# Exploit Title: Trusteer Rapport memory selfcheck bypass
# Date: 29.07.2013
# Exploit Author: dovakin
# Vendor Homepage: http://www.trusteer.com
# Software Link: https://www.trusteer.com/download-trusteer-rapport?
# Version: <= 1208.41
# Tested on: Win 7 Professional English x32

Trusteer Rapport allows memory modification in the context of its critical process, which makes it possible to turn off Rapport's self-check of its unhooking and interception of system APIs.

The unsafe subroutine is IsApiPatched in the RapportGP.dll module. The memory of the patch-checking routine can easily be modified in order to disable Rapport's user-hook replacement checks.

; =============== S U B R O U T I N E =======================================
IsApiPatched proc near
arg_0 = dword ptr 4
arg_4 = dword ptr 8
        push ebx
        mov ebx, [esp+4+arg_0]
        push ebp
        push esi
        mov esi, [esp+0Ch+arg_4]
        mov eax, [esi]
        mov edx, [eax+10h]
        push edi
        mov ebp, ecx
        push ebx
        mov ecx, esi
        call edx
        mov edi, eax
        test edi, edi
        jz GoodGuy ; !!! jump to IsApiPatched always returns ok
        push offset aPerformingPatc ; "Performing patch fix."
        push offset aPatch_sentry_0 ; "patch_sentry_policy_fix_and_report_if_p"...
        push offset a_Patch_sentryP ; ".\\patch_sentry\\patching_sentry_reporter"...
        push 1
        call sub_CD0CA0
        mov eax, [esi]
        mov edx, [eax+14h]
        add esp, 10h
        push edi
        push ebx
        mov ecx, esi
        call edx ; !!! restore hooked Api
        mov bl, al
        test bl, bl
        jnz short loc_CA690F
        push offset aPatchFixFailed ; "Patch fix failed."
        push offset aPatch_sentry_0 ; "patch_sentry_policy_fix_and_report_if_p"...
        push offset a_Patch_sentr_0 ; ".\\patch_sentry\\patching_sentry_reporter"...
        push 4
        jmp short loc_CA6920
; ---------------------------------------------------------------------------
loc_CA690F: ; CODE XREF: IsApiPatched+4Aj
        push offset aPatchFixDone_ ; "Patch fix done."
        push offset aPatch_sentry_0 ; "patch_sentry_policy_fix_and_report_if_p"...
        push offset a_Patch_sentr_1 ; ".\\patch_sentry\\patching_sentry_reporter"...
        push 1
loc_CA6920: ; CODE XREF: IsApiPatched+5Dj
        call sub_CD0CA0
        add esp, 10h
        cmp dword ptr [ebp+4], 0
        jz short loc_CA6961
        push offset aReportingPatch ; "Reporting patch."
        push offset aPatch_sentry_0 ; "patch_sentry_policy_fix_and_report_if_p"...
        push offset a_Patch_sentr_2 ; ".\\patch_sentry\\patching_sentry_reporter"...
        push 1
        call sub_CD0CA0
        add esp, 10h
        test bl, bl
        mov ecx, offset aFixed ; "fixed"
        jnz short loc_CA6955
        mov ecx, offset aErrors_during_ ; "errors_during_fix"
loc_CA6955: ; CODE XREF: IsApiPatched+9Ej
        mov eax, [ebp+4]
        push edi
        push eax
        mov edx, esi
        call sub_CA6430
loc_CA6961: ; CODE XREF: IsApiPatched+7Cj
        mov edx, [edi]
        mov eax, [edx]
        push 1
        mov ecx, edi
        call eax
GoodGuy: ; CODE XREF: IsApiPatched+1Cj
        pop edi
        pop esi
        pop ebp
        pop ebx
        retn 8
IsApiPatched endp
; ---------------------------------------------------------------------------

PoC source code and screenshots of disabling the Rapport self-check and of PayPal and Hotmail password grabbing are included below:
# PoC sources: rapport_mem_selfcheck_bypass.zip
# screenshots: trusteer_password_grabbing_screenshots.zip
# video demo: trusteer_password_grabbing_video.avi
Attachment:
trusteer_password_grabbing_screenshots.zip
Description: Zip archive
Attachment:
trusteer_password_grabbing_video.zip
Description: Zip archive
Attachment:
rapport_mem_selfcheck_bypass.zip
Description: Zip archive