Microsoft Windows Kernel – ‘win32k!vSolidFillRect’ Buffer Overflow (MS15-061)

Exploit Database
110 阅读

作者： Nils Sommer

日期： 2015-09-22
类别：
- dos
平台：
- windows_x86
来源：https://www.exploit-db.com/exploits/38270/

Source: https://code.google.com/p/google-security-research/issues/detail?id=313

The PoC triggers a pool buffer overflow in win32k!vSolidFillRect. When using Special Pool we get the crash immediately on the overwrite. Without Special Pool we often get a crash in the same function, but sometimes it crashes in a different function (similar to another issue, however with a different offset). This might be a result of the memory corruption or an out-of-memory condition before the overflow is triggered. Debugger output for all three different crashes attached.

Proof of Concept:

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38270.zip

last Exploits
Microsoft Windows Kernel – ‘win32k!vSolidFillRect’ Buffer Overflow (MS15-061)的更多信息

MySQL 5.5.8 – Remote Denial of Service：
Microsoft Windows – CSRSS BaseSrvCheckVDM Session 0 Process Creation Privilege Escalation (MS16-048)：
Embedthis Appweb 3.1.2 – Remote Denial of Service：
WebKit – Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive：
Microsoft Office PowerPoint 2010 – GDI ‘GDI32!ConvertDxArray’ Insufficient Bounds Check：
net-snmp 5.7.3 – (Authenticated) Denial of Service (PoC)：
WhatsApp – RTP Processing Heap Corruption：
XnView 1.98 – Denial of Service (PoC)：