Abusing GDI for ring0 exploit primitives: Reloaded

Monday, October 31, 2016
Nicolas Economou, Diego Juarez
Ekoparty

Expanding upon our previous presentation "Abusing GDI for ring0 exploit primitives", first presented at Ekoparty 2015, this time we will show in detail another very effective way to leverage GDI objects from arbitrary writes for local privilege escalation. We will demonstrate how this technique can be used in the vast majority of arbitrary write scenarios, from single bit flips to full qword writes. We will also show that the technique is valid in every Windows version, 32-bit or 64-bit, and that it can be used to escape even from Low or AppContainer integrity levels (IE/Chrome/sandboxes). In short, we will present one of the longest-lived and most convenient ways to abuse kernel mode arbitrary writes known to date. We will demo the technique on Windows 10 64-bit v1607 (Anniversary Update), bypassing the latest Windows kernel exploit mitigation.