Jailbreak for Windows RT


    A little more than two months after Windows RT shipped, the long-awaited jailbreak for it has appeared online. A vulnerability was found in the Windows kernel that allows unsigned desktop applications to run. Unfortunately, the jailbreak is tethered: the patch lives only in kernel memory, so after a reboot it turns back into a pumpkin and has to be applied again.
    Amusingly, the vulnerability was found on desktop Windows 8 first and only then carried over to Windows RT. Read more about that process here.

    Installation


    The jailbreak procedure itself is not trivial: you need a computer with Windows 8 and Visual Studio 2012. But a craftsman on XDA has made it possible to do everything directly on the device:
    • Download the archive and unzip it on the device
    • Run runExploit.bat
    • Follow the on-screen instructions
    • When "Please press VOLUME DOWN now." appears on the screen, press the volume-down button


    Let me remind you that Windows RT is the Windows 8 edition for ARM devices such as the Microsoft Surface.

    And how does it all actually work?


    The text below is a loose retelling of Circumventing Windows RT's Code Integrity Mechanism. I have left out many details, because this is a Friday post :)


    In the Windows kernel, the minimum signing level required of an executable image is held in a global variable. On Windows 8 its value is 0 (Unsigned), i.e. Windows does not require a digital signature to run an application; on Windows RT it is 8 (Microsoft). The whole jailbreak boils down to simply zeroing that variable. It sounds simple.
    In practice it is very hard to do, because Windows Store applications may only use signed binaries, and from such an application you cannot obtain the security context needed to attach to other processes.
    But here Microsoft met them halfway by releasing a remote debugger for Windows RT that happily attaches to desktop processes. With it you can attach to
    the CSRSS process and modify its memory directly. CSRSS (through winsrv.dll) in turn calls the vulnerable kernel function NtUserSetInformationThread.
    One of these call sites (in winsrv.dll, Thumb code). The four registers carry the arguments of NtUserSetInformationThread(ThreadHandle, ThreadInformationClass, ThreadInformation, ThreadInformationLength) in R0..R3, as the ARM calling convention requires:
    TerminalServerRequestThread+0x230
        MOVS R3, #0xC                      ; ThreadInformationLength = 12
        ADD  R2, SP, #0x58                 ; ThreadInformation = buffer on the stack
        MOVS R1, #9                        ; ThreadInformationClass = 9
        MOV  R0, 0xFFFFFFFE                ; ThreadHandle = -2, the current-thread pseudo-handle
        BL   NtUserSetInformationThread
    

    With a breakpoint set there, we can overwrite the structure that R2 points to just before NtUserSetInformationThread is called, so the kernel operates on data we control.
    The kernel's base address is also required (the variable's address is kernel base plus a build-specific offset). It can be obtained by calling NtQuerySystemInformation, which with the SystemModuleInformation class returns a list of all loaded kernel modules and their base addresses.
    All that remains is to inject our code into winsrv.dll (a mostly empty page at offset 0x10800 is used for this) and, once the breakpoint fires, point the instruction pointer (PC on ARM) at the start of our code.
    That's all :)
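    The kernel-base step above, as an added example that is not part of the original post or of the jailbreak's own code: a small C program that parses the buffer NtQuerySystemInformation returns for the SystemModuleInformation class and picks out the kernel's ImageBase. The parser is exercised on a constructed buffer so it runs anywhere; the live query is compiled only on Windows. It assumes the 32-bit structure layout (Windows RT is 32-bit ARM) and the kernel image name ntoskrnl.exe, neither of which the post states.

```c
/* Added example, not from the original post or from the jailbreak itself:
 * find the kernel's load address from user mode with
 * NtQuerySystemInformation(SystemModuleInformation), the step the post uses
 * to locate the signing-level variable. The buffer parser is portable and is
 * exercised on a constructed buffer; the live query compiles only on Windows.
 * Assumed: the 32-bit structure layout (Windows RT is 32-bit ARM; a 64-bit
 * host has 8-byte pointers and a different layout) and the module name
 * "ntoskrnl.exe". Neither is stated in the post. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RTL_PROCESS_MODULES: ULONG NumberOfModules, then an array of
 * RTL_PROCESS_MODULE_INFORMATION (284 bytes each on 32-bit):
 *   0 Section  4 MappedBase  8 ImageBase  12 ImageSize  16 Flags
 *  20 LoadOrderIndex  22 InitOrderIndex  24 LoadCount  26 OffsetToFileName
 *  28 FullPathName[256] (NUL terminated; OffsetToFileName indexes the base name) */
#define MODINFO_SIZE 284u
#define OFF_IMAGEBASE 8u
#define OFF_FILENAME 26u
#define OFF_PATH 28u
#define PATH_LEN 256u

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Walk a SystemModuleInformation buffer of `len` bytes and return the
 * ImageBase of the module whose file name equals `name` (case-insensitive),
 * or 0 if absent. Bounds are checked so a truncated buffer is never overread. */
uint32_t find_module_base(const uint8_t *buf, size_t len, const char *name)
{
    if (len < 4) return 0;
    uint32_t n = rd32(buf);
    for (uint32_t i = 0; i < n; i++) {
        size_t off = 4 + (size_t)i * MODINFO_SIZE;
        if (off + MODINFO_SIZE > len) break;
        const uint8_t *m = buf + off;
        const char *path = (const char *)(m + OFF_PATH);
        uint16_t fn = rd16(m + OFF_FILENAME);
        if (fn >= PATH_LEN || memchr(path, 0, PATH_LEN) == NULL) continue;
        if (ieq(path + fn, name)) return rd32(m + OFF_IMAGEBASE);
    }
    return 0;
}

/* Constructed two-module buffer in the layout above (test data, not captured
 * from a device). Returns the number of bytes written, 0 if `cap` is too small. */
size_t build_sample_modules(uint8_t *out, size_t cap)
{
    static const struct { uint32_t base; const char *path; } mods[] = {
        { 0x80C00000u, "\\SystemRoot\\system32\\ntoskrnl.exe" },
        { 0x80F00000u, "\\SystemRoot\\System32\\win32k.sys" },
    };
    size_t need = 4 + 2 * MODINFO_SIZE;
    if (cap < need) return 0;
    memset(out, 0, need);
    wr32(out, 2);
    for (int i = 0; i < 2; i++) {
        uint8_t *m = out + 4 + i * MODINFO_SIZE;
        const char *slash = strrchr(mods[i].path, '\\');
        wr32(m + OFF_IMAGEBASE, mods[i].base);
        wr16(m + OFF_FILENAME, (uint16_t)(slash ? slash - mods[i].path + 1 : 0));
        strncpy((char *)m + OFF_PATH, mods[i].path, PATH_LEN - 1);
    }
    return need;
}

#ifdef _WIN32
#include <windows.h>
/* Live query: ask ntdll for the required size, allocate, query again.
 * Class 11 is SystemModuleInformation; 0xC0000004 is STATUS_INFO_LENGTH_MISMATCH. */
typedef LONG (WINAPI *NtQSI_t)(ULONG, PVOID, ULONG, PULONG);
uint32_t query_kernel_base(void)
{
    NtQSI_t q = (NtQSI_t)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQuerySystemInformation");
    ULONG need = 0;
    if (!q || q(11, NULL, 0, &need) != (LONG)0xC0000004 || need == 0) return 0;
    uint8_t *buf = malloc(need);
    uint32_t base = 0;
    if (buf && q(11, buf, need, &need) == 0) base = find_module_base(buf, need, "ntoskrnl.exe");
    free(buf);
    return base;
}
#endif

int main(void)
{
    uint8_t buf[4 + 2 * MODINFO_SIZE];
    size_t n = build_sample_modules(buf, sizeof buf);
    printf("sample: ntoskrnl.exe at 0x%08x\n", find_module_base(buf, n, "ntoskrnl.exe"));
#ifdef _WIN32
    printf("live:   ntoskrnl.exe at 0x%08x\n", query_kernel_base());
#endif
    return 0;
}
```

    Once the base is known, the variable's address is that base plus its offset inside the particular kernel build, which has to be recovered from the kernel actually running (it moves with every update); the post gives no offset, and this example deliberately does not invent one.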

    Conclusion


    For those who have read this far, here is a link to a post with a collection of programs compiled for ARM. Notepad++, 7-Zip and a VNC client are already there.
    You can also build software yourself; read this. If you need static libraries that are not in the Windows SDK, you can use this tool.
