-
-
[分享] (未完,挂分享保存下先)CVE-2017-0263 win32k 内核提权漏洞分析
-
发表于: 2023-1-24 15:59
-
参考链接:
https://xiaodaozhi.com/exploit/71.html
漏洞出现在win32k的xxxMNEndMenuState中,存在释放后未对指针置空
此处贴上nt4的源码,也添加了附件,可自行查看
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 | /***************************************************************************\* MNEndMenuState** This funtion must be called to clean up pMenuState after getting out* of menu mode. It must be called by the same thread that initialized* pMenuState either manually or by calling xxxMNStartMenuState.** 05-20-96 GerardoB Created\***************************************************************************/void MNEndMenuState (BOOL fFreePopup){ PTHREADINFO ptiCurrent; PMENUSTATE pMenuState; ptiCurrent = PtiCurrent(); pMenuState = ptiCurrent->pMenuState; UserAssert(ptiCurrent->pMenuState != NULL); UserAssert(ptiCurrent == pMenuState->ptiMenuStateOwner); MNEndMenuStateNotify(pMenuState); if (fFreePopup) { UserAssert(pMenuState->pGlobalPopupMenu->fIsMenuBar || pMenuState->pGlobalPopupMenu->fDestroyed); MNFreePopup(pMenuState->pGlobalPopupMenu); } else { /* * This means that we're ending the menustate but the popup menu * window is still around. This can happen when called from * xxxDestroyThreadInfo. */ UserAssert(pMenuState->pGlobalPopupMenu->fIsTrackPopup); pMenuState->pGlobalPopupMenu->fDelayedFree = FALSE; } if (pMenuState == &gpMenuState) { UserAssert(gfMenuStateInUse); gfMenuStateInUse = FALSE; } else { /* * Don't use UserFreePool so the debug code below will work right */ ExFreePool(pMenuState); } ptiCurrent->pMenuState = NULL; /* * This menu mode is off */ UserAssert(guMenuStateCount != 0); guMenuStateCount--;} |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 | VOID MNFreePopup( PPOPUPMENU ppopupmenu){ PMENU pmenu; PMENU pmenuSys; if (IsRootPopupMenu(ppopupmenu)) { MNFlushDestroyedPopups (ppopupmenu, TRUE); } /* * This app is finished using the global system menu: unlock any objects * it is using! * * NOTE: This global system menu thing doesn't work: two apps can use * it at the same time: which would be a disasterous bug! */ if (ppopupmenu->spwndNotify != NULL) { pmenuSys = ppopupmenu->spwndNotify->head.rpdesk->spmenuSys; if (pmenuSys != NULL) { Unlock(&pmenuSys->spwndNotify); if ((pmenu = _GetSubMenu(pmenuSys, 0)) != NULL) Unlock(&pmenu->spwndNotify); } Unlock(&ppopupmenu->spwndNotify); } Unlock(&ppopupmenu->spwndPopupMenu); Unlock(&ppopupmenu->spwndNextPopup); Unlock(&ppopupmenu->spwndPrevPopup); Unlock(&ppopupmenu->spmenu); Unlock(&ppopupmenu->spmenuAlternate); Unlock(&ppopupmenu->spwndActivePopup); if (ppopupmenu == &gpopupMenu) { UserAssert(gfPopupInUse); gfPopupInUse = FALSE; } else { UserFreePool(ppopupmenu); }} |
nt4源码与win7中win32k中有部分不一样,但不影响
运行poc,触发漏洞
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
