0x01 – Killing Windows Kernel Mitigations (opens in new tab)

(wetw0rk.github.io)

118 pointsneilwillgettoit1y ago13 comments

13 comments

If you’re following my Windows Kernel Exploitation series the time to bypass modern mitigations is now.

We’ve learned how to exploit a Stack Overflow in Windows 7 (x86) but what has changed since then?

Truthfully a lot, but the core fundamental problem exists and as such we as hackers will always find a way to exploit them.

As part of this tutorial, I will be releasing my technique on bypassing SMEP and VBS I have dubbed Violet Phosphorous. I personally have not seen these mitigations bypassed in this manner so I’m claiming it.

To prove its effectiveness, I installed the latest Windows 11 (x64) build (24H2) and successfully elevated my privileges to NT AUTHORITY/SYSTEM.

The king is dead, long live the king!

LONG LIVE THE STACK OVERFLOW!

cahoot_bird1y ago

Super interesting. At one point thought control flow guard + DEP/ASLR was suppose to prevent this stuff, guess it can't be prevented nearly completely by now. Sounds like this took a lot of work to figure out, well done.

Any comment on reporting to Microsoft or perhaps motivation for this research?

anyfoo1y ago

So called "post-exploit" mitigations are practically always only hardening, i.e. making subsequent attacks harder (and fewer). Ideally much harder. But if you want an absolutely, provably (within limits, i.e. halting problem etc.) secure system, you have to eliminate bugs that can lead to any exploitable situations beforehand. In this case for example, that would mean no situation existing that could cause a buffer overflow in the first place. Memory-safe languages help for this case.

Obviously this is hard, so post-exploit mitigations will likely continue to still make things harder for attackers for quite a while at least.

1 more reply

dang1y ago

(This text was originally part of https://news.ycombinator.com/item?id=42353276 but that got killed by HN's software (bad), so I moved it here to the live post.)

daneel_w1y ago

Was your test install also fully updated, i.e. is your exploit currently valid?

wetw0rk1y ago

Yes the violet phosphorus technique works on the default configuration of the latest build :)

snvzz1y ago

>LONG LIVE THE STACK OVERFLOW!

The mitigation known as Shadow Stack might have something to say here.

wswope1y ago

Gonna have to give it a proper read-through over the weekend, but this looks like a stellar guide at a glance. Sincere thanks for sharing your work and looking forward to further entries in the series!

wetw0rk1y ago

Thank you!

gavinray1y ago

Expect game cheat developers to adopt this within the week.

MortyWaves1y ago

It’s good that it is so well written so that Microsoft know how to fix it

j / k navigate · click thread line to collapse

13 comments

wetw0rk1y ago

If you’re following my Windows Kernel Exploitation series the time to bypass modern mitigations is now.

We’ve learned how to exploit a Stack Overflow in Windows 7 (x86) but what has changed since then?

Truthfully a lot, but the core fundamental problem exists and as such we as hackers will always find a way to exploit them.

To prove its effectiveness, I installed the latest Windows 11 (x64) build (24H2) and successfully elevated my privileges to NT AUTHORITY/SYSTEM.

The king is dead, long live the king!

LONG LIVE THE STACK OVERFLOW!

cahoot_bird1y ago

Any comment on reporting to Microsoft or perhaps motivation for this research?

anyfoo1y ago

Obviously this is hard, so post-exploit mitigations will likely continue to still make things harder for attackers for quite a while at least.

1 more reply

dang1y ago

(This text was originally part of https://news.ycombinator.com/item?id=42353276 but that got killed by HN's software (bad), so I moved it here to the live post.)

daneel_w1y ago

Was your test install also fully updated, i.e. is your exploit currently valid?

wetw0rk1y ago

Yes the violet phosphorus technique works on the default configuration of the latest build :)

snvzz1y ago

>LONG LIVE THE STACK OVERFLOW!

The mitigation known as Shadow Stack might have something to say here.

wswope1y ago

wetw0rk1y ago

Thank you!

gavinray1y ago

Expect game cheat developers to adopt this within the week.

MortyWaves1y ago

It’s good that it is so well written so that Microsoft know how to fix it

j / k navigate · click thread line to collapse