Microsoft MsMpEng – Use-After-Free via Saved Callers

Exploit Database
21 阅读

作者： Google Security Research

日期： 2017-05-30
类别：
- dos
平台：
- windows
来源：https://www.exploit-db.com/exploits/42092/

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1259

In JsRuntimeState::setCaller, it saves the current caller in the JsRuntimeState object(rcx+158h in 64-bit). But the garbage collector doesn't mark this saved value. So it results in a UAF.

Unlike in our test environment(Linux), it doesn't make reliable crashes on Windows. So I used another bug(#1258) to confirm the bug. If the UAF bug doesn't exist, the "crash" function will not be called(See poc.js).

The password of the zip file is "calleruaf"


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42092.zip

last Exploits
Microsoft MsMpEng – Use-After-Free via Saved Callers的更多信息

MemDb – Multiple Remote Denial of Service Vulnerabilities：
Redis 5.0 – Denial of Service：
Netatalk 3.1.12 – Authentication Bypass (PoC)：
TYPSoft FTP Server 1.10 – ‘RETR’ Denial of Service (2)：
libc/glob(3) – Resource Exhaustion / Remote ftpd-anonymous (Denial of Service)：
BulletProof FTP Server 2019.0.0.50 – ‘SMTP Server’ Denial of Service (PoC)：
Vino VNC Server 3.7.3 – Persistent Denial of Service：
Microsoft Windows – SMB2 Negotiate Protocol ‘0x72’ Response Denial of Service：