@_niklasb I guess you already know the technical details, but I only got around to it now, so FYI in case you're interested. :) the exploit code is at https://gist.github.com/j00ru/2347cf937366e61598d1140c31262b18 https://twitter.com/j00ru/status/1019595401769422852
Replying to @j00ru
Nice writeup!
> with the write-what-where primitive in hand, executing ring-0 shellcode should be just a formality
Really, at low integrity? Should require an "0day" GDI infoleak or similar, no?
Replying to @_niklasb
Thanks, and good question. I mostly meant it as "formality at Medium", but I guess even at low integrity you could leak the addresses of IDT/GDT and attack them, depending on how Windows was running (VM / bare metal etc.)
Not to mention there are many "0-day" kernel address leaks from the pools that Microsoft fixes only in the next version of Windows, like https://bugs.chromium.org/p/project-zero/issues/detail?id=1456 or some similar bugs.