A New CVE-2015-0057 Exploit Technology

Recommendations

Info

Obstacles Solutions 1. Manipulating the tagWND.pSBInfo field by pointing it to the tagWND.strName, and then rewriting tagWND's strName.Buffer field indirectly through SetScrollInfo means obstacle 1 is solved. 2. The full control of the Zombie tagPROPLIST object means obstacle 2 is solved. U-A-F tagPROPLIST cEntries && iFirstFree Zombie tagPROPLIST 1 cEntries && iFirstFree 2 tagWND tagWND.pSBInfo 3 SetScrollInfo Routine tagWND.strName.Buffer …… Arbitrary Write 5 Arbitrary Read 4
NCC Group's 64-bit <strong>Exploit</strong> Method 1. Overwrite Window Text 1 block's _HEAP_ENTRY based on the U-A- F tagPROPLIST object's Out-Of-Bounds write. 2. Reconstruct an ideal heap layout by using a specially crafted _HEAP_ENTRY for Window Text 1 and another faked _HEAP_ENTRY which is stored in Window Text 2. 3. Due to the fake _HEAP_ENTRY for Window Text 1, a free operation on Window Text 1 causes following tagWND object to be freed as well. 4. Rebuild a new tagWND object based on information leaked from User32!gSharedInfo. 5. Finally, having the tagWND's strName.Buffer field under control means that the exploit code is able to read and write arbitrary kernel memory.
Page 1 and 2: A New CVE-2015-0057 Exploit Technol
Page 3 and 4: Introduction - About me (yu.wang@fi
Page 5 and 6: Part Two Background of the Vulnerab
Page 7 and 8: Timeline 2015 July December 2016 -
Page 9 and 10: The Old-school Kernel Attack Surfac
Page 11 and 12: Which Object Can Be Used? 1 typedef
Page 13 and 14: tagPROP and InternalSetProp Pseudoc
Page 15 and 16: Two Obstacles 1. The write ability
Page 17: NCC Group's 32-bit Exploit Method 1
Page 21 and 22: Part Four A New CVE-2015-0057 Explo
Page 23 and 24: Obstacles Solutions 1. The full con
Page 25 and 26: Misaligned tagPROPLIST +-> | | | |
Page 27 and 28: Obstacles Solutions 1. Using the Zo
Page 29 and 30: DEMO - A New CVE-2015-0057 Exploit
Page 31 and 32: Other Problems - Heap Data Repair -
Page 33 and 34: Dead Code? 1 /* 2 * update the disp
Page 35 and 36: MS15-010
Page 37 and 38: User32!gSharedInfo
Page 39 and 40: Think Deeply - Win32K subsystem's l
Page 41: Q&A yu.wang@fireeye.com

A New CVE-2015-0057 Exploit Technology

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?