diff --git a/content/24h2-nt-exploit/index.md b/content/24h2-nt-exploit/index.md index 3ef86fb..d4d620f 100644 --- a/content/24h2-nt-exploit/index.md +++ b/content/24h2-nt-exploit/index.md @@ -106,7 +106,7 @@ Source code for this tool can be [found on GitHub](https://github.com/exploits-f At this point we have enough to start building an actual exploit. We have bypassed KASLR and located the base address of the kernel in memory, and we have a vulnerability that allows us to write arbitrary data anywhere in the kernel. In prior versions of Windows it was possible to get the kernel address for a specific object by its handle, which could then be the target for corruption. The only kernel address we have now is the base address of the kernel, so we will need to start by corrupting global objects within the kernel. -## Building a Kernel Read +### Building a Kernel Read Our first task will be building a read primitive. With a write primitive already firmly in hand, having a read will fully open up the kernel for us to do whatever we want. To accomplish this we will need to find global in the kernel which we can target for corruption to create a read primitive. To look for candidates for this I went to the ever helpful [`NtQuerySystemInformation`](https://ntdoc.m417z.com/ntquerysysteminformation) syscall (long a source of KASLR leaks itself). The ideal situation would be to find a case where the syscall uses a global variable storing a pointer, reads the data pointed to by the global, and returns the read data to user mode.
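Review bot: the demotion of `## Building a Kernel Read` to `###` is only correct if the heading now nests under an `##` section that precedes it; the hunk's three lines of leading context show a paragraph but no parent heading, so please confirm the enclosing `##` (the exploit-building section this paragraph opens) exists in the surrounding file and that sibling subsections such as the write-primitive section use `###` as well, otherwise the table of contents will skip a level. While touching this region, the unchanged context line "we will need to find global in the kernel which we can target" is missing an article and would read better as "find a global in the kernel which we can target"; a one-word fix in the same commit would be cheaper than a follow-up.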