LPE vulnerabilities exploitation on Windows 10 Anniversary Update

Recommendations

Info

Objects on GDI pool • We can get addresses of different object/structures allocated in GDI pool. Description Disclose method Examples USER objects Reading gSharedInfo WinEvent, Clip data… Pointers to structures allocated in GDI pool Pointers to data allocated in GDI pool Reading content of user objects, allocated in desktop heap. Reading content of user objects, allocated in desktop heap. tagCLS.pdce tagCLS.lpszMenuName
Useful objects/structures in GDI pool • Some USER objects/structures isn’t possible to use during <strong>exploitation</strong> because we can’t easily allocate/control them. • We made list of potentially “exploitable” objects and structures with their pros and cons. • Demo of usage of accelerator tables and clip data was shown at Ekoparty 2016. We’ll show alternative. • Following list is incomplete, there are other candidates. Object/structure Type Size (x64) Pros Cons Clip data USER object Controlled Controlled size Need clipboard access, which can be restricted by some sandboxes WinEvent USER object 0x60 Easy allocation and destruction Static object size Timer USER object 0x88 Easy allocation and destruction Static object size, need to scan user handle table to get object address as SetTimer doesn’t return handle tagCURSOR USER object 0x98 Easy allocation and destruction Static object size Accelerator table USER object Controlled Easy allocation and destruction, controlled size tagCLS.lpszMenuName USER data Controlled Easy allocation and destruction, controlled size (size of unicode string) tagCLS.pdce (tagDCE) GDI structure 0x60 Easy allocation and destruction Static structure size We need to count tagACCEL to calculate size of allocation
Page 1 and 2: LPE vulner
Page 3 and 4: GDI handle table before updates •
Page 5 and 6: Usage of GDI objects addresses •
Page 7 and 8: GDI handle management after updates
Page 9 and 10: BYPASS METHODS
Page 11 and 12: Allocation of GDI and USER objects
Page 13 and 14: Objects/structures in Desktop heap
Page 15 and 16: Bypass methods Our methods are base
Page 17 and 18: Arbitrary read/write via USER objec
Page 19 and 20: • Arbitrary read Arbitrary read v
Page 21 and 22: Arbitrary write via USER objects BO
Page 23 and 24: Read/Write address corrections •
Page 25 and 26: Arbitrary read/write via user objec
Page 27 and 28: • Preparing memory and use old SU
Page 29 and 30: GDI structure address leak Getting
Page 31 and 32: Getting address of tagCLS.pdce We c
Page 33: Getting address of tagCLS.lpszMenuN
Page 37 and 38: tagCLS.lpszMenuName spray advantage
Page 39 and 40: DEMO
Page 41 and 42: QUESTIONS?

LPE vulnerabilities exploitation on Windows 10 Anniversary Update

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?