GDT and LDT in Windows kernel vulnerability exploitation

Abstract: This paper describes some possible ways of exploiting kernel-mode write-what-where vulnerabilities in a stable manner, on Microsoft Windows NT-family systems. The techniques presented in this document are mostly based on altering processor-specific structures (such as the Global Descriptor Table and Local Descriptor Table). This publication does not cover any revolutionary 0-day bugs, nor does it characterize any new vulnerability class. However, it aims to show some interesting methods that could be employed by exploit developers, in order to gain more stability in comparison to existing techniques. Moreover, all hardware-specific information included in this paper is only confirmed to be valid on 32-bit x86 platforms.

Download: call_gate_exploitation.pdf
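The abstract says the techniques rest on altering the GDT and LDT with a kernel write-what-where primitive. The descriptor that matters for a call-gate approach on 32-bit x86 is an 8-byte system descriptor, so the attacker-controlled "what" is eight bytes and the "where" is an unused slot in the GDT. The following C is an added example, not code from the paper: it packs and unpacks a 32-bit call gate exactly as the x86 architecture defines it, builds the far-call selector that would reference the slot, and stores the result into a constructed in-process array standing in for the GDT. Nothing here touches the real GDT or runs privileged code. The target selector 0x08, the target offset 0x80401000 and the free slot index 0x40 are assumed illustrative values, not facts from the paper.

```c
/* Added example (not from the paper): x86 32-bit call-gate descriptor
 * packing/unpacking, plus the far-call selector that indexes the slot.
 * fake_gdt is a constructed array that stands in for the real GDT. */
#include <stdint.h>
#include <stdio.h>

#define GATE_TYPE_CALL32 0xCu   /* system descriptor type: 32-bit call gate */
#define SEG_PRESENT      (1u << 7)
#define GDT_ENTRIES      128    /* size of the constructed stand-in table */

static uint64_t fake_gdt[GDT_ENTRIES];   /* all slots empty (P bit clear) */

struct call_gate {
    uint32_t offset;       /* target EIP inside the target code segment */
    uint16_t selector;     /* target code-segment selector */
    unsigned dpl;          /* least-privileged ring allowed to call through */
    unsigned present;
    unsigned type;
    unsigned param_count;  /* dwords copied to the new stack on entry */
};

/* Pack a 32-bit call gate. Layout (low dword / high dword):
 *   bits  0-15  offset[15:0]     bits 16-31  selector
 *   bits 32-36  param count      bits 40-43  type, 45-46 DPL, 47 P
 *   bits 48-63  offset[31:16]
 * Using DPL=3 is what lets a ring-3 far call go through the gate. */
uint64_t make_call_gate(uint32_t offset, uint16_t selector, unsigned dpl)
{
    uint32_t lo = ((uint32_t)selector << 16) | (offset & 0xFFFFu);
    uint32_t access = SEG_PRESENT | ((dpl & 3u) << 5) | GATE_TYPE_CALL32;
    uint32_t hi = (offset & 0xFFFF0000u) | (access << 8) | 0u; /* param count 0 */
    return ((uint64_t)hi << 32) | lo;
}

struct call_gate decode_call_gate(uint64_t d)
{
    uint32_t lo = (uint32_t)d, hi = (uint32_t)(d >> 32);
    struct call_gate g;
    g.offset      = (hi & 0xFFFF0000u) | (lo & 0xFFFFu);
    g.selector    = (uint16_t)(lo >> 16);
    g.param_count = hi & 0x1Fu;
    g.type        = (hi >> 8) & 0xFu;
    g.dpl         = (hi >> 13) & 3u;
    g.present     = (hi >> 15) & 1u;
    return g;
}

/* Segment selector: index<<3 | TI (0 = GDT, 1 = LDT) | RPL.
 * A ring-3 caller uses RPL=3; the CPU checks max(CPL, RPL) <= gate DPL. */
uint16_t make_selector(unsigned index, int in_ldt, unsigned rpl)
{
    return (uint16_t)((index << 3) | ((in_ldt ? 1u : 0u) << 2) | (rpl & 3u));
}

/* The single aligned 8-byte store a write-what-where primitive would make
 * at gdt_base + index*8. Refuses slot 0 (null descriptor) and any slot
 * whose P bit is already set, so a live descriptor is never clobbered. */
int install_gate(uint64_t *gdt, unsigned index, uint64_t gate)
{
    if (index == 0 || index >= GDT_ENTRIES) return 0;
    if (decode_call_gate(gdt[index]).present) return 0;
    gdt[index] = gate;
    return 1;
}

/* Would a ring-3 far call through this descriptor be accepted by the CPU? */
int is_usable_call_gate(uint64_t d)
{
    struct call_gate g = decode_call_gate(d);
    return g.present && g.type == GATE_TYPE_CALL32 && g.dpl == 3 && g.selector != 0;
}

int main(void)
{
    /* Assumed values: 0x08 as the ring-0 code selector, 0x80401000 as the
     * target address, slot 0x40 as an unused GDT entry. */
    uint64_t gate = make_call_gate(0x80401000u, 0x08, 3);
    unsigned slot = 0x40;
    printf("descriptor to write: 0x%016llx\n", (unsigned long long)gate);
    printf("installed in fake GDT: %d\n", install_gate(fake_gdt, slot, gate));
    printf("far-call selector from ring 3: 0x%04x\n", make_selector(slot, 0, 3));
    printf("usable from ring 3: %d\n", is_usable_call_gate(fake_gdt[slot]));
    return 0;
}
```

The decoder doubles as the check a practitioner wants before writing: scanning the real table for a slot whose P bit is clear is how to avoid overwriting a descriptor the kernel or a running process still depends on, which is the stability concern the abstract raises.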

