
Runtime Error with CVE-2023-29336 PoC On Windows 2016 Standard #4

Open
gwillcox-r7 opened this issue Jun 9, 2023 · 4 comments

Comments

@gwillcox-r7

When running the PoC on a fresh Windows 2016 updated with Feb 2018 patches, I keep getting the following error when trying to run the PoC via a Visual Studio 2022 project:

Exception thrown at <address> in CVE-2023-29336.exe: 0xC00000005: Access violation reading location 0xFFFFFFFFFFFFFFFF

Yet looking at where add is, I see it's a variable that is seemingly pointing to invalid memory that cannot be read from:

[screenshot]

@gwillcox-r7

gwillcox-r7 commented Jun 12, 2023

Upon further inspection this is likely being caused by the fact that hardcoded offsets into USER32.dll are being used, and I'm guessing 0xbd688 isn't right for Windows Server 2016 EN_US edition. It's possible this might be different on a Chinese or Singaporean system, which would explain why this code might work on the author's PC but not on a US system due to strings being encoded in different languages, which might end up changing the offset location; or it might be that I'm simply using a different patch version of USER32.dll where a minor update to the code shifted the offset location. In any case, I imagine this file could be subject to change from a few angles; will dig deeper and see what I can find.

@gwillcox-r7

gwillcox-r7 commented Jun 12, 2023

Looks like this was designed to be getting the address of HMValidateHandle using a common technique, though the use of a hardcoded address vs checking for specific bytes is a bit different than what I've seen in the past. In reality in my copy the address of IsMenu is at 0x180012b10 whilst the address of HMValidateHandle is at 0x180012100. So HMValidateHandle is actually earlier on in the code, not later on in the code like the code appears to be trying to do.

@gwillcox-r7

Okay so turns out the PoC is only designed to work on 14393.rs1_release.230329-2152 and I was testing on 14393.rs1_release.161220-1747 from what I can tell, which explains the differences.

@leexuan

leexuan commented Jul 17, 2023

When running the PoC on a fresh Windows 2016 updated with Feb 2018 patches, I keep getting the following error when trying to run the PoC via a Visual Studio 2022 project:

Exception thrown at <address> in CVE-2023-29336.exe: 0xC00000005: Access violation reading location 0xFFFFFFFFFFFFFFFF

Yet looking at where add is, I see it's a variable that is seemingly pointing to invalid memory that cannot be read from:

[screenshot]

Also encountered this problem. And, have you solved it?
