Skip to content
/ windows_10_rs2_rs3_exploitation_primitives Public

Windows 10 RS2/RS3 exploitation primitives based on the OffensiveCon 2018 talk

55 stars 21 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

CENSUS/windows_10_rs2_rs3_exploitation_primitives

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
GdiMgr
GdiMgr
 
 
rs3ExploitDelayedFree
rs3ExploitDelayedFree
 
 
rs3ExploitPushLock
rs3ExploitPushLock
 
 
README.md
README.md
 
 
filter.py
filter.py
 
 

Repository files navigation

Windows 10 RS2/RS3 exploitation primitives

GdiMgr

A vulnerable driver that imitates the bug that I found. It's a heap overflow in the session heap.

rs3ExploitPushLock

The deadlock-free technique to bypass the GDI pushlock mitigation.

rs3ExploitDelayedFree

Another technique based on reclaiming the heap block to bypass the GDI pushlock mitigation.

filter.py

A pykd script that displays all the allowed/filtered system calls for each filter level. Make sure that you are in the process context of a process running in the session that you want to query.

$>.load pykd.pyd

$>!process 0 0 explorer.exe

PROCESS fffffa800330fb10
    SessionId: 1  Cid: 0580    Peb: 7fffffd7000  ParentCid: 0374
    DirBase: 0cf72000  ObjectTable: fffff8a0013d6c10  HandleCount: 595.
    Image: explorer.exe 

$>.process /i /r fffffa800330fb10
$>g
$>!py filter.py 5 5 0
win32k!_stub_UserSetWindowFeedbackSetting 0x146b
win32k!_stub_UserTransformPoint 0x147c
win32k!_stub_UserTransformRect 0x147d
....

About

Windows 10 RS2/RS3 exploitation primitives based on the OffensiveCon 2018 talk

Resources

Readme
Activity
Custom properties

Stars

55 stars

Watchers

13 watching

Forks

21 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages