A forum for reverse engineering, OS internals and malware analysis 

 #25852  by EP_X0FF
 Tue May 12, 2015 6:16 pm
Win32k Elevation of Privilege Vulnerability. Allows code to be executed in kernel mode. Used by malware to target Windows 7. Apply MS15-051 for the fix.

https://www.fireeye.com/blog/threat-res ... _useo.html

https://github.com/hfiref0x/CVE-2015-1701

Copy in attachment.
Attachment password: exploit
 #25887  by EP_X0FF
 Sun May 17, 2015 3:06 am
Five days' results, or what this PoC detected:

1) mj0011 is still alive, I'm surprised; missed it since the Sysinternals forums went into oblivion;
2) Slowpokes (as usual) with awful (bydlo) code;
3) Fraudulent "security company" run by four script-kiddies;
4) China ripper (as expected).

Details:

1) http://blogs.360.cn/blog/fixed_three_0days_in_may/ <- The ONLY good article about this vulnerability I have read so far;
2) http://habrahabr.ru/company/pt/blog/257879/ <- Have no idea who taught them C++, but even the first version of Hex-Rays generates better code. Also there are tons of filler and useless screenshots (for noobs?);
3) hxxps://www.bsk-consulting.de/team/ A fraudulent German company run by four script-kiddies, detecting "APT" by strings in PoCs; yeah, you can make money even from this;
4) hxxp://z-cg.com/post/ms15_051_fixed.html - by "fixing" this guy means trashing my PoC with idiotic additions and removing all the original comments, great (blow)job.

To conclude, it was fun.
 #25916  by SomeUnusedName
 Fri May 22, 2015 12:35 pm
I don't see what's wrong with the 2 or so C++ screenshots in that second article, or is there some source download I missed which is awful?
 #25978  by EP_X0FF
 Mon Jun 01, 2015 7:35 am
SomeUnusedName wrote:I don't see what's wrong with the 2 or so C++ screenshots in that second article, or is there some source download I missed which is awful?
I assume the code you see in this article is a result of "bindiff" discoveries and clearly not from the malware that uses this exploit. The malware variant is cleaner, simpler and effective, see the attachment in the dedicated thread. It may miss some details, but when it comes to exploitation it doesn't matter. What these bindiff hyenas spawned is comedy-section C++ idiocy (see their token-stealing super-duper code), the result of bindiffing every MS patch each month in an attempt to recover some profit from re-using an already patched vuln (for both PR and sales purposes). Also, making a "secret" out of an already patched vulnerability and a freely available malware sample with the exploit on board is double idiocy. Their post's only purpose is self-advertising for a suspicious pseudo-security company.