POC详情: e0506a8304d0c0cc913aad3d9a3dd5912c8e8286

来源
https://github.com/robotMD5/CVE-2022-24481-POC
关联漏洞
标题: Microsoft Windows Common Log File System Driver 权限许可和访问控制问题漏洞 (CVE-2022-24481)
描述:Microsoft Windows Common Log File System Driver是美国微软(Microsoft)公司的通用日志文件系统 (CLFS) API 提供了一个高性能、通用的日志文件子系统,专用客户端应用程序可以使用该子系统并且多个客户端可以共享以优化日志访问。 Microsoft Windows Common Log File System Driver存在权限许可和访问控制问题漏洞。以下产品和版本受到影响:Windows 10 Version 1809 for 32-bit Sy
描述
POC for CLFS CVE-2022-24481
介绍
# CVE-2022-24481-POC

## TL;DR
This poc is reversed from exp(SHA1:fec933b0c46366a1fb272bfaf82a8262597a8d75) and many AV engine detected it as CVE-2022-24521. After analyze it, I find that it maybe the exp for CVE-2022-24481, bacause CVE-2022-24521 is not a type confusion vulnerability.
The bug cause by incorrect of point CLFS_CONTAINER_CONTEXT.pContainer, it will be called in function CClfsContainer::Close, so if it was modified before, and it will execute any code. but how to modify this point?
the RCA of exp(fec933b0c46366a1fb272bfaf82a8262597a8d75) is as follow:
1. exp modify CLFS_BASE_RECORD_HEADER.rgClients to the offset of CLFS_CONTAINER_CONTEXT.
2. in function CClfsLogFcbPhysical::Initialize, read some value into memory from CLFS_BASE_RECORD_HEADER.rgClients(the offset of CLFS_CONTAINER_CONTEXT).
3. CClfsBaseFilePersisted::LoadContainerQ, it will generate the class Container point and fill into CLFS_CONTAINER_CONTEXT.pContainer.
4. in function CClfsRequest::Cleanup, write the value from step 2 into client context which is the same as container context in the memory.
5. in function CClfsRequest::Close, parse CLFS_CONTAINER_CONTEXT and call pContainer(trigger).
文件快照

 [4.0K]  /data/pocs/e0506a8304d0c0cc913aad3d9a3dd5912c8e8286
├── [ 21K]  CVE-2022-24481-POC.cpp
└── [1.2K]  README.md

0 directories, 2 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。