An old vulnerability NtUserQueryUserCounters found
NtUserQueryUserCounters () is currently only supported by win2k and winxp, and there is an overflow. However, winxp has been patched. I do not know if the last version of win2k has been patched, but my VM has not been patched. Since win2k is no longer supported, it is possible that win2k has not been repaired.
The pseudocode is roughly as follows:
NtUserQueryUserCounters (in dword QueryType, in lpvoid pIn, in dword InSize, out lpvoid Result, in dword OutSize) {if (QueryType = QUERY_USER_HANDLES) {if (InSize & 3) | OutSize! = HANDS_TYPES * InSize) {/* parameter check, but the integer overflow is not taken into account. The patch considers * // *, which is not necessarily a patch. The Compiler considers overflow for multiplication, when ULOGLONGTOULONG is called, an error is returned. */Goto error;} ProbeForRead (pIn, InSize, sizeof (DWORD); In = malloc (InSize); CopyMemory (In, pIn, InSize); ProbeForWrite (Result, OutSize, sizeof (DWORD); Out = malloc (OutSize); _ QueryUserHandles (In, InSize/sizeof (DWORD), (DWORD (*) [HAND_CTYPES]) Out ); /* Heap Overflow may occur after integer overflow */CopyMemory (Result, Out, OutSize); error :}}
In pIn, the process id table is used to query the counts of various win32 objects of a specified process, you can set the process id to skip unnecessary operations in the Out. After calculating the Out memory allocation address or getting the Out address through leakage, you can also directly rewrite the content of any specified address in the kernel to facilitate compilation and utilization.