Microsoft Windows Kernel – ‘HmgAllocateObjectAttr’ Use-After-Free (MS15-061)

• Exploit Database
• 15 阅读

• 作者： Nils Sommer
  日期： 2015-09-22
• 类别：

  • dos
  平台：

  • windows_x86
• 来源：https://www.exploit-db.com/exploits/38269/

• Source: https://code.google.com/p/google-security-research/issues/detail?id=320
  
  The PoC bug checks reliably with Special Pool enabled on writing to freed memory. A reference to the freed memory is held at offset +0x10 of the THREADINFO object. This memory is referenced in HmgAllocateObjectAttr which is called in multiple locations. The freed memory is a struct inside a Brush Object which is freed in the call NtGdiDeleteObjectApp.
  
  Proof of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38269.zip