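Related vulnerability
Title:
Microsoft Windows Privilege Escalation Vulnerability
(CVE-2016-0040)
Description: Microsoft Windows is a series of operating systems released by Microsoft. A privilege escalation vulnerability exists in the Microsoft Windows kernel, caused by the program improperly handling objects in memory. A local attacker can exploit this vulnerability to run arbitrary code in kernel mode. The following products are affected: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1.
Description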
CVE-2016-0040 Privilege Escalation Exploit For WMI Receive Notification Vulnerability (x86-64)
Introduction
CVE-2016-0040
This exploit builds upon SMMRootkit's 32-bit project (https://github.com/Rootkitsmm/cve-2016-0040), which causes this vulnerability to trigger a BSoD with all 'a's in RCX and 'B's in RAX.
It was ported to 64-bit Windows 7 SP1 and doesn't use the "mov [rcx+06h], rax" instruction for initial-stage exploitation, but instead the "mov [rdx+8h], rdx" instruction to place a self-referencing pointer into a bitmap's pvScan0 variable.
In order to clean up from side-effect corruptions of the win32k heap, 4096 bitmaps were allocated, which made the addresses of corruption in the target bitmap predictable so they could be restored. In order to build read/write primitives, Core Security's "Abusing GDI for Ring0 Exploit Primitives" (https://www.coresecurity.com/blog/abusing-gdi-for-ring0-exploit-primitives) was referenced, but built out with Manager and Worker bitmaps that could be used to perform system process token stealing.
File snapshot
[4.0K] /data/pocs/5d9870b40948758aec8942bee048546f6dcc45c6
├── [4.0K] Application
│ ├── [ 249] Application.c
│ └── [4.5K] Application.vcxproj
├── [1.1M] Artifacts.zip
├── [2.6K] CVE-2016-0040.sln
├── [4.0K] Library
│ ├── [9.2K] Library.c
│ ├── [2.0K] Library.h
│ └── [3.9K] Library.vcxproj
├── [4.0K] Metasploit
│ ├── [ 74K] inject.exe
│ ├── [ 451] install.sh
│ ├── [ 21K] Metasploit.c
│ ├── [7.2K] Metasploit.h
│ ├── [5.3K] Metasploit.vcxproj
│ ├── [4.3K] module.rb
│ └── [ 285] uninstall.sh
├── [ 922] README.md
├── [ 29] requirements.txt
├── [103K] Screenshot.png
└── [1.3K] Test.py
3 directories, 18 files