6. Pool corruption
• Pools are memory regions for kernel mode code
• Used by drivers and kernel software
• Standard heap management
• Minimal protection, performance optimization
• Pool corruption: Writing over the end of your
allocated region
8. Attacking the pool (I)
• Windows file sharing listens on port 445 for
imcoming SMB connections
• Network stack is kernel mode code (srvnet.sys)
• Incoming network data is stored in kernel mode
buffer from the non-paged pool
• Problem: Heap allocation ‚fills the holes‘
9. Attacking the pool (II)
• Approach: Allocate large chunks in pool
• Leads to ‚de-randomization‘
• Large chunks become aligned one after the
other
• Exploit triggers this by opening multiple SMB
connections and sending large packages
(grooming)
10. Overflow
• Send large initial SMB1 package
• Kernel needs to store received data
• srvnet.sys allocates space in non-paged pool
• Grooming
• First connection is closed, leaving adjacent hole
• Sending of overflow data, hole is used
11. Overflow
• Overflow overwrites SMB data structure stored in
subsequent memory
• struct SRVNET_POOLHDR
• Contains a pointer being called when finalizing a
SMB request
• If accidental overwriting is done right, then the
callback target is the data we sent before
• Close connection, kernel stack calls our function