The fifth and final blog post exploring the detailed exploitation of CVE-2018-8611.
Author: Aaron Adams
CVE-2018-8611 Exploiting Windows KTM Part 4/5 – From race win to kernel read and write primitive
The fourth of five blog posts exploring the detailed exploitation of CVE-2018-8611.
CVE-2018-8611 Exploiting Windows KTM Part 3/5 – Triggering the race condition and debugging tricks
The third of five blog posts exploring the detailed exploitation of CVE-2018-8611.
CVE-2018-8611 Exploiting Windows KTM Part 2/5 – Patch analysis and basic triggering
The second of five blog posts exploring the detailed exploitation of CVE-2018-8611.
CVE-2018-8611 Exploiting Windows KTM Part 1/5 – Introduction
The first of five blog posts exploring the detailed exploitation of CVE-2018-8611.
libtalloc: A GDB plugin for analysing the talloc heap
tl;dr This post is about a GDB plugin I wrote while researching the Samba exploitation earlier in 2015. There is a python script available. See the README for usage examples. Note that the plugin was thrown together while hacking on bugs. Introduction The Samba project developed a custom heap dubbed the “trivial allocator” aka talloc. A …
Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE-2015-0057) bug on both 32-bit and 64-bit
tl;dr Earlier this year I worked on an exploit for an interesting use-after-free vulnerability in win32k.sys (CVE-2015-0057) and was able to develop a reliable exploit on both 32-bit and 64-bit, affecting XP through Windows 8.1 (with a few exceptions). This writeup describes in detail how I approached exploitation on both architectures, which ended up being …
Some Notes About the Xen XSA-122 Bug
tl;dr This is a summary of a vulnerability in Xen I found earlier in 2015, and why it’s not very useful in practice. Basically you can leak small amounts of memory from the hypervisor stack, but due to the way the associated hypercall is compiled, it turns out you can’t reliably leak very useful information. …
Xen SMEP (and SMAP) Bypass
Introduction In a previous blog post [1] I talked about my experience exploiting the SYSRET bug on Xen. I noted that I was able to bypass SMEP, but was leaving the information for a future blog post because I wanted to do some additional research -- I thought the technique I found might be something …
Exploiting Samba CVE-2015-0240 on Ubuntu 12.04 and Debian 7 32-bit
tl;dr It was found that Ubuntu 12.04 32-bit and Debian 7 Samba binaries contained a stack layout that was suitable for exploiting the recent _netr_ServerPasswordSet bug. I was able to develop a reliable exploit that grants pre-authenticated remote root against both systems. Introduction On March 2, 2015 I posted a blog entry [1] discussing the …