C:\>whoami
q-test\qever
C:\>poc
C:\>whoami
nt authority\system
// Kernel-debugger stack walks taken after the PoC ran. The faulting EIP is far below 0x80000000,
// i.e. in the user-mode address range, while the stack (0x92639dxx) is a kernel stack:
// ring-0 execution has been redirected to an address the unprivileged process controls.
kd> k
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
00000000 00000000 0x3d0000 // no module owns this IP, so the unwinder cannot build a frame
kd> k
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
92639d14 994bb8d0 0x3d0096 // kernel stack, user-range IP: presumably the PoC payload, reached via a corrupted return address
92639d28 83c7f42a win32k!GreEnableEUDC+0x7c // = return site of the 5-byte call at GreEnableEUDC+0x77 (see call chain below)
92639d28 772964f4 nt!KiFastCallEntry+0x12a // system-call dispatcher: the vulnerable path is reachable from a user-mode win32k service
// Call chain from the system-call dispatcher to the faulting instruction. Note: several
// "symbol+offset" names here are the nearest public export, not the real function
// (e.g. bAppendSysDirectory+0x209 starts with its own function prologue, see listing below).
win32k!GreEnableEUDC+0x77 : call win32k!BuildAndLoadLinkedFontRoutine+0xeb
win32k!BuildAndLoadLinkedFontRoutine+0x19d : call win32k!bAppendSysDirectory+0x209
win32k!bAppendSysDirectory+0x334 : ret 8 // faults here: the return address on the stack has been overwritten
nt!KiFastCallEntry+0x128 : call ebx (win32k!GreEnableEUDC) // full chain, dispatcher -> overflow -> fault
win32k!GreEnableEUDC+0x77 : call win32k!BuildAndLoadLinkedFontRoutine+0xeb
win32k!BuildAndLoadLinkedFontRoutine+0x19d : call win32k!bAppendSysDirectory+0x209
win32k!bAppendSysDirectory+0x2de : call dword ptr [win32k!_imp__RtlQueryRegistryValues (9972f104)] // the query whose EntryContext is a stack structure (see below)
nt!RtlQueryRegistryValues+0x318 : call nt!RtlpCallQueryRegistryRoutine (83e2ab81)
nt!RtlpCallQueryRegistryRoutine+0x290 : call nt!RtlpQueryRegistryDirect (83e33997) // RTL_QUERY_REGISTRY_DIRECT path
nt!RtlpQueryRegistryDirect+3D : call nt!memcpy (83c797a0) // overflow: registry value data is copied into the caller's stack EntryContext, length taken from the value
win32k!bAppendSysDirectory+0x334 : ret 8 // faults here, on return from the function whose frame was overwritten
// Excerpt of win32k!GreEnableEUDC: the two arguments to the next function are both 1.
win32k!GreEnableEUDC+0x37:
9956b88b 33f6 xor esi,esi // esi = 0
9956b88d 46 inc esi // esi = 1
……
win32k!GreEnableEUDC+0x75:
9956b8c9 56 push esi // second argument = 1
9956b8ca 56 push esi // first argument = 1
9956b8cb e8b8faffff call win32k!BuildAndLoadLinkedFontRoutine+0xeb (9956b388) // return address = GreEnableEUDC+0x7c (matches the kd stack above)
// Excerpt of the caller: allocates a 0x208-byte buffer through MALLOCOBJ and hands it, together
// with the count 0x104 (260 = MAX_PATH), to the function that performs the registry query.
995cb393 be08020000 mov esi,208h // allocation size, 0x208 bytes (0x104 WCHARs)
995cb398 56 push esi
995cb399 8d4dfc lea ecx,[ebp-4] // this = local MALLOCOBJ at [ebp-4]
995cb39c e8a6030000 call win32k!MALLOCOBJ::MALLOCOBJ (995cb747) // construct MALLOCOBJ (RAII allocation wrapper; presumably allocates the 0x208-byte pool buffer)
……
995cb3aa 8b5dfc mov ebx,dword ptr [ebp-4] // ebx = buffer pointer held by the MALLOCOBJ
……
995cb434 6804010000 push 104h // 0x104 = 260 (MAX_PATH); presumably a character count — TODO confirm
995cb439 53 push ebx // the buffer
995cb43a e8a0050000 call win32k!bAppendSysDirectory+0x209 (995cb9df) // a distinct function (own prologue below); symbol name is the nearest export
// The vulnerable function. It builds a per-user registry path, then calls
// RtlQueryRegistryValues with a query table whose EntryContext is a UNICODE_STRING that
// lives on THIS function's stack frame, with the RTL_QUERY_REGISTRY_DIRECT flag set.
// Frame layout visible below: [ebp-4]/[ebp-0Ch] MALLOCOBJs, [ebp-8] status,
// [ebp-10h]/[ebp-14h]/[ebp-18h] helper out-params, [ebp-20h] UNICODE_STRING {Length, MaximumLength, Buffer}.
win32k!bAppendSysDirectory+0x209: // real function entry (hotpatch prologue follows); the symbol name is only the nearest export
9955b9df 8bff mov edi,edi // hotpatch prologue
9955b9e1 55 push ebp
9955b9e2 8bec mov ebp,esp
9955b9e4 83ec20 sub esp,20h // 0x20 bytes of locals
9955b9e7 53 push ebx // save callee-saved registers
9955b9e8 56 push esi
9955b9e9 57 push edi
9955b9ea be08020000 mov esi,208h // 0x208 bytes per temporary buffer
9955b9ef 56 push esi
9955b9f0 8d4df4 lea ecx,[ebp-0Ch] // this = MALLOCOBJ at [ebp-0Ch] (first buffer: UNICODE_STRING.Buffer below)
9955b9f3 e84ffdffff call win32k!MALLOCOBJ::MALLOCOBJ (9955b747)
9955b9f8 56 push esi
9955b9f9 8d4dfc lea ecx,[ebp-4] // this = MALLOCOBJ at [ebp-4] (second buffer: receives the registry path)
9955b9fc e846fdffff call win32k!MALLOCOBJ::MALLOCOBJ (9955b747)
9955ba01 8b4df4 mov ecx,dword ptr [ebp-0Ch] // ecx = first buffer
9955ba04 33f6 xor esi,esi // esi = 0; reused as the NULL/zero constant for the rest of the function
9955ba06 3bce cmp ecx,esi // allocation failure check: bail out if either buffer is NULL
9955ba08 0f84e6000000 je win32k!bAppendSysDirectory+0x31e (9955baf4)
win32k!bAppendSysDirectory+0x238:
9955ba0e 8b7dfc mov edi,dword ptr [ebp-4] // edi = second buffer
9955ba11 3bfe cmp edi,esi
9955ba13 0f84db000000 je win32k!bAppendSysDirectory+0x31e (9955baf4)
win32k!bAppendSysDirectory+0x243:
9955ba19 33c0 xor eax,eax
9955ba1b 8975f0 mov dword ptr [ebp-10h],esi // zero the out-params passed to the helper below
9955ba1e 8975ec mov dword ptr [ebp-14h],esi
9955ba21 668901 mov word ptr [ecx],ax // empty-terminate the first buffer
9955ba24 668907 mov word ptr [edi],ax // empty-terminate the second buffer
9955ba27 668945e0 mov word ptr [ebp-20h],ax // UNICODE_STRING.Length = 0
9955ba2b b804010000 mov eax,104h
9955ba30 50 push eax // arg: 0x104
9955ba31 8bd0 mov edx,eax
9955ba33 57 push edi // arg: destination for the path
9955ba34 8975e8 mov dword ptr [ebp-18h],esi
9955ba37 668955e2 mov word ptr [ebp-1Eh],dx // UNICODE_STRING.MaximumLength = 0x104 (below the 0x208-byte allocation, so a REG_SZ result cannot overrun the heap buffer)
9955ba3b 894de4 mov dword ptr [ebp-1Ch],ecx // UNICODE_STRING.Buffer = first buffer
9955ba3e e8d7feffff call win32k!GrePolyPolyline+0xa2 (9955b91a) // builds the registry path into edi, here "\REGISTRY\USER\S-1-5-18\EUDC\936" (symbol name is the nearest export)
9955ba43 3bc6 cmp eax,esi
9955ba45 8945f8 mov dword ptr [ebp-8],eax // [ebp-8] = status
9955ba48 7c7c jl win32k!bAppendSysDirectory+0x2f0 (9955bac6) // negative status -> skip the query
win32k!bAppendSysDirectory+0x274:
9955ba4a 8d45e8 lea eax,[ebp-18h]
9955ba4d 50 push eax
9955ba4e 8d45ec lea eax,[ebp-14h]
9955ba51 50 push eax
9955ba52 8d45f0 lea eax,[ebp-10h]
9955ba55 50 push eax
9955ba56 57 push edi // helper(path, &[ebp-10h], &[ebp-14h], &[ebp-18h]); purpose not visible in this excerpt — symbol name is the nearest export
9955ba57 e850010000 call win32k!AutoResource<&ExFreePool>::~AutoResource<&ExFreePool>+0x177 (9955bbac)
9955ba5c 85c0 test eax,eax // helper returned 0 -> skip the query
9955ba5e 745f je win32k!bAppendSysDirectory+0x2e9 (9955babf)
win32k!bAppendSysDirectory+0x28a:
9955ba60 3975e8 cmp dword ptr [ebp-18h],esi // third out-param still 0 -> skip the query
9955ba63 745a je win32k!bAppendSysDirectory+0x2e9 (9955babf)
win32k!bAppendSysDirectory+0x28f:
9955ba65 56 push esi // Environment = NULL
9955ba66 56 push esi // Context = NULL
9955ba67 68e0887599 push offset win32k!SharedQueryTable (997588e0) // QueryTable (a global, written in place below; no lock visible in this excerpt)
9955ba6c 57 push edi // Path = "\REGISTRY\USER\S-1-5-18\EUDC\936": a key under the user hive, so its values are attacker-controlled
9955ba6d 8d45e0 lea eax,[ebp-20h] // eax = &stack UNICODE_STRING
9955ba70 56 push esi // RelativeTo = 0 (RTL_REGISTRY_ABSOLUTE)
9955ba71 8935e0887599 mov dword ptr [win32k!SharedQueryTable (997588e0)],esi // [0].QueryRoutine = NULL
9955ba77 c705e488759924000000 mov dword ptr [win32k!SharedQueryTable+0x4 (997588e4)],24h // [0].Flags = 0x24 = RTL_QUERY_REGISTRY_DIRECT (0x20) | RTL_QUERY_REGISTRY_REQUIRED (0x04)
9955ba81 c705e888759964a67399 mov dword ptr [win32k!SharedQueryTable+0x8 (997588e8)],offset win32k!`string' (9973a664) // [0].Name = L"SystemDefaultEUDCFont"
9955ba8b a3ec887599 mov dword ptr [win32k!SharedQueryTable+0xc (997588ec)],eax // [0].EntryContext = &stack UNICODE_STRING. ROOT CAUSE: with RTL_QUERY_REGISTRY_DIRECT the callee chooses how to fill EntryContext from the TYPE of the value it finds; for a string type it honours MaximumLength, but for a non-string type (e.g. REG_BINARY — TODO confirm with the PoC) the raw data is memcpy'd into this 8-byte stack structure with the length stored in the registry, overwriting the saved registers and return address (the ret 8 fault above)
9955ba90 8935f0887599 mov dword ptr [win32k!SharedQueryTable+0x10 (997588f0)],esi // [0].DefaultType = REG_NONE
9955ba96 8935f4887599 mov dword ptr [win32k!SharedQueryTable+0x14 (997588f4)],esi // [0].DefaultData = NULL
9955ba9c 8935f8887599 mov dword ptr [win32k!SharedQueryTable+0x18 (997588f8)],esi // [0].DefaultLength = 0
9955baa2 8935fc887599 mov dword ptr [win32k!SharedQueryTable+0x1c (997588fc)],esi // [1] = zeroed terminator entry
9955baa8 893500897599 mov dword ptr [win32k!SharedQueryTable+0x20 (99758900)],esi
9955baae 893504897599 mov dword ptr [win32k!SharedQueryTable+0x24 (99758904)],esi
9955bab4 ff1504f17299 call dword ptr [win32k!_imp__RtlQueryRegistryValues (9972f104)] // the memcpy in nt!RtlpQueryRegistryDirect reached from here is the overflow; a value the user can write must not be queried DIRECT into a fixed-size stack object without a type check
// Public prototype of the callee invoked above. At this call site:
// RelativeTo = 0 (RTL_REGISTRY_ABSOLUTE), Path = "\REGISTRY\USER\S-1-5-18\EUDC\936"
// (a key under the user hive; presumably the calling user's SID in general — TODO confirm),
// QueryTable = win32k!SharedQueryTable, Context = Environment = NULL.
// Security note: with RTL_QUERY_REGISTRY_DIRECT in an entry's Flags, the routine decides how
// to interpret that entry's EntryContext from the type of the registry value it finds, not
// from anything the caller states. When the value is attacker-writable, EntryContext must
// not be a fixed-size stack object; newer WDKs add RTL_QUERY_REGISTRY_TYPECHECK for
// exactly this case (availability depends on the target OS — verify).
NTSTATUS
RtlQueryRegistryValues(
IN ULONG RelativeTo, // RTL_REGISTRY_* base selector (0 = absolute path here)
IN PCWSTR Path, // registry path; here built from the user hive, i.e. attacker-influenced contents
IN PRTL_QUERY_REGISTRY_TABLE QueryTable, // zero-terminated table; entry[0] here has Flags 0x24 and EntryContext on the caller's stack
IN PVOID Context, // unused here (NULL)
IN PVOID Environment OPTIONAL // unused here (NULL)
);