Microsoft Windows Kernel - UserCommitDesktopMemory Use-After-Free (MS15-073)

2015-09-22T00:00:00
ID EXPLOITPACK:22843168365F47217FB2DAD311906560
Type exploitpack
Reporter Nils Sommer
Modified 2015-09-22T00:00:00

Description

Microsoft Windows Kernel - UserCommitDesktopMemory Use-After-Free (MS15-073)

                                        
                                            Source: https://code.google.com/p/google-security-research/issues/detail?id=335

Freed memory is accessed after switching between two desktops of which one is closed. The testcase crashes with and without special pool enabled. The attached crash output is with special enabled on win32k.sys and ntoskrnl.sys.

Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/38267.zip