Lucene search

K
exploitpackSiberasEXPLOITPACK:4A77EECB9028940AD78AE18FF52B3DC8
HistoryOct 06, 2017 - 12:00 a.m.

Microsoft Windows 10 RS2 (x64) - win32kfull!bFill Pool Overflow

2017-10-0600:00:00
siberas
14

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

Microsoft Windows 10 RS2 (x64) - win32kfull!bFill Pool Overflow

Sources:
https://siberas.de/blog/2017/10/05/exploitation_case_study_wild_pool_overflow_CVE-2016-3309_reloaded.html
https://github.com/siberas/CVE-2016-3309_Reloaded

Exploits for the recently-patched win32kfull!bFill vulnerability. Executing the Palette or Bitmap exploit will give you SYSTEM privileges on the affected system. The exploits should work fine on Windows 10 x64 with Creators Update, build 15063.540 (latest version of Win10 before the release of Microsoft's September Updates).

The Visual Studio solution contains three exploits:

CVE-2016-3309_Reloaded_Bitmaps: Exploit using the Bitmaps technique
CVE-2016-3309_Reloaded_Palettes: Exploit using the Palettes technique
CVE-2016-3309_Reloaded_Deadlock: POC exploit showcasing the system deadlock which happens due to improved Handle validation

We also published a blog post (https://siberas.de/blog/2017/10/05/exploitation_case_study_wild_pool_overflow_CVE-2016-3309_reloaded.html) which goes into detail about the exploitation of this "wild" Pool-based overflow.


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42960.zip

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

Related for EXPLOITPACK:4A77EECB9028940AD78AE18FF52B3DC8