Wednesday, October 12, 2011

Bypassing Windows 7 Kernel ASLR

Windows 7 brings solid security to kernel space

Many size checks, integrity controls and access restrictions are available. For example, the “security check” protects the stack when a string is used, and many functions such as “strcpy()” are deprecated (some are disallowed) to force developers into secure coding. This is why the attacks presented so far are heap overflows in local exploitation (recently by Tarjei Mandt), while we no longer see remote exploitation like the one against SRV.SYS or other drivers.

This lack of remote exploits is partly due to ASLR (randomization of memory spaces) being enabled in kernel land. If an attacker has no way to jump to and execute a payload (ROP, jmp eax, ...), exploiting the bug is not possible; in most cases only a magnificent BSOD appears.

This paper will try to explain how to bypass this protection and improve remote kernel vulnerability research! For the purposes of this document we will consider a remote stack overflow as the main vulnerability.
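To make the "deprecated strcpy()" point concrete, here is an added example (not code from the paper or from any Microsoft driver) of the kind of remote stack overflow the abstract takes as its starting vulnerability, together with the bounded copy that removes it. The length-prefixed wire format, the `NAME_MAX` size and the `copy_name_field()` function are assumptions constructed for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size field a hypothetical driver fills from a network request
 * (constructed for this example; not taken from any real protocol). */
#define NAME_MAX 16

/* The unsafe pattern the abstract alludes to: strcpy() trusts the
 * sender's string length, so a wire string longer than NAME_MAX runs
 * past name[] on the kernel stack. Kept as a comment for contrast only:
 *
 *     char name[NAME_MAX];
 *     strcpy(name, wire_string);   // no bound: stack overflow on long input
 */

/* Bounded copy: the field length is read from the message, checked
 * against both the received packet and the destination, and the result
 * is always NUL-terminated. Returns 0 on success, -1 on any violation. */
int copy_name_field(char dst[NAME_MAX], const uint8_t *wire, size_t wire_len)
{
    if (wire == NULL || wire_len == 0)
        return -1;

    /* Constructed format: first byte is the length of the name field. */
    size_t field_len = wire[0];

    if (field_len > wire_len - 1)      /* packet shorter than it claims */
        return -1;
    if (field_len >= NAME_MAX)         /* must leave room for the terminator */
        return -1;

    memcpy(dst, wire + 1, field_len);
    dst[field_len] = '\0';
    return 0;
}

int main(void)
{
    char name[NAME_MAX];

    /* Constructed packets: one well-formed, one oversized, one truncated. */
    const uint8_t good[]      = { 5, 'a', 'd', 'm', 'i', 'n' };
    uint8_t       oversized[40];
    const uint8_t truncated[] = { 10, 'a', 'b' };

    oversized[0] = 30;
    memset(oversized + 1, 'A', sizeof(oversized) - 1);

    printf("good:      %d (%s)\n", copy_name_field(name, good, sizeof good), name);
    printf("oversized: %d\n", copy_name_field(name, oversized, sizeof oversized));
    printf("truncated: %d\n", copy_name_field(name, truncated, sizeof truncated));
    return 0;
}
```

The two rejections matter equally: the oversized field is the stack overflow the paper builds on, and the truncated packet would otherwise let memcpy() read past the end of the received buffer. Both checks are done against the length the parser actually received, not the one the sender advertised.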

Download PDF:
