Win32k elevation of privilege vulnerability, CVE-2015-1701 exp (vulnerability warning), 黑吧安全网 (www.myhack58.com)
Source record: MYHACK58:62201562817; author: anonymous (佚名); published May 24, 2015

EPSS score: 0.372 (97.2nd percentile)

Win32k elevation of privilege vulnerability – CVE-2015-1701
An elevation of privilege vulnerability exists when the Win32k.sys kernel-mode driver improperly handles objects in memory. An attacker who successfully exploits this vulnerability can run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.
To exploit this vulnerability, an attacker must first log on to the system. The attacker could then run a specially crafted application designed to exploit the vulnerability and take complete control of the affected system.
This vulnerability has been publicly disclosed. When this security bulletin was issued, Microsoft was aware of very limited, targeted attacks that attempt to exploit it.
https://technet.microsoft.com/library/security/MS15-051

Win32k Elevation of Privilege Vulnerability.
The original source of this information is the FireEye report on the Russian APT28 group using this 0-day:
Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia's APT28 in Highly-Targeted Attack
https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html

Protection
Apply MS15-051 to fix: https://technet.microsoft.com/library/security/MS15-051

Download
Taihou64.exe and Taihou32.exe
https://github.com/hfiref0x/CVE-2015-1701/tree/master/Compiled
Source: https://github.com/hfiref0x/CVE-2015-1701/tree/master/Source

Test result (screenshot in the original article, not reproduced here).

ms15-051 modified version
Adds Windows Server 2003 support, trims part of the code, bundles the ntdll.lib library, and finally makes the exploit usable from a webshell.
The original code, even when compiled in a 2003-compatible format, would not run on 2003, because systems before Win7 do not export user32!gSharedInfo; it can only be located by parsing the PDB or by pattern search. In addition, the EPROCESS->Token offset differs between systems. These modifications have been added to the project.
The project is VS2010 source code and can be compiled directly. It comes with two compiled exps, tested successfully on 2003 64-bit and 32-bit. The virtual machine version I tested with is SP2; I do not guarantee that other versions work.
If you find a version that does not work, tell me the version number and I will modify it (a download address for a system image of the corresponding version would be best).
This vulnerability does not affect Windows 8 and later, so only these versions can be done.
Note: when running the exe in the attachment from Chopper (菜刀), the output is apparently not returned, but the command has in fact been executed if a pid is printed.
Execution from ASPXSpy is not a problem; with the Chopper ASP webshell the following script can be used:

```vbscript
set x = createobject("wscript.shell").exec("c:\inetpub\wwwroot\ms15-051.exe ""whoami /all""")
response.write (x.stdout.readall & x.stderr.readall)
```
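The chain the note above describes leaves a distinctive trail in process-creation telemetry: the IIS worker process spawns an executable that lives under the web root, and that executable in turn spawns a reconnaissance command at a higher integrity level than its parent. The following detection heuristic is an added example written for defenders; it is not code from the original article or from the hfiref0x repository. The process names, the default web root, the list of reconnaissance binaries and the event records are all constructed assumptions for this example, and the record fields only loosely mimic Sysmon Event ID 1.

```python
"""
Detection heuristic for the abuse pattern described above: a webshell inside the
IIS worker process launches a privilege-escalation executable dropped under the
web root, which then spawns a SYSTEM-level child. Added example for defenders,
not code from the original article or from the hfiref0x repository. The event
records below are constructed; their field names only loosely mimic Sysmon
Event ID 1 (process creation).
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Assumptions: IIS worker process names, the default IIS web root, and a short
# list of reconnaissance binaries; adjust to the environment being monitored.
IIS_WORKERS = {"w3wp.exe", "aspnet_wp.exe"}
WEB_ROOT = PureWindowsPath(r"C:\inetpub\wwwroot")
RECON_TOOLS = {"whoami.exe", "cmd.exe", "net.exe", "ipconfig.exe"}
INTEGRITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "System": 4}


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process image
    command_line: str
    integrity: str      # Low / Medium / High / System


Finding = Tuple[int, str, str]  # (pid, rule name, detail)


def under_web_root(image: str) -> bool:
    """True if the image path lies under WEB_ROOT (case-insensitive, as NTFS is)."""
    parts = [p.lower() for p in PureWindowsPath(image).parts]
    root = [p.lower() for p in WEB_ROOT.parts]
    return parts[: len(root)] == root


def analyze(events: List[ProcessEvent]) -> List[Finding]:
    """Apply four rules to a batch of process-creation events."""
    by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        parent: Optional[ProcessEvent] = by_pid.get(e.ppid)
        name = PureWindowsPath(e.image).name.lower()
        parent_name = PureWindowsPath(parent.image).name.lower() if parent else ""

        # Rule 1: an IIS worker process spawning any child is worth a look;
        # a webshell is the usual reason it happens.
        if parent_name in IIS_WORKERS:
            findings.append((e.pid, "iis-worker-child", e.image))
        # Rule 2: executables should not live, let alone run, under the web root.
        if under_web_root(e.image):
            findings.append((e.pid, "exec-from-webroot", e.image))
        # Rule 3: a binary from the web root running whoami/cmd/net is the
        # check an attacker makes right after escalating.
        if parent and under_web_root(parent.image) and name in RECON_TOOLS:
            findings.append((e.pid, "recon-from-webroot-binary", e.command_line))
        # Rule 4: a child normally inherits its parent's integrity level; a jump
        # upward with no UAC broker in between is what a stolen SYSTEM token
        # looks like (legitimate elevations go through consent.exe/AppInfo and
        # need an allowlist in a real deployment).
        if parent and INTEGRITY_RANK[e.integrity] > INTEGRITY_RANK[parent.integrity]:
            findings.append((e.pid, "integrity-jump", f"{parent.integrity}->{e.integrity}"))
    return findings


# Constructed sample: a benign explorer/notepad pair, then the webshell chain.
SAMPLE_EVENTS = [
    ProcessEvent(700, 650, r"C:\Windows\explorer.exe", "explorer.exe", "Medium"),
    ProcessEvent(710, 700, r"C:\Windows\System32\notepad.exe", "notepad.exe", "Medium"),
    ProcessEvent(1000, 600, r"C:\Windows\System32\inetsrv\w3wp.exe", "w3wp.exe -ap DefaultAppPool", "High"),
    ProcessEvent(1100, 1000, r"C:\inetpub\wwwroot\ms15-051.exe", r'c:\inetpub\wwwroot\ms15-051.exe "whoami /all"', "High"),
    ProcessEvent(1200, 1100, r"C:\Windows\System32\whoami.exe", "whoami /all", "System"),
]

if __name__ == "__main__":
    for pid, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}: {detail}")
```

On the constructed sample the benign explorer/notepad events produce nothing, the exploit binary trips rules 1 and 2, and its whoami child trips rules 3 and 4. Rules 1 and 2 fire before the kernel exploit even runs, which is the point: the webshell stage is the cheaper place to catch this chain than the escalation itself.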

The source code has been updated; recompiling it again works without problems.
Test screenshot:
![Test screenshot](/Article/UploadPic/2015-5/2015523233832183.png)

Download:
![Download](/Article/UploadPic/2015-5/2015523233834444.png)
ms15-051.zip
Baidu network disk: http://pan.baidu.com/s/1eQ1ZOzC
Unzip password: see the note.