NTSTATUS
TriggerNullPointerDereference(
_In_ PVOID UserBuffer
)
{
ULONG UserValue
=
0
;
ULONG MagicValue
=
0xBAD0B0B0
;
NTSTATUS Status
=
STATUS_SUCCESS;
PNULL_POINTER_DEREFERENCE NullPointerDereference
=
NULL;
PAGED_CODE();
__try
{
/
/
/
/
Verify
if
the
buffer
resides
in
user mode
/
/
ProbeForRead(UserBuffer, sizeof(NULL_POINTER_DEREFERENCE), (ULONG)__alignof(UCHAR));
/
/
/
/
Allocate Pool chunk
/
/
NullPointerDereference
=
(PNULL_POINTER_DEREFERENCE)ExAllocatePoolWithTag(
NonPagedPool,
sizeof(NULL_POINTER_DEREFERENCE),
(ULONG)POOL_TAG
);
if
(!NullPointerDereference)
{
/
/
/
/
Unable to allocate Pool chunk
/
/
DbgPrint(
"[-] Unable to allocate Pool chunk\n"
);
Status
=
STATUS_NO_MEMORY;
return
Status;
}
else
{
DbgPrint(
"[+] Pool Tag: %s\n"
, STRINGIFY(POOL_TAG));
DbgPrint(
"[+] Pool Type: %s\n"
, STRINGIFY(NonPagedPool));
DbgPrint(
"[+] Pool Size: 0x%X\n"
, sizeof(NULL_POINTER_DEREFERENCE));
DbgPrint(
"[+] Pool Chunk: 0x%p\n"
, NullPointerDereference);
}
/
/
/
/
Get the value
from
user mode
/
/
UserValue
=
*
(PULONG)UserBuffer;
DbgPrint(
"[+] UserValue: 0x%p\n"
, UserValue);
DbgPrint(
"[+] NullPointerDereference: 0x%p\n"
, NullPointerDereference);
/
/
/
/
Validate the magic value
/
/
if
(UserValue
=
=
MagicValue)
{
NullPointerDereference
-
>Value
=
UserValue;
NullPointerDereference
-
>Callback
=
&NullPointerDereferenceObjectCallback;
DbgPrint(
"[+] NullPointerDereference->Value: 0x%p\n"
, NullPointerDereference
-
>Value);
DbgPrint(
"[+] NullPointerDereference->Callback: 0x%p\n"
, NullPointerDereference
-
>Callback);
}
else
{
DbgPrint(
"[+] Freeing NullPointerDereference Object\n"
);
DbgPrint(
"[+] Pool Tag: %s\n"
, STRINGIFY(POOL_TAG));
DbgPrint(
"[+] Pool Chunk: 0x%p\n"
, NullPointerDereference);
/
/
/
/
Free the allocated Pool chunk
/
/
ExFreePoolWithTag((PVOID)NullPointerDereference, (ULONG)POOL_TAG);
/
/
/
/
Set
to NULL to avoid dangling pointer
/
/
NullPointerDereference
=
NULL;
}
/
/
/
/
Secure Note: This
is
secure because the developer
is
checking
if
/
/
'NullPointerDereference'
is
not
NULL before calling the callback function
/
/
if
(NullPointerDereference)
{
NullPointerDereference
-
>Callback();
}
DbgPrint(
"[+] Triggering Null Pointer Dereference\n"
);
/
/
/
/
Vulnerability Note: This
is
a vanilla Null Pointer Dereference vulnerability
/
/
because the developer
is
not
validating
if
'NullPointerDereference'
is
NULL
/
/
before calling the callback function
/
/
NullPointerDereference
-
>Callback();
/
/
漏洞点
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
Status
=
GetExceptionCode();
DbgPrint(
"[-] Exception Code: 0x%X\n"
, Status);
}
return
Status;
}