Credit to @kasif dekel for discovering the vulnerability. Their repository is linked here.

This exploit will be ported to Windows 10 64-bit soon after I finish researching `EPROCESS` pointer leaks. The general idea of the technique is to overwrite the security descriptor field in a system process's object header with null bytes, then inject code into that process to launch an elevated shell. There are two things to note, however.
- We must bypass the `BAD_OBJECT_HEADER` bug check, which fires when an object whose type requires a security descriptor is found with a null one. To do this, we can either clear the `SecurityRequired` flag in the process object's `ObjectType` structure, or we can null out only as many bytes of the field as we need (perhaps the first 7 bytes?).
- We must leak an `EPROCESS` pointer to a system process; `winlogon.exe` will perhaps be our best bet. While I do recall writing code to leak the main system `EPROCESS` pointer, I was nonetheless unable to inject code into this process. I will have to find a way to leak pointers to any `EPROCESS` structure if I want to go through with this exploit.
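As an added illustration (my own user-mode model, not code from this repository or from the original research), the C program below models the tail of the x64 `_OBJECT_HEADER` and the two bypass ideas from the list above. The field offsets, the EX_FAST_REF low-nibble encoding of `SecurityDescriptor`, the bit position of `SecurityRequired` and the shape of the bug-check condition are my assumptions taken from public symbols; nothing here touches a real kernel, and the sample pointer is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Low 4 bits of an EX_FAST_REF on x64 hold the fast-reference count; the
   real pointer is 16-byte aligned, so masking them off recovers it. */
#define EX_FAST_REF_MASK 0xFULL
/* SecurityRequired is bit 3 of _OBJECT_TYPE_INITIALIZER.ObjectTypeFlags
   (assumption from public symbols). */
#define OB_FLAG_SECURITY_REQUIRED 0x08

typedef struct {
    uint8_t ObjectTypeFlags;        /* only the flag byte of the type is modelled */
} MODEL_OBJECT_TYPE;

/* Model of the x64 _OBJECT_HEADER (assumed layout): the SecurityDescriptor
   field at 0x28 sits 8 bytes before the object body at 0x30. */
typedef struct {
    uint64_t PointerCount;          /* 0x00 */
    uint64_t HandleCount;           /* 0x08 */
    uint64_t Lock;                  /* 0x10 */
    uint8_t  TypeIndex;             /* 0x18 */
    uint8_t  TraceFlags, InfoMask, Flags;
    uint32_t Reserved;              /* 0x1c */
    uint64_t QuotaBlockCharged;     /* 0x20 */
    uint64_t SecurityDescriptor;    /* 0x28, EX_FAST_REF-encoded */
    uint8_t  Body[16];              /* 0x30, stand-in for the EPROCESS */
} MODEL_OBJECT_HEADER;

/* Strip the fast-ref count the way ExFastRefGetObject does. */
uint64_t sd_pointer(uint64_t fastref) { return fastref & ~EX_FAST_REF_MASK; }

/* Simulate a null write of n bytes landing at (Body - 8): on little-endian
   x64 that zeroes the low-order bytes of the SecurityDescriptor field first. */
void null_sd_bytes(MODEL_OBJECT_HEADER *h, size_t n) {
    if (n > sizeof h->SecurityDescriptor) n = sizeof h->SecurityDescriptor;
    memset(&h->SecurityDescriptor, 0, n);
}

/* Model of the BAD_OBJECT_HEADER (0x189) condition: the type demands a
   security descriptor but the header's field reads as NULL. Assumption:
   tested on the raw field, which is what the page's second bypass relies
   on; the real check may look at the masked pointer instead. */
bool would_bugcheck(const MODEL_OBJECT_TYPE *t, const MODEL_OBJECT_HEADER *h) {
    return (t->ObjectTypeFlags & OB_FLAG_SECURITY_REQUIRED) && h->SecurityDescriptor == 0;
}

/* Model of the access-check outcome: a NULL security descriptor grants
   everything; a non-NULL pointer would be dereferenced by the real kernel,
   so a half-nulled one is reported as dangling rather than as granted. */
bool null_sd_grants_access(const MODEL_OBJECT_HEADER *h) {
    return sd_pointer(h->SecurityDescriptor) == 0;
}

typedef enum { OUTCOME_BUGCHECK, OUTCOME_GRANTED, OUTCOME_DANGLING } outcome_t;

/* Apply a bypass to a fresh header and report what the model predicts.
   clear_flag: first bypass (clear SecurityRequired on the type).
   nbytes: size of the null write (second bypass when nbytes < 8). */
outcome_t simulate(uint64_t original_sd, bool clear_flag, size_t nbytes) {
    MODEL_OBJECT_TYPE type = { .ObjectTypeFlags = OB_FLAG_SECURITY_REQUIRED };
    MODEL_OBJECT_HEADER hdr;
    memset(&hdr, 0, sizeof hdr);
    hdr.SecurityDescriptor = original_sd;
    if (clear_flag) type.ObjectTypeFlags &= (uint8_t)~OB_FLAG_SECURITY_REQUIRED;
    null_sd_bytes(&hdr, nbytes);
    if (would_bugcheck(&type, &hdr)) return OUTCOME_BUGCHECK;
    return null_sd_grants_access(&hdr) ? OUTCOME_GRANTED : OUTCOME_DANGLING;
}

int main(void) {
    /* Constructed sample: a 16-byte-aligned SD pointer with fast-ref count 3. */
    const uint64_t sample_sd = 0xFFFFA80012345670ULL | 3;
    static const char *names[] = { "BUGCHECK", "GRANTED", "DANGLING" };
    printf("clear SecurityRequired, 8-byte null: %s\n", names[simulate(sample_sd, true, 8)]);
    for (size_t n = 1; n <= 8; n++)
        printf("flag intact, %zu-byte null: %s\n", n, names[simulate(sample_sd, false, n)]);
    return 0;
}
```

One thing the model makes visible: a null write that starts at the low-order byte and stops short of 8 bytes always zeroes the fast-ref nibble too, so the raw field and the masked pointer are then equal and non-NULL. In this model, therefore, the partial-null route avoids the bug check but leaves a non-NULL, invalid descriptor pointer rather than the NULL one that grants access; before relying on it, check in a debugger what the real access path does with such a pointer and whether the 0x189 check tests the raw or the masked value.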