We will …

Abusing GDI for ring0 exploit primitives: Reloaded. May 2017: a 0-day exploit for MS Word was detected in the wild (EPS exploit + kernel exploit (CVE-2017-0263)).

Arbitrary write, aka Write What Where (WWW): the result of exploiting a binary bug; write one value (controllable or not) at an arbitrary address.

Expanding upon our previous presentation "Abusing GDI for ring0 exploit primitives", first presented at Ekoparty 2015, this time we will show in detail another very effective way to leverage GDI objects from arbitrary writes for local privilege escalation.

This stops a guest operating system from taking over the host machine.

Arbitrary write: used a lot in kernel EoPs, usually combined with some kind of memory leak (bypass KASLR!). Ekoparty.

Friday, April 21, 2017. DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis. One week ago today, the Shadow Brokers (an unknown hacking entity) leaked the Equation Group's (NSA) FuzzBunch software, an exploitation framework similar to Metasploit.

The vulnerability was in a driver I was somewhat familiar with, ATFMD.SYS.

If the program tries to do something naughty like write to a forbidden register or memory address (because of paging), the CPU also calls some kernel callback handler in ring 0.

Monday, October 31, 2016. Abusing GDI for ring0 exploit primitives. Every once in a while I get to work on something special, something that leaves me with the keys to open new doors. A year later, at Ekoparty 2016, the second version of this talk was presented under the name "Abusing GDI for ring0 exploit primitives: Reloaded", in which a new technique was introduced to continue abusing GDI objects.

Only the OS kernel and device drivers run in ring 0. Allowing arbitrary code to run in ring 0 violates basic OS security principles. The hypervisor, being in ring -1, is protected from the operating systems running in ring 0.

Arbitrary write.

- The idea is to get … If you want to write ring 0 code, write a Windows device driver. But since the userland was naughty, the kernel might kill the process this time, or give it a warning with a signal. The hypervisor looks after one or more operating systems that live in ring 0.

Your PC's hidden creepy janitor
Not long ago I came across a certain font-related vulnerability; it was a 0-day being exploited in the wild.