[Share] (Unfinished; posting it under Share for now to save it) CVE-2017-0263 win32k kernel privilege escalation vulnerability analysis
Posted on: 2023-1-24 15:59 9100
Reference link:
7b3K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6^5K9h3q4G2k6r3q4G2P5X3S2A6i4K6u0W2j5$3!0E0i4K6u0r3k6i4S2H3L8r3!0A6N6q4)9J5c8U0M7I4i4K6u0W2K9s2c8E0L8l9`.`.
The vulnerability is in win32k's xxxMNEndMenuState: after an object is freed, the pointer to it is not set to NULL, leaving a dangling reference.


The NT4 source is pasted here (and also attached) so you can look it over yourself.
```c
/***************************************************************************\
* MNEndMenuState
*
* This funtion must be called to clean up pMenuState after getting out
* of menu mode. It must be called by the same thread that initialized
* pMenuState either manually or by calling xxxMNStartMenuState.
*
* 05-20-96 GerardoB Created
\***************************************************************************/
void MNEndMenuState (BOOL fFreePopup)
{
    PTHREADINFO ptiCurrent;
    PMENUSTATE pMenuState;

    ptiCurrent = PtiCurrent();
    pMenuState = ptiCurrent->pMenuState;
    UserAssert(ptiCurrent->pMenuState != NULL);
    UserAssert(ptiCurrent == pMenuState->ptiMenuStateOwner);

    MNEndMenuStateNotify(pMenuState);

    if (fFreePopup) {
        UserAssert(pMenuState->pGlobalPopupMenu->fIsMenuBar
                || pMenuState->pGlobalPopupMenu->fDestroyed);
        MNFreePopup(pMenuState->pGlobalPopupMenu);
    } else {
        /*
         * This means that we're ending the menustate but the popup menu
         * window is still around. This can happen when called from
         * xxxDestroyThreadInfo.
         */
        UserAssert(pMenuState->pGlobalPopupMenu->fIsTrackPopup);
        pMenuState->pGlobalPopupMenu->fDelayedFree = FALSE;
    }

    if (pMenuState == &gpMenuState) {
        UserAssert(gfMenuStateInUse);
        gfMenuStateInUse = FALSE;
    } else {
        /*
         * Don't use UserFreePool so the debug code below will work right
         */
        ExFreePool(pMenuState);
    }

    ptiCurrent->pMenuState = NULL;

    /*
     * This menu mode is off
     */
    UserAssert(guMenuStateCount != 0);
    guMenuStateCount--;
}
```
```c
VOID MNFreePopup(
    PPOPUPMENU ppopupmenu)
{
    PMENU pmenu;
    PMENU pmenuSys;

    if (IsRootPopupMenu(ppopupmenu)) {
        MNFlushDestroyedPopups (ppopupmenu, TRUE);
    }

    /*
     * This app is finished using the global system menu: unlock any objects
     * it is using!
     *
     * NOTE: This global system menu thing doesn't work: two apps can use
     * it at the same time: which would be a disasterous bug!
     */
    if (ppopupmenu->spwndNotify != NULL) {
        pmenuSys = ppopupmenu->spwndNotify->head.rpdesk->spmenuSys;
        if (pmenuSys != NULL) {
            Unlock(&pmenuSys->spwndNotify);
            if ((pmenu = _GetSubMenu(pmenuSys, 0)) != NULL)
                Unlock(&pmenu->spwndNotify);
        }
        Unlock(&ppopupmenu->spwndNotify);
    }

    Unlock(&ppopupmenu->spwndPopupMenu);
    Unlock(&ppopupmenu->spwndNextPopup);
    Unlock(&ppopupmenu->spwndPrevPopup);
    Unlock(&ppopupmenu->spmenu);
    Unlock(&ppopupmenu->spmenuAlternate);
    Unlock(&ppopupmenu->spwndActivePopup);

    if (ppopupmenu == &gpopupMenu) {
        UserAssert(gfPopupInUse);
        gfPopupInUse = FALSE;
    } else {
        UserFreePool(ppopupmenu);
    }
}
```
The NT4 source differs in places from win32k in Windows 7, but that does not affect the analysis.
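As an added illustration (not part of this post and not win32k code), the "freed but not nulled" defect described above is reduced to a self-contained C model: an owner struct that holds a pointer to a sub-object, a cleanup routine that releases the sub-object, and a later consumer that looks at the owner again. The types (`menu_state_t`, `popup_menu_t`), the pool allocator (`popup_alloc`, `popup_free`, `popup_is_live`) and the function names are assumptions chosen for the example; the pool marks and poisons freed slots so that a stale pointer is reported rather than dereferenced, which is also how a debug pool would surface this class of bug.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the objects named in the post (a MENUSTATE that
 * owns a POPUPMENU through pGlobalPopupMenu); not the real structures. */
typedef struct popup_menu {
    bool destroyed;               /* stands in for fDestroyed */
} popup_menu_t;

typedef struct menu_state {
    popup_menu_t *global_popup;   /* stands in for pGlobalPopupMenu */
} menu_state_t;

/* Hypothetical pool allocator: remembers which slots are live and poisons
 * freed ones, so a stale pointer can be recognised without touching memory
 * that was really returned to the heap. */
enum { POOL_SLOTS = 4 };
static popup_menu_t pool[POOL_SLOTS];
static bool pool_live[POOL_SLOTS];

static popup_menu_t *popup_alloc(void)
{
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool_live[i]) {
            pool_live[i] = true;
            memset(&pool[i], 0, sizeof pool[i]);
            return &pool[i];
        }
    }
    return NULL;
}

static void popup_free(popup_menu_t *p)
{
    pool_live[p - pool] = false;
    memset(p, 0xCC, sizeof *p);   /* poison the slot, as a debug pool would */
}

static bool popup_is_live(const popup_menu_t *p)
{
    ptrdiff_t i = p - pool;
    return i >= 0 && i < POOL_SLOTS && pool_live[i];
}

/* Vulnerable shape: the owned object is released but the owner keeps the
 * pointer, the same "freed but not nulled" defect the post describes. */
static void end_menu_state_vulnerable(menu_state_t *st)
{
    popup_free(st->global_popup);
    /* missing: st->global_popup = NULL; */
}

/* Hardened shape: detach the pointer from the owner before releasing, so
 * code that looks at the owner afterwards sees "no popup", not a dangling
 * reference. */
static void end_menu_state_fixed(menu_state_t *st)
{
    popup_menu_t *p = st->global_popup;
    st->global_popup = NULL;
    popup_free(p);
}

/* A later consumer of the state, e.g. a callback that runs after cleanup.
 * Returns 1 if it touched a live popup, 0 if there was none to touch,
 * -1 if it would have used a freed one. */
static int touch_popup(menu_state_t *st)
{
    if (st->global_popup == NULL)
        return 0;
    if (!popup_is_live(st->global_popup))
        return -1;
    st->global_popup->destroyed = true;
    return 1;
}

/* Runs one cleanup-then-use sequence; fixed selects the hardened path. */
int run_scenario(bool fixed)
{
    memset(pool_live, 0, sizeof pool_live);
    menu_state_t st = { popup_alloc() };

    if (fixed)
        end_menu_state_fixed(&st);
    else
        end_menu_state_vulnerable(&st);

    return touch_popup(&st);
}

int main(void)
{
    printf("vulnerable cleanup, later use: %d\n", run_scenario(false)); /* -1 */
    printf("fixed cleanup, later use:      %d\n", run_scenario(true));  /*  0 */
    return 0;
}
```

The point of the model is the ordering in `end_menu_state_fixed`: the owner gives up the pointer before the object is released, so anything that re-enters the owner between the free and the end of cleanup (the window a kernel callback to user mode opens up) finds NULL instead of a stale address. Compare that with the NT4 `MNEndMenuState` above, which nulls `ptiCurrent->pMenuState` only at the very end and never clears `pGlobalPopupMenu` after `MNFreePopup`.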
Run the PoC to trigger the vulnerability.

