Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
canvasImmunity CanvasMS15_051
HistoryApr 21, 2015 - 10:59 a.m.

Immunity Canvas: MS15_051

2015-04-2110:59:00
Immunity Canvas
exploitlist.immunityinc.com
75

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.005 Low

EPSS

Percentile

74.4%

JSON
Name ms15_051
CVE CVE-2015-1701 Exploit Pack
Notes:
This module exploits a vulnerability on the win32k.sys driver.
The bServerSideWindowProc flag on the window’s handle structure is meant to be used to improve the performance of usercallbacks by replacing the call to a userland function with a kernel one.
Setting this flag allows the window procedure to run on kernel mode.
When creating a new window, after calling the ClientCopyImage usercallback, the kernel doesn’t check the possibility that the bServerSideWindowProc could have been raised. And thus, execution continues as if the flag was unset.
By hooking ClientCopyImage it is possible to set the bServerSideWindowProc and define a new window procedure by calling the SetWindowLongPtr function on the newly created window.
This will lead to the executon of the defined window procedure on kernel mode.

Tested on:
Windows XP SP3 x86
Windows 7 Professional x86
Windows 7 Professional SP1 x64
Windows Server 2003 Standard x64
Windows Server 2008 R2 Standard x64 SP1

This exploit doesn’t work on Windows 8.1

VENDOR: Microsoft
CVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1701
CVE Name: CVE-2015-1701

Related

symantec 1
prion 1
packetstorm 2
zdt 2
myhack58 2
exploitpack 1
metasploit 1
fireeye 3
seebug 1
cve 1
checkpoint_advisories 1
attackerkb 1
cisa_kev 1
exploitdb 2
threatpost 5
korelogic 1
thn 1
talosblog 1
trellix 2
mskb 1
nessus 1
kaspersky 1
securityvulns 1
symantec
symantec
Microsoft Windows CVE-2015-1701 Local Privilege Escalation Vulnerability
2015-04-18 00:00:00
prion
prion
Privilege escalation
2015-04-21 10:59:00
packetstorm
packetstorm
Microsoft Windows ClientCopyImage Improper Object Handling
2015-06-22 00:00:00
Cellebrite UFED 7.5.0.845 Desktop Escape / Privilege Escalation
2020-05-14 00:00:00
zdt
zdt
Microsoft Windows ClientCopyImage Improper Object Handling Exploit
2015-06-23 00:00:00
Cellebrite UFED 7.5.0.845 Desktop Escape / Privilege Escalation Vulnerability
2020-05-14 00:00:00
myhack58
myhack58
About 1 5 years 5 months to repair the two 0day-vulnerability warning-the black bar safety net
2015-05-13 00:00:00
Win32k elevation of privilege vulnerability, CVE-2 0 1 5-1 7 0 1-exp-vulnerability warning-the black bar safety net
2015-05-24 00:00:00
exploitpack
exploitpack
Microsoft Windows - Local Privilege Escalation (MS15-051)
2015-05-18 00:00:00
metasploit
metasploit
Windows ClientCopyImage Win32k Exploit
2015-06-03 11:48:23
fireeye
fireeye
Lessons from Operation RussianDoll
2016-03-09 11:00:00
The EPS Awakens - Part 2
2015-12-20 19:45:00
The EPS Awakens
2015-12-16 08:00:00
seebug
seebug
MS15-051 Win32k ClientCopyImage Elevation of Privilege Vulnerability (CVE-2015-1701)
2017-04-25 00:00:00
cve
cve
CVE-2015-1701
2015-04-21 10:59:00
checkpoint_advisories
checkpoint_advisories
Microsoft Windows System CallBack Privilege Escalation (CVE-2015-1701)
2015-04-21 00:00:00
attackerkb
attackerkb
CVE-2015-1701
2015-04-21 00:00:00
cisa_kev
cisa_kev
Microsoft Win32k Privilege Escalation Vulnerability
2022-03-03 00:00:00
exploitdb
exploitdb
Microsoft Windows - ClientCopyImage Win32k (MS15-051) (Metasploit)
2015-06-24 00:00:00
Microsoft Windows - Local Privilege Escalation (MS15-051)
2015-05-18 00:00:00
threatpost
threatpost
Researchers Crack Furtim, SFG Malware Connection
2016-07-18 13:26:09
APT Groups Exploiting Patch Microsoft Office Flaw CVE-2015-2545
2016-05-25 12:58:57
Malware Dropper Built to Target European Energy Company
2016-07-12 09:31:54
korelogic
korelogic
Cellebrite Restricted Desktop Escape and Escalation of User Privilege
2020-05-14 00:00:00
thn
thn
State-Sponsored SCADA Malware targeting European Energy Companies
2016-07-13 00:12:00
talosblog
talosblog
China Chopper still active 9 years later
2019-08-27 08:14:42
trellix
trellix
Take a "NetWalk" on the Wild Side
2020-08-03 00:00:00
Take a "NetWalk" on the Wild Side
2020-08-03 00:00:00
mskb
mskb
MS15-051: Vulnerabilities in Windows kernel-mode drivers could allow information disclosure: May 12, 2015
2015-05-12 00:00:00
nessus
nessus
MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191)
2015-05-12 00:00:00
kaspersky
kaspersky
KLA10580 Multiple vulnerabilities in Microsoft products
2015-05-12 00:00:00
securityvulns
securityvulns
Microsoft Windows multiple security vulnerabilities
2015-05-13 00:00:00

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.005 Low

EPSS

Percentile

74.4%

JSON
Related for MS15_051
symantec1prion1packetstorm2zdt2myhack582exploitpack1metasploit1fireeye3seebug1cve1checkpoint_advisories1attackerkb1cisa_kev1exploitdb2threatpost5korelogic1thn1talosblog1trellix2mskb1nessus1kaspersky1securityvulns1