LPE vulnerabilities exploitation on Windows 10 Anniversary Update

More documents

Recommendations

Info

GDI structure address leak We can get address of specific GDI structure by reading Desktop heap. Base information: • Every window class (RegisterClass API) described by tagCLS structure. • tagCLS contains pointer to tagDCE structure (pdce field) if class was created with CS_CLASSDC style. • tagCLS is located on Desktop Heap, so we can read it content. • tagDCE is allocated on PagedSessionPool as GDI objects (CreateCacheDC). • tagDCE has constant length – 0x60 (Win 10 x64)
GDI structure address leak Getting tagDCE pointer: 1. RegisterClass with CS_CLASSDC style. 2. Create window for this class in order to cache DC and allocate tagDCE. 3. Get pointer to tagWND, then to tagCLS (tagWND.pcls) and finally tagCLS.pdce. We need to call DestroyWindow + UnregisterClass in order to free tagDCE.
Page 1 and 2: LPE vulner
Page 3 and 4: GDI handle table before updates •
Page 5 and 6: Usage of GDI objects addresses •
Page 7 and 8: GDI handle management after updates
Page 9 and 10: BYPASS METHODS
Page 11 and 12: Allocation of GDI and USER objects
Page 13 and 14: Objects/structures in Desktop heap
Page 15 and 16: Bypass methods Our methods are base
Page 17 and 18: Arbitrary read/write via USER objec
Page 19 and 20: • Arbitrary read Arbitrary read v
Page 21 and 22: Arbitrary write via USER objects BO
Page 23 and 24: Read/Write address corrections •
Page 25 and 26: Arbitrary read/write via user objec
Page 27: • Preparing memory and use old SU
Page 31 and 32: Getting address of tagCLS.pdce We c
Page 33 and 34: Getting address of tagCLS.lpszMenuN
Page 35 and 36: Useful objects/structures in GDI po
Page 37 and 38: tagCLS.lpszMenuName spray advantage
Page 39 and 40: DEMO
Page 41 and 42: QUESTIONS?

LPE vulnerabilities exploitation on Windows 10 Anniversary Update

Create successful ePaper yourself

Delete template?

Save as template?