
WINAPI

360 Security Guard breg device drivers Privilege Escalation Vulnerability

POC:

#include <windows.h>

typedef BOOL (WINAPI *INIT_REG_ENGINE)();
typedef LONG (WINAPI *BREG_DELETE_KEY)(HKEY hKey, LPCSTR lpSubKey);
typedef LONG (WINAPI *BREG_OPEN_KEY)(HKEY hKey, LPCSTR lpSubKey, PHKEY phkResult);
typedef LONG (WINAPI *BREG_CLOSE_KEY)(HKEY hKey);
typedef LONG (WINAPI *REG_SET_VALUE_EX)(HKEY hKey, LPCSTR lpValueName, DWORD Reserved, DWORD dwType, const BYTE* lpData, DWORD cbData);


Kingsoft WebShield KAVSafe.sys <= 2010.4.14.609(2010.5.23) Kernel Mode Local Privilege Escalation Vulnerability

Kavsafe.sys creates a device called \Device\KAVSafe and handles the DeviceIoControl request IoControlCode = 0x830020d4, which can overwrite arbitrary kernel module data.
 
EXPLOIT CODE:
 
#define IOCTL_HOTPATCH_KERNEL_MODULE CTL_CODE(0x8300 , 0x835 , METHOD_BUFFERED ,FILE_ANY_ACCESS)
typedef LONG (WINAPI *PNT_QUERY_INFORMATION_PROCESS)(
  HANDLE ProcessHandle,
  DWORD ProcessInformationClass,
  PVOID ProcessInformation,
  ULONG ProcessInformationLength,
  PULONG ReturnLength


Re: Sony: The Return Of The Rootkit

> >
> > "The Sony MicroVault USM-F fingerprint reader software that comes with
> > the USB stick installs a driver that is hiding a directory under
> > "c:\windows\". So, when enumerating files and subdirectories in the
> > Windows directory, the directory and files inside it are not visible
> > through Windows API. If you know the name of the directory, it is e.g.
> > possible to enter the hidden directory using Command Prompt and it is
> > possible to create new hidden files. There are also ways to run files
> > from this directory. Files in this directory are also hidden from some
> > antivirus scanners (as with the Sony BMG DRM case) — depending on the
> > techniques employed by the antivirus software. It is therefore

CORE-2007-0930 Path Traversal vulnerability in VMware's shared folders implementation

shared folder using a path traversal attack. The resulting wide character
string converted from 'PathName' is then passed to the file system API on
the Host system.

The conversion is performed using the 'MultiByteToWideChar' function from
the Windows API [5] which maps a character string provided as input to a
wide (Unicode UTF-16) character string.

The call of 'MultiByteToWideChar' to map the 'PathName' to Unicode UTF-16
specifies that the UTF-8 CodePage should be used for the conversion. Since
validation of the input to remove the dot-dot substring is performed

Release of Pass-The-Hash Toolkit for Windows v1.0

administrator's username, domain name, and NTLM hashes. Now go to your
machine, use them with IAM.EXE and compromise the domain controller
using the administrator's credentials.

    * GENHASH.EXE: This is a small utility that generates LM and NT
hashes using some 'undocumented' functions of the Windows API. This is
a small tool to aid testing of IAM.EXE.


Thanks!
Hernan

Micropoint Proactive Defense Mp110013.sys <= 1.3.10123.0 Local Privilege Escalation Exploit

typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG NumberOfHandles;
    SYSTEM_HANDLE_TABLE_ENTRY_INFO Information[ 1 ];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

DWORD WINAPI LegoThread(LPVOID lpThreadParameter)
{
while(TRUE)
{
   Sleep(0x1000);


libc:fts_*():multiple vendors, Denial-of-service

Using the Interix subsystem, you can create a deep directory tree on the NTFS partition.

example:
fts_level -10000

Afterwards, nothing can be done with the malformed directory through the Windows API.
If you try to change permissions or copy the directory, you will hit a lot of bugs (stack overflow etc.).

SearchIndexer.exe will crash many times


XChat 2.8.4-1 - Multiple Vulnerabilities

This vulnerability can be exploited by a malicious person with a simple
click on xchat's icon in the tray bar.
After the click on that icon, xchat will crash.

Windows API used to put the application in the tray bar: Shell_NotifyIcon.

Info registers:

EDI: 0x7ffd6000
EBX: 0x0012d8e8

Code to mitigate IE STYLE zero-day

    }

        return CLASS_E_CLASSNOTAVAILABLE;
} //DllGetClassObject

BOOL WINAPI DllMain(
        HINSTANCE               hinstDLL,
        DWORD                   fdwReason,
        LPVOID                  lpvReserved )
{
        if (fdwReason == DLL_PROCESS_ATTACH)

Re: Sony: The Return Of The Rootkit

"The Sony MicroVault USM-F fingerprint reader software that comes with 
the USB stick installs a driver that is hiding a directory under 
"c:\windows\". So, when enumerating files and subdirectories in the 
Windows directory, the directory and files inside it are not visible 
through Windows API. If you know the name of the directory, it is e.g. 
possible to enter the hidden directory using Command Prompt and it is 
possible to create new hidden files. There are also ways to run files 
from this directory. Files in this directory are also hidden from some 
antivirus scanners (as with the Sony BMG DRM case) — depending on the 
techniques employed by the antivirus software. It is therefore 

Re: Sony: The Return Of The Rootkit

> 
> "The Sony MicroVault USM-F fingerprint reader software that comes with
> the USB stick installs a driver that is hiding a directory under
> "c:\windows\". So, when enumerating files and subdirectories in the
> Windows directory, the directory and files inside it are not visible
> through Windows API. If you know the name of the directory, it is e.g.
> possible to enter the hidden directory using Command Prompt and it is
> possible to create new hidden files. There are also ways to run files
> from this directory. Files in this directory are also hidden from some
> antivirus scanners (as with the Sony BMG DRM case) — depending on the
> techniques employed by the antivirus software. It is therefore

