ATTACKING WINDOWS BY WINDOWS

Recommendations

Info

1 → 0
The Function - CVE-2016-3355 DWORD NtGdiGetFontUnicodeRanges(HDC hdc, LPGLYPHSET lpgs) { DWORD PreSize; DWORD PosSize; DWORD ReturnSize; PVOID pTmpBuf; } ReturnSize = 0; PreSize = GreGetFontUnicodeRanges(hdc, 0); if ( PreSize && lpgs ) { pTmpBuf = AllocFreeTmpBuffer(PreSize); if ( pTmpBuf ) { PosSize = GreGetFontUnicodeRanges(hdc, pTmpBuf); if ( PosSize && PreSize == PosSize ) { ProbeAndWriteBuffer(lpgs, pTmpBuf, PreSize); ReturnSize = PreSize; } FreeTmpBuffer(pTmpBuf); } } return ReturnSize; 1Get ranges size 2Allocate a temp buffer 3Get ranges with buffer 4Copy to user 5Free temp buffer
Page 1 and 2: ATTACKING WINDOWS BY WINDOWS Yin Li
Page 3 and 4: About us Team member: • xin, godz
Page 5 and 6: • 46 acknowledgments!
Page 7 and 8: Old days.. Q1: Where to write? •
Page 9 and 10: Where to write?
Page 11 and 12: What to write?
Page 13 and 14: Window Extra Data • Two APIs: LON
Page 15 and 16: If we change a bit… • Bin: 1000
Page 17 and 18: Read from anywhere • Two APIs: LO
Page 19 and 20: Steal SYSTEM Token My Window (tagWN
Page 21 and 22: Pwn2Own 2016 Flash
Page 23: How to exploit 0 → 1 Q1: Where to
Page 27 and 28: My Exploit 1Create memory font 2Cre
Page 29 and 30: The Refcount! • Win32k object: 1:
Page 31 and 32: Make a Use-After-Free • API: BOOL
Page 33 and 34: Fake tagMENU Window Text (Fake tagM
Page 35 and 36: Let`s rule them all!
Page 37 and 38: Summary All Windows OS Trigger one

ATTACKING WINDOWS BY WINDOWS

Create successful ePaper yourself

Delete template?

Save as template?