LPE vulnerabilities exploitation on Windows 10 Anniversary Update

More documents

Recommendations

Info

USER structures/data allocated on GDI pool • Some user objects are allocated on GDI pool, but they are not alone! • There are many user structures allocated on GDI pool (tagPOPUPMENU, tagWND.pTransform, tagSBTRACK …). We can get their addresses by reading object’s content from desktop heap (as USER objects contain pointers to this structures). • We found, that tagCLS.lpszMenuName (see previous slide) allocated on GDI pool. • This tagCLS field represents WNDCLASSEX.lpszMenuName (UNICODE). • We can easily allocate it by RegisterClass and free by UnregisterClass. • Also we can control size of this allocation.
Getting address of tagCLS.lpszMenuName We can easily get lpzsMenuName address by using following code DWORD64 pWndUMAddr = GetUserObjectKAddr(hWnd) - dwClientDelta; DWORD64 pClassUMAddress = *(DWORD64 *)(pWndUMAddr + 0x98) - dwClientDelta; DWORD64 lpszMenuName = *(DWORD64 *)(pClassUMAddress + 0x88);
Page 1 and 2: LPE vulner
Page 3 and 4: GDI handle table before updates •
Page 5 and 6: Usage of GDI objects addresses •
Page 7 and 8: GDI handle management after updates
Page 9 and 10: BYPASS METHODS
Page 11 and 12: Allocation of GDI and USER objects
Page 13 and 14: Objects/structures in Desktop heap
Page 15 and 16: Bypass methods Our methods are base
Page 17 and 18: Arbitrary read/write via USER objec
Page 19 and 20: • Arbitrary read Arbitrary read v
Page 21 and 22: Arbitrary write via USER objects BO
Page 23 and 24: Read/Write address corrections •
Page 25 and 26: Arbitrary read/write via user objec
Page 27 and 28: • Preparing memory and use old SU
Page 29 and 30: GDI structure address leak Getting
Page 31: Getting address of tagCLS.pdce We c
Page 35 and 36: Useful objects/structures in GDI po
Page 37 and 38: tagCLS.lpszMenuName spray advantage
Page 39 and 40: DEMO
Page 41 and 42: QUESTIONS?

LPE vulnerabilities exploitation on Windows 10 Anniversary Update

Create successful ePaper yourself

Delete template?

Save as template?