Name | ms15_051
---|---
CVE | CVE-2015-1701 Exploit Pack
Vendor | Microsoft
CVE URL | http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1701
CVE Name | CVE-2015-1701

Notes:

This module exploits a vulnerability in the win32k.sys driver.

The bServerSideWindowProc flag on the window's handle structure is meant to improve the performance of user callbacks by replacing the call to a userland function with a kernel one. Setting this flag allows the window procedure to run in kernel mode.

When creating a new window, after calling the ClientCopyImage user callback, the kernel does not check whether bServerSideWindowProc could have been raised in the meantime, so execution continues as if the flag were unset. By hooking ClientCopyImage it is possible to set bServerSideWindowProc and define a new window procedure by calling SetWindowLongPtr on the newly created window. This leads to execution of the defined window procedure in kernel mode.

Tested on:
Windows XP SP3 x86
Windows 7 Professional x86
Windows 7 Professional SP1 x64
Windows Server 2003 Standard x64
Windows Server 2008 R2 Standard x64 SP1

This exploit doesn't work on Windows 8.1.