GetSbitComponent
- One parameter is the TTF interpreter context
- Integer overflow leads to kernel pool corruption
- Corrupts the TTF interpreter context!
- This leads to full pwn at r0 (!!!), remotely
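The slide's core point is the classic size-computation overflow: a count read from the font is multiplied by a record size in 32-bit arithmetic, the product wraps, the pool allocation comes out tiny, and the loop that later trusts the original count writes past it. The C below is an added illustration of that pattern and of the check that closes it; it is not win32k code and the table layout (an 8-byte header with a big-endian component count followed by 4-byte records) is a constructed assumption, not the real EBDT/EBLC structures that GetSbitComponent walks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed layout for illustration only; it is NOT the real EBDT/EBLC
 * structures that win32k's GetSbitComponent walks. Header: flags (4 bytes)
 * + component count (4 bytes, big-endian like all TrueType fields); then
 * one 4-byte record per component. */
#define HEADER_SIZE 8u
#define COMPONENT_RECORD_SIZE 4u

/* Vulnerable pattern: 32-bit multiply with a file-controlled count. A large
 * count wraps the product, the pool/heap allocation comes out tiny, and the
 * copy loop that later trusts 'count' writes past it. */
uint32_t vulnerable_alloc_size(uint32_t component_count) {
    return HEADER_SIZE + component_count * COMPONENT_RECORD_SIZE;  /* may wrap */
}

/* Compares what the loop would write against what the (possibly wrapped)
 * allocation can hold; true means the copy overruns the buffer. */
bool copy_would_overflow(uint32_t component_count, uint32_t alloc_size) {
    uint64_t needed = HEADER_SIZE + (uint64_t)component_count * COMPONENT_RECORD_SIZE;
    return needed > alloc_size;
}

/* Hardened pattern: reject a count whose size would wrap, and bound the
 * result by the bytes actually present in the table. Returns the size to
 * allocate, or 0 (never a valid size, since HEADER_SIZE > 0) on rejection. */
uint32_t hardened_alloc_size(uint32_t component_count, size_t table_len) {
    if (component_count > (UINT32_MAX - HEADER_SIZE) / COMPONENT_RECORD_SIZE)
        return 0;  /* multiplication or addition would wrap */
    uint32_t total = HEADER_SIZE + component_count * COMPONENT_RECORD_SIZE;
    if (total > table_len)
        return 0;  /* claims more records than the table contains */
    return total;
}

/* Read a big-endian 32-bit field, as TrueType tables store them. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse a table with the hardened size check. Returns the number of
 * component records accepted, or -1 if the table is rejected. */
int parse_components_hardened(const uint8_t *table, size_t table_len) {
    if (table_len < HEADER_SIZE)
        return -1;
    uint32_t count = be32(table + 4);
    uint32_t total = hardened_alloc_size(count, table_len);
    if (total == 0)
        return -1;
    uint8_t *buf = malloc(total);
    if (buf == NULL)
        return -1;
    memcpy(buf, table, total);  /* total <= table_len and holds exactly 'count' records */
    free(buf);
    return (int)count;
}

/* Constructed sample tables. GOOD_TABLE declares 2 components and carries 2
 * records. BAD_COUNT_TABLE is the same 16 bytes but declares 0x40000002
 * components: the vulnerable size wraps to 16, the hardened check rejects it. */
const uint8_t GOOD_TABLE[16] = {
    0, 0, 0, 0,  0, 0, 0, 2,       /* flags, count = 2 */
    0, 10, 0, 0,  0, 11, 1, 1 };   /* two records */
const uint8_t BAD_COUNT_TABLE[16] = {
    0, 0, 0, 0,  0x40, 0, 0, 2,    /* flags, count = 0x40000002 */
    0, 10, 0, 0,  0, 11, 1, 1 };
```

With a count of 0x40000002 the vulnerable computation yields 0x100000008 truncated to 8, plus the header, so a 16-byte allocation for over a billion records; the hardened version rejects it both by the wrap bound and by the table length, and the same two checks are what a fuzzing harness or a font-sanitising proxy would assert on.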
Lame lame cybercriminals
- The guys behind Duqu have failed to exploit this vuln on x64 systems!
- Actually, it's real hardcore: you have to implement the ROP program in TTF assembler
- TODO: go pwn x64, crack your brain!
MS attack vectors
- TTF – good for Vista/2k8/7/8
- DOC – Duqu attack vector
- DOCX – same as DOC, but OOXML
- IE – drive-by download scenario
- LPE – no comments…
AV/HIPS vs MS
- TTF vector detection: Avast, Avira, BitDefender, BullGuard, eScan, G Data, K7, KL, Lavasoft, Rising, TrustPort, Vipre, ZoneAlarm
- LPE: FAIL, FAIL, FAIL!
- Even with MPAA info some AV FAILED to detect my PoC