Related vulnerability
Description
A PoC for CVE-2018-7250
Introduction
# SecDrvPoolLeak - A PoC for CVE-2018-7250
### Description
An issue was discovered in secdrv.sys as shipped in Microsoft Windows Vista, Windows 7, Windows 8, and Windows 8.1 before KB3086255, and as shipped in Macrovision SafeDisc. An uninitialized kernel pool allocation in IOCTL 0xCA002813 allows a local unprivileged attacker to leak 16 bits of uninitialized kernel PagedPool data.
The vulnerability was reported to Microsoft; since it does not affect an up-to-date Windows machine (only versions prior to KB3086255 are affected), Microsoft will not take any action. It was tested and exploited successfully on Windows 7 x86.
It is also related to [CVE-2018-7249](https://github.com/Elvin9/NotSecDrv); the linked repository contains details about both vulnerabilities.
### Screenshots
[Screenshot] The allocated PagedPool chunk, uninitialized.
[Screenshot] The uninitialized part copied to user mode.
### Test Environment
**OS:** Windows 7 Kernel Version 7600 MP (1 procs) Free x86 compatible Built by: 7600.16385.x86fre.win7_rtm.090713-1255
**VM:** 4GB RAM, 1 CPU
**Hardware:** Windows 10 Pro 64 bit, Motherboard Gigabyte Z370 HD3, 16GB RAM, Intel i5-8400 2.80GHz (6 CPUs)
File snapshot
[4.0K] /data/pocs/0ac836b37039b735b0be7cedbdd308cfbc976afc
├── [8.8K] allocation.png
├── [ 11K] leak.png
├── [1.2K] README.md
├── [4.0K] SecDrvPoolLeak
│ ├── [3.4K] SecDrvPoolLeak.cpp
│ ├── [7.9K] SecDrvPoolLeak.vcxproj
│ ├── [1.2K] SecDrvPoolLeak.vcxproj.filters
│ ├── [ 604] stdafx.cpp
│ ├── [ 642] stdafx.h
│ └── [ 630] targetver.h
└── [1.4K] SecDrvPoolLeak.sln
1 directory, 10 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is unavailable or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.