This Time Font hunt you down in 4 bytes

Presented at REcon 2015, June 19, 2015, 2 p.m. (60 minutes)

In our recent work we targeted also win32k, what seems to be fruit giving target. @promised_lu made our own TTF-fuzzer which comes with bunch of results in form of gigabytes of crashes and various bugs. Fortunately windows make great work and in February most of our bugs was dead - patched, but not all of them… Whats left were looking as seemingly unexploitable kernel bugs with ridiculous conditions. We decided to check it out, and finally combine it with our user mode bug & emet bypass. Through IE & flash we break down system and pointed out at weak points in defensive mechanism. In this talk we will present our research dedicated for pwn2own event this year. We will describe kernel part of exploit in detail, including bug description, resulting memory corruption conditions & caveats up to final pwn via one of our TTF bugs. Throughout the talk we will describe how to break various exploit mitigations in windows kernel and why it is possible. We will introduce novel kernel exploitation techniques breaking all what stands { KASLR, SMEP, even imaginary SMAP or CFG } and bring you SYSTEM exec (from kernel driver to system calc).

Presenters:

• Jihui Lu
• Peter Hlavaty

Links:

• https://recon.cx/2015/schedule/events/22.html
• https://infocon.org/cons/REcon/REcon 2015/REcon 2015 videos/peter-hlavaty-jihui-lu-This-Time-Font-hunt-you-down-in-4-bytes.mp4

Similar Presentations:

• Black Hat Europe 2016 / Attacking Windows by Windows
• Black Hat Europe 2021 / Your Trash Kernel Bug, My Precious 0-day
• Black Hat USA 2015 / Ah! Universal Android Rooting is Back