So, my 0day in Adobe Flash Player has been killed recently, and I'm in the mood to disclose some 0day.
So, the demonstration stand is an Acer Aspire V5 V5-571-6869; this laptop ships with several 3rd party drivers.
And one of them is Wireless Broadcom (Wifi).
So, here are the details of a lame 0day (by the way, it's not exploitable on 64-bit platforms, and tricky to exploit on 32-bit platforms):
filename: bcm42rly.sys
file version: 5.100.196.18 (up to date)
.text:00011E6C ; int __stdcall ioctl_handler(int Status, PIRP Irp)
.text:00011E6C ioctl_handler proc near ; DATA XREF: sub_15006+16Ao
.text:00011E6C
.text:00011E6C Status = dword ptr 8
.text:00011E6C Irp = dword ptr 0Ch
.text:00011E6C
.text:00011E6C mov edi, edi
.text:00011E6E push ebp
.text:00011E6F mov ebp, esp
.text:00011E71 mov eax, [ebp+Irp]
.text:00011E74 mov ecx, [eax+60h]
.text:00011E77 push esi
.text:00011E78 mov esi, [eax+0Ch]
.text:00011E7B push edi
.text:00011E7C mov edi, [ecx+4]
.text:00011E7F mov ecx, [ecx+0Ch]
.text:00011E82 mov edx, 22E01Ch
.text:00011E87 cmp ecx, edx
.text:00011E89 jg short loc_11F00
[..]
.text:00011F00 loc_11F00: ; CODE XREF: ioctl_handler+1Dj
.text:00011F00 sub ecx, 22E020h
.text:00011F06 jz short loc_11F33
[..]
.text:00011F33 loc_11F33: ; CODE XREF: ioctl_handler+9Aj
.text:00011F33 push eax ; Irp
.text:00011F34 push [ebp+Status] ; int
.text:00011F37 call vulnerable
[..]
.text:00011C44 ; int __stdcall vulnerable(int, PIRP Irp)
.text:00011C44 vulnerable proc near ; CODE XREF: ioctl_handler+CBp
.text:00011C44
.text:00011C44 SelectedMediumIndex = dword ptr -0A8h
.text:00011C44 DestinationString = STRING ptr -0A4h
.text:00011C44 AdapterName = UNICODE_STRING ptr -9Ch
.text:00011C44 var_94 = dword ptr -94h
.text:00011C44 OpenErrorStatus = dword ptr -90h
.text:00011C44 Status = dword ptr -8Ch
.text:00011C44 var_88 = dword ptr -88h
.text:00011C44 SourceString = byte ptr -84h <---- array on stack
.text:00011C44 var_4 = dword ptr -4
.text:00011C44 arg_0 = dword ptr 8
.text:00011C44 Irp = dword ptr 0Ch
.text:00011C44
.text:00011C44 mov edi, edi
[..]
.text:00011CF7 loc_11CF7: ; CODE XREF: vulnerable+95j
.text:00011CF7 push dword ptr [esi+0Ch] <--- our buffer
.text:00011CFA lea eax, [ebp+SourceString]
.text:00011D00 push offset aDeviceS ; "\\Device\\%s"
.text:00011D05 push eax ; char *
.text:00011D06 call ds:sprintf <--- no check of size!!!
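The bug the listing shows is a fixed stack array (SourceString) being filled by sprintf("\\Device\\%s", ...) from the IOCTL input buffer with nothing bounding the write. The C below is an added example, not part of the paste and not code from the Broadcom driver: it mirrors the unchecked pattern next to a hardened form with the two checks a driver should do before formatting (the input is NUL-terminated within its declared length, and the name fits the destination). The 0x80-byte buffer size is an assumption inferred from the frame layout (SourceString at ebp-0x84, var_4 at ebp-0x4); every function name and sample input is constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the SourceString stack array: the listing places it at
 * ebp-0x84 and the next local (var_4) at ebp-0x4, so 0x80 bytes lie between. */
#define SOURCE_STRING_SIZE 0x80
#define DEVICE_PREFIX      "\\Device\\"
#define DEVICE_PREFIX_LEN  (sizeof(DEVICE_PREFIX) - 1)

/* Longest adapter name that still fits after the prefix plus the terminating NUL. */
#define MAX_ADAPTER_NAME   (SOURCE_STRING_SIZE - DEVICE_PREFIX_LEN - 1)

/* Shape of the bug in the listing: the caller-controlled name is formatted into a
 * fixed buffer with sprintf and nothing bounds the write. Only called below with
 * a short constant so the demo itself stays in bounds. */
static void format_device_name_unchecked(char *dst, const char *name)
{
    sprintf(dst, DEVICE_PREFIX "%s", name);
}

/* Hardened form: bounded formatting that reports truncation instead of
 * writing past the end of dst. Returns true only when the full string fit. */
static bool format_device_name_checked(char *dst, size_t dst_size,
                                       const char *name)
{
    if (dst == NULL || name == NULL || dst_size == 0)
        return false;
    int needed = snprintf(dst, dst_size, DEVICE_PREFIX "%s", name);
    if (needed < 0 || (size_t)needed >= dst_size) {
        dst[0] = '\0';          /* do not hand back a partial string */
        return false;
    }
    return true;
}

/* Validate the IOCTL input buffer before formatting. A buffer coming from user
 * mode is not guaranteed to be NUL-terminated, so look for the NUL inside the
 * declared length instead of calling strlen(), then check that the name fits. */
static bool adapter_name_is_valid(const char *buf, size_t buf_len)
{
    if (buf == NULL || buf_len == 0)
        return false;
    const char *nul = memchr(buf, '\0', buf_len);
    if (nul == NULL)
        return false;           /* unterminated input: reject */
    return (size_t)(nul - buf) <= MAX_ADAPTER_NAME;
}

/* Simulated open-adapter path with a stack buffer of the assumed size.
 * Returns the length of the formatted name, or -1 when the input is rejected. */
static int handle_open_adapter(const char *in_buf, size_t in_len)
{
    char source_string[SOURCE_STRING_SIZE];

    if (!adapter_name_is_valid(in_buf, in_len))
        return -1;
    if (!format_device_name_checked(source_string, sizeof source_string, in_buf))
        return -1;
    return (int)strlen(source_string);
}

int main(void)
{
    char demo[SOURCE_STRING_SIZE];
    char long_name[200];

    /* Constructed inputs: a short name and an over-long one. */
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    format_device_name_unchecked(demo, "wlan0");   /* short, stays in bounds */
    printf("unchecked: %s\n", demo);

    printf("checked, short name -> %d\n", handle_open_adapter("wlan0", 6));
    printf("checked, %zu-byte name -> %d\n", sizeof long_name,
           handle_open_adapter(long_name, sizeof long_name));
    return 0;
}
```

In a real Windows driver the bounded call would be RtlStringCbPrintfA from ntstrsafe.h rather than snprintf, and the length to validate against is the IOCTL's InputBufferLength from the IRP stack location, not a strlen() of the buffer; the structure of the checks is the same.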