
Some of my windows kernel exploits for learning purposes

Windows-Exploits

Some kernel exploits I used to learn about the topic, mainly for OSEE. These probably contain code snippets from other exploits - if I missed references/authors please send me a message and I'll add them.

Kernel

HEVD

Most exploits target Windows 10 1909 x64 and the HackSys Extreme Vulnerable Driver (HEVD): https://github.com/hacksysteam/HackSysExtremeVulnerableDriver

  • StackOverflow (Medium Integrity)
  • StackOverflow Data Only (ROP / PreviousMode Overwrite, Medium Integrity)
  • StackOverflow with GS (Medium Integrity)
  • TypeConfusion (Medium Integrity)
  • TypeConfusion with StackPivot (Medium Integrity)
  • Use-After-Free (Medium Integrity)
  • Pool Overflow Win7 x64 with ProcessBilled Overwrite (Medium Integrity)
  • NullPtr Dereference Win7 x64 (Medium Integrity)

Misc Drivers

All exploits target Windows 10 1909 x64.

  • CVE-2018-19320 (Gigabyte Driver, Medium Integrity)
  • CVE-2018-19320 + CVE-2018-19323 (Gigabyte Driver, Low Integrity)

Notes/Misc

  • KUSER_SHARED_DATA is mapped in kernel mode at the fixed address 0xFFFFF78000000000 (it is not part of the ntoskrnl.exe image). The unused area at offset 0x800 (0xFFFFF78000000800) is writable and, on 1909, still executable, so it serves as a code cave for shellcode; from 20H1 onward the kernel mapping is no longer executable.
  • Ways to SYSTEM: steal the System token (copy EPROCESS.Token from PID 4 into your own EPROCESS), overwrite a kernel function pointer with a pointer to shellcode (classically nt!HalDispatchTable+8, triggered through NtQueryIntervalProfile), or edit ACLs/privileges.
  • Ways to make a page RW/RX: in the kernel, flip the relevant PTE bits (NX, R/W, or U/S as in the SMEP trick); from user mode, WriteProcessMemory and VirtualProtect.
  • Bypass SMEP: ROP to clear bit 20 (SMEP) of CR4, flip the U/S bit of the shellcode page's PTE so it counts as a kernel page, or write the shellcode into kernel memory (using the PTE trick to fix the page protections). With Hyper-V/HVCI enabled the CR4 write is intercepted by the hypervisor, so only the PTE-based variants remain.
  • kCFG (kernel Control Flow Guard) is only enforced when virtualization-based security (Hyper-V) is enabled; when on, it blocks indirect calls through an overwritten pointer that points at shellcode.
  • Dangerous functions to look for in drivers: MmMapIoSpace, __readmsr/__writemsr, memmove (and similar copies with user-controlled pointers or sizes).
  • Compile shellcode: nasm shellcode.asm -o shellcode.bin -f bin, then radare2 -b 32 -c 'pc' ./shellcode.bin dumps the bytes as a C array (-b sets the disassembly bitness; use -b 64 for the x64 shellcode used against the targets above).
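The two pieces of arithmetic behind the "steal token" and "flip U/S" notes, as an added C example that is not part of this repo or of HEVD. The EPROCESS offsets are the real Windows 10 1903/1909 x64 values; the process list is a constructed fake living in user memory, so this compiles and runs on any host and touches no kernel. The PTE base read location (nt!MiGetPteAddress+0x13) is the usual technique for these builds and is stated here as background, not exercised by the code:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: token-stealing walk and PTE/CR4 bit arithmetic modelled in
 * plain C. The x64 shellcode in the exploits performs the same walk in the
 * kernel; here the EPROCESS list is a constructed fake. */

/* nt!_EPROCESS field offsets, Windows 10 1903/1909 x64 */
#define EP_UNIQUE_PROCESS_ID    0x2e8
#define EP_ACTIVE_PROCESS_LINKS 0x2f0   /* _LIST_ENTRY { Flink, Blink } */
#define EP_TOKEN                0x360   /* _EX_FAST_REF */
#define EP_SIZE                 0x400   /* enough to cover the fields used here */

#define SYSTEM_PID 4

/* Constructed token values for the fake list. The low nibble of an
 * _EX_FAST_REF is the reference count; the shellcode copies it unchanged. */
#define FAKE_SYSTEM_TOKEN 0xFFFF9A80DEADBEE7ull
#define FAKE_OWN_TOKEN    0xFFFF9A8011111117ull

static uint64_t rd64(const uint8_t *ep, size_t off) { uint64_t v; memcpy(&v, ep + off, 8); return v; }
static void     wr64(uint8_t *ep, size_t off, uint64_t v) { memcpy(ep + off, &v, 8); }

/* Follow ActiveProcessLinks.Flink from `current` until UniqueProcessId == pid.
 * Flink points at the next process's _LIST_ENTRY, so subtract the field offset
 * to get back to its EPROCESS (CONTAINING_RECORD). Returns NULL after one lap. */
uint8_t *find_process_by_pid(uint8_t *current, uint64_t pid) {
    uint8_t *ep = current;
    do {
        if (rd64(ep, EP_UNIQUE_PROCESS_ID) == pid)
            return ep;
        ep = (uint8_t *)(uintptr_t)rd64(ep, EP_ACTIVE_PROCESS_LINKS) - EP_ACTIVE_PROCESS_LINKS;
    } while (ep != current);
    return NULL;
}

/* Token stealing: copy System's Token into the current EPROCESS. */
int steal_token(uint8_t *current) {
    uint8_t *system = find_process_by_pid(current, SYSTEM_PID);
    if (!system) return 0;
    wr64(current, EP_TOKEN, rd64(system, EP_TOKEN));
    return 1;
}

uint64_t read_token(const uint8_t *ep) { return rd64(ep, EP_TOKEN); }

/* Constructed three-entry circular list: System (4), a service (700), and
 * "us" (4242). Returns our EPROCESS. Static storage, rebuilt on each call. */
uint8_t *build_fake_process_list(void) {
    static uint64_t store[3][EP_SIZE / 8];
    static const uint64_t pids[3] = { SYSTEM_PID, 700, 4242 };
    static const uint64_t toks[3] = { FAKE_SYSTEM_TOKEN, 0xFFFF9A8022222220ull, FAKE_OWN_TOKEN };
    memset(store, 0, sizeof store);
    for (int i = 0; i < 3; i++) {
        uint8_t *ep   = (uint8_t *)store[i];
        uint8_t *next = (uint8_t *)store[(i + 1) % 3];
        uint8_t *prev = (uint8_t *)store[(i + 2) % 3];
        wr64(ep, EP_UNIQUE_PROCESS_ID, pids[i]);
        wr64(ep, EP_TOKEN, toks[i]);
        wr64(ep, EP_ACTIVE_PROCESS_LINKS,     (uint64_t)(uintptr_t)(next + EP_ACTIVE_PROCESS_LINKS)); /* Flink */
        wr64(ep, EP_ACTIVE_PROCESS_LINKS + 8, (uint64_t)(uintptr_t)(prev + EP_ACTIVE_PROCESS_LINKS)); /* Blink */
    }
    return (uint8_t *)store[2];
}

/* ---- SMEP bypass arithmetic ---- */

/* PTE virtual address for a VA. Since 1607 the PTE base is randomized at boot;
 * exploits read it from the immediate at nt!MiGetPteAddress+0x13. The formula
 * itself is fixed: index = (va >> 9) & 0x7FFFFFFFF8. */
uint64_t pte_address(uint64_t va, uint64_t pte_base) {
    return ((va >> 9) & 0x7FFFFFFFF8ull) + pte_base;
}

#define PTE_US   (1ull << 2)    /* User/Supervisor: clear => kernel page */
#define PTE_NX   (1ull << 63)   /* No-Execute */
#define CR4_SMEP (1ull << 20)

/* Make a user page look like an executable kernel page so SMEP no longer
 * objects to executing shellcode from it. */
uint64_t pte_kernel_executable(uint64_t pte) { return pte & ~(PTE_US | PTE_NX); }

/* The ROP alternative: value to write back with `mov cr4, rcx`. */
uint64_t cr4_without_smep(uint64_t cr4) { return cr4 & ~CR4_SMEP; }

int main(void) {
    uint8_t *me = build_fake_process_list();
    printf("token before: 0x%016llx\n", (unsigned long long)read_token(me));
    steal_token(me);
    printf("token after:  0x%016llx\n", (unsigned long long)read_token(me));
    printf("PTE of 0x7ff600001000 with the pre-1607 fixed base: 0x%016llx\n",
           (unsigned long long)pte_address(0x7ff600001000ull, 0xFFFFF68000000000ull));
    return 0;
}
```

In a real exploit the walk runs in kernel mode with rcx pointing at the current EPROCESS (from gs:[0x188] -> KTHREAD.ApcState.Process), and the PTE base is leaked at runtime rather than hardcoded; the fixed 0xFFFFF68000000000 used in main() is only valid on builds before 1607.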

Resources

  • https://kristal-g.github.io/
  • https://h0mbre.github.io
  • https://blog.xpnsec.com/
  • https://voidsec.com/
  • https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/using-the-kernel-debugger-to-find-a-kernel-mode-memory-leak
  • https://windows-internals.com/exploiting-a-simple-vulnerability-in-35-easy-steps-or-less/
  • https://www.crowdstrike.com/blog/cve-2021-21551-learning-through-exploitation/
  • https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pool_overflow_exploitation_since_windows_10_19h1/SSTIC2020-Article-pool_overflow_exploitation_since_windows_10_19h1-bayet_fariello.pdf
  • https://github.com/synacktiv/Windows-kernel-SegmentHeap-Aligned-Chunk-Confusion