j00ru's Blog
Created: Saturday, January 16 2010 19:01.29 CST
GDT / LDT Windows Kernel Exploitation article
Author: j00ru
# Views: 1215
Hi,
A few weeks ago, Gynvael and I had a chance to dive into the Global/Local Descriptor Table management in 32-bit Windows, and how it can be used to accomplish something in the context of write-what-where ring-0 exploitation.
To sum up everything we came across during this research, a "GDT and LDT in Windows kernel vulnerability exploitation" paper was created.
Table of Contents:
1. Abstract
2. The need of a stable exploit path
3. Windows GDT and LDT
4. Creating a Call-Gate entry in LDT
4.1. 4-byte write-what-where exploitation
4.2. 1-byte write-what-where exploitation
4.3. Custom LDT goes User Mode
5. Summary
+ References
+ Attachments
My blog entry: http://j00ru.vexillium.org/?p=290&lang=en
Gynvael's blog: http://gynvael.coldwind.pl/?id=274
The article itself: http://vexillium.org/dl.php?call_gate_exploitation.pdf
Have fun!
Blog Comments
DelightedZuk
Posted: Sunday, January 31 2010 10:15.42 CST
Good read. thanks.