7 matches found
Integer overflow in the ordered_malloc function in boost/pool/pool.hpp in Boost Pool
...
Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Sophos Hitmanpro
Quote: The purpose of this article is to introduce a generic exploitation technique based on out-of-bounds writes into kernel-mode memory, together with a reproduction of the related tooling. toc Introduction: The author did secondary development on the original author's Pool Feng Shui exploitation tool (hereafter "the tool"), adding fully automatic retrieval of kernel debug-module symbol offsets and configuration parameters, as well as optimizations for different exploitation approaches, which resolved the adaptation problems across Windows versions. The tool consists of two parts, an adapted driver and an exploitation program, and achieves stable exploitation on any version after Windows 10 19H1, including fully patched systems. Starting with Windows 10 19H1, the back-end logic of the user-mode Segment Heap structure is used in the kernel; it is mainly divided into the Low-fragmentation Heap and the Variable Size (VS) heap...
HEVD pool overflow analysis-vulnerability warning-the black bar safety net
Prepare the environment: Win 10 64-bit host + Win 7 32-bit virtual machine. Windbg: the debugger. VirtualKD-3.0: dual-machine debugging tool. InstDrv: driver installation and loading tool. HEVD: a Windows kernel vulnerability training project that covers almost every vulnerability type that may exist in the kernel...
CVE-2018-19523
DriverAgent 2.2015.7.14, which includes DrvAgent64.sys 1.0.0.1, allows a user to send an IOCTL 0x80002068 with a user defined buffer size. If the size of the buffer is less than 512 bytes, then the driver will overwrite the next pool header if there is one next to the user buffer's pool...
Design/Logic Flaw
DriverAgent 2.2015.7.14, which includes DrvAgent64.sys 1.0.0.1, allows a user to send an IOCTL 0x80002068 with a user defined buffer size. If the size of the buffer is less than 512 bytes, then the driver will overwrite the next pool header if there is one next to the user buffer's pool...
MS09-001 Analysis-vulnerability warning-the black bar safety net
HD Moore moves really fast; the analysis is already out. The impact is only a DoS, not exploitation. This update covers three vulnerabilities: the first was reported nine months ago and is only a DoS; the latter two are rather special and not exploitable, for reasons that are more complex. He describes them as follows: The next two bugs CVE-...