phpapp028086microprocessor 130821100244-phpapp02
8086microprocessor 130821100244-phpapp02Murad Mondol
 
5bit field
5bit field5bit field
5bit fieldFrijo Francis
 
8086 microprocessor-architecture-120207111857-phpapp01
8086 microprocessor-architecture-120207111857-phpapp018086 microprocessor-architecture-120207111857-phpapp01
8086 microprocessor-architecture-120207111857-phpapp01jemimajerome
 
SAURABH MITRA-8086 MICROPROCESSOR
SAURABH MITRA-8086 MICROPROCESSORSAURABH MITRA-8086 MICROPROCESSOR
SAURABH MITRA-8086 MICROPROCESSORSAURABH MITRA
 
Intel 8086
Intel 8086Intel 8086
Intel 8086Vatsal Dave
 
Intel 8086
Intel 8086Intel 8086
Intel 8086Sanjeev Kumar
 
INTEL 8086 MICROPROCESSOR
INTEL 8086 MICROPROCESSORINTEL 8086 MICROPROCESSOR
INTEL 8086 MICROPROCESSORSagar Kuntumal
 
3 organization of intel 8086
3 organization of intel 80863 organization of intel 8086
3 organization of intel 8086ELIMENG
 
8086 Microprocessor
8086 Microprocessor8086 Microprocessor
8086 MicroprocessorMd.Galib Hossain
 
Things to Remember When Developing 64-bit Software
Things to Remember When Developing 64-bit SoftwareThings to Remember When Developing 64-bit Software
Things to Remember When Developing 64-bit SoftwareAndrey Karpov
 
intel 8086 introduction
intel 8086 introductionintel 8086 introduction
intel 8086 introductionHomoud Alsohaibi
 
Lecture2
Lecture2Lecture2
Lecture2misgina Mengesha
 
26677766 8086-microprocessor-architecture-110905125037-phpapp02
26677766 8086-microprocessor-architecture-110905125037-phpapp0226677766 8086-microprocessor-architecture-110905125037-phpapp02
26677766 8086-microprocessor-architecture-110905125037-phpapp02Avijeet Negel
 
Intel Hex File for PIC18 and PIC18 trainer design
Intel Hex File for PIC18 and PIC18 trainer design Intel Hex File for PIC18 and PIC18 trainer design
Intel Hex File for PIC18 and PIC18 trainer design raosandy11
 
Embedded C - Lecture 4
Embedded C - Lecture 4Embedded C - Lecture 4
Embedded C - Lecture 4Mohamed Abdallah
 
8086 class notes-Y.N.M
8086 class notes-Y.N.M8086 class notes-Y.N.M
8086 class notes-Y.N.MDr.YNM
 
Flagsregistor
Flagsregistor Flagsregistor
Flagsregistor maamir farooq
 
8086 microprocessor
8086 microprocessor8086 microprocessor
8086 microprocessorganeshbehera6
 
(2) collections algorithms
(2) collections algorithms(2) collections algorithms
(2) collections algorithmsNico Ludwig
 
Kettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleKettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleDefconRussia
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
0-knowledge fuzzing
0-knowledge fuzzing0-knowledge fuzzing
0-knowledge fuzzingVincenzo Iozzo
 
Fuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsFuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsPawel Rzepa
 
Less-Dumb Fuzzing and Ruby Metaprogramming
Less-Dumb Fuzzing and Ruby MetaprogrammingLess-Dumb Fuzzing and Ruby Metaprogramming
Less-Dumb Fuzzing and Ruby MetaprogrammingNephi Johnson
 
FUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGFUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGMuH4f1Z
 
Theory1&2
Theory1&2Theory1&2
Theory1&2Dr.M.Karthika parthasarathy
 

Mais conteúdo relacionado

Mais procurados

INTEL 8086 MICROPROCESSOR
INTEL 8086 MICROPROCESSORINTEL 8086 MICROPROCESSOR
INTEL 8086 MICROPROCESSORSagar Kuntumal
 
3 organization of intel 8086
3 organization of intel 80863 organization of intel 8086
3 organization of intel 8086ELIMENG
 
Things to Remember When Developing 64-bit Software
Things to Remember When Developing 64-bit SoftwareThings to Remember When Developing 64-bit Software
Things to Remember When Developing 64-bit SoftwareAndrey Karpov
 
26677766 8086-microprocessor-architecture-110905125037-phpapp02
26677766 8086-microprocessor-architecture-110905125037-phpapp0226677766 8086-microprocessor-architecture-110905125037-phpapp02
26677766 8086-microprocessor-architecture-110905125037-phpapp02Avijeet Negel
 
Intel Hex File for PIC18 and PIC18 trainer design
Intel Hex File for PIC18 and PIC18 trainer design Intel Hex File for PIC18 and PIC18 trainer design
Intel Hex File for PIC18 and PIC18 trainer design raosandy11
 
8086 class notes-Y.N.M
8086 class notes-Y.N.M8086 class notes-Y.N.M
8086 class notes-Y.N.MDr.YNM
 
(2) collections algorithms
(2) collections algorithms(2) collections algorithms
(2) collections algorithmsNico Ludwig
 

Mais procurados (15)

Intel 8086
Intel 8086Intel 8086
Intel 8086
 
Intel 8086
Intel 8086Intel 8086
Intel 8086
 
INTEL 8086 MICROPROCESSOR
INTEL 8086 MICROPROCESSORINTEL 8086 MICROPROCESSOR
INTEL 8086 MICROPROCESSOR
 
3 organization of intel 8086
3 organization of intel 80863 organization of intel 8086
3 organization of intel 8086
 
8086 Microprocessor
8086 Microprocessor8086 Microprocessor
8086 Microprocessor
 
Things to Remember When Developing 64-bit Software
Things to Remember When Developing 64-bit SoftwareThings to Remember When Developing 64-bit Software
Things to Remember When Developing 64-bit Software
 
intel 8086 introduction
intel 8086 introductionintel 8086 introduction
intel 8086 introduction
 
Lecture2
Lecture2Lecture2
Lecture2
 
26677766 8086-microprocessor-architecture-110905125037-phpapp02
26677766 8086-microprocessor-architecture-110905125037-phpapp0226677766 8086-microprocessor-architecture-110905125037-phpapp02
26677766 8086-microprocessor-architecture-110905125037-phpapp02
 
Intel Hex File for PIC18 and PIC18 trainer design
Intel Hex File for PIC18 and PIC18 trainer design Intel Hex File for PIC18 and PIC18 trainer design
Intel Hex File for PIC18 and PIC18 trainer design
 
Embedded C - Lecture 4
Embedded C - Lecture 4Embedded C - Lecture 4
Embedded C - Lecture 4
 
8086 class notes-Y.N.M
8086 class notes-Y.N.M8086 class notes-Y.N.M
8086 class notes-Y.N.M
 
Flagsregistor
Flagsregistor Flagsregistor
Flagsregistor
 
8086 microprocessor
8086 microprocessor8086 microprocessor
8086 microprocessor
 
(2) collections algorithms
(2) collections algorithms(2) collections algorithms
(2) collections algorithms
 

Destaque

Kettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleKettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleDefconRussia
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Fuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsFuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsPawel Rzepa
 
Less-Dumb Fuzzing and Ruby Metaprogramming
Less-Dumb Fuzzing and Ruby MetaprogrammingLess-Dumb Fuzzing and Ruby Metaprogramming
Less-Dumb Fuzzing and Ruby MetaprogrammingNephi Johnson
 
FUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGFUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGMuH4f1Z
 

Destaque (6)

Kettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleKettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in style
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 
0-knowledge fuzzing
0-knowledge fuzzing0-knowledge fuzzing
0-knowledge fuzzing
 
Fuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsFuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugs
 
Less-Dumb Fuzzing and Ruby Metaprogramming
Less-Dumb Fuzzing and Ruby MetaprogrammingLess-Dumb Fuzzing and Ruby Metaprogramming
Less-Dumb Fuzzing and Ruby Metaprogramming
 
FUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGFUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTING
 

Semelhante a GDI Font Fuzzing in Windows Kernel For Fun

A Sneak Peek of MLIR in TensorFlow
A Sneak Peek of MLIR in TensorFlowA Sneak Peek of MLIR in TensorFlow
A Sneak Peek of MLIR in TensorFlowKoan-Sin Tan
 
Assemblers: Ch03
Assemblers: Ch03Assemblers: Ch03
Assemblers: Ch03desta_gebre
 
True type font tables
True type font tablesTrue type font tables
True type font tablesomercomail
 
Cauldron_2022_ctf_frame at gcc cauldron 2022 in prague
Cauldron_2022_ctf_frame at gcc cauldron 2022 in pragueCauldron_2022_ctf_frame at gcc cauldron 2022 in prague
Cauldron_2022_ctf_frame at gcc cauldron 2022 in praguessuser866937
 
Use C++ and Intel® Threading Building Blocks (Intel® TBB) for Hardware Progra...
Use C++ and Intel® Threading Building Blocks (Intel® TBB) for Hardware Progra...Use C++ and Intel® Threading Building Blocks (Intel® TBB) for Hardware Progra...
Use C++ and Intel® Threading Building Blocks (Intel® TBB) for Hardware Progra...Intel® Software
 
TensorFlow Quantization Tour
TensorFlow Quantization TourTensorFlow Quantization Tour
TensorFlow Quantization TourKSuzukiii
 
Avro2 tf: a data processing engine for tensorflow
Avro2 tf: a data processing engine for tensorflowAvro2 tf: a data processing engine for tensorflow
Avro2 tf: a data processing engine for tensorflowXuhong Zhang
 
Sterling Integrator Map Editor
Sterling Integrator Map EditorSterling Integrator Map Editor
Sterling Integrator Map EditorJeyhind M
 
Data Type in C Programming
Data Type in C ProgrammingData Type in C Programming
Data Type in C ProgrammingQazi Shahzad Ali
 
Introduction to TensorFlow 2
Introduction to TensorFlow 2Introduction to TensorFlow 2
Introduction to TensorFlow 2Oswald Campesato
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON
 
AllBits presentation - Lower Level SW Security
AllBits presentation - Lower Level SW SecurityAllBits presentation - Lower Level SW Security
AllBits presentation - Lower Level SW SecurityAllBits BVBA (freelancer)
 

Semelhante a GDI Font Fuzzing in Windows Kernel For Fun (20)

Theory1&2
Theory1&2Theory1&2
Theory1&2
 
A Sneak Peek of MLIR in TensorFlow
A Sneak Peek of MLIR in TensorFlowA Sneak Peek of MLIR in TensorFlow
A Sneak Peek of MLIR in TensorFlow
 
Assemblers: Ch03
Assemblers: Ch03Assemblers: Ch03
Assemblers: Ch03
 
C programming unit 01
C programming unit 01C programming unit 01
C programming unit 01
 
Lecture 2
Lecture 2Lecture 2
Lecture 2
 
True type font tables
True type font tablesTrue type font tables
True type font tables
 
Cauldron_2022_ctf_frame at gcc cauldron 2022 in prague
Cauldron_2022_ctf_frame at gcc cauldron 2022 in pragueCauldron_2022_ctf_frame at gcc cauldron 2022 in prague
Cauldron_2022_ctf_frame at gcc cauldron 2022 in prague
 
Use C++ and Intel® Threading Building Blocks (Intel® TBB) for Hardware Progra...
Use C++ and Intel® Threading Building Blocks (Intel® TBB) for Hardware Progra...Use C++ and Intel® Threading Building Blocks (Intel® TBB) for Hardware Progra...
Use C++ and Intel® Threading Building Blocks (Intel® TBB) for Hardware Progra...
 
TensorFlow Quantization Tour
TensorFlow Quantization TourTensorFlow Quantization Tour
TensorFlow Quantization Tour
 
C programming part2
C programming part2C programming part2
C programming part2
 
C programming part2
C programming part2C programming part2
C programming part2
 
C programming part2
C programming part2C programming part2
C programming part2
 
Avro2 tf: a data processing engine for tensorflow
Avro2 tf: a data processing engine for tensorflowAvro2 tf: a data processing engine for tensorflow
Avro2 tf: a data processing engine for tensorflow
 
Sterling Integrator Map Editor
Sterling Integrator Map EditorSterling Integrator Map Editor
Sterling Integrator Map Editor
 
A Peek into TFRT
A Peek into TFRTA Peek into TFRT
A Peek into TFRT
 
Advanced+pointers
Advanced+pointersAdvanced+pointers
Advanced+pointers
 
Data Type in C Programming
Data Type in C ProgrammingData Type in C Programming
Data Type in C Programming
 
Introduction to TensorFlow 2
Introduction to TensorFlow 2Introduction to TensorFlow 2
Introduction to TensorFlow 2
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
 
AllBits presentation - Lower Level SW Security
AllBits presentation - Lower Level SW SecurityAllBits presentation - Lower Level SW Security
AllBits presentation - Lower Level SW Security
 

Mais de michelemanzotti

Attacking IPv6 Implementation Using Fragmentation
Attacking IPv6 Implementation Using FragmentationAttacking IPv6 Implementation Using Fragmentation
Attacking IPv6 Implementation Using Fragmentationmichelemanzotti
 
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...michelemanzotti
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
 
Lotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the ControllerLotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the Controllermichelemanzotti
 
Lotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the ControllerLotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the Controllermichelemanzotti
 
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?michelemanzotti
 
Federate Identity and Access Management
Federate Identity and Access ManagementFederate Identity and Access Management
Federate Identity and Access Managementmichelemanzotti
 
Simple Network Management Protocol
Simple Network Management ProtocolSimple Network Management Protocol
Simple Network Management Protocolmichelemanzotti
 
Sistema Federato Interregionale di Autenticazione
Sistema Federato Interregionale di AutenticazioneSistema Federato Interregionale di Autenticazione
Sistema Federato Interregionale di Autenticazionemichelemanzotti
 
L'impatto dei Servizi Applicativi
L'impatto dei Servizi ApplicativiL'impatto dei Servizi Applicativi
L'impatto dei Servizi Applicativimichelemanzotti
 

Mais de michelemanzotti (11)

Attacking IPv6 Implementation Using Fragmentation
Attacking IPv6 Implementation Using FragmentationAttacking IPv6 Implementation Using Fragmentation
Attacking IPv6 Implementation Using Fragmentation
 
Hacking XPATH 2.0
Hacking XPATH 2.0Hacking XPATH 2.0
Hacking XPATH 2.0
 
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
 
Lotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the ControllerLotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the Controller
 
Lotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the ControllerLotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the Controller
 
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
 
Federate Identity and Access Management
Federate Identity and Access ManagementFederate Identity and Access Management
Federate Identity and Access Management
 
Simple Network Management Protocol
Simple Network Management ProtocolSimple Network Management Protocol
Simple Network Management Protocol
 
Sistema Federato Interregionale di Autenticazione
Sistema Federato Interregionale di AutenticazioneSistema Federato Interregionale di Autenticazione
Sistema Federato Interregionale di Autenticazione
 
L'impatto dei Servizi Applicativi
L'impatto dei Servizi ApplicativiL'impatto dei Servizi Applicativi
L'impatto dei Servizi Applicativi
 

Último

UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentMahmoud Rabie
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Nikki Chapple
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...itnewsafrica
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 

Último (20)

UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 

GDI Font Fuzzing in Windows Kernel For Fun

  • 1. GDI Font Fuzzing in Windows  Kernel for Fun Kernel for Fun Lee Ling Chuan & Chan Lee Yee Ministry of Science, Technology and Innovation
  • 2. Agenda • Introduction • TrueType Font (.TTF) • TTF Fuzzer • Exploit Demonstration – MS11‐087 • Microsoft Windows Bitmapped font (.fon) Microsoft Windows Bitmapped font ( fon) • FON Fuzzer (by Byoungyoung Lee) with some  modification • Exploit Demonstration – MS11‐077  3/16/2012 2
  • 3. Introduction • Two groups of categories are exist: o g oups o catego es a e e st: a. GDI Fonts b. Device Fonts b. Device Fonts • GDI fonts which are based in Windows consists of  three types: yp a. raster b. Vector c. TrueType & OpenType Reference: http://msdn.microsoft.com/en‐us/library/dd162893(v=vs.85).aspx Reference: http://msdn microsoft com/en us/library/dd162893(v=vs 85) aspx 3/16/2012 3
  • 4. Introduction… • Raster fonts: a glyph is a bitmap that uses to Raster fonts: a glyph is a bitmap that uses to  draw a single character in the font • Vector fonts: a glyph is a collection of line Vector fonts: a glyph is a collection of line  endpoints that define the line segments and  uses to draw a character in the font uses to draw a character in the font • TrueType & OpenType fonts: a glyph is a  collection of line and curve commands as well  ll i f li d d ll as a collection of hints 3/16/2012 4
  • 5. TrueType Fonts (.TTF) TrueType Fonts (.TTF) • TrueType font file contains data, in table TrueType font file contains data, in table  format, that compromises an outline font  • The outlines of glyphs in TrueType fonts are The outlines of glyphs in TrueType fonts are  made of straight line segments and quadratic  Bézier curves • The Windows scale these fonts to any size  using the hints inside the TTF file. • Hints included in TTF files and are used to  correct oversights 3/16/2012 5
  • 6. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • TTF table is designed to keep the entire glyph TTF table is designed to keep the entire glyph  data in various table: a. EBDT: Embedded Bitmap Data Table a EBDT: Embedded Bitmap Data Table b. EBLC: Embedded Bitmap Location Table c. EBSC: Embedded Bitmap Scaling Table EBSC E b dd d Bit S li T bl • The rasterizer uses combination of data from  differents to render the glyph data in the font diff t t d th l h d t i th f t Reference: TrueType 1.0 Font File, Technical Specification Revision 1.66 August 1995 Microsoft R f T T 10F Fil T h i l S ifi i R i i 1 66 A 1995 Mi f 3/16/2012 6
  • 7. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • TrueType embedded bitmaps are also called TrueType embedded bitmaps are also called  ‘scaler bitmaps’ or ‘sbits’ • A set of bitmaps for a face at a given size is A set of bitmaps for a face at a given size is  called a strike 3/16/2012 7
  • 8. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… .TTF Font Structure TTF Font Structure 3/16/2012 8
  • 9. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • EBDT – Embedded Bitmap Data Table: EBDT  Embedded Bitmap Data Table: a. EBDT table stores the glyph bitmap data.  b. The ‘EBDT’ table begins with a header  b h ‘ ’ bl b i ih h d containing simply the table version number c. The rest of the ‘EBDT’ table is a collection of  bitmap data bitmap data 3/16/2012 9
  • 10. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… EBDT Table Structure EBDT Table Structure 3/16/2012 10
  • 11. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • EBLC – Embedded Bitmap Location Table: a. The ‘EBLC’ table identifies the sizes and glyph  range of the sbits, and keeps offsets to glyph  bitmap data in indexSubTables bit d t i i d S bT bl b. The ‘EBLC’ table begins with a header  (eblcHeader) containing the table version and  (eblcHeader) containing the table version and number of strikes. c. The eblcHeader is followed by the  bitmapSizeTable array(s) d. Each strike is defined by one bitmapSizeTable 3/16/2012 11
  • 12. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… EBLC Table Structure 3/16/2012 12
  • 13. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • EBSC – Embedded Bitmap Scaling Table: p g a. The ‘EBSC’ table allows a font to define a  bitmap strike as a scaled version of another strike b. The table begins with a header (ebscHeader)  containing the table version and number of strikes c. The ebscHeader is followed immediately by the  bitmapScaleTable array. The numSizes in the  ebscHeader indicates the number of  b H d i di t th b f bitmapScaleTables in the array d. Each strike is defined by one bitmapScaleTable d Each strike is defined by one bitmapScaleTable 3/16/2012 13
  • 14. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… EBSC Table Structure 3/16/2012 14
  • 15. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • Glyph Data (glyf) a. This table contains information that  a This table contains information that describes the glyphs in the font b. Table provides instructions for each of the following   tasks: ‐ Pushing data onto the interpreter stack ‐ managing the Storage Area managing the Storage Area ‐ managing the Control Value Table ‐ modifying Graphics State settings y g p g ‐ Managing outlines ‐ General purpose instructions 3/16/2012 15
  • 16. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • TrueType instructions are uniquely specified by  their opcodes.  th i d GLYFDirectoryEntry ‐>  DataGLYFData[x+1]‐> SimpleGLYFData[x]‐> instructions • Examples: Pushing data onto the interpreter stack – function[0xB0]: itrp_PUSHB1 p_ – function[0xB8]: itrp_PUSHW1 3/16/2012 16
  • 17. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • Examples: Managing the flow of control ‐ f ti [0 1C] it JMPR function[0x1C]: itrp_JMPR ‐ function[0x1F]: itrp_LSW ‐ function[0x78]: itrp JROT function[0x78]: itrp_JROT • Examples: Managing the stack ‐ function[0x20]: itrp_DUP ‐ function[0x23]: itrp_SWAP • Examples: Managing the Storage Area ‐ function[0x43]: itrp RS function[0x43]: itrp_RS ‐ function[0x42]: itrp_WS 3/16/2012 17
  • 18. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • Examples: Managing the Control Value Table ‐ function[0x44]: itrp_WCVT ‐ function[0x45]: itrp_RCVT • Examples: Managing the Graphics State Examples: Managing the Graphics State ‐ function[0x4D]: itrp_FLIPON ‐ function[0x4E]: itrp_FLIPOFF • Examples: Arithmetic Functions ‐ function[0x60]: itrp_ADD ‐ function[0x61]: itrp SUB function[0x61]: itrp_SUB Reference: Chapter Appendix B, TrueType 1.0 Font File, Technical Specification Revision 1.66 August 1995  Microsoft 3/16/2012 18
  • 19. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • Important info (1) in exploitation: Important info (1) in exploitation: structure fnt_GlobalGraphicStateType{ stackBase; / the stack area  /*the stack area store; /*the storage area controlValueTable; /*the control value table …… int8 non90DegreeTransformation /*bit0: 1 if non‐90 degree /*bit 1:1 if x scale not equal y scale …… unit16 cvtCount; } fnt_GlobalGraphicStateType; 3/16/2012 19
  • 20. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • Important info (2) in exploitation: p ( ) p ‐ function ‘itrp_InnerExecute’ as the disassembler  engine to process Glyph Data and map to correct  TrueType instructions TrueType instructions • fnt_GlobalGraphicStateType: +0 : stackBase +0 : stackBase +4: store +8: controlValueTable +8: controlValueTable +90h: non90DegreeTransformation +134h: cvtCount 3/16/2012 20
  • 21. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… The TrueType Instruction Set 3/16/2012 21
  • 22. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… itrp_InnerExecute Glyph data in hexadicimal format 3/16/2012 22
  • 23. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… itrp_InnerExecute Glyph data in hexadicimal format 3/16/2012 23
  • 24. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… itrp_InnerExecute ;Function[0xB0]: itrp_PUSHB1 ;’00’ is parameter of the instruction Glyph data in hexadicimal format 3/16/2012 24
  • 25. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… itrp_PUSHB1 ;ecx: parameter ‘00’ ;esi: pointer structure fnt_GlobalGraphicStateType+0 Glyph data in hexadicimal format 3/16/2012 25
  • 26. TTF Fuzzer TTF Fuzzer • TTF font fuzzer is created to fuzz the TTF font into  different sizes • In GDI, we can create a font by: a. filling in a LOGFONT structure  b. calling ‘CreateFontIndirect’ which returns a  font handle (HFONT)   c. Work with fonts at a lower level through font  W k ith f t t l l l th hf t APIs: GetFontData, GetGlyphIndices, ExtTextOut  _ _ with ETO_GLYPH_INDEX flag g Reference: http://blogs.msdn.com/b/text/archive/2009/04/15/introducing‐the‐ directwrite‐font‐system.aspx 3/16/2012 26
  • 27. TTF Fuzzer TTF Fuzzer • The overall process of the fuzzer: a. automating the installation of the crafted  a automating the installation of the crafted font in ‘C:WINDOWSFonts’ folder htr=windll.gdi32.AddFontResourceExA(fileFont, FR_PRIVATE, None)  h dll d dd (f l ) b. Register a window class and creating a new  window to automate the display of the font  window to automate the display of the font text in a range of font size c. Remove the fonts in  C:WINDOWSFonts c Remove the fonts in ‘C:WINDOWSFonts’  folder windll.gdi32.RemoveFontResourceExW(fileFont, FR_PRIVATE, None) windll.gdi32.RemoveFontResourceExW(fileFont, FR PRIVATE, None) 3/16/2012 27
  • 28. TTF Fuzzer TTF Fuzzer • A range of font size lf=win32gui.LOGFONT() for fontsize in range (0, 100, 1): lf.lfHeight=fontsize lf.lfFaceName="Dexter" lf.lfWidth=0 lf lf d h lf.lfEscapement=0 lf.lfOrientation=0 lf.lfWeight=FW_NORMAL lf lfWeight=FW NORMAL lf.lfItalic=False lf.lfUnderline=False lf.lfStrikeOut False lf lfStrikeOut=False lf.lfCharSet=DEFAULT_CHARSET lf.lfOutPrecision=OUT_DEFAULT_PRECIS f f p _ _ lf.lfClipPrecision=CLIP_DEFAULT_PRECIS lf.lfPitchAndFamily=DEFAULT_PITCH|FF_DONTCARE 3/16/2012 28
  • 29. TTF Fuzzer TTF Fuzzer • Calling physical font APIs and display the  font text font text windll.gdi32.ExtTextOutW( hdc, 5, 5, ETO_GLYPH_INDEX, None, var1, var1 len(var1), None) 3/16/2012 29
  • 30. TTF Fuzzer TTF Fuzzer 3/16/2012 30
  • 31. Exploit MS11 087 Exploit MS11‐087 3/16/2012 31
  • 32. Exploit MS11 087 Exploit MS11‐087 Name Value Description EBSC.bitmapScaleTable[0].ppemX 0x004 Target horizontal pixels per Em EBSC.bitmapScaleTable[0].ppemY 0x004 Target vertical pixels per Em EBLC.bitmapSizeTable[5].ppemX 0x001 Horizontal pixels per Em EBLC.bitmapSizeTable[5].ppemY EBLC bit Si T bl [5] Y 0x001 Vertical pixels per Em 0 001 V ti l i l E EBDT.bitmapData.EbdtFormat8[11]. 0x001 Number of rows of data smallMetrics.height EBDT.bitmapData.EbdtFormat8[11]. 0x0ff Number of columns of data smallMetrics.width EBDT.bitmapData.EbdtFormat8[11]. 0x040 Position of component left ebdtComponent[0].xOffset EBDT.bitmapData.EbdtFormat8[11]. 0x052 Position of component top ebdtComponent[0].yOffset Important info in exploitation 3/16/2012 32
  • 33. Exploit MS11 087 Exploit MS11‐087 • usScaleWidth =(EBLC.ppemX+((EBSC.ppemX*2)* EBDT.width))/(2 EBLC.ppemX) EBDT.width))/(2*EBLC.ppemX) =(0x001+((0x004*2)*0x0ff))/(2*0x001) = (0x001+0x7F8)/(0x002) (0 001 0 7F8)/(0 002) = 0x03FC 3/16/2012 33
  • 34. Exploit MS11 087 Exploit MS11‐087 • usScaleHeight = usScaleHeight =  (EBLC.ppemY+((EBSC.ppemY*2)*EBDT.height)) /(2 EBLC.ppemY) /(2*EBLC ppemY) =(0x001+0x008)/(0x002) = 0x0004 0 0004 3/16/2012 34
  • 35. Exploit MS11 087 Exploit MS11‐087 • usScaleRowBytes =((usScaledWidth+0x1F)>>3)&(0xFFFC) = ((0x03FC+0x1F)>>3)& (0xFFFC) ((0 03 C 0 ) 3)& (0 C) = (0x85)&(0xFFFC) = 0x80 3/16/2012 35
  • 36. Exploit MS11 087 Exploit MS11‐087 • usOriginalRowBytes usOriginalRowBytes  = ((EBDT.width+0x1F)>>3)&(0xFFFC) = ((0x0FF+0x1F)>>3)&(0xFFFC) ((0 0 0 ) 3)&(0 C) = 0x20 3/16/2012 36
  • 37. Exploit MS11 087 Exploit MS11‐087 • Byte of scaling bitmap data Byte of scaling bitmap data =usScaleHeight*usScaleRowBytes = 0x004 0x080 = 0x004*0x080 = 0x200 • R Required byte of scaling bitmap data offset i db t f li bit d t ff t = (EBDT.yOffset)*(usOriginalRowBytes) = 0x52*0x20 = 0x0A40 3/16/2012 37
  • 38. Exploit MS11 087 Exploit MS11‐087 structure fnt_GlobalGraphicStateType{ stackBase; /*the stack area  store; / the storage area /*the storage area controlValueTable;    /*the control value table …… int8 non90DegreeTransformation  …… unit16 cvtCount; } fnt_GlobalGraphicStateType; BEFORE AFTER 3/16/2012 38
  • 39. Exploit MS11 087 Exploit MS11‐087 structure fnt_GlobalGraphicStateType{ stackBase; /*the stack area  store; / the storage area /*the storage area controlValueTable;    /*the control value table …… int8 non90DegreeTransformation  …… unit16 cvtCount; } fnt_GlobalGraphicStateType; BEFORE AFTER 3/16/2012 39
  • 40. Exploit MS11 087 Exploit MS11‐087 fnt_GlobalGraphicStateType+134h  (cvtCount) BEFORE AFTER 3/16/2012 40
  • 41. Exploit MS11 087 Exploit MS11‐087 3/16/2012 41
  • 42. Exploit MS11 087 Exploit MS11‐087 3/16/2012 42
  • 43. Exploit MS11 087 Exploit MS11‐087 ecx: value ‘stackBase+0’ edx: value Control Value Table 3/16/2012 43
  • 44. Exploit MS11 087 Exploit MS11‐087 3/16/2012 44
  • 45. Exploit MS11 087 Exploit MS11‐087 3/16/2012 45
  • 46. Exploit MS11 087 Exploit MS11‐087 Perfectly jump into  Perfectly jump into the shellcode 3/16/2012 46
  • 48. Microsoft Windows Bitmapped Font  (.fon) (f ) • Microsoft Windows Bitmapped Fonts (.fon) Microsoft Windows Bitmapped Fonts (.fon)  come in two different types:  a. New Executable NE (old format used by  a. New Executable NE (old format used by Windows 3)NE  b. Portable Executable PE (new 32bit  b. Portable Executable PE (new 32bit executable format used in Windows 95 and  above) Note: Can’t find any complete documentation of Microsoft Windows Bitmapped Font. If you have  any, share with me ☺!! 3/16/2012 48
  • 49. FON FUZZER FON FUZZER • .FON fuzzer consits of 2 files: a. mkwinfont.py k f ‐ written and/or maintained by Simon  Tatham ‐ python script generates NE fon files only python script generates NE .fon files only  b. fuzzer.py  ‐ written by Byoungyoung Lee i b ‐ fuzz the .fon in different width, height 3/16/2012 49
  • 50. FON FUZZER FON FUZZER • Some modification: a. mkwinfont.py k i f value = string.atol(w, 16) ;support hexadecimal b. fuzzer.py if width ! 0: if width != 0: for j in range(height): fdStr += "A"*width + "n“ fdStr += "n" fd " " 3/16/2012 50
  • 51. FON FUZZER FON FUZZER 3/16/2012 51
  • 52. Exploit MS11 077 Exploit MS11‐077 • Discovered by Byoungyoung Lee Discovered by Byoungyoung Lee • BSOD: BAD_POOL_HEADER(19) Interesting bug but based on the analysis,  i b b b d h l i there is very difficult to bypass the ‘safe  unlinking’ in windows kernel pool li ki ’ i i d k l l • BSOD: DRIVER_OVERRAN_STACK_BUFFER(f7) Possible to bypass the Stack‐Canary in Kernel  Land 3/16/2012 52
  • 53. Exploit MS11 077 Exploit MS11‐077 win32k!BmfdOpenFontContext ;.Fon width=498 (0x1F2) ; eax=(0x1F2)*5=0x9ba 3/16/2012 53
  • 54. Exploit MS11 077 Exploit MS11‐077 win32k!BmfdOpenFontContext ;the ‘EngAllocMem’ function allocates a block of memory (0x160) and inserts  ;a  ‘Bmfd’ pool tag before the allocation  3/16/2012 54
  • 55. Exploit MS11 077 Exploit MS11‐077 3/16/2012 55
  • 56. Exploit MS11 077 Exploit MS11‐077 ;Font data ‘aa’ will process and the result as index to read from the following array: a. _awStretch5W1 a. awStretch5W1 b. _BFA10171 c. _awStretch5W2 d. _BFA10191 e. _ajStretch5B1   jS h5B1 3/16/2012 56
  • 57. Exploit MS11 077 Exploit MS11‐077 3/16/2012 57
  • 58. Exploit MS11 077 Exploit MS11‐077 Overwrite 3 bytes in  next pool header lh d 3/16/2012 58
  • 59. Limitation of Exploit MS11 077 Limitation of Exploit MS11‐077 win32k!vStretchGlyphBitmap 3/16/2012 59
  • 60. Limitation of Exploit MS11 077 Limitation of Exploit MS11‐077 win32k!vStretchGlyphBitmap 3/16/2012 60
  • 61. Exploit MS11 077 Exploit MS11‐077 3/16/2012 61
  • 62. Exploit MS11 077 (another try) Exploit MS11‐077 (another try) 3/16/2012 62
  • 63. Exploit MS11 077 Exploit MS11‐077 Possible to bypass Kernel Canary in Kernel Land??  Possible to bypass Kernel Canary in Kernel Land?? gave up without detail testing 3/16/2012 63
  • 65. Thank You Credit to: jvjvlglg, Byoungyoung Lee &  Tarjei Mandt 3/16/2012 65