Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Trusteer Rapport memory selfcheck bypass
From: saw saw <dovakin_saw () hotmail com>
Date: Sat, 3 Aug 2013 20:17:20 +0000

 # Exploit Title: Trusteer Rapport memory selfcheck bypass
 # Date: 29.07.2013
 # Exploit Author: dovakin
 # Vendor Homepage: http://www.trusteer.com
 # Software Link: https://www.trusteer.com/download-trusteer-rapport?
 # Version: <= 1208.41
 # Tested on: Win 7 Prosessional English x32 

Trusteer Rapport allows to make memory modification in the context of critical process and turn off Rapport's selfcheck 
unhooking and intercepting system Api's

Unsafe subroutine IsApiPatched in RapportGP.dll module. We can easily modificate memory of patch checking routine in 
order to disable Rapport's userhooks replacement checks.

; =============== S U B  R O U T  I N E =======================================

IsApiPatched    proc near

arg_0        = dword    ptr  4
arg_4        = dword    ptr  8

        push    ebx
        mov    ebx, [esp+4+arg_0]
        push    ebp
        push    esi
        mov    esi, [esp+0Ch+arg_4]
        mov    eax, [esi]
        mov    edx, [eax+10h]
        push    edi
        mov    ebp, ecx
        push    ebx
        mov    ecx, esi
        call    edx
        mov    edi, eax
        test    edi, edi
        jz    GoodGuy        ; !!! jump to IsApiPatched always returns ok
        push    offset aPerformingPatc ; "Performing patch fix."
        push    offset aPatch_sentry_0 ; "patch_sentry_policy_fix_and_report_if_p"...
        push    offset a_Patch_sentryP ; ".\\patch_sentry\\patching_sentry_reporter"...
        push    1
        call    sub_CD0CA0
        mov    eax, [esi]
        mov    edx, [eax+14h]
        add    esp, 10h
        push    edi
        push    ebx
        mov    ecx, esi
        call    edx        ; !!! restore hooked Api
        mov    bl, al
        test    bl, bl
        jnz    short loc_CA690F
        push    offset aPatchFixFailed ; "Patch    fix failed."
        push    offset aPatch_sentry_0 ; "patch_sentry_policy_fix_and_report_if_p"...
        push    offset a_Patch_sentr_0 ; ".\\patch_sentry\\patching_sentry_reporter"...
        push    4
        jmp    short loc_CA6920
; ---------------------------------------------------------------------------

loc_CA690F:                ; CODE XREF: IsApiPatched+4Aj
        push    offset aPatchFixDone_ ;    "Patch fix done."
        push    offset aPatch_sentry_0 ; "patch_sentry_policy_fix_and_report_if_p"...
        push    offset a_Patch_sentr_1 ; ".\\patch_sentry\\patching_sentry_reporter"...
        push    1

loc_CA6920:                ; CODE XREF: IsApiPatched+5Dj
        call    sub_CD0CA0
        add    esp, 10h
        cmp    dword ptr [ebp+4], 0
        jz    short loc_CA6961
        push    offset aReportingPatch ; "Reporting patch."
        push    offset aPatch_sentry_0 ; "patch_sentry_policy_fix_and_report_if_p"...
        push    offset a_Patch_sentr_2 ; ".\\patch_sentry\\patching_sentry_reporter"...
        push    1
        call    sub_CD0CA0
        add    esp, 10h
        test    bl, bl
        mov    ecx, offset aFixed ; "fixed"
        jnz    short loc_CA6955
        mov    ecx, offset aErrors_during_ ; "errors_during_fix"

loc_CA6955:                ; CODE XREF: IsApiPatched+9Ej
        mov    eax, [ebp+4]
        push    edi
        push    eax
        mov    edx, esi
        call    sub_CA6430

loc_CA6961:                ; CODE XREF: IsApiPatched+7Cj
        mov    edx, [edi]
        mov    eax, [edx]
        push    1
        mov    ecx, edi
        call    eax

GoodGuy:                ; CODE XREF: IsApiPatched+1Cj
        pop    edi
        pop    esi
        pop    ebp
        pop    ebx
        retn    8
IsApiPatched    endp

; ---------------------------------------------------------------------------

Included PoC sourcecodes and screenshots of Rapport selfcheck disabling and paypal and hotmail password grabbing further
# PoC sources: rapport_mem_selfcheck_bypass.zip
# screenshots: trusteer_password_grabbing_screenshots.zip
# video demo: trusteer_password_grabbing_video.avi

Attachment: trusteer_password_grabbing_screenshots.zip

Attachment: trusteer_password_grabbing_video.zip

Attachment: rapport_mem_selfcheck_bypass.zip

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Trusteer Rapport memory selfcheck bypass saw saw (Aug 04)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]