Generic Windows 7,8,10 SMEP, KASLR & DEP Bypass Using the Page Table’s Self-reference Entry

This is a generic mitigation bypass technique for Windows kernel exploitation. It requires a kernel mode vulnerability that gives some control over values at arbitrary virtual addresses, and once triggered it yields a full, generic bypass of SMEP, KASLR and DEP. In my PoC I relied on a vulnerable driver I wrote (http://bit.ly/2TDvOzp), which exposes a write-what-where vulnerability.

It relies on a deterministic procedure for deducing the PTE address of any virtual address; the technique describes such a procedure, and the procedure itself requires no vulnerability.

It was found by MWR intern Jérémy Fetiveau and is detailed in an article named Windows 8 Kernel Memory Protections Bypass.

I implemented this technique in my Privilege Escalation Framework project.

For full technical coverage, read my OneNote notebook here: http://bit.ly/2HzBhA7 or as a PDF: http://bit.ly/2W0uwv5

This issue was only fixed in Windows 10 Redstone 1. The fix, along with really interesting background on page table management under Windows in general, can also be found in my notebook, here: http://bit.ly/2T6M2vC or as a PDF: http://bit.ly/2F5xPdx
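The deterministic PTE derivation mentioned above, and why the Redstone 1 change removes that determinism, as an added example that is not code from the original post or from the Privilege Escalation Framework. It assumes x64 4-level paging with 4 KiB pages and 48-bit canonical addresses; 0x1ED is the historical fixed self-reference PML4 index on pre-Redstone-1 builds, and 0x100 is a constructed stand-in for a boot-time randomized index.

```python
# Added example (not the post's own code): arithmetic of the x64 page-table self-map.
# Assumptions: 4-level paging, 4 KiB pages, 48-bit canonical addresses.
# 0x1ED is the fixed pre-Redstone-1 self-reference index; once the index is
# chosen at boot (the Redstone 1 fix), every base below moves with it.
PRE_RS1_SELF_REF_INDEX = 0x1ED

def canonical(addr: int) -> int:
    """Sign-extend bit 47 into the top 16 bits, as x64 requires for a valid VA."""
    addr &= (1 << 48) - 1
    return addr | (0xFFFF << 48) if addr & (1 << 47) else addr

def table_base(level: int, self_ref_index: int) -> int:
    """Virtual base of the paging-structure array at `level` (1=PT, 2=PD, 3=PDPT, 4=PML4).

    Going through the self-reference entry k times replaces the top k page-table
    indices of the address with the self-reference index, so the base repeats it.
    """
    base = 0
    for k in range(level):
        base |= self_ref_index << (39 - 9 * k)
    return canonical(base)

def entry_address(va: int, level: int, self_ref_index: int) -> int:
    """Virtual address of the level-`level` entry that maps `va` (the PTE for level 1).

    Each self-map level shifts the VA right by 9 bits (one table index); the low
    3 bits are cleared because entries are 8 bytes, and the offset keeps only the
    index bits that the self-reference index has not replaced.
    """
    offset = (va >> (9 * level)) & ((1 << (48 - 9 * level)) - 1) & ~7
    return canonical(table_base(level, self_ref_index) + offset)

def self_reference_entry_address(self_ref_index: int) -> int:
    """Address of the PML4 entry that points back at the PML4 itself."""
    return entry_address(table_base(1, self_ref_index), 4, self_ref_index)

if __name__ == "__main__":
    va = 0xFFFFF80000000000  # constructed sample kernel VA
    for idx in (PRE_RS1_SELF_REF_INDEX, 0x100):  # 0x100: constructed randomized index
        print(f"self-ref index {idx:#x}: PTE base {table_base(1, idx):#018x}, "
              f"PTE of {va:#x} at {entry_address(va, 1, idx):#018x}")
```

With the fixed index every table base and entry address is a pure function of the VA, which is what makes the derivation deterministic; with a per-boot index an attacker can no longer precompute them, which is the property the Redstone 1 fix restores.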

For the complete OneNote exported as PDFs: http://bit.ly/2HjkySp

Feel free to ask questions!
