Remote Windows Kernel Exploitation – Step Into the Ring 0
The original article can be found at: http://www.eeye.com/~data/publish/whitepapers/research/OT20050205.FILE.pdf
It was almost a decade ago when Solar Designer posted a message to the Bugtraq mailing list providing exploit code and detailing a remote buffer overflow in the product Website v1.1e for Windows NT.
This was probably the first published buffer overflow exploit for Windows. Over eight years have passed and almost every possible method and technique regarding Windows exploitation has been discussed in depth. Surprisingly, a topic that has yet to be touched on publicly is the remote exploitation of Win32 kernel vulnerabilities; a number of kernel vulnerabilities have been published, yet no exploit code has surfaced in the public arena.
It is predicted we will see more kernel vulnerabilities in the future, since more and more networking services are being implemented at the driver level. One good example of this is Internet Information Services, which now contains a network driver that performs processing of HTTP requests. With the release of XP SP2 and wide use of personal firewalls, many software and security companies are making claims of secure systems. Those wishing to disprove this claim are going to have to adapt to new methods of exploitation. But a firewall is a security product; therefore it must be secure, right? After all, it has been designed to protect against the very type of threats that are proposed here.
Don’t be discouraged though: if the last two years have shown us anything, it is that security solutions have the same bugs and vulnerabilities as every other piece of software out there.
Certainly, the developers of kernel code are of a very high caliber, and are few and far between. For this exact same reason, the code may not undergo the same level of peer scrutiny as that of a user based application. It only takes one mistake. In the article that follows, we will walk through the remote exploitation of a kernel-based vulnerability. The example used here was a flaw in the Symantec line of personal firewalls. The flaw existed due to incorrect handling of DNS responses. This issue was patched long ago, but it was chosen as it demonstrates certain obstacles relating to the communication layers that must be overcome when exploiting a host-based firewall.
Provided in the document are two shell code examples: the first is a kernel loader, which will allow you to plug in and execute any user-land code you wish; the second operates entirely at the kernel level. A keystroke logger is installed and the keystroke buffer may be retrieved from a remote system. This example demonstrates more of an old school software crack than that of network shell code. This article assumes the reader has knowledge of x86 assembler language, and previous experience with Win32 exploitation.