Nvidia Display Driver Service Exploit  - idiamin
http://pastebin.com/QP7eZaJt

======
revelation
So there's a somewhat sophisticated message protocol that allows for
variable-length fields that they parse in-situ into a _fixed size_ buffer
allocated on the _stack_?

Come on, it's not the 90s anymore.

(Of course, it's useful to note that the many mitigations have made this a
difficult exploit for what is at its basis a very old mistake. And the
somewhat unique situation that the code can leak information back, which here
allowed for the bypass of stack cookies (and the virtual base, I guess?))
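
The pattern revelation describes (sender-controlled field lengths copied into a fixed-size, stack-resident buffer) and the check that removes it, as an added C example. This is not code from the thread, from the pastebin write-up, or from the Nvidia driver: the wire format (one byte field count, then big-endian u16 length plus data per field), the `struct field` layout, the sizes and all three sample messages are constructed assumptions for illustration. The checked parser validates every read against the message length and every field length against the destination size before the `memcpy`; the unchecked variant is shown only for contrast and is never called.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format (an assumption, not the driver's real protocol):
 *   u8 field_count, then field_count records of
 *   u16 big-endian length followed by that many data bytes. */
#define MAX_FIELD_LEN 32
#define MAX_FIELDS    4

struct field {
    uint16_t len;
    uint8_t  data[MAX_FIELD_LEN];   /* fixed-size buffer, lives on the caller's stack */
};

/* Length-checked parser: every index is validated against msg_len before it
 * is read, and every field length against the fixed destination size.
 * Returns the number of fields parsed, or -1 if the message is malformed. */
int parse_message_checked(const uint8_t *msg, size_t msg_len,
                          struct field *out, size_t max_fields)
{
    size_t pos = 0;
    if (msg_len < 1) return -1;
    unsigned count = msg[pos++];
    if (count > max_fields) return -1;          /* output array bound */

    for (unsigned i = 0; i < count; i++) {
        if (msg_len - pos < 2) return -1;       /* length prefix present? */
        uint16_t len = (uint16_t)((msg[pos] << 8) | msg[pos + 1]);
        pos += 2;
        if (len > MAX_FIELD_LEN) return -1;     /* would overflow out[i].data */
        if (msg_len - pos < len) return -1;     /* data bytes actually present? */
        out[i].len = len;
        memcpy(out[i].data, msg + pos, len);
        pos += len;
    }
    return (int)count;
}

/* Unchecked variant of one field, for contrast only: it trusts the sender's
 * length and copies straight into the fixed buffer, so a len larger than
 * MAX_FIELD_LEN overruns out->data on the stack. This is the "parse in-situ
 * into a fixed size buffer" mistake the comment describes. Never call it on
 * untrusted input; it is not exercised below. */
int parse_field_unchecked(const uint8_t *p, struct field *out)
{
    uint16_t len = (uint16_t)((p[0] << 8) | p[1]);
    out->len = len;
    memcpy(out->data, p + 2, len);              /* no bound check: the bug pattern */
    return 2 + len;
}

/* Constructed sample messages (not captured from any real driver). */
static const uint8_t SAMPLE_OK[] = {
    2,                          /* two fields */
    0x00, 0x03, 'a', 'b', 'c',  /* field 0: len 3 */
    0x00, 0x01, 'z'             /* field 1: len 1 */
};
/* Claims a 4096-byte field with only 3 bytes behind it. */
static const uint8_t SAMPLE_OVERSIZED[] = { 1, 0x10, 0x00, 'a', 'b', 'c' };
/* Field count says 2 but the message ends after the first field. */
static const uint8_t SAMPLE_TRUNCATED[] = { 2, 0x00, 0x03, 'a', 'b', 'c' };

/* Parses into fixed-size buffers on this function's stack frame, the same
 * placement the comment criticises, which is safe only because of the checks. */
int demo_parse(const uint8_t *msg, size_t msg_len)
{
    struct field fields[MAX_FIELDS];
    return parse_message_checked(msg, msg_len, fields, MAX_FIELDS);
}
int demo_ok(void)        { return demo_parse(SAMPLE_OK, sizeof SAMPLE_OK); }
int demo_oversized(void) { return demo_parse(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED); }
int demo_truncated(void) { return demo_parse(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED); }

int main(void)
{
    printf("well-formed: %d fields\n", demo_ok());        /* 2 */
    printf("oversized field: %d\n", demo_oversized());    /* -1 */
    printf("truncated message: %d\n", demo_truncated());  /* -1 */
    return 0;
}
```

The two rejections are distinct failures: the oversized case is caught by the destination-size check (stack overflow), the truncated case by the remaining-bytes check (over-read, the class of bug that produces the information leak discussed in the replies). Both checks use `msg_len - pos` only after confirming `pos` has not passed `msg_len`, so the subtraction cannot wrap.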

~~~
daeken
> And the somewhat unique situation that the code can leak information back,
> which here allowed for the bypass of stack cookies

Information leaks are by far the most important class of bugs in modern
exploitation. They're really common, and they generally nullify ASLR
completely. The Array.reduceRight vulnerability in Firefox is a fantastic
example of this: <https://bugzilla.mozilla.org/show_bug.cgi?id=664009> That
bug can be used to leak info about JS objects, which gives you enough
information to circumvent ASLR. The same bug also allows code execution using
that info.

------
0x0
These graphics driver exploits seem to be fairly common.

Here's an older one for Linux, which was posted some months ago:
<http://seclists.org/fulldisclosure/2012/Aug/4>

