The vulnerability exists due to a size miscalculation error in a integer division within the Windows DWM Core Library. A local user can trigger a heap-based buffer overflow in CCommandBuffer::Initialize method in dwmcore.dll and execute arbitrary code to install a Core Impact agent with user DWM with Integrity System privileges.This exploit checks if the target is supported and not patched. If the build is greater or equal than 22631.3593 it means the target is patched. Otherwise it proceeds to exploitation. It loads 3 files with random names in \Users\Public\Documents, the file names can be seen in the Module Log panel. It then performs two exploitation attempts by starting to copy these files into the mentioned public documents folder, after that the exploit will perform a Heap Spray on the DWM process to prepare the memory to finally trigger the Heap Overflow on DWMCORE.DLL Once the exploitation is successful the DWM process will load our DLL that executes our Core Impact agent.When the exploit finishes the files mentioned above will be deleted.
CVE Link
Exploit Platform
Exploit Type
Product Name