0x00漏洞信息
漏洞影响:本地提权
漏洞文件:win32kfull.sys
漏洞函数:GreResetDCInternal
漏洞原因:释放重引用
漏洞日期:2021年 10月12号
【漏洞分析合集】
0x01漏洞分析
利用链
00 fffffe0b`1b6d1318 ffffd058`52015fac win32kfull!pppUserModeCallback 回到3环 释放dc 造成释放重引用
01 fffffe0b`1b6d1320 ffffd058`52014ec1 win32kfull!ClientPrinterThunk+0x68
02 fffffe0b`1b6d1360 ffffd058`5210720d win32kfull!UMPDOBJ::Thunk+0x6d
03 fffffe0b`1b6d13d0 ffffd058`523d4ecb win32kfull!UMPDDrvEnablePDEV+0x2ad
04 fffffe0b`1b6d1550 ffffd058`523d5771 win32kbase!PDEVOBJ::EnablePDEV+0x7f
05 fffffe0b`1b6d15c0 ffffd058`523f0518 win32kbase!PDEVOBJ::PDEVOBJ+0x1e1
06 fffffe0b`1b6d1850 ffffd058`5212eeaf win32kbase!hdcOpenDCW+0x298
07 fffffe0b`1b6d1950 ffffd058`5212ed3a win32kfull!GreResetDCInternal+0x10f
08 fffffe0b`1b6d1a10 fffff800`a55fc553 win32kfull!NtGdiResetDC+0xca
09 fffffe0b`1b6d1a90 00007ffc`022c6aa4 nt!KiSystemServiceCopyEnd+0x13
0a 00000004`77b6fc48 00007ffc`0215f0ae win32u!NtGdiResetDC+0x14
0b 00000004`77b6fc50 00007ffc`0218ff8d gdi32full!ResetDCWInternal+0x15e
0c 00000004`77b6fd50 00007ff7`50171ecb gdi32full!ResetDCA+0x3d
0x02参考链接
https://blog.csdn.net/qq_41252520/article/details/123716934
https://bbs.pediy.com/thread-269930.htm
https://www.anquanke.com/post/id/260841
https://xz.aliyun.com/t/10979?page=1#toc-1