Windows SMEP bypass: U=S

With the emergence of Intel's "Supervisor Mode Execution Prevention" (SMEP) feature and its adoption in Windows 8 as a default exploit mitigation, local kernel exploitation techniques had to be updated to keep pace. A well-known technique is turning off SMEP by ROPing to clear bit 20 of the CR4 register. From Windows 2000 to Windows 10, Microsoft "forgot" to randomize the most basic and important structures of the operating system, unchanged since the Intel 80386 CPU. In this presentation we show how we combined a third-party kernel driver vulnerability with a kernel MMU flaw in order to bypass this security feature on "Windows 10 64 bits" by abusing the paging mechanism.