LPE vulnerabilities exploitation on Windows 10 Anniversary Update

Recommendations

Info

GDI structure address leak
Getting address of tagCLS.pdce We can get pdce pointer by using following code DWORD64 pWndUMAddr = GetUserObjectKAddr(hWnd) - dwClientDelta; DWORD64 pClassUMAddress = *(DWORD64 *)(pWndUMAddr + 0x98) - dwClientDelta; DWORD64 pDceAddress = *(DWORD64 *)(pClassUMAddress + 0x18);
Page 1 and 2: LPE vulner
Page 3 and 4: GDI handle table before updates •
Page 5 and 6: Usage of GDI objects addresses •
Page 7 and 8: GDI handle management after updates
Page 9 and 10: BYPASS METHODS
Page 11 and 12: Allocation of GDI and USER objects
Page 13 and 14: Objects/structures in Desktop heap
Page 15 and 16: Bypass methods Our methods are base
Page 17 and 18: Arbitrary read/write via USER objec
Page 19 and 20: • Arbitrary read Arbitrary read v
Page 21 and 22: Arbitrary write via USER objects BO
Page 23 and 24: Read/Write address corrections •
Page 25 and 26: Arbitrary read/write via user objec
Page 27 and 28: • Preparing memory and use old SU
Page 29: GDI structure address leak Getting
Page 33 and 34: Getting address of tagCLS.lpszMenuN
Page 35 and 36: Useful objects/structures in GDI po
Page 37 and 38: tagCLS.lpszMenuName spray advantage
Page 39 and 40: DEMO
Page 41 and 42: QUESTIONS?

LPE vulnerabilities exploitation on Windows 10 Anniversary Update

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?