Abusing GDI for ring0 exploit primitives: Evolution
The evolution of the latest Windows kernel exploitation techniques prompted a major effort by vendors to protect their software with exploit mitigations, including sandbox implementations in Chrome, Edge, Firefox and the latest Office versions.
At the same time, Microsoft increased its efforts to protect the Windows kernel, especially in Windows 10, adding important exploit mitigations in every release (above all in the Anniversary and Creators Updates). In 2015, the well-known Hacking Team incident leaked several kernel exploits that used new techniques for abusing GDI objects, which were explained in detail in the original talk “Abusing GDI for ring0 exploit primitives”. With the arrival of Windows 10 “Anniversary Update” (RS1), part of this technique was mitigated. One year later, new techniques for continuing to abuse GDI objects were presented in the second version of this talk.
In April of this year, with the arrival of Windows 10 “Creators Update” (RS2), part of this technique was mitigated again. Despite Microsoft's effort to mitigate this vector, the latest GDI object techniques remain as effective as the original techniques used on the versions prior to “Anniversary Update” (RS1).
In this new presentation, I'll explain how to use them to continue exploiting Windows 10 “Fall Creators Update” (RS3) in a reliable way. At the end, I'll show a demo in which I escape from the Microsoft Edge sandbox using the techniques explained in this talk.