ATTACKING WINDOWS BY WINDOWS

Recommendations

Info

The Problem Thread A Thread B 1Select small ranges font 1Get ranges size 2Allocate a temp buffer 2Select bigger ranges font 3Get ranges with buffer 4Copy to user Overflow 5Free temp buffer
My Exploit 1Create memory font 2Create two threads 3Do race condition job 4Overflow 5and dword ptr [r15], 0FFFFFFFBh • Hex: 0xFFFFFFFB • Bin: 1111 …… 1111 1011 Pos 31 7 3 2 1 0
Page 1 and 2: ATTACKING WINDOWS BY WINDOWS Yin Li
Page 3 and 4: About us Team member: • xin, godz
Page 5 and 6: • 46 acknowledgments!
Page 7 and 8: Old days.. Q1: Where to write? •
Page 9 and 10: Where to write?
Page 11 and 12: What to write?
Page 13 and 14: Window Extra Data • Two APIs: LON
Page 15 and 16: If we change a bit… • Bin: 1000
Page 17 and 18: Read from anywhere • Two APIs: LO
Page 19 and 20: Steal SYSTEM Token My Window (tagWN
Page 21 and 22: Pwn2Own 2016 Flash
Page 23 and 24: How to exploit 0 → 1 Q1: Where to
Page 25: The Function - CVE-2016-3355 DWORD
Page 29 and 30: The Refcount! • Win32k object: 1:
Page 31 and 32: Make a Use-After-Free • API: BOOL
Page 33 and 34: Fake tagMENU Window Text (Fake tagM
Page 35 and 36: Let`s rule them all!
Page 37 and 38: Summary All Windows OS Trigger one

ATTACKING WINDOWS BY WINDOWS

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?