Kartoffel and Vulnerable Device Drivers
evilcry <evilcrygmailcom> Sunday, October 22 2006 03:22.16 CDT


Some days ago I found a nice and useful tool, the Kartoffel Driver Verification Tool, which allows rapid verification of some of the most common Device Driver weaknesses, such as untrusted IOCTLs.

For example, we can see that mrxsmb.sys (which is directly related to cscdll.dll) does not properly validate the incoming User Mode buffer:

>kartoffel -s \\.\Shadow -n 0 -o 0x10 -z 0 -Z 0x18 -U VALUE,HANDLES -c 2000 -I 141047

In other words, we're "overflowing" IOCTL code 0x141047 (the -I argument is taken as hexadecimal, as the report below shows). Here is Kartoffel's output:

Input Size:[0x0000]
Ouput Size:[0x0018]
IOCTL:[0x00141047] -> Response received [IOM notified]
[ RESULTS ] _________________________________________________________
Test ID [ 0x0001 ] ------------------------------------------------------------
[ FUZZING ]
- Input Buffer Size: (0x0000) Method: "" Submethod: ""
- Output Buffer Size: (0x0018) Method: "VALUE" Submethod: "HANDLES"
- IOCTL [ 0x00141047 ]
=> DEVICE: FILE_DEVICE_NETWORK_FILE_SYSTEM
=> ACCESS: ANY ACCESS
=> FUNCTION: 0x0411
=> METHOD: METHOD_NEITHER
[ FLAW ]
- POSSIBLE DEADLOCK DETECTED -
[ BUFFERS ]
[INPUT BUFFER] = NULL
Original Data [OUTPUT BUFFER]
[0x000]: 000007E8 000007E8 000007E8 000007E8
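To read a report like the one above it helps to know how Kartoffel arrives at the DEVICE / ACCESS / FUNCTION / METHOD lines: every Windows IOCTL code is packed by the CTL_CODE macro into four bit fields, and METHOD_NEITHER (the low two bits equal to 3) is the transfer method where the I/O manager hands the driver the raw user-mode pointers without copying or probing them, which is exactly why an unvalidated buffer on such a code is dangerous. The following decoder is an added example written for this post, not part of Kartoffel or of the original article; the device-type name table only covers the value seen in the report plus FILE_DEVICE_UNKNOWN, and the sample code 0x141047 is the one from the report.

```c
#include <stdio.h>
#include <stdint.h>

/* Bit layout produced by the Windows CTL_CODE macro:
 *   bits 31..16  device type
 *   bits 15..14  required access (FILE_ANY/READ/WRITE_ACCESS)
 *   bits 13..2   function number
 *   bits  1..0   transfer method (0 BUFFERED, 1 IN_DIRECT, 2 OUT_DIRECT, 3 NEITHER)
 */
typedef struct {
    uint32_t device_type;
    uint32_t access;
    uint32_t function;
    uint32_t method;
} ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFF;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2)  & 0xFFF;
    f.method      =  code        & 0x3;
    return f;
}

const char *method_name(uint32_t method) {
    static const char *names[] = {
        "METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"
    };
    return names[method & 0x3];
}

const char *access_name(uint32_t access) {
    static const char *names[] = {
        "FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
        "FILE_READ_ACCESS | FILE_WRITE_ACCESS"
    };
    return names[access & 0x3];
}

/* Small name table: only the device type from the report plus the common
 * catch-all used by third-party drivers (constructed for this example). */
const char *device_name(uint32_t device_type) {
    switch (device_type) {
    case 0x14: return "FILE_DEVICE_NETWORK_FILE_SYSTEM";
    case 0x22: return "FILE_DEVICE_UNKNOWN";
    default:   return "(unlisted device type)";
    }
}

/* With METHOD_NEITHER the kernel performs no buffer copy or probe, so the
 * driver alone is responsible for validating the user-mode pointers and
 * sizes it receives. A reviewer or fuzzer flags these codes first. */
int method_requires_driver_validation(uint32_t code) {
    return (code & 0x3) == 3;
}

int main(void) {
    uint32_t code = 0x141047;                 /* the code from the report */
    ioctl_fields f = decode_ioctl(code);
    printf("IOCTL [ 0x%08X ]\n", code);
    printf("=> DEVICE:   %s (0x%02X)\n", device_name(f.device_type), f.device_type);
    printf("=> ACCESS:   %s\n", access_name(f.access));
    printf("=> FUNCTION: 0x%04X\n", f.function);
    printf("=> METHOD:   %s\n", method_name(f.method));
    if (method_requires_driver_validation(code))
        printf("   (driver must probe/validate user buffers itself)\n");
    return 0;
}
```

Running it on 0x141047 reproduces the report's breakdown: device 0x14 (FILE_DEVICE_NETWORK_FILE_SYSTEM), FILE_ANY_ACCESS, function 0x411, METHOD_NEITHER; the same decoder applies to any IOCTL code you see in a Kartoffel run, and the FILE_ANY_ACCESS plus METHOD_NEITHER combination is the one to examine most closely.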


Oh, here is the link


hXXp://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=17

...and it's also Open Source!

See you in the next post
