what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ATool 1.0.0.22 Stack Buffer Overflow

ATool 1.0.0.22 Stack Buffer Overflow
Posted Dec 1, 2018
Authored by Aloyce J. Makalanga

ATool version 1.0.0.2 suffers from a stack buffer overflow vulnerability.

tags | advisory, overflow
advisories | CVE-2018-19650
SHA-256 | 3992344cd58472696df7add8f8224981b55a3faa4fce723f42f045482c5a9a6d

ATool 1.0.0.22 Stack Buffer Overflow

Change Mirror Download
# Exploit Title: Kernel stack buffer overflow ATool - 1.0.0.22 (0day)
# CVE: CVE-2018-19650
# Date: 28-11-2018
# Software Link: http://www.antiy.net/ <http://www.antiy.net/
# Exploit Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr <https://twitter.com/aloycemjr>
# Vendor Homepage: http://www.antiy.net/ <http://www.antiy.net/
# Category: Windows
# Attack Type: local
# Impact:Code execution/Denial of Service/Escalation of Privileges


1. Description

Local attackers can trigger a stack-based buffer overflow on vulnerable installations of Antiy-AVL IATool security management v1.0.0.22. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the processing of IOCTL 0x80002000 by the IRPFile.sys Antiy-AVL IATool kernel driver. The bug is caused by failure to properly validate the length of the user-supplied data, which results in a kernel stack buffer overflow. An attacker can leverage this vulnerability to execute arbitrary code in the context of the kernel, which could lead to privilege escalation and a failed exploit could lead to denial of service



2. Proof of Concept


** Fatal System Error: 0x000000f7
(0x00000000,0x00000000,0x00000000,0x00000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.


*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck F7, {0, 0, 0, 0}

0: kd!analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: 00000000, Actual security check cookie from the stack
Arg2: 00000000, Expected security check cookie
Arg3: 00000000, Complement of the expected security check cookie
Arg4: 00000000, zero

Debugging Details:
------------------

..snip...

SYMSRV: UNC: c:\mss\IRPFile.sys\488458088000\IRPFile.sys - path not found
SYMSRV: UNC: c:\mss\IRPFile.sys\488458088000\IRPFile.sy_ - path not found
SYMSRV: UNC: c:\mss\IRPFile.sys\488458088000\file.ptr - path not found
SYMSRV: HTTPGET: /download/symbols/IRPFile.sys/488458088000/IRPFile.sys
SYMSRV: HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV: HTTPGET: /download/symbols/IRPFile.sys/488458088000/IRPFile.sy_
SYMSRV: HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV: HTTPGET: /download/symbols/IRPFile.sys/488458088000/file.ptr
SYMSRV: HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV: RESULT: 0x80190194
SYMSRV: BYINDEX: 0x19
c:\mss*http://msdl.microsoft.com/download/symbols <http://msdl.microsoft.com/download/symbols>
IRPFile.sys
488458088000 <tel:488458088000>
SYMSRV: UNC: c:\mss\IRPFile.sys\488458088000\IRPFile.sys - path not found
SYMSRV: UNC: c:\mss\IRPFile.sys\488458088000\IRPFile.sy_ - path not found
SYMSRV: UNC: c:\mss\IRPFile.sys\488458088000\file.ptr - path not found
SYMSRV: HTTPGET: /download/symbols/IRPFile.sys/488458088000/IRPFile.sys
SYMSRV: HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV: HTTPGET: /download/symbols/IRPFile.sys/488458088000/IRPFile.sy_
SYMSRV: HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV: HTTPGET: /download/symbols/IRPFile.sys/488458088000/file.ptr
SYMSRV: HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV: RESULT: 0x80190194

...snip...

STACK_TEXT:
8f7d04fc 82af5083 00000003 af12dd69 00000065 nt!RtlpBreakWithStatusInstruction
8f7d054c 82af5b81 00000003 8f7d0b15 874a2a05 nt!KiBugCheckDebugBreak+0x1c
8f7d0910 82af4f20 000000f7 00000000 00000000 <tel:00000000%2000000000nt!KeBugCheck2+0x68b
8f7d0930 96187807 000000f7 00000000 00000000 <tel:00000000%2000000000nt!KeBugCheckEx+0x1e
WARNING: Stack unwind information not available. Following frames may be wrong.
8f7d0b14 82c4199f 874a2a80 87753d88 87753df8 IRPFile+0x1807


..snip..

003afba8 770e37f5 7ffdf000 772e46c0 00000000 kernel32!BaseThreadInitThunk+0xe
003afbe8 770e37c8 1c6113a4 7ffdf000 00000000 ntdll!__RtlUserThreadStart+0x70
003afc00 00000000 1c6113a4 7ffdf000 00000000 ntdll!_RtlUserThreadStart+0x1b


THREAD_SHA1_HASH_MOD_FUNC: e0510aa415746c9a78568dbc25f2ae05829414f7

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: cba5c81684013091d113a710f0d0512cbfe72fe3

THREAD_SHA1_HASH_MOD: 193e9dae344f68597c220997816646d6a31bcd0f

FOLLOWUP_IP:
IRPFile+1807
96187807 cc int 3

FAULT_INSTR_CODE: d3bcc

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: IRPFile+1807

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: IRPFile

IMAGE_NAME: IRPFile.sys

...snip...

FAILURE_ID_HASH_STRING: km:0xf7_missing_gsframe_irpfile+1807

FAILURE_ID_HASH: {9c4ca7bc-8950-996e-25be-b021c1c0c08a}

Followup: MachineOwner







3. Solution:

None


Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close