Message-ID: <BAY174-W77107F61BBA4CB89E87AA85520@phx.gbl>
Date: Sat, 3 Aug 2013 20:17:20 +0000
From: saw saw <dovakin_saw@...mail.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Trusteer Rapport memory selfcheck bypass
# Exploit Title: Trusteer Rapport memory selfcheck bypass
# Date: 29.07.2013
# Exploit Author: dovakin
# Vendor Homepage: http://www.trusteer.com
# Software Link: https://www.trusteer.com/download-trusteer-rapport?
# Version: <= 1208.41
# Tested on: Win 7 Professional English x32
Trusteer Rapport allows memory modification within the context of a critical process, which makes it possible to turn off Rapport's self-check for the unhooking and interception of system APIs.
The unsafe subroutine is IsApiPatched in the RapportGP.dll module. The memory of this patch-checking routine can easily be modified in order to disable Rapport's user-hook replacement checks.
; =============== S U B R O U T I N E =======================================
; IsApiPatched -- IDA listing (32-bit x86, MASM syntax) from RapportGP.dll.
; Convention as visible here: an implicit object pointer arrives in ecx
; (saved in ebp; only its dword at +4 is read), two stack args (arg_0,
; arg_4), and `retn 8` (callee pops the args).  thiscall-like -- confirm
; against callers before relying on it.
; In:   ecx   = object; [ecx+4] gates the "Reporting patch." path
;       arg_0 = opaque value forwarded to both indirect calls through [esi]
;       arg_4 = object with a pointer table at [arg_4]; slots +10h and
;               +14h are the two routines called below
; Out:  eax = 0 on the early-exit path (check result was zero); otherwise
;       whatever the final indirect call through [[edi]] leaves there --
;       eax is never set explicitly before GoodGuy.
; Preserves ebx, ebp, esi, edi (pushed/popped); clobbers eax, ecx, edx, flags.
; The author's point (see the !!! comments): the whole fix/report path is
; gated by the single conditional branch after the check call, so the
; integrity of this routine's own code is what the advisory text says is
; not protected.
IsApiPatched proc near
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0] ; ebx = arg_0 (one push so far, hence +4)
push ebp
push esi
mov esi, [esp+0Ch+arg_4] ; esi = arg_4 (three pushes so far, hence +0Ch)
mov eax, [esi] ; eax = pointer table of the arg_4 object
mov edx, [eax+10h] ; edx = table slot +10h: the patch-check routine
push edi
mov ebp, ecx ; ebp = this (implicit ecx argument)
push ebx
mov ecx, esi
call edx ; [[esi]+10h](arg_0) with ecx = esi; check result returned in eax
mov edi, eax ; edi = check result, kept live for the rest of the routine
test edi, edi
jz GoodGuy ; !!! jump to IsApiPatched always returns ok -- zero result skips fix and report entirely
push offset aPerformingPatc ; "Performing patch fix."
push offset aPatch_sentry_0 ; "patch_sentry_policy_fix_and_report_if_p"...
push offset a_Patch_sentryP ; ".\\patch_sentry\\patching_sentry_reporter"...
push 1
call sub_CD0CA0 ; sub_CD0CA0(1, file, function, message): 4 dword args, caller-cleaned; presumably a logging routine
mov eax, [esi]
mov edx, [eax+14h] ; edx = table slot +14h: the fix routine
add esp, 10h ; pop the four logger args
push edi
push ebx
mov ecx, esi
call edx ; !!! restore hooked Api -- [[esi]+14h](arg_0, check result) with ecx = esi; status in al
mov bl, al ; bl = fix status (nonzero = success); ebx is not used as a whole after this
test bl, bl
jnz short loc_CA690F ; success => "Patch fix done."
push offset aPatchFixFailed ; "Patch fix failed."
push offset aPatch_sentry_0 ; "patch_sentry_policy_fix_and_report_if_p"...
push offset a_Patch_sentr_0 ; ".\\patch_sentry\\patching_sentry_reporter"...
push 4 ; failure log passes 4 where every other log here passes 1
jmp short loc_CA6920 ; share the logger call below
; ---------------------------------------------------------------------------
loc_CA690F: ; CODE XREF: IsApiPatched+4A.j
push offset aPatchFixDone_ ; "Patch fix done."
push offset aPatch_sentry_0 ; "patch_sentry_policy_fix_and_report_if_p"...
push offset a_Patch_sentr_1 ; ".\\patch_sentry\\patching_sentry_reporter"...
push 1
loc_CA6920: ; CODE XREF: IsApiPatched+5D.j -- common logger call for both fix outcomes
call sub_CD0CA0
add esp, 10h
cmp dword ptr [ebp+4], 0 ; [this+4] == 0 => no reporting, jump straight to cleanup
jz short loc_CA6961
push offset aReportingPatch ; "Reporting patch."
push offset aPatch_sentry_0 ; "patch_sentry_policy_fix_and_report_if_p"...
push offset a_Patch_sentr_2 ; ".\\patch_sentry\\patching_sentry_reporter"...
push 1
call sub_CD0CA0
add esp, 10h
test bl, bl
mov ecx, offset aFixed ; "fixed" -- default status string (mov preserves flags)
jnz short loc_CA6955
mov ecx, offset aErrors_during_ ; "errors_during_fix" -- used when the fix status was zero
loc_CA6955: ; CODE XREF: IsApiPatched+9E.j
mov eax, [ebp+4]
push edi ; second stack arg: check result
push eax ; first stack arg: [this+4]
mov edx, esi ; edx = arg_4 object
call sub_CA6430 ; sub_CA6430(ecx = status string, edx = esi, [this+4], check result); no stack adjust follows, so the callee presumably pops -- confirm
loc_CA6961: ; CODE XREF: IsApiPatched+7C.j
mov edx, [edi] ; pointer table of the check-result object (edi != 0 on every path that reaches here)
mov eax, [edx] ; slot 0
push 1
mov ecx, edi
call eax ; [[edi]+0](1) with ecx = edi; slot 0 with a flag of 1 looks like a release/deleting-destructor call -- TODO confirm
GoodGuy: ; CODE XREF: IsApiPatched+1C.j -- shared epilogue
pop edi
pop esi
pop ebp
pop ebx
retn 8 ; callee pops the two dword args
IsApiPatched endp
; ---------------------------------------------------------------------------
PoC source code and screenshots of disabling the Rapport self-check, and of PayPal and Hotmail password grabbing, are included below.
# PoC sources: rapport_mem_selfcheck_bypass.zip
# screenshots: trusteer_password_grabbing_screenshots.zip
# video demo: trusteer_password_grabbing_video.avi
Download attachment "trusteer_password_grabbing_screenshots.zip" of type "application/zip" (399834 bytes)
Download attachment "trusteer_password_grabbing_video.zip" of type "application/zip" (4816340 bytes)
Download attachment "rapport_mem_selfcheck_bypass.zip" of type "application/zip" (99326 bytes)