SCF Advanced Search

  • Total Posts: 40150
  • Total Topics: 14260
  • Online Today: 750
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)

Author Topic: Analyzing the Recent Windows Zero-Day Escalation of Privilege Exploit  (Read 1768 times)

0 Members and 1 Guest are viewing this topic.


  • SCF VIP Member
  • *****
  • Posts: 776
  • KARMA: 117
  • Gender: Male
  • Pez
Analyzing the Recent Windows Zero-Day Escalation of Privilege Exploit

Recently we caught a malicious sample that exploits a PDF vulnerability–CVE-2013-3346, we believe–and executes after a use-after-free condition occurs. During our analysis we noticed that this PDF sample also exploits a zero-day local Windows vulnerability–CVE-2013-5065–to escalate privilege. This zero-day occurs in NDProxy.sys under Windows XP and 2003. The exploitation of this flaw is similar to CVE-2010-2743, known as the Win32k keyboard layout vulnerability. Let’s take a closer look.

After the PDF exploit succeeds and shellcode executes, it fills the first page in memory, starting from address 0, with hundreds of NOP instructions and then fills with kernel shellcode. Next it gets a handle to \\.\NDProxy via the API CreateFileA, and then uses this handle by calling the API DeviceIoControl with the IOCTL code 0x8fff23c8. Next the execution flaw goes into the NDProxy!PxIoDispatch function in Ring 0. (PxIoDispatch is the function that handles input-output control coming from user mode.)

("click the images to make them larger")

While coming to the branch that handles IOCTL code 0x8fff23c8, PxIoDispatch processes the input buffer supplied by the attacker:

The esi register points to the input buffer coming from user mode, and the content of input buffer is set like this:

After calculating, the eax value is (0×7030125-0×7030101)*3*4=0x1b0, which will be used as an index to a function table later:

Now for the vulnerability: Let’s see how long the function table is that resides at off_18008. The beginning of the table:

The end of the table:

The end offset, 0x181b0, minus the beginning offset, 0×18008, gives us 0x1a8. In our case the index is 0x1b0, which is already out of the table, and references the second dword at the next table, with the value 0×38. So the execution flaw now goes to address 0×38 thanks to the call instruction, and everything is under the attacker’s control.

In the kernel shellcode, the exploit replaces the current process’ token with the SYSTEM process’ token, which should escalate its privilege as SYSTEM, and return to the caller. Now the following user mode shellcode will run at privileged level. The exploit then drops a temp file with a random name such as xxx.tmp, a Trojan, in the temporary directory, and launches it by calling the API WinExec.

Original article: By Xing Su on Dec 07, 2013
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing !,8405.msg21475.html#msg21475

Samker's Computer Forum -


With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters)

Enter your email address to receive daily email with ' - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising