BlueHat-2019-Seattle

All the materials from BlueHat 2019 Seattle will be released here.

Pool Fengshui in Windows RDP Vulnerability Exploitation

Abstract:

Heap Fengshui is one of the most important techniques in userland vulnerability exploitation under modern mitigations, and Pool Fengshui plays the same role in Windows RDP vulnerability exploitation. In this talk, we will not only introduce three innovative methods for Pool Fengshui with RDP PDUs, but also explain how to find those Pool-Fengshui-friendly PDUs among the many legitimate PDUs described in the extensive RDP documentation. We will cover the details of how to construct three different PDUs in the RDP client, how the RDP server parses these PDUs, and what these PDUs look like in the server's kernel memory. We will also use BlueKeep (CVE-2019-0708) as an example to show how useful and universal these techniques are in Windows RDP vulnerability exploitation. Finally, we will show the BlueKeep exploit demo.