LPE vulnerabilities exploitation on Windows 10 Anniversary Update

More documents

Recommendations

Info

Conclusion • We can use method of arbitrary read/write via USER objects when we can write specific address. • We can use tagCLS.lpszMenuName spray for other <strong>vulnerabilities</strong>. • We also can use prediction of GDI objects addresses to make <strong>exploitation</strong> more stable. • We can use GDI structures(tagDCE), USER objects, USER structures allocated on GDI pool for <strong>exploitation</strong>. Choice of object will depend on vulnerability.
DEMO
Page 1 and 2: LPE vulner
Page 3 and 4: GDI handle table before updates •
Page 5 and 6: Usage of GDI objects addresses •
Page 7 and 8: GDI handle management after updates
Page 9 and 10: BYPASS METHODS
Page 11 and 12: Allocation of GDI and USER objects
Page 13 and 14: Objects/structures in Desktop heap
Page 15 and 16: Bypass methods Our methods are base
Page 17 and 18: Arbitrary read/write via USER objec
Page 19 and 20: • Arbitrary read Arbitrary read v
Page 21 and 22: Arbitrary write via USER objects BO
Page 23 and 24: Read/Write address corrections •
Page 25 and 26: Arbitrary read/write via user objec
Page 27 and 28: • Preparing memory and use old SU
Page 29 and 30: GDI structure address leak Getting
Page 31 and 32: Getting address of tagCLS.pdce We c
Page 33 and 34: Getting address of tagCLS.lpszMenuN
Page 35 and 36: Useful objects/structures in GDI po
Page 37: tagCLS.lpszMenuName spray advantage
Page 41 and 42: QUESTIONS?

LPE vulnerabilities exploitation on Windows 10 Anniversary Update

Create successful ePaper yourself

Delete template?

Save as template?