[分享] (未完,挂分享保存下先)CVE-2017-0263 win32k 内核提权漏洞分析
发表于: 2023-1-24 15:59 8739
参考链接:
https://xiaodaozhi.com/exploit/71.html
漏洞出现在 win32k 的 xxxMNEndMenuState 中:函数释放弹出菜单对象后,没有把指向它的指针(对应下方源码中的 pMenuState->pGlobalPopupMenu)置空,留下悬空指针;该指针一旦被再次使用,就构成释放后重用(UAF)。
此处贴上nt4的源码,也添加了附件,可自行查看
/***************************************************************************\
* MNEndMenuState
*
* This function must be called to clean up pMenuState after getting out
*  of menu mode. It must be called by the same thread that initialized
*  pMenuState either manually or by calling xxxMNStartMenuState.
*
* Parameters:
*  fFreePopup - when TRUE, pMenuState->pGlobalPopupMenu is handed to
*               MNFreePopup; when FALSE, only its fDelayedFree flag is
*               cleared and the popup structure is left in place.
*
* NOTE(review): nothing in this function resets
*  pMenuState->pGlobalPopupMenu after MNFreePopup returns. The post this
*  listing belongs to attributes CVE-2017-0263 to that missing reset in
*  the later xxxMNEndMenuState; see the comments in the body.
*
* 05-20-96 GerardoB     Created
\***************************************************************************/
void MNEndMenuState (BOOL fFreePopup)
{
    PTHREADINFO ptiCurrent;
    PMENUSTATE pMenuState;
    ptiCurrent = PtiCurrent();
    pMenuState = ptiCurrent->pMenuState;
    /*
     * NOTE(review): UserAssert is presumably compiled in only for checked
     *  (debug) builds -- confirm. If so, none of the assertions in this
     *  function validate pMenuState or pGlobalPopupMenu at run time in a
     *  free build.
     */
    UserAssert(ptiCurrent->pMenuState != NULL);
    UserAssert(ptiCurrent == pMenuState->ptiMenuStateOwner);

    MNEndMenuStateNotify(pMenuState);

    if (fFreePopup) {
        UserAssert(pMenuState->pGlobalPopupMenu->fIsMenuBar
                    || pMenuState->pGlobalPopupMenu->fDestroyed);

        /*
         * MNFreePopup releases the popup structure (UserFreePool, or
         *  marking the global gpopupMenu as no longer in use). The
         *  pointer is passed by value, so the member keeps its old value
         *  afterwards: from here on pMenuState->pGlobalPopupMenu is stale.
         *  The usual remedy is to clear the member right after the call,
         *  e.g. pMenuState->pGlobalPopupMenu = NULL.
         */
        MNFreePopup(pMenuState->pGlobalPopupMenu);
    } else {
        /*
         * This means that we're ending the menustate but the popup menu
         *  window is still around. This can happen when called from
         *  xxxDestroyThreadInfo.
         */
        UserAssert(pMenuState->pGlobalPopupMenu->fIsTrackPopup);
        pMenuState->pGlobalPopupMenu->fDelayedFree = FALSE;
    }

    if (pMenuState == &gpMenuState) {
        /*
         * The global menu state is only marked as available again; its
         *  contents are not cleared here, so a stale pGlobalPopupMenu
         *  value stays in gpMenuState.
         */
        UserAssert(gfMenuStateInUse);
        gfMenuStateInUse = FALSE;
    } else {
        /*
         * Don't use UserFreePool so the debug code below will work right
         */
        ExFreePool(pMenuState);
    }

    /*
     * The thread's reference to the menu state is cleared here -- the
     *  reset that pGlobalPopupMenu does not get above.
     */
    ptiCurrent->pMenuState = NULL;

    /*
     * This menu mode is off
     */
    UserAssert(guMenuStateCount != 0);
    guMenuStateCount--;
}
/*
 * MNFreePopup
 *
 * Drops the window and menu references held in a popup menu structure
 *  (each spwnd / spmenu field is passed to Unlock) and then releases the
 *  structure itself: the global gpopupMenu is marked as no longer in use,
 *  any other structure is returned with UserFreePool.
 *
 * Parameters:
 *  ppopupmenu - popup menu structure to release. It is passed by value,
 *               so the caller's copy of the pointer is left unchanged;
 *               a caller that keeps that copy holds a stale pointer once
 *               this function returns.
 *
 * NOTE(review): every statement below dereferences ppopupmenu. If the
 *  function were entered again with a pointer it had already released,
 *  all of these accesses would touch freed pool memory and the final
 *  UserFreePool would release the same block twice. Callers need to
 *  clear their stored pointer after the call.
 */
VOID MNFreePopup(
    PPOPUPMENU ppopupmenu)
{
    PMENU pmenu;
    PMENU pmenuSys;

    /*
     * For a root popup, flush the popups already marked destroyed first.
     *  (What MNFlushDestroyedPopups does with them is not visible in this
     *  listing.)
     */
    if (IsRootPopupMenu(ppopupmenu)) {
        MNFlushDestroyedPopups (ppopupmenu, TRUE);
    }

    /*
     * This app is finished using the global system menu: unlock any objects
     * it is using!
     *
     * NOTE: This global system menu thing doesn't work: two apps can use
     *  it at the same time: which would be a disastrous bug!
     */
    if (ppopupmenu->spwndNotify != NULL) {
        pmenuSys = ppopupmenu->spwndNotify->head.rpdesk->spmenuSys;
        if (pmenuSys != NULL) {
            Unlock(&pmenuSys->spwndNotify);
            if ((pmenu = _GetSubMenu(pmenuSys, 0)) != NULL)
                Unlock(&pmenu->spwndNotify);
        }

        Unlock(&ppopupmenu->spwndNotify);
    }

    /*
     * Release the remaining references held by the popup structure.
     */
    Unlock(&ppopupmenu->spwndPopupMenu);
    Unlock(&ppopupmenu->spwndNextPopup);
    Unlock(&ppopupmenu->spwndPrevPopup);
    Unlock(&ppopupmenu->spmenu);
    Unlock(&ppopupmenu->spmenuAlternate);
    Unlock(&ppopupmenu->spwndActivePopup);

    /*
     * The statically allocated gpopupMenu is only flagged as free again;
     *  any other popup structure goes back to the pool.
     */
    if (ppopupmenu == &gpopupMenu) {
        UserAssert(gfPopupInUse);
        gfPopupInUse = FALSE;
    } else {
        UserFreePool(ppopupmenu);
    }
}
nt4 源码与 win7 的 win32k 实现有部分不一样(例如 nt4 中函数名为 MNEndMenuState,而不是 xxxMNEndMenuState),但不影响分析
运行poc,触发漏洞