0x00漏洞資訊

漏洞影響：本地提權

漏洞檔案：win32kfull.sys

漏洞函式：GreResetDCInternal

漏洞原因：釋放重引用

漏洞日期：2018年 10月9號

【漏洞分析合集】

0x01漏洞分析

利用鏈

00 fffffe0b`1b6d1318 ffffd058`52015fac win32kfull!pppUserModeCallback  回到3環 釋放dc 造成釋放重引用
01 fffffe0b`1b6d1320 ffffd058`52014ec1 win32kfull!ClientPrinterThunk+0x68
02 fffffe0b`1b6d1360 ffffd058`5210720d win32kfull!UMPDOBJ::Thunk+0x6d
03 fffffe0b`1b6d13d0 ffffd058`523d4ecb win32kfull!UMPDDrvEnablePDEV+0x2ad
04 fffffe0b`1b6d1550 ffffd058`523d5771 win32kbase!PDEVOBJ::EnablePDEV+0x7f
05 fffffe0b`1b6d15c0 ffffd058`523f0518 win32kbase!PDEVOBJ::PDEVOBJ+0x1e1
06 fffffe0b`1b6d1850 ffffd058`5212eeaf win32kbase!hdcOpenDCW+0x298
07 fffffe0b`1b6d1950 ffffd058`5212ed3a win32kfull!GreResetDCInternal+0x10f
08 fffffe0b`1b6d1a10 fffff800`a55fc553 win32kfull!NtGdiResetDC+0xca
09 fffffe0b`1b6d1a90 00007ffc`022c6aa4 nt!KiSystemServiceCopyEnd+0x13
0a 00000004`77b6fc48 00007ffc`0215f0ae win32u!NtGdiResetDC+0x14
0b 00000004`77b6fc50 00007ffc`0218ff8d gdi32full!ResetDCWInternal+0x15e
0c 00000004`77b6fd50 00007ff7`50171ecb gdi32full!ResetDCA+0x3d

0x02參考連結

https://blog.csdn.net/qq_41252520/article/details/123716934

https://bbs.pediy.com/thread-269930.htm

https://www.anquanke.com/post/id/260841

https://xz.aliyun.com/t/10979?page=1#toc-1