For many years, Windows drivers have been a great attack vector in order to elevate privileges and acquire kernel execution.
And for many years, Microsoft has been working to mitigate those attacks, increasing the security for each version of Windows.
A few years ago, Tarjei Mandt released his paper "Kernel Pool Exploitation on Windows 7", a must read that deobfuscate the pool internals, and presents a bunch of generic attacks against the pool.
All methods presented in this paper have been patched in Windows 8, and since then, exploitations through the Kernel Pool are quite difficult.
But this conference will focus on a subject that didn't change since Windows 7, and is very efficient when attacking the kernel pool : Pool spraying.
Windows API calls provides a lot of tools to make the pool predictible at 100%, making the attacks way easier to perform.
Leaking kernel adresses, defeating PoolCookie, exploiting a Pool Buffer overflow, everything is still possible.
The speaker will finally apply this to the real world, with a concrete case of vulnerable driver from Sophos Company, with a kernel pool overflow exploited on the last version of Windows leading to privilege escalation.
About Corentin BAYET @TheDuck
Corentin Bayet is a 20 years old french student at 42 born2code school and is currently in his final internship at Armature Technologies where he is working as a security researcher.
He has been particulary interested in applicative security and low levels exploitations.
Since he began working at Armature Technologies, he has been working on Windows kernel exploitations and mitigations, and developped multiple generic methods against ring 0.