CVE-2016-3309 PoC: Microsoft Win32k Elevation of Privilege Vulnerability

Associated Vulnerability
Title: Microsoft Win32k Elevation of Privilege Vulnerability (CVE-2016-3309)
Description: The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3308, CVE-2016-3310, and CVE-2016-3311.
Description
Exploits for the win32kfull!bFill vulnerability on Windows 10 x64 RS2 (Creators Update), using either the Bitmap or the Palette technique
Readme
## Kernel Exploitation Case Study - "Wild" Pool Overflow on Win10 x64 RS2 (CVE-2016-3309 Reloaded)

This GitHub repo contains exploits for the recently patched win32kfull!bFill vulnerability. Running either the Palette or the Bitmap exploit yields SYSTEM privileges on an affected system. The exploits are expected to work on Windows 10 x64 Creators Update, build 15063.540 (the last Windows 10 build before Microsoft's September 2017 updates).

The Visual Studio solution contains three exploits:

- CVE-2016-3309_Reloaded_Bitmaps: exploit using the Bitmap technique
- CVE-2016-3309_Reloaded_Palettes: exploit using the Palette technique
- CVE-2016-3309_Reloaded_Deadlock: PoC showing the system deadlock that results from the improved handle validation

We also published a [blog post](https://siberas.de/blog/2017/10/05/exploitation_case_study_wild_pool_overflow_CVE-2016-3309_reloaded.html) which goes into detail about the exploitation of this "wild" Pool-based overflow. 
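Before building the solution it is worth confirming that the target machine is actually the build the README names, since the exploits are tuned for Creators Update (RS2) at or below 15063.540. The following PowerShell check is an added example and is not part of the CVE-2016-3309_Reloaded repository; it assumes the build number and Update Build Revision (UBR) can be read from the standard `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion` key, and takes 15063.540 from the README above as the cut-off.

```powershell
# Added example, not code from the CVE-2016-3309_Reloaded repository.
# Assumption: CurrentBuild and UBR (Update Build Revision) are read from the
# standard CurrentVersion registry key; 15063.540 is the target build named in the README.

function Test-ReloadedTarget {
    param(
        [int]$TargetBuild = 15063,   # Windows 10 Creators Update (RS2)
        [int]$TargetUbr   = 540      # last UBR before the September 2017 updates, per the README
    )

    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR
    $arch  = $env:PROCESSOR_ARCHITECTURE

    $result = [pscustomobject]@{
        Build   = "$build.$ubr"
        Arch    = $arch
        Verdict = ''
    }

    if ($arch -ne 'AMD64') {
        $result.Verdict = 'Not x64: the Reloaded exploits are written for Win10 x64 only.'
    } elseif ($build -eq $TargetBuild -and $ubr -le $TargetUbr) {
        $result.Verdict = "Matches the README target ($TargetBuild.$TargetUbr or earlier): exploit expected to work."
    } elseif ($build -eq $TargetBuild) {
        $result.Verdict = 'Creators Update with a newer cumulative update applied: outside the README''s stated target.'
    } else {
        $result.Verdict = 'Different Windows 10 build: the exploits are tuned for RS2 and are not expected to work as-is.'
    }
    return $result
}

Test-ReloadedTarget | Format-List
```

Run it in the same session in which you intend to launch the compiled exploit; the check only classifies the build against the README's stated target and does not test for the vulnerability itself.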
File Snapshot

[4.0K] /data/pocs/c0ec2cfeaa0e37350f5f25143ce89d28e91061ef
├── [4.0K] CVE-2016-3309_Reloaded_Bitmaps
│   ├── [7.3K] CVE-2016-3309_Reloaded_Bitmaps.vcxproj
│   ├── [ 964] CVE-2016-3309_Reloaded_Bitmaps.vcxproj.filters
│   └── [ 23K] main_bitmaps.cpp
├── [4.0K] CVE-2016-3309_Reloaded_Deadlock
│   ├── [7.3K] CVE-2016-3309_Reloaded_Deadlock.vcxproj
│   ├── [ 965] CVE-2016-3309_Reloaded_Deadlock.vcxproj.filters
│   └── [8.7K] main_deadlock.cpp
├── [4.0K] CVE-2016-3309_Reloaded_Palettes
│   ├── [7.3K] CVE-2016-3309_Reloaded_Palettes.vcxproj
│   ├── [ 965] CVE-2016-3309_Reloaded_Palettes.vcxproj.filters
│   └── [ 21K] main_palettes.cpp
├── [2.9K] CVE-2016-3309_Reloaded.sln
├── [ 50K] CVE-2016-3309_Reloaded.suo
└── [1007] README.md

3 directories, 12 files