Microsoft Windows Kernel整数截断本地权限提升漏洞:触发原因-汇编形态

 

Microsoft Windows Kernel整数截断本地权限提升漏洞 http://sebug.net/vulndb/20361/上面的代码在vs2008下能直接编译 vc6.0编译错误一大堆()..了解下触发原因及汇编形态:IOCTL_WMI_TRACE_MESSAGE：D:/Windows驱动开发/系统源码/wrk/wrk-v1.2/wrk/wrk/base/ntos/wmi/wmi.ccase IOCTL_WMI_TRACE_MESSAGE: { // NOTE: This relies on WmiTraceUserMessage to probe the buffer! OutBufferLen = 0; if ( InBufferLen < sizeof(MESSAGE_TRACE_USER) ) { Status = STATUS_UNSUCCESSFUL; break; } Status = WmiTraceUserMessage( (PMESSAGE_TRACE_USER) irpStack->Parameters.DeviceIoControl.Type3InputBuffer, InBufferLen ); break; }dump：WRITE_ADDRESS: e11a6000 Paged poolFAULTING_IP: nt!WmiTraceMessageVa+25e80531d10 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]MM_INTERNAL_CODE: 1DEFAULT_BUCKET_ID: DRIVER_FAULTBUGCHECK_STR: 0x50PROCESS_NAME: kernel.exeTRAP_FRAME: ee8aaad8 -- (.trap 0xffffffffee8aaad8)ErrCode = 00000002eax=00010ff0 ebx=e11a405c ecx=00003c13 edx=00010ff0 esi=005a2038 edi=e11a6000eip=80531d10 esp=ee8aab4c ebp=ee8aabd4 iopl=0 nv up ei pl nz na pe nccs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206nt!WmiTraceMessageVa+0x25e:80531d10 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]Resetting default scopeLAST_CONTROL_TRANSFER: from 804f8b27 to 8052816cSTACK_TEXT: ee8aa614 804f8b27 00000003 e11a6000 00000000 nt!RtlpBreakWithStatusInstructionee8aa660 804f9714 00000003 00000000 c0708d30 nt!KiBugCheckDebugBreak+0x19ee8aaa40 804f9c3f 00000050 e11a6000 00000001 nt!KeBugCheck2+0x574ee8aaa60 8051d22b 00000050 e11a6000 00000001 nt!KeBugCheckEx+0x1bee8aaac0 80540aac 00000001 e11a6000 00000000 nt!MmAccessFault+0x8e7ee8aaac0 80531d10 00000001 e11a6000 00000000 nt!KiTrap0E+0xccee8aabd4 80531da9 12340002 c0dec0de c0c0dede nt!WmiTraceMessageVa+0x25eee8aabf4 8065ba1b 12340002 c0dec0de c0c0dede nt!WmiTraceMessage+0x1dee8aac48 805fb391 ee8aad00 80575b3b 8621e4f0 nt!WmiTraceUserMessage+0x59ee8aac50 80575b3b 8621e4f0 00000001 005a0068 nt!WmipFastIoDeviceControl+0x43ee8aad00 8056e81e 00000038 00000000 00000000 nt!IopXxxControlFile+0x261ee8aad34 8053dbc8 00000038 00000000 00000000 nt!NtDeviceIoControlFile+0x2aee8aad34 7c92eb94 00000038 00000000 00000000 nt!KiFastCallEntry+0xf80012fc8c 7c92d8ef 7c801671 00000038 00000000 ntdll!KiFastSystemCallRet0012fc90 7c801671 00000038 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc0012fcf0 0042dff8 00000038 002280a3 005a0068 kernel32!DeviceIoControl+0xdd0012fe88 0042d757 00000038 0007da50 7c92e1fe kernel!trigger+0x1e8 [e:/myprojects/???′2aê?/kernel/kernel.cpp @ 248]0012ff6c 0042eff7 00000001 003c2f50 003c2fc0 kernel!main+0x67 [e:/myprojects/???′2aê?/kernel/kernel.cpp @ 96]0012ffb8 0042eecf 0012fff0 7c816ff7 0007da50 kernel!__tmainCRTStartup+0x117 [f:/dd/vctools/crt_bld/self_x86/crt/src/crt0.c @ 266]0012ffc0 7c816ff7 0007da50 7c92e1fe 7ffdd000 kernel!mainCRTStartup+0xf [f:/dd/vctools/crt_bld/self_x86/crt/src/crt0.c @ 182]0012fff0 00000000 0042bbbd 00000000 78746341 kernel32!BaseProcessStart+0x23STACK_COMMAND: kbFOLLOWUP_IP: nt!WmiTraceMessageVa+25e80531d10 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]SYMBOL_STACK_INDEX: 6SYMBOL_NAME: nt!WmiTraceMessageVa+25eFOLLOWUP_NAME: MachineOwnerMODULE_NAME: ntIMAGE_NAME: ntkrnlpa.exeDEBUG_FLR_IMAGE_TIMESTAMP: 45e54849FAILURE_BUCKET_ID: 0x50_nt!WmiTraceMessageVa+25eBUCKET_ID: 0x50_nt!WmiTraceMessageVa+25eFollowup: MachineOwner---------kd> .trap 0xffffffffee8aaad8ErrCode = 00000002eax=00010ff0 ebx=e11a405c ecx=00003c13 edx=00010ff0 esi=005a2038 edi=e11a6000eip=80531d10 esp=ee8aab4c ebp=ee8aabd4 iopl=0 nv up ei pl nz na pe nccs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206nt!WmiTraceMessageVa+0x25e:80531d10 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]kd> dd 005a2038 005a2038 41414141 41414141 41414141 41414141005a2048 41414141 41414141 41414141 41414141005a2058 41414141 41414141 41414141 41414141005a2068 41414141 41414141 41414141 41414141005a2078 41414141 41414141 41414141 41414141005a2088 41414141 41414141 41414141 41414141005a2098 41414141 41414141 41414141 41414141005a20a8 41414141 41414141 41414141 41414141kd> dd e11a6000e11a6000 ???????? ???????? ???????? ????????e11a6010 ???????? ???????? ???????? ????????e11a6020 ???????? ???????? ???????? ????????e11a6030 ???????? ???????? ???????? ????????e11a6040 ???????? ???????? ???????? ????????e11a6050 ???????? ???????? ???????? ????????e11a6060 ???????? ???????? ???????? ????????用ida反汇编ntkrnlpa.exe中的WmiTraceMessageVa......text:00459B5E mov esi, ebx //EBX=MessageGuid.text:00459B60 shr esi, 2.text:00459B63 and esi, 8.text:00459B66 add esi, [ebp+var_28].text:00459B69 add esi, eax.text:00459B6B add esi, [ebp+totalsize] //totalsize就是传进来的Message.DataSize .text:00459B6E mov [ebp+var_60], esi此时esi=11014上面汇编代码对应的c代码如wrk中traceapi.C 中的WmiTraceMessageVa size = (USHORT) ((MessageFlags&TRACE_MESSAGE_SEQUENCE ? sizeof(ULONG):0) + (MessageFlags&TRACE_MESSAGE_GUID ? sizeof(GUID):0) + (MessageFlags&TRACE_MESSAGE_COMPONENTID ? sizeof(ULONG):0) + (MessageFlags&(TRACE_MESSAGE_TIMESTAMP | TRACE_MESSAGE_PERFORMANCE_TIMESTAMP) ? sizeof(LARGE_INTEGER):0) + (MessageFlags&TRACE_MESSAGE_SYSTEMINFO ? 2 * sizeof(ULONG):0) + sizeof (MESSAGE_TRACE_HEADER) + dataBytes);//wrk的解释：// We can ONLY log 64K (USHORT) data for a message. If the message is going // to be larger than we could log, fail it. 只支持64KB的消息数据。......下面分配内存.text:00459BF8 lea eax, [ebp+var_1C].text:00459BFB push eax.text:00459BFC movzx edx, si ; 整数截断 esi=11014 edx=1014; 后面拷贝用的还是原来的totalsize=10ff0 漏洞触发点.text:00459BFF call @WmipReserveTraceBuffer@12 ; WmipReserveTraceBuffer(x,x,x)只分配了1014字节大小的内存.....下面开始拷贝.text:00459CFB mov [ebp+var_7C], eax ; eax=00010ff0.text:00459CFE test eax, eax.text:00459D00 jle short loc_459CDC.text:00459D02 cmp [ebp+totalsize], eax ; [EBP-2C]=00010ff0.text:00459D05 jl short loc_459D23.text:00459D07 mov ecx, eax.text:00459D09 mov edi, ebx ;.text:00459D0B mov edx, ecx.text:00459D0D shr ecx, 2.text:00459D10 rep movsd //按10ff0拷贝整数截断经常容易发生 值得引起注意。how to exploi?I don't kown !