KERNEL EXPLOITATION

Windows

We've performed research on how to bypass memory corruption mitigations found in Windows 10 RS2/RS3 and achieve privilege escalation through a data-only attack based on GDI primitives. Our research results were presented at the OffensiveCon 2018 conference.

Linux

Linux kernel allocator study:

Vulnerabilities we have discovered in the Linux kernel:

MacOS XNU

We have presented at the 34th Chaos Communication Congress conference our work on iOS kernel debugging, reverse engineering and implementation of a kernel exploit similar to the one used in the evasion7 jailbreak for the MacOS XNU kernel.

FreeBSD

We have investigated in depth the exploitation of kernel vulnerabilities on the FreeBSD operating system. Our research on this subject is divided into three parts.

The first part covers the exploitation of kernel stack overflow vulnerabilities. In order to assist vulnerability researchers explore the FreeBSD kernel we have prepared a step-by-step debugging guide in the following article:

Our development process for FreeBSD kernel stack exploits has been documented in the article below:

Detailed results on the subject, along with a hands-on workshop, were presented at the University of Piraeus Software Libre Society Event #16 on Computer Security:

The second part of our research focuses on a security analysis of the Universal Memory Allocator (UMA), the FreeBSD kernel's memory allocator. We demonstrate how UMA overflows can lead to arbitrary code execution in the context of the FreeBSD kernel, and we develop an exploitation methodology for privilege escalation and kernel continuation:

Our definitive all-inclusive work on the subject of FreeBSD kernel exploitation was presented in Barcelona at Black Hat Europe 2010 Briefings. The talk included an exploitation demo of a 0-day vulnerability we had discovered (CVE-2010-2020):

The third part of our research consists of vulnerabilities that we have discovered in the FreeBSD kernel and the reliable exploits we have developed for them.

We have also developed exploits for known FreeBSD kernel vulnerabilities, such as the following:

OpenSolaris

Proof-of-concept exploits for known vulnerabilities of the OpenSolaris kernel.