Windows 10 RS2/RS3 exploitation primitives based on the OffensiveCon 2018 talk
C++ C Python
Windows 10 RS2/RS3 exploitation primitives

GdiMgr

A vulnerable driver that imitates the bug that I found. It's a heap overflow in the session heap.

rs3ExploitPushLock

The deadlock-free technique to bypass the GDI pushlock mitigation.

rs3ExploitDelayedFree

Another technique based on reclaiming the heap block to bypass the GDI pushlock mitigation.

filter.py

A pykd script that displays all the allowed/filtered system calls for each filter level. Make sure that you are in the process context of a process running in the session that you want to query.

```
$>.load pykd.pyd

$>!process 0 0 explorer.exe

PROCESS fffffa800330fb10
    SessionId: 1  Cid: 0580    Peb: 7fffffd7000  ParentCid: 0374
    DirBase: 0cf72000  ObjectTable: fffff8a0013d6c10  HandleCount: 595.
    Image: explorer.exe

$>.process /i /r fffffa800330fb10
$>g
$>!py filter.py 5 5 0
win32k!_stub_UserSetWindowFeedbackSetting 0x146b
win32k!_stub_UserTransformPoint 0x147c
win32k!_stub_UserTransformRect 0x147d
....
```