SlideShare uma empresa Scribd logo

Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

I
inaz2

2015/11/14 AVTOKYO2015 Japanese version is available at http://www.slideshare.net/inaz2/abusing-interrupts-for-reliable-windows-kernel-exploitation-ja

Tecnologia
1 de 28
Baixar para ler offline
Abusing Interrupts for Reliable Windows Kernel Exploitation 2015/11/14 AVTOKYO2015 inaz2
About me • inaz2 • Security engineer & Python programmer • Working at NTT Communications • Weblog “momoiro technology” • http://inaz2.hatenablog.com/ 2
Windows kernel exploitation • Attacks that exploit the vulnerability in the kernel land • Including the vulnerability in device drivers • Write-what-where condition/vulnerability is widely used • Enables to write an arbitrary value to the arbitrary address • Execute the shellcode to escalate privilege of the attacking process • Then launch the administrator command prompt 3
Classic technique: halDispatchTable overwrite • nt!NtQueryIntervalProfile internal API • call [nt!halDispatchTable+4] via nt!KeQueryIntervalProfile • Overwrite [nt!halDispatchTable+4] to shellcode 4
Replace token shellcode • Copy the token object from System process (PID=4) 5 Replace 41414141h to the attacking process’ PID
It works but … • Depending on the implementation of nt!NtQueryIntervalProfile • Kernel implementation may be changed in the future (i.e. not reliable) • Is there the more reliable target to overwrite? 6
It works but … • Depending on the implementation of nt!NtQueryIntervalProfile • Kernel implementation may be changed in the future (i.e. not reliable) • Is there the more reliable target to overwrite? 7
x86 interrupt handling • There are hardware interrupts (keyboard etc.) and software interrupts (zero division etc.) • Software interrupts are triggered by “int n” instruction • Interrupt Descriptor Table (IDT) • Stores the addresses of hander functions (Interrupt Software Routines; ISR) in each entry (interrupt gate) • ISRs are executed in Ring 0 • Can do everything 8
x86 privilege levels (protection rings) • 4 privilege levels numbered from 0 to 3 • The greater number means lesser privileges • Most OS including Windows use only two rings • Ring 0 corresponding to kernel mode and Ring 3 to user mode 9
Interrupt Descriptor Table (1/4) • Intel Developer’s Manual Volume 3, Chapter 6 10
Interrupt Descriptor Table (2/4) • Intel Developer’s Manual Volume 3, Chapter 6 11 Can be interrupted from Ring 3 if DPL=3
Interrupt Descriptor Table (3/4) • WinDbg (KD) view 12
Interrupt Descriptor Table (4/4) • Overwrite the interrupt gate for interrupt #0 13 414184fc 000884fc 4141ee00 DPL=3
IDT overwrite technique 14 Get the IDT address Overwrite the interrupt gate for interrupt #n Trigger interrupt #n by “int n” instruction Execute shellcode
Detailed procedure 16
Find the write-what-where vulnerability • Write and install the vulnerable device driver • Enables to attack write-what-where vulnerability via IOCTL 17
Get the IDT address (1/2) 18 Can be used even in Ring 3!
Get the IDT address (2/2) • The function that returns the IDT address 19 Disable alignment
Write the Interrupt Software Routine (ISR) • Switch the value of fs segment register • 0x33 (TEB) → 0x30 (KPCR) • Call the shellcode right after ISR • Return by iretd instruction instead of ret 20
Allocate memory & put the codes • Allocate nop-sled from 0x41410000 to 0x41420000 • Put the ISR code + shellcode from 0x41420000 21
Overwrite the interrupt gate • Write 0x4141ee00 to the latter half of the interrupt gate for interrupt #32 • #32-255 are designated as user-defined interrupts (not reserved) 22
Trigger the software interrupt • Execute “int 32” • Shellcode is executed via ISR • Then launch cmd.exe 23
Demo 24
What about 64 bit Windows? • The size of interrupt gate increases to 16 bytes • As 0x100000000 bytes nop-sled is quite hard, overwriting entire interrupt gate is required (i.e. write 2 times) • However, my VirtualBox VM hangs up when the interrupt is triggered (PatchGuard??) 25
Comparison with halDispatchTable overwrite • Pros • Reliable against all versions of x86-based Windows • Easy to determine the address to be overwritten • Cons • Need to prepare the ISR code • Need to allocate nop-sled • Not confirmed on 64 bit 26
Recap • IDT overwrite technique is reliable against all versions of x86-based Windows • Independent with kernel implementation changes • We can get the IDT address even in Ring 3 • There’s more than one way to do it  27
References • Windowsでデバイスドライバの脆弱性からの権限昇格をやってみる - もも いろテクノロジー • http://inaz2.hatenablog.com/entry/2015/09/15/121926 • Project Zero: One font vulnerability to rule them all #4: Windows 8.1 64-bit sandbox escape exploitation • http://googleprojectzero.blogspot.jp/2015/08/one-font-vulnerability-to-rule- them-all_21.html • Interrupt Service Routines - OSDev Wiki • http://wiki.osdev.org/Interrupt_Service_Routines • SIMPLE IS BETTER: Kernel Information Leak with Unprivileged Instructions (SIDT, SGDT) on x86 - WHY ? • http://hypervsir.blogspot.jp/2014/10/kernel-information-leak-with.html 28
Thank you! inaz2 29

Recomendados

Linux Instrumentation
Linux InstrumentationLinux Instrumentation
Linux InstrumentationDarkStarSword
 
LCA14: LCA14-306: CPUidle & CPUfreq integration with scheduler
LCA14: LCA14-306: CPUidle & CPUfreq integration with schedulerLCA14: LCA14-306: CPUidle & CPUfreq integration with scheduler
LCA14: LCA14-306: CPUidle & CPUfreq integration with schedulerLinaro
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtKernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtAnne Nicolas
 
Linux Kernel Exploitation
Linux Kernel ExploitationLinux Kernel Exploitation
Linux Kernel ExploitationScio Security
 
GDB Rocks!
GDB Rocks!GDB Rocks!
GDB Rocks!Kent Chen
 
淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 National Cheng Kung University
 
Q2.12: Debugging with GDB
Q2.12: Debugging with GDBQ2.12: Debugging with GDB
Q2.12: Debugging with GDBLinaro
 

Recomendados

Linux Instrumentation
Linux InstrumentationLinux Instrumentation
Linux InstrumentationDarkStarSword
 
LCA14: LCA14-306: CPUidle & CPUfreq integration with scheduler
LCA14: LCA14-306: CPUidle & CPUfreq integration with schedulerLCA14: LCA14-306: CPUidle & CPUfreq integration with scheduler
LCA14: LCA14-306: CPUidle & CPUfreq integration with schedulerLinaro
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtKernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtAnne Nicolas
 
Linux Kernel Exploitation
Linux Kernel ExploitationLinux Kernel Exploitation
Linux Kernel ExploitationScio Security
 
GDB Rocks!
GDB Rocks!GDB Rocks!
GDB Rocks!Kent Chen
 
淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 National Cheng Kung University
 
Q2.12: Debugging with GDB
Q2.12: Debugging with GDBQ2.12: Debugging with GDB
Q2.12: Debugging with GDBLinaro
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesMichael Scovetta
 
Hadoop and Kerberos
Hadoop and KerberosHadoop and Kerberos
Hadoop and KerberosYuta Imai
 
Linux Performance Analysis and Tools
Linux Performance Analysis and ToolsLinux Performance Analysis and Tools
Linux Performance Analysis and ToolsBrendan Gregg
 
Learn C Programming Language by Using GDB
Learn C Programming Language by Using GDBLearn C Programming Language by Using GDB
Learn C Programming Language by Using GDBNational Cheng Kung University
 
The Microkernel Mach Under NeXTSTEP
The Microkernel Mach Under NeXTSTEPThe Microkernel Mach Under NeXTSTEP
The Microkernel Mach Under NeXTSTEPGregor Schmidt
 
The Internals of "Hello World" Program
The Internals of "Hello World" ProgramThe Internals of "Hello World" Program
The Internals of "Hello World" ProgramNational Cheng Kung University
 
Linux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsLinux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsBrendan Gregg
 
Linux Kernel Crashdump
Linux Kernel CrashdumpLinux Kernel Crashdump
Linux Kernel CrashdumpMarian Marinov
 
Velocity 2015 linux perf tools
Velocity 2015 linux perf toolsVelocity 2015 linux perf tools
Velocity 2015 linux perf toolsBrendan Gregg
 
Berkeley Packet Filters
Berkeley Packet FiltersBerkeley Packet Filters
Berkeley Packet FiltersKernel TLV
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingViller Hsiao
 
Linux Interrupts
Linux InterruptsLinux Interrupts
Linux InterruptsKernel TLV
 
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedKernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedAnne Nicolas
 
Embedded Hypervisor for ARM
Embedded Hypervisor for ARMEmbedded Hypervisor for ARM
Embedded Hypervisor for ARMNational Cheng Kung University
 
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例National Cheng Kung University
 
【HITCON FreeTalk】Supply Chain Attack
【HITCON FreeTalk】Supply Chain Attack【HITCON FreeTalk】Supply Chain Attack
【HITCON FreeTalk】Supply Chain AttackHacks in Taiwan (HITCON)
 
Xen and the art of embedded virtualization (ELC 2017)
Xen and the art of embedded virtualization (ELC 2017)Xen and the art of embedded virtualization (ELC 2017)
Xen and the art of embedded virtualization (ELC 2017)Stefano Stabellini
 
InfluxDB IOx Tech Talks: The Impossible Dream: Easy-to-Use, Super Fast Softw...
InfluxDB IOx Tech Talks: The Impossible Dream: Easy-to-Use, Super Fast Softw...InfluxDB IOx Tech Talks: The Impossible Dream: Easy-to-Use, Super Fast Softw...
InfluxDB IOx Tech Talks: The Impossible Dream: Easy-to-Use, Super Fast Softw...InfluxData
 
Construct an Efficient and Secure Microkernel for IoT
Construct an Efficient and Secure Microkernel for IoTConstruct an Efficient and Secure Microkernel for IoT
Construct an Efficient and Secure Microkernel for IoTNational Cheng Kung University
 
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in LinuxSelf Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linuxinaz2
 
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)inaz2
 

Mais conteúdo relacionado

Mais procurados

DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesMichael Scovetta
 
Hadoop and Kerberos
Hadoop and KerberosHadoop and Kerberos
Hadoop and KerberosYuta Imai
 
Linux Performance Analysis and Tools
Linux Performance Analysis and ToolsLinux Performance Analysis and Tools
Linux Performance Analysis and ToolsBrendan Gregg
 
The Microkernel Mach Under NeXTSTEP
The Microkernel Mach Under NeXTSTEPThe Microkernel Mach Under NeXTSTEP
The Microkernel Mach Under NeXTSTEPGregor Schmidt
 
Linux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsLinux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsBrendan Gregg
 
Linux Kernel Crashdump
Linux Kernel CrashdumpLinux Kernel Crashdump
Linux Kernel CrashdumpMarian Marinov
 
Velocity 2015 linux perf tools
Velocity 2015 linux perf toolsVelocity 2015 linux perf tools
Velocity 2015 linux perf toolsBrendan Gregg
 
Berkeley Packet Filters
Berkeley Packet FiltersBerkeley Packet Filters
Berkeley Packet FiltersKernel TLV
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingViller Hsiao
 
Linux Interrupts
Linux InterruptsLinux Interrupts
Linux InterruptsKernel TLV
 
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedKernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedAnne Nicolas
 
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例National Cheng Kung University
 
Xen and the art of embedded virtualization (ELC 2017)
Xen and the art of embedded virtualization (ELC 2017)Xen and the art of embedded virtualization (ELC 2017)
Xen and the art of embedded virtualization (ELC 2017)Stefano Stabellini
 
InfluxDB IOx Tech Talks: The Impossible Dream: Easy-to-Use, Super Fast Softw...
InfluxDB IOx Tech Talks: The Impossible Dream: Easy-to-Use, Super Fast Softw...InfluxDB IOx Tech Talks: The Impossible Dream: Easy-to-Use, Super Fast Softw...
InfluxDB IOx Tech Talks: The Impossible Dream: Easy-to-Use, Super Fast Softw...InfluxData
 

Mais procurados (20)

DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and Techniques
 
Hadoop and Kerberos
Hadoop and KerberosHadoop and Kerberos
Hadoop and Kerberos
 
Linux Performance Analysis and Tools
Linux Performance Analysis and ToolsLinux Performance Analysis and Tools
Linux Performance Analysis and Tools
 
Learn C Programming Language by Using GDB
Learn C Programming Language by Using GDBLearn C Programming Language by Using GDB
Learn C Programming Language by Using GDB
 
The Microkernel Mach Under NeXTSTEP
The Microkernel Mach Under NeXTSTEPThe Microkernel Mach Under NeXTSTEP
The Microkernel Mach Under NeXTSTEP
 
The Internals of "Hello World" Program
The Internals of "Hello World" ProgramThe Internals of "Hello World" Program
The Internals of "Hello World" Program
 
Linux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsLinux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old Secrets
 
Linux Kernel Crashdump
Linux Kernel CrashdumpLinux Kernel Crashdump
Linux Kernel Crashdump
 
Velocity 2015 linux perf tools
Velocity 2015 linux perf toolsVelocity 2015 linux perf tools
Velocity 2015 linux perf tools
 
Berkeley Packet Filters
Berkeley Packet FiltersBerkeley Packet Filters
Berkeley Packet Filters
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracing
 
Linux Interrupts
Linux InterruptsLinux Interrupts
Linux Interrupts
 
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedKernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
 
Embedded Hypervisor for ARM
Embedded Hypervisor for ARMEmbedded Hypervisor for ARM
Embedded Hypervisor for ARM
 
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
 
【HITCON FreeTalk】Supply Chain Attack
【HITCON FreeTalk】Supply Chain Attack【HITCON FreeTalk】Supply Chain Attack
【HITCON FreeTalk】Supply Chain Attack
 
Xen and the art of embedded virtualization (ELC 2017)
Xen and the art of embedded virtualization (ELC 2017)Xen and the art of embedded virtualization (ELC 2017)
Xen and the art of embedded virtualization (ELC 2017)
 
InfluxDB IOx Tech Talks: The Impossible Dream: Easy-to-Use, Super Fast Softw...
InfluxDB IOx Tech Talks: The Impossible Dream: Easy-to-Use, Super Fast Softw...InfluxDB IOx Tech Talks: The Impossible Dream: Easy-to-Use, Super Fast Softw...
InfluxDB IOx Tech Talks: The Impossible Dream: Easy-to-Use, Super Fast Softw...
 
Construct an Efficient and Secure Microkernel for IoT
Construct an Efficient and Secure Microkernel for IoTConstruct an Efficient and Secure Microkernel for IoT
Construct an Efficient and Secure Microkernel for IoT
 

Destaque

Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in LinuxSelf Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linuxinaz2
 
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)inaz2
 
HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装inaz2
 
WinDbg Primer
WinDbg PrimerWinDbg Primer
WinDbg Primerinaz2
 
Protecting Passwords
Protecting PasswordsProtecting Passwords
Protecting Passwordsinaz2
 
proxy2: HTTPS pins and needles
proxy2: HTTPS pins and needlesproxy2: HTTPS pins and needles
proxy2: HTTPS pins and needlesinaz2
 
Why is Security Management So Hard?
Why is Security Management So Hard?Why is Security Management So Hard?
Why is Security Management So Hard?inaz2
 
Rechkov. Lomonosov Report
Rechkov. Lomonosov ReportRechkov. Lomonosov Report
Rechkov. Lomonosov ReportAnton Rechkov
 
Making a Proxy for Fun and Profit
Making a Proxy for Fun and ProfitMaking a Proxy for Fun and Profit
Making a Proxy for Fun and Profitinaz2
 
How to apt-get from the internal network: remote sshd with kneesocks
How to apt-get from the internal network: remote sshd with kneesocksHow to apt-get from the internal network: remote sshd with kneesocks
How to apt-get from the internal network: remote sshd with kneesocksinaz2
 
Sniffing BitTorrent DHT ~人はBTで何を落とすのか~
Sniffing BitTorrent DHT ~人はBTで何を落とすのか~Sniffing BitTorrent DHT ~人はBTで何を落とすのか~
Sniffing BitTorrent DHT ~人はBTで何を落とすのか~inaz2
 
バイオメトリクス認証Hacks(AVtokyo2008 After Party: KA – E – DA - MA(Biometrics Authenti...
バイオメトリクス認証Hacks(AVtokyo2008 After Party: KA – E – DA - MA(Biometrics Authenti...バイオメトリクス認証Hacks(AVtokyo2008 After Party: KA – E – DA - MA(Biometrics Authenti...
バイオメトリクス認証Hacks(AVtokyo2008 After Party: KA – E – DA - MA(Biometrics Authenti...Tomohiro Hanada
 
ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)
ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)
ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)inaz2
 

Destaque (15)

Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in LinuxSelf Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
 
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)
 
HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装
 
WinDbg Primer
WinDbg PrimerWinDbg Primer
WinDbg Primer
 
Protecting Passwords
Protecting PasswordsProtecting Passwords
Protecting Passwords
 
proxy2: HTTPS pins and needles
proxy2: HTTPS pins and needlesproxy2: HTTPS pins and needles
proxy2: HTTPS pins and needles
 
Why is Security Management So Hard?
Why is Security Management So Hard?Why is Security Management So Hard?
Why is Security Management So Hard?
 
Rechkov. Lomonosov Report
Rechkov. Lomonosov ReportRechkov. Lomonosov Report
Rechkov. Lomonosov Report
 
Making a Proxy for Fun and Profit
Making a Proxy for Fun and ProfitMaking a Proxy for Fun and Profit
Making a Proxy for Fun and Profit
 
How to apt-get from the internal network: remote sshd with kneesocks
How to apt-get from the internal network: remote sshd with kneesocksHow to apt-get from the internal network: remote sshd with kneesocks
How to apt-get from the internal network: remote sshd with kneesocks
 
Sniffing BitTorrent DHT ~人はBTで何を落とすのか~
Sniffing BitTorrent DHT ~人はBTで何を落とすのか~Sniffing BitTorrent DHT ~人はBTで何を落とすのか~
Sniffing BitTorrent DHT ~人はBTで何を落とすのか~
 
バイオメトリクス認証Hacks(AVtokyo2008 After Party: KA – E – DA - MA(Biometrics Authenti...
バイオメトリクス認証Hacks(AVtokyo2008 After Party: KA – E – DA - MA(Biometrics Authenti...バイオメトリクス認証Hacks(AVtokyo2008 After Party: KA – E – DA - MA(Biometrics Authenti...
バイオメトリクス認証Hacks(AVtokyo2008 After Party: KA – E – DA - MA(Biometrics Authenti...
 
Ch12 microprocessor interrupts
Ch12 microprocessor interruptsCh12 microprocessor interrupts
Ch12 microprocessor interrupts
 
ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)
ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)
ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)
 
Operating Systems
Operating SystemsOperating Systems
Operating Systems
 

Semelhante a Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...DefconRussia
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel ExploitationzeroSteiner
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012DefCamp
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
Wintel Hell: průvodce devíti kruhy Dantova technologického pekla / MARTIN HRO...
Wintel Hell: průvodce devíti kruhy Dantova technologického pekla / MARTIN HRO...Wintel Hell: průvodce devíti kruhy Dantova technologického pekla / MARTIN HRO...
Wintel Hell: průvodce devíti kruhy Dantova technologického pekla / MARTIN HRO...Security Session
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CanSecWest
 
Metasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationMetasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationzeroSteiner
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Tim Mackey
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Black Duck by Synopsys
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsJonathan Salwan
 
OpenCORD MiniSummit - Physical POD test and deployments
OpenCORD MiniSummit - Physical POD test and deploymentsOpenCORD MiniSummit - Physical POD test and deployments
OpenCORD MiniSummit - Physical POD test and deploymentsOpen Networking Summit
 
63071507 interrupts-up
63071507 interrupts-up63071507 interrupts-up
63071507 interrupts-uptt_aljobory
 
Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackTomer Zait
 
FIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure EnclaveFIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure EnclavewolfSSL
 
blockchain-and-trusted-computing
blockchain-and-trusted-computingblockchain-and-trusted-computing
blockchain-and-trusted-computingYongraeJo
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
 
Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Shahriman .
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?zeroSteiner
 

Semelhante a Abusing Interrupts for Reliable Windows Kernel Exploitation (en) (20)

Deep hooks
Deep hooksDeep hooks
Deep hooks
 
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
Wintel Hell: průvodce devíti kruhy Dantova technologického pekla / MARTIN HRO...
Wintel Hell: průvodce devíti kruhy Dantova technologického pekla / MARTIN HRO...Wintel Hell: průvodce devíti kruhy Dantova technologického pekla / MARTIN HRO...
Wintel Hell: průvodce devíti kruhy Dantova technologického pekla / MARTIN HRO...
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
 
Metasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationMetasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel Exploitation
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protections
 
OpenCORD MiniSummit - Physical POD test and deployments
OpenCORD MiniSummit - Physical POD test and deploymentsOpenCORD MiniSummit - Physical POD test and deployments
OpenCORD MiniSummit - Physical POD test and deployments
 
63071507 interrupts-up
63071507 interrupts-up63071507 interrupts-up
63071507 interrupts-up
 
Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The Stack
 
FIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure EnclaveFIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure Enclave
 
blockchain-and-trusted-computing
blockchain-and-trusted-computingblockchain-and-trusted-computing
blockchain-and-trusted-computing
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
 
Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?
 

Último

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Último (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

  • 1. Abusing Interrupts for Reliable Windows Kernel Exploitation 2015/11/14 AVTOKYO2015 inaz2
  • 2. About me • inaz2 • Security engineer & Python programmer • Working at NTT Communications • Weblog “momoiro technology” • http://inaz2.hatenablog.com/ 2
  • 3. Windows kernel exploitation • Attacks that exploit the vulnerability in the kernel land • Including the vulnerability in device drivers • Write-what-where condition/vulnerability is widely used • Enables to write an arbitrary value to the arbitrary address • Execute the shellcode to escalate privilege of the attacking process • Then launch the administrator command prompt 3
  • 4. Classic technique: halDispatchTable overwrite • nt!NtQueryIntervalProfile internal API • call [nt!halDispatchTable+4] via nt!KeQueryIntervalProfile • Overwrite [nt!halDispatchTable+4] to shellcode 4
  • 5. Replace token shellcode • Copy the token object from System process (PID=4) 5 Replace 41414141h to the attacking process’ PID
  • 6. It works but … • Depending on the implementation of nt!NtQueryIntervalProfile • Kernel implementation may be changed in the future (i.e. not reliable) • Is there the more reliable target to overwrite? 6
  • 7. It works but … • Depending on the implementation of nt!NtQueryIntervalProfile • Kernel implementation may be changed in the future (i.e. not reliable) • Is there the more reliable target to overwrite? 7
  • 8. x86 interrupt handling • There are hardware interrupts (keyboard etc.) and software interrupts (zero division etc.) • Software interrupts are triggered by “int n” instruction • Interrupt Descriptor Table (IDT) • Stores the addresses of hander functions (Interrupt Software Routines; ISR) in each entry (interrupt gate) • ISRs are executed in Ring 0 • Can do everything 8
  • 9. x86 privilege levels (protection rings) • 4 privilege levels numbered from 0 to 3 • The greater number means lesser privileges • Most OS including Windows use only two rings • Ring 0 corresponding to kernel mode and Ring 3 to user mode 9
  • 10. Interrupt Descriptor Table (1/4) • Intel Developer’s Manual Volume 3, Chapter 6 10
  • 11. Interrupt Descriptor Table (2/4) • Intel Developer’s Manual Volume 3, Chapter 6 11 Can be interrupted from Ring 3 if DPL=3
  • 12. Interrupt Descriptor Table (3/4) • WinDbg (KD) view 12
  • 13. Interrupt Descriptor Table (4/4) • Overwrite the interrupt gate for interrupt #0 13 414184fc 000884fc 4141ee00 DPL=3
  • 14. IDT overwrite technique 14 Get the IDT address Overwrite the interrupt gate for interrupt #n Trigger interrupt #n by “int n” instruction Execute shellcode
  • 16. Find the write-what-where vulnerability • Write and install the vulnerable device driver • Enables to attack write-what-where vulnerability via IOCTL 17
  • 17. Get the IDT address (1/2) 18 Can be used even in Ring 3!
  • 18. Get the IDT address (2/2) • The function that returns the IDT address 19 Disable alignment
  • 19. Write the Interrupt Software Routine (ISR) • Switch the value of fs segment register • 0x33 (TEB) → 0x30 (KPCR) • Call the shellcode right after ISR • Return by iretd instruction instead of ret 20
  • 20. Allocate memory & put the codes • Allocate nop-sled from 0x41410000 to 0x41420000 • Put the ISR code + shellcode from 0x41420000 21
  • 21. Overwrite the interrupt gate • Write 0x4141ee00 to the latter half of the interrupt gate for interrupt #32 • #32-255 are designated as user-defined interrupts (not reserved) 22
  • 22. Trigger the software interrupt • Execute “int 32” • Shellcode is executed via ISR • Then launch cmd.exe 23
  • 24. What about 64 bit Windows? • The size of interrupt gate increases to 16 bytes • As 0x100000000 bytes nop-sled is quite hard, overwriting entire interrupt gate is required (i.e. write 2 times) • However, my VirtualBox VM hangs up when the interrupt is triggered (PatchGuard??) 25
  • 25. Comparison with halDispatchTable overwrite • Pros • Reliable against all versions of x86-based Windows • Easy to determine the address to be overwritten • Cons • Need to prepare the ISR code • Need to allocate nop-sled • Not confirmed on 64 bit 26
  • 26. Recap • IDT overwrite technique is reliable against all versions of x86-based Windows • Independent with kernel implementation changes • We can get the IDT address even in Ring 3 • There’s more than one way to do it  27
  • 27. References • Windowsでデバイスドライバの脆弱性からの権限昇格をやってみる - もも いろテクノロジー • http://inaz2.hatenablog.com/entry/2015/09/15/121926 • Project Zero: One font vulnerability to rule them all #4: Windows 8.1 64-bit sandbox escape exploitation • http://googleprojectzero.blogspot.jp/2015/08/one-font-vulnerability-to-rule- them-all_21.html • Interrupt Service Routines - OSDev Wiki • http://wiki.osdev.org/Interrupt_Service_Routines • SIMPLE IS BETTER: Kernel Information Leak with Unprivileged Instructions (SIDT, SGDT) on x86 - WHY ? • http://hypervsir.blogspot.jp/2014/10/kernel-information-leak-with.html 28