Pwnium 2, I FAILed :'(

a guest
Oct 8th, 2012
So, my 0day in Adobe Flash Player has been killed recently, and I'm in the mood to disclose some 0day.

So, the demonstration stand is an Acer Aspire V5 V5-571-6869; this laptop ships with several 3rd-party drivers.
And one of them is Wireless Broadcom (Wifi).
So, here are the details of the lame 0day (by the way, it's not exploitable on 64-bit platforms, and tricky to exploit on 32-bit platforms):

filename: bcm42rly.sys
file version: 5.100.196.18 (up to date)

.text:00011E6C ; int __stdcall ioctl_handler(int Status, PIRP Irp)
.text:00011E6C ioctl_handler proc near ; DATA XREF: sub_15006+16Ao
.text:00011E6C
.text:00011E6C Status = dword ptr 8
.text:00011E6C Irp = dword ptr 0Ch
.text:00011E6C
.text:00011E6C mov edi, edi
.text:00011E6E push ebp
.text:00011E6F mov ebp, esp
.text:00011E71 mov eax, [ebp+Irp]
.text:00011E74 mov ecx, [eax+60h]
.text:00011E77 push esi
.text:00011E78 mov esi, [eax+0Ch]
.text:00011E7B push edi
.text:00011E7C mov edi, [ecx+4]
.text:00011E7F mov ecx, [ecx+0Ch]
.text:00011E82 mov edx, 22E01Ch
.text:00011E87 cmp ecx, edx
.text:00011E89 jg short loc_11F00

[..]

.text:00011F00 loc_11F00: ; CODE XREF: ioctl_handler+1Dj
.text:00011F00 sub ecx, 22E020h
.text:00011F06 jz short loc_11F33

[..]

.text:00011F33 loc_11F33: ; CODE XREF: ioctl_handler+9Aj
.text:00011F33 push eax ; Irp
.text:00011F34 push [ebp+Status] ; int
.text:00011F37 call vulnerable

[..]

.text:00011C44 ; int __stdcall vulnerable(int, PIRP Irp)
.text:00011C44 vulnerable proc near ; CODE XREF: ioctl_handler+CBp
.text:00011C44
.text:00011C44 SelectedMediumIndex= dword ptr -0A8h
.text:00011C44 DestinationString= STRING ptr -0A4h
.text:00011C44 AdapterName = UNICODE_STRING ptr -9Ch
.text:00011C44 var_94 = dword ptr -94h
.text:00011C44 OpenErrorStatus = dword ptr -90h
.text:00011C44 Status = dword ptr -8Ch
.text:00011C44 var_88 = dword ptr -88h
.text:00011C44 SourceString = byte ptr -84h <---- array on stack
.text:00011C44 var_4 = dword ptr -4
.text:00011C44 arg_0 = dword ptr 8
.text:00011C44 Irp = dword ptr 0Ch
.text:00011C44
.text:00011C44 mov edi, edi

[..]

.text:00011CF7 loc_11CF7: ; CODE XREF: vulnerable+95j
.text:00011CF7 push dword ptr [esi+0Ch] <--- our buffer
.text:00011CFA lea eax, [ebp+SourceString]
.text:00011D00 push offset aDeviceS ; "\\Device\\%s"
.text:00011D05 push eax ; char *
.text:00011D06 call ds:sprintf <--- no check of size!!!
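As an added illustration (not part of the original paste or of the driver), the C below models the two things the listing shows: the IOCTL code that reaches the sprintf call, decoded with the field layout of the Windows CTL_CODE macro, and the bounded formatting plus length check the driver lacks. The 0x80-byte size of SourceString is inferred from the frame offsets -84h and -4 in the listing, and the sample adapter names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* IOCTL code that reaches the vulnerable routine: the dispatcher does
 * "sub ecx, 22E020h / jz loc_11F33" and loc_11F33 calls vulnerable. */
#define BCM_VULN_IOCTL 0x22E020u
/* SourceString sits at [ebp-84h] and the next local, var_4, at [ebp-4],
 * so the stack array is 0x80 bytes (inferred from the frame layout). */
#define SOURCE_STRING_SIZE 0x80u
#define DEVICE_PREFIX "\\Device\\"

/* Fields of a Windows IOCTL value, as CTL_CODE packs them:
 * DeviceType<<16 | Access<<14 | Function<<2 | Method. */
struct ctl_code { unsigned device_type, access, function, method; };

static struct ctl_code ctl_code_decode(unsigned code)
{
    return (struct ctl_code){ (code >> 16) & 0xFFFFu, (code >> 14) & 3u,
                              (code >> 2) & 0xFFFu, code & 3u };
}

/* The bound the driver never checks: 1 if "\\Device\\<adapter>" plus its
 * terminating NUL would not fit the 0x80-byte stack array. */
static int would_overflow_original(const char *adapter)
{
    return strlen(DEVICE_PREFIX) + strlen(adapter) + 1 > SOURCE_STRING_SIZE;
}

/* Hardened form: bounded formatting plus an explicit length check. Returns 0
 * on success, -1 if the name does not fit (reject, never truncate silently);
 * kernel code would fail the IRP with an error status at this point. */
static int format_device_name(char *dst, size_t dst_size, const char *adapter)
{
    int n = snprintf(dst, dst_size, DEVICE_PREFIX "%s", adapter);
    if (n < 0 || (size_t)n >= dst_size) { dst[0] = '\0'; return -1; }
    return 0;
}

/* Constructed sample input: an adapter name of `len` 'A's, fed to both checks. */
struct probe { int original_overflows; int hardened_rejects; };
static struct probe probe_name_length(size_t len)
{
    char name[256], buf[SOURCE_STRING_SIZE];
    struct probe p = { -1, -1 };
    if (len >= sizeof name) return p;          /* out of range for this demo */
    memset(name, 'A', len); name[len] = '\0';
    p.original_overflows = would_overflow_original(name);
    p.hardened_rejects = format_device_name(buf, sizeof buf, name) != 0;
    return p;
}
```

For 0x22E020 the decoder yields DeviceType 0x22 (FILE_DEVICE_UNKNOWN), Function 0x808, Method 0 (METHOD_BUFFERED) and access bits 3; the 8-byte prefix plus NUL leaves room for a 119-character adapter name, and the hardened routine rejects exactly the inputs the original would have overflowed with.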