Classic kernel vulnerabilities debugging notes bis-vulnerability warning-the black bar safety net

2016-11-15T00:00:00
ID MYHACK58:62201681225
Type myhack58
Reporter 佚名
Modified 2016-11-15T00:00:00

Description

Foreword The last time I sent an article yourself in a classic kernel Vulnerability CVE-2 0 1 4-4 1 1 3 struggling experience, and some debugging details of the share summary after feel the harvest a lot, and later an accidental opportunity, I saw the Baidu security Labs issued an article that is about another classic of the kernel vulnerability, which is today the protagonist of the----CVE-2 0 1 5-2 5 4 6 this vulnerability from the patch comparison to the Trojan analysis: http://xlab.baidu.com/cve-2015-2546%ef%bc%9a%e4%bb%8e%e8%a1%a5%e4%b8%81%e6%af%94%e5%af%b9%e5%88%b0exploit/ The same feeling of full harvest, in this analysis, summarizes the vulnerability of Genesis, and the configuration of the reduction technique, the benefits, but did not provide the Virus, so according to this analysis, I try to write about the Exploit, this time is really very hard, while reverse debugging, while write Trojan, stumbling the completion of this exploits, but my previous analysis of the same, in the debugging process, there are a lot of very interesting process, so to summarize a bit, come up and share with everyone. Start following me this Diamondback birds provide the right trip. From the CVE-2 0 1 4-4 1 1 3 to CVE-2 0 1 5-2 5 4 6 First, I describe the vulnerability of the process: in the Create pop-up menu, when the mouse operation will trigger mouse events, causing the win32k. sys under the one called MNMouseMove function, in this function the process will involve a called MNHideNextHierarchy Function, This function will be passed one parameter, this parameter is a named tagPOPUPMENU the structure of the object, since for this object does not have to be checked, can result in through the front SendMessage asynchronous method, use the this object is freed, then use a fake_tag for the placeholder, so this fake_tag incoming MNHideNextHierarchy, and in this function will process one 1E4 message in here due to the fake_tag relationship, resulting in the release of after reuse, resulting in the Ring0 layer performs the Shellcode, and finally the completion of extraction rights. First saw this vulnerability, I think this use of the process and CVE-2 0 1 4-4 1 1 3 very much alike, are in the SendMessage to complete use, that is, use call [esi+60h]this Assembly instructions. To trigger this vulnerability, we must first think of a way to perform to MNMouseMove, we together to analyze what from where can be performed to MNMouseMove it. ! This process is not very familiar with, from TrackPopupMenuEx to MNLoop to HandleMenuMessages, and finally to the MNMouseMove it. Our previous debugging CVE-2 0 1 4-4 1 1 3 This is the process, the previous vulnerabilities occurred in the HandleMenuMessage, and the CVE-2 0 1 5-2 5 4 6 occurs in HandleMenuMessages inside of another call, then I produce an idea, CVE-2 0 1 4-4 1 1 3 Exploit we can in this exploit used? (Afterwards proved, think, easier said than done, but the process is very interesting.) We're from the CVE-2 0 1 4-4 1 1 3 This Exploit from the start, to the completion of the CVE-2 0 1 5-2 5 4 6. rights. And the kernel against the day First we look at the CVE-2 0 1 4-4 1 1 3 and CVE-2 0 1 5-2 5 4 6 How many relationships, relevant content, you can look at the comments. if ( v5 > 0x104 ) { if ( v5 > 0x202 ) { ...... } ...... if ( v20 ) { v21 = v20 - 1; if ( v21 ) { ...... v13 = xxxMNFindWindowFromPoint(v3, (int)&UnicodeString, (int)v7); v52 = IsMFMWFPWindow(v13); if ( v52 ) ...... if ( v13 == -1 ) xxxMNButtonDown((PVOID)v3, v12, UnicodeString, 1); else xxxSendMessage((PVOID)v13, -19, UnicodeString, 0);// CVE-2 0 1 4-4 1 1 3 vulnerability location if ( ! ((_DWORD )(v12 + 4) & 0x100) ) xxxMNRemoveMessage((_DWORD )(a1 + 4), 5 1 6); } return 0; } goto LABEL_59; } ...... LABEL_59: ...... xxxMNMouseMove(v3, a2, (int)v7); // CVE-2 0 1 5-2 5 4 6 vulnerability location return 1; } } Can be seen, the two vulnerabilities of the location are in HandleMenuMessages of the function, after the CVE-2 0 1 4-4 1 1 3 analysis, we found that this process is required by calling the PostMessage function, which relates to the window of operation in the CVE-2 0 1 4-4 1 1 3, through the WNDCLASS class lpfnWndProc defines the callback function MyWndProc is responsible for handling the window function, where the use of the PostMessage method. So, in order to make the program execution to MNMouseMove, I need to set a mouse event, and the inspiration here comes from Baidu laboratory analysis articles, so I consider using. //The WM_SYSCOMMAND message processing PostMessage(hwnd,WM_SYSCOMMAND,0,0);//send the WM_SYSCOMMAND //Mouse events PostMessage(hwnd,WM_LBUTTONDOWN,0,0);//left mouse button pressed PostMessage(hwnd,WM_LBUTTONUP,0,0);//left mouse button is lifted But after debugging, I found that in any case also can not reach the Debug location so that I need to consider why they were unable to reach the Debug position, in the analysis of the process found an interesting thing, first of all, in the CVE-2 0 1 4-4 1 1 3, Using TrackPopupMenu will create a pop-up menu.

[1] [2] [3] [4] [5] [6] [7] [8] next