LPE vulnerabilities exploitation on Windows 10 Anniversary Update

Recommendations

Info

Arbitrary read/write via USER objects • It is possible to read/write different fields of menu items via WinAPI functions (GetMenuItemRect,GetMenuItemInfo/SetMenuItemInfo). • We can easily place tagWND before tagMENU in memory (because we can get addresses of both objects). • If tagWND.cbwndExtra was corrupted because of some vulnerability, we can read/write tagMENU.rgItems pointer via SetWindowLongPtr. • When pointer to rgItems was replaced to some arbitrary address, we can read/write it via menu items API.
• Arbitrary read Arbitrary read via USER objects 1. tagITEM structure is located on desktop heap. Windows API GetMenuItemInfo is using this fact to read item’s content from usermode. So, if we replaced tagITEM pointer in tagMENU to arbitrary kernel address, we have to use another api, which can get info from kernel mode. 2. GetMenuItemRect is able to do that, but it returns result in specific format. 3. GetMenuItemRect reads 2 fields – tagITEM.cxItem, tagITEM.cyItem, so we can calculate 64-bit value from 2 dwords.
Page 1 and 2: LPE vulner
Page 3 and 4: GDI handle table before updates •
Page 5 and 6: Usage of GDI objects addresses •
Page 7 and 8: GDI handle management after updates
Page 9 and 10: BYPASS METHODS
Page 11 and 12: Allocation of GDI and USER objects
Page 13 and 14: Objects/structures in Desktop heap
Page 15 and 16: Bypass methods Our methods are base
Page 17: Arbitrary read/write via USER objec
Page 21 and 22: Arbitrary write via USER objects BO
Page 23 and 24: Read/Write address corrections •
Page 25 and 26: Arbitrary read/write via user objec
Page 27 and 28: • Preparing memory and use old SU
Page 29 and 30: GDI structure address leak Getting
Page 31 and 32: Getting address of tagCLS.pdce We c
Page 33 and 34: Getting address of tagCLS.lpszMenuN
Page 35 and 36: Useful objects/structures in GDI po
Page 37 and 38: tagCLS.lpszMenuName spray advantage
Page 39 and 40: DEMO
Page 41 and 42: QUESTIONS?

LPE vulnerabilities exploitation on Windows 10 Anniversary Update

Create successful ePaper yourself

Delete template?

Save as template?