Blog about RE/VR/ED from a human being who is bad at giving up

Win32k that we lost. A detailed writeup about CVE-2023-29336


Introduction

Originally this article was written almost two years ago, and now I have finally found some time to translate it and publish it properly. Enjoy this story of exploiting Win32k at a time when it still didn’t have a garbage collector — and who knows, maybe by the time you’re reading this, Win32k has finally been rewritten in Rust. This exploit wouldn’t be possible without the article by NumenCyber, which provided key insights into the menu layout needed to build a reliable trigger. All experiments were done on a fairly old Windows 10 1607 build, 10.0.14393.5850 amd64.
