LPE vulnerabilities exploitation on Windows 10 Anniversary Update

Recommendations

Info

Pros and Cons Pros: 1. Easy to implement. 2. Can be used under wow64 process and pure x64 process. 3. Access to full address space on x64. 4. Works under low integrity process. Cons (Limitation): 1. We need vulnerability, which can corrupt memory in desktop heap or vulnerability where we can write specific address (tagWND. cbwndExtra offset). 2. Desktop heap must be mapped in <strong>exploitation</strong> context.
• Preparing memory and use old SURFACE technique: GDI pool addresses leaks • We can leak addresses of some GDI structures or USER structures/data allocated on GDI pool. • We can find USER objects which are allocated on the GDI pool. • Based on both methods we can prepare memory for <strong>exploitation</strong>. • Main technique is allocation of GDI object (SURFOBJ) on place of freed object/structure which address we can get. Then we can use old SURFACE corruption technique. • Using of USER objects was described at Ekoparty 2016, we’ll show using of data and structures.
Page 1 and 2: LPE vulner
Page 3 and 4: GDI handle table before updates •
Page 5 and 6: Usage of GDI objects addresses •
Page 7 and 8: GDI handle management after updates
Page 9 and 10: BYPASS METHODS
Page 11 and 12: Allocation of GDI and USER objects
Page 13 and 14: Objects/structures in Desktop heap
Page 15 and 16: Bypass methods Our methods are base
Page 17 and 18: Arbitrary read/write via USER objec
Page 19 and 20: • Arbitrary read Arbitrary read v
Page 21 and 22: Arbitrary write via USER objects BO
Page 23 and 24: Read/Write address corrections •
Page 25: Arbitrary read/write via user objec
Page 29 and 30: GDI structure address leak Getting
Page 31 and 32: Getting address of tagCLS.pdce We c
Page 33 and 34: Getting address of tagCLS.lpszMenuN
Page 35 and 36: Useful objects/structures in GDI po
Page 37 and 38: tagCLS.lpszMenuName spray advantage
Page 39 and 40: DEMO
Page 41 and 42: QUESTIONS?

LPE vulnerabilities exploitation on Windows 10 Anniversary Update

Create successful ePaper yourself

Delete template?

Save as template?