Name | ms16_032 |
CVE | CVE-2016-0099 |
Exploit Pack | CANVAS |
Description | MS16-032 Seclogon Thread Handle Leak |
Notes |

CVE Name: CVE-2016-0099
Vendor: Microsoft

Our exploit module is really two modules:

1. An exploit based on Google Project Zero's post by James Forshaw. It is extremely reliable if the target is a non-virtualized (and multicore) machine.
2. An Immunity-written exploit for handling the case of virtualized systems. It is *much* less reliable. We discuss that below.

IMPORTANT NOTE: we assume that almost every bare-metal system this will run on will have multiple cores. Thus we only check whether a system is virtualized or not to determine which exploit binary to execute.

NOTES ON EXPLOIT #2

It should be noted that this exploit has reliability issues, stemming mainly from SuspendThread and SetThreadContext providing unreliable process-suspension and register-writing primitives. Many techniques have been tried to maintain control over the thread after we suspend it, but they have proven unreliable in general.

This exploit *will* crash SecLogon and a number of other Windows services at the same time if successful. Even if the exploit is unsuccessful, it may crash those services as well. However, it should be noted that these services will in fact restart.

Win7 / Win10 are the most reliable targets. It also takes a long time to work: a few minutes should suffice, but not more than 5.

Tested targets:

X86:
- Windows XP Home SP0 - FAILED, incorrect handle number duplicated - likely not exploitable
- Windows 8.1 SP1 - SUCCESS - Exploit created.
- Windows 7 Ultimate SP1 - SUCCESS - Exploit created.
- Windows 10 Enterprise - SUCCESS - Exploit created.

X86_64:
- Windows Server 2008 R2 - VULNERABLE
- Windows 8.1 Pro SP1 - VULNERABLE
- Windows 10 Enterprise - SUCCESS - Exploit created.

Repeatability: Infinite

References:
- https://technet.microsoft.com/en-us/library/security/ms16-032.aspx
- http://googleprojectzero.blogspot.com/2016/03/exploiting-leaked-thread-handle.html
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0099

CVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0099 |