“Cerber” ransomware's exploitation of CVE-2016-7255: exploit analysis (exploit warning, myhack58 / 黑吧安全网)

Source ID: MYHACK58:62201784568 | Published 2017-03-23 00:00:00 | Author: 佚名 (Anonymous) | www.myhack58.com

CVSS3: 7.8 High, vector CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Attack Vector: Local; Attack Complexity: Low; Privileges Required: Low; User Interaction: None; Scope: Unchanged; Confidentiality, Integrity and Availability Impact: High)

CVSS2: 7.2 High, vector AV:L/AC:L/Au:N/C:C/I:C/A:C (Access Vector: Local; Access Complexity: Low; Authentication: None; Confidentiality, Integrity and Availability Impact: Complete)

EPSS: 0.01 Low (Percentile 81.5%)

0x1 Foreword

360 Internet Security Center recently captured a “Cerber” ransomware Trojan variant whose code and execution flow do not differ much from other “Cerber” variants. What makes it worth noting is that this Trojan exploits the CVE-2016-7255 privilege-escalation vulnerability to elevate its own privileges. This article analyzes how the ransomware uses CVE-2016-7255.

0x2 Vulnerability details

The problematic code is in win32k!xxxNextWindow. Lacking the necessary checks, it directly ORs the value at offset 0x28 from the address held in the tagWND+0xC0 member with 4, and because tagWND+0xC0 is controllable, this yields an arbitrary-address write. The vulnerable code is shown below.

![](/Article/UploadPic/2017-3/201732314417778.png)

Figure 1 Vulnerable code

v12 in the figure is the tagWND structure; the structure (with parts omitted) is shown below.

![](/Article/UploadPic/2017-3/201732314417810.png)

Figure 2 The tagWND structure

From the figure above, tagWND+0xC0 corresponds to the spmenu member. If a user-mode function can assign this member, the arbitrary-address write can be triggered. On 32-bit systems, SetWindowLong can be called directly; SetWindowLong calls the kernel-mode function NtUserSetWindowLong to do the work. On 64-bit systems there is no usable user-mode function, but the kernel-mode functions NtUserSetWindowLong or NtUserSetWindowLongPtr can be reached through a syscall to do the same work. The following describes NtUserSetWindowLong; NtUserSetWindowLongPtr executes in the same way.

NtUserSetWindowLong is only a wrapper: it passes its parameters to xxxSetWindowLong and calls it, as shown below.

![](/Article/UploadPic/2017-3/201732314417836.png)

Figure 3 The xxxSetWindowLong function

This function checks the incoming nIndex and performs the corresponding operation according to its value. When nIndex is -16, -20, -12 or -21, it calls xxxSetWindowData for processing, as shown below.

![](/Article/UploadPic/2017-3/201732314417404.png)

Figure 4 Calling xxxSetWindowData for processing

That function receives xxxSetWindowLong's parameters. When nIndex is -12 (GWL_ID) and the style of the window being operated on includes WS_CHILD or WS_CHILDWINDOW (0x40000000), it sets the spmenu member of that window's tagWND structure to dwNewLong, as shown below.

![](/Article/UploadPic/2017-3/201732314417349.png)

Figure 5 Where the vulnerability is triggered

Since dwNewLong is a parameter passed when NtUserSetWindowLong is called, a user-mode process can control it freely through the syscall. win32k!xxxNextWindow then ORs the member at spmenu+0x28 with 4, which triggers the arbitrary-address write.
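As an added illustration (constructed here, not code from the article or from the Trojan), the following C model reproduces the logic of Figures 1 and 5 in ordinary user-space memory: xxxSetWindowData lets GWL_ID on a WS_CHILD window overwrite spmenu, and xxxNextWindow ORs 4 into spmenu+0x28 without validating the pointer; the hardened variant, an assumed mitigation rather than Microsoft's actual patch, validates the object against a stand-in handle table first. The structure layouts, the handle table and all helper names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed, simplified models of the win32k objects the analysis names;
 * not the real layouts, only the fields the bug touches. */
#define GWL_ID   (-12)
#define WS_CHILD 0x40000000u
typedef struct tagMENU {
    uint8_t  pad[0x28];
    uint32_t fFlags;      /* offset 0x28: the field xxxNextWindow ORs with 4 */
} MENU;
typedef struct tagWND {
    uint32_t style;
    MENU    *spmenu;      /* the member GWL_ID overwrites on a WS_CHILD window */
} WND;
/* Stand-in for the kernel handle table: only menus created here are genuine. */
static MENU *g_menus[16];
static size_t g_nmenus;
static MENU *create_menu(MENU *m) { *m = (MENU){0}; if (g_nmenus < 16) g_menus[g_nmenus++] = m; return m; }
static bool is_genuine_menu(const MENU *m) {
    for (size_t i = 0; i < g_nmenus; i++) if (g_menus[i] == m) return true;
    return false;
}
/* Model of xxxSetWindowData (Figure 5): GWL_ID on a child window stores the
 * caller's value straight into spmenu, so the pointer is caller-chosen. */
static void set_window_data(WND *w, int nIndex, uintptr_t dwNewLong) {
    if (nIndex == GWL_ID && (w->style & WS_CHILD)) w->spmenu = (MENU *)dwNewLong;
}
/* Vulnerable model of xxxNextWindow (Figure 1): trusts spmenu, so the OR lands
 * wherever spmenu+0x28 points. The hardened variant is an illustrative
 * mitigation, not Microsoft's actual patch: validate the object first. */
static void next_window_vulnerable(WND *w) { w->spmenu->fFlags |= 4; }
static bool next_window_hardened(WND *w) {
    if (!is_genuine_menu(w->spmenu)) return false;
    w->spmenu->fFlags |= 4;
    return true;
}
/* genuine=false: spmenu is redirected through GWL_ID at a plain buffer standing
 * in for an unrelated kernel object; returns the word at its offset 0x28.
 * genuine=true: a real menu stays in place; returns its fFlags. */
uint32_t run_model(bool hardened, bool genuine) {
    uint32_t target[11] = {0};            /* word 10 sits at byte offset 0x28 */
    MENU real;
    WND w = { WS_CHILD, create_menu(&real) };
    if (!genuine) set_window_data(&w, GWL_ID, (uintptr_t)target);
    if (hardened) next_window_hardened(&w); else next_window_vulnerable(&w);
    return genuine ? real.fFlags : target[10];
}
```

With the vulnerable path the redirected buffer receives the OR'd bit at offset 0x28, while the hardened path leaves it untouched and still sets the bit on a genuine menu.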

0x3 Exploit analysis

From the vulnerability details, a user-mode process has the ability to modify the spmenu member of the tagWND structure. That member is a tagMENU structure, defined as shown below.

![](/Article/UploadPic/2017-3/201732314417245.png)

Figure 6 The tagMENU structure

It is not hard to see that the value modified by xxxNextWindow is the fFlags member of spmenu at offset 0x28, and since that member is ORed with 0x4, the vulnerability can modify only a 1-bit region.

Being able to modify only 1 bit looks of little value on the surface, but this Trojan variant does not focus on that 1 bit itself; instead it turns to the cbWNDExtra member of the tagWND structure, which represents the size of the window's extra data. If modifying the window's extra-data size lets it cover a key address, and other means are then used to write data, a complete exploit can be achieved.

To complete the write to the cbWNDExtra member, the Trojan must obtain that member's address, or its offset relative to a known address. It must also obtain the address of the extra data, or its offset relative to a known address, so that the write can be computed and performed. To obtain the address of the cbWNDExtra member, the Trojan creates two windows, “ExtraWnd1” and “ExtraWND2”, which differ in the cbWndExtra member of their window classes; that member corresponds exactly to the cbWNDExtra member of tagWND. The program sets the two window classes' cbWndExtra members to 0x118 and 0x130 respectively, as shown below.

![](/Article/UploadPic/2017-3/201732314417654.png)

Figure 7 Creating the two windows

After creating the windows, it obtains the offset of the cbWNDExtra member within the tagWND structure using the HMValidateHandle function. That function is not exported to user mode, but the user-mode function IsMenu calls it, so the Trojan locates the address of HMValidateHandle by searching for the relevant byte pattern in IsMenu.

![](/Article/UploadPic/2017-3/201732314417116.png)

Figure 8 Locating the function by byte pattern

HMValidateHandle leaks the contents of the tagWND structure, so the Trojan can easily locate the offset of the cbWNDExtra member within tagWND. To be safe, the Trojan determines the cbWNDExtra offset in both windows' tagWND structures and treats the offset as valid only when the two values found match the 0x118 and 0x130 set when registering the window classes and the two offsets are the same.

![](/Article/UploadPic/2017-3/201732314417591.png)
