ATTACKING WINDOWS BY WINDOWS

Recommendations

Info

Other Case dec dword ptr [rax] offset 0xEB 0xEA 0xE9 0xE8 • Bin: 0000 0000┆0000 0000┆0000 0000┆0000 0000 • Bin: FFFF FFFF┆FFFF FFFF┆FFFF FFFF┆FFFF FFFF • cbwndExtra: 0-1=0xFFFFFFFF inc dword ptr [r10+8] offset 0xEB 0xEA 0xE9 0xE8 • Bin: 0000 0000┆0000 0000┆0000 0000┆0000 0000 • Bin: 0000 1000┆0000 0000┆0000 0000┆0000 0000 • cbwndExtra: 0 → 0x8000000
How to exploit 0 → 1 Q1: Where to write? • tagWND.cbwndExtra Q2: What to write? • A big value Q3: What can we do now? • Read from anywhere • Write any value to anywhere • Steal csrss.exe`s token
Page 1 and 2: ATTACKING WINDOWS BY WINDOWS Yin Li
Page 3 and 4: About us Team member: • xin, godz
Page 5 and 6: • 46 acknowledgments!
Page 7 and 8: Old days.. Q1: Where to write? •
Page 9 and 10: Where to write?
Page 11 and 12: What to write?
Page 13 and 14: Window Extra Data • Two APIs: LON
Page 15 and 16: If we change a bit… • Bin: 1000
Page 17 and 18: Read from anywhere • Two APIs: LO
Page 19 and 20: Steal SYSTEM Token My Window (tagWN
Page 21: Pwn2Own 2016 Flash
Page 25 and 26: The Function - CVE-2016-3355 DWORD
Page 27 and 28: My Exploit 1Create memory font 2Cre
Page 29 and 30: The Refcount! • Win32k object: 1:
Page 31 and 32: Make a Use-After-Free • API: BOOL
Page 33 and 34: Fake tagMENU Window Text (Fake tagM
Page 35 and 36: Let`s rule them all!
Page 37 and 38: Summary All Windows OS Trigger one

ATTACKING WINDOWS BY WINDOWS

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?