Abusing GDI for ring0 exploit primitives

Not long ago I came across a certain font-related vulnerability: a 0day being exploited in the wild. The vulnerability was in a driver I was somewhat familiar with [1], ATMFD.SYS. What caught my eye this time was how the exploit obtained SYSTEM privileges in a very elegant and clean way. The technique works by patching the kernel structure that represents a bitmap (SURFOBJ), turning it into a powerful arbitrary read/write primitive. Alex Ionescu touched on the subject of Win32k shared memory regions in his excellent 2013 talk [2], but he didn't mention this one; in fact, the only previous mention of this technique I could find was by Keen Team in June 2015 [5].

brought to you by the Kicks Network