Metrics
Metrics | Score | Severity | CVSS Vector | Source
V2 | 9.3 | | AV:N/AC:M/Au:N/C:C/I:C/A:C | nvd@nist.gov
EPSS
EPSS is a scoring model that predicts the probability that a vulnerability will be exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of all other CVEs. The percentile therefore serves to compare the EPSS score of one CVE against other CVEs.
Exploit Information
Exploit Database EDB-ID: 18894
Publication date: 2012-05-17 22:00 +00:00
Author: Cr4sh
EDB Verified: Yes
===========
Description
===========
Windows XP keyboard layouts pool corruption 0day PoC, post-MS12-034.
The vulnerability exists in the function win32k!ReadLayoutFile(), which parses
keyboard layout file data. Possible attack vector -- local privilege
escalation.
A similar vuln (CVE-2012-0183) was patched recently, but I wonder that
Microsoft failed to rewrite the vulnerable code on Windows XP, and this PoC
is still able to crash fully-patched XP SP3.
However, the pool corruption is not fully controllable, and developing a reliable
code execution exploit is quite a difficult task.
--------------------------------
By Oleksiuk Dmytro (aka Cr4sh)
http://twitter.com/d_olex
http://blog.cr4.sh
mailto:dmitry@esagelab.com
--------------------------------
Typical bugcheck:
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e10650d3, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bf881fb6, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000001, (reserved)
Debugging Details:
------------------
READ_ADDRESS: e10650d3 Paged pool
FAULTING_IP:
win32k!ReadLayoutFile+183
bf881fb6 803800 cmp byte ptr [eax],0
MM_INTERNAL_CODE: 1
IMAGE_NAME: win32k.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4f85831a
MODULE_NAME: win32k
FAULTING_MODULE: bf800000 win32k
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: win32k_Keyboard
TRAP_FRAME: b191c884 -- (.trap 0xffffffffb191c884)
ErrCode = 00000000
eax=e10650d3 ebx=e105b008 ecx=e105b008 edx=00000000 esi=e106ac08 edi=e105c008
eip=bf881fb6 esp=b191c8f8 ebp=b191c90c iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
win32k!ReadLayoutFile+0x183:
bf881fb6 803800 cmp byte ptr [eax],0 ds:0023:e10650d3=??
Resetting default scope
LAST_CONTROL_TRANSFER: from 804f7b8b to 80527c24
STACK_TEXT:
b191c3c0 804f7b8b 00000003 e10650d3 00000000 nt!RtlpBreakWithStatusInstruction
b191c40c 804f8778 00000003 00000000 c0708328 nt!KiBugCheckDebugBreak+0x19
b191c7ec 804f8ca3 00000050 e10650d3 00000000 nt!KeBugCheck2+0x574
b191c80c 8051cc4f 00000050 e10650d3 00000000 nt!KeBugCheckEx+0x1b
b191c86c 805405f4 00000000 e10650d3 00000000 nt!MmAccessFault+0x8e7
b191c86c bf881fb6 00000000 e10650d3 00000000 nt!KiTrap0E+0xcc
b191c90c bf881e25 e208f8e8 e10611c8 e105c008 win32k!ReadLayoutFile+0x183
b191c92c bf8b9574 800003a4 00000000 00000000 win32k!LoadKeyboardLayoutFile+0x6a
b191c9b4 bf92a002 82273e08 800003a4 04090409 win32k!xxxLoadKeyboardLayoutEx+0x1b1
b191c9f0 bf8b91b5 82273e08 0000003c 04090409 win32k!xxxSafeLoadKeyboardLayoutEx+0xa9
b191cd40 8053d6f8 0000003c 00000000 0012fec8 win32k!NtUserLoadKeyboardLayoutEx+0x164
b191cd40 004011c4 0000003c 00000000 0012fec8 nt!KiFastCallEntry+0xf8
0012ff7c 004015de 00000001 00363c48 00362e80 win32k_KeyboardLayout_expl!NtUserLoadKeyboardLayoutEx+0x14 [x:\dev\_exploits\_local\win32k_keyboardlayout_expl\win32k_keyboardlayout_expl\win32k_keyboardlayout_expl.cpp @ 37]
0012ffc0 7c817077 00330036 00360038 7ffdd000 win32k_KeyboardLayout_expl!__tmainCRTStartup+0x10f [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 586]
0012fff0 00000000 00401726 00000000 78746341 kernel32!BaseProcessStart+0x23
STACK_COMMAND: kb
FOLLOWUP_IP:
win32k!ReadLayoutFile+183
bf881fb6 803800 cmp byte ptr [eax],0
SYMBOL_STACK_INDEX: 6
SYMBOL_NAME: win32k!ReadLayoutFile+183
FOLLOWUP_NAME: MachineOwner
FAILURE_BUCKET_ID: 0x50_win32k!ReadLayoutFile+183
BUCKET_ID: 0x50_win32k!ReadLayoutFile+183
Followup: MachineOwner
---------
===
POC
===
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18894.zip
Products Mentioned
Configuration 0
Microsoft>>Office >> Version 2008
Microsoft>>Office_compatibility_pack >> Version *
Microsoft>>Word >> Version 2003
Microsoft>>Word >> Version 2007
References