Skip to content

Instantly share code, notes, and snippets.

@hacksysteam

hacksysteam/UseAfterFree.c

Created May 7, 2015 08:10
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save hacksysteam/973afea5def4b1d59a21 to your computer and use it in GitHub Desktop.
Save hacksysteam/973afea5def4b1d59a21 to your computer and use it in GitHub Desktop.
Download ZIP
Code Snippet for Use After Free Vulnerability in HackSys Extreme Vulnerable Driver
Raw
UseAfterFree.c
NTSTATUS HackSysHandleIoctlCreateBuffer(IN PIRP pIrp, IN PIO_STACK_LOCATION pIoStackIrp)
{
PUSE_AFTER_FREE pUseAfterFree = NULL;
SIZE_T inputBufferSize = 0;
NTSTATUS status = STATUS_UNSUCCESSFUL;
UNREFERENCED_PARAMETER(pIrp);
UNREFERENCED_PARAMETER(pIoStackIrp);
PAGED_CODE();
status = CreateBuffer();
return status;
}
NTSTATUS HackSysHandleIoctlUseBuffer(IN PIRP pIrp, IN PIO_STACK_LOCATION pIoStackIrp)
{
PVOID pInputBuffer = NULL;
SIZE_T inputBufferSize = 0;
PUSE_AFTER_FREE pUseAfterFree = NULL;
NTSTATUS status = STATUS_UNSUCCESSFUL;
UNREFERENCED_PARAMETER(pIrp);
PAGED_CODE();
pInputBuffer = pIoStackIrp->Parameters.DeviceIoControl.Type3InputBuffer;
inputBufferSize = sizeof(pUseAfterFree->buffer);
if (pInputBuffer)
status = UseBuffer(pInputBuffer, inputBufferSize);
return status;
}
NTSTATUS HackSysHandleIoctlFreeBuffer(IN PIRP pIrp, IN PIO_STACK_LOCATION pIoStackIrp)
{
NTSTATUS status = STATUS_UNSUCCESSFUL;
UNREFERENCED_PARAMETER(pIrp);
UNREFERENCED_PARAMETER(pIoStackIrp);
PAGED_CODE();
status = FreeBuffer();
return status;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment