LPE vulnerabilities exploitation on Windows 10 Anniversary Update

Recommendations

Info

Usage of GDI objects addresses How attackers used GDI kernel objects addresses during <strong>exploitation</strong> ? More stable <strong>exploitation</strong>: 1) It is possible to check if object was allocated on the right place after spray. 2) It is possible to change memory layout as necessary. Arbitrary read/write: 1) It is possible to change different fields of Bitmap (SURFACE in kernel) and gain arbitrary read and write. We can use GDI objects for <strong>exploitation</strong> even if we have vulnerability in different (not win32k) system component.
Usage of GDI objects addresses • SURFACE (corruption of it’s substructure SURFOBJ) is one of the popular ways to achieve privilege escalation, which is working from Vista to 10.
Page 1 and 2: LPE vulner
Page 3: GDI handle table before updates •
Page 7 and 8: GDI handle management after updates
Page 9 and 10: BYPASS METHODS
Page 11 and 12: Allocation of GDI and USER objects
Page 13 and 14: Objects/structures in Desktop heap
Page 15 and 16: Bypass methods Our methods are base
Page 17 and 18: Arbitrary read/write via USER objec
Page 19 and 20: • Arbitrary read Arbitrary read v
Page 21 and 22: Arbitrary write via USER objects BO
Page 23 and 24: Read/Write address corrections •
Page 25 and 26: Arbitrary read/write via user objec
Page 27 and 28: • Preparing memory and use old SU
Page 29 and 30: GDI structure address leak Getting
Page 31 and 32: Getting address of tagCLS.pdce We c
Page 33 and 34: Getting address of tagCLS.lpszMenuN
Page 35 and 36: Useful objects/structures in GDI po
Page 37 and 38: tagCLS.lpszMenuName spray advantage
Page 39 and 40: DEMO
Page 41 and 42: QUESTIONS?

LPE vulnerabilities exploitation on Windows 10 Anniversary Update

Create successful ePaper yourself

Delete template?

Save as template?