1: kd> p
win32k!ReadLayoutFile+0x123:
bf89edb7 7407 je win32k!ReadLayoutFile+0x12c (bf89edc0)
1: kd> p
win32k!ReadLayoutFile+0x125:
bf89edb9 0fb703 movzx eax,word ptr [ebx] Originally this memory range was e294b008--e294ba68; at this point the pointer has already been overwritten
1: kd> db ebx
e294a008 49 a5 1e 82 ff 03 1f 00-00 00 00 00 0c 08 00 00 I...............
e294a018 00 00 00 00 10 08 00 00-00 00 00 00 14 08 00 00 ................
e294a028 00 00 00 00 18 08 00 00-00 00 00 00 1c 08 00 00 ................
e294a038 00 00 00 00 20 08 00 00-00 00 00 00 24 08 00 00 .... .......$...
e294a048 00 00 00 00 28 08 00 00-00 00 00 00 2c 08 00 00 ....(.......,...
e294a058 00 00 00 00 30 08 00 00-00 00 00 00 34 08 00 00 ....0.......4...
e294a068 00 00 00 00 38 08 00 00-00 00 00 00 3c 08 00 00 ....8.......<...
e294a078 00 00 00 00 40 08 00 00-00 00 00 00 44 08 00 00 ....@.......D...
1: kd> .trap 0xffffffffb235689c
ErrCode = 00000000
eax=e2954551 ebx=e294a008 ecx=e294a008 edx=e294b008 esi=00000000 edi=fffff000
eip=bf89edc2 esp=b2356910 ebp=b2356944 iopl=0 nv up ei ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010292
win32k!ReadLayoutFile+0x12e:
bf89edc2 3930 cmp dword ptr [eax],esi ds:0023:e2954551=????????
I had looked at this vulnerability before.
.text:BF882230 mov edi, [ebp+arg_8_is_tainted]
.text:BF882233 sub edi, [eax+0Ch]
An oversized Section RVA here causes the pointer to the memory allocated above to be overwritten.
At the time I wrote a comment in the idb.
I didn't look carefully at the rest, because on Win7 this vulnerability requires administrator privileges, and on XP SP3 Microsoft wouldn't take it seriously either? The vulnerability isn't of much significance, so I skimmed through it and left it at that.......
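To make the Section RVA point concrete, here is an added illustration (not win32k's code and not the author's) of the arithmetic shown in the two instructions above: a 32-bit subtraction `arg - VirtualAddress` that wraps when the attacker-controlled RVA is larger than `arg`, so the adjusted buffer pointer lands before the allocation, next to a hardened form that checks the RVA before doing any pointer arithmetic. The struct reproduces the leading field offsets of IMAGE_SECTION_HEADER (VirtualAddress at +0x0C, as in `[eax+0Ch]`); the buffer length 0xA60 is taken from the e294b008..e294ba68 range on the page, while the `arg` value 0x400 and the section header contents are constructed assumptions chosen so the bad case reproduces edi = fffff000.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the first five fields of IMAGE_SECTION_HEADER; the offsets match
 * the real structure, so VirtualAddress is at +0x0C like [eax+0Ch] above. */
typedef struct {
    uint8_t  Name[8];          /* +0x00 */
    uint32_t VirtualSize;      /* +0x08 */
    uint32_t VirtualAddress;   /* +0x0C */
    uint32_t SizeOfRawData;    /* +0x10 */
    uint32_t PointerToRawData; /* +0x14 */
} SectionHeader;

/* Hypothetical model of the unchecked step: delta = arg - VirtualAddress is a
 * 32-bit subtraction that wraps when the RVA exceeds arg. A caller that then
 * does base += delta moves its pointer before the allocation. */
static int32_t vuln_delta(uint32_t arg, const SectionHeader *sec)
{
    uint32_t delta = arg - sec->VirtualAddress;   /* wraps silently */
    return (int32_t)delta;
}

/* Hardened variant: validate the RVA before any pointer arithmetic and keep
 * both the resulting offset and the section body inside the buffer. */
static bool safe_section_offset(uint32_t buf_len, uint32_t arg,
                                const SectionHeader *sec, uint32_t *out_off)
{
    if (sec->VirtualAddress > arg)
        return false;                              /* would underflow */
    uint32_t off = arg - sec->VirtualAddress;
    if (off >= buf_len)
        return false;                              /* past the allocation */
    if (sec->SizeOfRawData > buf_len - off)
        return false;                              /* body runs off the end */
    *out_off = off;
    return true;
}

int main(void)
{
    /* Constructed values: the allocation on the page spans e294b008..e294ba68,
     * i.e. 0xA60 bytes. arg = 0x400 is assumed; a VirtualAddress of 0x1400
     * reproduces the observed edi = fffff000 (-0x1000). */
    const uint32_t buf_len = 0xA60;
    SectionHeader bad  = { "evil", 0x100, 0x1400, 0x100, 0x400 };
    SectionHeader good = { "ok",   0x100, 0x0200, 0x100, 0x400 };
    uint32_t off = 0;

    printf("unchecked delta for bad RVA: 0x%08x\n",
           (uint32_t)vuln_delta(0x400, &bad));
    printf("hardened check rejects bad RVA: %s\n",
           safe_section_offset(buf_len, 0x400, &bad, &off) ? "no" : "yes");
    if (safe_section_offset(buf_len, 0x400, &good, &off))
        printf("hardened check accepts good RVA at offset 0x%x\n", off);
    return 0;
}
```

The negative delta is exactly what the trap frame shows: edi = fffff000 applied to the original base e294b008 gives ebx = e294a008, 0x1000 bytes before the allocation, which is why the next `cmp dword ptr [eax],esi` faults.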