LPE vulnerabilities exploitation on Windows 10 Anniversary Update

Recommendations

Info

Spray approach (tagCLS.lpszMenuName) 1. Allocate tagCLS structure by calling RegisterClass with controlled lpszMenuName. 2. Allocate Window for class (as we don’t want to scan desktop heap) and get addresses of allocated tagCLS.lpszMenuName. 3. DestroyWindow and free tagCLS by UnregisterClass. 4. Allocate SURFOBJ (Bitmap)*. 5. Now, we can expect that SURFOBJ will be allocated on place of lpszMenuName. *As there is lookaside list for previous GDI objects allocations, we need to fill lookaside before trying to allocated bitmap on freed space.
tagCLS.lpszMenuName spray advantages • Easy allocation and destruction. • We can control size of tagCLS.lpszMenuName. • tagCLS.lpszMenuName field allocated on GDI pool. • We can easily get address of field. • Method is working under low integrity process. • Big strings are allowed (> 4kb).
Page 1 and 2: LPE vulner
Page 3 and 4: GDI handle table before updates •
Page 5 and 6: Usage of GDI objects addresses •
Page 7 and 8: GDI handle management after updates
Page 9 and 10: BYPASS METHODS
Page 11 and 12: Allocation of GDI and USER objects
Page 13 and 14: Objects/structures in Desktop heap
Page 15 and 16: Bypass methods Our methods are base
Page 17 and 18: Arbitrary read/write via USER objec
Page 19 and 20: • Arbitrary read Arbitrary read v
Page 21 and 22: Arbitrary write via USER objects BO
Page 23 and 24: Read/Write address corrections •
Page 25 and 26: Arbitrary read/write via user objec
Page 27 and 28: • Preparing memory and use old SU
Page 29 and 30: GDI structure address leak Getting
Page 31 and 32: Getting address of tagCLS.pdce We c
Page 33 and 34: Getting address of tagCLS.lpszMenuN
Page 35: Useful objects/structures in GDI po
Page 39 and 40: DEMO
Page 41 and 42: QUESTIONS?

LPE vulnerabilities exploitation on Windows 10 Anniversary Update

Create successful ePaper yourself

Delete template?

Save as template?