Immunity, Inc.
Name ms15_051
CVE CVE-2015-1701
Exploit Pack CANVAS
Description: win32k.sys bServerSideWindowProc flag logic issue
Repeatability: Infinite
Notes:
This module exploits a vulnerability on the win32k.sys driver.
The bServerSideWindowProc flag on the window's handle structure is meant to be used to improve the performance of usercallbacks by replacing the call to a userland function with a kernel one.
Setting this flag allows the window procedure to run on kernel mode.
When creating a new window, after calling the ClientCopyImage user callback, the kernel does not re-check whether bServerSideWindowProc could have been raised in the meantime, and execution continues as if the flag were still unset.
By hooking ClientCopyImage it is possible to set bServerSideWindowProc and define a new window procedure by calling the SetWindowLongPtr function on the newly created window.
This leads to the execution of the defined window procedure in kernel mode.

Tested on:
Windows XP SP3 x86
Windows 7 Professional x86
Windows 7 Professional SP1 x64
Windows Server 2003 Standard x64
Windows Server 2008 R2 Standard x64 SP1

This exploit does not work on Windows 8.1.

VENDOR: Microsoft
CVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1701
CVE Name: CVE-2015-1701
