index.html

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  
<!-- Google Analytics -->
<script type="text/javascript">
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');

ga('create', 'UA-145401438-1', 'auto');
ga('send', 'pageview');

</script>
<!-- End Google Analytics -->


  
  <title>Yuebin Sun&#39;s Blog</title>
  <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
  <meta property="og:type" content="website">
<meta property="og:title" content="Yuebin Sun&#39;s Blog">
<meta property="og:url" content="https://rekken.github.io/index.html">
<meta property="og:site_name" content="Yuebin Sun&#39;s Blog">
<meta property="og:locale">
<meta property="article:author" content="Yuebin Sun">
<meta name="twitter:card" content="summary">
<meta name="twitter:creator" content="@yuebinsun2020">
  
    <link rel="alternate" href="/atom.xml" title="Yuebin Sun&#39;s Blog" type="application/atom+xml">
  
  
    <link rel="icon" href="/favicon.png">
  
  
    <link href="//fonts.googleapis.com/css?family=Source+Code+Pro" rel="stylesheet" type="text/css">
  
  
<link rel="stylesheet" href="/css/style.css">

<meta name="generator" content="Hexo 7.0.0"></head>

<body>
  <div id="container">
    <div id="wrap">
      <header id="header">
  <div id="banner"></div>
  <div id="header-outer" class="outer">
    <div id="header-title" class="inner">
      <h1 id="logo-wrap">
        <a href="/" id="logo">Yuebin Sun&#39;s Blog</a>
      </h1>
      
    </div>
    <div id="header-inner" class="inner">
      <nav id="main-nav">
        <a id="main-nav-toggle" class="nav-icon"></a>
        
          <a class="main-nav-link" href="/">Home</a>
        
          <a class="main-nav-link" href="/archives">Archives</a>
        
          <a class="main-nav-link" href="/about">About</a>
        
      </nav>
      <nav id="sub-nav">
        
          <a id="nav-rss-link" class="nav-icon" href="/atom.xml" title="RSS Feed"></a>
        
        <a id="nav-search-btn" class="nav-icon" title="Search"></a>
      </nav>
      <div id="search-form-wrap">
        <form action="//google.com/search" method="get" accept-charset="UTF-8" class="search-form"><input type="search" name="q" class="search-form-input" placeholder="Search"><button type="submit" class="search-form-submit">&#xF002;</button><input type="hidden" name="sitesearch" value="https://rekken.github.io"></form>
      </div>
    </div>
  </div>
</header>
      <div class="outer">
        <section id="main">
  
    <article id="post-Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently" class="article article-type-post" itemscope itemprop="blogPost">
  <div class="article-meta">
    <a href="/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/" class="article-date">
  <time datetime="2020-05-14T09:32:39.000Z" itemprop="datePublished">2020-05-14</time>
</a>
    
  </div>
  <div class="article-inner">
    
    
      <header class="article-header">
        
  
    <h1 itemprop="name">
      <a class="article-title" href="/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/">Security Flaws in Adobe Acrobat Reader Allow Malicious Program to Gain Root on macOS Silently</a>
    </h1>
  

      </header>
    
    <div class="article-entry" itemprop="articleBody">
      
        <p>Yuebin Sun(<a target="_blank" rel="noopener" href="https://twitter.com/yuebinsun2020">@yuebinsun2020</a>) of Tencent Security Xuanwu Lab</p>
<h2 id="0x0-Summary"><a href="#0x0-Summary" class="headerlink" title="0x0 Summary"></a>0x0 Summary</h2><p>Today, Adobe Acrobat Reader DC for macOS patched three critical vulnerabilities(CVE-2020-9615, CVE-2020-9614, CVE-2020-9613) I reported. The only requirement needed to trigger the vulnerabilities is that Adobe Acrobat Reader DC has been installed. A normal user on macOS(with SIP enabled) can locally exploit this vulnerabilities chain to elevate privilege to the ROOT without a user being aware. In this blog, I will analyze the details of vulnerabilities and show how to exploit them.</p>
<h2 id="0x1-Background"><a href="#0x1-Background" class="headerlink" title="0x1 Background"></a>0x1 Background</h2><p>The root process has superpowers, it almost can do anything, reading&#x2F;writing all sensitive files&#x2F;databases such as Images&#x2F;Calendars. However in modern macOS, root processes outside of sandbox are rare, most macOS built-in services run within a sandbox. They are no longer the king, they imprison themselves in a cage based on declarative sandbox profile rules. </p>
<p>Good news, popular software with high privileged services are new good target in addition to macOS built-in services, so Adobe Acrobat Reader DC catch my attention.</p>
        
          <p class="article-more-link">
            <a href="/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/#more">Read More</a>
          </p>
        
      
    </div>
    <footer class="article-footer">
      <a data-url="https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/" data-id="clqrrbkfq0003qxw0c4vue544" class="article-share-link">Share</a>
      
      
  <ul class="article-tag-list" itemprop="keywords"><li class="article-tag-list-item"><a class="article-tag-list-link" href="/tags/macOS/" rel="tag">macOS</a></li></ul>

    </footer>
  </div>
  
</article>


  
    <article id="post-macOS-Security-Framework-and-Previous-CVEs-EN" class="article article-type-post" itemscope itemprop="blogPost">
  <div class="article-meta">
    <a href="/2020/02/26/macOS-Security-Framework-and-Previous-CVEs-EN/" class="article-date">
  <time datetime="2020-02-26T09:20:00.000Z" itemprop="datePublished">2020-02-26</time>
</a>
    
  </div>
  <div class="article-inner">
    
    
      <header class="article-header">
        
  
    <h1 itemprop="name">
      <a class="article-title" href="/2020/02/26/macOS-Security-Framework-and-Previous-CVEs-EN/">macOS Security Framework and previous CVEs</a>
    </h1>
  

      </header>
    
    <div class="article-entry" itemprop="articleBody">
      
        <p>Yuebin Sun(<a target="_blank" rel="noopener" href="https://twitter.com/yuebinsun2020">@yuebinsun2020</a>) of Tencent Security Xuanwu Lab</p>
<h2 id="Summary"><a href="#Summary" class="headerlink" title="Summary"></a>Summary</h2><p>COVID-19 outbreak keep me from going out，I have been researching macOS’s Security framework in the past two weeks of homeworking.</p>
<p>In this blog, I will try to analyze Security framework, especially Keychain, and previous vulnerabilities of the Secuirty framework。</p>
<h2 id="Security-Framework"><a href="#Security-Framework" class="headerlink" title="Security Framework"></a>Security Framework</h2><p>Security framework is responsible for providing authentication and authorization, secure data storage and transportation, code signing, encryption&#x2F;decryption services. Apps can use this services by using API of Security framework directly without knowing or caring about its implementation details.</p>
<img src="/2020/02/26/macOS-Security-Framework-and-Previous-CVEs-EN/security-framework.png" class="" title="Image">

<p>But what are the components which composes the Security framework, and how the components collaborate with each other?</p>
        
          <p class="article-more-link">
            <a href="/2020/02/26/macOS-Security-Framework-and-Previous-CVEs-EN/#more">Read More</a>
          </p>
        
      
    </div>
    <footer class="article-footer">
      <a data-url="https://rekken.github.io/2020/02/26/macOS-Security-Framework-and-Previous-CVEs-EN/" data-id="clqrrbkfs0009qxw0em2kb7cc" class="article-share-link">Share</a>
      
      
  <ul class="article-tag-list" itemprop="keywords"><li class="article-tag-list-item"><a class="article-tag-list-link" href="/tags/macOS/" rel="tag">macOS</a></li></ul>

    </footer>
  </div>
  
</article>


  
    <article id="post-macOS-Security-Framework-and-Previous-CVEs-CN" class="article article-type-post" itemscope itemprop="blogPost">
  <div class="article-meta">
    <a href="/2020/02/26/macOS-Security-Framework-and-Previous-CVEs-CN/" class="article-date">
  <time datetime="2020-02-26T08:59:00.000Z" itemprop="datePublished">2020-02-26</time>
</a>
    
  </div>
  <div class="article-inner">
    
    
      <header class="article-header">
        
  
    <h1 itemprop="name">
      <a class="article-title" href="/2020/02/26/macOS-Security-Framework-and-Previous-CVEs-CN/">macOS Security Framework and previous CVEs</a>
    </h1>
  

      </header>
    
    <div class="article-entry" itemprop="articleBody">
      
        <p>Yuebin Sun(<a target="_blank" rel="noopener" href="https://twitter.com/yuebinsun2020">@yuebinsun2020</a>) of Tencent Security Xuanwu Lab</p>
<h2 id="摘要"><a href="#摘要" class="headerlink" title="摘要"></a>摘要</h2><p>新冠病毒疫情出不了门，在家办公这两周笔者研究了一下 macOS 的 Security Framework。</p>
<p>本文主要分析 Security Framework 尤其是其中 Keychain 的架构，将 Security Framework 近一两年的历史漏洞做个整理。</p>
<h2 id="Security-Framework-简介"><a href="#Security-Framework-简介" class="headerlink" title="Security Framework 简介"></a>Security Framework 简介</h2><p>Security Framework 主要负责为 App 提供认证与授权、安全数据存储与传输（Keychain，App Transport Security）、代码签名、加密解密功能。</p>
<p>第三方 App 通过引用 Security Framework，使用 Apple 提供的 API 就可以直接使用这些功能，不用关心底层实现的细节。</p>
<img src="/2020/02/26/macOS-Security-Framework-and-Previous-CVEs-CN/security-framework.png" class="" title="Image">

<p>但 Security Framework 都有哪些组件，又是如何构建起来的呢？</p>
        
          <p class="article-more-link">
            <a href="/2020/02/26/macOS-Security-Framework-and-Previous-CVEs-CN/#more">Read More</a>
          </p>
        
      
    </div>
    <footer class="article-footer">
      <a data-url="https://rekken.github.io/2020/02/26/macOS-Security-Framework-and-Previous-CVEs-CN/" data-id="clqrrbkfs0008qxw0gl2e5542" class="article-share-link">Share</a>
      
      
  <ul class="article-tag-list" itemprop="keywords"><li class="article-tag-list-item"><a class="article-tag-list-link" href="/tags/macOS/" rel="tag">macOS</a></li></ul>

    </footer>
  </div>
  
</article>


  
    <article id="post-Analysis-of-Microsoft-Edge-Chakra-OP-NewScObjArray-Type-Confusion-Vulnerability" class="article article-type-post" itemscope itemprop="blogPost">
  <div class="article-meta">
    <a href="/2019/03/31/Analysis-of-Microsoft-Edge-Chakra-OP-NewScObjArray-Type-Confusion-Vulnerability/" class="article-date">
  <time datetime="2019-03-31T09:06:11.000Z" itemprop="datePublished">2019-03-31</time>
</a>
    
  </div>
  <div class="article-inner">
    
    
      <header class="article-header">
        
  
    <h1 itemprop="name">
      <a class="article-title" href="/2019/03/31/Analysis-of-Microsoft-Edge-Chakra-OP-NewScObjArray-Type-Confusion-Vulnerability/">Microsoft Edge Chakra OP_NewScObjArray 类型混淆漏洞分析笔记</a>
    </h1>
  

      </header>
    
    <div class="article-entry" itemprop="articleBody">
      
        <p>Yuebin Sun(<a target="_blank" rel="noopener" href="https://twitter.com/yuebinsun2020">@yuebinsun2020</a>)</p>
<h2 id="1-环境信息"><a href="#1-环境信息" class="headerlink" title="1 环境信息"></a>1 环境信息</h2><ul>
<li>Windows 10 X64 14393 (1607) - 没有安装过任何补丁</li>
<li>Microsoft Edge 38.14393.0.0</li>
<li>Microsoft EdgeHTML 14.14393</li>
</ul>
<h2 id="2-Crash-Point"><a href="#2-Crash-Point" class="headerlink" title="2 Crash Point"></a>2 Crash Point</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br></pre></td><td class="code"><pre><span class="line">(1648.f78): Access violation - code c0000005 (first chance)</span><br><span class="line">First chance exceptions are reported before any exception handling.</span><br><span class="line">This exception may be expected and handled.</span><br><span class="line">chakra!Js::DynamicProfileInfo::RecordCallSiteInfo+0x75:</span><br><span class="line">00007ff9`dc43d0c5 66418500        test    word ptr [r8],ax ds:000001e5`b6a4f048=????</span><br><span class="line">0:010&gt; kb</span><br><span class="line"> # RetAddr           : Args to Child                                                           : Call Site</span><br><span class="line">00 00007ff9`dc23d3ea : 000001e5`b6950020 000001e5`d56f01a0 00000000`0000fefa 00007ff9`dc9583c8 : chakra!Js::DynamicProfileInfo::RecordCallSiteInfo+0x75</span><br><span class="line">01 00007ff9`dc23def7 : 000001e5`b8ff97c0 0000004a`3a3fb100 000001e5`d0f407e0 00007ff9`dc37fefa : chakra!Js::ProfilingHelpers::ProfiledNewScObjArray+0x9e</span><br><span class="line">02 00007ff9`dc38d74a : 0000004a`3a3fb410 000001e5`d6f3dc64 000001e5`b7bfa760 00007ff9`dc374943 : chakra!Js::InterpreterStackFrame::OP_NewScObjArray_Impl&lt;Js::OpLayoutT_CallI&lt;Js::LayoutSizePolicy&lt;1&gt; &gt;,0&gt;+0x8f</span><br><span class="line">03 00007ff9`dc374cdd : 0000004a`3a3fb1e8 000001e5`d6f3dc63 000001e5`d6f3dc5f 00000000`00000000 : chakra!Js::JavascriptRegExpConstructor::GetPropertyBuiltIns+0xd22</span><br><span class="line">04 00007ff9`dc374b07 : 0000004a`3a3fb410 00000000`00000000 00000000`00000001 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0xbd</span><br><span class="line">05 00007ff9`dc3736c9 : 0000004a`3a3fb410 0000004a`3a3fb410 0000004a`3a3fb410 00000000`00000001 : chakra!Js::InterpreterStackFrame::Process+0x1a7</span><br><span class="line">06 00007ff9`dc375a04 : 0000004a`3a3fb410 000001e5`d6f3dc47 000001e5`d6f3dc47 00000000`00000000 : chakra!Js::InterpreterStackFrame::OP_TryCatch+0x61</span><br><span class="line">07 00007ff9`dc374b07 : 0000004a`3a3fb410 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0xde4</span><br><span class="line">08 00007ff9`dc378b5e : 0000004a`3a3fb410 000001e5`d56f01a0 0000004a`3a3fbd80 00007ff9`e46a3f00 : chakra!Js::InterpreterStackFrame::Process+0x1a7</span><br><span class="line">09 00007ff9`dc37a265 : 000001e5`d0f407e0 0000004a`3a3fbf50 000001e5`b65b0fba 0000004a`3a3fbf68 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x48e</span><br><span class="line">0a 000001e5`b65b0fba : 0000004a`3a3fbfa0 00000000`00000001 0000004a`3a3fc378 00007ff9`dc4a0fe0 : chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55</span><br><span class="line">0b 00007ff9`dc4a1393 : 000001e5`d0f407e0 00000000`10000001 000001e5`ce93ff90 00000000`00000001 : 0x000001e5`b65b0fba</span><br><span class="line">0c 00007ff9`dc36ef6d : 000001dd`a72844f0 00000000`00000008 000001e5`d0300110 0000004a`3a3fc001 : chakra!amd64_CallFunction+0x93</span><br><span class="line">0d 00007ff9`dc372797 : 0000004a`3a3fc230 000001e5`d5874036 000001e5`d0f407e0 000001e5`00000001 : chakra!Js::InterpreterStackFrame::OP_CallCommon&lt;Js::OpLayoutDynamicProfile&lt;Js::OpLayoutT_CallIWithICIndex&lt;Js::LayoutSizePolicy&lt;0&gt; &gt; &gt; &gt;+0x15d</span><br><span class="line">0e 00007ff9`dc376842 : 0000004a`3a3fc230 000001e5`d5874036 000001e5`00000119 00000000`00000000 : chakra!Js::InterpreterStackFrame::OP_ProfiledCallIWithICIndex&lt;Js::OpLayoutT_CallIWithICIndex&lt;Js::LayoutSizePolicy&lt;0&gt; &gt; &gt;+0xa7</span><br><span class="line">0f 00007ff9`dc374aa2 : 0000004a`3a3fc230 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessProfiled+0x132</span><br><span class="line">10 00007ff9`dc378b5e : 0000004a`3a3fc230 000001e5`d56f0000 0000004a`3a3fc390 ffffffff`ffffff01 : chakra!Js::InterpreterStackFrame::Process+0x142</span><br><span class="line">11 00007ff9`dc37a265 : 000001e5`d0f40900 0000004a`3a3fc560 000001e5`b65b0fc2 0000004a`3a3fc578 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x48e</span><br><span class="line">12 000001e5`b65b0fc2 : 0000004a`3a3fc5b0 00000000`00000000 00000000`00000000 00007ff9`dc4a0fe0 : chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55</span><br><span class="line">13 00007ff9`dc4a1393 : 000001e5`d0f40900 00000000`00000000 00000000`00000000 00000000`00000000 : 0x000001e5`b65b0fc2</span><br><span class="line">14 00007ff9`dc36d873 : 000001dd`a72844f0 00000000`00000000 000001e5`d0316f00 00007ff9`dc3d2f87 : chakra!amd64_CallFunction+0x93</span><br><span class="line">15 00007ff9`dc3dc2ec : 000001e5`d0f40900 00007ff9`dc4a15a0 0000004a`3a3fc6c0 000001e5`d030e6d0 : chakra!Js::JavascriptFunction::CallFunction&lt;1&gt;+0x83</span><br><span class="line">16 00007ff9`dc3db8b6 : 000001e5`d0f40900 0000004a`3a3fc7a0 000001e5`d030e6d0 0000004a`3a3fc700 : chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x104</span><br><span class="line">17 00007ff9`dc486259 : 000001e5`d0f40900 0000004a`3a3fc840 000001e5`d030e6d0 00000000`00000000 : chakra!Js::JavascriptFunction::CallRootFunction+0x4a</span><br><span class="line">18 00007ff9`dc3e1d41 : 000001e5`d0f40900 0000004a`3a3fc8a0 00000000`00000000 0000004a`3a3fc880 : chakra!ScriptSite::CallRootFunction+0xb5</span><br><span class="line">19 00007ff9`dc392a1d : 000001e5`d030cf00 000001e5`d0f40900 0000004a`3a3fc950 00000000`00000000 : chakra!ScriptSite::Execute+0x131</span><br><span class="line">...</span><br></pre></td></tr></table></figure>
        
          <p class="article-more-link">
            <a href="/2019/03/31/Analysis-of-Microsoft-Edge-Chakra-OP-NewScObjArray-Type-Confusion-Vulnerability/#more">Read More</a>
          </p>
        
      
    </div>
    <footer class="article-footer">
      <a data-url="https://rekken.github.io/2019/03/31/Analysis-of-Microsoft-Edge-Chakra-OP-NewScObjArray-Type-Confusion-Vulnerability/" data-id="clqrrbkfr0006qxw06wtw4kc5" class="article-share-link">Share</a>
      
      
    </footer>
  </div>
  
</article>


  
    <article id="post-Analysis-and-Exploitation-of-GeekPwn-2016-Windows-Services-EoP-Vulnerability" class="article article-type-post" itemscope itemprop="blogPost">
  <div class="article-meta">
    <a href="/2017/07/23/Analysis-and-Exploitation-of-GeekPwn-2016-Windows-Services-EoP-Vulnerability/" class="article-date">
  <time datetime="2017-07-23T06:11:35.000Z" itemprop="datePublished">2017-07-23</time>
</a>
    
  </div>
  <div class="article-inner">
    
    
      <header class="article-header">
        
  
    <h1 itemprop="name">
      <a class="article-title" href="/2017/07/23/Analysis-and-Exploitation-of-GeekPwn-2016-Windows-Services-EoP-Vulnerability/">GeekPwn 2016 Windows 服务提权漏洞的分析和利用</a>
    </h1>
  

      </header>
    
    <div class="article-entry" itemprop="articleBody">
      
        <p>Yuebin Sun(<a target="_blank" rel="noopener" href="https://twitter.com/yuebinsun2020">@yuebinsun2020</a>)</p>
<h2 id="摘要"><a href="#摘要" class="headerlink" title="摘要"></a>摘要</h2><p>GeekPwn 2016 比赛中有一道 Windows 服务漏洞提权题目，该服务程序会创建命名管道（Named Pipe）服务端接收客户端发送的文件路径然后调用 LoadLibrary 加载，但加载之前有一系列的检查过程，我们的最终目标是绕过这些检查，加载我们指定的 DLL并以 SYSTEM 权限执行任意代码。本文笔者逐一分析该服务的各个验证环节及其绕过方法，以及如何组合他们最终启动 SYSTEM 权限的计算器。</p>
<p>服务端的处理逻辑: </p>
<ol>
<li><p>服务端创建命名管道，等待客户端的连接。</p>
</li>
<li><p>客户端连接之后，服务端OpenProcess 打开客户端进程句柄，获得客户端进程 Image 文件路径。</p>
</li>
<li><p>验证客户端 Image 文件路径的签名。</p>
</li>
<li><p>签名验证通过之后，创建 Event 事件对象，无限等待 Event 对象直到 Signaled 状态。</p>
</li>
<li><p>通过管道接受客户端发送的 DLL 文件路径。</p>
</li>
<li><p>验证 DLL 文件路径的签名，签名通过之后调用 LoadLibrary 加载 DLL。</p>
</li>
</ol>
        
          <p class="article-more-link">
            <a href="/2017/07/23/Analysis-and-Exploitation-of-GeekPwn-2016-Windows-Services-EoP-Vulnerability/#more">Read More</a>
          </p>
        
      
    </div>
    <footer class="article-footer">
      <a data-url="https://rekken.github.io/2017/07/23/Analysis-and-Exploitation-of-GeekPwn-2016-Windows-Services-EoP-Vulnerability/" data-id="clqrrbkfo0001qxw0d9tc8ie0" class="article-share-link">Share</a>
      
      
    </footer>
  </div>
  
</article>


  
    <article id="post-Windows-Logical-EoP-Workshop-Writeup" class="article article-type-post" itemscope itemprop="blogPost">
  <div class="article-meta">
    <a href="/2017/05/30/Windows-Logical-EoP-Workshop-Writeup/" class="article-date">
  <time datetime="2017-05-30T07:57:17.000Z" itemprop="datePublished">2017-05-30</time>
</a>
    
  </div>
  <div class="article-inner">
    
    
      <header class="article-header">
        
  
    <h1 itemprop="name">
      <a class="article-title" href="/2017/05/30/Windows-Logical-EoP-Workshop-Writeup/">Windows Logical EoP Workshop Writeup</a>
    </h1>
  

      </header>
    
    <div class="article-entry" itemprop="articleBody">
      
        <p>Yuebin Sun(<a target="_blank" rel="noopener" href="https://twitter.com/yuebinsun2020">@yuebinsun2020</a>)</p>
<p>这份文档是对 James Forshaw 2017 年公开的 《Windows Logical EoP Workshop》 逻辑漏洞本地提权 Workshop 的分析调试笔记。</p>
<ul>
<li><p>Workshop PPT: <a target="_blank" rel="noopener" href="https://conference.hitb.org/hitbsecconf2017ams/materials/D2T3%20-%20James%20Forshaw%20-%20Introduction%20to%20Logical%20Privilege%20Escalation%20on%20Windows.pdf">https://conference.hitb.org/hitbsecconf2017ams/materials/D2T3%20-%20James%20Forshaw%20-%20Introduction%20to%20Logical%20Privilege%20Escalation%20on%20Windows.pdf</a></p>
</li>
<li><p>Workshop 源码： <a target="_blank" rel="noopener" href="https://github.com/tyranid/windows-logical-eop-workshop">https://github.com/tyranid/windows-logical-eop-workshop</a></p>
</li>
</ul>
<h2 id="1-环境搭建"><a href="#1-环境搭建" class="headerlink" title="1 环境搭建"></a>1 环境搭建</h2><h3 id="1-1-虚拟机快照一次"><a href="#1-1-虚拟机快照一次" class="headerlink" title="1.1 虚拟机快照一次"></a>1.1 虚拟机快照一次</h3><p>如果方便，建议生成一次系统快照，方便实验结束之后恢复系统环境</p>
<h3 id="1-2-关闭驱动签名验证，以便测试自己编写的驱动"><a href="#1-2-关闭驱动签名验证，以便测试自己编写的驱动" class="headerlink" title="1.2 关闭驱动签名验证，以便测试自己编写的驱动"></a>1.2 关闭驱动签名验证，以便测试自己编写的驱动</h3><p>只有关闭了这个签名验证的保护，Windows 系统才允许加载用户自己编写的驱动。另外，这个特性是针对 64 位 Windows 8&#x2F;10 的，如果用的是 32 位系统，可以忽略。</p>
<p>管理员权限运行：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">C:\Windows\system32&gt;Bcdedit.exe -set TESTSIGNING ON</span><br><span class="line">操作成功完成。</span><br><span class="line"></span><br><span class="line">C:\Windows\system32&gt;</span><br></pre></td></tr></table></figure>
        
          <p class="article-more-link">
            <a href="/2017/05/30/Windows-Logical-EoP-Workshop-Writeup/#more">Read More</a>
          </p>
        
      
    </div>
    <footer class="article-footer">
      <a data-url="https://rekken.github.io/2017/05/30/Windows-Logical-EoP-Workshop-Writeup/" data-id="clqrrbkft000bqxw0g38tb04b" class="article-share-link">Share</a>
      
      
    </footer>
  </div>
  
</article>


  
    <article id="post-hello-hexo" class="article article-type-post" itemscope itemprop="blogPost">
  <div class="article-meta">
    <a href="/2017/01/01/hello-hexo/" class="article-date">
  <time datetime="2017-01-01T05:29:29.000Z" itemprop="datePublished">2017-01-01</time>
</a>
    
  </div>
  <div class="article-inner">
    
    
      <header class="article-header">
        
  
    <h1 itemprop="name">
      <a class="article-title" href="/2017/01/01/hello-hexo/">Hello Hexo</a>
    </h1>
  

      </header>
    
    <div class="article-entry" itemprop="articleBody">
      
        <p>KNOCK KNOCK KNOCK</p>

      
    </div>
    <footer class="article-footer">
      <a data-url="https://rekken.github.io/2017/01/01/hello-hexo/" data-id="clqrrbkfs0007qxw0cw2p1hmi" class="article-share-link">Share</a>
      
      
    </footer>
  </div>
  
</article>


  


</section>
        
          <aside id="sidebar">
  
    

  
    
  <div class="widget-wrap">
    <h3 class="widget-title">Tags</h3>
    <div class="widget">
      <ul class="tag-list" itemprop="keywords"><li class="tag-list-item"><a class="tag-list-link" href="/tags/macOS/" rel="tag">macOS</a></li></ul>
    </div>
  </div>


  
    
  <div class="widget-wrap">
    <h3 class="widget-title">Tag Cloud</h3>
    <div class="widget tagcloud">
      <a href="/tags/macOS/" style="font-size: 10px;">macOS</a>
    </div>
  </div>

  
    
  <div class="widget-wrap">
    <h3 class="widget-title">Archives</h3>
    <div class="widget">
      <ul class="archive-list"><li class="archive-list-item"><a class="archive-list-link" href="/archives/2020/05/">May 2020</a></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2020/02/">February 2020</a></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2019/03/">March 2019</a></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2017/07/">July 2017</a></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2017/05/">May 2017</a></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2017/01/">January 2017</a></li></ul>
    </div>
  </div>


  
    
  <div class="widget-wrap">
    <h3 class="widget-title">Recent Posts</h3>
    <div class="widget">
      <ul>
        
          <li>
            <a href="/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/">Security Flaws in Adobe Acrobat Reader Allow Malicious Program to Gain Root on macOS Silently</a>
          </li>
        
          <li>
            <a href="/2020/02/26/macOS-Security-Framework-and-Previous-CVEs-EN/">macOS Security Framework and previous CVEs</a>
          </li>
        
          <li>
            <a href="/2020/02/26/macOS-Security-Framework-and-Previous-CVEs-CN/">macOS Security Framework and previous CVEs</a>
          </li>
        
          <li>
            <a href="/2019/03/31/Analysis-of-Microsoft-Edge-Chakra-OP-NewScObjArray-Type-Confusion-Vulnerability/">Microsoft Edge Chakra OP_NewScObjArray 类型混淆漏洞分析笔记</a>
          </li>
        
          <li>
            <a href="/2017/07/23/Analysis-and-Exploitation-of-GeekPwn-2016-Windows-Services-EoP-Vulnerability/">GeekPwn 2016 Windows 服务提权漏洞的分析和利用</a>
          </li>
        
      </ul>
    </div>
  </div>

  
</aside>
        
      </div>
      <footer id="footer">
  
  <div class="outer">
    <div id="footer-info" class="inner">
      &copy; 2023 Yuebin Sun<br>
      Powered by <a href="http://hexo.io/" target="_blank">Hexo</a>
    </div>
  </div>
</footer>
    </div>
    <nav id="mobile-nav">
  
    <a href="/" class="mobile-nav-link">Home</a>
  
    <a href="/archives" class="mobile-nav-link">Archives</a>
  
    <a href="/about" class="mobile-nav-link">About</a>
  
</nav>
    

<script src="//ajax.googleapis.com/ajax/libs/jquery/2.0.3/jquery.min.js"></script>


  
<link rel="stylesheet" href="/fancybox/jquery.fancybox.css">

  
<script src="/fancybox/jquery.fancybox.pack.js"></script>




<script src="/js/script.js"></script>




  </div>
</body>
</html>