Windows
We've performed research on how to bypass memory corruption mitigations found in Windows 10 RS2/RS3 and achieve privilege escalation through a data-only attack based on GDI primitives. Our research results were presented at the OffensiveCon 2018 conference.
Linux
Linux kernel allocator study:
Vulnerabilities we have discovered in the Linux kernel:
- Linux kernel SUNRPC off-by-two buffer overflow [official report] [CENSUS advisory]
MacOS XNU
At the 34th Chaos Communication Congress we presented our work on iOS kernel debugging, reverse engineering, and the implementation of a kernel exploit for the MacOS XNU kernel similar to the one used in the evasion7 jailbreak.
FreeBSD
We have investigated in depth the exploitation of kernel vulnerabilities on the FreeBSD operating system. Our research on this subject is divided into three parts.
The first part covers the exploitation of kernel stack overflow vulnerabilities. To help vulnerability researchers explore the FreeBSD kernel, we have prepared a step-by-step debugging guide in the following article:
Our development process for FreeBSD kernel stack exploits has been documented in the article below:
Detailed results on the subject, along with a hands-on workshop, were presented at the University of Piraeus Software Libre Society Event #16 on Computer Security:
- FreeBSD Kernel Stack Overflows [slides (in Greek)]
The second part of our research focuses on a security analysis of the Universal Memory Allocator (UMA), the FreeBSD kernel's memory allocator. We demonstrate how UMA overflows can lead to arbitrary code execution in the context of the FreeBSD kernel, and we develop an exploitation methodology for privilege escalation and kernel continuation:
- Exploiting UMA, FreeBSD's Kernel Memory Allocator [Phrack Volume 0x0d, Issue 0x42]
Our definitive all-inclusive work on the subject of FreeBSD kernel exploitation was presented in Barcelona at Black Hat Europe 2010 Briefings. The talk included an exploitation demo of a 0-day vulnerability we had discovered (CVE-2010-2020):
- Binding the Daemon: FreeBSD Kernel Stack and Heap Exploitation, Black Hat Europe 2010 Briefings [slides] [white paper] [source code]
The third part of our research consists of vulnerabilities that we have discovered in the FreeBSD kernel and the reliable exploits we have developed for them.
- FreeBSD kernel nfsclient vulnerabilities (CVE-2010-2020) [official advisory] [CENSUS advisory] [nfs_mount() exploit] [mountnfs() exploit]
We have also developed exploits for known FreeBSD kernel vulnerabilities, such as the following:
- cve-2008-3531-kernelcode.s: Kernel shellcode for vulnerability CVE-2008-3531
- cve-2008-3531.c: Exploit for vulnerability CVE-2008-3531
OpenSolaris
Proof-of-concept exploits for known vulnerabilities of the OpenSolaris kernel.
- cve-2010-0453.c: Exploit for vulnerability CVE-2010-0453