-
-
[原创]WIN7 键盘布局鸡肋的本地蓝屏xx
-
发表于: 2011-11-20 23:26
-
WIN7 键盘布局鸡肋的本地蓝屏
Xp/win7同样存在这个问题(WIN7 /WIN32K.SYS 6.1.7601.17697)
这年头真不容易,据说一年全世界也就有几个能稳定利用的远程攻击漏洞(os),稳定利用的例如word flash啥的也就十几个(道听途说不知道是不是真的:)
哎太搓了你想想 就一个蓝屏它都要最长时间跑三分钟。。。而且win7的键盘布局文件必须放到system32目录下面才会加载….多么搓 多么鸡肋..伤不起:)
仅供娱乐:)哈哈
挖漏洞跟足球射门一样,你可能射很多次但是一次不进,但是你一次不射门,就会永远不进球!额,遇到乌龙球那就没办法啦呵呵
Crash: /* win7 Access violation - code c0000005 (!!! second chance !!!) win32k!ReadLayoutFile+0x62: 9566d591 8b4834 mov ecx,dword ptr [eax+34h] kd> r eax=ffffffe8 ebx=00000000 ecx=fe978b2e edx=000000e0 esi=fe4e0168 edi=00000000 eip=9566d591 esp=985ad8a0 ebp=985ad8bc iopl=0 nv up ei pl nz ac pe cy cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010217 win32k!ReadLayoutFile+0x62: 9566d591 8b4834 mov ecx,dword ptr [eax+34h] ds:0023:0000001c=???????? kd> kb ChildEBP RetAddr Args to Child 985acf5c 83d1b083 00000003 bc9827e2 00000065 nt!RtlpBreakWithStatusInstruction 985acfac 83d1bb81 00000003 985ad3b0 00000000 nt!KiBugCheckDebugBreak+0x1c 985ad370 83d1af20 0000008e c0000005 9566d591 nt!KeBugCheck2+0x68b 985ad394 83cf108c 0000008e c0000005 9566d591 nt!KeBugCheckEx+0x1e 985ad7bc 83c7add6 985ad7d8 00000000 985ad82c nt!KiDispatchException+0x1ac 985ad824 83c7ad8a 985ad8bc 9566d591 badb0d00 nt!CommonDispatchException+0x4a 985ad8bc 9566dc6a fe4e0168 80000984 00000160 nt!Kei386EoiHelper+0x192 985ad8dc 95669b7b 80000984 00000160 000001ae win32k!LoadKeyboardLayoutFile+0x70 985ad968 9567c21e 883bf4b0 80000984 08040804 win32k!xxxLoadKeyboardLayoutEx+0x1be 985ad9a4 9566a275 883bf4b0 80000984 08040804 win32k!xxxSafeLoadKeyboardLayoutEx+0x93 985add0c 83c7a1ea 00000038 00000160 000001ae win32k!NtUserLoadKeyboardLayoutEx+0x119 985add0c 777970b4 00000038 00000160 000001ae nt!KiFastCallEntry+0x12a 001ff470 0111c58c 0111c76a 00000038 00000160 ntdll!KiFastSystemCallRet WARNING: Stack unwind information not available. Following frames may be wrong. 001ff9f8 0111c956 00000000 00000000 7ffd9000 ms10_73+0x2c58c Details: WIN7 .text:BF80D538 push eax ; int .text:BF80D539 push 40000h ; int .text:BF80D53E push 40h ; int .text:BF80D540 push [ebp+start_buffer] ; FileHandle .text:BF80D543 mov [ebp+plength], ebx .text:BF80D546 mov [ebp+ppbuffer], ebx .text:BF80D549 mov [ebp+var_10], ebx .text:BF80D54C call _LoadFileContent@20 ; LoadFileContent(x,x,x,x,x) .text:BF80D551 test eax, eax .text:BF80D553 jl loc_BF80D6F1 .text:BF80D559 mov ecx, [ebp+ppbuffer] 构造堆地址+3ch处的dword =0xffffffxx 即可绕过检测,导致BSOD .text:BF80D55C mov eax, [ecx+3Ch] //需要猜测堆的地址 .text:BF80D55F add eax, ecx .text:BF80D561 cmp eax, ecx .text:BF80D563 jb loc_BF80D6F1 .text:BF80D569 mov ecx, [ebp+plength] .text:BF80D56C mov edx, [ebp+ppbuffer] .text:BF80D56F add ecx, edx .text:BF80D571 lea edx, [eax+0F8h] .text:BF80D577 mov [ebp+plength], ecx .text:BF80D57A cmp edx, ecx .text:BF80D57C jnb loc_BF80D6F1 .text:BF80D582 mov ecx, [eax+34h] ----->crash winxp .text:BF8821D7 push eax ; ViewSize .text:BF8821D8 push esi ; SectionOffset .text:BF8821D9 push esi ; CommitSize .text:BF8821DA push esi ; ZeroBits .text:BF8821DB lea eax, [ebp+BaseAddress] .text:BF8821DE push eax ; BaseAddress .text:BF8821DF push 0FFFFFFFFh ; ProcessHandle .text:BF8821E1 push [ebp+Handle] ; SectionHandle .text:BF8821E4 call ds:__imp__ZwMapViewOfSection@40 ; ZwMapViewOfSection(x,x,x,x,x,x,x,x,x,x) .text:BF8821EA test eax, eax .text:BF8821EC jl loc_BF88238A .text:BF8821F2 mov ecx, [ebp+BaseAddress] .text:BF8821F5 mov eax, [ecx+3Ch] .text:BF8821F8 add eax, ecx .text:BF8821FA movzx edx, word ptr [eax+6] -----〉crash
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
|
|
|
|
|
顶一个
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
顶顶更健康
|
|
|
|
|
|
|
|
|
|
|
|
|
