[原创]cve-2016-0051简要分析
发表于:
2016-3-8 23:24
8192
cve-2016-0051为基于webdav的windows本地提权漏洞
先大概描述一下漏洞。
漏洞是在mrxdav.sys这个驱动程序里面的mrxdav!MRxDAVDevFcbXXXControlFile函数。
在发送畸形的web请求时候,这个函数里面验证不严的话会调用这个函数MRxDAVCreateContinuation,大概是在MRxDAVCreateContinuation+0x254位置处。会造成固定地址写入固定值类型的漏洞,具体看ida的代码吧。
-----------------------------------------------------------------------------------------------------
代码片段1:
DevObj__ = *(v5 + 104);
if ( !*(pRelevantSrvOpen + 32) )
{
v21 = ExAllocatePoolWithTag(v14, 0x40ui64, 0x6F535644u);
*(pRelevantSrvOpen + 32) = v21;
if ( !v21 )
{
v8 = -1073741670;
v18 = &WPP_GLOBAL_Control;
if ( WPP_GLOBAL_Control == &WPP_GLOBAL_Control )
return v8;
if ( !_bittest(WPP_GLOBAL_Control + 11, 0xDu) )
goto LABEL_254;
LODWORD(v19) = PsGetCurrentThreadId(v17, v16);
v20 = 61i64;
goto LABEL_15;
}
memset(v21, 0, 0x40ui64);
if ( !*(*(pprx_context + 80) + 40i64) )
{
*(*(pprx_context + 80) + 40i64) = ExAllocatePoolWithTag(PagedPool, 0x820ui64, 0x6F465644u);
v100 = *(*(pprx_context + 80) + 40i64);
if ( v100 )
{
memset(v100, 0, 0x820ui64);
}
v68 = ExAllocatePoolWithTag(PagedPool, 0x40ui64, 0x69465644u);
v31 = 0;
v9 = v68;
if ( !v68 )
{
v8 = -1073741670;
v17 = &WPP_GLOBAL_Control;
if ( WPP_GLOBAL_Control != &WPP_GLOBAL_Control &&
_bittest(WPP_GLOBAL_Control + 11, 0xDu) )
{
LODWORD(v69) = PsGetCurrentThreadId(&WPP_GLOBAL_Control, v16);
WPP_SF_qd(*(WPP_GLOBAL_Control + 3), 65i64, &qword_3207580, v69);
}
goto LABEL_245;
}
memset(v68, 0, 0x40ui64);
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
上传的附件: