Demystifying Windows Kernel Exploitation by Abusing GDI Objects.

Presented at DEF CON 25 (2017), July 29, 2017, 1 p.m. (45 minutes)

Windows kernel exploitation is a difficult field to get into. Learning the field well enough to write your own exploits require full walkthroughs and few of those exist. This talk will do that, release two exploits and a new GDI object abuse technique. We will provide all the detailed steps taken to develop a full privilege escalation exploit. The process includes reversing a Microsoft's patch, identifying and analyzing two bugs, developing PoCs to trigger them, turning them into code execution and then putting it all together. The result is an exploit for Windows 8.1 x64 using GDI bitmap objects and a new, previously unreleased Windows 7 SP1 x86 exploit involving the abuse of a newly discovered GDI object abuse technique.

Presenters:

• 5A1F (Saif El-Sherei) - Security Analyst, SensePost
  Saif is a senior analyst with SensePost. He has a keen interest in exploit development and sharing everything he learns. Over the years he has released several exploitation tutorials, examples and a grammar-based browser fuzzer, wadi (DEF CON 23). @saif_sherei

Links:

• https://defcon.org/html/defcon-25/dc-25-speakers.html#El-Sherei
• https://infocon.org/cons/DEF CON/DEF CON 25/DEF CON 25 video and slides/DEF CON 25 - Saif El-Sherei - Demystifying Windows Kernel Exploitation by Abusing GDI Objects.mp4
• https://infocon.org/cons/DEF CON/DEF CON 25/DEF CON 25 video and slides/DEF CON 25 - Saif El-Sherei - Demystifying Windows Kernel Exploitation by Abusing GDI Objects.srt (subtitles)
• https://www.youtube.com/watch?v=2chDv_wTymc

Similar Presentations:

• Black Hat Europe 2016 / Attacking Windows by Windows
• Black Hat Europe 2020 Virtual / Discovering 20 Year Old Vulnerabilities in Modern Windows Kernel
• DEF CON 12 (2004) / Shoot the Messenger - Using Window Messages to Exploit Local win32 Applications