Microsoft Windows Kernel 整数截断本地权限提升漏洞
http://sebug.net/vulndb/20361/

上面的代码在 VS2008 下能直接编译,用 VC6.0 编译则会报一大堆错误。下面了解一下触发原因及汇编形态:

IOCTL_WMI_TRACE_MESSAGE: D:/Windows驱动开发/系统源码/wrk/wrk-v1.2/wrk/wrk/base/ntos/wmi/wmi.c

case IOCTL_WMI_TRACE_MESSAGE:
{
    // NOTE: This relies on WmiTraceUserMessage to probe the buffer!
    OutBufferLen = 0;
    if ( InBufferLen < sizeof(MESSAGE_TRACE_USER) ) {
        Status = STATUS_UNSUCCESSFUL;
        break;
    }
    Status = WmiTraceUserMessage(
        (PMESSAGE_TRACE_USER) irpStack->Parameters.DeviceIoControl.Type3InputBuffer,
        InBufferLen );
    break;
}

注意:这里只检查了 InBufferLen 的下限(不小于 sizeof(MESSAGE_TRACE_USER)),没有检查上限;按照代码中的 NOTE,用户缓冲区的探测完全依赖 WmiTraceUserMessage,因此长度是否合法只能由它及其后续调用来保证。

dump:

WRITE_ADDRESS: e11a6000 Paged pool
FAULTING_IP:
nt!WmiTraceMessageVa+25e
80531d10 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
MM_INTERNAL_CODE: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: kernel.exe
TRAP_FRAME: ee8aaad8 -- (.trap 0xffffffffee8aaad8)
ErrCode = 00000002
eax=00010ff0 ebx=e11a405c ecx=00003c13 edx=00010ff0 esi=005a2038 edi=e11a6000
eip=80531d10 esp=ee8aab4c ebp=ee8aabd4 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!WmiTraceMessageVa+0x25e:
80531d10 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope
LAST_CONTROL_TRANSFER: from 804f8b27 to 8052816c
STACK_TEXT:
ee8aa614 804f8b27 00000003 e11a6000 00000000 nt!RtlpBreakWithStatusInstruction
ee8aa660 804f9714 00000003 00000000 c0708d30 nt!KiBugCheckDebugBreak+0x19
ee8aaa40 804f9c3f 00000050 e11a6000 00000001 nt!KeBugCheck2+0x574
ee8aaa60 8051d22b 00000050 e11a6000 00000001 nt!KeBugCheckEx+0x1b
ee8aaac0 80540aac 00000001 e11a6000 00000000 nt!MmAccessFault+0x8e7
ee8aaac0 80531d10 00000001 e11a6000 00000000 nt!KiTrap0E+0xcc
ee8aabd4 80531da9 12340002 c0dec0de c0c0dede nt!WmiTraceMessageVa+0x25e
ee8aabf4 8065ba1b 12340002 c0dec0de c0c0dede nt!WmiTraceMessage+0x1d
ee8aac48 805fb391 ee8aad00 80575b3b 8621e4f0 nt!WmiTraceUserMessage+0x59
ee8aac50 80575b3b 8621e4f0 00000001 005a0068 nt!WmipFastIoDeviceControl+0x43
ee8aad00 8056e81e 00000038 00000000 00000000 nt!IopXxxControlFile+0x261
ee8aad34 8053dbc8 00000038 00000000 00000000 nt!NtDeviceIoControlFile+0x2a ee8aad34 7c92eb94 00000038 00000000 00000000 nt!KiFastCallEntry+0xf8 0012fc8c 7c92d8ef 7c801671 00000038 00000000 ntdll!KiFastSystemCallRet 0012fc90 7c801671 00000038 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc 0012fcf0 0042dff8 00000038 002280a3 005a0068 kernel32!DeviceIoControl+0xdd 0012fe88 0042d757 00000038 0007da50 7c92e1fe kernel!trigger+0x1e8 [e:/myprojects/???′2aê?/kernel/kernel.cpp @ 248] 0012ff6c 0042eff7 00000001 003c2f50 003c2fc0 kernel!main+0x67 [e:/myprojects/???′2aê?/kernel/kernel.cpp @ 96] 0012ffb8 0042eecf 0012fff0 7c816ff7 0007da50 kernel!__tmainCRTStartup+0x117 [f:/dd/vctools/crt_bld/self_x86/crt/src/crt0.c @ 266] 0012ffc0 7c816ff7 0007da50 7c92e1fe 7ffdd000 kernel!mainCRTStartup+0xf [f:/dd/vctools/crt_bld/self_x86/crt/src/crt0.c @ 182] 0012fff0 00000000 0042bbbd 00000000 78746341 kernel32!BaseProcessStart+0x23 STACK_COMMAND: kb FOLLOWUP_IP: nt!WmiTraceMessageVa+25e 80531d10 f3a5 rep movs dword ptr es:[edi],dword ptr [esi] SYMBOL_STACK_INDEX: 6 SYMBOL_NAME: nt!WmiTraceMessageVa+25e FOLLOWUP_NAME: MachineOwner MODULE_NAME: nt IMAGE_NAME: ntkrnlpa.exe DEBUG_FLR_IMAGE_TIMESTAMP: 45e54849 FAILURE_BUCKET_ID: 0x50_nt!WmiTraceMessageVa+25e BUCKET_ID: 0x50_nt!WmiTraceMessageVa+25e Followup: MachineOwner --------- kd> .trap 0xffffffffee8aaad8 ErrCode = 00000002 eax=00010ff0 ebx=e11a405c ecx=00003c13 edx=00010ff0 esi=005a2038 edi=e11a6000 eip=80531d10 esp=ee8aab4c ebp=ee8aabd4 iopl=0 nv up ei pl nz na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206 nt!WmiTraceMessageVa+0x25e: 80531d10 f3a5 rep movs dword ptr es:[edi],dword ptr [esi] kd> dd 005a2038 005a2038 41414141 41414141 41414141 41414141 005a2048 41414141 41414141 41414141 41414141 005a2058 41414141 41414141 41414141 41414141 005a2068 41414141 41414141 41414141 41414141 005a2078 41414141 41414141 41414141 41414141 005a2088 41414141 41414141 41414141 41414141 005a2098 41414141 41414141 41414141 41414141 
005a20a8 41414141 41414141 41414141 41414141
kd> dd e11a6000
e11a6000 ???????? ???????? ???????? ????????
e11a6010 ???????? ???????? ???????? ????????
e11a6020 ???????? ???????? ???????? ????????
e11a6030 ???????? ???????? ???????? ????????
e11a6040 ???????? ???????? ???????? ????????
e11a6050 ???????? ???????? ???????? ????????
e11a6060 ???????? ???????? ???????? ????????

用 IDA 反汇编 ntkrnlpa.exe 中的 WmiTraceMessageVa(下文中的寄存器值和长度均为十六进制):

.....
.text:00459B5E mov esi, ebx //EBX=MessageGuid
.text:00459B60 shr esi, 2
.text:00459B63 and esi, 8
.text:00459B66 add esi, [ebp+var_28]
.text:00459B69 add esi, eax
.text:00459B6B add esi, [ebp+totalsize] //totalsize就是传进来的Message.DataSize
.text:00459B6E mov [ebp+var_60], esi

此时 esi=0x11014。

(注:从 shr esi, 2 / and esi, 8 的形态看,这里的 ebx 更像是 MessageFlags,对应下面 C 代码中 TRACE_MESSAGE_SYSTEMINFO 一项的 2 * sizeof(ULONG),而不是 MessageGuid,待确认。)

上面汇编代码对应的 C 代码见 wrk 中 traceapi.C 的 WmiTraceMessageVa:

size = (USHORT) ((MessageFlags&TRACE_MESSAGE_SEQUENCE ? sizeof(ULONG):0) +
                 (MessageFlags&TRACE_MESSAGE_GUID ? sizeof(GUID):0) +
                 (MessageFlags&TRACE_MESSAGE_COMPONENTID ? sizeof(ULONG):0) +
                 (MessageFlags&(TRACE_MESSAGE_TIMESTAMP | TRACE_MESSAGE_PERFORMANCE_TIMESTAMP) ? sizeof(LARGE_INTEGER):0) +
                 (MessageFlags&TRACE_MESSAGE_SYSTEMINFO ? 2 * sizeof(ULONG):0) +
                 sizeof (MESSAGE_TRACE_HEADER) +
                 dataBytes);

wrk 中的注释:
// We can ONLY log 64K (USHORT) data for a message. If the message is going
// to be larger than we could log, fail it.
只支持 64KB 的消息数据。

......

下面分配内存:

.text:00459BF8 lea eax, [ebp+var_1C]
.text:00459BFB push eax
.text:00459BFC movzx edx, si ; 整数截断 esi=11014 edx=1014; 后面拷贝用的还是原来的totalsize=10ff0 漏洞触发点
.text:00459BFF call @WmipReserveTraceBuffer@12 ; WmipReserveTraceBuffer(x,x,x) 只分配了1014字节大小的内存.

....

下面开始拷贝:

.text:00459CFB mov [ebp+var_7C], eax ; eax=00010ff0
.text:00459CFE test eax, eax
.text:00459D00 jle short loc_459CDC
.text:00459D02 cmp [ebp+totalsize], eax ; [EBP-2C]=00010ff0
.text:00459D05 jl short loc_459D23
.text:00459D07 mov ecx, eax
.text:00459D09 mov edi, ebx ;
.text:00459D0B mov edx, ecx
.text:00459D0D shr ecx, 2
.text:00459D10 rep movsd //按10ff0拷贝

整数截断很容易发生,值得引起注意。这里的根本原因是:各部分长度之和先被强制转换为 USHORT(0x11014 截断为 0x1014)再用于分配缓冲区,而拷贝时使用的仍是未截断的数据长度(0x10ff0),于是写越界到分配的缓冲区之外。因此对 64KB 上限的检查必须在转换为 USHORT 之前、针对未截断的 32 位长度之和进行,超过 0xFFFF 时直接返回失败。

How to exploit? I don't know!