You have been exploited!

标题: NTFS DoS备忘 EagleWire在packetstorm上分享了一个NTFS DoS，可以通过HTML触发。要点就是显式打开C:/$MFT/Anything，引起一个死锁。 -------------------------------------------------------------------------- The master file table, or MFT, is a hidden file in the NTFS file system. It maps out all files in the drive. It is supposed to be protected from any user access because all files that use NTFS have a reference to it. If the directory is recreated, the system will lock the file until the next reboot. Therefore, for example, when trying to create a file or read the volume of files, NTFS attempts to seize ERESOURCE $MFT file and will hang at this stage forever. -------------------------------------------------------------------------- You have been exploited! -------------------------------------------------------------------------- 如果想用windbg探究一下，可以在本地执行 $ notepad "C:\$MFT\Anything" 务必确保已经开启内核调试。我对NTFS从未深究过，本来想用windbg简单调试一下，看看死锁是如何产生的，但水平有限，未能搞清楚。提个很low的问题，在kd中已知某线程在等待某IoCompletion对象，如何知道这个 IoCompletion对象原来对应何种I/O操作，或者说是什么I/O挂住了，导致相应线程始终等待中。!locks对此问题无帮助。我就想知道如何继续调试下去。从EagleWire的描述看，每当访问NTFS文件系统上的文件、目录时，都会操作$MFT，在此过程中会对之加锁。关于MFT，参看: Master File Table https://msdn.microsoft.com/en-us/library/windows/desktop/aa365230(v=vs.85).aspx -------------------------------------------------------------------------- The MFT contains one record for each file on the volume, including a record for the MFT itself. In addition to the MFT, each NTFS volume includes a set of metadata files containing the information that is used to implement the file system structure. Each of these NTFS metadata files has a name that begins with a dollar sign ($), and is hidden. For example, the file name of the MFT is $MFT. $MFT MFT $MFTMirr MFT mirror $LogFile Log file \ Root directory $Volume Volume file $AttrDef Attribute definition table $BitMap Volume cluster allocation file $Boot Boot sector $BadClus Bad-cluster file $Extend Extended metadata directory $Secure Security settings file $UpCase Uppercase character mapping $Extend\$Quota Quota information $Extend\$ObjId Distributed link tracking information $Extend\$RmMetadata\$Repair RM repair information $Extend\$Reparse Back references to reparse points $Extend\$RmMetadata RM metadata directory $Extend\$RmMetadata\$TxfLog TxF log directory $Extend\$RmMetadata\$Txf TxF metadata directory $Extend\$RmMetadata\$TxfLog\$Tops TOPS file $Extend\$RmMetadata\$TxfLog\$TxfLog.blf TxF BLF $TxfLogContainer00000000000000000001 $TxfLogContainer00000000000000000002 Usually, each MFT record corresponds to a different file. If a file has a large number of attributes or becomes highly fragmented, however, more than one record might be needed for a single file. In such cases, the first MFT record, which stores the locations of the others, is called the base file record. The MFT's own file record is the first entry in the table; the second file record points to a file located in the middle of the disk called the MFT mirror (file name $MFTMirr) that contains a copy of the first four rows of the MFT. This partial copy of the MFT is used to locate metadata files if part of the MFT file can't be read for some reason. Another entry in the MFT is reserved for the root directory (also known as "\"; for example, C:\). Its file record contains an index of the files and directories stored in the root of the NTFS directory structure. When NTFS is first asked to open a file, it begins its search for the file in the root directory's file record. After opening a file, NTFS stores the file's MFT record number so that it can directly access the file's MFT record when it reads and writes the file later. --------------------------------------------------------------------------