Microsoft Windows Kernel - bGetRealizedBrush Use-After-Free (MS15-097)

2015-09-22T00:00:00
ID EXPLOITPACK:48782BF945F6A661539868E67DCC780D
Type exploitpack
Reporter Nils Sommer
Modified 2015-09-22T00:00:00

Description

Microsoft Windows Kernel - bGetRealizedBrush Use-After-Free (MS15-097)

                                        
                                            Source: https://code.google.com/p/google-security-research/issues/detail?id=458

---
The attached testcase crashes Win 7 with Special Pool on win32k while accessing freed memory in bGetRealizedBrush​​.
---

Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/38277.zip