ATTACKING WINDOWS BY WINDOWS

Recommendations

Info

Real Case: CVE-2016-0174 1Load a font to create a PFFOBJ 2Free a PFFOBJ 3Replace the freed Obj 4Free the font 5or dword ptr [rax+0Ch], 2 rax rax+0Ch tagWND ……… +0x0DF ……… +0x0E8 +0x0E9 +0x0EA +0x0EB cbwndExtra offset 0xEB 0xEA 0xE9 0xE8 • Bin: 0000 0000┆0000 0000┆0000 0000┆0000 0000 • Bin: 0000 0010┆0000 0000┆0000 0000┆0000 0000 • cbwndExtra: 0 → 0x2000000
Pwn2Own 2016 Flash
Page 1 and 2: ATTACKING WINDOWS BY WINDOWS Yin Li
Page 3 and 4: About us Team member: • xin, godz
Page 5 and 6: • 46 acknowledgments!
Page 7 and 8: Old days.. Q1: Where to write? •
Page 9 and 10: Where to write?
Page 11 and 12: What to write?
Page 13 and 14: Window Extra Data • Two APIs: LON
Page 15 and 16: If we change a bit… • Bin: 1000
Page 17 and 18: Read from anywhere • Two APIs: LO
Page 19: Steal SYSTEM Token My Window (tagWN
Page 23 and 24: How to exploit 0 → 1 Q1: Where to
Page 25 and 26: The Function - CVE-2016-3355 DWORD
Page 27 and 28: My Exploit 1Create memory font 2Cre
Page 29 and 30: The Refcount! • Win32k object: 1:
Page 31 and 32: Make a Use-After-Free • API: BOOL
Page 33 and 34: Fake tagMENU Window Text (Fake tagM
Page 35 and 36: Let`s rule them all!
Page 37 and 38: Summary All Windows OS Trigger one

ATTACKING WINDOWS BY WINDOWS

Create successful ePaper yourself

Delete template?

Save as template?