LPE vulnerabilities exploitation on Windows 10 Anniversary Update

More documents

Recommendations

Info

Arbitrary write via USER objects • Arbitrary write 1. We can use API SetMenuItemInfo(MIIM_DATA) for writing content of arbitrary address. 2. MIIM_DATA allows to write DWORD64 on x64 system. 3. SetMenuItemInfo writes tagITEM.dwItemData field. 4. If we call “write” from wow64 process, we need to call service NtUserThunkedMenuItemInfo directly, because wow64 stub doesn’t allow to use x64 MENUITEMINFOW structure and as the result we can’t write 64 bit field (only 32-bit one). In both cases (read and write) we need to calculate arbitrary address according to tagITEM field offset.
Read/Write address corrections • Set arbitrary address for read (ArbAddr) SetWindowLongPtr(hWndCorrupted, ExtraDataIndex, (LONG_PTR) ArbAddr - 0x48); • Set arbitrary address for write SetWindowLongPtr(hWndCorrupted, ExtraDataIndex, (LONG_PTR) ArbAddr - 0x38);
Page 1 and 2: LPE vulner
Page 3 and 4: GDI handle table before updates •
Page 5 and 6: Usage of GDI objects addresses •
Page 7 and 8: GDI handle management after updates
Page 9 and 10: BYPASS METHODS
Page 11 and 12: Allocation of GDI and USER objects
Page 13 and 14: Objects/structures in Desktop heap
Page 15 and 16: Bypass methods Our methods are base
Page 17 and 18: Arbitrary read/write via USER objec
Page 19 and 20: • Arbitrary read Arbitrary read v
Page 21: Arbitrary write via USER objects BO
Page 25 and 26: Arbitrary read/write via user objec
Page 27 and 28: • Preparing memory and use old SU
Page 29 and 30: GDI structure address leak Getting
Page 31 and 32: Getting address of tagCLS.pdce We c
Page 33 and 34: Getting address of tagCLS.lpszMenuN
Page 35 and 36: Useful objects/structures in GDI po
Page 37 and 38: tagCLS.lpszMenuName spray advantage
Page 39 and 40: DEMO
Page 41 and 42: QUESTIONS?

LPE vulnerabilities exploitation on Windows 10 Anniversary Update

Create successful ePaper yourself

Delete template?

Save as template?