Fix up changes from timwr's review so long
This commit is contained in:
parent
780a9370a2
commit
3af93cbacc
@ -4,7 +4,7 @@ A use after free vulnerability exists in the `NtGdiResetDC()` function of Win32k
an attacker to escalate privileges to those of `NT AUTHORITY\SYSTEM`. The flaw exists due to the fact
that this function calls `hdcOpenDCW()`, which performs a user mode callback. During this callback, attackers
can call the `NtGdiResetDC()` function again with the same handle as before, which will result in the PDC object
that is referenced byt his handle being freed. The attacker can then replace the memory referenced by the handle
that is referenced by this handle being freed. The attacker can then replace the memory referenced by the handle
with their own object, before passing execution back to the original `NtGdiResetDC()` call, which will now use the
attacker's object without appropriate validation. This can then allow the attacker to manipulate the state of the
kernel and, together with additional exploitation techniques, gain code execution as NT AUTHORITY\SYSTEM.
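Review bot: the typo fix (`byt his` to `by this`) is correct, but the paragraph is still inconsistent about how it formats the account name: `NT AUTHORITY\SYSTEM` is in backticks on the second line and bare in the last sentence (`gain code execution as NT AUTHORITY\SYSTEM`). Since this hunk is being touched anyway, backtick the last occurrence too so both references render the same way.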
@ -17,13 +17,13 @@ class MetasploitModule < Msf::Exploit::Local
update_info(
info,
{
'Name' => '',
'Name' => 'Win32k NtGdiResetDC Use After Free Local Privilege Elevation',
'Description' => %q{
A use after free vulnerability exists in the `NtGdiResetDC()` function of Win32k which can be leveraged by
an attacker to escalate privileges to those of `NT AUTHORITY\SYSTEM`. The flaw exists due to the fact
that this function calls `hdcOpenDCW()`, which performs a user mode callback. During this callback, attackers
can call the `NtGdiResetDC()` function again with the same handle as before, which will result in the PDC object
that is referenced byt his handle being freed. The attacker can then replace the memory referenced by the handle
that is referenced by this handle being freed. The attacker can then replace the memory referenced by the handle
with their own object, before passing execution back to the original `NtGdiResetDC()` call, which will now use the
attacker's object without appropriate validation. This can then allow the attacker to manipulate the state of the
kernel and, together with additional exploitation techniques, gain code execution as NT AUTHORITY\SYSTEM.
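Review bot: the empty `'Name' => ''` needed filling in, since the module would otherwise show up nameless in `search` and `info` output, so that part is good. The `Description` block, however, is a verbatim copy of the documentation paragraph in the first hunk, including the same `byt his` typo that had to be fixed in both places; any future wording change has to be made twice, so it is worth keeping the two in sync deliberately (and backticking the final `NT AUTHORITY\SYSTEM` here as well, to match the second line of the same block). Note that inside `%q{}` the backslash in `NT AUTHORITY\SYSTEM` is kept literally, which is what is wanted.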
@ -80,7 +80,7 @@ class MetasploitModule < Msf::Exploit::Local
return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')
end
build_num_raw = session.shell_command_token('cmd.exe /c ver')
build_num_raw = cmd_exec('cmd.exe /c ver')
build_num = build_num_raw.match(/\d+\.\d+\.\d+\.\d+/)
if build_num.nil?
print_error("Couldn't retrieve the target's build number!")
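Review bot: replacing `session.shell_command_token` with `cmd_exec` is the right change: `shell_command_token` only exists on shell sessions, whereas `cmd_exec` works on both Meterpreter and shell sessions, so `check` no longer breaks when run from a Meterpreter session. Two follow-ups on the lines that remain: `build_num` is a `MatchData`, so wherever it is compared later it needs `build_num[0]` (or `.to_s`) rather than the match object itself, and the `print_error` branch for the unparsed case should return an explicit `CheckCode` (for example `CheckCode::Unknown`) so `check` does not fall through with no result when `cmd.exe /c ver` returns nothing usable.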