CVE-2014-4113 exploit process analysis - vulnerability warning - the black bar safety net

ID MYHACK58:62201455025
Type myhack58
Reporter Anonymous
Modified 2014-10-25T00:00:00


0x00 description

Using VMware and WinDbg, build a 32-bit kernel debugging environment; the guest system is Windows XP SP2. Running the exploit program as `win32.exe calc.exe` pops up a calc.exe running with SYSTEM privileges.

Analysing win32.exe in IDA shows that the function `signed int __cdecl sub_4010F2()` calls ZwQuerySystemInformation to leak the base address of the kernel module ntkrnlpa.exe and, from that base, derives the address of PsLookupProcessByProcessId; this function address is later used by the exploit code.

The function sub_401830 contains the exploit code that performs the privilege elevation.
