Arbitrary Code Execution at Ring 0 using CVE-2018-8897

Just a few days ago, a new vulnerability allowing an unprivileged user to run #DB handler with user-mode GSBASE was found by Nick Peterson (@nickeverdox) and Nemanja Mulasmajic (@0xNemi). At the end of the whitepaper they published on triplefault.io, they mentioned that they were able to load and execute unsigned kernel code, which got me interested in…

Making the Perfect Injector: Abusing Windows Address Sanitization and CoW

By the end of this post, I aim to make an injector unlike any other: one that by design makes your DLL not debuggable from UM, makes your pages invisible to NtQueryVirtualMemory and NtReadVirtualMemory, and lets you execute code in target process without even having a valid handle; and while doing this I want it to be compatible with…

Escaping SMEP Hell: Exploiting Capcom Driver In a Safe Manner

Trapped in a SMEP disabled payload not being able to do anything reliably? You have come to the right place. I’ve seen so many people using Capcom driver in an unsafe manner that I wanted to make this post, simply explaining why some practices are incredibly unsafe and how we can fix this. When these problems are pointed out, the…

Splitting Data from Code, Forgotten x86 Feature: Segmentation

With the introduction of sTLB with Intel Nehalem, TLB splitting — once a reliable technique — became a thing of the past. Those who had to hook user-mode stealthily started looking into hypervisors; specifically EPT violations. However, implementing a hypervisor means implementing bloated, platform dependent code which is not the best way to go when you are trying to ship…