扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 |
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=946 There is a missing bounds check in inner loop of the escape handler for 0x7000014 that leads to a stack buffer overflow: ... for (DWORD i = 0; < escape->num_data; ++i) { ... // size is user controlled. size = escape->data[i].size; for (DWORD j = 0; j < size; ++j) { stack_buf[j] = escape->data[...]; } } The attached PoC gives me the following crashing context (Win 10 x64, 372.54): DRIVER_OVERRAN_STACK_BUFFER (f7) A driver has overrun a stack-based buffer.This overrun could potentially allow a malicious user to gain control of this machine. ... ffffd000<code>23f94a78 fffff801</code>6e5deaf2 : ffffd000<code>23f95270 00000000</code>000000f7 ffffd000<code>23f94be0 fffff801</code>6e43c848 : nt!DbgBreakPointWithStatus ffffd000<code>23f94a80 fffff801</code>6e5de4c3 : 00000000<code>00000003 ffffd000</code>23f94be0 fffff801<code>6e56c600 00000000</code>000000f7 : nt!KiBugCheckDebugBreak+0x12 ffffd000<code>23f94ae0 fffff801</code>6e55fa44 : 00000000<code>00000000 00000000</code>00000000 ffffc001<code>c8e7202c fffff801</code>6e7188b8 : nt!KeBugCheck2+0x893 ffffd000<code>23f951f0 fffff800</code>c58e2bc6 : 00000000<code>000000f7 ffffd000</code>23f95270 000044dd<code>b2c37fec ffffbb22</code>4d3c8013 : nt!KeBugCheckEx+0x104 ffffd000<code>23f95230 fffff800</code>c57ba4ce : ffffd000<code>23f95220 ffffe000</code>69a62000 00000000<code>00000001 00000000</code>07000014 : nvlddmkm+0x192bc6 ffffd000<code>23f95270 00000000</code>00000000 : 00000000<code>00000000 00000000</code>00000000 00000000<code>00000000 00000000</code>00000000 : nvlddmkm+0x6a4ce Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40667.zip |
体验盒子
