Pool Blade: A new approach for kernel pool exploitation

Abstract

In recent years many methods have been discussed regarding exploitation of pool overflow corruptions. Most of these methods are based on the architecture of Pool manager in windows. In this paper I am going to discuss a generic method that is based on kernel objects and not the pool manager and because of the nature of this technic it is possible to exploit pool overflow vulnerabilities easier and more reliable. So I Introduce Pool Blade helper class that let us exploit pool overflow in a very short time by just calling some interface and triggering the vulnerability. Pool blade and the technic discussed here is just supported by windows XP/2003/vista but it can be extended to support more recent windows operating systems.

 

Q: Why Pool blade?

A: Because this method is fast and reliable

 

Q: How much reliable?

A: By this technic we don’t corrupt anything so the exploit works 100%

 

Q: Fast?

A: You have a pool overflow, you can exploit it in 5 minutes by just knowing size the vulnerable buffer

 

Q: What is the impact?

A: Everyone can exploit local pool overflows on windows easily and reliably to get escalated privilege.

 

Q: What PoolBlade is not?

A: It cannot be used to exploit pool overflow on windows 7 and for small buffer sizes you should find another proper objects. And of course it can be used only in Non-paged pool.

Q: How it can be used?

A: You can use the PoolBlade helper class or read the document and implement more customized version for your own purpose. The method and the helper class is demonstrated by an antivirus driver vulnerability in the following research paper .

white-paper :

PoolBlade

exploit-code:

AhnlabV3MedCoreD

video :

 

 

The demonstrated vulnerability is about the Ahnlab V3 internet security product. Of course the vulnerability is reported to vendor a few month ago.

 

Final note :

as you may know our windows exploitation course which contain kernel exploitation is just released if you like you can take it now !

One thought on “Pool Blade: A new approach for kernel pool exploitation

Leave a Reply

Your email address will not be published. Required fields are marked *