1. Case description

On 14 October 2014, the two IT security companies CrowdStrike and FireEye each published a blog post introducing a new kernel privilege escalation vulnerability in Windows. CrowdStrike's post says that they discovered and confirmed the vulnerability while tracking a hacking group they call Hurricane Panda, and that the vulnerability had been actively exploited on the Internet for at least 5 months. Reportedly, CrowdStrike and FireEye both found the vulnerability and submitted it to Microsoft, which assigned it the bulletin number MS14-058 and provided a patch. Shortly after the submission, many security researchers mentioned the vulnerability in their own blog posts and described some of its details. At the time of writing I had read a number of articles describing CVE-2014-4113 and learned from the analysis approaches of their many authors. One article analyses the vulnerability in detail from a combined perspective of the binary and the Metasploit penetration framework; that analysis applies to all 32-bit and 64-bit Windows operating systems other than Windows 8 and Windows 8.1. Microsoft stated that CVE-2014-4113 affects multiple versions of Windows, including Windows 8.1. Interestingly, FireEye's post says that the vulnerability is not present on Windows 8, Windows Server 2012 and later versions. The exploit for this vulnerability was first released by the Hurricane Panda group, and it works only on Windows 7 and Windows 8. So I was very curious how this vulnerability manifests, and can be exploited, across the multiple versions of Windows.
In what follows I walk the reader through my analysis of the vulnerability and the steps needed to exploit it on Windows 8 and Windows 8.1.

2. Vulnerability details

My test environment for the analysis is 64-bit Windows 7. Along the way I will also share some useful information with readers, such as the MD5 checksums of the shellcode samples that were analysed and tested. Since many earlier articles already describe the overall picture of the vulnerability in detail, I focus here on some of its specific details.

CVE-2014-4113 exists because of a missing return value check in the win32k.sys driver. win32k.sys is the kernel-mode driver that manages Windows system resources, provides the driver interface for graphics programming, and handles other kernel business. The vulnerability can be triggered from user mode through the TrackPopupMenu function in the user32 module. The kernel function that handles this API is win32k!xxxHandleMenuMessages, which calls win32k!xxxMNFindWindowFromPoint. The return value of win32k!xxxMNFindWindowFromPoint is a pointer to a win32k!tagWND structure; when the call fails, however, the function returns the error code -1 or -5. The calling code checks the return value only for -1 and never for -5, and this is the flaw. Because the error is never detected, the caller continues as if -5 were a valid win32k!tagWND pointer, while in fact the value it is using is the error code -5, i.e. 0xfffffffb. When this code executes, -5 is passed as a parameter to win32k!xxxSendMessage, which is a thin wrapper around win32k!xxxSendMessageTimeout; on Windows 8.1 that function is named win32k!xxxSendTransformableMessageTimeout.

The usual exploitation approach is to allocate memory at the user-mode address 0xfffffffb with the ZwAllocateVirtualMemory API and to store a fake win32k!tagWND structure there. When the kernel accesses that structure in user mode, the vulnerability is triggered: with the win32k!tagWND pointer prepared in this way, the kernel goes on to execute the function from the win32k!tagWND structure. That function pointer points to a simple kernel-privilege shellcode, which overwrites the original function's return address and operates on the EPROCESS structure so that the process runs with system privileges.

3. Exploitation on the Windows 8.1 kernel

The publicly disclosed exploit does not apply directly to Windows 8, because SMEP (Supervisor Mode Execution Prevention) protects against the execution of user-mode shellcode; the execution in question actually takes place in the kernel's context. The instruction in win32k!xxxSendTransformableMessageTimeout that the CPU executes to reach the shellcode still exists on Windows 8. Windows 8.1, however, completely replaced that code and also pays more attention to array bounds checks. Therefore, on Windows 8.1, the program flow no longer continues to that call instruction. Nevertheless, as we will see in the next section, a carefully designed win32k!tagWND structure and function can still successfully reach the target of the exploitation.

3.1 Designing the win32k!tagWND structure

To exploit this vulnerability on Windows 8.1, I construct a fake win32k!tagWND structure in user mode and allocate memory for it.
When the vulnerability is triggered, win32k!xxxSendTransformableMessageTimeout first reads a 64-bit value stored at offset 0x10 of the memory in which our win32k!tagWND structure resides and compares it with the win32k!gptiCurrent pointer. If we provide invalid data at that location, the program fails. Next, the program reads one byte at offset 0 and uses it as an index into memory; the data stored at the indexed location is compared with 0x01. If we set the first two bytes of the win32k!tagWND structure to 0, this 0x1 check fails and execution ends at a call to win32k!xxxInterSendMessageEx, provided that our win32k!tagWND pointer is passed as its first parameter.
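To make the missing return value check from section 2 concrete, here is a constructed C model added for this write-up; it is not win32k code and not taken from any exploit. All names are hypothetical: a lookup that packs the error codes -1 and -5 into its pointer-sized return value, a caller that rejects only -1 (the flawed pattern fixed by MS14-058), and a hardened caller that rejects every sentinel before the value is used as a pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for win32k!tagWND; only its address matters here. */
typedef struct model_wnd { const char *name; } model_wnd;

/* The lookup overloads one pointer-sized value with two error codes,
 * exactly the shape of the bug: -5 is 0xfffffffb on a 32-bit build. */
#define FIND_ERR_NO_WINDOW ((uintptr_t)(intptr_t)-1)
#define FIND_ERR_NO_ITEM   ((uintptr_t)(intptr_t)-5)

/* Constructed window table standing in for the kernel's window list. */
static model_wnd g_wnd_a = { "a" }, g_wnd_b = { "b" };
static model_wnd *g_table[] = { &g_wnd_a, &g_wnd_b };
#define G_COUNT (sizeof g_table / sizeof g_table[0])

/* Hypothetical analogue of win32k!xxxMNFindWindowFromPoint. */
static uintptr_t find_window_from_point(int index)
{
    if (index < 0)
        return FIND_ERR_NO_WINDOW;          /* -1: no window at all   */
    if ((size_t)index >= G_COUNT)
        return FIND_ERR_NO_ITEM;            /* -5: no menu item found */
    return (uintptr_t)g_table[index];
}

/* Flawed caller: only -1 is rejected, so -5 flows on as a "pointer".
 * Returns 1 if the value would be forwarded to the message routine. */
int vulnerable_dispatch(int index)
{
    uintptr_t wnd = find_window_from_point(index);
    if (wnd == FIND_ERR_NO_WINDOW)
        return 0;
    return 1;   /* would now dereference (model_wnd *)wnd, even if it is -5 */
}

/* Hardened caller: every sentinel the callee can return is checked first. */
int hardened_dispatch(int index)
{
    uintptr_t wnd = find_window_from_point(index);
    if (wnd == FIND_ERR_NO_WINDOW || wnd == FIND_ERR_NO_ITEM)
        return 0;
    return 1;
}

/* Low 32 bits of the -5 sentinel, i.e. the 0xfffffffb address named above. */
uint32_t no_item_sentinel_low32(void) { return (uint32_t)FIND_ERR_NO_ITEM; }

int main(void)
{
    printf("index 5: vulnerable=%d hardened=%d sentinel=0x%08x\n",
           vulnerable_dispatch(5), hardened_dispatch(5), no_item_sentinel_low32());
    return 0;
}
```

An out-of-range index is the case that matters: the flawed caller returns 1 and would use the -5 code as a structure pointer, the hardened caller returns 0.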