We will look into how to bypass kASLR and the kernel Low Fragmentation Heap (kLFH), and do hands-on exploitation using a data-only attack, which effectively bypasses SMEP and other exploit mitigations.
Upon completion of this training, participants will understand:
- The exploit development process in kernel mode
- Mitigation bypasses
- Pool internals and pool Feng Shui
- Arbitrary read/write primitives
Syllabus
Day 1
- Exploit Mitigations
  - Kernel Address Space Layout Randomization (kASLR)
    - Understanding kASLR
    - Breaking kASLR using kernel pointer leaks
  - Supervisor Mode Execution Prevention (SMEP)
    - SMEP concepts
    - Breaking/bypassing SMEP
  - Kernel Page Table Isolation (KPTI/KVA Shadow)
    - KPTI concepts
    - Breaking/bypassing KPTI
- Exploitation
  - Stack Buffer Overflow (SMEP & KPTI enabled)
    - Understand the vulnerability
    - Achieving code execution
  - Arbitrary Memory Overwrite
    - Understand the vulnerability
    - Achieving privilege escalation
Day 2
- Revision: Day 1 Concepts
- Exploitation
  - Memory Disclosure
    - Understand the vulnerability
    - Leak function pointer
    - Calculate driver base address
  - Pool Overflow
    - Understand the vulnerability
    - Finding corruption target
    - Grooming target pool and achieving arbitrary read/write primitive (data-only attack)
    - Gaining local privilege escalation
    - Different places to corrupt
- Capture The Flag
  - Time to finish the CTF
  - Discuss any other vulnerability class if the students want and time permits
- Miscellaneous
  - Assignment to write a blog post about the vulnerability exploited during the CTF
  - Q/A and feedback