hacksysteam / HackSysExtremeVulnerableDriver

HackSys Extreme Vulnerable Driver (HEVD) - Windows & Linux
https://hacksys.io
GNU General Public License v3.0

patch is not security. #25

Closed ghost closed 5 years ago

ghost commented 5 years ago

Hello, I'm sorry, I'm not good at English. Please forgive my grammar mistakes.

Thanks for your outstanding work. However, I think there are some mistakes...

https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/blob/master/Driver/UseAfterFree.c#L179

I think the code `g_UseAfterFreeObject = NULL` may not be secure, because I could do this. 00000000: 00401000 (shellcode address)

It is exploited. I'm so sorry, I'm so terrible in English....

ghost commented 5 years ago

it will work...

if (g_UseAfterFreeObject) { if (g_UseAfterFreeObject->Callback) { g_UseAfterFreeObject->Callback(); } }

hacksysteam commented 5 years ago

Hi @redogwu

Thanks for the report.

I don't think this is exploitable in the secure version https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/blob/master/Driver/UseAfterFree.c#L179

In UseUaFObject() there is a check:

if (g_UseAfterFreeObject) {
    DbgPrint("[+] Using UaF Object\n");
    DbgPrint("[+] g_UseAfterFreeObject: 0x%p\n", g_UseAfterFreeObject);
    DbgPrint("[+] g_UseAfterFreeObject->Callback: 0x%p\n", g_UseAfterFreeObject->Callback);
    DbgPrint("[+] Calling Callback\n");

    if (g_UseAfterFreeObject->Callback) {
        g_UseAfterFreeObject->Callback();
    }
}

Can you explain more? And don't worry about English, mine is terrible as well.

Do you have a PoC or explanation for the same?

Thanks.
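To show why the NULL check above only helps when the free path also clears the global, here is an added user-space model of that pattern (constructed for this thread; it is not HEVD's driver code, and the `UaFObject` layout, `AllocateUaFObject`, `FreeUaFObjectSecure` and `g_CallbackRuns` names are assumptions):

```c
#include <stdlib.h>
#include <string.h>

/* Constructed user-space model of HEVD's UaF object handling (not the driver's code):
 * the callback pointer sits first in the object, the object is reached only through
 * a global, and the "secure" free clears that global before anyone can use it again. */
typedef void (*Callback_t)(void);

typedef struct {
    Callback_t Callback;
    char Buffer[56];
} UaFObject;

static UaFObject *g_UseAfterFreeObject = NULL;
static int g_CallbackRuns = 0;            /* counts genuine callback invocations */

static void UaFObjectCallback(void) { g_CallbackRuns++; }

int AllocateUaFObject(void) {
    g_UseAfterFreeObject = malloc(sizeof *g_UseAfterFreeObject);
    if (g_UseAfterFreeObject == NULL) return -1;
    g_UseAfterFreeObject->Callback = UaFObjectCallback;
    memset(g_UseAfterFreeObject->Buffer, 0x41, sizeof g_UseAfterFreeObject->Buffer);
    return 0;
}

/* Secure free: release the object AND clear the global, so the NULL check in
 * UseUaFObject() is what stands between a later caller and the freed memory. */
void FreeUaFObjectSecure(void) {
    free(g_UseAfterFreeObject);
    g_UseAfterFreeObject = NULL;
}

/* Mirrors the check quoted above. Returns 1 if the callback ran, 0 if it was skipped. */
int UseUaFObject(void) {
    if (g_UseAfterFreeObject) {
        if (g_UseAfterFreeObject->Callback) {
            g_UseAfterFreeObject->Callback();
            return 1;
        }
    }
    return 0;
}

/* Lets a caller confirm the global no longer dangles, without dereferencing it. */
int ObjectPointerIsNull(void) { return g_UseAfterFreeObject == NULL; }
```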

ghost commented 5 years ago

hello, wait a minute. I will do a simple exp for you.

ghost commented 5 years ago

I'm sorry. I think I'm stupid and foolish. Please ignore it. I'm so sorry