Exploit Microsoft Windows Kernel - Null Pointer Dereference with Window Station and Clipboard (MS15-061)

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
38274
Проверка EDB
  1. Пройдено
Автор
NILS SOMMER
Тип уязвимости
DOS
Платформа
WINDOWS_X86
CVE
cve-2015-1721
Дата публикации
2015-09-22
Microsoft Windows Kernel - Null Pointer Dereference with Window Station and Clipboard (MS15-061)
Код:
Source: https://code.google.com/p/google-security-research/issues/detail?id=294

Platform: Win7 32-bit.
trigger.cpp should fire the issue, with a caveat
- PoC might NOT work if compiled as a debug build.

windbg.txt is a sample crash log.

Analysis from Nils:

---
please find attached a C trigger, windbg output and the minimised testcase of a null pointer issue (exploitable on Win 7 32-bit). The trigger also demonstrates that the null page can be mapped in user mode and accessed from kernel mode.

Quick analysis:

The trigger creates a new window station which is freed during the process clean up. Through the clipboard operations the window's last reference is hold by the clipboard which is freed during the clean up of the window station object. This will also result in destroying the window object at a time where _gptiCurrent (threadinfo) is already set to null. This is used in xxxDestroyWindow in multiple locations. Depending on the window type it is potentially possible to trigger different kinds of crashes, this one demonstrates a write to a chosen memory location:

win32k!HMChangeOwnerThread+0x40:
96979765 ff412c          inc     dword ptr [ecx+2Ch]  ds:0023:bebebeea=????????
---

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38274.zip
 
Источник
www.exploit-db.com

Похожие темы