A New CVE-2015-0057 Exploit Technology

Recommendations

Info

The Old-school Kernel Attack Surface <strong>Exploit</strong> Code 3 DestroyWindow(ScrollHandle) 5 Allocate Object 2 Ring-3 User Mode Callback Callback Return Ring-0 4 RtlpFreeHeap Win32k.sys Desktop Heap xxxEnableWndSBArrows 1 tagSBINFO Array . Size 6 7 xxxEnableWndSBArrows Use-After-Free chunk #02 chunk #02 Array . Size chunk #03 chunk #03 chunk #03 8 Arbitrary Memory Write …….. …….. ……..
Which Object Can Be Used? 1 typedef struct tagSBINFO { 2 INT WSBflags; 3 SBDATA Horz; 4 SBDATA Vert; 5 } SBINFO, *PSBINFO; 1 typedef struct tagPROPLIST { 2 UINT cEntries; 3 UINT iFirstFree; 4 tagPROP aprop[1]; 5 } SBINFO, *PSBINFO;
Page 1 and 2: A New CVE-2015-0057 Exploit Technol
Page 3 and 4: Introduction - About me (yu.wang@fi
Page 5 and 6: Part Two Background of the Vulnerab
Page 7 and 8: Timeline 2015 July December 2016 -
Page 9: The Old-school Kernel Attack Surfac
Page 13 and 14: tagPROP and InternalSetProp Pseudoc
Page 15 and 16: Two Obstacles 1. The write ability
Page 17 and 18: NCC Group's 32-bit Exploit Method 1
Page 19 and 20: NCC Group's 64-bit Exploit Method 1
Page 21 and 22: Part Four A New CVE-2015-0057 Explo
Page 23 and 24: Obstacles Solutions 1. The full con
Page 25 and 26: Misaligned tagPROPLIST +-> | | | |
Page 27 and 28: Obstacles Solutions 1. Using the Zo
Page 29 and 30: DEMO - A New CVE-2015-0057 Exploit
Page 31 and 32: Other Problems - Heap Data Repair -
Page 33 and 34: Dead Code? 1 /* 2 * update the disp
Page 35 and 36: MS15-010
Page 37 and 38: User32!gSharedInfo
Page 39 and 40: Think Deeply - Win32K subsystem's l
Page 41: Q&A yu.wang@fireeye.com

A New CVE-2015-0057 Exploit Technology

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?