Re: Remote Windows Kernel Exploitation - Step Into the Ring 0
From: Eirik Schwenke (eirik.schwenke_at_STUDENT.UIB.NO)
Date: Wed, 9 Mar 2005 10:20:46 +0100 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Den 02/17/05 10:00 skrev Marc Maiffret:
> Remote Windows Kernel Exploitation - Step Into the Ring 0
Ah, I love the smell of assembler in the morning ;-p But one thing that struck
me, is (how well) do these exploits work on EMT64/AMD64 windows machines with
the no-exec bit enabled ?
Does anyone on this list know if all kernel code is excepted from NX
restrictions by default ? Because surely a utility-function like the keyboard
buffer, or icmp handler should be read-execute only (ie trying to patch it
should throw an exception of some kind) ?
And if the pages are marked read-only, is it possible to patch the error-handler
for that ?
As the NX handling is toggable, it is obvious that some part of the kernel must
be allowed to change it -- and it sounds reasonable that would mean all kernel
code can change it, due to the NT memory model.
Does anyone have more information on this ?
[OFFTOPIC - PLEASE PUT ON ASBESTOS GEAR BEFORE READING]
> Important Notice: This email is confidential, may be legally privileged,
> and is for the intended recipient only. Access, disclosure, copying,
> distribution, or reliance on any of it by anyone else is prohibited and
> may be a criminal offense. Please delete if obtained in error and email
> confirmation to the sender.
Surely, such a signature goes against the spirit of bugtraq ? I am, in effect,
not allowed to quote your message in my reply to this list ? I realize ofcourse
that this is a standard signature, but it strikes me as somewhat comical that a
message to a list with a publically searchable web-archive should be marked
"confidential" and "... distribution ... on any of it by anyone else is
prohibited". And "may be a criminal offence" ? Where ? What court would hold
forwarding of this message a criminal offense ? Even if I got access to it
because I'm sniffing my local lan, or reviewing my squid cache ?
-- Eirik Schwenke<firstname.lastname@example.org> http://www.student.uib.no/~st05861 "I can't identify the software needed to play [DVDs] in Linux, but you can probably google for it. You may have to learn Norwegian, though." --Tom Brown in http://linuxgazette.net/issue97/defectors2.html -- NTBugtraq Editor's Note: Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered. --