Patrick Domingues

Windows has recently released a patch for a vulnerability exploit in the windows operating system which was unknown to many people until last week. The vulnerability would allow a hacker to open a door for full system control.

Discovered by Vasily Berdnikov and Boris Larin of Kaspersky Lab on St. Patrick’s Day this year, the flaw (CVE-2019-0859) is a use-after-free issue in the Windows kernel that allows local privilege escalation (LPE). It’s being used in advanced persistent threat (APT) campaigns targeting 64-bit versions of Windows (from Windows 7 to older builds of Windows 10).

win32k!xxxFreeWindow+0x1344 on up-to-date Windows 7 SP1 x64

The exploit we found in the wild was targeting 64-bit versions of Windows (from Windows 7 to older builds of Windows 10) and exploited the vulnerability using the well-known HMValidateHandle technique to bypass ASLR.

After a successful exploitation, the exploit executed PowerShell with a Base64 encoded command. The main aim of this command was to download a second-stage script from https//pastebin.com. The second stage PowerShell executes the final third stage, which is also a PowerShell script.

Third stage PowerShell script

The third script is very simple and does the following:

• Unpacks shellcode
• Allocates executable memory
• Copies shellcode to allocated memory
• Calls CreateThread to execute shellcode

Shellcode from PowerShell script

The main goal of the shellcode is to make a trivial HTTP reverse shell. This helps the attacker gain full control over the victim’s system.

Thankfully there is an update for this vulnerability at the Microsoft website

Details provided from SecureList

• PowerShell Script to Force Uninstall Umbrella Roaming Client
• How to Install Moodle on a Ubuntu 24.04 VPS with a Scripted Guide
• Automating System Updates with Unattended-Upgrades on Ubuntu
• How to Add a Large Disk Partition as Storage in Proxmox VE
• How to Remove Radmin Viewer with PowerShell

Patrick Domingues

See Full Bio