A New CVE-2015-0057 Exploit Technology

Recommendations

Info

32-bit <strong>Exploit</strong> Method 1. Use the U-A-F tagPROPLIST object's Out-Of-Bounds write capabilities to manipulate Zombie tagPROPLIST's properties. 2. Use the corrupted Zombie tagPROPLIST object to rewrite the adjacent tagMENU object's rgItems and cItems fields. 3. tagWND's rgItems field fully under control means that the exploit code achieves arbitrary kernel memory read and write.
Obstacles Solutions 1. The full control of the tagMENU.rgItems and tagMENU.cItems fields means obstacle 1 is solved. 2. The full control of the Zombie tagPROPLIST object means obstacle 2 is solved. U-A-F tagPROPLIST cEntries && iFirstFree Zombie tagPROPLIST 1 cEntries && iFirstFree 2 tagMENU 3 ThunkedMenuItemInfo Routine tagMENU.cItems tagMENU.rgItems …… Arbitrary Write 5 Arbitrary Read 4
Page 1 and 2: A New CVE-2015-0057 Exploit Technol
Page 3 and 4: Introduction - About me (yu.wang@fi
Page 5 and 6: Part Two Background of the Vulnerab
Page 7 and 8: Timeline 2015 July December 2016 -
Page 9 and 10: The Old-school Kernel Attack Surfac
Page 11 and 12: Which Object Can Be Used? 1 typedef
Page 13 and 14: tagPROP and InternalSetProp Pseudoc
Page 15 and 16: Two Obstacles 1. The write ability
Page 17 and 18: NCC Group's 32-bit Exploit Method 1
Page 19 and 20: NCC Group's 64-bit Exploit Method 1
Page 21: Part Four A New CVE-2015-0057 Explo
Page 25 and 26: Misaligned tagPROPLIST +-> | | | |
Page 27 and 28: Obstacles Solutions 1. Using the Zo
Page 29 and 30: DEMO - A New CVE-2015-0057 Exploit
Page 31 and 32: Other Problems - Heap Data Repair -
Page 33 and 34: Dead Code? 1 /* 2 * update the disp
Page 35 and 36: MS15-010
Page 37 and 38: User32!gSharedInfo
Page 39 and 40: Think Deeply - Win32K subsystem's l
Page 41: Q&A yu.wang@fireeye.com

A New CVE-2015-0057 Exploit Technology

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?