Open · saaramar opened this issue 7 years ago
Thanks, I will try, but this will be more complicated inside VMware.
Hello,
I am trying to replicate the exploit, but I get a BSOD when I start debugging vmware-vmx. Analyzing the different dumps, the crash occurs in nt!NtWaitForDebugEvent+2bf, but I am not sure why. Did you experience this issue while developing the exploit?
Thanks, best regards. Víctor
First of all, great repo! Thanks for sharing. About the stability issue: you exploited the vulnerability in the DnD/CopyPaste mechanism, right? You have corruption in the memcpy in DnDCPMsgV4_UnserializeMultiple(), due to the flawed check in DnDCPMsgV4IsPacketValid(). The issue is that the LFH allocations in the UserBlocks are randomized, since Win8 dropped the FreeEntryOffset. But you have alloc and free primitives. Why not use the randomization vulnerability and do something like this: https://github.com/saaramar/Deterministic_LFH ? (It would work until build 16179, but still, that would be pretty cool, wouldn't it? :) ) Thanks!