Windows SMEP bypass: U=S
Friday, October 23, 2015
With the arrival of Intel's "Supervisor Mode Execution Prevention" (SMEP) feature and its adoption in Windows 8 as a default exploit mitigation, local kernel exploitation techniques had to be updated to keep pace. The best-known bypass is to turn SMEP off altogether by ROPing into kernel code that clears bit 20 of the CR4 register (CR4.SMEP). This talk takes a different route. From Windows 2000 through Windows 10, Microsoft "forgot" to randomize the most basic and important structures of the operating system, the paging structures the CPU has used since the Intel 80386: the page tables live at fixed, predictable kernel addresses. We show how we combined a third-party kernel driver vulnerability with this kernel MMU weakness to bypass SMEP on 64-bit Windows 10 by abusing the paging mechanism itself: instead of touching CR4, the User/Supervisor bit of the page holding the user-mode payload is flipped to Supervisor (U=S), so the CPU no longer considers the page user memory and SMEP has nothing to enforce.
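The two bypass routes the abstract contrasts, as an added example that is not the authors' code. It models the relevant bits of CR4 and of an x64 page-table entry, decodes the four 4-level paging indexes of a virtual address, and computes where the PTE for a given address is mapped through the page-table self-map. The self-map base constant is not stated on the page; it is the fixed value x64 Windows used before the Anniversary Update randomized it, and the function takes it as a parameter so the reader can substitute another value. The CR4 and PTE sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* CR4.SMEP: when set, an instruction fetch at CPL 0 from a user page (U/S = 1) faults. */
#define CR4_SMEP      (1ULL << 20)

/* x64 page-table entry bits that matter here. */
#define PTE_PRESENT   (1ULL << 0)
#define PTE_USER      (1ULL << 2)   /* U/S: 1 = user accessible, 0 = supervisor only */
#define PTE_NX        (1ULL << 63)

/* Classic bypass: the value CR4 would take after a ROP chain clears bit 20. */
uint64_t cr4_disable_smep(uint64_t cr4) { return cr4 & ~CR4_SMEP; }

/* U=S bypass: leave CR4 alone, flip the payload page's U/S bit to Supervisor. */
uint64_t pte_make_supervisor(uint64_t pte) { return pte & ~PTE_USER; }

int pte_is_user(uint64_t pte) { return (pte & PTE_USER) != 0; }

/* Does SMEP block a CPL-0 instruction fetch from the page this leaf PTE maps?
 * Simplification: the CPU ORs U/S across all paging levels; only the leaf is
 * modelled here. NX is a separate check and is ignored on purpose. */
int smep_blocks_fetch(uint64_t cr4, uint64_t pte) {
    return (cr4 & CR4_SMEP) && (pte & PTE_PRESENT) && (pte & PTE_USER);
}

/* 4-level paging: 9-bit index per level, 12-bit page offset. */
unsigned pml4_index(uint64_t va) { return (unsigned)((va >> 39) & 0x1FF); }
unsigned pdpt_index(uint64_t va) { return (unsigned)((va >> 30) & 0x1FF); }
unsigned pd_index(uint64_t va)   { return (unsigned)((va >> 21) & 0x1FF); }
unsigned pt_index(uint64_t va)   { return (unsigned)((va >> 12) & 0x1FF); }

/* Historical fixed PTE base (PML4 self-map slot 0x1ED) on x64 Windows before
 * it was randomized; not taken from the abstract, supplied here as an assumption. */
#define PTE_BASE_PRE1607 0xFFFFF68000000000ULL

/* Address of the leaf PTE for `va`: base + 8 * (36-bit virtual page number).
 * This is why "forgot to randomize" matters: the attacker can compute the PTE
 * address of the payload page without any information leak. */
uint64_t pte_va_of(uint64_t pte_base, uint64_t va) {
    return pte_base + (((va >> 12) & 0xFFFFFFFFFULL) << 3);
}

int main(void) {
    uint64_t cr4 = 0x1706f8ULL;                      /* constructed: SMEP (bit 20) set */
    uint64_t pte = 0x8000000012345867ULL;            /* constructed: present, user, NX */
    uint64_t payload_va = 0x7FF00010000ULL;          /* constructed user-mode address */

    printf("SMEP blocks fetch:          %d\n", smep_blocks_fetch(cr4, pte));
    printf("after clearing CR4.SMEP:    %d\n", smep_blocks_fetch(cr4_disable_smep(cr4), pte));
    printf("after U=S on the PTE:       %d\n", smep_blocks_fetch(cr4, pte_make_supervisor(pte)));
    printf("PML4/PDPT/PD/PT indexes:    %u/%u/%u/%u\n", pml4_index(payload_va),
           pdpt_index(payload_va), pd_index(payload_va), pt_index(payload_va));
    printf("PTE address via self-map:   0x%016llX\n",
           (unsigned long long)pte_va_of(PTE_BASE_PRE1607, payload_va));
    return 0;
}
```

The decisive difference between the two routes is the write primitive each needs: clearing CR4 requires executing kernel code (a ROP chain), whereas U=S needs only a single controlled write to a kernel address that, on the affected Windows versions, is computable from the payload address alone.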