NetWare kernel stack overflow exploitation

Presented at REcon 2008, June 13, 2008, 4:30 p.m. (60 minutes).

Although a lot of research has been done into exploiting remote buffer overflows in kernel mode on modern systems like Windows, Linux and BSD, there are really few publications about exploitation on other platforms which are still common in enterprise networks. The main approach in kernel mode exploitation is to inject a payload in user mode. While this method allows to reuse shellcodes and payloads it may not be the best solution when the system is kernel centric. The purpose of this presentation is to describe common and less common kernel-land exploitation techniques applied to the NetWare Operating system. As such, the focus will be on the explanation of a full kernel mode stager and of two different kernel mode stages, a shellcode and an adduser payload.

Presenters:

• Nicolas Pouvesle
  Nicolas Pouvesle is a security researcher at Tenable Network Security where he works on vulnerability analysis and reverse engineering. While at Tenable, Nicolas has partially implemented and reversed many protocols such as SMB, Oracle, WMI, Skype . He also wrote several of the internal tools used by the Tenable research team to improve vulnerability analysis.

Links:

• https://recon.cx/2008/speakers.html#netware
• https://infocon.org/cons/REcon/REcon 2008/REcon 2008 videos/Nicolas Pouvesle-NetWare kernel stack overflow exploitation.mp4
• https://recon.cx/2008/a/nicolas_pouvesle/netware.pdf

Similar Presentations:

• DEF CON 19 (2011) / Owned Over Amateur Radio: Remote Kernel Exploitation in 2011
• Black Hat USA 2011 / Exploiting the iOS Kernel
• Black Hat USA 2018 / Kernel Mode Threats and Practical Defenses