Network Security Exploits-HackingTools

[REVS] Remote Windows Kernel Exploitation - Step Into the Ring 0

Date: 21 Feb 2005 10:52:43 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Remote Windows Kernel Exploitation - Step Into the Ring 0
------------------------------------------------------------------------


SUMMARY

Over eight years have passed and almost every possible method and 
technique regarding Windows exploitation has been discussed in depth. 
Surprisingly, a topic that has yet to be touched on publicly is the remote 
exploitation of Win32 kernel vulnerabilities; a number of kernel 
vulnerabilities have been published, yet no exploit code has surfaced in 
the public arena.

DETAILS

Introduction:
Almost a decade ago, Solar Designer posted a message to the Bugtraq mailing 
list detailing a remote buffer overflow in Website v1.1e for Windows NT and 
providing exploit code.

This was probably the first published buffer overflow exploit for Windows. 
Over eight years have passed and almost every possible method and 
technique regarding Windows exploitation has been discussed in depth. 
Surprisingly, a topic that has yet to be touched on publicly is the remote 
exploitation of Win32 kernel vulnerabilities; a number of kernel 
vulnerabilities have been published, yet no exploit code has surfaced in 
the public arena.

We expect to see more kernel vulnerabilities in the future, since more and 
more networking services are being implemented at the driver level. One good 
example is Internet Information Services, which now contains a kernel-mode 
network driver that parses HTTP requests. With the release of XP SP2 and the 
wide use of personal firewalls, many software and security companies are 
claiming that their systems are secure. Those wishing to disprove that claim 
are going to have to adapt to new methods of exploitation. But a firewall is 
a security product, so it must be secure, right? After all, it has been 
designed to protect against the very type of threat proposed here.

Don't be discouraged, though: if the last two years have shown us anything, 
it is that security solutions have the same bugs and vulnerabilities as 
every other piece of software out there. Certainly, the developers of kernel 
code are of a very high caliber, and they are few and far between. For that 
same reason, kernel code may not undergo the same level of peer scrutiny as 
a user-mode application. It only takes one mistake. In the article that 
follows, we walk through the remote exploitation of a kernel-based 
vulnerability. The example used here is a flaw in the Symantec line of 
personal firewalls, caused by incorrect handling of DNS responses. This 
issue was patched long ago, but it was chosen because it demonstrates 
certain obstacles relating to the communication layers that must be 
overcome when exploiting a host-based firewall.
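The page does not say which part of the DNS response the Symantec driver 
mishandled, so the following is an added illustration of the bug class rather 
than the real defect or any code from the eEye paper: a DNS answer-name 
decoder of the kind a host-based firewall's inspection driver runs on every 
response, first with the classic unchecked-output-length mistake and then 
hardened. Everything in it is assumed for the example: the NAME_MAX buffer 
size, the function names, and the constructed response packet built by 
build_response; the label and pointer rules are those of RFC 1035 section 
4.1.4.

```c
/* Added example, not from the eEye paper or from Symantec: a DNS answer name
 * decoder of the kind a host-based firewall's inspection driver runs on every
 * response. The page says only that the Symantec flaw was "incorrect handling
 * of DNS responses"; the fixed-size buffer overrun shown here is a constructed
 * illustration of that bug class (RFC 1035 s4.1.4 names), not the real defect. */
#include <stdint.h>
#include <string.h>

#define NAME_MAX 64   /* small fixed buffer, as a kernel stack frame might hold */

/* Expand the name at msg[off] into out (caller promises NAME_MAX bytes); returns
 * decoded length or -1 on a truncated message. VULNERABLE: only input bounds are
 * checked, pos is never compared with NAME_MAX, so a long name runs past out. */
int decode_name_vulnerable(const uint8_t *msg, size_t len, size_t off, char *out)
{
    size_t pos = 0;
    while (off < len) {
        uint8_t lab = msg[off];
        if (lab == 0) { out[pos] = '\0'; return (int)pos; }
        if ((lab & 0xC0) == 0xC0) {                    /* compression pointer */
            if (off + 1 >= len) return -1;
            off = ((size_t)(lab & 0x3F) << 8) | msg[off + 1];
            continue;                                  /* no hop limit either */
        }
        if (off + 1 + lab > len) return -1;            /* input bound only */
        if (pos) out[pos++] = '.';
        memcpy(out + pos, msg + off + 1, lab);         /* pos unchecked */
        pos += lab;  off += 1 + lab;
    }
    return -1;
}

/* HARDENED: every write is bounded by NAME_MAX, labels capped at 63 and the
 * whole name at 255 octets (RFC 1035), pointers must point strictly backwards
 * and are limited in number, so a pointer loop fails instead of spinning. */
int decode_name_hardened(const uint8_t *msg, size_t len, size_t off, char out[NAME_MAX])
{
    size_t pos = 0, wire = 0; int hops = 0;
    while (off < len) {
        uint8_t lab = msg[off];
        if (lab == 0) { out[pos] = '\0'; return (int)pos; }
        if ((lab & 0xC0) == 0xC0) {
            if (off + 1 >= len || ++hops > 16) return -1;
            size_t target = ((size_t)(lab & 0x3F) << 8) | msg[off + 1];
            if (target >= off) return -1;              /* forward or self pointer */
            off = target; continue;
        }
        if (lab > 63 || off + 1 + lab > len) return -1;
        if ((wire += 1 + lab) > 255) return -1;
        if (pos + (pos ? 1 : 0) + lab + 1 > NAME_MAX) return -1;   /* output bound */
        if (pos) out[pos++] = '.';
        memcpy(out + pos, msg + off + 1, lab);
        pos += lab;  off += 1 + lab;
    }
    return -1;
}

/* Constructed response (sample data, not a capture): header, one question whose
 * name is nlabels labels of lablen 'A's, and one A answer whose owner name is a
 * pointer back to offset 12. Returns total length, or 0 if it does not fit cap. */
size_t build_response(uint8_t *buf, size_t cap, int nlabels, int lablen)
{
    static const uint8_t hdr[12]    = {0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0};
    static const uint8_t qtail[4]   = {0,1, 0,1};                 /* QTYPE A, IN */
    static const uint8_t answer[16] = {0xC0,0x0C, 0,1, 0,1, 0,0,0,60, 0,4, 10,0,0,1};
    size_t need = 12 + (size_t)nlabels * (size_t)(lablen + 1) + 1 + 4 + 16;
    if (nlabels < 1 || lablen < 1 || lablen > 255 || need > cap) return 0;
    size_t p = 12;
    memcpy(buf, hdr, 12);
    for (int i = 0; i < nlabels; i++) {
        buf[p++] = (uint8_t)lablen;
        memset(buf + p, 'A', (size_t)lablen);
        p += (size_t)lablen;
    }
    buf[p++] = 0;
    memcpy(buf + p, qtail, 4);   p += 4;
    memcpy(buf + p, answer, 16); p += 16;
    return p;
}

/* Decode the answer's owner name with both decoders. A canary sits just past
 * NAME_MAX in an oversized backing array (large enough that no 512-byte message
 * escapes it), standing in for the next stack slot. Returns 1 if clobbered. */
int overflow_demo(int nlabels, int lablen, int *vuln_len, int *hard_len)
{
    uint8_t msg[512];
    char backing[NAME_MAX + 512], hard[NAME_MAX];
    size_t len = build_response(msg, sizeof msg, nlabels, lablen);
    if (len == 0) { *vuln_len = *hard_len = -1; return 0; }
    memset(backing, 0, sizeof backing);
    backing[NAME_MAX] = (char)0xAA;
    *vuln_len = decode_name_vulnerable(msg, len, len - 16, backing);  /* answer owner */
    *hard_len = decode_name_hardened(msg, len, len - 16, hard);
    return (unsigned char)backing[NAME_MAX] != 0xAA;
}
int vuln_len_for(int n, int l)   { int v, h; overflow_demo(n, l, &v, &h); return v; }
int hard_len_for(int n, int l)   { int v, h; overflow_demo(n, l, &v, &h); return h; }
int canary_hit_for(int n, int l) { int v, h; return overflow_demo(n, l, &v, &h); }
```

With three four-byte labels both decoders return the 14-character name and the 
canary survives; with three thirty-byte labels the vulnerable decoder returns 92 
and overwrites the canary, while the hardened one rejects the name on the output 
bound. In a filtering driver the overrun target is the kernel stack, which is 
what makes a response like this a ring 0 entry point rather than a crash in a 
user process; the hardened decoder also refuses a self-referencing pointer 
instead of looping in the kernel.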

Provided in the document are two shellcode examples: the first is a kernel 
loader, which allows you to plug in and execute any user-land code you wish; 
the second operates entirely at the kernel level: it installs a keystroke 
logger whose keystroke buffer can then be retrieved remotely. This second 
example is closer to an old-school software crack than to network shellcode. 
This article assumes the reader knows x86 assembly language and has previous 
experience with Win32 exploitation.


ADDITIONAL INFORMATION

The original article can be found at:  
<http://www.eeye.com/~data/publish/whitepapers/research/OT20050205.FILE.pdf> 




DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. In no event shall we be liable for any damages whatsoever including 
direct, indirect, incidental, consequential, loss of business profits or 
special damages. 