A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #26768  by TETYYSs
 Sun Sep 20, 2015 11:09 am
So, what type of exploit is it? What KB patches it? And when I tried to test it, it crashed after line 373.
 #26769  by R00tKit
 Sun Sep 20, 2015 1:33 pm
This is a use-after-free bug in the Win32k.sys driver. Calling SetClassLongPtr in user mode causes kernel mode to invoke a user-mode callback from the PEB; I hooked this callback, freed the window object inside it, and then reallocated the heap with a fake buffer, ....

This is not a fully weaponized exploit, just a PoC, and it worked on my OS.
 #26772  by EP_X0FF
 Sun Sep 20, 2015 4:40 pm
TETYYSs wrote: So, what type of exploit is it? What KB does patch it?
https://support.microsoft.com/en-us/kb/3057839

P.S.
I don't know why you put assembly here where it is not needed at all.
 #26774  by R00tKit
 Sun Sep 20, 2015 6:47 pm
EP_X0FF wrote: P.S.
I don't know why you put assembly here where it is not needed at all.
Yes, I think just for
    __asm
    {
        mov     eax, 116Dh          ; system service number
        mov     edx, 7FFE0300h      ; KUSER_SHARED_DATA.SystemCall stub pointer
        call    dword ptr [edx]     ; enter the kernel through the shared stub
        retn    8
    }
and
    __asm
    {
        mov ax, cs      // read the current code segment selector
        mov um, ax
    }
    if (um == 0x1b)
    {
        // USER MODE (ring 3 code selector)
    }
    else
    {
        success = TRUE;
        DebugBreak();

        Shellcode();
    }

needed asm code, and using asm code to find the pointer inside the PEB, ... is just habit.