NVIDIA Driver 375.70 – DxgkDdiEscape 0x100008b Out-of-Bounds Read/Write

• Exploit Database
• 18 阅读

• 作者： Google Security Research
  日期： 2017-02-15
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/41364/

• Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=985
  
  The DxgkDdiEscape handler for 0x100008b accepts a user supplied size as the
  limit for a loop, leading to OOB reads and writes.
  
  The supplied PoC passes an invalid size of 0x41414141, which causes a crash in:
  
  __int64 sub_30A500(__int64 a1, __int64 a2, _DWORD *ptr, unsigned int user_supplied_size)
  {
  __int64 i; // r11@2
  
  if ( user_supplied_size )
  {
  i = user_supplied_size;
  do
  {
  if ( *ptr == 3 || (unsigned int)(*ptr - 9) <= 1 )
  *ptr = 0;
  ptr += 3;
  --i;
  }
  while ( i );
  
  Crashing context on Win 10 x64, driver version 375.70:
  
  TRAP_FRAME:ffffd000266219e0 -- (.trap 0xffffd000266219e0)
  NOTE: The trap frame does not contain all registers.
  Some register values may be zeroed or incorrect.
  rax=00000000fffffff7 rbx=0000000000000000 rcx=ffffe000d6315000
  rdx=ffffe000d691b000 rsi=0000000000000000 rdi=0000000000000000
  rip=fffff8010e34a50b rsp=ffffd00026621b78 rbp=ffffe000d691b000
   r8=ffffd000266228a8r9=0000000041414141 r10=ffffd00026623004
  r11=00000000414140a4 r12=0000000000000000 r13=0000000000000000
  r14=0000000000000000 r15=0000000000000000
  iopl=0 nv up ei pl nz na pe nc
  nvlddmkm+0x2fa50b:
  fffff801`0e34a50b 418b02mov eax,dword ptr [r10] ds:ffffd000`26623004=????????
  
  
  Proof of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41364.zip