How to Enable Special Pool Tagging for a Driver
If one kernel component overruns a pool allocation owned by another, the resulting dump is rarely analysable: the crash happens later, when the original owner touches the memory the misbehaving component already corrupted, so the stack points at the victim rather than the culprit. Enabling Special Pool tagging places each guarded allocation on its own page next to an inaccessible guard page, so the driver faults at the moment of the overrun and the crash identifies the offending code. Enabling Special Pool Tagging causes the driver to crash as so...
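The configuration the win32k entries below refer to ("Special Pool enabled on win32k.sys") can be set up with Driver Verifier on a Windows 7 test VM. The following PowerShell is an added example, not text from the listed advisories or from Microsoft's article; it assumes an elevated prompt on a disposable VM and uses only documented `verifier.exe` switches (flag 0x1 is Special Pool).

```powershell
# Added example: put win32k.sys allocations in Special Pool so a use-after-free
# or pool overrun faults immediately instead of corrupting a neighbour.
# Assumptions: elevated PowerShell on a disposable Windows 7 VM.
$Target = 'win32k.sys'   # assumption: the driver whose allocations we want guarded

# Driver Verifier flag 0x1 = Special Pool. Settings persist across reboots until reset.
# /driver replaces the current driver list with just this driver.
verifier /flags 0x1 /driver $Target

# Confirm what will be active after the next boot: the output lists the flags
# and the verified driver names, so $Target should appear with Special Pool set.
verifier /querysettings

# Verifier settings only apply to allocations made after boot; reboot before
# running a PoC. -Confirm asks before restarting.
Restart-Computer -Confirm

# When finished (run after the investigation), remove all Verifier settings:
#   verifier /reset
```

Special Pool consumes a full page per allocation, so keep it scoped to the one driver under test; guarding every driver on a 32-bit box can exhaust nonpaged pool and make the VM fail to boot. Once a PoC has bluescreened the VM, `!verifier` and `!pool <address>` in WinDbg show whether the faulting address lies in a special-pool page, which is the check that separates a real use-after-free from an unrelated crash.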
Windows kernel NtUserScrollDC memory corruption
The attached testcase crashes Windows 7 x86 with Special Pool enabled on win32k. The crash occurs while accessing unmapped memory. The bogus address is returned by a call to FastWindowFromDC, so it is likely a freed window object. Recent assessments: busterb at May 09, 2019 5:57pm UTC...
Microsoft Windows 7 - win32k Bitmap Use-After-Free (MS16-062) (2)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=747 The attached PoC crashes 32-bit Windows 7 with special pool enabled on win32k.sys. It might take several runs in order to reproduce. Tested the PoC on a single core...
Microsoft Windows 7 - win32k Bitmap Use-After-Free (MS16-062) (1)
Microsoft Windows 7 - win32k Bitmap Use-After-Free MS16-062 1 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=746 The attached PoC triggers a blue screen on Windows 7 with special pool enabled on win32k.sys . A reference to the bitmap object still exists in the device context...
win32k Clipboard Bitmap - Use-After-Free
Source: https://code.google.com/p/google-security-research/issues/detail?id=533 This PoC triggers a crash on Windows 7 32-bit with Special Pool enabled on win32k.sys. The kernel crashes due to a use-after-free condition with bitmaps in the clipboard. --- Note that multiple PoC executions and...
Microsoft Windows - ndis.sys IOCTL 0x170034 (ndis!ndisNsiGetIfNameForIfIndex) Pool Buffer Overflow (MS15-117)
Source: https://code.google.com/p/google-security-research/issues/detail?id=516 The attached testcase crashes Windows 7 32-bit due to a pool buffer overflow in an ioctl handler. Enabling...
Microsoft Windows Kernel - Device Contexts and NtGdiSelectBitmap Use-After-Free (MS15-115)
Source: https://code.google.com/p/google-security-research/issues/detail?id=505 The attached testcase triggers a use-after-free condition in win32k. The attached debugger output was triggered on Windows 7 with Special Pool enabled on win32k.sys. --- Proof of Concept:...
Microsoft Windows - Race Condition DestroySMWP Use-After-Free (MS15-115)
Source: https://code.google.com/p/google-security-research/issues/detail?id=509 The attached testcase crashes Windows 7 32-bit with Special Pool enabled on win32k.sys due to a use-after-free condition. The bug appears to be a race condition between two threads, and multiple runs of the PoC might be...
Microsoft Windows Kernel - NtGdiBitBlt Buffer Overflow (MS15-097)
Source: https://code.google.com/p/google-security-research/issues/detail?id=474 --- The attached PoC triggers a buffer overflow in the NtGdiBitBlt system call. It reproduces reliably on Win 7 32-bit with Special Pool enabled on...
Microsoft Windows Kernel - 'bGetRealizedBrush' Use-After-Free (MS15-097)
Source: https://code.google.com/p/google-security-research/issues/detail?id=458 --- The attached testcase crashes Win 7 with Special Pool on win32k while accessing freed memory in bGetRealizedBrush. --- Proof of Concept:...
Microsoft Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (2)
Source: https://code.google.com/p/google-security-research/issues/detail?id=311 Bitmap object Use-after-Free 2 The attached PoC triggers a blue screen due to a use-after-free vulnerability. The crashes are unreliable; however, you can use Special Pool in order to get reliable crashes. The crashes...
Microsoft Windows Kernel - UserCommitDesktopMemory Use-After-Free (MS15-073)
Source: https://code.google.com/p/google-security-research/issues/detail?id=335 Freed memory is accessed after switching between two desktops of which one is closed. The testcase crashes with and without special pool...
Microsoft Windows Kernel - NtGdiStretchBlt Pool Buffer Overflow (MS15-097)
Source: https://code.google.com/p/google-security-research/issues/detail?id=415 --- Tested on Win 7 32-bit with Special Pool enabled. Multiple pool buffer overflows can be triggered through the NtGdiStretchBlt system call. T...