Vulnerability in the Cheetah Free Wi-Fi driver (liebaonat_xp.sys)
Liebaonat_xp.sys, the driver shipped with the desktop version of Cheetah Free Wi-Fi, has an arbitrary address write vulnerability. The write address is controllable, which can be used to execute arbitrary code in the kernel.
When the IoControlCode sent to the liebaonat_xp.sys device is 0x830020F0, the driver does not strictly verify its input and output parameters. The result is an arbitrary address write in which the write address is controllable and the write length is 4 bytes, which can be used to execute arbitrary code in the kernel.
For IoControlCode 0x830020F0, InputBuffer is a kernel address pointer that can be predicted, or even enumerated, from user mode, and InputBufferSize is sizeof(PVOID); the OutputBuffer and OutputBufferSize that the driver checks correspond to a 4-byte user-mode address. This combination is what causes the vulnerability.
```c
#include <ndis.h>

// Decompiled dispatch routine of liebaonat_xp.sys, vulnerable as shipped.
NTSTATUS __stdcall DeviceDispatch(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation(Irp);
    NTSTATUS Status = STATUS_SUCCESS;
    // METHOD_BUFFERED: input and output share the same system buffer.
    PVOID* inputBuffer   = Irp->AssociatedIrp.SystemBuffer;
    PVOID* outputBuffer  = Irp->AssociatedIrp.SystemBuffer;
    ULONG  InputBufLength = irpSp->Parameters.DeviceIoControl.InputBufferLength;
    ULONG  IoControlCode  = irpSp->Parameters.DeviceIoControl.IoControlCode;

    if (IoControlCode == 0x830020F0)
    {
        if (InputBufLength >= 4) // wowo.... the only check is the length, never the pointer value
        {
            // *inputBuffer is a caller-supplied kernel address and is used as-is.
            // CheckExploit is the name used here for the helper that consumes it.
            PVOID* lpBuf = CheckExploit(*inputBuffer, &IoControlCode);
            if (lpBuf)
            {
                *outputBuffer = lpBuf[143];
                Status = STATUS_SUCCESS;
            }
            else
            {
                Status = NDIS_STATUS_ADAPTER_NOT_FOUND;
            }
            Irp->IoStatus.Status = Status;
            Irp->IoStatus.Information = 4;
            return Status;
        }
    }
    ...
}
```
Example program: executes 0xEB 0xFE (a jump to itself) to put a kernel thread into an endless loop; download link http://pan.baidu.com/s/1pJFy783
Solution:
Strictly verify the input and output buffer addresses and sizes (including the kernel pointer passed in InputBuffer) before using them.
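As an added illustration of that fix, the following is a user-mode C model of a hardened dispatch path; it is example code written for this page, not the driver's own code. It assumes a driver-owned adapter table addressed by an opaque id instead of a raw kernel pointer, and the ADAPTER struct and the status constants are placeholders rather than the real NTSTATUS/NDIS values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed user-mode model of a hardened dispatch path; not the driver's code. */
#define IOCTL_LIEBAO_QUERY            0x830020F0u
#define STATUS_SUCCESS                0
#define STATUS_INVALID_PARAMETER      (-1)   /* placeholder, not the real NTSTATUS value */
#define STATUS_BUFFER_TOO_SMALL       (-2)
#define NDIS_STATUS_ADAPTER_NOT_FOUND (-3)
/* Hypothetical adapter record; 'value' stands in for the lpBuf[143] field. */
typedef struct { uint32_t id; uint32_t value; } ADAPTER;
static ADAPTER g_adapters[] = { { 1, 0x11111111u }, { 2, 0x22222222u } };
/* Resolve an opaque id to a driver-owned object: no caller-supplied pointer is dereferenced. */
static const ADAPTER *LookupAdapter(uint32_t id) {
    for (size_t i = 0; i < sizeof g_adapters / sizeof g_adapters[0]; i++)
        if (g_adapters[i].id == id) return &g_adapters[i];
    return NULL;
}
/* Hardened handler: exact input length, minimum output length, and an opaque id
   instead of a raw kernel address. 'written' may be NULL. */
int HandleIoctl(uint32_t code, const void *in, size_t inLen,
                void *out, size_t outLen, size_t *written) {
    if (written) *written = 0;
    if (code != IOCTL_LIEBAO_QUERY) return STATUS_INVALID_PARAMETER;
    if (in == NULL || inLen != sizeof(uint32_t)) return STATUS_INVALID_PARAMETER;
    if (out == NULL || outLen < sizeof(uint32_t)) return STATUS_BUFFER_TOO_SMALL;
    uint32_t id;
    memcpy(&id, in, sizeof id);              /* copy the value; never alias the caller's buffer */
    const ADAPTER *a = LookupAdapter(id);
    if (a == NULL) return NDIS_STATUS_ADAPTER_NOT_FOUND;
    memcpy(out, &a->value, sizeof a->value);
    if (written) *written = sizeof a->value;
    return STATUS_SUCCESS;
}
/* Exercises the accept and reject paths; returns the number of checks that passed (4 expected). */
int SelfTest(void) {
    int ok = 0; uint32_t out = 0, id = 2; size_t w = 0; uint8_t tiny[2];
    uint64_t fakePtr = 0x8000000012345678ull;   /* constructed "kernel address" */
    ok += HandleIoctl(IOCTL_LIEBAO_QUERY, &id, sizeof id, &out, sizeof out, &w) == STATUS_SUCCESS
          && out == 0x22222222u && w == 4;
    ok += HandleIoctl(IOCTL_LIEBAO_QUERY, &fakePtr, sizeof fakePtr, &out, sizeof out, &w) == STATUS_INVALID_PARAMETER;
    ok += HandleIoctl(IOCTL_LIEBAO_QUERY, &id, sizeof id, tiny, sizeof tiny, &w) == STATUS_BUFFER_TOO_SMALL;
    id = 9;
    ok += HandleIoctl(IOCTL_LIEBAO_QUERY, &id, sizeof id, &out, sizeof out, &w) == NDIS_STATUS_ADAPTER_NOT_FOUND;
    return ok;
}
```

On 32-bit XP a pointer is also 4 bytes, so the length check alone cannot tell an id from an address; the lookup by id is what removes the controllable dereference.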