Saturday, October 28, 2017

kex - python kernel exploit library - major update

I made a major update to my Python kernel exploitation 'library' (kex). In short:

  • GDI abuse functions (original source:
  • Wrapper functions for GDI abuse to mask the platform (Will work from Win7x64 to Win10x64 v1703 universally using different methods based on the platform)
  • Calculate bitmap sizes based on platform (Win7x64 SP1 - Win10 v1607)
  • Added lots of x64 struct constants (KTHREAD_Process, EPROCESS_ActiveProcessLinks, EPROCESS_UniqueProcessId, EPROCESS_Token)
  • Lot's of comments
I also uploaded an example to show how it can ease exploit development. The use case is the HackSysExtremeVulnerbaleDriver Arbitrary overwrite, where it will do it with GDI abuse. Under the hood it will do different techniques related to the platform.


Some items from my todo list:
  • pool spraying with bitmaps
  • PALETTE objects
  • other kernel pool spraying techniques
  • enable GDI abuse techniques for x86
If I made any errors submit a pull request or leave a comment.

No comments: