首页
社区
课程
招聘
[分享] (未完,挂分享保存下先)CVE-2017-0263 win32k 内核提权漏洞分析
发表于: 2023-1-24 15:59 8768

[分享] (未完,挂分享保存下先)CVE-2017-0263 win32k 内核提权漏洞分析

2023-1-24 15:59
8768

参考链接:
https://xiaodaozhi.com/exploit/71.html
漏洞出现在win32k的xxxMNEndMenuState中,存在释放后未对指针置空
图片描述
图片描述
此处贴上nt4的源码,也添加了附件,可自行查看

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
/***************************************************************************\
* MNEndMenuState
*
* This funtion must be called to clean up pMenuState after getting out
*  of menu mode. It must be called by the same thread that initialized
*  pMenuState either manually or by calling xxxMNStartMenuState.
*
* 05-20-96 GerardoB Created
\***************************************************************************/
void MNEndMenuState (BOOL fFreePopup)
{
    PTHREADINFO ptiCurrent;
    PMENUSTATE pMenuState;
 
    ptiCurrent = PtiCurrent();
    pMenuState = ptiCurrent->pMenuState;
    UserAssert(ptiCurrent->pMenuState != NULL);
    UserAssert(ptiCurrent == pMenuState->ptiMenuStateOwner);
 
    MNEndMenuStateNotify(pMenuState);
 
    if (fFreePopup) {
        UserAssert(pMenuState->pGlobalPopupMenu->fIsMenuBar || pMenuState->pGlobalPopupMenu->fDestroyed);
        MNFreePopup(pMenuState->pGlobalPopupMenu);
    } else {
        /*
         * This means that we're ending the menustate but the popup menu
         *  window is still around. This can happen when called from
         *  xxxDestroyThreadInfo.
         */
        UserAssert(pMenuState->pGlobalPopupMenu->fIsTrackPopup);
        pMenuState->pGlobalPopupMenu->fDelayedFree = FALSE;
    }
 
    if (pMenuState == &gpMenuState) {
        UserAssert(gfMenuStateInUse);
        gfMenuStateInUse = FALSE;
    } else {
        /*
         * Don't use UserFreePool so the debug code below will work right
         */
        ExFreePool(pMenuState);
    }
    ptiCurrent->pMenuState = NULL;
 
    /*
     * This menu mode is off
     */
    UserAssert(guMenuStateCount != 0);
    guMenuStateCount--;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
VOID MNFreePopup(
    PPOPUPMENU ppopupmenu)
{
    PMENU pmenu;
    PMENU pmenuSys;
 
    if (IsRootPopupMenu(ppopupmenu)) {
        MNFlushDestroyedPopups (ppopupmenu, TRUE);
    }
 
    /*
     * This app is finished using the global system menu: unlock any objects
     * it is using!
     *
     * NOTE: This global system menu thing doesn't work: two apps can use
     *       it at the same time: which would be a disasterous bug!
     */
    if (ppopupmenu->spwndNotify != NULL) {
        pmenuSys = ppopupmenu->spwndNotify->head.rpdesk->spmenuSys;
        if (pmenuSys != NULL) {
            Unlock(&pmenuSys->spwndNotify);
            if ((pmenu = _GetSubMenu(pmenuSys, 0)) != NULL)
                Unlock(&pmenu->spwndNotify);
        }
 
        Unlock(&ppopupmenu->spwndNotify);
    }
 
    Unlock(&ppopupmenu->spwndPopupMenu);
 
    Unlock(&ppopupmenu->spwndNextPopup);
    Unlock(&ppopupmenu->spwndPrevPopup);
    Unlock(&ppopupmenu->spmenu);
    Unlock(&ppopupmenu->spmenuAlternate);
    Unlock(&ppopupmenu->spwndActivePopup);
 
 
    if (ppopupmenu == &gpopupMenu) {
        UserAssert(gfPopupInUse);
        gfPopupInUse = FALSE;
    } else {
        UserFreePool(ppopupmenu);
    }
}

nt4源码与win7中win32k中有部分不一样,但不影响
运行poc,触发漏洞
图片描述
图片描述


[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 1
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//