Skip to content

Latest commit

 

History

History
123 lines (113 loc) · 14.9 KB

MEMORY_CORRUPTION.md

File metadata and controls

123 lines (113 loc) · 14.9 KB

Windows Kernel Memory Corruption

2005

Link Title
https://cansecwest.com/core05/windowsremotekernel.pdf Remote Windows Kernel Exploitation

2006

Link Title
http://uninformed.org/index.cgi?v=3&a=4&t=sumry windows kernel-mode payload fundamentals

2007

Link Title
http://www.uninformed.org/?v=6&a=2&t=sumry exploiting 802.11 wireless driver vulnerabilities on windows

2008

Link Title
https://blogs.technet.microsoft.com/srd/2008/10/14/ms08-061-the-case-of-the-kernel-mode-double-fetch/ MS08-061 : The case of the kernel mode double-fetch

2009

Link Title
https://blogs.technet.microsoft.com/srd/2009/05/26/safe-unlinking-in-the-kernel-pool/ Safe Unlinking in the Kernel Pool

2010

Link Title
http://magazine.hitb.org/issues/HITB-Ezine-Issue-002.pdf (page 28) Windows Objects in Kernel Vulnerability Exploitation
http://magazine.hitb.org/issues/HITB-Ezine-Issue-003.pdf (pages 35 to 41) Reserve Objects in Windows 7

2011

Link Title
https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf Kernel Pool Exploitation on Windows 7
http://j00ru.vexillium.org/?p=690 Windows Kernel-mode GS Cookies and 1 bit of entropy
http://j00ru.vexillium.org/?p=762 Subtle information disclosure in WIN32K.SYS syscall return values
http://j00ru.vexillium.org/?p=769 nt!NtMapUserPhysicalPages and Kernel Stack-Spraying Techniques
http://j00ru.vexillium.org/?p=783 SMEP: What is it, and how to beat it on Windows
http://www.mista.nu/research/mandt-win32k-paper.pdf Kernel Attacks through User-Mode Callbacks
http://j00ru.vexillium.org/blog/04_12_11/Windows_Kernel_Address_Protection.pdf Windows Security Hardening Through Kernel Address Protection

2012

Link Title
http://hitcon.org/2012/download/0720A5_360.MJ0011_Reversing%20Windows8-Interesting%20Features%20of%20Kernel%20Security.pdf Reversing Windows8: Interesting Features of Kernel Security
http://mista.nu/research/smashing_the_atom.pdf Smashing The Atom: Extraordinary String Based Attacks
http://media.blackhat.com/bh-us-12/Briefings/Cerrudo/BH_US_12_Cerrudo_Windows_Kernel_WP.pdf Easy local Windows Kernel exploitation

2013

Link Title
https://labs.mwrinfosecurity.com/blog/mwr-labs-pwn2own-2013-write-up-kernel-exploit/ MWR Labs Pwn2Own 2013 Write-up - Kernel Exploit
http://www.alex-ionescu.com/?p=82 KASLR Bypass Mitigations in Windows 8.1
https://blogs.technet.microsoft.com/srd/2013/11/06/software-defense-safe-unlinking-and-reference-count-hardening/ Software defense: safe unlinking and reference count hardening

2014

Link Title
http://doar-e.github.io/blog/2014/03/11/first-dip-into-the-kernel-pool-ms10-058/ First Dip Into the Kernel Pool: MS10-058
https://labs.mwrinfosecurity.com/blog/windows-8-kernel-memory-protections-bypass/ Windows 8 Kernel Memory Protections Bypass
http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/ An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113)
http://www.alex-ionescu.com/?p=231 Sheep Year Kernel Heap Fengshui: Spraying in the Big Kids’ Pool

2015

Link Title
https://Fwww.nccgroup.trust/globalassets/newsroom/uk/blog/documents/2015/07/exploiting-cve-2015.pdf Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE 2015-0057) bug on both 32-bit and 64-bit
https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/2015/08/2015-08-27_-_ncc_group_-_exploiting_ms15_061_uaf_-_release.pdf Exploiting MS15-061 Microsoft Windows Kernel Use-After-Free (win32k!xxxSetClassLong)
https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/2015/09/2015-08-28_-_ncc_group_-_exploiting_cve_2015_2426_-_release.pdf Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit
https://www.coresecurity.com/blog/abusing-gdi-for-ring0-exploit-primitives Abusing GDI for ring0 exploit primitives
https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/OhFlorio-VB2015.pdf Duqu 2.0 Win32k exploit analysis

2016

Link Title
https://labs.bluefrostsecurity.de/publications/2016/01/07/exploiting-cve-2014-4113-on-windows-8.1/ Exploiting CVE-2014-4113 on Windows 8.1
https://www.coresecurity.com/blog/getting-physical-extreme-abuse-of-intel-based-paging-systems-part-1 Getting Physical: Extreme abuse of Intel based Paging Systems - Part 1
https://www.coresecurity.com/blog/getting-physical-extreme-abuse-of-intel-based-paging-systems-part-2-windows Getting Physical: Extreme abuse of Intel based Paging Systems - Part 2 - Windows
https://www.coresecurity.com/blog/getting-physical-extreme-abuse-of-intel-based-paging-systems-part-3-windows-hals-heap Getting Physical: Extreme abuse of Intel based Paging Systems - Part 3 - Windows HAL's Heap
https://labs.nettitude.com/blog/analysing-the-null-securitydescriptor-kernel-exploitation-mitigation-in-the-latest-windows-10-v1607-build-14393/ Analysing the NULL SecurityDescriptor kernel exploitation mitigation in the latest Windows 10 v1607 Build 14393
http://blog.rewolf.pl/blog/?p=1683 Leaking EPROCESS address of the specific SYSTEM processes
https://www.coresecurity.com/blog/ms16-039-windows-10-64-bits-integer-overflow-exploitation-by-using-gdi-objects MS16-039 - "Windows 10" 64 bits Integer Overflow exploitation by using GDI objects
https://github.com/IOActive/I-know-where-your-page-lives I Know Where Your Page Lives: Derandomizing the latest Windows 10 Kernel
https://securingtomorrow.mcafee.com/mcafee-labs/digging-windows-kernel-privilege-escalation-vulnerability-cve-2016-7255/ Digging Into a Windows Kernel Privilege Escalation Vulnerability: CVE-2016-7255
http://blog.trendmicro.com/trendlabs-security-intelligence/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild/ One Bit To Rule A System: Analyzing CVE-2016-7255 Exploit In The Wild
http://cvr-data.blogspot.co.uk/2016/11/windows-10-anniversary-update-gdi.html Windows 10 Anniversary Update: GDI handle management and vulnerabilities exploitation
http://cvr-data.blogspot.co.uk/2016/11/lpe-vulnerabilities-exploitation-on.html LPE vulnerabilities exploitation on Windows 10 Anniversary Update

2017

Link Title
https://sensepost.com/blog/2017/exploiting-ms16-098-rgnobj-integer-overflow-on-windows-8.1-x64-bit-by-abusing-gdi-objects/ Exploiting MS16-098 RGNOBJ Integer Overflow on Windows 8.1 x64 bit by abusing GDI objects
http://ricklarabee.blogspot.co.uk/2017/01/virtual-memory-page-tables-and-one-bit.html Virtual Memory, Page Tables, and One Bit - CVE-2016-7255
https://blogs.technet.microsoft.com/mmpc/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/ Hardening Windows 10 with zero-day exploit mitigations
https://labs.mwrinfosecurity.com/blog/a-tale-of-bitmaps/ A Tale Of Bitmaps: Leaking GDI Objects Post Windows 10 Anniversary Edition
https://improsec.com/blog//hardening-windows-10-with-zero-day-exploit-mitigations-under-the-microscope Hardening Windows 10 With Zero Day Exploit Mitigations Under The Microscope
https://improsec.com/blog//windows-kernel-shellcode-on-windows-10-part-1 Windows Kernel Shellcode on Windows 10 – Part 1
https://improsec.com/blog//windows-kernel-shellcode-on-windows-10-part-2 Windows Kernel Shellcode on Windows 10 – Part 2
https://improsec.com/blog//windows-kernel-shellcode-on-windows-10-part-3 Windows Kernel Shellcode on Windows 10 – Part 3
https://improsec.com/blog//windows-kernel-shellcode-on-windows-10-part-4-there-is-no-code Windows Kernel Shellcode on Windows 10 – Part 4 - There is No Code
https://blogs.technet.microsoft.com/mmpc/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/ Detecting and mitigating elevation-of-privilege exploit for CVE-2017-0005
http://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/profile/bugdemo.htm Bug Check From User Mode By Profiling
https://researchcenter.paloaltonetworks.com/2017/05/unit42-dissection-esteemaudit-windows-remote-desktop-exploit/ A Dissection of the “EsteemAudit” Windows Remote Desktop Exploit
https://labs.bluefrostsecurity.de/blog/2017/05/11/windows-10-hals-heap-extinction-of-the-halpinterruptcontroller-table-exploitation-technique/ Windows 10 HAL’s Heap – Extinction of the "HalpInterruptController" Table Exploitation Technique
https://risksense.com/wp-content/uploads/2018/05/White-Paper_Eternal-Blue.pdf ETERNALBLUE: Exploit Analysis and Port to Microsoft Windows 10
http://www.iceswordlab.com/2017/06/14/Automatically-Discovering-Windows-Kernel-Information-Leak-Vulnerabilities_en/ Automatically Discovering Windows Kernel Information Leak Vulnerabilities
https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security Analysis of the Shadow Brokers release and mitigation with Windows 10 virtualization-based security
https://blogs.technet.microsoft.com/srd/2017/06/20/tales-from-the-msrc-from-pixels-to-poc/ Tales from the MSRC: from pixels to POC
https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/ Eternal Champion Exploit Analysis
https://blogs.technet.microsoft.com/srd/2017/07/13/eternal-synergy-exploit-analysis/ Eternal Synergy Exploit Analysis
https://blogs.technet.microsoft.com/srd/2017/07/20/englishmansdentist-exploit-analysis/ EnglishmansDentist Exploit Analysis
https://sensepost.com/blog/2017/abusing-gdi-objects-for-ring0-primitives-revolution/ Abusing GDI Objects for ring0 Primitives Revolution
https://improsec.com/blog//data-only-attacks-are-still-alive Data Only Attacks Are Still Alive
https://www.blackhat.com/docs/us-17/wednesday/us-17-Schenk-Taking-Windows-10-Kernel-Exploitation-To-The-Next-Level%E2%80%93Leveraging-Write-What-Where-Vulnerabilities-In-Creators-Update-wp.pdf TAKING WINDOWS 10 KERNEL EXPLOITATION TO THE NEXT LEVEL – LEVERAING WRITE-WHAT-WHERE VULNERABILITIES IN CREATORS UPDATE
http://srcincite.io/blog/2017/09/06/sharks-in-the-pool-mixed-object-exploitation-in-the-windows-kernel-pool.html Sharks in the Pool :: Mixed Object Exploitation in the Windows Kernel Pool
https://googleprojectzero.blogspot.co.uk/2017/10/using-binary-diffing-to-discover.html Using Binary Diffing to Discover Windows Kernel Memory Disclosure Bugs
https://siberas.de/blog/2017/10/05/exploitation_case_study_wild_pool_overflow_CVE-2016-3309_reloaded.html Kernel Exploitation Case Study - "Wild" Pool Overflow on Win10 x64 RS2 (CVE-2016-3309 Reloaded)
https://blog.xpnsec.com/windows-warbird-privesc/ Kernel Exploit Demo - Windows 10 privesc via WARBIRD

2018

Link Title
https://sww-it.ru/2018-01-29/1532 Decrement Windows kernel for fun and profit
https://blog.quarkslab.com/reverse-engineering-the-win32k-type-isolation-mitigation.html Reverse Engineering the Win32k Type Isolation Mitigation