A New CVE-2015-0057 Exploit Technology

Recommendations

Info

64-bit <strong>Exploit</strong> Method 1. Use the U-A-F tagPROPLIST object's Out-Of-Bounds write capabilities to manipulate Zombie tagPROPLIST's properties. 2. Use the corrupted Zombie tagPROPLIST object to rewrite the adjacent tagWND object's ppropList field. 3. Point the tagWND.ppropList field to a fake tagPROPLIST object containing use-controlled 'invalid' values. 4. Use the Zombie tagPROPLIST and the misaligned tagPROPLIST object alternately. 5. With tagWND's rgItems field fully under control, the exploit code achieves arbitrary kernel memory read and write.
Obstacles Solutions 1. Using the Zombie tagPROPLIST and the crafted, fake tagPROPLIST object alternately to modify the rgItems and cItems fields of tagMENU means that obstacle 1 is solved. 2. Having full control over the cEntries and iFirstFree fields of the Zombie tagPROPLIST object means that obstacle 2 is solved.
Page 1 and 2: A New CVE-2015-0057 Exploit Technol
Page 3 and 4: Introduction - About me (yu.wang@fi
Page 5 and 6: Part Two Background of the Vulnerab
Page 7 and 8: Timeline 2015 July December 2016 -
Page 9 and 10: The Old-school Kernel Attack Surfac
Page 11 and 12: Which Object Can Be Used? 1 typedef
Page 13 and 14: tagPROP and InternalSetProp Pseudoc
Page 15 and 16: Two Obstacles 1. The write ability
Page 17 and 18: NCC Group's 32-bit Exploit Method 1
Page 19 and 20: NCC Group's 64-bit Exploit Method 1
Page 21 and 22: Part Four A New CVE-2015-0057 Explo
Page 23 and 24: Obstacles Solutions 1. The full con
Page 25: Misaligned tagPROPLIST +-> | | | |
Page 29 and 30: DEMO - A New CVE-2015-0057 Exploit
Page 31 and 32: Other Problems - Heap Data Repair -
Page 33 and 34: Dead Code? 1 /* 2 * update the disp
Page 35 and 36: MS15-010
Page 37 and 38: User32!gSharedInfo
Page 39 and 40: Think Deeply - Win32K subsystem's l
Page 41: Q&A yu.wang@fireeye.com

A New CVE-2015-0057 Exploit Technology

Create successful ePaper yourself

Delete template?

Save as template?