
Shaping LFH #1

Open
saaramar opened this issue Jul 20, 2017 · 2 comments

Comments

@saaramar

First of all - great repo! Thanks for sharing.
About the stability issue - you exploited the vulnerability in the DND/CopyPaste mechanism, right? You have corruption in the memcpy in DnDCPMsgV4_UnserializeMultiple(), due to the flawed check in DnDCPMsgV4IsPacketValid(). The issue is that the LFH allocations in the userblocks are randomized, since Win8 dropped the FreeEntryOffset. But - you have alloc and free primitives. Why not use the randomization vulnerability, and do something like this - https://github.com/saaramar/Deterministic_LFH ?
(It would work until build 16179, but still, that would be pretty cool, wouldn't it? :) )
Thanks!
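As an added illustration of the point made above (this is not code from the issue, from rip1s's repo, or from the linked Deterministic_LFH project), the simulation below models a Win8+ LFH userblock that picks a random starting slot for each allocation, and shows the simplest way alloc/free primitives defeat that randomization: spray the bucket until the userblock is full, then free exactly the slot you want the next allocation to land in. The userblock layout, bucket size (128 slots), xorshift "random" source, and the fact that a full block never spills into a new subsegment are all simplifying assumptions of the model, not properties of the real heap, and this generic fill-then-punch-a-hole shaping is not the randomization bug the linked repo exploits.

```c
/*
 * Added example, not the issue's or either repo's code: a toy model of a
 * post-Win8 LFH userblock whose allocator starts at a random slot, plus the
 * alloc/free shaping that makes the next allocation deterministic anyway.
 * Assumptions: fixed-size bitmap of slots, xorshift32 as the random source,
 * no new subsegment when the block is full. None of this is real heap code.
 */
#include <stdio.h>
#include <string.h>

#define MAX_SLOTS 256

typedef struct {
    unsigned n;                     /* chunks in this userblock (assumed bucket size) */
    unsigned char used[MAX_SLOTS];  /* 1 = allocated, 0 = free */
} userblock;

/* xorshift32 stand-in for the heap's random data; seeded so runs repeat */
static unsigned rng_state = 0x9E3779B9u;
static unsigned next_rand(void) {
    unsigned x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

static void ub_init(userblock *ub, unsigned n) {
    ub->n = n > MAX_SLOTS ? MAX_SLOTS : n;
    memset(ub->used, 0, sizeof ub->used);
}

/* Model of a randomized LFH allocation: begin at a random slot and take the
 * first free one at or after it (wrapping around). Returns -1 if the block
 * is full (the real heap would open a new subsegment here; not modelled). */
static int lfh_alloc(userblock *ub, unsigned start) {
    for (unsigned i = 0; i < ub->n; i++) {
        unsigned idx = (start + i) % ub->n;
        if (!ub->used[idx]) { ub->used[idx] = 1; return (int)idx; }
    }
    return -1;
}

static void lfh_free(userblock *ub, int idx) {
    if (idx >= 0 && (unsigned)idx < ub->n) ub->used[idx] = 0;
}

/* Unshaped case: a half-full block. Count how many different slots the
 * "next" allocation lands in across trials (each trial frees it again). */
unsigned distinct_slots_unshaped(unsigned n, unsigned trials) {
    userblock ub; ub_init(&ub, n);
    for (unsigned i = 0; i < ub.n / 2; i++) lfh_alloc(&ub, next_rand() % ub.n);
    unsigned char seen[MAX_SLOTS] = {0};
    unsigned distinct = 0;
    for (unsigned t = 0; t < trials; t++) {
        int got = lfh_alloc(&ub, next_rand() % ub.n);
        if (got >= 0 && !seen[got]) { seen[got] = 1; distinct++; }
        lfh_free(&ub, got);
    }
    return distinct;
}

/* Shaped case: use the alloc primitive until the block is full, then free
 * exactly the slot the victim object should occupy. Whatever start index
 * the heap picks, the only free slot is ours. Returns 1 if every trial hit. */
int shaped_alloc_is_deterministic(unsigned n, unsigned trials, unsigned target) {
    userblock ub; ub_init(&ub, n);
    while (lfh_alloc(&ub, next_rand() % ub.n) >= 0) ;   /* spray until full */
    target %= ub.n;
    for (unsigned t = 0; t < trials; t++) {
        lfh_free(&ub, (int)target);                      /* punch one hole */
        int got = lfh_alloc(&ub, next_rand() % ub.n);    /* the "victim" alloc */
        if (got != (int)target) return 0;
    }
    return 1;
}

int main(void) {
    printf("unshaped: next alloc landed in %u distinct slots over 1000 tries\n",
           distinct_slots_unshaped(128, 1000));
    printf("shaped:   next alloc hit the chosen slot every time? %s\n",
           shaped_alloc_is_deterministic(128, 1000, 37) ? "yes" : "no");
    return 0;
}
```

In an exploit the hole you punch is normally the slot right after a chunk you control, so the object placed there sits where the out-of-bounds memcpy in the vulnerable path will reach it. Against the real LFH the hard parts this model skips are knowing when the userblock is actually full (so the heap does not hand you a fresh subsegment) and keeping other threads in vmware-vmx from taking the hole first, which is why the owner's reply below notes the technique is harder to apply inside VMware.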

@rip1s
Owner

rip1s commented Jul 21, 2017

Thanks, I will try, but this will be more complicated inside VMware.

@vportal

vportal commented Jun 29, 2022

Hello,

I am trying to replicate the exploit, but I get a BSOD when I start debugging vmware-vmx. Analyzing the different dumps, the crash occurs in nt!NtWaitForDebugEvent+2bf, but I'm not sure why. Did you experience this issue while developing the exploit?

Thanks, best regards.
Víctor
