DATA-ONLY PWNING MICROSOFT WINDOWS KERNEL: EXPLOITATION OF KERNEL POOL OVERFLOWS ON MICROSOFT WINDOWS 8.1

Black Hat USA 2014

Presented by: Nikita Tarakanov
Date: Wednesday August 06, 2014
Time: 14:15 - 15:15
Location: South Seas CD

With each new version of the Windows OS, Microsoft enhances security by adding mitigation mechanisms, so kernel-land vulnerabilities are becoming more and more valuable. For example, the easy way to escape from a sandbox is by using a kernel vulnerability. That is why Microsoft strives to enhance the security of the Windows kernel.

The kernel pool allocator plays a significant role in the security of the whole kernel. Since Windows 7, Microsoft has been enhancing the security of the Windows kernel pool allocator. In Windows 8, Microsoft eliminated almost all reliable (previously published) techniques for exploiting kernel pool corruptions.

Microsoft then eliminated the "0xBAD0B0B0" technique in Windows 8.1, and at the moment there is no easy technique for exploiting pool overflows on Windows 8.1.

The brand new exploitation technique uses some tricks to convert a pool overflow into several primitives:

  1. Arbitrary memory read/write
  2. Hijack of execution flow
  3. Adjacent read/write

This talk presents a new technique for exploiting pool overflows, with a very interesting effect: elevating privileges without executing any kernel shellcode or using ROP.

Nikita Tarakanov

I am an independent information security researcher. I have worked as an IS researcher at Positive Technologies, Vupen Security, and CISS. I like writing exploits, especially for the Windows NT kernel. I won the PHDays Hack2Own contest in 2011 and 2012. I tried to hack Google Chrome during Pwnium 2 but failed. I have published a few papers about kernel-mode drivers and their exploitation. I am currently engaged in reverse engineering research and vulnerability search automation.
